AND APPLICATIONS
PROCEEDINGS OF THE EUROPEAN SAFETY AND RELIABILITY CONFERENCE, ESREL 2008,
AND 17TH SRA-EUROPE, VALENCIA, SPAIN, SEPTEMBER, 22–25, 2008
Editors
Sebastián Martorell
Department of Chemical and Nuclear Engineering,
Universidad Politécnica de Valencia, Spain
C. Guedes Soares
Instituto Superior Técnico, Technical University of Lisbon, Lisbon, Portugal
Julie Barnett
Department of Psychology, University of Surrey, UK
VOLUME 1
Cover picture designed by Centro de Formación Permanente - Universidad Politécnica de Valencia
CRC Press/Balkema is an imprint of the Taylor & Francis Group, an informa business
All rights reserved. No part of this publication or the information contained herein may be reproduced, stored
in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, by photocopying,
recording or otherwise, without written prior permission from the publisher.
Although all care is taken to ensure integrity and the quality of this publication and the information herein, no
responsibility is assumed by the publishers nor the author for any damage to the property or persons as a result
of operation or use of this publication and/or the information contained herein.
Table of contents
Preface XXIV
Organization XXXI
Acknowledgment XXXV
Introduction XXXVII
VOLUME 1
Thematic areas
Accident and incident investigation
A code for the simulation of human failure events in nuclear power plants: SIMPROC 3
J. Gil, J. Esperón, L. Gamo, I. Fernández, P. González, J. Moreno, A. Expósito, C. Queral, G. Rodríguez & J. Hortal
A preliminary analysis of the ‘Tlahuac’ incident by applying the MORT technique 11
J.R. Santos-Reyes, S. Olmos-Peña & L.M. Hernández-Simón
Comparing a multi-linear (STEP) and systemic (FRAM) method for accident analysis 19
I.A. Herrera & R. Woltjer
Development of a database for reporting and analysis of near misses in the Italian chemical industry 27
R.V. Gagliardi & G. Astarita
Development of incident report analysis system based on m-SHEL ontology 33
Y. Asada, T. Kanno & K. Furuta
Forklifts overturn incidents and prevention in Taiwan 39
K.Y. Chen, S.-H. Wu & C.-M. Shu
Formal modelling of incidents and accidents as a means for enriching training material for satellite control operations 45
S. Basnyat, P. Palanque, R. Bernhaupt & E. Poupart
Hazard factors analysis in regional traffic records 57
M. Mlynczak & J. Sipa
Organizational analysis of availability: What are the lessons for a high risk industrial company? 63
M. Voirin, S. Pierlot & Y. Dien
Thermal explosion analysis of methyl ethyl ketone peroxide by non-isothermal and isothermal calorimetry application 71
S.H. Wu, J.M. Tseng & C.M. Shu
Crisis and emergency management
A mathematical model for risk analysis of disaster chains 79
A. Xuewei Ji, B. Wenguo Weng & Pan Li
Effective learning from emergency responses 83
K. Eriksson & J. Borell
On the constructive role of multi-criteria analysis in complex decision-making: An application in radiological emergency management 89
C. Turcanu, B. Carlé, J. Paridaens & F. Hardeman
Decision support systems and software tools for safety and reliability
Complex, expert based multi-role assessment system for small and medium enterprises 99
S.G. Kovacs & M. Costescu
DETECT: A novel framework for the detection of attacks to critical infrastructures 105
F. Flammini, A. Gaglione, N. Mazzocca & C. Pragliola
Methodology and software platform for multi-layer causal modeling 113
K.M. Groth, C. Wang, D. Zhu & A. Mosleh
SCAIS (Simulation Code System for Integrated Safety Assessment): Current status and applications 121
J.M. Izquierdo, J. Hortal, M. Sánchez, E. Meléndez, R. Herrero, J. Gil, L. Gamo, I. Fernández, J. Esperón, P. González, C. Queral, A. Expósito & G. Rodríguez
Using GIS and multivariate analyses to visualize risk levels and spatial patterns of severe accidents in the energy sector 129
P. Burgherr
Weak signals of potential accidents at ‘‘Seveso’’ establishments 137
P.A. Bragatto, P. Agnello, S. Ansaldi & P. Pittiglio
Dynamic reliability
A dynamic fault classification scheme 147
B. Fechner
Importance factors in dynamic reliability 155
R. Eymard, S. Mercier & M. Roussignol
TSD, a SCAIS suitable variant of the SDTPD 163
J.M. Izquierdo & I. Cañamón
From diagnosis to prognosis: A maintenance experience for an electric locomotive 211
O. Borgia, F. De Carlo & M. Tucci
Human factors
A study on the validity of R-TACOM measure by comparing operator response time data 221
J. Park & W. Jung
An evaluation of the Enhanced Bayesian THERP method using simulator data 227
K. Bladh, J.-E. Holmberg & P. Pyy
Comparing CESA-Q human reliability analysis with evidence from simulator: A first attempt 233
L. Podofillini & B. Reer
Exploratory and confirmatory analysis of the relationship between social norms and safety behavior 243
C. Fugas, S.A. da Silva & J.L. Melià
Functional safety and layer of protection analysis with regard to human factors 249
K.T. Kosmowski
How employees’ use of information technology systems shape reliable operations of large scale technological systems 259
T.K. Andersen, P. Næsje, H. Torvatn & K. Skarholt
Incorporating simulator evidence into HRA: Insights from the data analysis of the international HRA empirical study 267
S. Massaiu, P.Ø. Braarud & M. Hildebrandt
Insights from the ‘‘HRA international empirical study’’: How to link data and HRA with MERMOS 275
H. Pesme, P. Le Bot & P. Meyer
Operators’ response time estimation for a critical task using the fuzzy logic theory 281
M. Konstandinidou, Z. Nivolianitou, G. Simos, C. Kiranoudis & N. Markatos
The concept of organizational supportiveness 291
J. Nicholls, J. Harvey & G. Erdos
The influence of personal variables on changes in driver behaviour 299
S. Heslop, J. Harvey, N. Thorpe & C. Mulley
The key role of expert judgment in CO2 underground storage projects 305
C. Vivalda & L. Jammes
Precaution in practice? The case of nanomaterial industry 361
H. Kastenholz, A. Helland & M. Siegrist
Risk based maintenance prioritisation 365
G. Birkeland, S. Eisinger & T. Aven
Shifts in environmental health risk governance: An analytical framework 369
H.A.C. Runhaar, J.P. van der Sluijs & P.P.J. Driessen
What does ‘‘safety margin’’ really mean? 379
J. Hortal, R. Mendizábal & F. Pelayo
Maintenance modelling integrating human and material resources 505
S. Martorell, M. Villamizar, A. Sánchez & G. Clemente
Modelling competing risks and opportunistic maintenance with expert judgement 515
T. Bedford & B.M. Alkali
Modelling different types of failure and residual life estimation for condition-based maintenance 523
M.J. Carr & W. Wang
Multi-component systems modeling for quantifying complex maintenance strategies 531
V. Zille, C. Bérenguer, A. Grall, A. Despujols & J. Lonchampt
Multiobjective optimization of redundancy allocation in systems with imperfect repairs via ant colony and discrete event simulation 541
I.D. Lins & E. López Droguett
Non-homogeneous Markov reward model for aging multi-state system under corrective maintenance 551
A. Lisnianski & I. Frenkel
On the modeling of ageing using Weibull models: Case studies 559
P. Praks, H. Fernandez Bacarizo & P.-E. Labeau
On-line condition-based maintenance for systems with several modes of degradation 567
A. Ponchet, M. Fouladirad & A. Grall
Opportunity-based age replacement for a system under two types of failures 575
F.G. Badía & M.D. Berrade
Optimal inspection intervals for maintainable equipment 581
O. Hryniewicz
Optimal periodic inspection of series systems with revealed and unrevealed failures 587
M. Carvalho, E. Nunes & J. Telhada
Optimal periodic inspection/replacement policy for deteriorating systems with explanatory variables 593
X. Zhao, M. Fouladirad, C. Bérenguer & L. Bordes
Optimal replacement policy for components with general failure rates submitted to obsolescence 603
S. Mercier
Optimization of the maintenance function at a company 611
S. Adjabi, K. Adel-Aissanou & M. Azi
Planning and scheduling maintenance resources in a complex system 619
M. Newby & C. Barker
Preventive maintenance planning using prior expert knowledge and multicriteria method PROMETHEE III 627
F.A. Figueiredo, C.A.V. Cavalcante & A.T. de Almeida
Profitability assessment of outsourcing maintenance from the producer (big rotary machine study) 635
P. Fuchs & J. Zajicek
Simulated annealing method for the selective maintenance optimization of multi-mission series-parallel systems 641
A. Khatab, D. Ait-Kadi & A. Artiba
Study on the availability of a k-out-of-N System given limited spares under (m, NG) maintenance policy 649
T. Zhang, H.T. Lei & B. Guo
System value trajectories, maintenance, and its present value 659
K.B. Marais & J.H. Saleh
The maintenance management framework: A practical view to maintenance management 669
A. Crespo Márquez, P. Moreu de León, J.F. Gómez Fernández, C. Parra Márquez & V. González
Workplace occupation and equipment availability and utilization, in the context of maintenance float systems 675
I.S. Lopes, A.F. Leitão & G.A.B. Pereira
Occupational safety
Application of virtual reality technologies to improve occupational & industrial safety in industrial processes 727
J. Rubio, B. Rubio, C. Vaquero, N. Galarza, A. Pelaz, J.L. Ipiña, D. Sagasti & L. Jordá
Applying the resilience concept in practice: A case study from the oil and gas industry 733
L. Hansson, I. Andrade Herrera, T. Kongsvik & G. Solberg
Development of an assessment tool to facilitate OHS management based upon the safe place, safe person, safe systems framework 739
A.-M. Makin & C. Winder
Exploring knowledge translation in occupational health using the mental models approach: A case study of machine shops 749
A.-M. Nicol & A.C. Hurrell
Mathematical modelling of risk factors concerning work-related traffic accidents 757
C. Santamaría, G. Rubio, B. García & E. Navarro
New performance indicators for the health and safety domain: A benchmarking use perspective 761
H.V. Neto, P.M. Arezes & S.D. Sousa
Occupational risk management for fall from height 767
O.N. Aneziris, M. Konstandinidou, I.A. Papazoglou, M. Mud, M. Damen, J. Kuiper, H. Baksteen, L.J. Bellamy, J.G. Post & J. Oh
Occupational risk management for vapour/gas explosions 777
I.A. Papazoglou, O.N. Aneziris, M. Konstandinidou, M. Mud, M. Damen, J. Kuiper, A. Bloemhoff, H. Baksteen, L.J. Bellamy, J.G. Post & J. Oh
Occupational risk of an aluminium industry 787
O.N. Aneziris, I.A. Papazoglou & O. Doudakmani
Risk regulation bureaucracies in EU accession states: Drinking water safety in Estonia 797
K. Kangur
Organization learning
Can organisational learning improve safety and resilience during changes? 805
S.O. Johnsen & S. Håbrekke
Consequence analysis as organizational development 813
B. Moltu, A. Jarl Ringstad & G. Guttormsen
Integrated operations and leadership—How virtual cooperation influences leadership practice 821
K. Skarholt, P. Næsje, V. Hepsø & A.S. Bye
Outsourcing maintenance in services providers 829
J.F. Gómez, C. Parra, V. González, A. Crespo & P. Moreu de León
Revising rules and reviving knowledge in the Norwegian railway system 839
H.C. Blakstad, R. Rosness & J. Hovden
Risk Management in systems: Learning to recognize and respond to weak signals 847
E. Guillaume
Author index 853
VOLUME 2
Risk and evidence based policy making
Environmental reliability as a requirement for defining environmental impact limits in critical areas 957
E. Calixto & E. Lèbre La Rovere
Hazardous aid? The crowding-out effect of international charity 965
P.A. Raschky & M. Schwindt
Individual risk-taking and external effects—An empirical examination 973
S. Borsky & P.A. Raschky
Licensing a Biofuel plan transforming animal fats 981
J.-F. David
Modelling incident escalation in explosives storage 987
G. Hardman, T. Bedford, J. Quigley & L. Walls
The measurement and management of Deca-BDE—Why the continued certainty of uncertainty? 993
R.E. Alcock, B.H. McGillivray & J.S. Busby
Developments in fault tree techniques and importance measures 1103
J.K. Vaurio
Dutch registration of risk situations 1113
J.P. van’t Sant, H.J. Manuel & A. van den Berg
Experimental study of jet fires 1119
M. Gómez-Mares, A. Palacios, A. Peiretti, M. Muñoz & J. Casal
Failure mode and effect analysis algorithm for tunneling projects 1125
K. Rezaie, V. Ebrahimipour & S. Shokravi
Fuzzy FMEA: A study case on a discontinuous distillation plant 1129
S.S. Rivera & J.E. Núñez Mc Leod
Risk analysis in extreme environmental conditions for Aconcagua Mountain station 1135
J.E. Núñez Mc Leod & S.S. Rivera
Geographic information system for evaluation of technical condition and residual life of pipelines 1141
P. Yukhymets, R. Spitsa & S. Kobelsky
Inherent safety indices for the design of layout plans 1147
A. Tugnoli, V. Cozzani, F.I. Khan & P.R. Amyotte
Minmax defense strategy for multi-state systems 1157
G. Levitin & K. Hausken
Multicriteria risk assessment for risk ranking of natural gas pipelines 1165
A.J. de M. Brito, C.A.V. Cavalcante, R.J.P. Ferreira & A.T. de Almeida
New insight into PFDavg and PFH 1173
F. Innal, Y. Dutuit, A. Rauzy & J.-P. Signoret
On causes and dependencies of errors in human and organizational barriers against major accidents 1181
J.E. Vinnem
Quantitative risk analysis method for warehouses with packaged hazardous materials 1191
D. Riedstra, G.M.H. Laheij & A.A.C. van Vliet
Ranking the attractiveness of industrial plants to external acts of interference 1199
M. Sabatini, S. Zanelli, S. Ganapini, S. Bonvicini & V. Cozzani
Review and discussion of uncertainty taxonomies used in risk analysis 1207
T.E. Nøkland & T. Aven
Risk analysis in the frame of the ATEX Directive and the preparation of an Explosion Protection Document 1217
A. Pey, G. Suter, M. Glor, P. Lerena & J. Campos
Risk reduction by use of a buffer zone 1223
S.I. Wijnant-Timmerman & T. Wiersma
Safety in engineering practice 1231
Z. Smalko & J. Szpytko
Why ISO 13702 and NFPA 15 standards may lead to unsafe design 1239
S. Medonos & R. Raman
Thermal characteristic analysis of Y type zeolite by differential scanning calorimetry 1267
S.H. Wu, W.P. Weng, C.C. Hsieh & C.M. Shu
Using network methodology to define emergency response team location: The Brazilian refinery case study 1273
E. Calixto, E. Lèbre La Rovere & J. Eustáquio Beraldo
Safety culture
‘‘Us’’ and ‘‘Them’’: The impact of group identity on safety critical behaviour 1377
R.J. Bye, S. Antonsen & K.M. Vikland
Does change challenge safety? Complexity in the civil aviation transport system 1385
S. Høyland & K. Aase
Electromagnetic fields in the industrial environment 1395
J. Fernández, A. Quijano, M.L. Soriano & V. Fuster
Electrostatic charges in industrial environments 1401
P. LLovera, A. Quijano, A. Soria & V. Fuster
Empowering operations and maintenance: Safe operations with the ‘‘one directed team’’ organizational model at the Kristin asset 1407
P. Næsje, K. Skarholt, V. Hepsø & A.S. Bye
Leadership and safety climate in the construction industry 1415
J.L. Meliá, M. Becerril, S.A. Silva & K. Mearns
Local management and its impact on safety culture and safety within Norwegian shipping 1423
H.A. Oltedal & O.A. Engen
Quantitative analysis of the anatomy and effectiveness of occupational safety culture 1431
P. Trucco, M. De Ambroggi & O. Grande
Safety management and safety culture assessment in Germany 1439
H.P. Berg
The potential for error in communications between engineering designers 1447
J. Harvey, R. Jamieson & K. Pearce
Software reliability
Assessment of software reliability and the efficiency of corrective actions during the software development process 1513
R. Savić
ERTMS, deals on wheels? An inquiry into a major railway project 1519
J.A. Stoop, J.H. Baggen, J.M. Vleugel & J.L.M. Vrancken
Guaranteed resource availability in a website 1525
V.P. Koutras & A.N. Platis
Reliability oriented electronic design automation tool 1533
J. Marcos, D. Bóveda, A. Fernández & E. Soto
Reliable software for partitionable networked environments—An experience report 1539
S. Beyer, J.C. García Ortiz, F.D. Muñoz-Escoí, P. Galdámez, L. Froihofer, K.M. Goeschka & J. Osrael
SysML aided functional safety assessment 1547
M. Larisch, A. Hänle, U. Siebold & I. Häring
UML safety requirement specification and verification 1555
A. Hänle & I. Häring
Stakeholder and public involvement in risk governance
Assessment and monitoring of reliability and robustness of offshore wind energy converters 1567
S. Thöns, M.H. Faber, W. Rücker & R. Rohrmann
Building resilience to natural hazards. Practices and policies on governance and mitigation in the central region of Portugal 1577
J.M. Mendes & A.T. Tavares
Governance of flood risks in The Netherlands: Interdisciplinary research into the role and meaning of risk perception 1585
M.S. de Wit, H. van der Most, J.M. Gutteling & M. Bočkarjova
Public intervention for better governance—Does it matter? A study of the ‘‘Leros Strength’’ case 1595
P.H. Lindøe & J.E. Karlsen
Reasoning about safety management policy in everyday terms 1601
T. Horlick-Jones
Using stakeholders’ expertise in EMF and soil contamination to improve the management of public policies dealing with modern risk: When uncertainty is on the agenda 1609
C. Fallon, G. Joris & C. Zwetkoff
VOLUME 3
A depth first search algorithm for optimal arrangements in a circular consecutive-k-out-of-n:F system 1715
K. Shingyochi & H. Yamamoto
A joint reliability-redundancy optimization approach for multi-state series-parallel systems 1723
Z. Tian, G. Levitin & M.J. Zuo
A new approach to assess the reliability of a multi-state system with dependent components 1731
M. Samrout & E. Chatelet
A reliability analysis and decision making process for autonomous systems 1739
R. Remenyte-Prescott, J.D. Andrews, P.W.H. Chung & C.G. Downes
Advanced discrete event simulation methods with application to importance measure estimation 1747
A.B. Huseby, K.A. Eide, S.L. Isaksen, B. Natvig & J. Gåsemyr
Algorithmic and computational analysis of a multi-component complex system 1755
J.E. Ruiz-Castro, R. Pérez-Ocón & G. Fernández-Villodre
An efficient reliability computation of generalized multi-state k-out-of-n systems 1763
S.V. Amari
Application of the fault tree analysis for assessment of the power system reliability 1771
A. Volkanovski, M. Čepin & B. Mavko
BDMP (Boolean logic driven Markov processes) as an alternative to event trees 1779
M. Bouissou
Bivariate distribution based passive system performance assessment 1787
L. Burgazzi
Calculating steady state reliability indices of multi-state systems using dual number algebra 1795
E. Korczak
Concordance analysis of importance measure 1803
C.M. Rocco S.
Contribution to availability assessment of systems with one shot items 1807
D. Valis & M. Koucky
Contribution to modeling of complex weapon systems reliability 1813
D. Valis, Z. Vintr & M. Koucky
Delayed system reliability and uncertainty analysis 1819
R. Alzbutas, V. Janilionis & J. Rimas
Efficient generation and representation of failure lists out of an information flux model for modeling safety critical systems 1829
M. Pock, H. Belhadaoui, O. Malassé & M. Walter
Evaluating algorithms for the system state distribution of multi-state k-out-of-n:F system 1839
T. Akiba, H. Yamamoto, T. Yamaguchi, K. Shingyochi & Y. Tsujimura
First-passage time analysis for Markovian deteriorating model 1847
G. Dohnal
Model of logistic support system with time dependency 1851
S. Werbinska
Modeling failure cascades in network systems due to distributed random disturbances 1861
E. Zio & G. Sansavini
Modeling of the changes of graphite bore in RBMK-1500 type nuclear reactor 1867
I. Žutautaite-Šeputiene, J. Augutis & E. Ušpuras
Modelling multi-platform phased mission system reliability 1873
D.R. Prescott, J.D. Andrews & C.G. Downes
Modelling test strategies effects on the probability of failure on demand for safety instrumented systems 1881
A.C. Torres-Echeverria, S. Martorell & H.A. Thompson
New insight into measures of component importance in production systems 1891
S.L. Isaksen
New virtual age models for bathtub shaped failure intensities 1901
Y. Dijoux & E. Idée
On some approaches to defining virtual age of non-repairable objects 1909
M.S. Finkelstein
On the application and extension of system signatures in engineering reliability 1915
J. Navarro, F.J. Samaniego, N. Balakrishnan & D. Bhattacharya
PFD of higher-order configurations of SIS with partial stroke testing capability 1919
L.F.S. Oliveira
Power quality as accompanying factor in reliability research of electric engines 1929
I.J. Jóźwiak, K. Kujawski & T. Nowakowski
RAMS and performance analysis 1937
X. Quayzin, E. Arbaretier, Z. Brik & A. Rauzy
Reliability evaluation of complex system based on equivalent fault tree 1943
Z. Yufang, Y. Hong & L. Jun
Reliability evaluation of III-V Concentrator solar cells 1949
N. Núñez, J.R. González, M. Vázquez, C. Algora & I. Rey-Stolle
Reliability of a degrading system under inspections 1955
D. Montoro-Cazorla, R. Pérez-Ocón & M.C. Segovia
Reliability prediction using petri nets for on-demand safety systems with fault detection 1961
A.V. Kleyner & V. Volovoi
Reliability, availability and cost analysis of large multi-state systems with ageing components 1969
K. Kolowrocki
Reliability, availability and risk evaluation of technical systems in variable operation conditions 1985
K. Kolowrocki & J. Soszynska
Representation and estimation of multi-state system reliability by decision diagrams 1995
E. Zaitseva & S. Puuronen
Safety instrumented system reliability evaluation with influencing factors 2003
F. Brissaud, D. Charpentier, M. Fouladirad, A. Barros & C. Bérenguer
Smooth estimation of the availability function of a repairable system 2013
M.L. Gámiz & Y. Román
System design optimisation involving phased missions 2021
D. Astapenko & L.M. Bartlett
The Natvig measures of component importance in repairable systems applied to an offshore oil and gas production system 2029
B. Natvig, K.A. Eide, J. Gåsemyr, A.B. Huseby & S.L. Isaksen
The operation quality assessment as an initial part of reliability improvement and low cost automation of the system 2037
L. Muslewski, M. Woropay & G. Hoppe
Three-state modelling of dependent component failures with domino effects 2045
U.K. Rakowsky
Variable ordering techniques for the application of Binary Decision Diagrams on PSA linked Fault Tree models 2051
C. Ibáñez-Llano, A. Rauzy, E. Meléndez & F. Nieto
Weaknesses of classic availability calculations for interlinked production systems and their overcoming 2061
D. Achermann
Model of air traffic in terminal area for ATFM safety analysis 2191
J. Skorupski & A.W. Stelmach
Predicting airport runway conditions based on weather data 2199
A.B. Huseby & M. Rabbe
Safety considerations in complex airborne systems 2207
M.J.R. Lemes & J.B. Camargo Jr
The Preliminary Risk Analysis approach: Merging space and aeronautics methods 2217
J. Faure, R. Laulheret & A. Cabarbaye
Using a Causal model for Air Transport Safety (CATS) for the evaluation of alternatives 2223
B.J.M. Ale, L.J. Bellamy, R.P. van der Boom, J. Cooper, R.M. Cooke, D. Kurowicka, P.H. Lin, O. Morales, A.L.C. Roelen & J. Spouge
Automotive engineering
An approach to describe interactions in and between mechatronic systems 2233
J. Gäng & B. Bertsche
Influence of the mileage distribution on reliability prognosis models 2239
A. Braasch, D. Althaus & A. Meyna
Reliability prediction for automotive components using Real-Parameter Genetic Algorithm 2245
J. Hauschild, A. Kazeminia & A. Braasch
Stochastic modeling and prediction of catalytic converters degradation 2251
S. Barone, M. Giorgio, M. Guida & G. Pulcini
Towards a better interaction between design and dependability analysis: FMEA derived from UML/SysML models 2259
P. David, V. Idasiak & F. Kratz
Risk perception and communication of food safety and food technologies in Flanders, The Netherlands, and the United Kingdom 2325
U. Maris
Synthesis of reliable digital microfluidic biochips using Monte Carlo simulation 2333
E. Maftei, P. Pop & F. Popenţiu Vlădicescu
Civil engineering
Decision tools for risk management support in construction industry 2431
S. Mehicic Eberhardt, S. Moeller, M. Missler-Behr & W. Kalusche
Definition of safety and the existence of ‘‘optimal safety’’ 2441
D. Proske
Failure risk analysis in Water Supply Networks 2447
A. Carrión, A. Debón, E. Cabrera, M.L. Gamiz & H. Solano
Hurricane vulnerability of multi-story residential buildings in Florida 2453
G.L. Pita, J.-P. Pinelli, C.S. Subramanian, K. Gurley & S. Hamid
Risk management system in water-pipe network functioning 2463
B. Tchórzewska-Cieślak
Use of extreme value theory in engineering design 2473
E. Castillo, C. Castillo & R. Mínguez
Critical infrastructures
A model for vulnerability analysis of interdependent infrastructure networks 2491
J. Johansson & H. Jönsson
Exploiting stochastic indicators of interdependent infrastructures: The service availability of interconnected networks 2501
G. Bonanni, E. Ciancamerla, M. Minichino, R. Clemente, A. Iacomini, A. Scarlatti, E. Zendri & R. Terruggia
Proactive risk assessment of critical infrastructures 2511
T. Uusitalo, R. Koivisto & W. Schmitz
Seismic assessment of utility systems: Application to water, electric power and transportation networks 2519
C. Nuti, A. Rasulo & I. Vanzi
Author index 2531
VOLUME 4
Cyanotoxins and health risk assessment 2613
J. Kellner, F. Božek, J. Navrátil & J. Dvořák
The estimation of health effect risks based on different sampling intervals of meteorological data 2619
J. Jeong & S. Hoon Han
Manufacturing
A decision model for preventing knock-on risk inside industrial plant 2701
M. Grazia Gnoni, G. Lettera & P. Angelo Bragatto
Condition based maintenance optimization under cost and profit criteria for manufacturing equipment 2707
A. Sánchez, A. Goti & V. Rodríguez
PRA-type study adapted to the multi-crystalline silicon photovoltaic cells manufacture process 2715
A. Colli, D. Serbanescu & B.J.M. Ale
Mechanical engineering
Developing a new methodology for OHS assessment in small and medium enterprises 2727
C. Pantanali, A. Meneghetti, C. Bianco & M. Lirussi
Optimal Pre-control as a tool to monitor the reliability of a manufacturing system 2735
S. San Matías & V. Giner-Bosch
The respirable crystalline silica in the ceramic industries—Sampling, exposure and toxicology 2743
E. Monfort, M.J. Ibáñez & A. Escrig
Natural hazards
A framework for the assessment of the industrial risk caused by floods 2749
M. Campedel, G. Antonioni, V. Cozzani & G. Di Baldassarre
A simple method of risk potential analysis for post-earthquake fires 2757
J.L. Su, C.C. Wu, K.S. Fan & J.R. Chen
Applying the SDMS model to manage natural disasters in Mexico 2765
J.R. Santos-Reyes & A.N. Beard
Decision making tools for natural hazard risk management—Examples from Switzerland 2773
M. Bründl, B. Krummenacher & H.M. Merz
How to motivate people to assume responsibility and act upon their own protection from flood risk in The Netherlands if they think they are perfectly safe? 2781
M. Bočkarjova, A. van der Veen & P.A.T.M. Geurts
Integral risk management of natural hazards—A system analysis of operational application to rapid mass movements 2789
N. Bischof, H. Romang & M. Bründl
Risk based approach for a long-term solution of coastal flood defences—A Vietnam case 2797
C. Mai Van, P.H.A.J.M. van Gelder & J.K. Vrijling
River system behaviour effects on flood risk 2807
T. Schweckendiek, A.C.W.M. Vrouwenvelder, M.C.L.M. van Mierlo, E.O.F. Calle & W.M.G. Courage
Valuation of flood risk in The Netherlands: Some preliminary results 2817
M. Bočkarjova, P. Rietveld & E.T. Verhoef
Nuclear engineering
An approach to integrate thermal-hydraulic and probabilistic analyses in addressing safety margins estimation accounting for uncertainties 2827
S. Martorell, Y. Nebot, J.F. Villanueva, S. Carlos, V. Serradell, F. Pelayo & R. Mendizábal
Availability of alternative sources for heat removal in case of failure of the RHRS during midloop conditions addressed in LPSA 2837
J.F. Villanueva, S. Carlos, S. Martorell, V. Serradell, F. Pelayo & R. Mendizábal
Complexity measures of emergency operating procedures: A comparison study with data from a simulated computerized procedure experiment 2845
L.Q. Yu, Z.Z. Li, X.L. Dong & S. Xu
Distinction impossible!: Comparing risks between Radioactive Wastes Facilities and Nuclear Power Stations 2851
S. Kim & S. Cho
Heat-up calculation to screen out the room cooling failure function from a PSA model 2861
M. Hwang, C. Yoon & J.-E. Yang
Investigating the material limits on social construction: Practical reasoning about nuclear fusion and other technologies 2867
T. Horlick-Jones, A. Prades, C. Oltra, J. Navajas & J. Espluga
Neural networks and order statistics for quantifying nuclear power plants safety margins 2873
E. Zio, F. Di Maio, S. Martorell & Y. Nebot
Probabilistic safety assessment for other modes than power operation 2883
M. Čepin & R. Prosen
Probabilistic safety margins: Definition and calculation 2891
R. Mendizábal
Reliability assessment of the thermal hydraulic phenomena related to a CAREM-like passive RHR System 2899
G. Lorenzo, P. Zanocco, M. Giménez, M. Marquès, B. Iooss, R. Bolado Lavín, F. Pierro, G. Galassi, F. D’Auria & L. Burgazzi
Some insights from the observation of nuclear power plant operators’ management of simulated abnormal situations 2909
M.C. Kim & J. Park
Vital area identification using fire PRA and RI-ISI results in UCN 4 nuclear power plant 2913
K.Y. Kim, Y. Choi & W.S. Jung
Policy decisions
Dealing with nanotechnology: Do the boundaries matter? 3007
S. Brunet, P. Delvenne, C. Fallon & P. Gillon
Factors influencing the public acceptability of the LILW repository 3015
N. Železnik, M. Polič & D. Kos
Risk futures in Europe: Perspectives for future research and governance. Insights from a EU funded project 3023
S. Menoni
Risk management strategies under climatic uncertainties 3031
U.S. Brandt
Safety representative and managers: Partners in health and safety? 3039
T. Kvernberg Andersen, H. Torvatn & U. Forseth
Stop in the name of safety—The right of the safety representative to halt dangerous work 3047
U. Forseth, H. Torvatn & T. Kvernberg Andersen
The VDI guideline on requirements for the qualification of reliability engineers—Curriculum and certification process 3055
U.K. Rakowsky
Public planning
Analysing analyses—An approach to combining several risk and vulnerability analyses 3061
J. Borell & K. Eriksson
Land use planning methodology used in Walloon region (Belgium) for tank farms of gasoline and diesel oil 3067
F. Tambour, N. Cornil, C. Delvosalle, C. Fiévez, L. Servranckx, B. Yannart & F. Benjelloun
Impact of preventive grinding on maintenance costs and determination of an optimal grinding cycle 3183
C. Meier-Hirmer & Ph. Pouligny
Logistics of dangerous goods: A GLOBAL risk assessment approach 3191
C. Mazri, C. Deust, B. Nedelec, C. Bouissou, J.C. Lecoze & B. Debray
Optimal design of control systems using a dependability criteria and temporal sequences evaluation—Application to a railroad transportation system 3199
J. Clarhaut, S. Hayat, B. Conrard & V. Cocquempot
RAM assurance programme carried out by the Swiss Federal Railways SA-NBS project 3209
B.B. Stamenković
RAMS specification for an urban transit Maglev system 3217
A. Raffetti, B. Faragona, E. Carfagna & F. Vaccaro
Safety analysis methodology application into two industrial cases: A new mechatronical system and during the life cycle of a CAF’s high speed train 3223
O. Revilla, A. Arnaiz, L. Susperregui & U. Zubeldia
The ageing of signalling equipment and the impact on maintenance strategies 3231
M. Antoni, N. Zilber, F. Lejette & C. Meier-Hirmer
The development of semi-Markov transportation model 3237
Z. Mateusz & B. Tymoteusz
Valuation of operational architecture dependability using Safe-SADT formalism: Application to a railway braking system 3245
D. Renaux, L. Cauffriez, M. Bayart & V. Benard
Waterborne transportation
A simulation based risk analysis study of maritime traffic in the Strait of Istanbul 3257
B. Özbaş, I. Or, T. Altiok & O.S. Ulusçu
Analysis of maritime accident data with BBN models 3265
P. Antão, C. Guedes Soares, O. Grande & P. Trucco
Collision risk analyses of waterborne transportation 3275
E. Vanem, R. Skjong & U. Langbecker
Complex model of navigational accident probability assessment based on real time
simulation and manoeuvring cycle concept 3285
L. Gucma
Design of the ship power plant with regard to the operator safety 3289
A. Podsiadlo & W. Tarelko
Human fatigue model at maritime transport 3295
L. Smolarek & J. Soliwoda
Modeling of hazards, consequences and risk for safety assessment of ships in damaged
conditions in operation 3303
M. Gerigk
Numerical and experimental study of a reliability measure for dynamic control of floating vessels 3311
B.J. Leira, P.I.B. Berntsen & O.M. Aamo
Reliability of overtaking maneuvers between ships in restricted area 3319
P. Lizakowski
Risk analysis of ports and harbors—Application of reliability engineering techniques 3323
B.B. Dutta & A.R. Kar
Subjective propulsion risk of a seagoing ship estimation 3331
A. Brandowski, W. Frackowiak, H. Nguyen & A. Podsiadlo
The analysis of SAR action effectiveness parameters with respect to drifting search area model 3337
Z. Smalko & Z. Burciu
The risk analysis of harbour operations 3343
T. Abramowicz-Gerigk
Author index 3351
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
Preface
This Conference stems from a European initiative merging the ESRA (European Safety and Reliability Association) and SRA-Europe (Society for Risk Analysis—Europe) annual conferences into the major safety, reliability and risk analysis conference in Europe during 2008. This is the second joint ESREL (European Safety and Reliability) and SRA-Europe Conference, after the 2000 event held in Edinburgh, Scotland.

ESREL is an annual conference series promoted by the European Safety and Reliability Association. The conference dates back to 1989, but was not referred to as an ESREL conference before 1992. The Conference has become well established in the international community, attracting a good mix of academic and industry participants who present and discuss subjects of interest and application across various industries in the fields of safety and reliability.

The Society for Risk Analysis—Europe (SRA-E) was founded in 1987, as a section of SRA International (founded in 1981), to develop a special focus on risk-related issues in Europe. SRA-E aims to bring together individuals and organisations with an academic interest in risk assessment, risk management and risk communication in Europe, and emphasises the European dimension in the promotion of interdisciplinary approaches to risk analysis in science. The annual conferences take place in various countries in Europe in order to enhance access to SRA-E for both members and other interested parties. Recent conferences have been held in Stockholm, Paris, Rotterdam, Lisbon, Berlin, Como, Ljubljana and The Hague.

These conferences come for the first time to Spain, and the venue is Valencia, situated on the east coast by the Mediterranean Sea, which represents a meeting point of many cultures. The host of the conference is the Universidad Politécnica de Valencia.

This year the theme of the Conference is "Safety, Reliability and Risk Analysis. Theory, Methods and Applications". The Conference covers a number of topics within safety, reliability and risk, and provides a forum for the presentation and discussion of scientific papers covering theory, methods and applications for a wide range of sectors and problem areas. Special focus has been placed on strengthening the bonds between the safety, reliability and risk analysis communities, with the aim of learning from the past to build the future.

The Conferences have been growing with time, and this year the programme of the Joint Conference includes 416 papers from prestigious authors coming from all over the world. Originally, about 890 abstracts were submitted. After the review of the full papers by the Technical Programme Committee, 416 have been selected and included in these Proceedings. The effort of the authors and the reviewers guarantees the quality of the work. The initiative and planning carried out by the Technical Area Coordinators have resulted in a number of interesting sessions covering a broad spectrum of topics.
Sebastián Martorell
C. Guedes Soares
Julie Barnett
Editors
Organization
Conference Chairman
Dr. Sebastián Martorell Alsina, Universidad Politécnica de Valencia, Spain
Conference Co-Chairman
Dr. Blás Galván González, University of Las Palmas de Gran Canaria, Spain
Bris R, Czech Republic
Bründl M, Switzerland
Burgherr P, Switzerland
Bye R, Norway
Carlos S, Spain
Castanier B, France
Castillo E, Spain
Cojazzi G, Italy
Contini S, Italy
Cozzani V, Italy
Cha J, Korea
Chozos N, United Kingdom
De Wit S, The Netherlands
Droguett E, Brazil
Drottz-Sjoberg B, Norway
Dutuit Y, France
Escriche I, Spain
Faber M, Switzerland
Fouladirad M, France
Garbatov Y, Portugal
Ginestar D, Spain
Grall A, France
Gucma L, Poland
Hardman G, United Kingdom
Harvey J, United Kingdom
Hokstad P, Norway
Holicky M, Czech Republic
Holloway M, United States
Iooss B, France
Iung B, France
Jonkman B, The Netherlands
Kafka P, Germany
Kahle W, Germany
Kleyner A, United States
Kolowrocki K, Poland
Konak A, United States
Korczak E, Poland
Kortner H, Norway
Kosmowski K, Poland
Kozine I, Denmark
Kulturel-Konak S, United States
Kurowicka D, The Netherlands
Labeau P, Belgium
Le Bot P, France
Limbourg P, Germany
Lisnianski A, Israel
Lucas D, United Kingdom
Luxhoj J, United States
Ma T, United Kingdom
Makin A, Australia
Massaiu S, Norway
Mercier S, France
Navarre D, France
Navarro J, Spain
Nelson W, United States
Newby M, United Kingdom
Nikulin M, France
Nivolianitou Z, Greece
Pérez-Ocón R, Spain
Pesme H, France
Piero B, Italy
Pierson J, France
Podofillini L, Italy
Proske D, Austria
Re A, Italy
Revie M, United Kingdom
Rocco C, Venezuela
Rouhiainen V, Finland
Roussignol M, France
Sadovsky Z, Slovakia
Salzano E, Italy
Sanchez A, Spain
Sanchez-Arcilla A, Spain
Scarf P, United Kingdom
Siegrist M, Switzerland
Sørensen J, Denmark
Storer T, United Kingdom
Sudret B, France
Teixeira A, Portugal
Tian Z, Canada
Tint P, Estonia
Trbojevic V, United Kingdom
Valis D, Czech Republic
Vaurio J, Finland
Yeh W, Taiwan
Zaitseva E, Slovakia
Zio E, Italy
Webpage Administration
Alexandre Janeiro, Instituto Superior Técnico, Portugal

Rafael Pérez Ocón, Universidad de Granada
Ana Isabel Sánchez Galdón, Universidad Politécnica de Valencia
Vicente Serradell García, Universidad Politécnica de Valencia
Gabriel Winter Althaus, Universidad de Las Palmas de Gran Canaria
Sponsored by
Ajuntament de Valencia
Asociación Española para la Calidad (Comité de Fiabilidad)
CEANI
Generalitat Valenciana
Iberdrola
Ministerio de Educación y Ciencia
PMM Institute for Learning
Tekniker
Universidad de Las Palmas de Gran Canaria
Universidad Politécnica de Valencia
Acknowledgements
The conference is organized jointly by the Universidad Politécnica de Valencia, ESRA (European Safety and Reliability Association) and SRA-Europe (Society for Risk Analysis—Europe), under the high patronage of the Ministerio de Educación y Ciencia, the Generalitat Valenciana and the Ajuntament de Valencia.

Thanks also for the support of our sponsors Iberdrola, PMM Institute for Learning, Tekniker, Asociación Española para la Calidad (Comité de Fiabilidad), CEANI and Universidad de Las Palmas de Gran Canaria. The support of all is greatly appreciated.

The work and effort of the peers involved in the Technical Program Committee in helping the authors to improve their papers are greatly appreciated. Special thanks go to the Technical Area Coordinators and the organisers of the Special Sessions of the Conference, for their initiative and planning, which have resulted in a number of interesting sessions. Thanks to authors as well as reviewers for their contributions to the review process. The review process has been conducted electronically through the Conference web page. Support for the web page was provided by the Instituto Superior Técnico.

We would especially like to acknowledge the local organising committee and the conference secretariat and technical support at the Universidad Politécnica de Valencia for their careful planning of the practical arrangements. Their many hours of work are greatly appreciated.

These conference proceedings have been partially financed by the Ministerio de Educación y Ciencia de España (DPI2007-29009-E), the Generalitat Valenciana (AORG/2007/091 and AORG/2008/135) and the Universidad Politécnica de Valencia (PAID-03-07-2499).
Introduction
The Conference covers a number of topics within safety, reliability and risk, and provides a forum for presentation
and discussion of scientific papers covering theory, methods and applications to a wide range of sectors and
problem areas.
Thematic Areas
• Accident and Incident Investigation
• Crisis and Emergency Management
• Decision Support Systems and Software Tools for Safety and Reliability
• Dynamic Reliability
• Fault Identification and Diagnostics
• Human Factors
• Integrated Risk Management and Risk-Informed Decision-making
• Legislative dimensions of risk management
• Maintenance Modelling and Optimisation
• Monte Carlo Methods in System Safety and Reliability
• Occupational Safety
• Organizational Learning
• Reliability and Safety Data Collection and Analysis
• Risk and Evidence Based Policy Making
• Risk and Hazard Analysis
• Risk Control in Complex Environments
• Risk Perception and Communication
• Safety Culture
• Safety Management Systems
• Software Reliability
• Stakeholder and public involvement in risk governance
• Structural Reliability and Design Codes
• System Reliability Analysis
• Uncertainty and Sensitivity Analysis
• Nuclear Engineering
• Offshore Oil and Gas
• Policy Decisions
• Public Planning
• Security and Protection
• Surface Transportation (road and train)
• Waterborne Transportation
Thematic areas
J. Hortal
Spanish Nuclear Safety Council (CSN), Madrid, Spain
ABSTRACT: Over the past years, many Nuclear Power Plant (NPP) organizations have performed Probabilistic Safety Assessments (PSAs) to identify and understand key plant vulnerabilities. As part of enhancing PSA quality, the Human Reliability Analysis (HRA) is key to a realistic evaluation of safety and of the potential weaknesses of a facility. Moreover, it has to be noted that HRA continues to be a large source of uncertainty in PSAs. We developed the SIMulator of PROCedures (SIMPROC) as a tool to simulate events related to human actions and to help the analyst quantify the importance of human actions in the final plant state. Among others, the main goal of SIMPROC is to check whether Emergency Operating Procedures (EOPs) lead to a safe shutdown plant state. The first pilot cases simulated have been MBLOCA scenarios, run with the MAAP4 severe accident code coupled with SIMPROC.
63% were in power operation and the remaining 37% in shutdown operation. Additionally, analyzing the events reported using the International Nuclear Event Scale (INES) during the last decade, most of the major incidents of Level 2 or higher could be attributed to causes related to human performance. Moreover, a study based on a broad set of PSA data states that between 15 and 80% of Core Damage Frequency is related to the execution failure of some operator action (NEA 2004). Reason (Reason 1990), in a study of a dozen significant accidents in the 15 years prior to its publication, including Three Mile Island (TMI), Chernobyl, Bhopal and the fire in the London Underground, concludes that at least 80% of the system failures were caused by humans, especially by inadequate management of maintenance supervision. In addition, it determines that other aspects are relevant, mainly technical inaccuracy or incomplete training in operating procedures. This last aspect is of great importance in the many sectors whose optimization of operation in abnormal or emergency situations is based on strict operating procedures. In this respect, it stands out that four of the investigations carried out by the NRC and nearly 20 of the additional investigations following Three Mile Island (TMI) concluded that intolerable violations of procedures took place. The TMI accident illustrated clearly how the interaction of technical aspects with human and organizational factors can influence the progression of events. After the incident, major research and development efforts have focused on the study of human factors in accident management. The management of accidents includes the actions that the operating crew must perform during beyond design basis accidents, with the objective of maintaining the basic reactor safety functions. Two phases of emergency management are distinguished: the preventive phase, in which the operator's actions are centred on avoiding damage to the core and maintaining the integrity of the installation, and the mitigation phase, in which, once core damage has occurred, operator actions are oriented to reducing the amount of radioactive material that is going to be released. Management of accidents is carried out by following EOPs and Severe Accident Management Guides (SAMGs), and their improvement was one of the activities carried out after the TMI accident.

The accident sequence provides the basis for determining the frequencies and uncertainties of consequences. The essential outcome of a PSA is a quantitative expression of the overall risks in probabilistic terms. The initial approach to importing human factor concerns into engineering practice was to use existing PSA methods and extend them to include human actions. We will use SIMPROC to extend this functionality and include human factors in the plant evolution simulation. This is done in a dynamic way, instead of the static point of view taken by PSA studies.

3 BABIECA-SIMPROC ARCHITECTURE

The final objective of the BABIECA-SIMPROC system is to simulate accidental transients in NPPs taking human actions into account. For this purpose it is necessary to develop an integrated tool that simulates the dynamics of the system. To achieve this we use the BABIECA Simulation Engine to calculate the time evolution of the plant state, and we model the influence of human operator actions by means of SIMPROC. We have modelled the operators' influence over the plant state as a separate module to emphasize the significance of operator actions in the final state of the plant. SIMPROC can be plugged in or unplugged, so that the operator influence over the simulated plant state can be included or omitted and the end states of both cases compared. The final goal of the BABIECA-SIMPROC overall system, integrated in SCAIS, is to simulate Dynamic Event Trees (DET) that describe the time evolution of the accidental sequences generated from a trigger event. During this calculation, potential degradations of the systems must be taken into account, associating them with probabilistic calculations in each sequence. Additionally, the influence of EOP execution is defined for each plant and each sequence. In order to achieve this objective the integrated scheme must have the following features:

1. The calculation framework must be able to integrate other simulation codes (MAAP, TRACE, . . . ). In this case, BABIECA-SIMPROC acts as a wrapper to external codes. This allows working with different codes in the same time line sequence. In case the simulation reaches core damage conditions, it is possible to unplug the best estimate code and plug in a severe accident code to accurately describe the dynamic state of the plant.
2. Be able to automatically generate the DET associated with an initiating event, simulating the dynamic plant evolution.
3. Obtain the probability associated with every possible evolution sequence of the plant.

The whole system is being developed in C++ in order to meet the speed and performance requirements of this kind of simulation. Parallelization was implemented by means of a PVM architecture. Communication with the PostgreSQL database is carried out through the libpq++ library. All the input deck needed to initialize the system is written in standard XML.

The main components of the Global System Architecture can be summarized as follows:

1. DENDROS event scheduler. It is in charge of opening branches of the simulation tree depending on the plant simulation state. DENDROS allows the modularization and parallelization of the tree generation. Calculation of the probability for each branch is based on the truth value of certain logical functions. The scheduler arranges the opening of a branch whenever certain conditions are met, and stops the simulation of any particular branch that has reached an absorbing state. The time when the opening of the new branch occurs can be deterministically fixed by the dynamic conditions (setpoint crossing) or randomly delayed with respect to the time when the branching conditions are reached. The latter option applies especially to operator actions and may include the capability to use several values of the delay time within the same dynamic event tree. The scheduler must know the probability of each branch, calculated in a separate process called Probability Wrapper, in order to decide which branch is suitable for further development. The applications of a tree-structured computation extend beyond the scope of the DETs. In fact, the branch opening and cutoff can obey any set of criteria, not necessarily given by a probability calculation, as for instance sensitivity studies or automatic initialization for Accident Management Strategy analyses. More details on how dynamic event trees are generated and handled, and their advantages for safety analysis applications, are given in another paper presented at this conference (Izquierdo et al. 2008).
2. BABIECA plant simulator. It is adapted to execute the sequence simulation launched by the DENDROS event scheduler. As mentioned previously, BABIECA can wrap other nuclear simulation codes (e.g., MAAP). This simulation code is able to extend the simulation capabilities of BABIECA to the context of severe accidents.
3. SIMPROC procedures simulator. This simulation module allows us to interact with the simulation engine BABIECA to implement the EOPs.
4. Probability engine. It calculates the probabilities and delays associated with the set points of the DET. The initial implementation will be based on PSA calculations, but we have developed a probability wrapper able to use calculations from BDD structures in the future.
5. Global database. It will be used to save data from the different simulation modules, providing restart capability to the whole system and allowing easier handling of the simulation results.

If we focus our attention on the SIMPROC integration, the BABIECA-SIMPROC architecture can be illustrated as in Fig. 1. BABIECA acts as a master code that encapsulates different simulation codes in order to build a robust system with a broad range of application and great flexibility. The BABIECA Driver has its own topology, named BABIECA Internal Modules in Fig. 1. These modules allow us to represent relevant plant systems in great detail. In this publication we focus our attention on the MAAP4 Wrapper, which allows us to connect BABIECA with this severe accident code.

Figure 1. BABIECA-SIMPROC architecture.

The SIMPROC interaction with the system is illustrated in Fig. 2. The process can be summarized in the following steps:

1. BABIECA starts the simulation, and SIMPROC is created when an EOP execution is demanded according to a previously defined set of conditions over plant variables.
2. SIMPROC is initialized with the plant state variables at that time instant. As a previous step, the computerized XML version of the set of EOPs must be introduced in the SIMPROC database.
3. The BABIECA calculation loop starts and the outcomes of EOP executions are modelled as boundary conditions over the system. Each topology block can modify its state according to the specific actions of the SIMPROC EOP execution. Once boundary conditions are defined for the current step, the solution for the next step is calculated for each topology block. The calculation sequence includes continuous variables, discrete variables and event collection for the current time step. Finally, all variable information is saved in the database and, depending on the system configuration, a simulation restart point is set.
4. The procedures simulator SIMPROC does not have its own time step but adapts its execution to the BABIECA pace. Additionally, it is possible to set a default communication time between BABIECA and SIMPROC. This time represents the average time the operator needs to recognize the state of the plant, which is longer than the time step of the simulation.
Figure 3. SIMPROC-BABIECA-MAAP4 connection.
the mentioned transient using MAAP4 alone. After that, the same simulation was run using the BABIECA-SIMPROC system. Finally, the results from both simulations are compared.

$$W = W_{max} \qquad (1)$$

where W is the feed water flow rate. If the water level is above 0.9 z_0, the model applies a limited proportional control in two steps:

1. Proportional control. The resulting feed water flow rate, W, returns the water level to z_0 at a rate proportional to the mismatch,

$$(W - W_s) = \alpha (z - z_0) \qquad (2)$$

The coefficient of proportionality, α in eq. 2, is chosen so that the steam generator inventory becomes correct after a time interval τ, which is set to 100 s at present.
2. A limited flow rate. The feed water flow rate is limited to values between 0 (valve closed) and W_max (valve fully opened).

The other control mode is manual. In this mode, the control tries to hold the water level within an envelope defined by a user-supplied deadband z_DEAD. The feedwater flow rate is set as follows:

$$
W = \begin{cases}
W_{max}, & \text{if } z < z_0 - \dfrac{z_{DEAD}}{2} \\
0, & \text{if } z > z_0 + z_{DEAD} \\
W_{min}, & \text{if } z_0 + \dfrac{z_{DEAD}}{2} < z < z_0 + z_{DEAD} \\
W, & \text{if } z_0 - \dfrac{z_{DEAD}}{2} < z < z_0 + \dfrac{z_{DEAD}}{2}
\end{cases} \qquad (3)
$$

where W_min is the flow rate used on the decreasing part of the cycle. Operation in manual mode results in a sawtooth-like level trajectory which oscillates about the desired level z_0. The parameters used to implement the narrow-band control over the steam generator water level are illustrated in Fig. 4.

To simulate the BABIECA-SIMPROC version of the same transient we must create the XML files needed to define the input deck of the overall system. The first step is to define the topology file for BABIECA to work with. In this file we need to set the block structure of the systems we want to simulate, and we need to specify which blocks are going to be used by SIMPROC to model operator actions over the plant simulation. The EOP has a unique code to identify it in the database, and some tags to include a description of the actions we are going to execute. Moreover, it has a load-delay parameter designed to take into account the time the operator needs from the moment the EOP demand trigger starts until the operator is ready to execute the proper actions.

This simple EOP has only one step, designed to control the Steam Generator Water Level. The main parameters of this step are:

• Skill. Sets the operator profile we want to execute the action. In this example there is a REACTOR profile.
• Texec. Defines the time the operator is going to be busy each time he executes an action.
• Taskload. Defines a percentage to take account of the attention that the operator needs to execute an action properly. The sum of all the taskload parameters of the actions the operator is executing must be less than 100%. In future work, the Texec and Taskload parameters will be obtained from the Probability Engine at execution time, according to probability distributions of human actuation times for the different actions required by EOPs. These time distributions could be obtained from experimental studies.
• Time window. Sets the temporal interval during which the MONITOR is active.
• Targets. Sentences that define the logical behavior of the MONITOR. We tell the MONITOR what it has to do, when and where.

In more complex applications, a great effort must be made in computerizing the specific EOPs of each nuclear plant under study (Expósito and Queral 2003a; Expósito and Queral 2003b). This topic is beyond the scope of this paper.
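As an added example (not code from the paper nor from BABIECA, SIMPROC or MAAP4), the following C++ program implements the two feedwater control modes described above and integrates the water level with a fixed time step, the way the BABIECA master loop does. The thresholds 7.5 m, 12.5 m and 15 m and the flow rates 9.9 kg/s and 7.36 kg/s are the pilot-case values quoted in this paper; the desired level z0 = 10 m, the deadband zDEAD = 5 m, the steam flow Ws = 8.5 kg/s, the inventory-to-level ratio of 100 kg/m and the reading of α as minus that ratio divided by τ are assumptions made for the example, and the case order of eq. (3) follows the reconstruction above, with "W" read as "hold the previous setting". Running it shows the sawtooth of manual mode and the exponential settling of automatic mode over τ.

```cpp
// Added example: not code from the paper or from BABIECA/SIMPROC. A minimal
// model of the two feedwater control modes (eqs. 1-3). The level thresholds
// 7.5 m, 12.5 m and 15 m and the flow rates 9.9 and 7.36 kg/s are the paper's
// pilot-case values; z0, zDEAD, the steam flow and the inventory/level ratio
// are assumptions chosen to reproduce those thresholds.
#include <algorithm>
#include <cmath>
#include <cstdio>

struct FeedwaterParams {
    double w_max  = 9.9;    // kg/s, valve fully open (paper)
    double w_min  = 7.36;   // kg/s, flow on the decreasing part of the cycle (paper)
    double z0     = 10.0;   // m, desired level: assumed so that z0 - zDEAD/2 = 7.5 m
    double z_dead = 5.0;    // m, deadband: assumed so that z0 + zDEAD/2 = 12.5 m, z0 + zDEAD = 15 m
    double w_s    = 8.5;    // kg/s, steam flow: assumed, between w_min and w_max
    double area   = 100.0;  // kg of inventory per metre of level: assumed
    double tau    = 100.0;  // s, settling time of the proportional mode (paper: 100 s)
};

// Automatic mode, eqs. (1)-(2): full flow below 0.9 z0, otherwise a proportional
// correction clamped to the valve range. With the mass balance
// area * dz/dt = W - Ws, choosing alpha = -area / tau makes the level error
// decay with time constant tau, which is how we read "becomes correct after tau".
double autoFlow(const FeedwaterParams& p, double z) {
    if (z < 0.9 * p.z0) return p.w_max;                      // eq. (1)
    double alpha = -p.area / p.tau;
    double w = p.w_s + alpha * (z - p.z0);                    // eq. (2)
    return std::min(std::max(w, 0.0), p.w_max);              // limited flow rate
}

// Manual mode, eq. (3) as reconstructed above. w_prev is the setting carried
// over from the previous step: inside the narrow band the flow is held.
double manualFlow(const FeedwaterParams& p, double z, double w_prev) {
    double half = p.z_dead / 2.0;
    if (z < p.z0 - half)     return p.w_max;   // refill
    if (z > p.z0 + p.z_dead) return 0.0;       // overfill guard
    if (z > p.z0 + half)     return p.w_min;   // decreasing part of the cycle
    return w_prev;                             // hold inside the band
}

struct SimResult {
    double z_min;   // lowest level seen after t_settle
    double z_max;   // highest level seen after t_settle
    int refills;    // number of transitions back to full flow
};

// Explicit Euler integration of the level with a fixed master time step, as in
// the BABIECA loop. The extremes are recorded only after t_settle, so that the
// start-up transient is excluded.
SimResult simulateManual(const FeedwaterParams& p, double z_start, double t_end,
                         double dt, double t_settle) {
    double z = z_start, w = p.w_max;     // assume the valve starts fully open
    SimResult r{z_start, z_start, 0};
    bool tracking = false;
    for (double t = 0.0; t < t_end; t += dt) {
        double w_new = manualFlow(p, z, w);
        if (w_new == p.w_max && w != p.w_max) r.refills++;
        w = w_new;
        z += (w - p.w_s) / p.area * dt;  // mass balance
        if (t >= t_settle) {
            if (!tracking) { r.z_min = r.z_max = z; tracking = true; }
            r.z_min = std::min(r.z_min, z);
            r.z_max = std::max(r.z_max, z);
        }
    }
    return r;
}

// Same integration for the automatic mode; returns the final level.
double simulateAuto(const FeedwaterParams& p, double z_start, double t_end, double dt) {
    double z = z_start;
    for (double t = 0.0; t < t_end; t += dt)
        z += (autoFlow(p, z) - p.w_s) / p.area * dt;
    return z;
}

int main() {
    FeedwaterParams p;
    SimResult r = simulateManual(p, 7.0, 2000.0, 1.0, 900.0);
    std::printf("manual: level oscillates between %.3f m and %.3f m (%d refills in 2000 s)\n",
                r.z_min, r.z_max, r.refills);
    std::printf("automatic: level after 500 s from 9.5 m is %.4f m (z0 = %.1f m)\n",
                simulateAuto(p, 9.5, 500.0, 1.0), p.z0);
    return 0;
}
```

With these assumed values the manual-mode level rises under W_max to just above 12.5 m, falls under W_min to just below 7.5 m and repeats, i.e. the sawtooth about z0 the paper describes; the 15 m cut-off to zero flow is never reached because W_min is below the steam flow. In automatic mode the level error decays by a factor e every τ = 100 s.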
Finally, it is necessary to define the XML simulation files for BABIECA and SIMPROC. The main difference with the previous XML files is that they do not need to be parsed and introduced in the database prior to the simulation execution. They are parsed and stored in memory during the runtime execution of the simulation.

The BABIECA simulation file parameters are:

• Simulation code. Must be unique in the database.
• Start input. Identifies the XML BABIECA topology file linked with the simulation.
• Simulation type. The type of simulation: restart, transient or steady.
• Total time. Final time of the simulation.
• Delta. Time step of the master simulation.
• Save output frequency. Frequency at which the outputs are saved in the database.
• Initial time. Initial time for the simulation.
• Initial topology mode. A topology block can be in multiple operation modes. During a simulation execution some triggers can lead to mode changes that modify the calculation loop of a block.
• Save restart frequency. Frequency at which restart points are saved to back up the simulation evolution.
• SIMPROC active. Flag that allows us to switch on the SIMPROC influence over the simulation.

The main parameters described in the XML SIMPROC simulation file are:

• Initial and end time. These parameters can be different from the ones used in the simulation file and define a time interval for SIMPROC to work in.
• Operator parameters. These are id, skill and slowness. The first two identify the operator and his type, and the latter takes account of his speed in executing the required actions. It is known that this parameter depends on multiple factors like operator experience and training.
• Initial variables. These are the variables that are monitored continuously to identify the main parameters used to evaluate the plant state. Each variable has a procedure code to be used in the EOP description, a BABIECA code to identify the variable inside the topology and a set of logical states.
• Variables. These variables are not monitored in a continuous way but have the same structure as the Initial Variables. They are only updated at SIMPROC's request.

Once we have defined the XML input files, we have met all the required conditions to run the BABIECA-SIMPROC simulation.

Compared simulation results of the MAAP4 simulation and the BABIECA-SIMPROC simulation can be seen in Fig. 5 and Fig. 6. As shown in the figures, the feed water flow rate is set to 9.9 kg/s when SGWL is lower than 7.5 m. This situation occurs in the very first part of the simulation. Then the water level starts to rise, going through the defined dead band until the level reaches 12.5 m. At this point we set FWFR to its minimum value (7.36 kg/s). When SGWL is higher than 15 m, the flow rate is set to zero.

Figure 5. Steam Generator Water Level comparison (black line: MAAP4 output; dashed red line: BABIECA-SIMPROC output).

Figure 6. Mass Flow Rate to the Cold Leg (red line: MAAP4 output; dashed black line: BABIECA-SIMPROC output).

The concordance between MAAP4 and BABIECA-SIMPROC results is good in general. The differences can be explained by the different time steps of the two codes. MAAP4 chooses its time step according to convergence criteria, while BABIECA-SIMPROC has a fixed time step set in the XML BABIECA Simulation File. Additionally, BABIECA-SIMPROC takes into consideration the time needed by the operator to execute each action, whereas the MAAP4 implementation of the operator automatically executes the requested actions.
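The scheduling behaviour implied by the EOP step parameters (Skill, Texec, Taskload, time window, targets), the operator parameters (id, skill, slowness), the EOP load-delay and the BABIECA-SIMPROC communication time can be made concrete with a small C++ model. This is an added example and not SIMPROC's code: the struct names, the linearly falling level trajectory and all numeric values (load delay 30 s, communication time 5 s, Texec 20 s, slowness 1.5, the 7.5 m trigger) are constructed for illustration. It shows the gap between the instant a plant condition demands an EOP and the instant the operator's action becomes effective, which is the difference that the comparison with MAAP4's automatic operator above refers to, and it checks the taskload-sum constraint.

```cpp
// Added example: not code from the paper or from SIMPROC. It models, on a
// BABIECA-style fixed-step loop, how the EOP and operator parameters described
// in the text (load delay, skill, Texec, taskload, time window, slowness and
// the BABIECA-SIMPROC communication time) turn a plant-side EOP demand into an
// action that becomes effective later. All structure names, the level
// trajectory and every numeric value are constructed for the example.
#include <cstdio>
#include <string>
#include <vector>

struct EopStep {
    std::string skill;     // operator profile able to execute the step
    double t_exec;         // s, time the operator is busy with the action (Texec)
    double taskload;       // %, attention the action needs (Taskload)
    double t_win_start;    // s, MONITOR active from ...
    double t_win_end;      // s, ... until
    double trigger_level;  // m, target: act when the monitored level falls below this
};

struct Eop {
    std::string code;              // unique code in the database
    double load_delay;             // s, from the demand trigger until the operator is ready
    std::vector<EopStep> steps;
};

struct Operator {
    std::string id;
    std::string skill;
    double slowness;      // multiplies Texec: 1.0 = nominal speed
    double busy_until;    // s, end of the action currently being executed
};

struct ActionRecord {
    double t_demanded;    // s, when the plant condition first held (-1: never)
    double t_started;     // s, when SIMPROC handed the step to the operator (-1: never)
    double t_effective;   // s, when the action acts on the plant (-1: never)
};

// The paper's constraint: the taskload of the actions an operator is executing
// at the same time must stay below 100 %.
bool taskloadWithinLimit(const std::vector<double>& concurrent_loads) {
    double sum = 0.0;
    for (double l : concurrent_loads) sum += l;
    return sum < 100.0;
}

// Constructed plant trajectory: the level falls from 9 m at 1 cm/s, so it drops
// below 7.5 m at t = 151 s.
double constructedLevel(double t) { return 9.0 - t / 100.0; }

// One EOP step scheduled over a master loop with step dt. SIMPROC is consulted
// only every t_comm seconds (the communication time, longer than dt).
ActionRecord scheduleAction(const Eop& eop, const EopStep& s, Operator& op,
                            double dt, double t_comm, double t_end) {
    ActionRecord rec{-1.0, -1.0, -1.0};
    double next_comm = 0.0;
    for (double t = 0.0; t < t_end; t += dt) {
        double z = constructedLevel(t);
        bool in_window = (t >= s.t_win_start && t <= s.t_win_end);
        if (rec.t_demanded < 0.0 && in_window && z < s.trigger_level)
            rec.t_demanded = t;                       // plant-side trigger
        if (t < next_comm) continue;                  // not a SIMPROC tick
        next_comm += t_comm;
        if (rec.t_demanded < 0.0 || rec.t_started >= 0.0) continue;
        if (t < rec.t_demanded + eop.load_delay) continue;   // operator not ready yet
        if (op.skill != s.skill || t < op.busy_until) continue;
        rec.t_started = t;
        rec.t_effective = t + s.t_exec * op.slowness;
        op.busy_until = rec.t_effective;
    }
    return rec;
}

struct PilotResult { ActionRecord first, second; };

// Two steps with the same trigger handed to one operator: the second cannot
// start until the first has been executed.
PilotResult runPilot(const std::string& operator_skill) {
    Eop eop{"EOP-SG-LEVEL", 30.0, {}};
    eop.steps.push_back({"REACTOR", 20.0, 40.0, 0.0, 1000.0, 7.5});
    eop.steps.push_back({"REACTOR", 20.0, 50.0, 0.0, 1000.0, 7.5});
    Operator op{"OP-1", operator_skill, 1.5, 0.0};
    PilotResult r;
    r.first  = scheduleAction(eop, eop.steps[0], op, 1.0, 5.0, 400.0);
    r.second = scheduleAction(eop, eop.steps[1], op, 1.0, 5.0, 400.0);
    return r;
}

int main() {
    PilotResult r = runPilot("REACTOR");
    std::printf("step 1: demanded %.0f s, started %.0f s, effective %.0f s\n",
                r.first.t_demanded, r.first.t_started, r.first.t_effective);
    std::printf("step 2: started %.0f s, effective %.0f s\n",
                r.second.t_started, r.second.t_effective);
    std::printf("taskload 40 + 50 ok: %d; 60 + 50 ok: %d\n",
                taskloadWithinLimit({40.0, 50.0}), taskloadWithinLimit({60.0, 50.0}));
    return 0;
}
```

With these constructed values the demand occurs at 151 s, the operator picks the step up at the first SIMPROC tick after the 30 s load delay (185 s) and the action acts on the plant at 215 s; an automatic operator of the MAAP4 kind would have acted at 151 s. A second step for the same operator waits until 215 s and becomes effective at 245 s, and an operator whose skill does not match the step never receives it.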
6 CONCLUSIONS

The software tool BABIECA-SIMPROC is being developed. This software package incorporates operator actions in accidental sequence simulations in NPPs. This simulation tool is not intended to evaluate the probability of human errors, but to incorporate into the plant dynamics the effects of those actions performed by the operators while following the operating procedures. Nonetheless, human error probabilities calculated by external HRA models can be taken into account in the generation of dynamic event trees under the control of DENDROS. We have tested this application with a pilot case related to the steam generator water level control during a MBLOCA transient in a Westinghouse PWR NPP. The results have been satisfactory, although further testing is needed. At this stage we are in the process of validation to simulate the complete set of EOPs that are used in a Westinghouse PWR NPP. Moreover, we are extending the capabilities of the system to incorporate TRACE as an external code with its corresponding BABIECA wrapper. When this part of the work is completed, a wider simulation will be available. This will allow analyzing the impact of EOP execution by operators on the final state of the plant, as well as the evaluation of the allowable response times for the manual actions.

ACKNOWLEDGMENTS

The SIMPROC project is partially funded by the Spanish Ministry of Industry (PROFIT Program) and the SCAIS project by the Spanish Ministry of Education and Science (CYCIT Program). Their support is gratefully acknowledged.

We want to show our appreciation to the people who, in one way or another, have contributed to the accomplishment of the project.

NOMENCLATURE

ISA Integrated Safety Analysis
SCAIS Simulation Codes System for Integrated Safety Assessment
PSA Probabilistic Safety Analysis
HRA Human Reliability Analysis
CSN Spanish Nuclear Safety Council
EOP Emergency Operation Procedure
SAMG Severe Accident Management Guide
LOCA Loss of Coolant Accident
DET Dynamic Event Tree
PVM Parallel Virtual Machine
BDD Binary Decision Diagram
XML Extensible Markup Language
SGWL Steam Generator Water Level
FWFR Feed Water Flow Rate

REFERENCES

CSNI (Ed.) (1998). Proceedings from Specialists Meeting Organized: Human performance in operational events. CSNI.
CSNI-PWG1 and CSNI-PWG5 (1997). Research strategies for human performance. Technical Report 24, CSNI.
Expósito, A. and C. Queral (2003a). Generic questions about the computerization of the Almaraz NPP EOPs. Technical report, DSE-13/2003, UPM.
Expósito, A. and C. Queral (2003b). PWR EOPs computerization. Technical report, DSE-14/2003, UPM.
Izquierdo, J.M. (2003). An integrated PSA approach to independent regulatory evaluations of nuclear safety assessment of Spanish nuclear power stations. In EUROSAFE Forum 2003.
Izquierdo, J.M., J. Hortal, M. Sanchez-perea, E. Meléndez, R. Herrero, J. Gil, L. Gamo, I. Fernández, J. Esperón, P. González, C. Queral, A. Expósito, and G. Rodríguez (2008). SCAIS (Simulation Code System for Integrated Safety Assessment): Current status and applications. Proceedings of ESREL 08.
Izquierdo, J.M., C. Queral, R. Herrero, J. Hortal, M. Sanchez-perea, E. Melandez, and R. Muñoz (2000). Role of fast running TH codes and their coupling with PSA tools, in Advanced Thermal-hydraulic and Neutronic Codes: Current and Future Applications. In NEA/CSNI/R(2001)2, Volume 2.
NEA (2004). Nuclear regulatory challenges related to human performance. ISBN 92-64-02089-6, NEA.
Rasmussen, N.C. (1975). Reactor safety study, an assessment of accident risks in U.S. nuclear power plants. NUREG-75/014, WASH-1400.
Reason, J. (1990). Human Error. Cambridge University Press.
Trager, E.A. (1985). Case study report on loss of safety system function events. Technical Report AEOD/C504, Office for Analysis and Evaluation of Operational Data, Nuclear Regulatory Commission (NRC).
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: Crime may be regarded as a major source of social concern in the modern world. Very often increases in crime rates will be treated as headline news, and many people see the ‘law and order’ issue as one of the most pressing in modern society. An example of such issues has been highlighted by the ‘‘Tláhuac’’ incident which occurred in Mexico City on 23 November 2004. The fatal incident occurred when an angry crowd burnt alive two police officers and seriously injured another after mistaking them for child kidnappers. The third policeman, who was finally rescued by colleagues (three and a half hours after the attack began), suffered serious injuries. The paper presents some preliminary results of the analysis of the above incident by applying the MORT (Management Oversight and Risk Tree) technique. The MORT technique may be regarded as a structured checklist in the form of a complex ‘fault tree’ model that is intended to ensure that all aspects of an organization’s management are looked into when assessing the possible causes of an incident. Some other accident analysis approaches may be adopted in the future for further analysis. It is hoped that by conducting such analysis lessons can be learnt so that incidents such as the case of ‘Tláhuac’ can be prevented in the future.
and the possibilities of realising it, that are illegal or socially unacceptable. Lampe and Johansen (2004) attempt to develop a thorough understanding of organised crime by clarifying and specifying the concept of trust in organised crime networks. They propose four typologies that categorise trust as: (a) individualised trust, (b) trust based on reputation, (c) trust based on generalisations, and (d) abstract trust. They show the existence of these types of trust through the examination of illegal markets.

1.1.4 Battering
Chiffriller et al. (2006) discuss the phenomenon called battering, as well as batterer personality and behavioural characteristics. Based on cluster analysis, they developed five distinct profiles of men who batter women, and based on the behavioural and personality characteristics that define each cluster, they establish five categories: (1) pathological batterers, (2) sexually violent batterers, (3) generally violent batterers, (4) psychologically violent batterers, and (5) family-only batterers. The authors discuss the implications of these categories for intervention.

1.1.5 Bullying
Burgess et al. (2006) argue that bullying has become a major public health issue because of its connection to violent and aggressive behaviours that result in serious injury to self and to others. The authors define bullying as a relationship problem in which power and aggression are inflicted on a vulnerable person to cause distress. They further emphasise that teasing and bullying can turn deadly.

1.1.6 Law enforcement
Finckenauer (2004) emphasizes that a major push for the expansion of higher education in crime and justice studies came particularly from the desire to professionalise the police, with the aim of improving police performance. He suggests new and expanded subject-matter coverage. First, criminal-justice educators must recognise that the face of crime has changed: it has become increasingly international in nature. Examples include cyber-crime, drug trafficking, human trafficking, other forms of trafficking and smuggling, and money laundering. Although global in nature, these sorts of crimes have significant state and local impact. The author argues that those impacts need to be recognised and understood by twenty-first-century criminal-justice professors and students. Increasingly, crime and criminals do not respect national borders. As a result, law enforcement and criminal justice cannot be bound and limited by national borders. Second, he emphasises the need to recognise that the role of science in law enforcement and the administration of justice has become increasingly pervasive and much more sophisticated. This role includes such developments as DNA testing and evidence, the use of less-than-lethal weapons, increasingly sophisticated forms of identification, and crimes such as identity theft and a variety of frauds and scams. The use of scientific evidence and expert witnesses is also a significant issue in the prosecution and adjudication of offenders. Third, he puts emphasis on public security and terrorism. This has shaped, and will continue to shape, criminal justice in a variety of ways.
Ratcliffe (2005) emphasises the practice of intelligence-driven policing as a paradigm in modern law enforcement in various countries (e.g., UK, USA, Australia & New Zealand). The author proposes a conceptual model of intelligence-driven policing; the model essentially entails three stages: (1) law enforcement interprets the criminal environment, (2) influences decision-makers, and (3) decision-makers impact on the criminal environment.

1.2 Crime in Mexico City
In 1989 the International Crime Victim Survey (ICVS) was born and since then it has contributed to the international knowledge of crime trends in several countries. It is believed that since its conception standardized victimization surveys have been conducted in more than 70 countries worldwide. The ICVS has been surrounded by a growing interest from both the crime research community and policy makers. Apart from providing internationally standardized indicators for the perception and fear of crime across different socio-economic contexts, it has also contributed an alternative source of data on crime. Similarly, in Mexico, four National Crime Victim Surveys (known as ENSI-1, 2, 3 & 4 respectively) have been conducted since 2001. The surveys are intended to help provide a better knowledge of the levels of crime which affect the safety of Mexican citizens (ICESI 2008). Some key findings of the fourth (i.e., ENSI-4) are summarized in Tables 1 & 2.

Table 1. Victimization (ICESI 2008).
Types of crime | Percentage (%)
Robbery | 56.3
Other types of robbery | 25.8
Assault | 7.2
Theft of items from cars (e.g., accessories) | 2.9
Burglary | 2.4
Theft of cars | 1.5
Other types of crime | 0.4
Kidnappings | 2.1
Sexual offences | 0.8
Other assaults/threat to citizens | 0.6
Table 2. Public’s perceptions of crime (ICESI 2008).
Activities that have been given up by the public in Mexico City | Percentage (%)
The public have given up:
• going out at night | 49.1
• going to the football stadium | 17.1
• going to dinner out | 19.8
• going to the cinema/theater | 21.3
• carrying cash with them | 45.4
• taking public transport | 28.1
• wearing jewellery | 56.0
• taking taxis | 37.0
• carrying credit cards with them | 38.0
• visiting friends or relatives | 30.5
• other | 1.6

Overall, the public’s perception of crime shows that 9 out of 10 citizens feel unsafe in Mexico City. More than half of the population believes that crime has affected their quality of life; for example, Table 2 shows that one in two citizens gave up wearing jewellery, going out at night and taking cash with them.

On 23 November 2004 an angry crowd burnt alive two police officers and seriously injured another after mistaking them for child kidnappers. The third police officer was finally rescued by colleagues three and a half hours after the attack began. (The three police officers were members of the branch called ‘‘Federal Preventive Police’’, known as ‘‘PFP’’. They were under the management of the Federal Police Headquarters; here it will be called FPHQ). The incident occurred at San Juan Ixtayoapan, a neighborhood of approximately 35,000 people on Mexico City’s southern outskirts; however, the incident is better known as the ‘Tláhuac’ case. It is believed that the police officers were taking photographs of pupils at a primary school, where two children had recently gone missing. TV reporters reached the scene before police reinforcements, and live cameras caught a mob beating the police officers. However, the head of the FPHQ said that back-up units were unable to get through for more than three and a half hours because of heavy traffic. The main events are thought to be the following (FIA 2004, 2005):

November 23rd 2004
17:55 hrs. Residents caught the PFP-police officers in plain clothes taking photographs of pupils leaving the school in the San Juan Ixtlayopan neighbourhood.
18:10 hrs. The crowd was told that the three PFP-police officers were kidnappers.
18:25 hrs. One of the PFP-police officers tried to communicate with his superiors at the Headquarters but failed in the attempt. It is believed that the reason was that there was a meeting going on at the time and his superior was unable to attend the call. At about the same time, the crowd cheered and chanted obscenities as they attacked the officers.
18:30 hrs. A first live TV coverage is broadcast.
19:30 hrs. One of the PFP-police officers attempted for the second time to communicate with their superiors; it was broadcast live, and he said ‘‘They are not allowing us to get out, come and rescue us’’.
21:20 hrs. The regional police director from the regional police headquarters (it will be called here RPHQ) was informed that two police officers had been burnt alive; he ordered the back-up units to intervene and rescue the officers.
22:30 hrs. After three and a half hours the bodies of the two PFP-police officers were recovered.

3 THE MANAGEMENT OVERSIGHT RISK TREE (MORT)

The Management Oversight and Risk Tree (MORT) is an analytical procedure for determining causes and contributing factors (NRI-1 2002).
In MORT, accidents are defined as ‘‘unplanned events that produce harm or damage, that is, losses’’ (NRI-1 2002). Losses occur when a harmful agent comes into contact with a person or asset. This contact can occur either because of a failure of prevention or as an unfortunate but acceptable outcome of a risk that has been properly assessed and acted on (a so-called ‘‘assumed risk’’). MORT analysis always evaluates the ‘‘failure’’ route before considering the ‘‘assumed risk’’ hypothesis. In MORT analysis, most of the effort is directed at identifying problems in the control of a work/process and deficiencies in the protective barriers associated with it. These problems are then analysed for their origins in planning, design, policy, etc. In order to use MORT, key episodes in the sequence of events should be identified first; each episode can be characterised as: {a} a vulnerable target exposed to; {b} an agent of harm in the; {c} absence of adequate barriers.
MORT analysis can be applied to any one or more of the episodes identified; it is a choice for you to make in the light of the circumstances particular to your investigation. To identify these key episodes, you will need to undertake a barrier analysis (or ‘‘Energy Trace and Barrier Analysis’’ to give it its full title). Barrier analysis allows MORT analysis to be focussed;
it is very difficult to use MORT, even in a superficial way, without it.

[Figure 1. Basic MORT structure: top event ‘‘Losses’’; beneath it ‘‘Oversights and omissions’’ (AND gate over S ‘‘Specific control factors LTA’’ and M ‘‘Management system factors LTA’’) and ‘‘Assumed risks’’ R1, R2, … Rn. S branches into SA1 ‘‘Incident LTA’’ and SA2 ‘‘Mitigation LTA’’; M into MA1 ‘‘Policy LTA’’, MA2 ‘‘Implementation of policy LTA’’ and MA3 ‘‘Risk assessment system LTA’’; SA1 into SB1 ‘‘Potentially harmful condition’’, SB2 ‘‘Vulnerable people/objects’’, SB3 ‘‘Controls & barriers LTA’’ and SB4 ‘‘Energy flows leading to accident/incident’’.]

3.2 Barrier analysis

The ‘‘Barrier analysis’’ is intended to produce a clear set of episodes for MORT analysis. It is an essential preparation for MORT analysis. The barrier analysis embraces three key concepts, namely: {a} ‘‘energy’’; {b} ‘‘target’’; and {c} ‘‘barrier’’.
‘‘Energy’’ refers to the harmful agent that threatens or actually damages a ‘‘Target’’ that is exposed to it. ‘‘Targets’’ can be people, things or processes—anything, in fact, that should be protected or would be better undisturbed by the ‘‘Energy’’. In MORT, an incident can result either from exposure to an energy flow without injuries or damage, or the damage of a target with no intrinsic value. The ‘‘Barrier’’ part of the title refers to the means by which ‘‘Targets’’ are kept safe from ‘‘Energies’’.
3.3 MORT structure

Figure 1 shows the basic MORT structure. The top event in MORT is labelled ‘‘Losses’’, beneath which are its two alternative causes; i.e., {1} ‘‘Oversights & Omissions’’, {2} ‘‘Assumed risks’’. In MORT all the contributing factors in the accident sequence are treated as ‘‘oversights and omissions’’ unless they are transferred to the ‘‘Assumed risk’’ branch. Input to the ‘‘Oversights and Omissions’’ event is through an AND logic gate. This means that problems that manifest in the specific control of work activities necessarily involve issues in the management process that governs them.
On the other hand, the ‘‘Specific and Management’’ branches are regarded as the two main branches in MORT (see Fig. 2). Specific control factors are broken down into two main classes: {a} those related to the
Figure 7. SD1 branch—‘‘Communication LTA’’. (Red: problems that contributed to the outcome; Green: judged to have been satisfactory).
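The gate logic of Section 3.3 and the colour judgements used on the MORT charts (red: contributed to the outcome; green: satisfactory; blue: more information needed), carried through in code. This is an added example, not code from the paper or from the MORT manual; the tree follows Figure 1, and the leaf judgements are constructed.

```python
"""
Three-valued evaluation of the MORT top structure drawn in Figure 1.
Added example: the tree follows the figure, the judgements are constructed.
"""
RED, GREEN, BLUE = "red", "green", "blue"

# (label, gate, children); a bare string is a leaf that receives a judgement.
MORT_TOP = ("Losses", "OR", [
    ("Oversights and omissions", "AND", [
        ("S: Specific control factors LTA", "OR", [
            ("SA1: Incident LTA", "OR", [
                "SB1: Potentially harmful condition",
                "SB2: Vulnerable people/objects",
                "SB3: Controls & barriers LTA",
                "SB4: Energy flows leading to accident/incident"]),
            "SA2: Mitigation LTA"]),
        ("M: Management system factors LTA", "OR", [
            "MA1: Policy LTA",
            "MA2: Implementation of policy LTA",
            "MA3: Risk assessment system LTA"])]),
    ("Assumed risks", "OR", ["R1", "R2", "Rn"]),
])


def label_of(node):
    return node if isinstance(node, str) else node[0]


def gate_or(values):
    """One red branch makes the event red; blue if nothing is red but a
    branch is still unassessed; green only when every branch is green."""
    if RED in values:
        return RED
    return BLUE if BLUE in values else GREEN


def gate_and(values):
    """All branches red -> red; any green branch -> green; otherwise open."""
    if all(v == RED for v in values):
        return RED
    return GREEN if GREEN in values else BLUE


def evaluate(node, judgements):
    """Colour every event bottom-up.  Leaves without a judgement are blue,
    the colour the charts use for 'find more information'."""
    if isinstance(node, str):
        return {node: judgements.get(node, BLUE)}
    label, gate, children = node
    colours = {}
    for child in children:
        colours.update(evaluate(child, judgements))
    values = [colours[label_of(c)] for c in children]
    colours[label] = (gate_and if gate == "AND" else gate_or)(values)
    return colours


def and_gate_conflicts(node, colours):
    """The AND gate under 'Oversights and omissions' encodes the MORT rule
    that a problem in specific control necessarily involves the management
    system: a red branch next to a green one is a judgement to revisit."""
    if isinstance(node, str):
        return []
    label, gate, children = node
    found = []
    if gate == "AND":
        values = [colours[label_of(c)] for c in children]
        if RED in values and GREEN in values:
            found.append(label)
    for child in children:
        found += and_gate_conflicts(child, colours)
    return found


# Constructed judgements for a first pass over the charts (not the paper's).
FIRST_PASS = {
    "SB1: Potentially harmful condition": GREEN,
    "SB2: Vulnerable people/objects": GREEN,
    "SB3: Controls & barriers LTA": RED,
    "SB4: Energy flows leading to accident/incident": RED,
    "SA2: Mitigation LTA": RED,
    "MA1: Policy LTA": GREEN,
    "MA2: Implementation of policy LTA": RED,
    "MA3: Risk assessment system LTA": BLUE,
    "R1": GREEN,
}
```

With FIRST_PASS both main branches come out red and so does ‘‘Losses’’, while ‘‘Assumed risks’’ stays blue because R2 and Rn are unassessed; judging MA2 and MA3 green instead turns the management branch green and `and_gate_conflicts` reports the AND gate for revisiting.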
blue, to indicate where there is a need to find more
information to properly assess it. Figures 2–11 show
several branches of the MORT chart for the ‘Tlahuac’
incident.
Table 4 summarizes some of the findings in brief
of the third phase identified by the Barrier analysis.
5 DISCUSSION
REFERENCES
Burgess, A.W., Garbarino, C., & Carlson, M.I. 2006. Pathological teasing and bulling turned deadly: shooters and suicide. Victims and Offenders 1: 1–14.
Chiffriller, S.H., Hennessy, J.J., & Zappone, M. 2006. Understanding a new typology of batterers: implications for treatment. Victims and Offenders 1: 79–97.
Davis, P.K., & Jenkins, B.M. 2004. A systems approach to deterring and influencing terrorists. Conflict Management and Peace Science 21: 3–15.
Ekblom, P. 2005. How to police the future: scanning for scientific and technological innovations which generate potential threats & opportunities in crime, policing & crime reduction (Chapter 2). M.J. Smith & N. Tilley (eds), Crime Science—new approaches to prevent & detecting crime: 27–55. Willan Publishing.
Elklit, A. 2002. Attitudes toward rape victims—an empirical study of the attitudes of Danish website visitors. Journal of Scandinavian Studies in Criminology and Crime Prevention 3: 73–83.
FIA, 2004. Linchan a agentes de la PFP en Tláhuac. Fuerza Informativa Azteca (FIA), http://www.tvazteca.com/noticias (24/11/2004).
FIA, 2005. Linchamiento en Tláhuac parecía celebración. Fuerza Informativa Azteca (FIA), http://www.tvazteca.com/noticias (10/01/2005).
Finckenauer, J.O. 2005. The quest for quality in criminal justice education. Justice Quarterly 22 (4): 413–426.
Griffiths, H. 2004. Smoking guns: European cigarette smuggling in the 1990’s. Global Crime 6 (2): 185–200.
Instituto Ciudadano de Estudios Sobre la Inseguridad (ICESI), online www.icesi.org.mx.
Klein, J. 2005. Teaching her a lesson: media misses boys’ rage relating to girls in school shootings. Crime Media Culture 1 (1): 90–97.
Lampe, K.V., & Johansen, P.O. 2004. Organized crime and trust: on the conceptualization and empirical relevance of trust in the context of criminal networks. Global Crime 6 (2): 159–184.
Levenson, N.G., Daouk, M., Dulac, N., & Marais, K. 2003. Applying STAMP in accident analysis. Workshop on the investigation and reporting of accidents.
McCabe, M.P., & Wauchope, M. 2005. Behavioural characteristics of rapists. Journal of Sexual Aggression 11 (3): 235–247.
NRI-1. 2002. MORT User’s Manual. For use with the Management Oversight and Risk Tree analytical logic diagram. Generic edition. Noordwijk Risk Initiative Foundation. ISBN 90-77284-01-X.
Puglia, M., Stough, C., Carter, J.D., & Joseph, M. 2005. The emotional intelligence of adult sex offenders: ability based EI assessment. Journal of Sexual Aggression 11 (3): 249–258.
Ratcliffe, J. 2005. The effectiveness of police intelligence management: A New Zealand case study. Police Practice & Research 6 (5): 435–451.
Santos-Reyes, J., & Beard, A.N. 2008. A systemic approach to managing safety. Journal of Loss Prevention in the Process Industries 21 (1): 15–28.
Schmid, A.P. 2005. Root Causes of Terrorism: Some conceptual Notes, a Set of Indicators, and a Model. Democracy and Security 1: 127–136.
The International Crime Victim Survey (ICVS). Online http://www.unicri.it/wwd/analysis/icvs/index.php.
Tucker, J. 2004. How not to explain murder: a sociological critique of bowling for columbine. Global Crime 6 (2): 241–249.
Van der Schaaf, T.W. 1996. A risk management tool based on incident analysis. International Workshop on Process Safety Management and Inherently Safer process, Proc. Inter. Conf. 8–11 October, Orlando, Florida, USA: 242–251.
I.A. Herrera
Department of Production and Quality Engineering, Norwegian University of Science and Technology,
Trondheim, Norway
R. Woltjer
Department of Computer and Information Science, Cognitive Systems Engineering Lab,
Linköping University, Linköping, Sweden
ABSTRACT: Accident models and analysis methods affect what accident investigators look for, which contributing factors are found, and which recommendations are issued. This paper contrasts the Sequentially Timed Events Plotting (STEP) method and the Functional Resonance Analysis Method (FRAM) for accident analysis and modelling. The main issues addressed in this paper are comparing the established multi-linear method (STEP) with the systemic method (FRAM) and evaluating which new insights the latter systemic method provides for accident analysis in comparison to the former established multi-linear method. Since STEP and FRAM are based on different understandings of the nature of accidents, the comparison of the methods focuses on what we can learn from both methods, how, when, and why to apply them. The main finding is that STEP helps to illustrate what happened, whereas FRAM illustrates the dynamic interactions within socio-technical systems and lets the analyst understand the how and why by describing non-linear dependencies, performance conditions, variability, and their resonance across functions.
the third principle states that the variability of multiple functions may combine in unexpected ways, leading to disproportionately large consequences. Normal performance and failure are therefore emergent phenomena that cannot be explained by solely looking at the performance of system components. Fourth, the variability of a number of functions may resonate, causing the variability of some functions to exceed normal limits, the consequence of which may be an accident. FRAM as a model emphasizes the dynamics and non-linearity of this functional resonance, but also its non-randomness. FRAM as a method therefore aims to support the analysis and prediction of functional resonance in order to understand and avoid accidents.

2 RESEARCH QUESTIONS AND APPROACH

The main question addressed in this paper is which new insights this latter systemic method provides for accident analysis in comparison to the former established multi-linear method. Since the accident analysis methods compared in this paper are based on a different understanding of the nature of accidents, the comparison of the methods focuses on what we can learn from both methods, how, when, and why to apply them, and which aspects of these methods may need improvement.
The paper compares STEP and FRAM in relation to a specific incident to illustrate the lessons learned from each method. The starting point of the study is the incident investigation report. A short description of STEP and FRAM is included. For a more comprehensive description, the reader is referred to Hendrick and Benner (1987; STEP) and Hollnagel (2004; FRAM). Since different methods invite different questions to be asked, it was necessary to interview air traffic controllers, pilots, and accident investigators to acquire more information. The information in this paper was collected through interviews and workshops involving a total of 50 people. The analysis with STEP and FRAM was an iterative process between researchers and operative personnel.

3 SUMMARY OF THE INCIDENT

A Norwegian Air Shuttle Boeing 737-36N with call-sign NAX541 was en-route from Stavanger Sola airport to Oslo Gardermoen airport (OSL). The aircraft was close to Gardermoen and was controlled by Oslo Approach (APP). The runway in use at Gardermoen was 19R. The aircraft was cleared to reduce altitude to 4000 ft. The approach and the landing were carried out by the co-pilot as ‘‘Pilot-Flying’’ (PF) and the captain as ‘‘Pilot Non-Flying’’ (PNF). Shortly after clearance to 4000 ft, the crew was informed that runway 19R was closed because of sweeping and that the landing should take place on runway 19L. The aircraft was guided by air traffic control to land on 19L. Changing the runway from 19R to 19L resulted in a change in the go-around altitude from 4000 ft at 19R to 3000 ft at 19L. The crew performed a quick briefing for a new final approach.
During the last part of the flight, while the aircraft was established on the localizer (LLZ) and glide slope (GS) for runway 19L, the glide slope signal failed. It took some time for the pilots to understand this, as they had not yet switched to tower (TWR) frequency from APP frequency after acknowledging the new frequency. Immediately after the glide path signal disappeared the aircraft increased its descent rate to 2200 ft/min while being flown manually towards LLZ-minima. The aircraft followed a significantly lower approach than intended and was at its lowest only 460 ft over ground level at DME 4,8. The altitude at this distance from the runway should have been 1100 ft higher. The crew initiated go-around (GA) because the aircraft was still in dense clouds and it drifted a little from the LLZ at OSL. However, the crew did not notice the below-normal altitude during approach. Later a new normal landing was carried out.
The executive summary of the Norwegian Accident Investigation Board (AIBN) explains that the investigation was focused on the glide slope transmission, its technical status and information significance for the cockpit instrument systems combined with cockpit human factors. The AIBN understanding of the situation attributes the main cause of the incident to the pilots’ incorrect mental picture of aircraft movements and position. The report concludes that the in-cockpit glide slope capture representation was inadequate. In addition, the report points to a deficiency in the procedure for transfer of responsibility between approach and tower air traffic control (AIBN, 2004).
Five recommendations resulted from the AIBN investigation. The first recommendation is that the responsibility between control centres should be transferred 8 NM before landing or at acceptance of radar hand-over. The second recommendation is related to the certification of avionics displays, advising the verification of the information provided to pilots, with special attention to glide slope and auto-pilot status information. Third, training should take into account glide slope failures after glide slope capture under ILS approach. Fourth, Oslo airport should consider the possibility of providing radar information to the tower controller to be able to identify approach path deviations. The last recommendation is for the airline to consider situational awareness aspects in the crew resource management (CRM) training.
[Figure 1. Excerpt of the STEP worksheet for the NAX541 incident: time line marks 14:42:36, 14:42:55, 14:42:57 and 14:44:02 along the top, actors in the rows (e.g. Gardermoen TWR control: ‘‘TWR informs AC-2 G/S fail’’ at 14:42:57); triangle 1 marks a safety problem.]
4 SEQUENTIAL TIMED EVENTS PLOTTING

STEP provides a comprehensive framework for accident investigation from the description of the accident process, through the identification of safety problems, to the development of safety recommendations. The first key concept in STEP is the multi-linear event sequence, aimed at overcoming the limitations of the single linear description of events. This is implemented in a worksheet with a procedure to construct a flowchart to store and illustrate the accident process. The STEP worksheet is a simple matrix. The rows are labelled with the names of the actors on the left side. The columns are labelled with marks across a time line.
Secondly, the description of the accident is performed by universal event building blocks. An event is defined as one actor performing one action. To ensure that there is a clear description, the events are broken down until it is possible to visualize the process and be able to understand its proper control. In addition, it is necessary to compare the actual accident events with what was expected to happen.
A third concept is that the events flow logically in a process. This concept is achieved by linking arrows to show proceed/follow and logical relations between events. The result of the third concept is a cascading flow of events representing the accident process from the beginning of the first unplanned change event to the last connected harmful event on the STEP worksheet.
The organization of the events is developed and visualized as a ‘‘mental motion picture’’. The completeness of the sequence is validated with three tests. The row test verifies that there is a complete picture of each actor’s actions through the accident. The column test verifies that the events in the individual actor rows are placed correctly in relation to other actors’ actions. The necessary and sufficient test verifies that the early action was indeed sufficient to produce the later event; otherwise more actions are necessary.
The STEP worksheet is used to provide a link between the recommended actions and the accident. The events represented in STEP are related to normal work and help to predict future risks. The safety problems are identified by analysing the worksheet to find event sets that constitute the safety problem. The identified safety problems are marked as triangles in the worksheet. These problems are evaluated in terms of severity. Then, they are assessed as candidates for recommendations. A STEP change analysis procedure is proposed to evaluate recommendations. Five activities constitute this procedure: the identification of countermeasures to safety problems, the ranking of the safety effects, assessment of the trade-offs involved, the selection of the best recommendations and a quality check.

5 APPLICATION OF STEP TO NAX541

The incident is illustrated by a STEP diagram. Due to page and paper limitations, Figure 1 illustrates a small part of the STEP diagram that was created based on the incident report. In Figure 1, the time line is along the X-axis and the actors are on the Y-axis. An event is considered to mean an actor performing one action. The events are described in event building blocks, for example ‘‘APP request to A/C to change to TWR frequency’’. An arrow is used to link events. Safety problems are illustrated on the top line by triangles in the incident process. Three such problems were identified: 1) no communication between aircraft 1 (NAX541) and tower (triangle 1 in Figure 1); 2) changed roles between PF and PNF not coordinated; and 3) pilots not aware of low altitude (2 and 3 not shown in the simplified figure).

6 FUNCTIONAL RESONANCE ANALYSIS METHOD

FRAM promotes a systemic view for accident analysis. The purpose of the analysis is to understand the characteristics of system functions. This method takes into account the non-linear propagation of events based on the concepts of normal performance variability and functional resonance. The analysis consists of four steps (that may be iterated):
Step 1: Identifying essential system functions, and characterizing each function by six basic parameters. The functions are described through six aspects, in terms of their input (I, that which the function uses or transforms), output (O, that which the function produces), preconditions (P, conditions that must be fulfilled to perform a function), resources (R, that which the function needs or consumes), time (T, that which affects time availability), and control (C, that which supervises or adjusts the function), and may be described in a table and subsequently visualized in a hexagonal representation (FRAM module, Figure 2). The main result from this step is a FRAM ‘‘model’’ with all basic functions identified.
Step 2: Characterizing the (context dependent) potential variability through common performance conditions. Eleven common performance conditions (CPCs) are identified in the FRAM method to be used to elicit the potential variability: 1) availability of personnel and equipment, 2) training, preparation, competence, 3) communication quality, 4) human-machine interaction, operational support, 5) availability of procedures, 6) work conditions, 7) goals, number and conflicts, 8) available time, 9) circadian rhythm, stress, 10) team collaboration, and 11) organizational quality. These CPCs address the combined human, technological, and organizational aspects of each function. After identifying the CPCs, the variability needs to be determined in a qualitative way in terms of stability, predictability, sufficiency, and boundaries of performance.
Step 3: Defining the functional resonance based on possible dependencies/couplings among functions and the potential for functional variability. The output of the functional description of step 1 is a list of functions each with their six aspects. Step 3 identifies instantiations, which are sets of couplings among functions for specified time intervals. The instantiations illustrate how different functions are active in a defined context. The description of the aspects defines the potential links among the functions. For example, the output of one function may be an input to another function, or produce a resource, fulfil a pre-condition, or enforce a control or time constraint. Depending on the conditions at a given point in time, potential links may become actual links and hence produce an instantiation of the model for those conditions. The potential links among functions may be combined with the results of step 2, the characterization of variability. That is, the links specify where the variability of one function may have an impact, or may propagate. This analysis thus determines how resonance can develop among functions in the system. For example, if the output of a function is unpredictably variable, another function that requires this output as a resource may be performed unpredictably as a consequence. Many such occurrences and propagations of variability may have the effect of resonance; the added variability under the normal detection threshold becomes a ‘signal’, a high risk or vulnerability.
Step 4: Identifying barriers for variability (damping factors) and specifying required performance monitoring. Barriers are hindrances that may either prevent an unwanted event from taking place, or protect against the consequences of an unwanted event. Barriers can be described in terms of barrier systems (the organizational and/or physical structure of the barrier) and barrier functions (the manner by which the barrier achieves its purpose). In FRAM, four categories of barrier systems are identified: 1) physical barrier systems block the movement or transportation of mass, energy, or information, 2) functional barrier systems set up pre-conditions that need to be met before an action (by human and/or machine) can be undertaken, 3) symbolic barrier systems are indications of constraints on action that are physically present and 4) incorporeal barrier systems are indications of constraints on action that are not physically present. Besides recommendations for barriers, FRAM is aimed at specifying recommendations for the monitoring of performance and variability, to be able to detect undesired variability.
22
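The four steps above can be made concrete with a small executable model. The following Python is an added illustration written for this edition, not code from the paper or from the FRAM method's authors: each function carries its six aspects as sets of state labels (step 1), a potential coupling exists wherever a state produced as the Output of one function is named in a consuming aspect of another (step 3), and an instantiation for a time interval keeps only the couplings whose state actually holds in that interval, while listing the functions whose preconditions are not met. The functions and the link labels (1)–(6) and (a)–(c) come from the paper's Figure 3 instantiation of the NAX541 incident; the exact wording of the states and the choice of which states hold during 14:42:37–14:43:27 are my reading of the paper's walkthrough and are assumptions, as is the reduction to eight of the 19 functions.

```python
from dataclasses import dataclass, field

# The six FRAM aspects; "output" is the producing side, the other five consume.
ASPECTS = ("input", "output", "precondition", "resource", "time", "control")


@dataclass
class Function:
    """A FRAM function described by its six aspects, each a set of state labels."""
    name: str
    input: set = field(default_factory=set)
    output: set = field(default_factory=set)
    precondition: set = field(default_factory=set)
    resource: set = field(default_factory=set)
    time: set = field(default_factory=set)
    control: set = field(default_factory=set)


def couplings(functions):
    """Step 3, potential couplings: every (producer, state, consumer, aspect)
    where a state in the Output of one function is named in a consuming
    aspect of another function."""
    links = []
    for producer in functions:
        for state in sorted(producer.output):
            for consumer in functions:
                if consumer is producer:
                    continue
                for aspect in ASPECTS:
                    if aspect != "output" and state in getattr(consumer, aspect):
                        links.append((producer.name, state, consumer.name, aspect))
    return links


def instantiate(functions, active_states):
    """An instantiation for one time interval: the couplings whose state holds
    in that interval, plus a map of functions to the preconditions that are
    not met (the FRAM reading of why a function has not happened yet)."""
    active = [link for link in couplings(functions) if link[1] in active_states]
    blocked = {}
    for f in functions:
        missing = sorted(f.precondition - set(active_states))
        if missing:
            blocked[f.name] = missing
    return active, blocked


def nax541_model():
    """Illustrative subset of the paper's functions (assumed wording); state
    labels carry the link numbers and letters used in Figure 3."""
    return [
        Function("Oslo APP control",
                 input={"transfer acknowledged to APP (3)"},
                 output={"contact TWR on TWR frq (1)"}),
        Function("Receiving radio communication",
                 input={"contact TWR on TWR frq (1)", "TWR informs of G/S failure (b)"},
                 precondition={"on frequency of responsible centre (4)"},
                 output={"transfer requested to TWR frq (2)",
                         "pilot informed of G/S failure (5)"}),
        Function("Transmitting radio communication",
                 precondition={"transfer requested to TWR frq (2)",
                               "on frequency of responsible centre (4)"},
                 output={"transfer acknowledged to APP (3)", "flight on TWR frq (6)"}),
        Function("Change APP frq to TWR frq",
                 precondition={"transfer requested to TWR frq (2)"},
                 output={"on frequency of responsible centre (4)"}),
        Function("Glide slope transmission",
                 resource={"G/S transmitting equipment"},
                 output={"G/S signal", "no G/S signal (a)"}),
        Function("Gardermoen TWR control",
                 input={"no G/S signal (a)", "flight on TWR frq (6)"},
                 output={"TWR informs of G/S failure (b)"}),
        Function("Auto-pilot approach",
                 precondition={"G/S signal"},
                 output={"A/P disconnected (c)"}),
        Function("Manual approach",  # aspects as in the paper's Table 1
                 input={"GPWS alarms", "pilot informed of G/S failure (5)"},
                 precondition={"A/P disconnected (c)"},
                 resource={"Pilot Flying", "Pilot Non Flying"},
                 time={"ETTO, time available varies"},
                 control={"SOPs"},
                 output={"altitude relative to approach path"}),
    ]


def nax541_instantiation():
    """States assumed to hold during 14:42:37-14:43:27: the transfer was
    requested and acknowledged (1-3), G/S was lost (a), TWR informed the
    other aircraft (b) and the A/P disconnected (c). The crew was still on
    the APP frequency, so (4), (5) and (6) do not hold."""
    active_states = {
        "contact TWR on TWR frq (1)", "transfer requested to TWR frq (2)",
        "transfer acknowledged to APP (3)", "no G/S signal (a)",
        "TWR informs of G/S failure (b)", "A/P disconnected (c)",
    }
    return instantiate(nax541_model(), active_states)


if __name__ == "__main__":
    active, blocked = nax541_instantiation()
    for producer, state, consumer, aspect in active:
        print(f"{producer} --[{state}]--> {consumer}.{aspect}")
    for name, missing in blocked.items():
        print(f"not instantiable: {name}, unmet precondition(s) {missing}")
```

Running it lists the seven active couplings and reports ‘Receiving radio communication’ and ‘Transmitting radio communication’ as held back by the unmet frequency precondition (4), which is the paper's explanation for the delayed links (5) and (6); the auto-pilot approach is held back by the missing G/S signal, which is what hands the approach over to the manual function.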
The operative areas and functions for this particular incident are:
– Crew operations: Change Runway (RWY) to 19L, New final approach briefing, Auto-pilot approach (APP), Change APP frequency (frq) to TWR frq, Manual approach, GO-AROUND, Landing, Approach, Receiving radio communication, Transmitting radio communication
– Avionics functions: Disconnect Autopilot (A/P), Electronic Flight Instrument (EFIS), Ground Proximity Warning System (GPWS)
– Air traffic control: Oslo APP control, RWY sweeping, Glideslope transmission, Gardermoen TWR control
– Aircraft in the vicinity: AC-2 communication, AC-3 communication
The NAX541 incident report contains information that helps to define aspects of functional performance. Essential functions are described with these aspects. Table 1 shows an example of the aspects of the function ‘‘Manual Approach’’. Similar tables were developed for 18 other functions.
In step 2 the potential for variability is described using a list of common performance conditions (CPCs). Table 2 presents an example of CPCs for the function ‘‘Manual Approach’’. The description of variability is based on the information registered in the incident report combined with a set of questions based on the CPCs. Since little of this information regarding variability was available, it was necessary to interview operational personnel (air traffic controllers, pilots). An example: for the CPC ‘HMI, operational support’ a question was how aware pilots are of these EFIS/GPWS discrepancies; a pilot stated ‘‘Boeing manuals explain which information is displayed, it is normal to have contradictory information. In this case an understanding of the system as a whole is required. Pilots need to judge relevant information for each situation.’’ An additional example of questions, for the function ‘‘Runway change’’, was whether it is normal and correct to request a runway change at such short notice. The interviews identified that there are no formal operational limits for tower air traffic controllers, but for pilots there are. Thus an understanding of performance and variability was obtained.

Table 1. A FRAM module function description (function: Manual approach).
Aspect | Description
Input | GPWS alarms, pilot informed of G/S failure
Output | Altitude in accordance with approach path, altitude lower/higher than flight path
Preconditions | A/P disconnected
Resources | Pilot Flying, Pilot Non Flying
Time | Efficiency Thoroughness Trade-Off, time available varies
Control | SOPs

Table 2. Manual Flight Approach CPCs (function: Manual approach).
CPC | Performance conditions | Rating
Availability of resources (personnel, equipment) | | Adequate
Training, preparation, competence | PF little experience on type | Temporarily inadequate
Communication quality | Delay to contact tower | Inefficient
HMI, operational support | Unclear alerts | Inadequate
Availability of procedures | | Adequate
Work conditions | Interruptions? | Temporarily inadequate?
Number of goals, conflicts | Overloaded | More than capacity
Available time | Task synchronisation | Temporarily inadequate
Circadian rhythm | | Adjusted
Team collaboration | Switched roles | Inefficient
Organizational quality | |

In step 3 links among functions are identified for certain time intervals. States are identified to be valid during specific time intervals, which define links among the aspects of functions, hence instantiate the model. An example instantiation is presented in Figure 3, where some of the links during the time interval 14:42:37–14:43:27 of the incident are described as an instantiation of the FRAM that resulted from step 1. Many more such instantiations may be generated, but here only one example can be shown.
To understand the events in relation to links and functions in this instantiation, numbers 1–5 and letters a-d have been used to illustrate two parallel processes. Following the numbers first, the APP controller communicates to the pilot that they should contact TWR at the TWR frequency (1). This is an output of ‘Oslo APP control’, and an input to ‘Receiving radio communication’. This latter function thus has as output the state that transfer is requested to the TWR frequency (2), which matches the preconditions of ‘Change APP frq to TWR frq’ and ‘Transmitting radio communication’. The fulfilment of this precondition triggers the pilots to acknowledge the transfer to TWR to the APP controller (3), an output of the transmitting function,
Figure 3. A FRAM instantiation during the time interval 14:42:37–14:43:27 with incident data. (Diagram not reproduced. Swim lanes: A/C-1 pilot and A/C functions, A/C-1 avionics, Oslo APP control, Gardermoen TWR control, ground equipment. Functions shown: Change APP frq to TWR frq, Manual approach, Auto-pilot approach, Transmitting radio comm, Receiving radio comm, Glide slope transmission. Labelled links: 1) APP-Pilot: contact TWR on TWR frq; 2) Transfer requested to TWR frq; 3) Pilot-APP: to TWR frq; 4) Frequency still set to APP; 5,d) Pilot informed of G/S failure; 6) Pilot-TWR: Flight on TWR frq; a) no G/S signal (14:42:55); b) TWR-pilot: inform a/c of G/S failure; c) A/P disconnected; X) Proactive TWR-APP comm: check frequency change.)
input to ‘Oslo APP control’. The pilots however do not switch immediately after the transfer is requested, hence the output is that the frequency is still set to APP, for a much longer time than would be intended (indicated by the red ‘O’), and the pilots do not contact TWR (6) until much later. This has consequences for the precondition of receiving/transmitting (4), which is being on the same frequency as the control centre that has responsibility for the flight. With the delay in frequency change, the link that the pilot is informed of the G/S failure (5) is also delayed.
At about the same time, following the letters in Figure 3, ‘Glide slope transmission’ changes output to that there is no G/S signal at 14:42:55 (a), because of a failure of the G/S transmitting equipment (a resource, R in red). This makes the TWR controller inform pilots on the TWR frequency of the G/S failure (b), excluding the incident aircraft crew because of the unfulfilled precondition of link (4), delaying the point at which the pilot is informed of the G/S failure (d). Concurrently, the loss of G/S no longer fulfils the precondition of the auto-pilot function, with the resulting output of A/P being disconnected (c) about half a minute after G/S loss. This in turn no longer fulfils the precondition of an auto-pilot approach and instead matches the precondition for a manual approach. All of this in turn results in variability on the manual approach, e.g. with decreased availability of time, inadequate control because of PF-PNF collaboration problems, and inadequate resources (e.g. displays with unclear indications of A/P and G/S), resulting in highly variable performance (output) of the manual approach.
Step 4 addresses barriers to dampen unwanted variability, and performance variability monitoring where variability should not be dampened. AIBN recommendations could be modelled as barrier systems and barrier functions, e.g. ‘‘Responsibility between control centres should be transferred 8 NM before landing, or at acceptance by radar hand over.’’ (AIBN, p. 31, our translation). In FRAM terminology this can be
described as an incorporeal prescribing barrier. This barrier would have an effect on the variability of the APP and TWR control functions through the aspect of control and the links between input and output in various instantiations describing communication and transfer of responsibility. New suggestions for barriers also result from the FRAM. For example, a proactive communication from TWR to APP when a flight does not report on frequency would link their output and input (see link (X) in Figure 3), triggering instantiations of links 1–6 so that control and contact are re-established. This barrier may be implemented in various systems and functions, such as through regulation, training, procedures, checklists, display design, etc. The FRAM also points to the interconnectivity of air traffic control and pilot functions, suggesting joint training of these operators with a wide range of variability in the identified functions. As with any method, FRAM enables the suggestion of barriers (recommendations), which need to be evaluated by domain experts in terms of feasibility, acceptability, and cost effectiveness, among other factors.
The FRAM and the instantiations that were created here also point to the future development of indicators for matters such as overload and loss of control when the cockpit crew has significant experience differences.

8 COMPARISON

Accident models, implicitly underlying an analysis or explicitly modelling an adverse event, influence the elicitation, filtering, and aggregation of information. Then, what can we learn from the applications of STEP and FRAM to this incident?
STEP is relatively simple to understand and provides a clear picture of the course of the events. However, STEP only asks the question of which events happened in the specific sequence of events under analysis. This means that events mapped in STEP are separated from descriptions of the normal functioning of socio-technical systems and their contexts. For example, the STEP diagram illustrates that the PNF’s switch to TWR frequency was delayed, but not why. Instead, STEP only looks for failures and safety problems, and highlights sequence and interaction between events. FRAM refrains from looking for human errors and safety problems but tries to understand why the incident happened. Since FRAM addresses both normal performance variability and the specifics of an adverse event, FRAM broadens data collection of the analysis compared to a STEP-driven analysis: thus the development of the incident is contextualized in a normal socio-technical environment. Through asking questions based on the common performance conditions and linking functions in instantiations, FRAM identified additional factors, and the context of why performance varied becomes apparent. For example, the operational limits for runway change for different operators were discussed; the question of why the frequency change was delayed gets answered based on the normal variability in pilot-first-officer interaction patterns in cases of experience difference; the pilots’ unawareness of the low altitude is understandable with regard to variability related to e.g. team collaboration and human-machine interface issues.
STEP provides a ‘‘mental motion picture’’ (Hendrick & Benner, 1987, p. 75) illustrating sequences of events and interactions between processes, indicating what happened when. FRAM instead sketches a ‘functional slide show’ with its illustrations of functions, aspects, and emerging links between them in instances, indicating the what and when, and common performance conditions, variability, and functional resonance, indicating why. FRAM’s qualitative descriptions of variability provide more gradations in the description of functions than the bimodal (success/failure) descriptions typical for STEP.
In relation to the question of when each method should be used, the type of incident and system to be analysed needs to be taken into account. STEP is suited to describe tractable systems, where it is possible to completely describe the system, the principles of functioning are known and there is sufficient knowledge of key parameters. FRAM is better suited for describing tightly coupled, less tractable systems (Hollnagel, 2008b), of which the system described in this paper is an example. Because FRAM does not focus only on weaknesses but also on normal performance variability, it provides a more thorough understanding of the incident in relation to how work is normally performed. Therefore the application of FRAM may lead to a more accurate assessment of the impact of recommendations and the identification of previously unexplored factors that may have a safety impact in the future. While chain-of-events models are suited for component failures or when one or more components failed, they are less adequate to explain systems accidents (Leveson, 2001). This can be seen in the STEP-FRAM comparison here. The STEP diagram focuses on events and does not describe the systems aspects: the understanding of underlying systemic factors affecting performance is left to experts’ interpretation. FRAM enables analysts to model these systemic factors explicitly.

9 CONCLUSIONS AND PRACTICAL IMPLICATIONS

This paper presented two accident analysis methods: the multi-sequential STEP and the systemic FRAM. The question of how to apply these methods was addressed
by discussing the steps of the methods, illustrated by applying these methods to a missed approach incident. This paper concluded that FRAM provides a different explanation about how events are a result of variability of normal performance and functional resonance, compared to STEP. The main finding is that STEP helps to illustrate what happened, whereas FRAM covers what happened and also illustrates the dynamic interactions within the socio-technical system and lets the analyst understand the how and why by describing non-linear dependencies, performance conditions and variability, and their resonance across functions. Another important finding is that it was possible to identify additional factors with FRAM. STEP interpretations and analysis depend on investigator experience, whereas FRAM introduces questions for systemic factors and enables the explicit identification of other relevant aspects of the accident. The example also illustrates how unwanted variability propagates, such as the information about G/S failure and the undesired resonance with the differences in pilots’ experience. However, several incidents in different contexts would need to be analysed to validate and generalize these findings.
Two practical implications are found. The first is that FRAM provides new ways of understanding failures and successes, which encourages investigators to look beyond the specifics of the failure under analysis into the conditions of normal work. The second is that it models and analyses an intractable socio-technical system within a specific context. While FRAM as a model has been accepted in the majority of discussions with practitioners, and seems to fill a need for understanding intractable systems, FRAM as a method is still young and needs further development. This paper has contributed to the development of the method by outlining a way to illustrate instantiations for a limited time interval. An additional need is the identification of normal and abnormal variability, which this paper has addressed briefly. Remaining challenges include a more structured approach to generating recommendations in terms of barriers and indicators, as well as evaluating how well FRAM is suited as a method to collect and organize data during early stages of accident investigation.

ACKNOWLEDGEMENTS

This work has benefited greatly from the help and support of several aviation experts and the participants in the 2nd FRAM workshop. We are particularly grateful to the investigators and managers of the Norwegian Accident Investigation Board who commented on a draft of the model. Thanks to Ranveig K. Tinmannsvik, Erik Jersin, Erik Hollnagel, Jørn Vatn, Karl Rollenhagen, Kip Smith, Jan Hovden and the conference reviewers for their comments on our work.

REFERENCES

AIBN. 2004. Rapport etter alvorlig luftfartshendelse ved Oslo Lufthavn Gardermoen 9. Februar 2003 med Boeing 737-36N, NAX541, operert av Norwegian Air Shuttle. Aircraft Investigation Board Norway, SL RAP.:20/2004.
Amalberti, R. 2001. The paradoxes of almost totally safe transportation systems. Safety Science, 37, 109–126.
Dekker, S.W.A. 2004. Ten questions about human error: A new view of human factors and system safety. Mahwah, NJ: Lawrence Erlbaum.
Hendrick, K. & Benner, L. 1987. Investigating accidents with STEP. New York: Marcel Dekker.
Hollnagel, E. 2004. Barriers and accident prevention. Aldershot, UK: Ashgate.
Hollnagel, E. 2008a. From FRAM to FRAM. 2nd FRAM Workshop, Sophia-Antipolis, France.
Hollnagel, E. 2008b. The changing nature of risks. Ecole des Mines de Paris, Sophia Antipolis, France.
Hollnagel, E., Pruchnicki, S., Woltjer, R. & Etcher, S. 2008. Analysis of Comair flight 5191 with the Functional Resonance Accident Model. Proc. of the 8th Int. Symp. of the Australian Aviation Psychology Association, Sydney, Australia.
Leveson, N. 2001. Evaluating accident models using recent aerospace accidents. Technical Report, MIT Dept. of Aeronautics and Astronautics.
Perrow, C. 1999. Normal accidents. Living with high risk technologies. Princeton: Princeton University Press. (First issued in 1984).
Rochlin, G.I. 1999. Safe operation as a social construct. Ergonomics, 42, 1549–1560.
Woods, D.D. & Cook, R.I. 2002. Nine steps to move forward from error. Cognition, Technology & Work, 4, 137–144.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
R.V. Gagliardi
ISPESL Department of Industrial Plants and Human Settlements, Rome, Italy
G. Astarita
Federchimica Italian Federation of Chemical Industries, Milan, Italy
ABSTRACT: Near misses are considered to be an important warning that an accident may occur and therefore
their reporting and analysis may have a significant impact on industrial safety performances, above all for those
industrial sectors involving major accident hazards. From this perspective, the use of a specific information
system, including a database ad hoc designed for near misses, constitutes an appropriate software platform
that can support company management in collecting, storing and analyzing data on near misses, and also
implementing solutions to prevent future accidents. This paper describes the design and the implementation of
such a system, developed in the context of a cooperation agreement with the Italian Chemical Industry Federation.
This paper also illustrates the main characteristics and utilities of the system, together with future improvements
that will be made.
Industry Federation. The various steps undertaken for the development of such a system, involved in recording near misses in the Italian chemical industry, are presented below.

2 FRAMEWORK FOR A NATIONWIDE APPROACH

2.1 Legislative background

As a preliminary remark, from a legislative perspective, the recommendation that Member States report near misses to the Commission’s Major Accident Reporting System (MARS) on a voluntary basis has been introduced by the European Directive 96/82/EC ‘‘Seveso II’’. This is in addition to the mandatory requirements of major accident reporting. More specifically, annex VI of the Directive, in which the criteria for the notification of an accident to the Commission are specified, includes a recommendation that near misses of particular technical interest for preventing major accidents and limiting their consequences should be notified to the Commission. This recommendation is included in the Legislative Decree n. 334/99 (Legislative Decree n. 334, 1999), the national law implementing the Seveso II Directive in Italy.
In addition, further clauses regarding near misses are included in the above mentioned decree, referring to the provisions concerning the contents of the Safety Management System in Seveso sites. In fact, the Decree states that one of the issues to be addressed by operators in the Safety Management System is the monitoring of safety performances; this must be reached by taking into consideration, among other things, the analysis of near misses, functional anomalies, and corrective actions assumed as a consequence of near misses.

2.2 State of the art

Although legislation clearly introduces the request for the reporting of near misses, the present situation in Italy is that this activity is carried out not on a general basis but only by a number of companies, which use their own databases to share learning internally. It should also be noted that similar initiatives in this field have been undertaken by public authorities, in some cases at a regional level. However, a wider, more systematic and nationwide approach for the identification, reporting and analysis of near misses is lacking. To fill this gap a common software platform, not specific to each individual situation, facilitating the dissemination of information between different establishments as well as different industrial sectors, must be implemented. Therefore, based on the assumption that a similar approach can benefit the whole industrial sector involving major accident hazards, the development of an informative system for the collection and analysis of near misses in the chemical process industry has been undertaken at a national level. This is thanks to a strong cooperation agreement between the Italian National Institute for Prevention and Safety at Work (ISPESL) and Federchimica. ISPESL is a technical-scientific institution within the Ministry of Health, which supports Italian Competent Authorities in the implementation of the Seveso legislation in Italy; in recent decades it has acquired wide expertise in post major accident investigations and reporting activities, as well as in the inspection of establishments which are subject to the Seveso legislation. Federchimica is the Italian federation of chemical industries and comprises more than 1300 companies, including several establishments which are subject to the Seveso legislation. In Italy, Federchimica leads the ‘‘Responsible Care’’ voluntary worldwide programme for the improvement of health, safety and environmental performances in the chemical industry. The authors of this paper hope that a joint effort in the field of near miss reporting and investigation, incorporating different expertise and perspectives from ISPESL and Federchimica, could result in a real step forward in industrial safety enhancement.

3 SYSTEM DESIGN AND REQUIRED ATTRIBUTES

In the context of the above mentioned cooperation agreement, an informative system has been developed consisting of web based software and a database designed for near misses. The system is specifically directed towards companies belonging to Federchimica which have scientific knowledge and operating experience in the prevention of accidents and safety control; moreover ISPESL personnel, who are involved in inspection activities on Seveso sites, are authorized to enter the system in order to acquire all elements useful for enhancing its performances in prevention and safety issues. Two main goals have been taken into account with regard to the project design: first, gather as much information as possible on near miss events occurring in the national chemical process industry, in order to build a reliable and exhaustive database on this issue; second, provide a tool which is effective in the examination of near misses and the extraction of lessons learned, and which aims to improve industrial safety performances.
To meet these requirements a preliminary analysis of specific attributes to be assigned to the system has been carried out in order to define its essential characteristics. The first attribute which has been considered
is accessibility: to allow a wider diffusion, the system has been developed in such a way that it is easy to access when needed. A web version has therefore been built, which assures security, confidentiality and integrity criteria for the data handled. Secondly, in order to guarantee that the system can be used by both expert and non-expert users, the system being ‘‘user-friendly’’ has been an important consideration in its design. The user must have easy access to the data in the system and be able to draw data from it by means of pull-down menus, which allow several options to be chosen; moreover, ‘‘help icons’’ clarify the meaning of each field of the database to facilitate data entry. Third, the system must be designed in such a way as to allow the user to extract information from the database; to this end it has been provided with a search engine. By database queries and the subsequent elaboration of results, the main causes of the near misses and the most important safety measures adopted to avoid a repetition of the anomaly can be singled out. In this way the system receives data on near misses from the user and, in return, provides information to the user regarding the adoption of corrective actions aimed at preventing similar situations and/or mitigating their consequences. Lastly, the system must guarantee confidentiality: this is absolutely necessary, otherwise companies would not be willing to provide sensitive information regarding their activities. In order to ensure confidentiality, the data are archived in the database in an anonymous form. More precisely, when the user consults the database, the only accessible information on the geographical location of the event is one of three macro-areas, Northern, Central and Southern Italy respectively; this is in order to avoid that the geographical data inserted in the database (municipality and province) in the reporting phase could lead to the identification of the establishment in which the near miss occurred. Another factor which assures confidentiality is the use of usernames and passwords to enter the system. These are provided by Federchimica, after credentials have been vetted, to any company of the Federation which has scientific knowledge and operating experience in prevention and safety control. In this way, any company fulfilling the above conditions is permitted to enter the system, in order to load near miss data and consult the database, with the guarantee of data security and confidentiality.

4 DATABASE STRUCTURE

On the basis of the above defined attributes, which are assigned to the system, the software platform supporting the near misses database has been created and performs two main functions, as illustrated in Fig. 1: the first is the reporting phase, for the description of the near misses, and the second is the consultation phase, for the extraction of the lessons learned from the database, both described in the following paragraphs.
Figure 1. Concept of the software system. (Diagram not reproduced; it shows the flow near miss → reporting phase → consultation phase → lesson learned.)

4.1 Near misses reporting phase

This part contains all data regarding the near miss and is divided into two sections: the first contains all the information about the specific event (time, place, substances involved etc.); the second provides the causes, the post accident measures put into place, and the lessons learned. It is worth noting that, in order to encourage use of the database, in the selection of fields to be filled in a compromise was reached between the need to collect as much information as possible, so as to enrich the database, and the need to simplify the completion of the form by the user. These forms are, in fact, filled in on a voluntary basis. The contents of the two sections are described in paragraphs 4.1.1 and 4.1.2 respectively. A printout illustrating the fields contained in section 1 is presented in Fig. 2, in which the fields and the explanations are shown in Italian.

4.1.1 Section 1

Geographical location: Municipality and province where the near miss occurred.
Date: The date when the near miss took place.
Time: The time when the near miss took place.
Seveso classification: Upper or lower tier establishments.
Location: The location where the near miss occurred, either inside the production units, or in the logistic units, internal or external.
Figure 2. Section 1 of the near misses database. (Screenshot not reproduced.)
Area: Area of the establishment in which the near miss took place, including production, storage, services, utilities or transport units.
Unit: Depending on the area selected, the unit directly involved in the near miss.
Accident description: The description of the accident as it was given by the compiler.
Substances: The substance or the substances involved in the near miss.

4.1.2 Section 2

Type of event: The types of events which occurred after a near miss; this is a multi-check field allowing the user to select several options simultaneously.
Potential danger: Dangers that could have stemmed from a near miss and that could have resulted in more serious consequences if the circumstances had been slightly different.
Safety measures in place: The kind of safety measures which are in place, if any, specifying if they have been activated and, if this is the case, if they are adequate.
Causes: The analysis of causes, including equipment failure, procedural deficiencies or human factors. Each near miss may be triggered by more than one cause. The operational status of the establishment (normal operation, shut down, restart, maintenance) when the near miss took place must be specified.
Damages: The cost of damages provoked by the near miss.
Corrective actions: Corrective actions that have been put in place after the near miss in order to avoid a repetition of the event; these actions can be immediate or delayed, and if delayed, can be further divided into technical, procedural or training.
Lessons learned: Descriptions of what we have learned from the near miss and what improvements have been introduced as a consequence.
Annex: It is possible to complete the record of any near miss by adding files in pdf, gif or jpeg format.
Once this descriptive part is completed, a classification code will be attributed to each near miss, so that identification is univocal.
Figure 3. Near misses search criteria. (Screenshot not reproduced.)

4.2 Near misses consultation phase

As specified at the beginning of the previous paragraph, the second part of the software platform concerns the extraction of lessons learned by consultation of the database contents. In fact, one of the main objectives of the database is the transfer of technical and managerial corrective actions throughout the chemical process industry. The database has therefore been supplied with a search engine which aids navigation through near miss reports, allowing several options. First, the user is able to visualize all near misses collected in the database in a summary table illustrating the most important fields, that are, respectively: event code, submitter data, event description, damages, immediate or delayed corrective actions, lessons learned, annex; second, the details of a specific event can be selected by clicking on the corresponding code. It is also possible to visualize any additional documents within the record of the specific event by clicking on ‘‘Annex’’. Third, to extract a specific near miss from the database on the basis of one or more search criteria, a query system has been included in the software utilities. This is done by typing a keyword relevant, for example, to the location, unit, year of occurrence, potential danger, etc., as shown in Fig. 3.

5 RESULTS AND DISCUSSION

Thanks to these functions, the analysis of the database contents can provide company management with the information required to identify weaknesses in the
thus supporting effective training activities. In this initial phase of the project the first priority has been the collection of as much near miss data as possible. In order to reach this goal, the use of the database has been encouraged among the partners of Federchimica, who are, in fact, the main contributors of the data entered. To publicize the use of the software system, both the institutions responsible for the project, ISPESL and Federchimica, have organized a number of workshops in different Italian cities to illustrate the performances and potentialities of the database. The feedback from the industries with respect to the initiative promoted by ISPESL and Federchimica can be considered, on the whole, positive, at least for those bigger companies which already dedicate economic and human resources to industrial safety; further efforts are required to motivate the smaller enterprises as well to use the database.
The system is currently in a ‘‘running in’’ phase, which will provide an in-depth evaluation of its performance and identify potential improvements. This phase involves the analysis of the (approximately) 70 near misses which are now stored in the database. A preliminary analysis of the first data collected shows that, for every near miss reported, all fields contained in the database have been filled; this fact represents a good starting point for an assessment of the quality of the technical and managerial information gathered, as well as of the reported lessons learned, which will be carried out in the near future. Further distribution to the competent authorities and to other industrial sectors will be considered in a second stage.
safety of the industrial facilities, study corrective 6 CONCLUDING REMARKS
actions performed to prevent the occurrence of acci-
dents, prioritize preventive and/or mitigating measures A software system for the collection, storage and anal-
needed, and better understand the danger of specific ysis of near misses in the Italian chemical industry has
situations. Another important function is the transfer been developed for multiple purposes. It allows infor-
of knowledge and expertise to a younger workforce, mation regarding the different factors involved in a
31
near miss event to be shared and information regarding training activities implemented in the chemical
lessons learned among all interested stakeholders to industry; they should be for all personnel involved
be disseminated in a confidential manner. The sys- in the use of the software system. These training
tem which has been developed attempts to fill a gap activities, to which both ISPESL and Federchimica
which exists in the wide range of databases devoted to may vigorously contribute, are expected to lead to an
process industry accidents. The system also can fulfil enhancement in the quality of the retrieval of the under-
the legal requirements for the implementation of the lying causes of near misses. They should also lead to
Safety Management System; in fact, it offers indus- an increase in the reliability of data stored as well as
try management the possibility of verifying its safety of lessons learned extracted from the database.
performances by analyzing near miss results. Its user-
friendly character can stimulate the reporting of near
misses as well as the sharing of lessons learned, sup- REFERENCES
porting industry management in the enhancement of
safety performances. It is the intention of the authors to Center for Chemical Process Safety, 2003. Investigating
Chemical Process Incidents. New York, American Insti-
continue the work undertaken, creating a wider range tute of Chemical Engineers.
of functions and keeping the database up to date. From European, Council 1997. Council Directive 96/82/EC on
a preliminary analysis carried out on the data collected, the major accident hazard of certain industrial activ-
we realized that, in the near future, a number of aspects ities (‘‘Seveso II’’). Official Journal of the European
regarding the management of near misses will need Communities. Luxembourg.
to be investigated in more depth. For example, the Jones, S., Kirchsteiger, C. & Bjierke, W. 1999. The impor-
screening criteria for the selection of near misses must tance of near miss reporting to further improve safety
be defined. These criteria are necessary for identifying performance. Journal of Loss prevention in the Process
near misses of particular technical interest for prevent- Industries, 12, 59–67.
Legislative Decree 17 August 1999, n. 224 on the control of
ing major accidents and limiting their consequences, major accident hazards involving dangerous substances.
as required by the Seveso legislation. Another element Gazzetta Ufficiale n. 228, 28 September 1999 Italy.
which requires in-depth analysis is the root causes of Philley, J., Pearson, K. & Sepeda, A. 2003. Updated CCPS
near misses, and the corrective measures needed. All Investigation Guidelines book, Journal of Hazardous
the above mentioned issues can benefit from specific Materials, 104, 137–147.
32
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: As systems become more complex, simple mistakes or failures may cause serious accidents. One measure against this situation is to understand the mechanism of accidents and to use that knowledge for accident prevention. However, the analysis of incident reports does not currently keep pace with their accumulation, and databases of incident reports are utilized insufficiently. In this research, an analysis system for incident reports is developed based on the m-SHEL ontology. This system is able to process incident reports and to obtain knowledge relevant to accident prevention efficiently.
1 INTRODUCTION
analyzing incident reports using advanced information processing technologies.

In this study, a conceptual design of an analysis system for incident reports is proposed, and its verification is conducted experimentally. We adopted the nuclear industry as the particular application domain because of the availability of NUCIA.
prediction of a similar incident by checking specific factors.

3.3 Nuclear Information Archives (NUCIA)

Here, let us look into an example of an incident report database. In NUCIA, a lot of information such as inspection results or incident reports from nuclear power plants is available to the public. Disclosure of the information is conducted under the following ideas.

• Various opinions, not only from electric power suppliers but also from industry-government-academia communities, are useful to solve problems in nuclear safety.
• Increasing transparency to society contributes to obtaining trust from the public.

Collected information, however, is not utilized enough at present. There are several reasons, as follows.

• The amount of data is sufficient, but no effective methods of analysis are available.
• While some reports are detailed, others are not. There is little uniformity in the description method.

Under such circumstances, even though there is a lot of useful information in the database, analysis and application do not keep pace with the accumulation of data.

3.4 Ontology

Ontology here means relations between concepts, like synonyms or sub-concepts. Mizoguchi defines ontology as a theory of vocabulary/concepts used for building artificial systems (Mizoguchi et al. 2000). Figure 3 shows an example of an ontology. There are four elements in an ontology. They are:

1. A conceptual set which consists of the elementary concepts of the intended field.
2. A hierarchical structure formed by is-a links between two concepts, like ''BMW is a car'' or ''dog is a mammal''.
3. Relationships between different concepts other than the ''is-a link'', like ''car has an engine''.
4. Axioms that define or constrain concepts or links.

Figure 3. An example of ontology.

In this study, the ontology for the analysis of incidents that occurred in nuclear systems is defined as follows:

1. A set of concepts necessary for the analysis of incidents in nuclear power plants.
2. Hierarchical structure. In nuclear engineering terms, the structure of a nuclear power plant and the organizational framework are described.
3. Relationships. Causality information is defined in this part.
4. Definition of axioms. Synonyms are also defined here.

An ontology-based system is different from knowledge base systems, expert systems or artificial intelligence. These traditional approaches have some problems. They are:

• Little knowledge is usable in common between different fields.
• New information cannot be added to the existing knowledge base easily.

Compared with a knowledge based system, an ontology is meta-level knowledge. In this research, the incident ontology contains not only detailed knowledge or case examples (which are a traditional knowledge base), but also associations between incidents or causality information (which are meta-level information). For this reason, analysis by an ontology based system is more multidirectional.

3.5 m-SHEL ontology

There are some previous works on computer based analysis. Johnson (2003) proposed case based retrieval with a semantic network; in his research, the network was made of basic verbal phrases such as is_a, makes or resolved_by. Cavalcanti & Robertson (2003) did document synthesis with techniques like XML or Semantic Web systems.

In this study, an m-SHEL ontology is developed using XML (Extensible Markup Language) (Bray et al. 1998). The m-SHEL ontology is based on incident reports from NUCIA. In this ontology, each element has at least one m-SHEL attribute, such as Software or Environment. All construction processes, like tagging of attributes or making the hierarchical structure, were done manually. Here is an example of the XML description of a concept contained in the m-SHEL ontology.
<concept>
<label>
(Information about concept.
This label is for readability.)
</label>
<ont-id>
143
</ont-id>
<mSHEL>
H
</mSHEL>
<description>
(Information about what is this
concept.
This is used for searching)
</description>
<cause-id>
217
(id of the concept which cause No. 143)
</cause-id>
<effect-id>
314
(id of the concept which is caused by No. 143)
</effect-id>
</concept>
The m-SHEL ontology has not only information on the hierarchical structure of elements, but also on causal associations. Causality is defined by a link orthogonal to the concept hierarchy.

Causality is described in XML as follows:

<causality>
<label>
(Information about causality.
This label is for readability.)
</label>
<causality-id>
C-13
</causality-id>
<cause-id>
147
(id of the element which causes C-13)
</cause-id>
<effect-id>
258
(id of the element which is caused by C-13)
</effect-id>
<weight>
0.3 (weighing factor)
</weight>
</causality>

In this example, the causality labeled C-13 is caused by concept No. 147, and it causes concept No. 258. These concept numbers are the same as the id of each element of the ontology.

There is a weighing factor in each causality. It is defined by how many cases in the reports have the same cause. This weighing factor is used to decide which causality leads to the most or the least likely outcome.

Figure 4 shows a part of the m-SHEL ontology.

Figure 4. A part of m-SHEL ontology.

4 ANALYSIS SYSTEM

After having made the m-SHEL ontology, an analysis system was developed. The flow of this system is shown below:

1. Input the incident data in text form. This step can be done both manually and by importing from XML style files.
2. In the Japanese language, since no spaces are placed between words, morphological analysis is done on the input text. It is explained in Chapter 4.1.
3. Keywords from the text are selected and mapped onto the ontology. Keywords are the words included in the m-SHEL ontology.
4. The required information about the incident is structured both in the concept hierarchy and in the causality relations.

Figure 5 shows an example of a mapping result. For visualization, only specific elements related to the incident are shown here.
Figure 5. An example of mapping result.
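As an added worked example (not code from the paper and not its analysis system), the script below reads concept and causality records laid out as in the XML shown above, performs step 3 of the flow (keywords in the incident text mapped onto concept ids), produces the per-category counts that Table 1 reports as "system/expert" pairs, and follows the weighted causality links to rank the most likely outcome chain. The ontology fragment, the incident text and the expert counts are constructed for illustration; the paper's real ontology is built from Japanese NUCIA reports and relies on morphological analysis, which is replaced here by plain tokenisation of English text.

```python
"""Minimal m-SHEL style analyser (added example, not the paper's code)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed ontology fragment in the paper's XML layout; ids, labels,
# m-SHEL attributes (m, S, H, E, L) and weights are made up for illustration.
ONTOLOGY_XML = """
<ontology>
  <concept><label>condenser vacuum</label><ont-id>101</ont-id><mSHEL>H</mSHEL>
    <description>condenser vacuum degradation</description></concept>
  <concept><label>reactor trip</label><ont-id>102</ont-id><mSHEL>H</mSHEL>
    <description>manual reactor trip scram</description></concept>
  <concept><label>cooling water</label><ont-id>103</ont-id><mSHEL>H</mSHEL>
    <description>circulating cooling water pump</description></concept>
  <concept><label>trip procedure</label><ont-id>201</ont-id><mSHEL>S</mSHEL>
    <description>operating procedure for manual trip</description></concept>
  <concept><label>operator</label><ont-id>301</ont-id><mSHEL>L</mSHEL>
    <description>shift operator judgement</description></concept>
  <causality><causality-id>C-1</causality-id><cause-id>101</cause-id>
    <effect-id>102</effect-id><weight>0.6</weight></causality>
  <causality><causality-id>C-2</causality-id><cause-id>103</cause-id>
    <effect-id>101</effect-id><weight>0.3</weight></causality>
  <causality><causality-id>C-3</causality-id><cause-id>301</cause-id>
    <effect-id>102</effect-id><weight>0.1</weight></causality>
</ontology>
"""

# Constructed incident text and constructed expert counts (Table 1 style).
REPORT = ("Manual trip of the reactor by the operator because of "
          "degradation of vacuum in a condenser.")
EXPERT_COUNTS = {"m": 0, "S": 1, "H": 3, "E": 0, "L": 1, "c": 2}


def tokens(text):
    """Crude tokeniser standing in for the paper's morphological analysis."""
    return re.findall(r"[a-z]+", text.lower())


def load_ontology(xml_text):
    """Parse <concept> and <causality> records; reject dangling causal ids."""
    root = ET.fromstring(xml_text.strip())
    concepts = {}
    for c in root.findall("concept"):
        cid = int(c.findtext("ont-id"))
        concepts[cid] = {"label": c.findtext("label").strip(),
                         "mshel": c.findtext("mSHEL").strip(),
                         "label_tokens": set(tokens(c.findtext("label")))}
    causalities = []
    for x in root.findall("causality"):
        cause, effect = int(x.findtext("cause-id")), int(x.findtext("effect-id"))
        if cause not in concepts or effect not in concepts:
            raise ValueError(f"{x.findtext('causality-id')}: unknown concept id")
        causalities.append({"id": x.findtext("causality-id").strip(),
                            "cause": cause, "effect": effect,
                            "weight": float(x.findtext("weight"))})
    return concepts, causalities


def map_report(report, concepts, causalities):
    """Step 3: a concept is hit when every word of its label occurs in the
    report; a causal link counts when both its endpoints were hit."""
    words = set(tokens(report))
    hits = {cid for cid, c in concepts.items() if c["label_tokens"] <= words}
    links = [x for x in causalities if x["cause"] in hits and x["effect"] in hits]
    return hits, links


def category_counts(hits, links, concepts):
    """One column of Table 1: hits per m-SHEL category plus c (causal links)."""
    counts = Counter({k: 0 for k in "mSHEL"})
    for cid in hits:
        counts[concepts[cid]["mshel"]] += 1
    counts["c"] = len(links)
    return dict(counts)


def compare_with_expert(system, expert):
    """Render system/expert pairs the way Table 1 prints them, e.g. '3/7'."""
    return {k: f"{system.get(k, 0)}/{expert.get(k, 0)}" for k in list("mSHEL") + ["c"]}


def most_likely_chain(start, causalities, max_len=10):
    """Follow the heaviest outgoing link from each concept; the weight is the
    paper's case-frequency factor, so the product ranks the outcome."""
    out = defaultdict(list)
    for x in causalities:
        out[x["cause"]].append(x)
    path, weight, node = [start], 1.0, start
    while out[node] and len(path) < max_len:
        best = max(out[node], key=lambda x: x["weight"])
        if best["effect"] in path:      # stop on a cycle
            break
        weight *= best["weight"]
        node = best["effect"]
        path.append(node)
    return path, weight


def analyse(report=REPORT, expert=EXPERT_COUNTS):
    concepts, causalities = load_ontology(ONTOLOGY_XML)
    hits, links = map_report(report, concepts, causalities)
    system = category_counts(hits, links, concepts)
    return {"hits": sorted(hits), "links": [x["id"] for x in links],
            "table_row": compare_with_expert(system, expert)}


if __name__ == "__main__":
    print(analyse())
    _, causalities = load_ontology(ONTOLOGY_XML)
    print(most_likely_chain(103, causalities))
```

The label-subset rule is deliberately strict, so "trip procedure" is not hit by a report that only mentions a trip; the paper's remark that a system count above the expert's usually means noise is exactly the failure mode a looser any-word rule would produce.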
Table 1. Result of verification test.

        Case 1  Case 2  Case 3  Case 4  Case 5  Case 6  Case 7
m       0/0     1/2     0/1     4/7     2/2     0/1     2/4
S       2/6     3/7     5/6     2/4     1/3     1/2     4/7
H       7/18    5/12    6/13    5/12    9/10    0/8     5/7
E       0/1     0/0     0/0     2/2     0/1     3/3     0/1
L       2/4     1/5     2/4     2/5     3/4     3/5     4/3
c*      1/4     0/3     2/4     3/6     4/5     0/2     1/2

* Number of causal associations.

4. The two results were compared. At this step, we focused on how many elements and causality relations are extracted automatically.

In this study, seven reports were used for verification. The incidents analyzed are briefly described below:

• automatic trip of the turbine generator due to breakdown of the excitation equipment,
• automatic trip of the reactor due to high neutron flux on the Intermediate Range Monitor (IRM),
• impaired power generation due to switching over of the Reactor Feed Pump (RFP), and
• manual trip of the reactor because of degradation of vacuum in a condenser.

The result of the test is shown in Table 1. In this table, each number shows how many concepts contained in the ontology were identified in the input report. The numbers on the left represent the result obtained by the system and those on the right the result by the expert. For example, 3/7 means three concepts were identified by the system, and seven by the expert.

It should be noted here that the numbers themselves are not important; the coincidence of the two numbers is what is significant for judging the validity of the analysis by the system. In this research, since the algorithm of the system is quite simply designed, it is reasonable to take the analysis by the expert as the reference. If the system identified more concepts than the expert, it is probable that the system picked up some noise rather than analyzing more accurately than the expert.

6 DISCUSSION

In Table 1, Hardware elements are relatively well extracted. Plenty of information related to parts of a power plant, such as CR (control rod) or coolant water, is included in incident reports. These words are all categorized as Hardware items, so the number of Hardware items is larger than the others. This is the reason why Hardware has a high ratio of appearance. A similar tendency is shown with Software elements. Another reason for the high ratio is a trend in incident reporting in the nuclear industry of Japan: incidents are reported from the viewpoint of the failure mechanism of hardware rather than human factors.

This trend also resulted in the low presence of Environment or management items. Not only the result of the system, but also that of the expert, marked low counts for these items. It means that the low scores are attributable not to the system but to some problems in the original reports.

On the other hand, the results for Liveware and causal association are different from those for Environment and management. The results of automatic analysis for Liveware and causal association also marked low scores. However, the expert did not score as low as the system. It seems this outcome is caused by some defects in the m-SHEL ontology.

7 CONCLUSION

An analysis system for incident reports has been developed for nuclear power plants. The method of analysis adopted is based on the m-SHEL ontology. The result of automatic analysis failed to mark high scores in assessment, but this is partly because of the contents of the original incident report data. Though there is room for improvement of the m-SHEL ontology, the system is useful to process incident reports and to obtain knowledge useful for accident prevention.

REFERENCES

H.W. Heinrich. 1980. Industrial accident prevention: A safety management approach. McGraw-Hill.
Frank E. Bird Jr. & George L. Germain. 1969. Practical Loss Control Leadership. Intl Loss Control Inst.
NUCIA: Nuclear Information Archives, http://www.nucia.jp
R. Kawano. 2002. Medical Human Factor Topics. http://www.medicalsaga.ne.jp/tepsys/MHFT_topics0103.html
E. Hollnagel. 1993. Human reliability analysis: Context and control. Academic Press.
Riichiro Mizoguchi, Kouji Kozaki, Toshinobu Sano & Yoshinobu Kitamura. 2000. Construction and Deployment of a Plant Ontology. Proc. of the 12th International Conference on Knowledge Engineering and Knowledge Management (EKAW2000). 113–128.
C.W. Johnson. 2003. Failure in Safety-Critical Systems: A Handbook of Accident and Incident Reporting. University of Glasgow Press, http://www.dcs.gla.ac.uk/~johnson/book/
J. Cavalcanti & D. Robertson. 2003. Web Site Synthesis based on Computational Logic. Knowledge and Information Systems Journal, 5(3):263–287.
MeCab: Yet Another Part-of-Speech and Morphological Analyzer, http://mecab.sourceforge.net/
Tim Bray, Jean Paoli & C.M. Sperberg-McQueen (eds.). 1998. Extensible Markup Language (XML) 1.0: W3C Recommendation 10-Feb-1998. W3C.
Chi-Min Shu
Process Safety and Disaster Prevention Laboratory, Department of Safety, Health, and Environmental
Engineering, National Yunlin University of Science and Technology, Douliou, Yunlin, Taiwan, ROC
ABSTRACT: Forklifts are so maneuverable that they can move almost anywhere. With a stack board, forklifts also have the capability of loading, unloading, lifting and transporting materials. Forklifts are not only widely used in various fields and regions, but are common in industry for materials handling. Because they are used so frequently, any incident such as an incorrect forklift structure, inadequate maintenance, poor working conditions, wrong operation by the forklift operator, and so on, may result in property damage and casualties. Forklifts may, for example, be operated (1) over speed, (2) in reverse or while rotating, (3) overloaded, (4) lifting a worker, (5) on an inclined road, or (6) with obscured vision, which may result in overturning, crushing the operator, hitting pedestrian workers, causing loads to collapse, lifting a worker high enough to fall, and so on. The above mentioned, therefore, result in labor accidents and the loss of property. According to the significant occupational disaster statistics of the Council of Labor Affairs, Executive Yuan, Taiwan, approximately 10 laborers perish in Taiwan due to forklift accidents annually. This obviously shows that forklift risk is extremely high. If the operational site, the operator, the forklifts and the work environment do not meet the safety criteria, a labor accident can result. As far as loss prevention is concerned, care should be taken to guard materials handling, especially forklift operation. This study provides some methods for field application, in order to prevent forklift overturn accidents and any related casualties as well.
Figure 1. Fatalities of forklift accidents in Taiwan, from 1997 to 2007 (number of fatalities per year, as charted):

Year   Fatalities
1997   12
1998   9
1999   10
2000   16
2001   4
2002   5
2003   10
2004   13
2005   10
2006   7
2007   6

Figure 2. Fatalities from forklift accidents distributed across different industries, Taiwan, from 1997 to 2007: Manufacturing 60, Transportation, warehousing and communication 27, Construction 10, Others 5.

Figure 3. The number of deaths in forklift accidents divided into different types, Taiwan, from 1997 to 2007 (types charted: collapsing and crushed, falling, overturn, stuck and pinned, hitting, others).

inclined while the forklift operator was driving, so a worker stood on the forklift to assist material handling by holding the goods with his hands and so on, which easily made the goods collapse and crushed the assistant worker or pedestrians nearby; other disasters include collisions with workplace materials, resulting in the collapse of the materials and wounding operators nearby.

1.4 Collapsing and crushed

Because of the high speed of the forklift's reverse or rotation, or because of ascending, descending, uneven ground, wet slippery ground, soft ground, overly high lifted truck forks, or overloads, the forklift overturned and crushed the operator.

1.5 Becoming stuck or pinned

Getting stuck or pinned between the truck forks and mast or the tires while repairing or maintaining the forklift. In other instances, the operator forgot to turn the forklift off before adjusting the goods on the truck fork, or got off and stood in front of the forklift, next to the forklift's dashboard, to adjust the goods. When the operator returned to the driver's seat, he (or she) carelessly touched the mast operating lever, tilting the mast backward, and got his or her head or chest stuck between the mast and the overhead guard.

This study focused on reporting forklift overturn accidents and preventing them from occurring. Two forklift overturn accidents are described below (http://www.iosh.gov.tw/, 2008; http://www.cla.gov.tw/, 2008).

2 OVERTURN CASE REPORT

because the wheel deviated from the board. It was then turned over, crushing the driver to death, as shown in Fig. 4.

2.2 Case two

Figure 5 shows that on September 27, 2005 at about 11:00 am, an 18-year-old laborer engaged in forklift operation accidentally hit the connecting rod of a shelf while driving; the forklift then overturned, crushing him, and he passed away. The laborer operated the forklift to lift the cargo up to a shelf. After laying aside the cargo 7 meters high, the forklift left the shelf. The forklift moved without the truck fork being lowered. The forklift's mast accidentally hit against the connecting rod and inclined. The operator was shocked by the disaster
and escaped quickly from the driver's seat toward the warehouse entrance. However, the forklift neither stopped nor decelerated, but kept moving forward toward the warehouse entrance. After the forklift mast hit against the connecting rod, its center of gravity shifted to the driver's seat side. The forklift reversed in the direction of the warehouse entrance. The laborer was hit and killed. A similar accident of a forklift overturning and tipping is pictured in Fig. 6.

3 RELATED REGULATIONS
uses a forklift in a place with dangerous goods.
g. The employer must not exceed the maximum load that the forklift can bear during operation, and the goods being transported should be kept in a stable condition to prevent overturning.

which are supplied by all equipment manufacturers and describe the safe operation and maintenance of forklifts.

4 CONCLUSION AND RECOMMENDATIONS
elevating personnel with a forklift. Also, secure the platform to the lifting carriage or forks.
c. Provide means for personnel on the platform to shut power off whenever the forklift is equipped with vertical only or vertical and horizontal controls for lifting personnel.
d. When work is being performed from an elevated platform, a restraining means such as rails, chains, and so on, should be in place, or a safety belt with lanyard or deceleration device should be worn by the person on the platform.

4.3 Workers near forklifts—employer event

a. Separate forklift traffic from other workers where possible.
b. Limit some aisles to workers either on foot or by forklifts.
c. Restrict the use of forklifts near time clocks, break rooms, cafeterias, and main exits, particularly when the flow of workers on foot is at a peak (such as at the end of a shift or during breaks).
d. Install physical barriers where practical to ensure that workstations are isolated from aisles traveled by forklifts.
e. Evaluate intersections and other blind corners to determine whether overhead dome mirrors could improve the visibility of forklift operators or workers on foot.
f. Make every effort to alert workers when a forklift is nearby. Use horns, audible backup alarms, and flashing lights to warn workers and other forklift operators in the area. Flashing lights are especially important in areas where the ambient noise level is high.

4.4 Work environment—employer event

a. Ensure that workplace safety inspections are routinely conducted by a person who can identify hazards and conditions that are dangerous to workers. Hazards include obstructions in the aisle, blind corners and intersections, and forklifts that come too close to workers on foot. The person who conducts the inspections should have the authority to implement prompt corrective measures.
b. Enforce safe driving practices, such as obeying speed limits, stopping at stop signs, and slowing down and blowing the horn at intersections.
c. Repair and maintain cracks, crumbling edges, and other defects on loading docks, aisles, and other operating surfaces.

4.5 Workers—labor event

a. Do not operate a forklift unless trained and licensed.
b. Use seat belts if they are available.
c. Do not jump from an overturning forklift. Stay there, hold on firmly and lean in the opposite direction of the overturn, if a lateral tip over occurs.
d. Use extreme caution on grades, ramps, or inclines. In general, the operator should travel only straight up and down.
e. Do not raise or lower the forks while the forklift is moving.
f. Do not handle loads that are heavier than the weight capacity of the forklift.
g. Operate the forklift at a speed that will permit it to be stopped safely.
h. Look toward the path of travel and keep a clear view of it.
i. Do not allow passengers to ride on a forklift unless a seat is provided.
j. When dismounting from a forklift, always set the parking brake, lower the forks, and turn the power off to neutralize the controls.
k. Do not use a forklift to elevate a worker who is standing on the forks.
l. Whenever a truck is used to elevate personnel, secure the elevating platform to the lifting carriage or forks of the forklift.

ACKNOWLEDGMENTS

The authors are deeply grateful to the Institute of Occupational Safety and Health, Council of Labor Affairs, Executive Yuan, Taiwan, for supplying related data.

REFERENCES

http://www.iosh.gov.tw/frame.htm, 2008; http://www.cla.gov.tw, 2008
U.S. National Institute for Occupational Safety and Health, 2001. ''NIOSH alert: preventing injuries and deaths of workers who operate or work near forklifts'', NIOSH Publication Number 2001-109.
Collins, J.W., Landen, D.D., Kisner, S.M., Johnston, J.J., Chin, S.F., and Kennedy, R.D., 1999. ''Fatal occupational injuries associated with forklifts, United States, 1980–1994'', American Journal of Industrial Medicine, Vol. 36, 504–512.
Yang, Z.Z., 2006. Forklifts accidents analysis and prevention, Industry Safety Technology, 26–30.
The Rule of Labor Safety and Health Facilities, 2007. Chapter 5, Council of Labor Affairs, Executive Yuan, Taipei, Taiwan, ROC.
The Machine Tool Protection Standard, 2001. Chapter 5, Council of Labor Affairs, Executive Yuan, Taipei, Taiwan, ROC.
The Rule of Labor Safety Health Organization Management and Automatic Inspection, 2002. Chapters 4 and 5, Council of Labor Affairs, Executive Yuan, Taipei, Taiwan, ROC.
E. Poupart
Products and Ground Systems Directorate/Generic Ground Systems Office, CNES, Toulouse, France
ABSTRACT: This paper presents a model-based approach for improving the training of satellite control room
operators. By identifying hazardous system states and potential scenarios leading to those states, suggestions
are made highlighting the required focus of training material. Our approach is grounded on current knowledge
in the field of interactive systems modeling and barrier analysis. Its application is shown on a satellite control
room incident.
Table 1. Categorization of types of users and systems.

Identification of users | Types of users | Examples of systems | Training availability | Response to failure | Barrier implementation
Many identifiable | General public | Microsoft Office | Online documentation only; training offered by third parties | Software/hardware + online documentation patch | Technical barrier
Few identifiable | Specialists | Software development tools | Optional; in house and third parties | Software/hardware + documentation patch | Technical barrier
 | Pilots | Aircraft cockpits | Trained; in house only | Software/hardware/documentation patch & training | Socio-technical barrier
Very few identifiable | Satellite operators | Satellite control room | Trained; in house only | Software/hardware patch (unlikely), training | Human barrier
barriers and how the model-level integration allows one to assess, a priori, the adequacy and efficiency of the barrier.

The current paper focuses on a new problem corresponding to the highlighted lower row of Table 1. It corresponds to a research project in collaboration with CNES (the French Space Agency) and deals with command and control systems for spacecraft ground segments. In such systems, modifications to the spacecraft are extremely rare and limited in scope, which significantly changes incident and accident management with respect to systems we have formerly worked on, such as Air Traffic Control workstations (Palanque et al. 1997) or aircraft cockpit applications (Barboni et al. 2007), (Navarre et al. 2004). For the space systems we are currently considering, only the ground system is partly modifiable, while the embedded system remains mostly unreachable.

To address the issue of managing incidents and accidents in the space domain we promote a formal methods approach focussing on operators. This paper presents an approach that shows how incidents and accidents can be prevented from recurring by defining adequate training material to alter operator behaviour. The paper illustrates how to exploit a graphical formal description technique called Interactive Cooperative Objects (ICOs) (Navarre et al. 2003), based on high-level Petri nets, for describing training material and operators' tasks. Using such a formal method ensures knowledge of complete coverage of system states as a means of informing training material. When we talk about complete coverage of system states, or unambiguous descriptions, we refer to the software part of the global system, which alone can be considered as an improvement to what is currently achieved with formal methods for describing states and events, which are at the core of any interactive system. Verification techniques can then be used to confront such models with the system model of the subsection of the ground segment and the model of a subsection of the spacecraft in order to assess their compatibility. Modifications to an error-prone version of the training material (both the actual document and its ICO model) are performed, so that the operator behaviour that led to the incident/accident is substituted by safer behaviour. As for the work on barriers, the formal description technique allows one to verify that the training material covers all the system states, including the ones known to lead to the accident/incident. We will provide examples of models based on an example of an operational procedure in a spacecraft control room. The approach provides a systematic way to deal with the necessary increase of reliability of the operation of safety-critical interactive systems.

The approach uses the following foundations. A system model is produced, using the ICO notation, representing the behaviour and all possible states of the currently unreliable system on which an incident was identified. Using formal analysis techniques, such as marking graphs for Petri nets, an extraction of all possible scenarios leading to the same hazardous state in which the incident occurred is performed. This ensures that not only the actual scenario is identified, but any additional scenarios as well. A barrier analysis is then performed, in order to identify which technical, human and/or socio-technical barriers must be implemented in order to prevent such a scenario from reoccurring. This, however, depends on whether or not the system is reachable and modifiable. In the case of technical barriers, the system model is modified and the same hazardous scenarios are run on the improved system model as a means of verification. The human barriers, based on identification of hazardous states, must be realised via modifications to training material and selective training.

The following section presents related work in the field of model-based training. We then present the case study and an incident in section 3, followed by our training approach to safety in section 4. Section 5 briefly presents the ICO formalism and the Petshop support tool used for the formal description of the interactive system. We present in section 6 system
46
models relating to the reported incident and discuss
how these models can be used to inform training
material in section 7. We then conclude in the final
section.
47
to learn; (b) the specification of expertise and (c) a specification of the target trainees.
The MOBAT framework includes multiple models, such as the task model, cognitive model, physical model and domain model. The closest representation of a system model in the framework (the physical model, modeled using specific notations) does not provide explicit representation of all the system states or of the human-computer interaction. It does however provide the facility for a user to request information relating to past, present and future states (Khan et al. 1998).
A second model-based framework dedicated to safety-critical domains is NASA's Man Machine Design and Analysis System (MIDAS). MIDAS is "a 3D rapid prototyping human performance modeling and simulation environment that facilitates the design, visualization, and computational evaluation of complex man-machine system concepts in simulated operational environments" (NASA 2005). The framework has several embedded models including an anthropometric model of human figure, visual perception, Updatable World Representation (UWR), decisions, task loading, mission activities...
While the related works discussed in this section focus on model-based training, they do not specifically target post-incident improvements. For this reason, we argue that an explicit system model is required, as a means of identifying hazardous states and scenarios leading to those states for informing training material with the intention to improve operator awareness.
Figure 2. Typical application interface for sending telecommands.
Figure 4. Hazardous telecommand icon.
two model-based approaches for improving safety following the hazardous TC incident reported in section 3.1.
Figure 6. Approach to formal modelling of incidents and accidents as a means for enriching training material.
4.2 Changing operator behaviour with system modification
The second proposed approach assumes that the ground system is modifiable. In the same way as before, the hazardous state is identified using the system model and preconditions are identified after running scenarios on the system model. A barrier analysis and implementation is then performed (Basnyat, Palanque, Schupp, and Wright 2007). This implies localised changes (not spread throughout the entire system) to the system behavior. The existing training material (if any) must then be updated to reflect the change in behaviour due to the technical barrier implementation. Similarly, localized changes to the training material are made from an identified hazardous system state.
While modifications to the ground segment may have an impact on the onboard system, it can be considered more reliable as the system will block the identified hazardous situation. The operators would receive additional differential training (selective training, since the behaviour of the system before and after modifications is known) for the new behavior, but even if they do not remember, or slip into old routines, the improved system will block the actions. The point here is not to force the operator to avoid an action, but to accurately make them learn the new system behavior.
5 INTERACTIVE COOPERATIVE OBJECTS & PETSHOP
The Interactive Cooperative Objects (ICOs) formalism is a formal description technique dedicated to the specification of interactive systems (Bastide et al. 2000). It uses concepts borrowed from the object-oriented approach (dynamic instantiation, classification, encapsulation, inheritance, client/server relationship) to describe the structural or static aspects of systems, and uses high-level Petri nets (Genrich 1991) to describe their dynamic or behavioural aspects.
An ICO specification fully describes the potential interactions that users may have with the application. The specification encompasses both the "input" aspects of the interaction (i.e. how user actions impact
Figure 7. An ICO model for procedure management.
on the inner state of the application, and which actions are enabled at any given time) and its "output" aspects (i.e. when and how the application displays information relevant to the user).
An ICO specification is fully executable, which gives the possibility to prototype and test an application before it is fully implemented (Navarre et al. 2000). The specification can also be validated using analysis and proof tools developed within the Petri nets community. In subsequent sections, we use the following symbols (see Figure 7).
– States of the system are represented by the distribution of tokens into places
– Actions triggered in an autonomous way by the system are called transitions
– Actions triggered by users are represented by half bordered transitions
6 SYSTEM MODEL OF PROCEDURE BEHAVIOUR
Using the ICO formalism and its CASE tool, Petshop (Navarre, Palanque, and Bastide 2003), a model describing the behavior of a ground segment application for the monitoring and control of a non-realistic procedure, including the sending of a hazardous telecommand, has been designed. Figure 7 illustrates this ICO model. It can be seen that as the complexity of the system increases, so does the Petri net model. This is the reason why the ICO notation that we use involves various communication mechanisms between models to enable designers to break down complexity into several communicating models. This feature of the ICO notation has not been exploited in this paper, as explanation through one single (even fairly illegible) model is a better choice for explanatory purposes, especially as on paper a model cannot be manipulated. The diagram has been segregated for explanatory purposes. Part A represents the behavior of an available list of instructions contained within the procedure. In this case they are CheckTM (check telemeasure), Switch (an operator choice), Wait, Warning and TC (telecommand). These instructions can be seen globally in part B, read from left to right. Parts C and D (the focus of the incident) describe the behaviour for sending of a TC (normal and hazardous). For brevity, these are the only sections of the model that will be discussed in detail.
The model is such that the operator may select any instruction before selecting the instruction he wishes to implement. However, the instructions must be carried out in a given order defined within the procedure and correctly restricted by the application. While the operator is effectuating an instruction (usually on a separate window superimposed on the list of instructions), he cannot click on or select another instruction until his current instruction is terminated. This behavior of instruction order restriction is represented with a place OrderX after the terminating click of each instruction, a transition Next/Ok.
The ICO tool, Petshop, provides a novel feature with respect to common Petri nets, called "virtual places", to increase the "explainability" of models (by reducing the number of crossing arcs in the net).
A virtual place is a partial copy of a normal place. It adopts the display properties (such as markings) but not the arc connections. The arcs can be connected to normal places or to virtual places. The display is therefore modified, allowing easier reorganisation of models (see (Barboni et al. 2006)). In the ICO procedure model, there are 3 uses of the virtual place: Instruction_List, a place containing tokens representing the available instructions; Block_Selection, a place restricting the operator from selecting an instruction while manipulating another; and Past_Instructions, a place containing the tokens representing instructions that have terminated.
Referring back to the incident described, we are particularly interested in the sending of a hazardous telecommand. Once the operator has terminated all of the instructions preceding the telecommand instruction, transition TC becomes fireable (see upper transition of Figure 8) and parts C and D of the model become the focus of the simulation.
6.1 Sending a telecommand
When transition Tc is fired, place ReadyToSendTc receives a token. From here, the application allows the operator to click SEND (the red button next to number 2 in Figure 2). This is represented by transition SendTc1. After this external event has been received, place Display_TC_inspection receives a token. In this state, the application displays a pop-up window and the operator can either click SEND or CANCEL. In the model, transitions SendTc2_1, SendTc2_2 and Cancel2 become fireable. The two Send transitions identify the value of the token (x) currently in place Display_TC_inspection, to determine whether it is a normal TC or a hazardous TC. The code x.equals("tc") and x.equals("tchaza") is used in transitions SendTc2_1 and SendTc2_2 respectively. If a normal TC is being treated, only transitions SendTc2_1 and Cancel2 will be fireable. A click on the SendTC button (Transition SendTC_1) will terminate the instruction, sending a token in place Past_instructions. If the operator clicks CANCEL, transition Cancel2, the TC is returned to the instruction list ready for reimplementation.
6.2 Sending a hazardous telecommand
If the TC (token) is of type hazardous, only transitions SendTc2_2 and Cancel2 will be fireable. Respecting the requirements, a 3rd confirmation click is required. After transition SendTc2_2 is fired, place Display_Confirmation receives a token. The key to the incident described in section 3.1 lies in this state.
Before clicking for the 3rd time to send the hazardous TC, the operator should verbally request the Go-Ahead from the Flight Director. The application modelled allows the operator to click SEND (or CANCEL) without the Go-Ahead. It is therefore up to the operator to recall the fact that dialogue must be initiated.
Part D in Figure 7 represents the potential scenarios available: if transition DialogWithFD is fired, a token is received in place RequestPending (representing the operator initiating dialogue with the Flight Director). This part of the complete model is shown in Figure 9. For improved legibility, the virtual places representing Block_selection and Past_instructions have been removed from the diagram. For simulation purposes, the transition DialogWithFD is represented using the autonomous type of transition even though the event is external to the system behaviour. The action does
not involve the operator clicking a button on the interface. Rather, this action can be considered as a human cognitive task and subsequently physical interaction with an independent communication system (see Figure 5).
Tokens in places RequestPending and FlightDirector allow transition RequestGoAheadFD to be fireable. This transition contains the statement y=fd.requestGoAhead(x).
It is important to note that data from the token in place FlightDirector would come from a separate model representing the behaviour of the Flight Director (his interactions with control room members etc). Once place Result receives a token, 4 transitions become fireable: Go, WaitTimeAndGo, WaitDataAndGo and NoGo, representing the possible responses from the Flight Director. Again, these transitions (apart from the one involving time) are represented using autonomous transitions. While they are external events, they are not events existing in the modelled application (i.e. interface buttons). These are verbal communications. In the case of each result, the operator can still click on both SEND and FAIL on the interface, transitions SendTc3_x and Cancel3_x in Figure 9. We provide here the explanation of one scenario. If the token (x) from the FlightDirector place contains the data "WaitTime", then transition WaitTimeAndGo (containing the statement y=="WaitTime") is fireable, taking the value of "y".
Within the scenario in which the operator must wait for data (from an external source) before clicking SEND, the model contains references to an external service (small arrows on places SIP_getData, SOP_getData and SEP_getData: Service Input, Output and Exception Port respectively). When in state WaitingForData, a second model, representing the service getData, would interact with the current procedure model.
7 MODEL-BASED SUPPORT FOR TRAINING
The aim of the approach presented in this paper is to use a model-based representation of current system behaviour (in this case after an incident) to support training of operators in order to improve reliability in a satellite control room.
The analysis and modelling of the monitoring and control application, including operator interactions and the reported incident, enables us to identify a hazardous state: after transition SendTc2_2 is fired (2nd confirmation of a hazardous TC) and place Display_Confirmation contains a token.
Table 1 highlights that the only likely response to a failure in a satellite control room is to modify operator training. The following two subsections provide improvements to the modelled application assuming system modifications cannot, and subsequently can, be made. Each suggestion includes a barrier classification according to Hollnagel's barrier systems and barrier functions (Hollnagel 1999).
7.1 Without system modifications
If the application cannot be modified, training should focus on operator behaviour between the 2nd and 3rd click for sending a hazardous TC. Section 6.2 identifies the process of establishing dialogue with the Flight Director as being potentially completely excluded from the operational procedure. This is why part D of Figure 7 is intentionally segregated.
Training of operators concerning this behaviour should explicitly highlight the fact that although they can click the SEND button without actually receiving the Go-Ahead from the Flight Director, it is imperative to request the Go-Ahead. A "go-around" and potential support technique would be to use a paper checklist. This suggestion is an immaterial barrier system with barrier functions Monitoring and Prescribing.
7.2 With system modifications
Assuming the application is modifiable, an improvement in system reliability could be achieved using several technical (software) barriers.
– Support or replace the current verbal Go-Ahead with an exchange of data between the two parties. Functional barrier system with hindering barrier function.
– Modify the application so that the Go-Ahead data is requested and sent via interaction with the interface; the packet would contain information necessary for the Flight Director to make a decision. Functional barrier system with soft preventing barrier function.
– Change the 3rd SEND button behaviour, so that it is disabled pending receipt of the Go-Ahead packet (including timer and additional data if necessary). Functional barrier system with soft preventing barrier function.
– Although the application analysed has a very visible red window providing the 3rd SEND button (as demanded in the system requirements), it does not include any form of reminder to the operator that dialogue with the Flight Director must be established. The 3rd pop-up window should thus display text informing the operator of the data exchange process. Symbolic barrier system with regulating and indicating barrier functions.
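The marking-graph scenario extraction described in the introduction and the hazardous state of section 6.2, together with the "disable the 3rd SEND until the Go-Ahead is received" barrier of section 7.2, as an added Python example; this is not the authors' ICO model, nor Petshop, but a deliberately reduced reconstruction of parts C and D of Figure 7. Place and transition names follow the text where it gives them (ReadyToSendTc, SendTc1, Display_TC_inspection, SendTc2_1, SendTc2_2, Cancel2, Display_Confirmation, DialogWithFD, RequestPending, FlightDirector, RequestGoAheadFD, Result, Go, NoGo, Past_instructions); the token layout, the single SendTc3/Cancel3 transitions standing in for SendTc3_x/Cancel3_x, the omission of the WaitTime/WaitData responses and the two Flight Director tokens are assumptions made for the example.

```python
from collections import deque
from itertools import product

# Minimal high-level Petri net interpreter (added example). Places hold data tokens; a
# transition has input places, a guard over the chosen tokens (its binding), an output
# function and a kind: 'user' (half-bordered click) or 'auto' (autonomous/external event).
class Transition:
    def __init__(self, name, inputs, outputs, kind="user", guard=None):
        self.name, self.inputs, self.outputs, self.kind = name, inputs, outputs, kind
        self.guard = guard or (lambda b: True)

def enabled_bindings(marking, t):
    """Every way to pick one token per input place of t such that t's guard holds."""
    pools = []
    for place in t.inputs:
        tokens = sorted({tok for (p, tok) in marking if p == place})
        if not tokens:
            return []
        pools.append(tokens)
    candidates = (dict(zip(t.inputs, combo)) for combo in product(*pools))
    return [b for b in candidates if t.guard(b)]

def fire(marking, t, binding):
    """Consume the bound tokens and produce t's outputs; markings are sorted tuples so they hash."""
    m = list(marking)
    for place, tok in binding.items():
        m.remove((place, tok))
    m.extend(t.outputs(binding).items())
    return tuple(sorted(m))

def marking_graph(net, initial):
    """Breadth-first construction of the marking graph: marking -> [(transition, successor)]."""
    graph, queue = {}, deque([initial])
    while queue:
        m = queue.popleft()
        if m in graph:
            continue
        graph[m] = [(t.name, fire(m, t, b)) for t in net for b in enabled_bindings(m, t)]
        queue.extend(n for _, n in graph[m])
    return graph

def hazardous_scenarios(net, initial, is_hazard):
    """All simple firing sequences (no marking repeated on the path) whose last firing is hazardous."""
    found = []
    def dfs(m, path, on_path):
        for t in net:
            for b in enabled_bindings(m, t):
                step = path + [t.name]
                if is_hazard(t, b):
                    found.append(step)
                    continue
                n = fire(m, t, b)
                if n not in on_path:
                    dfs(n, step, on_path | {n})
    dfs(initial, [], frozenset([initial]))
    return found

# Constructed token layout: a telecommand is (kind, go_ahead) with kind 'tc'/'tchaza' and
# go_ahead 'none'/'Go'/'NoGo'; a Flight Director token is ('fd', answer).
def build_net(with_barrier):
    tc, dc = "Display_TC_inspection", "Display_Confirmation"
    T = Transition
    return [
        T("SendTc1", ["ReadyToSendTc"], lambda b: {tc: b["ReadyToSendTc"]}),
        T("SendTc2_1", [tc], lambda b: {"Past_instructions": b[tc]}, guard=lambda b: b[tc][0] == "tc"),
        T("SendTc2_2", [tc], lambda b: {dc: b[tc]}, guard=lambda b: b[tc][0] == "tchaza"),
        T("Cancel2", [tc], lambda b: {"ReadyToSendTc": b[tc]}),
        # Part D: asking the Flight Director is autonomous, no button is involved.
        T("DialogWithFD", [dc], lambda b: {"RequestPending": b[dc]}, "auto", lambda b: b[dc][1] == "none"),
        T("RequestGoAheadFD", ["RequestPending", "FlightDirector"],
          lambda b: {"Result": (b["RequestPending"][0], b["FlightDirector"][1])}, "auto"),
        T("Go", ["Result"], lambda b: {dc: b["Result"]}, "auto", lambda b: b["Result"][1] == "Go"),
        T("NoGo", ["Result"], lambda b: {dc: b["Result"]}, "auto", lambda b: b["Result"][1] == "NoGo"),
        # 3rd click. Technical barrier of section 7.2: SEND disabled until the Go-Ahead arrived.
        T("SendTc3", [dc], lambda b: {"Past_instructions": b[dc]},
          guard=(lambda b: b[dc][1] == "Go") if with_barrier else None),
        T("Cancel3", [dc], lambda b: {"ReadyToSendTc": (b[dc][0], "none")}),
    ]

def is_hazard(t, b):
    """The incident of section 3.1: the 3rd SEND click on a hazardous TC without a Go-Ahead."""
    tok = b.get("Display_Confirmation")
    return t.name == "SendTc3" and tok[0] == "tchaza" and tok[1] != "Go"

INITIAL = tuple(sorted([("ReadyToSendTc", ("tchaza", "none")),
                        ("FlightDirector", ("fd", "Go")), ("FlightDirector", ("fd", "NoGo"))]))

def analyse(with_barrier):
    """Marking graph size, all hazardous scenarios, and whether a correctly authorised send remains possible."""
    net = build_net(with_barrier)
    graph = marking_graph(net, INITIAL)
    return {"states": len(graph),
            "hazardous": hazardous_scenarios(net, INITIAL, is_hazard),
            "send_with_go_ahead_reachable": any(("Past_instructions", ("tchaza", "Go")) in m for m in graph)}

if __name__ == "__main__":
    for barrier in (False, True):
        r = analyse(barrier)
        print(f"barrier={barrier}: {r['states']} markings, {len(r['hazardous'])} hazardous scenarios,"
              f" authorised send reachable={r['send_with_go_ahead_reachable']}")
        for s in r["hazardous"]:
            print("   ", " -> ".join(s))
```

Without the barrier the shortest scenario is the three clicks SendTc1, SendTc2_2, SendTc3 with no dialogue at all, and the exploration also lists the longer variants the text mentions (asking, receiving NoGo, sending anyway; cancelling and re-sending without asking again). With the guard on SendTc3 the hazardous firing disappears from the marking graph while the authorised send is still reachable, which is the "same scenarios run on the improved model as a means of verification" step of the approach.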
8 CONCLUSIONS AND FURTHER WORK
We have presented a model-based approach for identifying human-computer interaction hazards and their related mitigating human (training) and technical (software) barriers, classified according to Hollnagel's barrier systems and barrier functions (Hollnagel 1999).
The approach, applied to a satellite ground segment control room incident, aids in identifying barriers such as symbolic and immaterial barriers, necessary in the case where the degraded system is not modifiable. These barriers may not have been considered within the development process, but have been identified using the system model.
We have used the ICO formal description technique (a Petri net based formalism dedicated to the modelling of interactive systems) to model the monitoring and control of an operational procedure using a satellite ground segment application. The model provides explicit representation of all possible system states, taking into account human interactions, internal and external events, in order to accurately identify hazardous states and scenarios leading to those states via human-computer interactions.
ACKNOWLEDGEMENTS
This research was financed by the CNES R&T Tortuga project, R-S08/BS-0003-029.
REFERENCES
Barboni, E, D Navarre, P Palanque, and S Basnyat. 2007. "A Formal Description Technique for the Behavioural Description of Interactive Applications Compliant with ARINC Specification 661." Hotel Costa da Caparica, Lisbon, Portugal.
Barboni, E, D Navarre, P Palanque, and S Basnyat. 2006. "Addressing Issues Raised by the Exploitation of Formal Specification Techniques for Interactive Cockpit Applications."
Basnyat, S, and P Palanque. 2006. "A Barrier-based Approach for the Design of Safety Critical Interactive Application." vol. Guedes Soares & Zio (eds). Estoril, Portugal: Taylor & Francis Group.
Basnyat, S, P Palanque, B Schupp, and P Wright. 2007. "Formal socio-technical barrier modelling for safety-critical interactive systems design." Special Edition of Elsevier's Safety Science. Special Issue safety in design 45:545–565.
Bastide, R, O Sy, P Palanque, and D Navarre. 2000. "Formal specification of CORBA services: experience and lessons learned..." ACM Press.
Brown, Keith. 1999. "MOBIT a model-based framework for intelligent training." pp. 6/1–6/4 in Invited paper at the IEEE Colloquium on AI.
Cortiade, E. and PA Cros. 2008. OCTAVE: a data model-driven Monitoring and Control system in accordance with emerging CCSDS standards such as XTCE and SM&C architecture. SpaceOps 2008, 12–16 May 2008, Heidelberg, Germany.
Eiff, G.M. 1999. Organizational safety culture. In R.S. Jensen (Ed.). Tenth International Symposium on Aviation Psychology (pp. 778–783). Columbus, OH: The Ohio State University.
Elizalde, Francisco, Enrique Sucar, and Pablo deBuen. 2006. "An Intelligent Assistant for Training of Power Plant Operators." pp. 205–207 in Proceedings of the Sixth IEEE International Conference on Advanced Learning Technologies. IEEE Computer Society.
Fitts, P.M. 1954. "The Information Capacity of the Human Motor System in Controlling the Amplitude of Movement..."
Genrich, H.J. 1991. "Predicate/Transitions Nets, High-Levels Petri-Nets: Theory and Application." pp. 3–43 in. Springer Verlag.
Hollnagel, E. 1999. "Accidents and barriers." pp. 175–180 in Proceedings CSAPC'99, In J.M. Hoc, P. Millot, E. Hollnagel & P.C. Cacciabue (Eds.). Villeneuve d'Asq, France: Presses Universitaires de Valenciennes.
Hollnagel, E. 2004. "Barriers and Accident Prevention." Ashgate.
Johnson, C.W. 1997. "Beyond Belief: Representing Knowledge Requirements For The Operation of Safety-Critical Interfaces." pp. 315–322 in Proceedings of the IFIP TC13 International Conference on Human-Computer Interaction. Chapman & Hall, Ltd. http://portal.acm.org/citation.cfm?id=647403.723503&coll=GUIDE&dl=GUIDE&CFID=9330778&CFTOKEN=19787785 (Accessed February 26, 2008).
Johnson, C.W. 2006. Understanding the Interaction Between Safety Management and the 'Can Do' Attitude in Air Traffic Management: Modelling the Causes of the Ueberlingen Mid-Air Collision. Proceedings of Human-Computer Interaction in Aerospace 2006, Seattle, USA, 20–22 September 2006. Editors F. Reuzeau and K. Corker. Cepadues Editions, Toulouse, France. pp. 105–113. ISBN 285428-748-7.
Khan, Paul, Brown, and Leitch. 1998. "Model-Based Explanations in Simulation-Based Training." Intelligent Tutoring Systems. http://dx.doi.org/10.1007/3-540-68716-5_7 (Accessed February 20, 2008).
Kontogiannis, Tom. 2005. "Integration of task networks and cognitive user models using coloured Petri nets and its application to job design for safety and productivity." Cogn. Technol. Work 7:241–261.
Lee, Jang R, Fanjoy, Richard O, Dillman, Brian G. The Effects of Safety Information on Aeronautical Decision Making. Journal of Air Transportation.
Lin, Fuhua. 2001. "Modeling online instruction knowledge using Petri nets." pp. 212–215 vol.1 in Communications, Computers and Signal Processing, 2001. PACRIM. 2001 IEEE Pacific Rim Conference on, vol. 1.
NASA. 2005. "Man-machine Integration Design and Analysis System (MIDAS)." http://human-factors.arc.nasa.gov/dev/www-midas/index.html (Accessed February 19, 2008).
Navarre, D, P Palanque, and R Bastide. 2004. "A Formal Description Technique for the Behavioural Description of Interactive Applications Compliant with ARINC 661 Specification."
Navarre, D, P Palanque, and R Bastide. 2003. "A Tool-Supported Design Framework for Safety Critical Interactive Systems." Interacting with Computers 15/3:309–328.
Navarre, D, P Palanque, R Bastide, and O Sy. 2001. "A Model-Based Tool for Interactive Prototyping of Highly Interactive Applications."
Navarre, D, P Palanque, R Bastide, and O Sy. 2000. "Structuring Interactive Systems Specifications for Executability and Prototypability." pp. 97–109 in, vol. no, 1946. Lecture Notes in Computer Science, Springer.
Norman, D.A. 1990. "The 'Problem' with Automation: Inappropriate Feedback and Interaction, not 'Over-Automation'." Philosophical Transactions of the Royal Society of London. Series B, Biological Sciences 327:585–593.
Palanque, P, R Bastide, F Paterno, R Bastide, and F Paterno. 1997. "Formal Specification as a Tool for Objective Assessment of Safety-Critical Interactive Systems..." Sydney, Australia: Chapman & Hall.
Pipo, C, and C.A Cros. 2006. "Octave: A Portable, Distributed, Opened Platform for Interoperable Monitoring Services." Rome, Italy.
Schupp, B, S Basnyat, P Palanque, and P Wright. 2006. "A Barrier-Approach to Inform Model-Based Design of Safety-Critical Interactive Systems."
Shang, P.W.H., L Chung, K Vezzadini, K Loupos, and W Hoekstra. 2006. "Integrating VR and knowledge-based technologies to facilitate the development of operator training systems and scenarios to improve process safety." vol. Guedes Soares & Zio (eds). Estoril, Portugal: Taylor & Francis Group.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: Road safety depends mainly on traffic intensity and the condition of road infrastructure. More precisely, one may find many more factors influencing safety in road transportation, but the process of their perception, processing and drawing conclusions by the driver while driving is usually difficult and in many cases falls behind reality. The Diagnostic Aided Driving System (DADS) is a concept for a supporting system which provides the driver with selected, most useful information, reducing risk due to the environment and weather conditions as well as statistics of past hazardous events corresponding to a given road segment. The paper presents part of the project aiming to describe relations and dependencies among different traffic conditions influencing the number of road accidents.
driving over pedestrian crossing, turning, stopping, parking, reversing a car], driving in the wrong lane, driving through a red light, not observing other signs and signals, not maintaining safe distance between vehicles, rapid braking, driving without required lights, tiredness, falling asleep, decreasing of psychomotor efficiency, other),
• driver gender and experience,
• age (age interval: 0–6, 7–14, 15–17, 18–24, 25–39, 40–59, 60 and over),
• culprit due to the influence of alcohol (because of driver, pedestrian, passenger, other, complicity of traffic actors),
• weather conditions (sunshine, clouds, wind, rain/snow, fog/smog),
• type of vehicle (bicycle, moped/scooter, motorbike, car, truck, bus, farm tractor, horse-drawn vehicle, tram, train, other),
• vehicle fault (self damage, damage of the other vehicle),
• event consequences (environment [soil, water, air], road, road infrastructure [road facilities, buildings], cargo [own, foreign]),
• necessary actions (first-aid service, road rescue, chemical neutralization, fire extinguishing, rebuild).
2.2 Analysis of accident conditions
General analysis of the database is directed at the main factors and attendant circumstances. Major accident consequences are caused proportionally by cars (over 80% of injured and victims), but almost 30% of losses result from accidents of trucks and road machines (tractors, combine harvesters and the like) (Fig. 1).
The worst consequences of an accident dealing with human life are usually death or bodily harm. Over the entire observation period the average ratio of victims per accident is 0,22 and lies between 0,35 and 0,07. The average number of injured is about 1,8 per accident (Fig. 2).
Analysis of accidents taking place within the day is shown in Fig. 3.
Figure 1. Accident consequences fraction caused by different type of vehicle.
Figure 2. Ratio of number of people injured or victims in total number of accidents.
It is seen that over 87% of accidents happen between 6 a.m. and 10 p.m., with the highest frequency between 8 a.m. and 6 p.m. Within the observed period, the frequency and distribution of accidents over the hours of the day is stable and does not change much despite the rising motorization index in Poland. The average rate of traffic flow over the entire analyzed road segment of motorway A-4 is presented in Fig. 4. It is shown that since the year 2001 the volume of traffic has been growing year by year, mainly due to economic development.
A similar analysis of the distribution of accidents in time was done in relation to months over the year (Fig. 5) and week days (Fig. 6).
3 MODELLING OF ROAD EVENT NUMBER
3.1 Regression models
The statistical number of accidents along certain road segments is a random number depending on many factors described precisely above. Randomness means in this case that the number of expected accidents may vary according to random events and is correlated to some other factors. Regression models allow taking into consideration several factors influencing the accident number. Variation of the accident number is described as pure random and systematic variation depending on some accident factors (Baruya 1999, Evans 2005).
Two main regression models exist, which are generally based on the Poisson distribution (Fricker & Whitford 2004). The Poisson model is adequate for random events (accident number in a given road segment) providing that randomness is independent for all variables taken into account (Evans 2005, Kutz 2004, Miaou & Lum 1993).
The Poisson regression function of accident number is:
\lambda = e^{\beta_0 + \beta_1 x_1 + \beta_2 x_2 + \cdots + \beta_k x_k}   (1)
[Figure 3: accident frequency by hour of the day (x-axis day hour 07:00–17:00, y-axis accident frequency); plot not recoverable from extraction.]
Figure 4. Traffic volume in analyzed motorway segment in years 1999–2005.
[Figure 5: number of injured, accidents and deaths by month (x-axis month 1–12, y-axis 0–120); plot not recoverable from extraction.]
Figure 6. Distribution of accidents in week days over the period 1999–2005. (x-axis week day Monday–Sunday, y-axis accident frequency 0–0,25)
appropriate. Otherwise the Pascal model (2) should be considered, because it assumes randomness of the λ parameter itself (Michener & Tighe 1999).
where: ξ is the Gamma distributed error term.
Table 1. Regression models for all road events.
Independent variables (columns of Table 1):
  ln l   length of road segment
  ln tv  daily traffic volume
  hv     heavy vehicle rate
  j      number of all junctions
  rj     number of road junctions
  rn     number of road junctions (national roads)
  rc     number of road junctions (communal roads)
  rl     number of road junctions (local roads)
  rp     number of exits to parking
  rm     number of modernization
[The body of Table 1, marking which variables enter each of the twelve models, was not recovered in extraction.]
Rows extracted beneath the Table 1 heading (column headings not recovered; values per model as extracted):
  Model 8:  0,72  0,88  0,69  0,87  0,69  0,87  261,26  10^−5  0,034  0,1936
  Model 9:  0,74  0,90  0,70  0,88  0,70  0,90  267,63  10^−5  0,027  0,2617
  Model 10: 0,76  0,92  0,72  0,91  0,72  0,92  269,76  10^−5  0,020  0,3763
  Model 11: 0,78  0,95  0,75  0,94  0,75  0,96  269,83  10^−5  0,011  0,6067
  Model 12: 0,70  0,85  0,67  0,84  0,67  0,85  248,61  10^−5  0,053  0,1054
Table 3. Comparison of regression models for number of road events, accidents, injured and fatalities.
  Model                  β0         ln l   ln tv   hv      j       rj  rn      rc      rl      rp      rm
  Number of road events  0,0001     2,26   0,953   −0,056  –       –   −0,071  −0,099  −0,1    –       −0,854
  Number of accidents    0,0004     2,769  0,681   −0,083  –       –   −0,128  −0,209  −0,152  0,053   −1,005
  Number of injured      0,0028     3,759  0,18    −0,065  –       –   −0,104  −0,077  −0,093  −0,114  −1
  Number of fatalities   2203,9357  5,885  −1,972  −0,055  −0,209  –   –       –       –       –       −1,718
– ji = x4 — number of all junctions (exits and approaches of motorway),
– rji = x5 — number of all types of road junctions,
– rni = x6 — number of road junctions with national roads,
– rci = x7 — number of road junctions with communal roads,
– rli = x8 — number of road junctions with local roads,
– rpi = x9 — number of exits and approaches of parking places,
– rmi = x10 — time fraction of the year with modernization road works on the subsection (value from 0 to 1).
The accident database and construction data obtained from the company managing the motorway allowed for building a general regression model in the following form (3):
\lambda_i = l_i^{\beta_1} \cdot tv_i^{\beta_2} \cdot e^{\beta_0 + \sum_{j>2} \beta_j x_{ji}}   (3)
[Figure 7: regression functions plotted against traffic volume [veh./24h] (x-axis 0–27000, y-axis number of road events 0–14); plot not recoverable from extraction.]
Figure 7. Regression functions of number of road events, accidents, injured and fatalities in function of traffic volume (all remaining independent variables are constant). Shaded area relates to the range of traffic volume analyzed in database.
Twelve regression models were created on the basis of formula (3) and the 10 independent variables described above. Table 1 presents the successive models, each containing a logical combination of the variables x3 to x10. Regression functions were obtained and selected using the squared multiple correlation coefficient R, the weighted multiple correlation coefficient Rw and the Freeman-Tukey correlation coefficient Rft. Five models, no. 8–12 (marked in shaded records), are considered models of good statistical significance. In these models the parameters β are estimated properly and the parameter θ is not significantly different from 0. In the estimated models the number of accidents follows a Poisson distribution. The significance analysis of the models is shown in Table 2. Regression coefficients denoted with the index p refer to adjusted models that describe the portion of explained systematic randomness. Probability values given in Table 2 for the parameter θ greater than 0.05 show that θ is insignificant and confirm that the Poisson model, rather than the Pascal model, is the correct assumption for the number of accidents.

The described calculation method and regression model gave the basis for evaluating the theoretical number of road events. Four important events are discussed in road safety: road events, accidents with human losses, accidents with injured, and fatalities. Using the historical data, these events were analyzed and regression models were created. Table 3 puts together the parameters of the regression models describing the numbers of the mentioned events. It can be seen that some independent variables do not influence the calculated number, especially the number of fatalities.

In order to check the behavior of the obtained model, it has been proposed that all independent variables are held constant except traffic volume. This gives the regression function of the number of a certain event in relation to traffic volume. It is assumed that: l = 10 km, hv = 0.25, j = 3, rj = 1, rn = 1, rc = 0, rl = 1, pr = 1, rm = 1. Fig. 7 shows the number of road events, number of accidents, number of injured and number of fatalities as a function of daily traffic flow.

These theoretical functions are valid in the interval of traffic flow 9000–24000 veh./24 hours (shaded area), which is what was observed in the database in the period 1999–2005. The regression functions may be extended to a wider range of traffic flow to predict the number of events of interest in other conditions. The phenomenon of the number of fatalities decreasing with traffic flow may be explained by the fact that, within the seven years of observation, the average quality of cars has risen. Traffic flow is here strongly correlated with time. "Better" cars move faster and generate higher traffic flow, and on the other hand may raise traffic culture and provide a higher safety level through installed passive and active safety means. Estimation of the number of victims is burdened with higher randomness, and proper and precise models have not been elaborated yet.

4 CONCLUSIONS

Two main subjects are discussed in the paper: theoretical modeling of traffic events and the elaboration of regression models on the basis of a real accident database. The proposed model consists in developing a prediction function for various road events. Four types of road events were considered: all road events, accidents, injuries and fatalities. Verification of the assumption that the number of so-called rare events follows a Poisson distribution was done by comparing the elaborated real data with a Poisson model whose parameter λ is calculated as a regression function of ten independent variables. The conformity of the five proposed models was checked by calculating the statistical significance of the parameter θ. Regression models applied to online collected data are seen to be a part of an active
supporting system for drivers, warning them about rising accident risk at a given road segment in certain environmental conditions. Further development of the models would make it possible to use them in the road design process, especially in risk analysis and assessment.
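As an added worked example (not code from the paper), the following Python implements the regression function of formula (3), reproduces a Fig. 7 style curve with the variable values the paper fixes, and adds a Pearson dispersion check as a simple stand-in for the paper's significance test of θ. The coefficient values and the index mapping for x3 to x6 and x10 are assumptions; the paper's fitted parameters (its Table 3) are not on this page.

```python
import math

# Added worked example, not code from the paper. Index convention assumed here
# (the page names only x7 = rc, x8 = rl and x9 = rp explicitly):
#   x[1] = l   segment length [km]      x[2] = tv  daily traffic volume [veh./24h]
#   x[3] = hv  x[4] = j  x[5] = rj  x[6] = rn  x[7] = rc  x[8] = rl
#   x[9] = rp (pr)  x[10] = rm
# The coefficient values below are hypothetical; the paper's fitted values are
# not reproduced on this page.
BETA = [-5.0, 1.0, 0.6, 0.5, 0.05, 0.1, 0.1, 0.2, 0.1, 0.2, -0.1]

# Values the paper fixes for Fig. 7 (l = 10 km, hv = 0.25, j = 3, rj = 1,
# rn = 1, rc = 0, rl = 1, pr = 1, rm = 1); traffic volume stays free.
FIG7_CONSTANTS = {1: 10.0, 3: 0.25, 4: 3, 5: 1, 6: 1, 7: 0, 8: 1, 9: 1, 10: 1}
OBSERVED_TV_RANGE = (9000, 24000)  # shaded area of Fig. 7, veh./24h


def linear_predictor(x, beta=BETA):
    """log(lambda_i) of formula (3):
    beta0 + beta1*ln(l) + beta2*ln(tv) + sum_{j>2} beta_j * x_j."""
    if x[1] <= 0 or x[2] <= 0:
        raise ValueError("segment length and traffic volume must be positive")
    eta = beta[0] + beta[1] * math.log(x[1]) + beta[2] * math.log(x[2])
    eta += sum(beta[j] * x[j] for j in range(3, len(beta)))
    return eta


def expected_events(x, beta=BETA):
    """Formula (3): lambda_i = l^beta1 * tv^beta2 * exp(beta0 + sum_{j>2} beta_j x_j)."""
    return math.exp(linear_predictor(x, beta))


def fig7_curve(tv_values, beta=BETA):
    """lambda as a function of traffic volume with every other variable held at
    the Fig. 7 constants. Each point is (tv, lambda, inside_observed_range);
    points outside 9000-24000 veh./24h are extrapolations of the fitted model."""
    lo, hi = OBSERVED_TV_RANGE
    curve = []
    for tv in tv_values:
        x = [0.0] * len(beta)
        for j, value in FIG7_CONSTANTS.items():
            x[j] = value
        x[2] = tv
        curve.append((tv, expected_events(x, beta), lo <= tv <= hi))
    return curve


def pearson_dispersion(counts, lambdas, n_params):
    """Pearson dispersion ratio sum((y - lambda)^2 / lambda) / (n - p).
    A value near 1 is consistent with Poisson counts (the paper's theta not
    significantly different from 0); a value well above 1 is overdispersion,
    where a Pascal (negative binomial) model with theta > 0 fits better.
    This is a simple proxy for the paper's significance test of theta."""
    if len(counts) != len(lambdas) or len(counts) <= n_params:
        raise ValueError("need more segments than model parameters")
    chi2 = sum((y - lam) ** 2 / lam for y, lam in zip(counts, lambdas))
    return chi2 / (len(counts) - n_params)


def poisson_pmf(k, lam):
    """P(Y = k) for Y ~ Poisson(lam)."""
    return math.exp(-lam) * lam ** k / math.factorial(k)


def conformity_table(counts, lam):
    """Observed relative frequency of each count next to the Poisson(lam)
    probability, the kind of comparison the paper uses to check that rare
    road events follow a Poisson distribution."""
    n = len(counts)
    return {k: (counts.count(k) / n, poisson_pmf(k, lam)) for k in sorted(set(counts))}


if __name__ == "__main__":
    for tv, lam, inside in fig7_curve([6000, 9000, 12000, 18000, 24000, 27000]):
        tag = "observed range" if inside else "extrapolated"
        print(f"tv={tv:6d} veh/24h  lambda={lam:8.2f}  ({tag})")
    # Constructed yearly counts for ten similar segments (not the paper's data),
    # checked against a single Poisson rate estimated as their mean.
    counts = [3, 5, 4, 6, 2, 4, 5, 3, 7, 4]
    rate = sum(counts) / len(counts)
    print("dispersion ratio:", round(pearson_dispersion(counts, [rate] * len(counts), 1), 3))
    for k, (freq, prob) in conformity_table(counts, rate).items():
        print(f"k={k}: observed {freq:.2f}  Poisson {prob:.2f}")
```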
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: EDF R&D has developed an organisational analysis method. This method, which was designed from an in-depth examination of numerous industrial accidents, incidents and crises and from the main scholarly findings in the domain of safety, is intended to be applied for industrial safety purposes. After some thoughts regarding the (dis)connections between "Safety" and "Availability", this paper analyses to what extent this method could be used for availability-oriented event analysis.
Figure 1. General description of the method building (from Dien & Llory, 2006).

Figure 2. The organizational analysis three main axes.

According to Reason (1997), the causes of an event are made of three levels:

• The person (having carried out the unsafe acts, the errors);
• The workplace (local error-provoking conditions);
• The organization (organizational factors inducing the event).

The development of an event is "bottom-up", i.e. the direction of causality is from organizational factors to the person. In the event analysis, the direction is the opposite. The starting point of the analysis is the direct and immediate causes of the bad outcome (event). Then, step by step, the analysis considers, as far as possible, how and when defences failed.

In addition to results obtained by scholars in the field of organisational studies, the organisational analyses of real events that we have carried out allow us to define the three main dimensions of an organisational approach, helping to go from direct causes to root organisational causes (see figure 2):

• Historical dimension;
• Organizational network;
• "Vertical relationships" in the organization (from field operators to plant top management).

We have to note that, although these dimensions are introduced independently, they interact, and an analysis has to deal with them in parallel (and in interaction).

2.1 Historical dimension

As Llory states (1998): "an accident does not start with the triggering of the final accidental sequence; therefore, analysis requires going back in time, [. . .]" in order to put deterioration phenomena in a prominent place. The analysis has to "go upstream" in the history of the organisations involved to highlight significant malfunctioning aspects: what was not appreciated in real time has to "make sense" once the risk was confirmed (i.e. when the event has happened). Vaughan reminds us (2005): "The O-ring erosion that caused the loss of Challenger and the foam debris problem that took Columbia out of the sky both had a long history." Early warning signs have to be looked for and detected long before the time of event occurrence.

Numerous industrial events show that weakness of operational feedback could be incriminated for their occurrence, i.e. that previous relevant event(s) was/were not taken into account or were poorly treated after their occurrence. Analysts have to pay specific attention to incidents, faults and malfunctioning that occurred prior to the event.

Analysis of the "historical dimension" runs in parallel with a detailed examination of the parameters and variables of context which allow the events to be understood. It has to avoid a "retrospective error". Fine knowledge of the event scenario, i.e. the sequences of actions and decisions which led to it, allows the actual mid- and long-term effects of each action and decision to be assessed. Analysts have to keep in mind that this evaluation is easier to make after the event than in real time. In other words, analysts have to avoid a blame approach.

2.2 Organizational network

Within an organisation, entities communicate ("entity" means a part of the organisation, more or less important in terms of size and staffing; it could be a small group of people or even an isolated person, for instance a whistle blower): entities exchange data, they make common decisions, or at least they discuss in order to make a decision, they collaborate, etc. So it is of the first importance to "draw" the organisational network between the entities concerned in the event. This network is not the formal organisation chart of the entities. It is a tool for showing the numerous and complex interactions involved in the occurrence of the event. It is a guideline for carrying out the analysis; it is built all along the analysis itself.

The organisational network is hardly defined once and for all for a given organisation. It is drafted according to the analysis goals. Parts of the organisation can be ignored because they were not involved in the event.

The organisational network allows the complexity of the functional relationships between entities to be visualised, and sometimes it highlights the absence of relationships which should have been present.

Table 2. The seven Pathogenic Organizational Factors (POF).
• The results of the Organizational Analysis are built with the help of a "thick description" (Geertz, 1998) and then summarized.

3 SAFETY AND AVAILABILITY: HOW CLOSE OR DIFFERENT ARE THESE TWO CONCEPTS?

Although the method described above was built for safety purposes, considering the potential impacts of the Pathogenic Organizational Factors on the safety of a given complex system, the first applications of this method within EDF were dedicated to availability events.

According to the CEI 60050-191 standard, system availability is the capacity of a system to fulfil its expected mission, within given operating conditions, at a given time. Availability must not be confused with reliability, which has the same definition except that the time dimension is not a given time but a time interval.

Therefore Availability addresses two different issues: the system's capacity to avoid a damaging event, and, if such an event does occur, the system's capacity to recover from the event so that its initial performance is fully met again.

Safety can be described as the system's capacity to avoid catastrophic failures, potentially hazardous for workers, for the environment or for the public (Llory & Dien 2006–2007).

Safety and Availability seem then, at first view, to be two unrelated characteristics. But this is only an impression. In fact, Availability and Safety are not independent.

This is due to the fact that the equipment forming part of a complex high-risk system can deal either only with Availability, only with Safety, or with both Safety and Availability (Voirin et al., 2007).

For instance, in a nuclear power plant, there are systems dealing only with the plant's availability, such as the generator group which produces electricity from the steam coming from the Steam Generators.

There are also systems dealing only with safety. These systems are not required to produce electricity and are not operating: their purpose is only to fulfil a safety action if needed. For example, the mission of the Safety Injection System in a nuclear power plant is to ensure the water quantity within the primary circuit, so that decay heat can still be evacuated, even in case of a water pipe break.

Finally, there are systems dealing with both safety and availability. For example, the Steam Generators of a nuclear power plant have an availability mission, because they produce sufficient steam to make the generator group work; but Steam Generators also fulfil a safety mission, because they are part of the second barrier against radioactive material leakage, and also because their cooling capacities are necessary to deal with some accidental events.

But all of these systems could have an impact on both safety and availability. It is clear for systems dealing with both Safety and Availability, but, in case of failures, some of the systems dealing only with availability could clearly have an impact on safety, just as some of the systems dealing only with safety could clearly have an impact on availability (Voirin et al., 2007). For example, if there is a turbine trip while the plant is operating at full power, the normal way to evacuate the energy produced by the nuclear fuel is no longer available without the help of other systems, and that may endanger safety even if the turbine is dedicated only to availability.

Safety and availability thus have complex relationships: it is not because short-term or medium-term availability is ensured that long-term availability or safety are also ensured.

And we shall never forget that, before the accident, the Chernobyl nuclear power plant, like the Bhopal chemical factory, had records of very good availability levels, even if, in the Bhopal case, these records were obtained with safety devices out of order for many months (Voirin et al., 2007).

4 CAN AN ORGANIZATIONAL ANALYSIS BE CARRIED OUT FOR AN AVAILABILITY ORIENTED EVENT?

Due to this strong relationship between availability and safety, is it possible to perform an Organisational Analysis of an Availability event in the same way Safety-oriented Organisational Analyses are performed?

We already gave a positive answer to that question (Voirin et al., 2007), even if there are noticeable differences.

The POFs were established on the study of many Safety Events (Pierlot et al., 2007); they rely on a strong empirical basis. However, the transposition of such Safety-oriented POFs into Availability-oriented Pathogenic Organisational Factors was performed only from the theoretical point of view, with the help of our knowledge of some study cases (Voirin et al., 2007).

The main point is that, during an Availability Organisational Analysis, particular attention must be paid to the equilibrium between Availability and Safety, knowing that one of the Safety-oriented POFs (production pressures) leads to the rupture of such a balance (Dien et al., 2006; Pierlot et al., 2007).

It is with such background knowledge that we performed in 2007 the Organisational Analysis of an event that occurred in one power plant. This event
was originally chosen because of its impact on the Availability records of the plant.

We have checked these assumptions by carrying out an Organizational Analysis of a real case that occurred in a power plant. This is discussed in the following chapters.

5 MAIN FINDINGS REGARDING...

5.1 ... Organizational analysis method

5.1.1 The three main dimensions

The event we studied was chosen for Availability reasons, but it appeared very early in the analysis that it also had a Safety dimension. This event involved different technical teams of the power plant where it occurred, but also several engineering divisions.

The Organizational Analysis methodology requires three dimensions to be addressed: a historical one, a cross-functional one, and the "vertical relationships" in the organisation.

• The organizational network
We interviewed people working in each of the concerned entities and involved in the related event. We also succeeded in recovering official and unofficial (e-mails, PowerPoint presentations) data written by members of these entities.
The combination of interviews and the study of the written documents allowed us to draw the organisational network (Pierlot et al., 2007), describing how all these entities really worked together on the issues related to this event: we were then able to address the cross-functional dimension.

• The historical dimension
It was easily possible to address the historical dimension, and then to obtain not only a chronology of related facts on a time scale, but also to draw a three-dimensional organisational network, made of the usual cross-functional plane and a time dimension, thus making obvious the evolution of this cross-functional dimension over the years before the event occurrence. In this sense, we could make ours the title of one chapter of the CAIB report, "History as A Cause" (CAIB, 2003).

• The vertical dimension
The study of the third dimension, the vertical one, was more difficult to address. We could give several explanations of this fact.

The first one is due to the position of the managers. As the purpose of organisational analysis is to point out the organisational dysfunctions of a given organisation, and as one of the manager's missions is to make sure that the organisation works smoothly, he/she could have had a "protection" reaction that may explain why most of them were reluctant to give materials to the analysts.

It can be pointed out that the few managers who agreed to be interviewed were mainly managing entities which could be seen, at first, in that case, as "victims". In that case, managers appeared to be open because they thought that the organisational analysis was the opportunity for them to let the entire organisation know that they cannot be blamed for what happened...

These defensive reactions of the managers could have been forecast. They can be overcome, knowing that the analysts have to adopt an empathic attitude during the interviews but also that they have to bring judgment to the information given by the interviewees.

The second fact that could be brought out to explain the difficulty of addressing the vertical dimension in that case is the analysts' position. In this analysis, the analysts were close to the analysis sponsor. But, as analysts can be stopped in their investigation by implicit stop rules (Hopkins, 2003), and as the organisation culture and/or the analysts' interests could have effects on the analysis results, the closer the analysts are to the organisation, the more difficult it will be for them to address the vertical dimension.

However, these difficulties in addressing the vertical dimension are not blocking points: in this case study, even if this dimension is not treated to the extent it should have been, it is nevertheless explored sufficiently so that, in the end, the analysts were able to give a "thick description" of the event, and then a synthesis, which have been accepted by the people who ordered the study.

5.1.2 The thick description

The thick description (Geertz, 1998) appears to be an added value in the analysis process as well as in the restitution phase. It allows the analysts to clearly formulate their assumptions, to make sure that all the pieces of the puzzle fit the overall picture. In this way, the thick description is elaborated by a succession of "trials and errors", until the general sense of the studied issue is made clear to the analysts.

The first attempts to build this thick description were not made at the end of the analysis but during the analysis. As a result, we can say that the analysis is over when the collection of new data no longer changes this thick description, when these new data do not change the picture given in the description.

This thick description is a necessary step in the analysis process, but it is not the final result of the analysis. As Pierlot mentioned (Pierlot, 2006), there is a need to establish a synthesis of this thick description so that general learning can be deduced from the analysis.

Going from the thick description to this synthesis requires the analysts to bring judgment so that the
main conclusions of the analysis can be understood and accepted by the concerned organisation and its managers.

In this sense, the writing of the synthesis is an important part of the analysis that may use, in a certain way, the same narrative techniques that are used by the "storytelling" approaches, although the goals to be fulfilled are dramatically different: to give a general sense to the collected data in the case of the organisational analysis; to meet propaganda purposes in the case of "pure" storytelling (Salmon, 2007).

During the building of the thick description and the writing of the synthesis, specific attention has to be paid to the status that has to be given to the collected data. As stated above, the data come from two different paths: written documents and specific information given by interviewees.

5.1.3 The collected data status

If the reality of written documents cannot be discussed, there could always be doubts on the quality, the reality of information collected during interviews. In order to overcome this difficulty, a written report of each interview was established and submitted for the approval of the interviewees. Each specific piece of information was also cross-checked, either with the collected written documents, or with information collected during other interviews.

But there is still the case where a specific piece of information cannot be confirmed or denied by written documents or during other interviews. What has to be done in that case? There is no generic answer. A "protective" choice could be to say that, in this case, the related information is never considered by the analysts. This could protect the analysts against the criticism of using unverified (and perhaps even false) data. However, such a solution could deprive the analysts of interesting and "valuable" material.

We believe then that the use of "single" subjective data relies only on the analysts' judgment. If the data fit the overall picture, if they fit the general idea that the analysts have of the situation, they can be used. However, if the data do not fit the frame of the analysis results, the best solution is to avoid using them.

5.2 ... The POFs

We recall that the performed analysis was launched for Availability reasons, but that it also had a Safety dimension.

Let us recall also that most of the Safety POFs (Pierlot et al., 2007) can also be seen, from a theoretical point of view, as Availability-oriented Pathogenic Organisational Factors (Voirin et al., 2007).

The performed analysis confirms this theoretical approach: most of the Safety-oriented POFs also have an impact on Availability. In that way, we can say that we are dealing with POFs having a potential impact on the overall results of a complex high-risk system, because these factors could lead to a decrease of the results on the safety scale or on the availability scale. This is more specifically the case for the factors "Poor handling of the organisational complexity" and "failures of operational feedback system".

However, the performed analysis was focused on the event occurrence. The analysis did not have the purpose of looking at the way the organisation recovered from the situation. If it had, we can make the realistic assumption that the Safety-oriented POFs might not be useful to study this issue. It is then a possibility that there are also some pathogenic organisational factors that could describe the different dysfunctional ways for an organisation to recover from an Availability (and perhaps Safety) event.

6 CONCLUSIONS

The Organisational Analysis performed on the occurrence of an Availability event confirms that the method designed for a Safety purpose can be used for an event dealing with Availability.

The three-main-dimensions approach (historical, cross-functional, and vertical), the data collection and checking (written data as well as information given by interviewees), and the use of the thick description allow the analysis of an Availability event to be performed and a general sense to be given to all the collected data.

Knowledge of the Organisational Analysis of many different safety events, and of the different Safety-oriented Pathogenic Organisational Factors, is a required background for the analysts so that they know what must be looked for and where, or which interpretation can be made from the collected data.

This case also confirms that the usual difficulties encountered during the Organisational Analysis of a Safety event are also present for the Organisational Analysis of an Availability event: the vertical dimension is more difficult to address, and the question of "single" data is a tough issue that could deserve deeper thought.

The performed analysis also proves that most of the Safety-oriented Pathogenic Organisational Factors can also be seen as Availability-oriented Pathogenic Organisational Factors. However, these factors are focused only on the event occurrence; they do not intend to deal with the organisation's capacity to recover from the availability event. We believe that this particular point must also be studied more carefully.

The last point is that an Availability event Organisational Analysis must be performed with a
close look at safety issues, and more specifically at the balance between Safety and Availability. Here again, we believe that the complex relationships between Availability and Safety deserve a closer look and that some research based on field studies should be carried out.

Eventually, this case reinforces what we foresaw, i.e. if an organization is malfunctioning, the impacts can be either on Safety or on Availability (or both), and so a method designed and used for a Safety purpose can also be used, to a large extent, for Availability purposes.

REFERENCES

Columbia Accident Investigation Board 2003. Columbia Accident Investigation Board. Report Volume 1.
Cullen, W.D. [Lord] 2000. The Ladbroke Grove Rail Inquiry, Part 1 Report. Norwich: HSE Books, Her Majesty's Stationery Office.
Cullen, W.D. [Lord] 2001. The Ladbroke Grove Rail Inquiry, Part 2 Report. Norwich: HSE Books, Her Majesty's Stationery Office.
Dien, Y. 2006. Les facteurs organisationnels des accidents industriels. In: Magne, L. & Vasseur, D. (eds), Risques industriels: Complexité, incertitude et décision: une approche interdisciplinaire, 133–174. Paris: Éditions TED & DOC, Lavoisier.
Dien, Y., Llory, M. & Pierlot, S. 2006. Sécurité et performance: antagonisme ou harmonie? Ce que nous apprennent les accidents industriels. Proc. Congrès λμ15, Lille, October 2006.
Dien, Y. & Llory, M. 2006. Méthode d'analyse et de diagnostic organisationnel de la sûreté. EDF R&D internal report.
Dien, Y., Llory, M. & Pierlot, S. 2007. L'accident à la raffinerie BP de Texas City (23 Mars 2005): Analyse et première synthèse. EDF R&D internal report.
Geertz, C. 1998. La description épaisse. In Revue Enquête. La Description, Vol. 1, 73–105. Marseille: Éditions Parenthèses.
Hollnagel, E., Woods, D.D. & Leveson, N.G. (eds) 2006. Resilience Engineering: Concepts and Precepts. Aldershot: Ashgate Publishing Limited.
Hopkins, A. 2003. Lessons from Longford. The Esso Gas Plant Explosion. CCH Australia Limited, Sydney, 7th Edition (1st edition 2000).
Llory, M. 1998. Ce que nous apprennent les accidents industriels. Revue Générale Nucléaire. Vol. 1, janvier-février, 63–68.
Llory, M. & Dien, Y. 2006–2007. Les systèmes socio-techniques à risques: une nécessaire distinction entre fiabilité et sécurité. Performances. Issue No. 30 (Sept–Oct 2006); 31 (Nov–Dec 2006); 32 (Janv–fev 2007).
Perrow, C. 1984. Normal Accidents. Living with High-Risk Technology. New York: Basic Books.
Pierlot, S. 2006. Risques industriels et sécurité: les organisations en question. Proc. Premier Séminaire de Saint-André, 26–27 Septembre 2006, 19–35.
Pierlot, S., Dien, Y. & Llory, M. 2007. From organizational factors to an organizational diagnosis of the safety. Proceedings, European Safety and Reliability Conference, T. Aven & J.E. Vinnem (eds), Taylor and Francis Group, London, UK, Vol. 2, 1329–1335.
Reason, J. 1997. Managing the Risks of Organizational Accidents. Aldershot: Ashgate Publishing Limited.
Roberts, K. (ed.) 1993. New Challenges to Understanding Organizations. New York: Macmillan Publishing Company.
Sagan, S. 1993. The Limits of Safety: Organizations, Accidents and Nuclear Weapons. Princeton: Princeton University Press.
Sagan, S. 1994. Toward a Political Theory of Organizational Reliability. Journal of Contingencies and Crisis Management, Vol. 2, No. 4: 228–240.
Salmon, C. 2007. Storytelling, la machine à fabriquer des histoires et à formater les esprits. Paris: Éditions La Découverte.
Turner, B. 1978. Man-Made Disasters. London: Wykeham Publications.
U.S. Chemical Safety and Hazard Investigation Board. 2007. Investigation Report, Refinery Explosion and Fire, BP – Texas City, Texas, March 23, 2005, Report No. 2005-04-I-TX.
Vaughan, D. 1996. The Challenger Launch Decision. Risky Technology, Culture, and Deviance at NASA. Chicago: The Chicago University Press.
Vaughan, D. 1997. The Trickle-Down Effect: Policy Decisions, Risky Work, and the Challenger Tragedy. California Management Review, Vol. 39, No. 2, 80–102.
Vaughan, D. 1999. The Dark Side of Organizations: Mistake, Misconduct, and Disaster. Annual Review of Sociology, vol. 25, 271–305.
Vaughan, D. 2005. System Effects: On Slippery Slopes, Repeating Negative Patterns, and Learning from Mistake. In: Starbuck, W. & Farjoun, M. (eds), Organization at the Limit. Lessons from the Columbia Disaster. Oxford: Blackwell Publishing Ltd.
Voirin, M., Pierlot, S. & Llory, M. 2007. Availability organisational analysis: is it hazard for safety? Proc. 33rd ESREDA Seminar: Future challenges of accident investigation, Ispra, 13–14 November 2007.
S.H. Wu
Graduate School of Engineering Science and Technology, National Yunlin University of Science and Technology, Douliou, Yunlin, Taiwan, ROC
J.M. Tseng
Graduate School of Engineering Science and Technology, National Yunlin University of Science and Technology, Douliou, Yunlin, Taiwan, ROC
C.M. Shu
Department of Safety, Health, and Environmental Engineering, National Yunlin University of Science and Technology, Douliou, Yunlin, Taiwan, ROC
ABSTRACT: In the past, process accidents incurred by Organic Peroxides (OPs), involving near misses, over-pressure, runaway reactions, thermal explosions, and so on, occurred because of poor training, human error, incorrect kinetic assumptions, insufficient change management, inadequate chemical knowledge, and so on, in the manufacturing process. Calorimetric applications have been employed broadly to test small-scale organic peroxide materials in the laboratory because of their thermal hazards, such as exothermic behavior and self-accelerating decomposition. In essence, methyl ethyl ketone peroxide (MEKPO) has a highly reactive and unstable exothermal feature. In recent years, there have been many thermal explosion and runaway reaction accidents in its manufacturing process. Differential Scanning Calorimetry (DSC), Vent Sizing Package 2 (VSP2), and a thermal activity monitor (TAM) were employed to analyze thermokinetic parameters and safety indices and to facilitate various auto-alarm equipment, such as over-pressure, over-temperature, hazardous materials leak, etc., during a whole spectrum of operations. Results indicated that MEKPO decomposed at a lower temperature (30–40°C) and showed exponential development. Time to Maximum Rate (TMR), self-accelerating decomposition temperature (SADT), maximum temperature (Tmax), exothermic onset temperature (T0), and heat of decomposition (Hd), etc., were necessary and mandatory for industries to discover early-stage runaway reactions effectively.
Table 1. Thermal explosion accidents caused by MEKPO globally.
Table 2. Thermokinetics and safety parameters of 31 mass% MEKPO and 20 mass% H2O2 by DSC under β at 4°C min−1.

Mass (mg) | T1 (°C) | Hd (J g−1) | T2 (°C) | Tmax (°C) | Hd (J g−1) | T3 (°C) | Tmax (°C) | Hd (J g−1) | Htotal (J g−1)

1 MEKPO; 2 H2O2.
Table 3. Thermokinetic parameters of MEKPO and H2O2 from adiabatic tests of VSP2.

T0 (°C) | Tmax (°C) | Pmax (psi) | (dT dt−1)max (°C min−1) | (dP dt−1)max (psi min−1) | Tad (°C) | Ea (kJ mol−1)

1 MEKPO; 2 H2O2.

Figure 4. Temperature vs. time for thermal decomposition of 20 mass% MEKPO and H2O2 by VSP2. [Plot: temperature vs. Time (min), 0–250; Tmax = 158°C marked]

[Plot: Pressure (psig) vs. Time (min), 0–250; Pmax = 841 psi and Pmax = 530 psi marked; 20 mass% H2O2 trace labelled]

Figure 6. Dependence of rate of temperature rise on temperature from VSP2 experimental data for 20 mass% MEKPO and H2O2.
Table 4. Scanning data of the thermal runaway decomposition of 31 mass% MEKPO by TAM.

Isothermal temperature (°C)   Mass (mg)   Reaction time (hr)   TMR (hr)   Hd (J g−1)
60                            0.05008     800                  200        784
70                            0.05100     300                  80         915
80                            0.05224     250                  40         1,015

Figure 8. Thermal curves for 31 mass% MEKPO by TAM at 60–80 °C isothermal temperature. (Plot not reproduced: three panels of heat flux (W g−1) vs. time (hr) for the isothermal tests at 60, 70 and 80 °C.)

temperature rise rate ((dT dt−1)max) and maximum of pressure rise rate ((dP dt−1)max) from Figures 6 and 7, MEKPO is more dangerous than H2O2. According to Figure 2, MEKPO and H2O2 were the Ops that may cause a violent reactivity behavior in the batch reactor.

3.3 Thermal decomposition analysis of 31 mass% MEKPO for TAM

TAM was employed to determine the reaction behavior under isothermal circumstances. Table 4 displays the thermal runaway decomposition of 31 mass% MEKPO under various isothermal environments by TAM. Results showed that the TMR for isothermal temperatures of 60, 70, and 80 °C were about 200, 80, and 40 hrs, respectively. From the data, as the isothermal temperature rose, the emergency response time became shorter.

4 CONCLUSIONS

According to the DSC experimental data, MEKPO decomposes at 30–40 °C. Under external fire circumstances, MEKPO can decompose quickly and cause a runaway reaction and thermal explosion. On the other hand, for 20 mass% MEKPO by VSP2, the maximum temperature (Tmax) and pressure (Pmax) were about 263 °C and 34.7 bar, respectively. Under the 20 mass% MEKPO VSP2 test, the (dT dt−1)max and (dP dt−1)max were about 394.7 °C min−1 and 140.0 bar min−1, respectively. During storage and transportation, a low concentration (<40 mass%) and a small amount of MEKPO should be controlled. H2O2 was controlled at 10 °C when it joined a MEKPO manufacturing reaction. This is very dangerous for the MEKPO manufacturing process, so the reaction was a concern and was controlled at less than 20 °C in the reactor.

ACKNOWLEDGMENT

The authors would like to thank Dr. Kuo-Ming Luo for valuable suggestions on experiments and the measurements of a runaway reaction. In addition, the authors are grateful for professional operating techniques and information.
Crisis and emergency management
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
A. Xuewei Ji
Center for Public Safety Research, Tsinghua University, Beijing, China
School of Aerospace, Tsinghua University, Beijing, China
ABSTRACT: A disaster often causes a series of derivative disasters, and the spreading of disasters can form disaster chains. A mathematical model for risk analysis of disaster chains is proposed on a causality network, in which each node represents one disaster and each arc represents the interdependence between two of them. The nodes of the network are classified into two categories, active nodes and passive nodes. The term inoperability risk, expressing the possible consequences of each passive node due to the influences of all other nodes, is adopted to assess the risk of disaster chains. An example which may occur in real life is solved to show how to apply the mathematical model. The results show that the model can describe the interaction and interdependence of mutually affecting emergencies, and that it can also estimate the risk of disaster chains.
Figure 1. Causality network of disaster chains. (Figure not reproduced.)

to refer to the nodes whose consequences (loss or damage) are embodied through passive nodes; for example, the loss from an earthquake comes from the damage it causes to anthropogenic structures. Likewise, passive nodes will be used to refer to the nodes whose consequences are possible loss events and are embodied by themselves. Taking a power system as an example, the disaster is the consequence of the inability of part of its functions (called inoperability here). Risk is the integration of possibility and consequence. Therefore, the inoperability risk proposed by Haimes et al., which expresses the possible consequences of each passive node due to the influences of other nodes (including passive and active), is adopted to assess the risk of disaster chains.

The proposed model is based on the assumption that the state of an active node is binary, that is, an active node has only two states (occurrence or non-occurrence). The magnitude of the active node (disaster) is not taken into consideration in the model. In contrast, the state of a passive node can take continuous values from the normal state to the completely destroyed state.

2.2 The model

Let us define a certain active node with a certain occurrence probability as the start point of the disaster chains. Let us index all nodes $i = 1, 2, \ldots, m, m+1, m+2, \ldots, n$. The nodes are active nodes if $i = 1, 2, \ldots, m$, and passive nodes if $i = m+1, m+2, \ldots, n$. We shall denote by $a_{ij}$ the probability for any node $i$ to induce directly the active node $j$; $a_{ij} > 0$ in case of the existence of an arrow from node $i$ to node $j$, otherwise $a_{ij} = 0$. By definition, we put $a_{ii} = 0$. So we get the matrix $A = (a_{ij})$.

For each active node $j = 1, 2, \ldots, m$, a random variable $\xi_j$ is used to represent the state, which takes the value 1 or 0 according to whether the node occurs or not. For each passive node $k$ ($k = m+1, m+2, \ldots, n$), inoperability is adopted to represent its state, which is assumed to be a continuous variable $\zeta_k$ taking values between 0 and 1, with 0 corresponding to the normal state and 1 corresponding to the completely destroyed state. We shall consider the conditional distribution of $\xi_j$ and postulate the Markov property: this distribution depends only on the influence of the directly connected nodes. We postulate the following expressions for these conditional probabilities:

$$P(\xi_j = 1 \mid \xi_i = x_i, \zeta_k = y_k) = \pi_j + \sum_i x_i a_{ij} + \sum_k y_k a_{kj}, \qquad i, j = 1, \ldots, m,\; k = m+1, \ldots, n \tag{2}$$

where $\pi_j$ denotes the probability of spontaneous occurrence of the active node $j$. In the above equation, it is supposed that

$$\pi_j + \sum_{i=1}^{m} x_i a_{ij} + \sum_{k=m+1}^{n} y_k a_{kj} \le 1 \tag{3}$$

Equation (2) means that the conditional probability of the event $\xi_j = 1$ given $\xi_i = x_i$, $\zeta_k = y_k$ is a linear combination of the $x_i$ plus a constant. Only the nodes $i$ directly connected with node $j$ are involved in this linear combination. This hypothesis forms the basis of the mathematical theory of the voter model (Malyshev et al.). Let us denote by $P_j$ the unconditional probability $P(\xi_j = 1)$; it is interpreted as the probability of occurrence of the active node $j$. If we take the expectation of (2), we get the equations:

$$P_j = \pi_j + \sum_{i=1}^{m} P_i a_{ij} + \sum_{k=m+1}^{n} R_k a_{kj} \tag{4}$$

$$P_j = \min\left(\pi_j + \sum_{i=1}^{m} P_i a_{ij} + \sum_{k=m+1}^{n} R_k a_{kj},\; 1\right) \tag{5}$$

where $R_k$ denotes the inoperability of the passive node $k$. Next, we use the quantity $b_{ik}$ to represent the inoperability of each passive node $k$ caused by active node $i$. So we have the inoperability $C_k$ of passive node $k$ due to all the active nodes that are directly connected with the passive node:

$$C_k = \sum_{i=1}^{m} P_i b_{ik} \tag{6}$$
It expresses the influence of inoperability between passive nodes $i$ and $j$, which are directly connected. We get the direct influence coefficient matrix:

$$M = (M_{ij}), \qquad i, j = m+1, m+2, \ldots, n \tag{7}$$

The expression $M^k$ reflects all influences over $k-1$ nodes and $k$ links, i.e. $k = 1$ corresponds to direct influences, $k = 2$ to feedback loops with one intermediate node, etc. So, the total influence coefficient matrix $(T_{ij})$ can be expressed:

$$T = M + M^2 + M^3 + \cdots + M^k + \cdots = \sum_{k=1}^{\infty} M^k \tag{8}$$

As this converges only if the matrix $(I - M)^{-1}$ exists, we obtain the formula:

$$T = (I - M)^{-1} - I \tag{9}$$

where $I$ denotes the unity matrix. Besides, the total inoperability risk of the passive node $k$ due to the influence of all the nodes (active and passive) can be expressed as:

$$R_k = \sum_{i=m+1}^{n} C_i T_{ik} \tag{10}$$

Based on the above equations, we can get:

$$R_k = C_k + \sum_{i=m+1}^{n} R_i M_{ik} \tag{11}$$

That is also:

$$R_k = \sum_{i=1}^{m} P_i b_{ik} + \sum_{i=m+1}^{n} R_i M_{ik} \tag{12}$$

It is important to notice that, due to the constraint $0 \le R_k \le 1$, equation (12) sometimes does not have a solution. If this is the case, we will have to solve an alternative problem, i.e.

$$R_k = \min\left(\sum_{i=1}^{m} P_i b_{ik} + \sum_{i=m+1}^{n} R_i M_{ik},\; 1\right) \tag{13}$$

$$\begin{cases} P_j = \pi_j + \sum_{i=1}^{m} P_i a_{ij} + \sum_{k=m+1}^{n} R_k a_{kj} \\[4pt] R_k = \sum_{i=1}^{m} P_i b_{ik} + \sum_{i=m+1}^{n} R_i M_{ik} \\[4pt] \text{s.t.}\quad P_j = \min\left(\pi_j + \sum_{i=1}^{m} P_i a_{ij} + \sum_{k=m+1}^{n} R_k a_{kj},\; 1\right) \\[4pt] \phantom{\text{s.t.}\quad} R_k = \min\left(\sum_{i=1}^{m} P_i b_{ik} + \sum_{i=m+1}^{n} R_i M_{ik},\; 1\right) \end{cases} \qquad j = 1, \ldots, m,\; k = m+1, \ldots, n \tag{14}$$

Finally, in the mathematical model, we need to determine three matrices, i.e. the A matrix, the B matrix and the M matrix. For the matrix A, several physical models and probability models have been developed to give the probability that a disaster induces another one (Salzano et al.). Extensive data collection, data mining and expert knowledge or experience may be required to determine the M matrix. We can use historical data, empirical data and experience to give the matrix B.

3 EXAMPLE

To show how to apply the mathematical model, we solve the following example. We consider a disaster chain consisting of eight nodes, in which the earthquake is considered as spontaneous with a known probability $\pi_1$. The causality network of the disaster chains is illustrated by Figure 2. We take $D_1 \sim D_4$ as active nodes and $D_5 \sim D_8$ as passive nodes.

In principle, the matrices A, B and M are obtained from expert data and historical data. For simplicity, all the elements of the three matrices are regarded as constant. We have:

$$A = \begin{bmatrix} 0 & 0.4 & 0.6 & 0.2 \\ 0 & 0 & 0.1 & 0 \\ 0 & 0.4 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0.3 & 0 & 0 \end{bmatrix}, \quad B = \begin{bmatrix} 0.6 & 0 & 0.5 & 0.3 \\ 0.9 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0.5 & 0 & 0.1 & 0 \end{bmatrix}, \quad M = \begin{bmatrix} 0 & 0 & 0 & 0 \\ 0.3 & 0 & 0 & 0 \\ 0 & 0.4 & 0 & 0.9 \\ 0 & 0.2 & 0.5 & 0 \end{bmatrix}$$

Now, suppose $\pi_1 = 0.3$. Due to the earthquake, fires in the commercial area, hazardous materials release and social crisis are induced, and the commercial area, public transportation system and power supply system are impacted. We can get the results:
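The results the sentence above refers to were not extracted with the text. As an added example (not the paper's own code), the following Python block solves system (14) for the matrices A, B and M of this example by iterating the clipped updates (5) and (13) from zero, and locates by bisection the π_1 at which a passive node is completely destroyed. It assumes 0-based indexing with A[i][j] = a_ij (rows D1..D8), B[i][k] = b_ik and M[i][k] = M_ik (rows and columns D5..D8), that only the earthquake is spontaneous (π_2 = π_3 = π_4 = 0), and the helper names solve_chain and destruction_threshold are its own.

```python
"""Inoperability risk of a disaster chain: fixed-point solution of system (14).

Added example, not the paper's own code.  The matrices A, B, M and pi_1 = 0.3
are copied from the paper's example; the iteration scheme, the 0-based index
conventions and the helper names are assumptions of this example.
Nodes D1..D4 are active (D1 = earthquake), D5..D8 are passive.
"""

M_ACTIVE = 4  # m: active nodes D1..D4; the remaining four (D5..D8) are passive

# A[i][j] = a_ij: probability that node i (rows D1..D8, active then passive)
# directly induces active node j (columns D1..D4).
A = [
    [0.0, 0.4, 0.6, 0.2],
    [0.0, 0.0, 0.1, 0.0],
    [0.0, 0.4, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.0],
    [0.0, 0.3, 0.0, 0.0],
]
# B[i][k] = b_ik: inoperability of passive node k (columns D5..D8) caused by
# active node i (rows D1..D4).
B = [
    [0.6, 0.0, 0.5, 0.3],
    [0.9, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.0],
    [0.5, 0.0, 0.1, 0.0],
]
# M[i][k] = M_ik: direct influence of passive node i on passive node k (D5..D8).
M = [
    [0.0, 0.0, 0.0, 0.0],
    [0.3, 0.0, 0.0, 0.0],
    [0.0, 0.4, 0.0, 0.9],
    [0.0, 0.2, 0.5, 0.0],
]


def solve_chain(pi, A=A, B=B, M=M, m=M_ACTIVE, tol=1e-12, max_iter=10000):
    """Return (P, R): occurrence probabilities P_j of the active nodes and
    inoperabilities R_k of the passive nodes satisfying system (14).

    The clipped equations (5) and (13) are iterated from P = R = 0.  All
    coefficients are non-negative, so the iterates grow monotonically and are
    bounded by 1; they therefore converge to a solution of (14).  (Assumption:
    the paper does not say how its example was solved.)
    """
    n_pass = len(M)
    P = [0.0] * m
    R = [0.0] * n_pass
    for _ in range(max_iter):
        # (5): P_j = min(pi_j + sum_i P_i a_ij + sum_k R_k a_kj, 1)
        P_new = [
            min(pi[j]
                + sum(P[i] * A[i][j] for i in range(m))
                + sum(R[k] * A[m + k][j] for k in range(n_pass)), 1.0)
            for j in range(m)
        ]
        # (13): R_k = min(sum_i P_i b_ik + sum_i R_i M_ik, 1)
        R_new = [
            min(sum(P_new[i] * B[i][k] for i in range(m))
                + sum(R[i] * M[i][k] for i in range(n_pass)), 1.0)
            for k in range(n_pass)
        ]
        delta = max(abs(x - y) for x, y in zip(P + R, P_new + R_new))
        P, R = P_new, R_new
        if delta < tol:
            break
    return P, R


def destruction_threshold(k, iters=50):
    """Smallest pi_1 at which passive node k (0-based: 0 = D5 ... 3 = D8) is
    completely destroyed, i.e. R_k reaches 1, found by bisection (R_k is
    non-decreasing in pi_1).  Returns None if even pi_1 = 1 does not destroy it.
    Only the earthquake is spontaneous: pi_2 = pi_3 = pi_4 = 0 (assumption)."""
    def r_k(p):
        return solve_chain([p, 0.0, 0.0, 0.0])[1][k]
    if r_k(1.0) < 1.0:
        return None
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if r_k(mid) >= 1.0:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    P, R = solve_chain([0.3, 0.0, 0.0, 0.0])
    print("P (D1..D4):", [round(x, 3) for x in P])
    print("R (D5..D8):", [round(x, 3) for x in R])
    for k in range(4):
        print(f"D{5 + k} completely destroyed at pi_1 =", destruction_threshold(k))
```

For π_1 = 0.3 it returns R_5 ≈ 0.58, R_6 ≈ 0.23, R_7 ≈ 0.37 and R_8 ≈ 0.42, and R_5 and R_8 first reach 1 at π_1 ≈ 0.52 and ≈ 0.72, the thresholds quoted in the results paragraph that follows.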
Thus, because of the possible influences of the earthquake and the series of disasters (fires and hazardous materials release) induced by it, the commercial area and the power plant lose 58% and 42% of their functionality, respectively, the economic situation deteriorates by 23% from its normal state, and the transportation system loses 63% of its operability. We conclude from these results that the interdependences amplify the influence of the earthquake. From the viewpoint of disaster chains, the interdependences can be taken into consideration.

We can also evaluate the impact of an earthquake of varying occurrence probability on the risk distribution. Solving the problem yields the following results. When $\pi_1$ is 0.52, the value of $R_5$ reaches 1. The value of $R_8$ reaches 1 when $\pi_1$ increases to 0.72. This means the operability of the commercial area and economic situation is 0.55 and 0.87 at $\pi_1 = 0.72$, while the other two systems have been completely destroyed. When $\pi_1$ increases to 0.97, all of the systems completely fail except the economic situation. The results are shown in Fig. 3.

4 CONCLUSIONS

The mathematical model proposed here can be used to study the interaction and interdependence of mutually affecting disasters and to conduct risk analysis of disaster chains. It can also be used to analyze which disaster is more important compared to other disasters, and to provide a scientific basis for disaster chain emergency management. However, disaster chains are so complex that developing a meaningful mathematical model capable of studying disaster chains is an arduous task. The work here is only a preliminary attempt to contribute to the gigantic effort.

In order to construct a mathematical model to study disaster chains in a causality network, we think that the following steps are needed:

• Enumerate all possible disasters in the causality network.
• For each node of the network, define a list of other nodes which can be directly induced by it and directly induce it, and define the interdependent relationships between them.
• Define appropriate quantities to describe the risk of disaster chains.

Then the risk analysis process of disaster chains can be described by the model presented above.
K. Eriksson
LUCRAM (Lund University Centre for Risk Analysis and Management),
Department of Fire Safety Engineering and Systems Safety, Lund University, Lund, Sweden
J. Borell
LUCRAM (Lund University Centre for Risk Analysis and Management),
Department of Design Sciences, Lund University, Lund, Sweden
ABSTRACT: During recent years a couple of emergencies have affected the city of Malmo and its inhabitants and forced the city management to initiate emergency responses. These emergencies, as well as other incidents, are situations with a great potential for learning about emergency response effectiveness. There are several methods available for evaluating responses to emergencies. However, such methods do not always use the full potential for drawing lessons from the emergency situations that have occurred. Constructive use of principles or rules gained during one experience (in this case an emergency response) in another situation is sometimes referred to as 'positive transfer'. The objective of this paper is to develop and demonstrate an approach for improving learning from the evaluation of specific response experiences through strengthening transfer. The essential principle in the suggested approach is to facilitate transfer by designing evaluation processes so that dimensions of variation are revealed and given adequate attention.
approach can improve experience-based learning in organisations.

2 METHOD

From theories of learning a first hypothetical approach for improving learning from evaluations of emergency responses was created. To further examine and refine the approach it was tested through application on an evaluation of emergency response in the city of Malmo. The evaluation concerned the management of emergency response activities during the Lebanon war in July 2006. In addition, evaluations of the Boxing Day Tsunami in 2004 and the emergency management organisation's handling of a riot that broke out in a district of Malmo during April 2007 are used for further demonstration of the approach. The evaluations are based on analyses of interviews and collected documents. The interviews were carried out with mainly municipal actors involved during the incidents. In total 19 interviews have been completed. The documents analysed were for example notes from the response organisations' information systems, notes and minutes from managerial meetings during the events, written preparedness plans and newspaper articles. The use of the three evaluations can be seen as a first test of the approach for improved learning from evaluations of emergency situations.

3 THEORY

3.1 Organisational learning

For maintaining a response capability in an organisation over time there is a need that not only separate individuals but the entire organisation has the necessary knowledge. According to Senge (2006 p. 129) ''. . . Organizations learn only through individuals who learn. Individual learning does not guarantee organizational learning. But without it no organizational learning occurs''. Also Argyris & Schön (1996) point out that organisational learning is when the individual members learn for the organisation. Argyris & Schön (1996) also discuss two types of organisational learning: single-loop learning and double-loop learning. Single-loop learning occurs when an organisation modifies its performance due to a difference between expected and obtained outcome, without questioning and changing the underlying program (e.g. changes in values, norms and objectives). If the underlying program that led to the behaviour in the first place is questioned and the organisation modifies it, double-loop learning has taken place.

3.2 Transfer

Constructive use of principles or rules that a person gained during one experience (in this case an emergency response operation) in another situation is sometimes referred to as 'positive transfer' (Reber 1995). Transfer may be quite specific when two situations are similar (positive or negative transfer), but also more general, e.g. 'learning how to learn'. The concept of transfer is also discussed within organisational theory. At an organisational level the concept of transfer involves transfer at an individual level but also transfer between different individuals or organisations. Transfer at an organisational level can be defined as ''. . . the process through which one unit (e.g. group, department, or division) is affected by experience of another'' (Argote & Ingram 2000 p. 151).

3.3 Variation

One essential principle for facilitating the transfer process, established in the literature on learning, is to design the learning process so that the dimensions of possible variation become visible to the learners (Pang 2003, Marton & Booth 1999). Successful transfer for strengthening future capability demands that critical dimensions of possible variation specific for the domain of interest are considered (Runesson 2006).

When studying an emergency scenario two different kinds of variation are possible: variation of the parameter values and variation of the set of parameters that build up the scenario. The first kind of variation is thus the variation of the values of the specific parameters that build up the scenario. In practice, it is not possible to vary all possible parameter values. A central challenge is how to know which parameters are critical in the particular scenario and thus worth closer examination by simulated variation of their values. The variation of parameter values can be likened to the concept of single-loop learning (Argyris & Schön 1996). When the value of a given parameter in a scenario is altered, that is analogous to when a difference between expected and obtained outcome is detected and a change of behaviour is made.

The second kind of variation is variation of the set of parameters. This kind of variation may be discerned through e.g. discussing similarities as well as dissimilarities of parameter sets between different scenarios. The variation of the set of parameters can be likened to the concept of double-loop learning (Argyris & Schön 1996), wherein the system itself is altered due to an observed difference between expected and obtained outcome. A central question is what the possible sets of parameters in future emergency scenarios are.
3.4 Scenario

A specific emergency situation can be described as a scenario, here seen as a description of a series of occurred or future events arranged along a timeline. Scenarios describing past emergencies ''. . . answers the question: 'What happened?' '' (Alexander 2000 pp. 89–90). An emergency scenario can further be seen as consisting of various parameters. The concept parameter is here defined in very broad terms and every aspect with a potential for variation in a scenario is seen as a parameter. For example the duration of a scenario or the quantity of resources that is needed can be viewed as parameters. Alexander (2000 p. 90) further mentions that when imagining the future the question to ask is ''What if . . . ?''.

One kind of parameter suitable for imagined variation that is discussed in the literature is the different needs or problems that arise during an emergency situation. Dynes (1994) discusses two different types of needs or problems that require to be responded to during an emergency. These are the response generated and the agent generated needs. The response generated needs are quite general and often occur during emergencies. They are results of the particular organisational response to the emergency, e.g. the needs for communication and coordination. The agent generated needs (Dynes et al. 1981) are the needs and problems that the emergency in itself creates, for example search, rescue, care of injured and dead as well as protection against continuing threats. These needs tend to differ more between emergencies than the response generated needs do.

4 THE PROPOSED APPROACH

The main goal of this paper is to develop and demonstrate an approach to strengthening emergency response capability through improving learning from the evaluation of response experiences.

4.1 Description of the emergency scenario

The first step in the approach is to construct a description of the emergency scenario, i.e. create and document a description of an occurred emergency situation. The description of the occurred scenario is needed for further discussions on the organisation's ability to handle future emergencies. By describing the series of events that build up the scenario, the most relevant parameters can be identified. From this description it is then possible to vary the possible parameters as well as the set of parameters that build up the scenario, and thus answer Alexander's (2000) question: ''what if . . . ?''.

4.2 Variation of the values of the parameters

The second step is to vary the values of the parameters that build up the scenario. This may be carried out through imagining variation of the included parameters (that are seen as relevant) within the scenario description. Typical examples of parameters can be the length of forewarning or the number of people involved in an emergency response.

Variation of parameter values makes the parameters themselves as well as the possible variation of their values visible. This can function as a foundation for positive transfer to future emergency situations with similar sets of relevant parameters. This in turn may strengthen the capability to handle future emergencies of the same kind as the one evaluated, but with for example greater impact.

4.3 Variation of the set of parameters

The third step is the variation of the set of parameters. By comparing the current case with other cases, both occurred (e.g. earlier emergencies) and imagined (e.g. results from risk and vulnerability analyses), different sets of parameters can be discussed.

Obviously it is not possible to decide the ultimate set of parameters to prepare for with general validity. There is always a need for adaptation to the situation. Yet it is often possible for an organisation to observe a pattern of similarities in the parameters after a couple of evaluations. Even if two emergency scenarios differ when it comes to physical characteristics there are often similarities in the managing of the scenarios.

A possible way to vary the set of parameters is to be inspired by Dynes' (1994) different types of needs or problems that arise during an emergency situation. Commonly similarities are found when studying response generated needs and it is thus wise to prepare to handle them. Even if agent generated needs tend to differ more between emergencies, paying them some attention too may be worthwhile.

Greater experience means more opportunities for positive transfer. Furthermore, with increasing experience of thinking in terms of varying the set of parameters and their values, it is probable that the organisation and its employees also develop the ability to more general transfer, through the abstract ability to think of variation of parameters.

4.4 Transferring information and knowledge

A step that is often given inadequate attention is the transferring of information and knowledge obtained during the managing and the evaluation of an emergency to the entire organisation. Thus there is a need for creating organisational learning (Carley & Harrald 1997). This task is not an easy one, and requires serious
resources. Therefore it is essential for organisations to create a planned structure or process for this task. This step also includes activities such as education and exercises. In the end it is essential that the findings are carried by the individuals as well as codified in suitable artefacts of the organisation.

In addition, to create a better transfer and organisational learning it is throughout all steps of the approach recommendable to work in groups. One reason for this is that more people can be potential messengers to the rest of the organisation.

5 DEMONSTRATING THE APPROACH

The main goal of this paper was to develop and demonstrate an approach for strengthening emergency response capability through improving learning from the evaluation of specific response experiences. From theories of learning a hypothetical approach has been constructed. Below the constructed approach will be demonstrated through application on the evaluation of the city of Malmo's response to the Lebanon war. In addition, the evaluations of Malmo's managing of the tsunami and the riot will be used in the demonstration.

5.1 Description of the emergency scenario

The test of the approach started from a construction of the emergency scenario. During this work critical parameters for the response of the managing of the Lebanon war were observed.

5.2 Variation of the values of the parameters

During the evaluation of the Lebanon war two parameters were identified as especially critical. These were the staffing of the central staff group and the spreading of information within the operative organisation.

During the emergency situation the strained staffing situation was a problem for the people working in the central staff group. There was no plan for long-term staffing. A problem was that the crisis happened during the summer period when most of the people that usually work in the organisation were on vacation. In addition, there seems to have been a hesitation to bring in more than a minimum of staff. This resulted in some individuals on duty being overloaded with tasks. After a week these individuals were exhausted. This was an obvious threat to the organisation's ability to continue operations. Critical questions to ask are: What if the situation was even worse, would Malmo have managed it? What if it would have been even more difficult to staff the response organisation?

The spreading of information within the operative central organisation was primarily done by direct contact between people, either by telephone or mail. Malmo also had an administrative diary system that was supposed to be used as a way to spread information within the organisation. During the managing of the Lebanon war this system was not used as intended. Among other things, this was because some people had problems using it. The critical question to ask is thus: If the situation had been worse, how would they then disseminate information within the organisation? In a worse situation, with many more people involved, it is probably not manageable to only use direct contact. Would Malmo have managed such a situation?

By asking what-if questions concerning these two critical aspects or parameters (as well as others), and in that way varying the parameters, the organisation and its employees might get an improved understanding of their capability to manage future emergencies. When Malmo used the proposed approach and asked those critical questions several problems became visible and were discussed. Due to this, Malmo has later developed new routines for staffing their emergency response organisation.

5.3 Variation of the set of parameters

The second step was to vary the set of parameters by e.g. comparing the evaluated scenario to other scenarios.

During the interviews many people compared Malmo's managing of the Lebanon war with the managing of the Tsunami. During both emergencies the Swedish government evacuated Swedish people to Sweden from other countries. Individuals arriving in Malmo caused Malmo to initiate emergency responses. Malmo's work during both situations aimed at helping the evacuated. During both situations it is possible to identify more or less the same response generated needs. Both situations required e.g. communication within the organisation and the creation of a staff group to coordinate the municipal response.

Also the agent generated needs were similar in the two situations. Some of the affected individuals arriving in Sweden needed support and help from the authorities. But the type of support needed varied. For example, after the tsunami there were great needs for psychosocial support, while the people returning from Lebanon instead needed housing and food.

After the riot in 2007 a comparison with the managing of the Malmo consequences of the Lebanon war was carried out. This comparison showed many more dissimilarities than the comparison mentioned above, especially when discussing in terms of agent generated needs. For example, during the riot efforts were concentrated on informing the inhabitants of what the city was doing and on providing constructive activities for youths. The response generated needs, e.g. a need to initiate some form of emergency response organisation and communication with media, were the same
as during Malmo's managing of the Lebanon-related events.
Really interesting questions to ask are: What will happen in the future? What if Malmo is hit by a storm or a terrorist attack? How would that influence the city? Who will need help? Will there be any need for social support, or just a need for technical help? Will people die or get hurt? Obviously, this is a never-ending discussion. The main idea is not to find all possible future scenarios, but to create a capability for this way of thinking. There is a need to always expect the unexpected.

5.4 Transferring information and knowledge

To support transfer of the result throughout the organisation, the evaluation of the Lebanon war resulted in seminars for different groups of people within the organisation, e.g. the preparedness planners and the persons responsible for information during an emergency. These seminars resulted in thorough discussions in the organisation on emergency management capability. In addition, an evaluation report was made and distributed throughout the organisation. The discussions during and after the evaluation of the Lebanon war also led to changes in Malmo's emergency management planning and plans. Some of these changes can be considered examples of double-loop learning, with altering of parameters expected to improve future emergency responses.

6 DISCUSSION

This paper has focused on the construction of an approach for strengthening emergency response capability through improving learning from the evaluation of specific response experiences.
We have described how imaginary variation of sets of parameters and parameter values can be used in evaluation processes around scenarios. Discussing in terms of such variation has been shown to be useful. This holds for written reports as well as presentations. Similar views are discussed in the literature. For example, Weick & Sutcliffe (2001) discuss how to manage the unexpected. They describe certain attitudes within an organisation, e.g. that the organisation is preoccupied with failures and reluctant to simplify interpretations, that help the organisation to create mindfulness. A mindful organisation continues to question and reconsider conceptualisations and models and thus increases the reliability of its operations. Likewise, Clarke (2005) discusses the need for playing with scenarios and imagining different possible futures. ''It is sometimes said that playing with hypothetical scenarios and concentrating on consequences is unproductive. But if we can do those things in a reasonably disciplined way, we can be smarter and more imaginative'' (Clarke 2005 p. 84).
The application of the approach during the evaluation of the managing of the Lebanon war consequences appears to have strengthened the learning in the organisation. This statement is partly based on opinions expressed by the individuals in the organisation involved in the discussions during and after the evaluation. During the reception of the written report, as well as during seminars and presentations of the subject, we found that the organisation understood and made use of the way of thinking generated by using the proposed approach. Subsequently the organisation used the findings from the use of this way of thinking in the revision of its emergency management plan.
The new way of thinking seems to have resulted in providing the organisation a more effective way of identifying critical aspects. Consequently, it comes down to being sensitive to the critical dimensions of variation of these parameters. There is still a need to further study how an organisation knows which the critical dimensions are. It is also necessary to further evaluate and refine the approach in other organisations and on other forms of emergencies.

7 CONCLUSION

Seeing scenarios as sets of parameters, and elaborating on the variation of parameter values as well as the set of parameters, seems to offer possibilities for strengthening transfer. It may thus support emergency response organisations in developing rich and many-sided emergency management capabilities based on evaluations of emergency events that have occurred.

REFERENCES

Alexander, D. 2000. Scenario methodology for teaching principles of emergency management. Disaster Prevention and Management: An International Journal 9(2): 89–97.
Argote, L. & Ingram, P. 2000. Knowledge Transfer: A Basis for Competitive Advantage in Firms. Organizational Behavior and Human Decision Processes 82(1): 150–169.
Argyris, C. & Schön, D.A. 1996. Organizational Learning II: Theory, Method, and Practice. Reading, Massachusetts: Addison-Wesley Publishing Company.
Boin, A., 't Hart, P., Stern, E. & Sundelius, B. 2005. The Politics of Crisis Management: Public Leadership Under Pressure. Cambridge: Cambridge University Press.
Carley, K.M. & Harrald, J.R. 1997. Organizational Learning Under Fire. The American Behavioral Scientist 40(3): 310–332.
Clarke, L. 2005. Worst cases: terror and catastrophe in the popular imagination. Chicago: University of Chicago Press.
Dynes, R.R. 1994. Community Emergency Planning: False Assumptions and Inappropriate Analogies. International Journal of Mass Emergencies and Disasters 12(2): 141–158.
Dynes, R.R., Quarantelli, E.L. & Kreps, G.A. 1981. A perspective on disaster planning, 3rd edition (DRC Research Notes/Report Series No. 11). Delaware: University of Delaware, Disaster Research Center.
Lagadec, P. 2006. Crisis Management in the Twenty-First Century: ''Unthinkable'' Events in ''Inconceivable'' Contexts. In H. Rodriguez, E.L. Quarantelli & R. Dynes (eds), Handbook of Disaster Research: 489–507. New York: Springer.
Marton, F. & Booth, S. 1999. Learning and Awareness. Mahwah, NJ: Erlbaum.
Pang, M.F. 2003. Two Faces of Variation: on continuity in the phenomenographic movement. Scandinavian Journal of Educational Research 47(2): 145–156.
Reber, A.S. 1995. The Penguin dictionary of psychology. London: Penguin Books.
Runesson, U. 2006. What is it Possible to Learn? On Variation as a Necessary Condition for Learning. Scandinavian Journal of Educational Research 50(4): 397–410.
Senge, P.M. 2006. The Fifth Discipline: The Art and Practice of the Learning Organization. London: Random House Business.
Smith, D. & Elliott, D. 2007. Exploring the Barriers to Learning from Crisis: Organizational Learning and Crisis. Management Learning 38(5): 519–538.
Tierney, K.J., Lindell, M.K. & Perry, R.W. 2001. Facing the unexpected: Disaster preparedness and response in the United States. Washington, D.C.: Joseph Henry Press.
Weick, K.E. & Sutcliffe, K.M. 2001. Managing the Unexpected: Assuring High Performance in an Age of Complexity. San Francisco: Jossey-Bass.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: In this paper we discuss the use of multi-criteria analysis in complex societal problems and we illustrate our findings from a case study concerning the management of radioactively contaminated milk. We show that the application of multi-criteria analysis as an iterative process can benefit not only the decision-making process in the crisis management phase, but also the activities associated with planning and preparedness. New areas of investigation (e.g. zoning of affected areas or public acceptance of countermeasures) are tackled in order to gain more insight into the factors contributing to a successful implementation of protective actions and the stakeholders' values coming into play. We follow the structured approach of multi-criteria analysis and we point out some practical implications for the decision-making process.
It is therefore of interest to extend the study of potential applications of MCDA in this particular field and to try to integrate it into the socio-political context specific to each country. Drawing on these ideas, the research reported in this paper aimed at adding the knowledge and experience of key stakeholders in Belgium to the multi-criteria analysis tools developed for decision support, and at exploring various MCDA methods. The management of contaminated milk after a radioactive release to the environment has been chosen as the case study.
In Section 2 we discuss the use of multi-criteria analysis in nuclear emergency management. In Section 3 we outline the Belgian decision-making context. This will set the framework for Section 4, in which we elaborate on the results from a stakeholder process carried out in Belgium in order to set up a theoretical and operational framework for an MCDA model for the management of contaminated milk. The constructive role of multi-criteria analysis, the conclusions and the lessons learnt are summarised in the final section.

2 MCDA IN NUCLEAR EMERGENCY MANAGEMENT

MCDA provides a better approach than CBA for nuclear emergency management and site restoration, first and foremost because the consequences of potential decisions are of a heterogeneous nature, which impedes coding them on a unique, e.g. monetary, scale. In an overwhelming majority of cases (e.g. French 1996, Zeevaert et al. 2001, Geldermann et al. 2005, Panov et al. 2006, Gallego et al. 2000), the MCDA methods used up to now in connection with the management of radiological contaminations mainly draw from multi-attribute value/utility theory (MAU/VT).
Research in this application field for MCDA started in the early 1990s in the aftermath of the Chernobyl accident (French et al. 1992) and was subsequently linked to the European decision-support system RODOS (Ehrhardt & Weiss 2000), as reported e.g. in French (1996), Hämäläinen et al. (1998) and more recently in Geldermann et al. (2006).
The reported use of MAU/VT for comparing and ranking countermeasure strategies suggests that it facilitates the identification of the most important attributes, thus contributing to a shared understanding of the problem between the different stakeholders concerned by the decision-making process. Among the drawbacks revealed was the informational burden of setting criteria weights, especially for socio-psychological attributes (e.g. Hämäläinen et al. 1998), or even of evaluating the impact of potential actions for such non-quantifiable factors. Some recent studies (Mustajoki et al. 2007) suggest that the application of MAVT software in decision conferences can be more successful provided there is careful planning in advance, particularly for use in emergency exercises.
As concerns the aggregation function used, the usual choice is an additive aggregation. The use of a utility function of exponential form had been proposed earlier by Papamichail & French (2000), but it proved non-operational due to missing information on the variance of the actions' scores. It is interesting to notice that although risk aversion could seem a natural attitude, Hämäläinen et al. (2000b) report a case study where half of the participants were risk averse and half were risk seeking, possibly due to a different perception of the decision problem. Related to this, the authors of that case study refer to the hypothesis of Kahneman & Tversky (1979) that people are often risk seeking when it comes to losses (e.g. lives lost) and risk averse when it comes to gains (e.g. lives saved).
Another type of MCDA approach, addressing at the same time the definition of countermeasure strategies as potential actions and the exploration of the efficient ones, is due to Perny & Vanderpooten (1998). In their interactive MCDA model, the affected area is assumed to be a priori divided into a number of zones, whereas the treatment of food products in each zone can again be divided among various individual countermeasures. The practical implementation makes use of a multi-objective linear programming model having as objective functions cost, averted collective dose and public acceptability. This modelling, although questionable as far as public acceptability (and qualitative factors in general) is concerned, allows a great deal of flexibility at the level of defining constraints and exploring efficient, feasible strategies.
The various degrees of acceptance of such decision aid tools in the different countries suggest, however, that the processes envisaged must be tuned to fully accommodate the stakeholders' needs (Carter & French 2005). At the same time, the role of such analyses in a real crisis is still a subject of debate (Hämäläinen et al. 2000a, Mustajoki et al. 2007).
Early stakeholder involvement in the design of models developed for decision support is needed in order to accommodate their use to the national context, e.g. to ensure that the hypotheses assumed, the models and the type of reasoning used reflect the actual needs of the decision-making process. From an operational viewpoint, the MCDA process can be used to check whether the existing models fit e.g. the databases and decision practices in place and, at the same time, whether they are sufficiently flexible at all levels: from the definition of potential actions and evaluation criteria, up to the modelling of comprehensive preferences.
As concerns the general use of MCDA methods, some authors (Belton & Stewart 2002) suggest that value function methods are well suited ''within workshop settings, facilitating the construction of
preferences by working groups who mainly represent stakeholder interests''. Outranking methods and what-if experiments with value functions might instead be better ''fitted for informing political decision-makers regarding the consequences of a particular course of action''.
The exploration of an outranking methodology is motivated by some particularities of our decision problem (Turcanu 2007). Firstly, the units of the evaluation criteria (e.g. averted dose, cost and public acceptance) are heterogeneous, and coding them into one common scale appears difficult and not entirely natural. Secondly, the compensation issues between gains on some criteria and losses on other criteria are not readily quantifiable. In general, Kottemann & Davis (1991) suggest that the degree to which the preference elicitation technique employed requires explicit trade-off judgments influences the ''decisional conflict'' that can negatively affect the overall perception of a multi-criteria decision support system. Thirdly, the process of weighting and judging seems in general more qualitative than quantitative. When it comes to factors such as social or psychological impact, the process of giving weights to these non-quantifiable factors may appear questionable. Furthermore, outranking methods relax some of the key assumptions of the MAUT approach, for example comparability between any two actions and transitivity of preferences and indifferences.
In the following sections, the focus is laid on the management of contaminated milk. The continuous production of milk indeed requires urgent decisions due to the limited storage facilities. Moreover, dairy products are an important element of the diet, especially for children, who constitute the most radiosensitive population group. Finally, for certain radionuclides with high radiotoxicity such as radiocaesium and radioiodine, maximum levels of activity concentration in milk are reached within a few days after the ground deposition of the radioactive material (Nisbet 2002).

agricultural countermeasures in case of a radioactive contamination in the food chain is to reduce the radiological risk for people consuming contaminated foodstuff. For such cases, maximum permitted radioactivity levels for food products, also called the European Council Food Intervention Levels (CFIL) (CEC 1989), have been laid down and are adopted by the Belgian legislation as well.
The experience from the European project FARMING (Vandecasteele et al. 2005) clearly showed, however, that the characteristics of the agriculture and the political environment, as well as past experiences of food chain contamination crises, are also important factors to be taken into account. This explains why some countermeasures aiming at reducing the contamination in food products were considered hardly acceptable by the stakeholders, if at all, even when supported by scientific and technical arguments.
Decisions taken have potentially far-reaching consequences, yet they often have to be made under time pressure and conditions of uncertainty. Also in the case of food countermeasures, time may become an important issue. For example, in the case of milk, the large amounts produced daily versus the limited storage facilities of dairies make it necessary to take a decision rapidly for the management of contaminated milk (processing, disposal, etc.).

4 MCDA MODEL FRAMEWORK

In this section we discuss the multi-criteria decision aid framework developed for the management of contaminated milk. We describe the stakeholder process and the key elements of the MCDA model. Additional details on the stakeholder process and its results can be found in Turcanu et al. (2006); in the following we point out the new areas of investigation opened by this research and we underline the constructive dimension brought by the use of MCDA.
to cover in a consistent way a range of stakeholders as complete as possible and to facilitate free expression of opinions. The discussion protocol used followed the main steps described below.

4.2 Potential actions

Several individual or combined countermeasures can be employed for the management of contaminated milk (Howard et al. 2005), for instance disposal of contaminated milk; prevention or reduction of activity in milk (clean feeding, feed additives); and/or storage and processing to dairy products with low radioactivity retention factors. The need to make available a more flexible way to generate potential actions, a requirement which came out of the stakeholder process, led to the development of a prototype tool allowing the integration of various types of data: data from the food agency (e.g. location of dairy farms and local production), modelling and measurement data (e.g. ground depositions of radioactive material at the location of dairy farms), and other data such as administrative boundaries (see Fig. 2).
Simulated deposition data, for example for iodine and caesium, were generated at discrete points of a grid using dispersion and deposition models, e.g. as existing in the RODOS decision-support system (Ehrhardt & Weiss 2000), and introduced into a geographical information system (GIS). Here, the data were converted into continuous deposition data through a simple natural neighbour algorithm. Next, the deposition data were evaluated at the locations of dairy farms and combined with production data, both provided by the federal food agency. The GIS allows overlaying these data with other spatial information such as administrative boundaries, topological maps, selected zones, population data, etc.
A data fusion tool was subsequently implemented in spreadsheet form. This tool can be used for a fast calculation of e.g. the amount of production in the selected zone, the implementation costs for the selected countermeasure, and the collective doses and maximal individual doses due to ingestion of contaminated foodstuff (the dose is an objective measure of the detriment to health), helping the decision makers or advisers in choosing the set of potential actions to be further evaluated.

Figure 2. Integration of various types of data (GIS data; Food Agency data; model and measurement data) and selection of areas and countermeasures.

4.3 Evaluation criteria

The evaluation criteria were built through a process combining a top-down and a bottom-up approach (Turcanu et al. 2006).
The stakeholders interviewed were first asked to identify all the relevant effects, attributes and consequences of potential actions. Subsequently, they commented on a list of evaluation criteria derived from the literature and amended it where felt necessary. Based on the resulting list, a number of evaluation criteria was built, taking account as much as possible of the properties of exhaustiveness, cohesiveness and non-redundancy (see Roy 1996 for a description of these concepts), in order to arrive at a consistent set of evaluation criteria. The example discussed at the end of this section illustrates the list of criteria proposed.
Here we should mention that one of the evaluation criteria highlighted by all stakeholders as very important is public acceptance. To have a better assessment of it, we included in a public survey in Belgium (Turcanu et al. 2007) a number of issues relevant for the decision-making process: i) public acceptance of various countermeasures; ii) consumer behaviour. The results showed that clean feeding of dairy cattle and disposal of contaminated milk are the preferred options in case of contamination above legal norms. For contamination below legal norms, normal consumption of milk seemed better accepted than disposal. Nonetheless, the expressed consumer behaviour revealed a precautionary tendency: the presence of radioactivity at some step in the food chain could lead to avoiding purchasing products from affected areas. Finally, public trust building was revealed as a key element of a successful countermeasure strategy.
The resulting distributions of acceptance degrees (from ''strong disagreement'' to ''strong agreement'') on the sample of respondents can be compared in several ways (Turcanu et al. 2007). To make use of all the information available, an outranking relation $S$ (with the meaning ''at least as good as'') can be defined on the set of individual countermeasures, e.g. based on stochastic dominance:

$$a\,S\,b \Leftrightarrow \sum_{j \le i} a_j \le \sum_{j \le i} b_j + \theta, \quad \forall\, i = 1, \dots, 5$$
where $a_j$, $b_j$ are the percentages of respondents using the $j$-th qualitative label to evaluate countermeasures $a$ and $b$, respectively, and $\theta$ is a parameter linked to the uncertainty in the evaluation of $a_j$ and $b_j$. A simpler approach, but with loss of information, is to derive a countermeasure's public acceptance score as e.g. the percentage of respondents agreeing with the countermeasure.
Despite the inherent uncertainty connected to assessing the public acceptance of countermeasures in ''peace time'', we consider that such a study is useful for emergency planning purposes, especially for situations where there is a time constraint, as is the case for the management of contaminated milk.

4.4 Formal modelling of evaluation criteria

The preferences with respect to each criterion were modelled with the ''double threshold'' model (Vincke 1992). Each criterion was thus represented by a real-valued positive function associated with two types of discrimination thresholds: an indifference threshold $q(\cdot)$ and a preference threshold $p(\cdot)$. For a criterion $g$ to be maximised and two potential actions $a$ and $b$, we can define the following relations:

$a\,I\,b$ ($a$ indifferent to $b$) $\Leftrightarrow g(a) \le g(b) + q(g(b))$ and $g(b) \le g(a) + q(g(a))$;
$a\,P\,b$ ($a$ strictly preferred to $b$) $\Leftrightarrow g(a) > g(b) + p(g(b))$;
$a\,Q\,b$ ($a$ weakly preferred to $b$) $\Leftrightarrow g(b) + q(g(b)) < g(a)$ and $g(a) \le g(b) + p(g(b))$.

Under certain consistency conditions for $p$ and $q$, this criterion model corresponds to what is called a pseudo-criterion (see Roy 1996).
The choice of the double threshold model is motivated by the fact that for certain criteria (e.g. economic cost) it might not be possible to conclude a strict preference between two actions scoring similar values, e.g. due to the uncertainties involved, while an intermediary zone exists between indifference and strict preference. The double threshold model is a general one, easy to particularise for other types of criteria. For example, by setting both thresholds to zero, one obtains the traditional, no-threshold model.
In order to account in an intuitive way for both situations, when a fixed or a variable threshold could be better fitted for a given criterion $g_i$, the following discrimination thresholds were chosen:

$$q_i(g_i(a)) = \max\{q_i^{ref},\ q_{0i} \cdot g_i(a)\} \quad\text{and}\quad p_i(g_i(a)) = p_0 \cdot q_i(g_i(a)),$$

with $p_0 > 1$ a fixed value, and $q_i^{ref} \ge 0$ and $0 \le q_{0i} < 1$ parameters depending on the criterion $g_i$.

4.5 Comprehensive preferences

In order to derive comprehensive preferences, we discussed with the stakeholders interviewed the relative importance of the evaluation criteria. This notion can be interpreted differently (Roy & Mousseau 1996), depending on the type of preference aggregation method used.
We investigated the adequacy for our application of four types of inter-criteria information: i) substitution rates (trade-offs) between criteria; ii) criteria weights as intrinsic importance coefficients; iii) criteria ranking with possible ties; iv) a partial ranking of subfamilies of criteria.
For each of these we asked the stakeholders interviewed whether such a way to express priorities is suitable and, most importantly, whether they are willing to provide/receive such information. Our discussions revealed a higher acceptance of the qualitative approaches, which indicates that outranking methods might be better suited. The concept of weights as intrinsic importance coefficients proved hard to understand, but encountered a smaller number of opponents than weights associated with substitution rates. The main argument against the latter can be seen in ethical motivations, e.g. the difficulty of arguing for a value trade-off between the doses received and the economic cost. Methods of outranking type that can exploit a qualitative expression of inter-criteria information are for instance the MELCHIOR method (Leclercq 1984) or ELECTRE IV (Roy 1996).
Let us consider in the following the case when the inter-criteria information is incomplete, because the decision-maker is not able or not willing to give this information. Let us suppose that the information about the relative importance of criteria is available in the form of a function assumed irreflexive and asymmetric:

$$\iota : G \times G \to \{0, 1\}, \quad \text{such that} \quad \iota(g_m, g_p) = 1 \Leftrightarrow \text{criterion } g_m \text{ is ''more important than'' criterion } g_p,$$

where $G$ is the complete set of evaluation criteria.
The function $\iota$, comparing the relative importance of individual criteria, can be extended to subsets of
criteria in a manner inspired by the MELCHIOR method: we test whether the favourable criteria are more important than the unfavourable criteria.
Formally stated, we define recursively a mapping $\iota^* : \wp(G) \times \wp(G) \to \{0, 1\}$ as:

$$\iota^*(F, \emptyset) = 1, \quad \forall\, \emptyset \ne F \subset G,$$
$$\iota^*(\emptyset, F) = 0, \quad \forall\, F \subset G,$$
$$\iota^*(\{g_m\}, \{g_p\}) = 1 \Leftrightarrow \iota(g_m, g_p) = 1,$$
$$\iota^*(\{g_m\} \cup F, H) = 1, \text{ with } \{g_m\} \cup F \subset G \text{ and } H \subset G, \Leftrightarrow \iota^*(F, H) = 1 \text{ or } \exists\, g_p \in H : \iota(g_m, g_p) = 1 \text{ and } \iota^*(F, H \setminus \{g_p\}) = 1.$$

We further define a binary relation $R$ representing comprehensive preferences on the set of potential actions $A$ as follows:

$$\forall a, b \in A, \quad R(a, b) = \iota^*(F, H), \quad \text{where } F = \{g_i \in G \mid a\,P_i\,b\},\ H = \{g_i \in G \mid b\,(P_i \cup Q_i)\,a\},$$

and $(P_i, Q_i, I_i)$ is the preference structure associated with criterion $g_i$.

4.6 An illustrative example

In this section we discuss a hypothetical (limited scale) $^{131}$I milk contamination. The potential actions (suitable decision alternatives) are described in Table 1. Table 2 gives the complete list of evaluation criteria and Table 3 summarises the impact of the potential actions with respect to these criteria.
When inter-criteria information is not available, the comprehensive preferences resulting from the aggregation method given above are illustrated in Fig. 3. For instance, the arrow A4 → A3 means that action A4 is globally preferred to action A3. We can see that there are also actions which are incomparable, for instance actions A4 and A6; the situation changes, however, when some information is given concerning the relative importance of criteria.
Let us assume that the decision-maker states that the maximal individual dose is more important than any other criterion and that public acceptance is more important than the cost of implementation and the geographical feasibility. We then obtain the results presented in Fig. 4, highlighting both actions A4 and A2 as possibly interesting choices.

Table 1. Potential actions: Example.

Action | Description
A1 | Do nothing
A2 | Clean feed in area defined by sector (100°, 119°, 25 km)
A3 | Clean feed in area where deposited activity > 4000 Bq/m²
A4 | Clean feed in area where deposited activity > 4000 Bq/m², extended to full administrative zones
A5 | Storage for 32 days in area where deposited activity > 4000 Bq/m²
A6 | Storage for 32 days in area where deposited activity > 4000 Bq/m², extended to full administrative zones

Table 2. Evaluation criteria: Example.

Criterion | Variable indifference threshold ($q_{0i}$) | Minimal indifference threshold ($q_i^{ref}$) | Optimisation direction
C1 Residual collective effective dose (person·Sv) | 10% | 10 person·Sv | min
C2 Maximal individual dose (mSv, thyroid) | 5% | 0.5 mSv | min
C3 Implementation cost (k€) | 10% | 20 k€ | min
C4 Waste (tonnes) | 10% | 1 t | min
C5 Public acceptance | 0 | 0 | max
C6 (Geographical) feasibility | 0 | 0 | max
C7 Dairy industry's acceptance | 0 | 0 | max
C8 Uncertainty of outcome | 0 | 0 | min
C9 Farmers' acceptance | 0 | 0 | max
C10 Environmental impact | 0 | 0 | min
C11 Reversibility | 0 | 0 | max
* $p_0 = 2$ for all cases.

Table 3. Impact of potential actions*.

Action | C1 (person·Sv) | C2 (mSv) | C3 (k€) | C4 (t) | C5 | C6 | C7 | C8
A1 | 4 | 100 | 0 | 0 | 0 | 1 | 0 | 3
A2 | 0.1 | 3.6 | 240 | 16 | 3 | 1 | 2 | 1
A3 | 0.3 | 4.6 | 17 | 16 | 3 | 1 | 2 | 1
A4 | 0.3 | 4.6 | 27 | 16 | 3 | 2 | 2 | 1
A5 | 0.8 | 20 | 1.3 | 0 | 2 | 1 | 1 | 2
A6 | 0.8 | 20 | 2.5 | 0 | 2 | 2 | 1 | 2
* On criteria C9–C11 all actions score the same, therefore they are not mentioned in the table.
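The aggregation just described is mechanical enough to be checked by hand only for a few pairs, so the following Python script, added here as an example and not part of the paper or the authors' prototype tool, implements the double-threshold relations of Section 4.4, the recursive mapping $\iota^*$ and the relation $R$ of Section 4.5, and runs them over the actions and parameters of Tables 2 and 3. It also re-runs the robustness variant with $q_2^{ref} = 1$ mSv that the paper discusses after Fig. 4. Two points are assumptions of the example rather than statements of the paper: for a criterion to be minimised the definitions are mirrored, with the thresholds evaluated at the smaller (better) value; and the `IOTA` pair set is one encoding of the decision-maker's statement in the text ("maximal individual dose more important than any other criterion; public acceptance more important than cost and geographical feasibility").

```python
"""Outranking aggregation for the contaminated-milk example (added example).

Double-threshold pseudo-criteria (Section 4.4), the MELCHIOR-style mapping
iota* and the comprehensive relation R (Section 4.5), applied to Tables 2-3.
"""

P0 = 2.0  # p_i = p0 * q_i for every criterion (Table 2 footnote)

# Table 2: criterion -> (q0i, qi_ref, optimisation direction).
CRITERIA = {
    "C1": (0.10, 10.0, "min"),  # residual collective dose (person.Sv)
    "C2": (0.05, 0.5, "min"),   # maximal individual thyroid dose (mSv)
    "C3": (0.10, 20.0, "min"),  # implementation cost (k euro)
    "C4": (0.10, 1.0, "min"),   # waste (t)
    "C5": (0.0, 0.0, "max"),    # public acceptance
    "C6": (0.0, 0.0, "max"),    # geographical feasibility
    "C7": (0.0, 0.0, "max"),    # dairy industry's acceptance
    "C8": (0.0, 0.0, "min"),    # uncertainty of outcome
}
ORDER = list(CRITERIA)

# Table 3 impacts in ORDER (C9-C11 omitted: every action scores the same).
ACTIONS = {
    "A1": [4.0, 100.0, 0.0, 0.0, 0, 1, 0, 3],
    "A2": [0.1, 3.6, 240.0, 16.0, 3, 1, 2, 1],
    "A3": [0.3, 4.6, 17.0, 16.0, 3, 1, 2, 1],
    "A4": [0.3, 4.6, 27.0, 16.0, 3, 2, 2, 1],
    "A5": [0.8, 20.0, 1.3, 0.0, 2, 1, 1, 2],
    "A6": [0.8, 20.0, 2.5, 0.0, 2, 2, 1, 2],
}

# Assumed encoding of the Fig. 4 statement as pairs (g_m, g_p) with iota = 1:
# C2 more important than every other criterion, C5 more important than C3, C6.
IOTA = frozenset({("C2", c) for c in ORDER if c != "C2"} | {("C5", "C3"), ("C5", "C6")})

# Robustness variant discussed after Fig. 4: q2_ref = 1 mSv instead of 0.5 mSv.
ROBUST = dict(CRITERIA, C2=(0.05, 1.0, "min"))


def dominance(crit, ga, gb, criteria=CRITERIA):
    """'P' if a is strictly preferred to b on crit, 'Q' if weakly, else None.

    Maximised criterion: thresholds evaluated at g(b), as in the paper.
    Minimised criterion (assumption of this example): definitions mirrored,
    thresholds evaluated at the smaller value g(a).
    """
    q0, qref, direction = criteria[crit]
    gap, ref = (ga - gb, gb) if direction == "max" else (gb - ga, ga)
    q = max(qref, q0 * ref)
    p = P0 * q
    if gap > p:
        return "P"
    if gap > q:
        return "Q"
    return None


def _matchable(fav, unfav, more_important):
    # Recursion of iota*: every criterion in `unfav` must be paired with a
    # distinct criterion in `fav` that is more important than it.
    if not unfav:
        return True
    if not fav:
        return False
    gm = min(fav)
    rest = fav - {gm}
    if _matchable(rest, unfav, more_important):  # g_m left unused
        return True
    return any((gm, gp) in more_important and _matchable(rest, unfav - {gp}, more_important)
               for gp in unfav)


def iota_star(fav, unfav, more_important=frozenset()):
    """iota*(F, H): 1 if the favourable criteria F outweigh the unfavourable H."""
    if not fav:  # iota*(empty set, H) = 0
        return 0
    return int(_matchable(frozenset(fav), frozenset(unfav), more_important))


def comprehensive(a, b, more_important=frozenset(), criteria=CRITERIA):
    """R(a, b) = iota*(F, H) with F = {a P_i b} and H = {b (P_i or Q_i) a}."""
    fav, unfav = set(), set()
    for k, crit in enumerate(ORDER):
        ga, gb = ACTIONS[a][k], ACTIONS[b][k]
        if dominance(crit, ga, gb, criteria) == "P":
            fav.add(crit)
        if dominance(crit, gb, ga, criteria) in ("P", "Q"):
            unfav.add(crit)
    return iota_star(fav, unfav, more_important)


def preference_graph(more_important=frozenset(), criteria=CRITERIA):
    """Arrows (a, b) meaning a is globally preferred to b, as in Figs. 3 and 4."""
    return {(a, b) for a in ACTIONS for b in ACTIONS
            if a != b and comprehensive(a, b, more_important, criteria)}


def undominated(graph):
    """Actions to which no other action is globally preferred."""
    return {a for a in ACTIONS if not any(b == a for _, b in graph)}


if __name__ == "__main__":
    for label, mi, crit in (("no inter-criteria information", frozenset(), CRITERIA),
                            ("Fig. 4 information", IOTA, CRITERIA),
                            ("Fig. 4 information, q2_ref = 1 mSv", IOTA, ROBUST)):
        g = preference_graph(mi, crit)
        print(label, sorted(g), "undominated:", sorted(undominated(g)))
```

Run as a script, it prints the arrows of Figs. 3 and 4 as pairs. Without inter-criteria information A4 → A3 appears while A4 and A6 are incomparable, and A2, A4 and A6 are left undominated; with the Fig. 4 information only A2 and A4 remain undominated, since A4 now outranks A6 (C2 matches the waste criterion and C5 the cost criterion on which A6 is better); raising $q_2^{ref}$ to 1 mSv turns the weak preference of A2 over A3 and A4 on C2 into indifference, so A2 becomes dominated by both, as the text states.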
Table 4. Results from the multi-criteria analysis. (Columns: Multi-criteria analysis; Stakeholder process results.)

Figure 4. Comprehensive preferences with inter-criteria information.

Naturally, results such as those presented above must be subjected to a detailed robustness analysis (Dias 2006), as they depend on the specific values chosen for the parameters used in the model, i.e. the discrimination thresholds. For instance, if $q_2^{ref} = 1$ mSv instead of 0.5 mSv as set initially (see Table 2), while the rest of the parameters remain at their initial values, both actions A4 and A3 would be globally preferred to action A2.

5 CONCLUSIONS

In this paper we have discussed the application of multi-criteria analysis for a case study dealing with the management of contaminated milk. Our main findings are summarised in Table 4.
One important conclusion is that consultation with the concerned stakeholders is a key factor that can lead to a more pragmatic decision aid approach and presumably to an increased acceptance of the resulting models. The stakeholder process, involving decision makers and decision advisers, as well as practitioners in the field (e.g. from the dairy industry or farmers' union), contributed to a better understanding of many aspects of the problem considered. For our case study, this process triggered further research in two directions: flexible tools for generating potential actions and social research in the field of public acceptance of food chain countermeasures.
MCDA can thus be viewed as bridging between various sciences (decision science, radiation protection, radioecological modelling and social science) and as a useful tool in all emergency management phases.
The research presented here represents one step in an iterative cycle. Further feedback from exercises and workshops will contribute to improving the proposed methodology.

REFERENCES

Allen, P., Archangelskaya, G., Belayev, S., Demin, V., Drotz-Sjöberg, B.-M., Hedemann-Jensen, P., Morrey, M., Prilipko, V., Ramsaev, P., Rumyantseva, G., Savkin, M., Sharp, C. & Skryabin, A. 1996. Optimisation of health protection of the public following a major nuclear accident: interaction between radiation protection and social and psychological factors. Health Physics 71(5): 763–765.
Belton, V. & Stewart, T.J. 2002. Multiple Criteria Decision Analysis: An integrated approach. Kluwer: Dordrecht.
Carter, E. & French, S. 2005. Nuclear Emergency Management in Europe: A Review of Approaches to Decision Making. Proc. 2nd Int. Conf. on Information Systems for Crisis Response and Management, 18–20 April, Brussels, Belgium, ISBN 9076971099, pp. 247–259.
Dias, L.C. 2006. A note on the role of robustness analysis in decision aiding processes. Working paper, Institute of Systems Engineering and Computers INESC-Coimbra, Portugal. www.inesc.pt.
Decision support systems and software tools for safety and reliability
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: The paper presents a complex assessment system developed for Small and Medium Enterprises. It assesses quality, safety and environment on three layers, from basic to complete assessment (including management and organizational culture). It presents the most interesting attributes of this system together with some of the results obtained by testing it on a statistical lot of 250 Romanian SMEs.
1 GENERAL ASPECTS
2 VULNERABILITY ANALYSIS

in an enterprise infrastructure. In addition, vulnerability analysis can forecast the effectiveness of proposed prevention measures and evaluate their actual effectiveness after they are put into use. Our vulnerability analysis is performed in the basic safety assessment layer and consists mainly of the following steps:
1. Definition and analysis of the existing (and available) human and material resources;
2. Assignment of relative levels of importance to the resources;
3. Identification of potential safety threats for each resource;
4. Identification of the potential impact of the threat on the specific resource (used later in scenario analysis);
5. Development of a strategy for solving the threats hierarchically, from the most important to the least important;
6. Defining ways to minimise the consequences if a threat is acting (TechDir 2006).
We have considered a mirrored vulnerability (Kovacs 2006b): the analysis of vulnerability is oriented both inwards and outwards of the assessed workplace. Figure 3 shows this aspect.
So, the main attributes for which vulnerability is assessed are:
1. the human operator;
2. the operation;
3. the process.
The mirrored vulnerability analysis follows not just how vulnerable these three elements are, but also how much they affect the vulnerability of the whole SME.
Vulnerability is estimated in our system on a 0 to 5 scale, as in Table 1.

Table 1. Vulnerability scores.
Mark  Meaning
0     Non-vulnerable
1     Minimal
2     Medium
3     Severe vulnerability-loss
4     Severe vulnerability-accidents
5     Extreme vulnerability

We are also performing a cross-over analysis taking into account the incident statistical data of the past five years. So we are computing an Operational Vulnerability as the Assessed Vulnerability multiplied by a Past Incident Coefficient:

Ov = Av ∗ Pik   (1)

where
Pik = 0—if there were no previous incidents;
Pik = 1.5—if there were near misses, loss incidents and/or minor accidents;
Pik = 2—if there were severe accidents before.

Figure 3. Vulnerability analysis schema.

3 PRE-AUDIT

The pre-audit phase of the basic safety assessment plays many roles (Mahinda 2006). The most important of these are connected with the need to have regularly a preliminary safety assessment (Kovacs 2001a) which:
– identifies the most serious hazards;
– maps the weak spots of the SME, where these hazards could act more often and more severely;
– estimates the impact of the hazards' action upon man and property;
– verifies basic conformity with safety law and basic safety provisions;
– assures consistency to the following assessments, recordings and also the management of previous assessments.
Pre-audit is centred around two attributes of the workplace:
Pre-audit of the human operator (Kovacs 2001b)—its findings lead to two main measures: the improvement of training or the change of workplace for the operator whose performance could endanger the safety at the workplace.
Pre-audit of machines and the technological process—the findings of this part of the safety pre-audit could lead to machine/process improvement, to machine/process revision, to the improvement of machine maintenance or, if necessary, to the elimination of the machine if it is beyond repair.
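Equation (1) and the six-step procedure of Section 2, worked through as an added Python example. This is not the authors' assessment system: the resource/threat record, the incident-history labels none/minor/severe and the ordering rule used for step 5 (resource importance first, Ov as tie-breaker) are this example's own assumptions; the marks of Table 1 and the Pik values are those of the paper.

```python
"""Operational Vulnerability scoring for an SME vulnerability analysis.

Added example, not the authors' assessment system. It applies the paper's
equation (1), Ov = Av * Pik, with the Table 1 scale (0-5) and the stated Pik
values, then orders the (resource, threat) pairs for step 5 of the analysis.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Table 1 of the paper: assessed vulnerability marks and their meaning
VULNERABILITY_SCALE = {
    0: "Non-vulnerable",
    1: "Minimal",
    2: "Medium",
    3: "Severe vulnerability-loss",
    4: "Severe vulnerability-accidents",
    5: "Extreme vulnerability",
}

# Past Incident Coefficient, as given after equation (1); the labels are ours
PIK_BY_HISTORY = {
    "none": 0.0,    # no previous incidents
    "minor": 1.5,   # near misses, loss incidents and/or minor accidents
    "severe": 2.0,  # severe accidents before
}


@dataclass
class ThreatAssessment:
    """One row of the analysis (assumed record layout, not the paper's)."""
    resource: str    # step 1: a human or material resource
    importance: int  # step 2: relative importance, assumed 1 (low) .. 5 (high)
    threat: str      # step 3: a potential safety threat to that resource
    av: int          # Assessed Vulnerability, a Table 1 mark
    history: str     # past five-year incident record: none / minor / severe


def past_incident_coefficient(history: str) -> float:
    """Map the five-year incident record onto Pik."""
    if history not in PIK_BY_HISTORY:
        raise ValueError(f"unknown incident history {history!r}")
    return PIK_BY_HISTORY[history]


def operational_vulnerability(av: int, history: str) -> float:
    """Equation (1): Ov = Av * Pik, with Av validated against Table 1."""
    if av not in VULNERABILITY_SCALE:
        raise ValueError(f"Av must be an integer mark 0-5, got {av!r}")
    return av * past_incident_coefficient(history)


def prioritise(assessments: List[ThreatAssessment]) -> List[Tuple[str, str, float, str]]:
    """Step 5: rank threats from the most to the least important.

    Returns (resource, threat, Ov, meaning of Av). Ordering key is an
    assumption of this example: resource importance first, then Ov.
    """
    scored = [(a, operational_vulnerability(a.av, a.history)) for a in assessments]
    scored.sort(key=lambda pair: (pair[0].importance, pair[1]), reverse=True)
    return [(a.resource, a.threat, ov, VULNERABILITY_SCALE[a.av]) for a, ov in scored]


# Constructed sample for a small workshop (not data from the paper's 250-SME lot)
SAMPLE = [
    ThreatAssessment("press operator", 5, "hand entrapment", 4, "minor"),
    ThreatAssessment("press operator", 5, "noise exposure", 2, "none"),
    ThreatAssessment("hydraulic press", 4, "hose rupture", 3, "severe"),
    ThreatAssessment("storage rack", 2, "collapse", 5, "none"),
]

if __name__ == "__main__":
    for resource, threat, ov, meaning in prioritise(SAMPLE):
        print(f"{resource:16} {threat:16} Ov={ov:4.1f}  ({meaning})")
```

Note what the paper's own coefficients imply: with Pik = 0 for a resource without incident history, Ov is zero whatever Av is, so the constructed storage-rack row ("Extreme vulnerability", no incidents) scores 0. That is why the ranking above also carries the meaning of the Av mark, so that the assessor sees the raw vulnerability next to the incident-weighted value.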
The pre-audit assessment system uses the rating presented in Table 2. The main guideline for the pre-audit is ISO 9001. The main pre-audit instruments are checklists; a very short example of such a checklist is presented in Table 3.

Table 2. Pre-audit scores.
Pre-audit score | Minimum corresponding level of safety | Pre-audit ranges | Level of transition to move to next level
0 | Nothing in place | 0–1 | Identification of basic safety needs, some activities performed
1 | Demonstrates a basic knowledge and willingness to implement safety policies/procedures/guidelines | 1–2 | Local safety procedures developed and implemented
2 | Responsibility and accountability identified for most safety related tasks | 2–3 | Responsibility documented and communicated for the main safety tasks
3 | OHS Policies/Procedures and Guidelines implemented | 3–4 | Significant level of implementation through audit site
4 | Comprehensive level of implementation across audit site | 4–5 | Complete implementation across audit site
5 | Pre-audit results used to review and improve safety system; demonstrates willingness for continual improvement | – | Industry best practice

Table 3. Checklist example. Columns: Question nr. | Question | Yes | No

4 SAFETY SCENARIO ANALYSIS

As SMEs often perform routine activities, it is possible to develop and use safety scenarios as a safety improvement tool, in order to be aware of what could happen if risks are acting (TUV 2008). A schema of our scenario analysis module is given in Figure 4.
The previous safety assessment data is first used in order to build a scenario plan. For example, in a specific area of the SME frequent near misses were recorded in a very short period of time. The previous assessment data is used in order to estimate the trend of components and their attributes. One such component is the Human Operator
and one of its attributes would be the preparedness in emergency situations. In our example we could consider the sudden apparition of a fire at one of the control panels at the workplace. If preparedness in emergency situations is set on in the scenario, the operator is able to put out the fire and no other loss occurs. If the attribute is set off, the operator is frightened and runs away; the fire propagates and there is an accidental spill, because some valves got out of control.
Our scenario analysis instrument assures the rule of the 3 P's (Kovacs 2006b):
• Plan:
◦ Establish goals and objectives to follow;
◦ Develop procedures to follow;
• Predict:
◦ Predict specific risk action;
◦ Predict component failure;
◦ Predict soft spots where risks could materialise more often;
• Prevent:
◦ Foresee the necessary prevention measures; some of these measures could be taken immediately; others can be postponed to a more favourable period (for example the acquisition of an expensive prevention means); others are simply improvements of the existing situation, for example a training that should include all the workers at the workplace, not just the supervisors.
The actual development of the scenario is performed in a best case—medium case—worst case framework. This framework can be seen in Figure 5.
Mainly, three essential components are considered:
• The Human Operator;
• The Machine(s), including facilities;
• The Working Environment;
together with a derived component which includes the specific work task and also the interaction between components.
All these components, and their interaction, are analysed in the best case–worst case framework, considering also an intermediary state, the medium case. The medium case is (if not mentioned otherwise) the actual situation in the SME. One point of attention is the transition between the cases, in order to analyse what happens if, for example, safety resource allocation is postponed in order to allocate resources to hotter places.

5 OBTAINED RESULTS

We have tested our system on a statistically significant lot of 250 Romanian SMEs (Kovacs 2006a) from all economic activities, over a half-year period, taking into account the following assessments:
• General management assessment;
• Safety management assessment;
• Incident rate after implementation (compared with incidents over a 5 year period);
• Assessment of the ground floor work teams.
The SME test has shown that such a system, which is not very complicated, so that it can be used by SMEs on their own, is a very efficient tool in order to:
– assess safety more objectively, together with quality and environment;
– perform an efficient assessment of the SME management regarding quality, safety and environment;
– offer a realistic image to the SME management, in order to convince them of the necessity of improvement, not just for safety but also for environment, as quality improvement is a must for every SME in order to remain in the market;
– tell the SME manager that quality must not be considered alone but only in connection with safety and environment;
– offer a valuable assessment instrument for external assessment firms, inspection authorities and risk assurance companies (Kovacs 2003a).

[Figure: Vulnerability analysis results]

REFERENCES
F. Flammini
ANSALDO STS, Ansaldo Segnalamento Ferroviario S.p.A., Naples, Italy
Università di Napoli ‘‘Federico II’’, Dipartimento di Informatica e Sistemistica, Naples, Italy
C. Pragliola
ANSALDO STS, Ansaldo Segnalamento Ferroviario S.p.A., Naples, Italy
ABSTRACT: Critical Infrastructure Protection (CIP) against potential threats has become a major issue in modern society. CIP involves a set of multidisciplinary activities and requires the adoption of proper protection mechanisms, usually supervised by centralized monitoring systems. This paper presents the motivation, the working principles and the software architecture of DETECT (DEcision Triggering Event Composer & Tracker), a new framework aimed at the automatic and early detection of threats against critical infrastructures. The framework is based on the fact that non-trivial attack scenarios are made up of a set of basic steps which have to be executed in a predictable sequence (with possible variants). Such scenarios are identified during Vulnerability Assessment, which is a fundamental phase of the Risk Analysis for critical infrastructures. DETECT operates by performing a model-based logical, spatial and temporal correlation of basic events detected by the sensorial subsystem (possibly including intelligent video-surveillance, wireless sensor networks, etc.). In order to achieve this aim, DETECT is based on a detection engine which is able to reason about heterogeneous data, implementing a centralized application of “data fusion”. The framework can be interfaced with or integrated in existing monitoring systems as a decision support tool or even to automatically trigger adequate countermeasures.
With respect to traditional approaches to infrastructure surveillance, DETECT allows for:
• A quick, focused and fully automatic response to emergencies, possibly independent from human supervision and intervention (though manual confirmation of detected alarms remains an option). In fact, human management of critical situations, possibly involving many simultaneous events, is a very delicate task, which can be error prone as well as subject to forced inhibition.
• An early warning of complex attack scenarios from their first evolution steps, using the knowledge base provided by experts during the qualitative risk analysis process. This allows for preventive reactions which are very unlikely to be performed by human operators, given the limitations both in their knowledge base and in their vigilance level. Therefore, a greater situational awareness can be achieved.
• An increase in the Probability Of Detection (POD) while minimizing the False Alarm Rate (FAR), due to the possibility of logic as well as temporal correlation of events. While some SMS/SCADA software offers basic forms of logic correlation of alarms, temporal correlation is not implemented in any of today's systems, to the best of our knowledge (though some vendors provide basic options of on-site configurable “sequence” correlation embedded in their multi-technology sensors).
The output of DETECT consists of:
• The identifier(s) of the detected/suspected scenario(s).
• An alarm level, associated to scenario evolution (only used in deterministic detection as a linear progress indicator; otherwise, it can be set to 100%).
• A likelihood of attack, expressed in terms of probability (only used as a threshold in heuristic detection; otherwise, it can be set to 100%).
DETECT can be used as an on-line decision support system, by alerting SMS operators in advance about the likelihood and nature of the threat, as well as an autonomous reasoning engine, by automatically activating responsive actions, including audio and visual alarms, emergency calls to first responders, air conditioning flow inversion, activation of sprinklers, etc.
The main application domain of DETECT is homeland security, but its architecture is suited to other application fields like environmental monitoring and control as well. The framework will be experimented in railway transportation systems, which have been demonstrated by the recent terrorist strikes to be among the most attractive and vulnerable targets. Example attack scenarios include intrusion and drop of explosive in subway tunnels, spread of chemical or radiological material in underground stations, combined attacks with simultaneous multiple train halting and railway bridge bombing, etc. DETECT has proven to be particularly suited for the detection of such articulated scenarios using a modern SMS infrastructure based on an extended network of cameras and sensing devices. With regard to the underlying security infrastructure, a set of interesting technological and research issues can also be addressed, ranging from object tracking algorithms to wireless sensor network integration; however, these aspects (mainly application specific) are not in the scope of this work.
DETECT is a collaborative project carried out by the Business Innovation Unit of Ansaldo STS Italy and the Department of Computer and System Science of the University of Naples “Federico II”.
The paper is organized as follows: Section 2 presents a brief summary of related works; Section 3 introduces the reference software architecture of the framework; Section 4 presents the language used to describe the composite events; Section 5 describes the implementation of the model-based detection engine; Section 6 contains a simple case-study application; Section 7 draws conclusions and provides some hints about future developments.

2 RELATED WORKS

Composite event detection plays an important role in the active database research community, which has long been investigating the application of the Event Condition Action (ECA) paradigm in the context of triggers, generally associated with update, insert or delete operations. In the HiPAC (Dayal et al. 1988) active database project an event algebra was first defined.
Our approach for composite event detection follows the semantics of the Snoop (Chakravarthy & Mishra 1994) event algebra. Snoop has been developed at the University of Florida and its concepts have been implemented in a prototype called Sentinel (Chakravarthy et al. 1994, Krishnaprasad 1994). Event trees are used for each composite event and these are merged to form an event graph for detecting a set of composite events. An important aspect of this work lies in the notion of parameter contexts, which augment the semantics of composite events for computing their parameters (parameters indicate “component events”). CEDMOS (Cassandra et al. 1999) refers to the Snoop model in order to encompass heterogeneity problems which often appear under the heading of sensor fusion. In (Alferes & Tagni 2006) the implementation of an event detection engine that detects composite events specified by expressions of an illustrative sublanguage of the Snoop event algebra is presented. The engine has been implemented as a Web Service, so it can also be
used by other services and frameworks if the markup for the communication of results is respected.
Different approaches for composite event detection are taken in Ode (Gerani et al. 1992a, b) and Samos (Gatziu et al. 1994, Gatziu et al. 2003). Ode uses extended Finite Automata for composite event detection, while Samos defines a mechanism based on Petri Nets for modeling and detection of composite events for an Object Oriented Data-Base Management System (OODBMS).
DETECT transfers to physical security the concept of Intrusion Detection System (IDS), which is nowadays widespread in computer (or “logical”) security, also borrowing the principles of Anomaly Detection, which is applied when an attack pattern is known a priori, and Misuse Detection, indicating the possibility of detecting unknown attacks by observing a significant statistical deviation from normality (Jones & Sielken 2000). The latter aspect is strictly related to the field of Artificial Intelligence and related classification methods.
Intelligent video-surveillance exploits Artificial Vision algorithms in order to automatically track object movements in the scene, detecting several types of events, including virtual line crossing, unattended objects, aggressions, etc. (Remagnino et al. 2007). Sensing devices include microwave/infrared/ultrasound volumetric detectors/barriers, magnetic detectors, vibration detectors, explosive detectors, and advanced Nuclear Bacteriologic Chemical Radiological (NBCR) sensors (Garcia 2001). They can be connected using both wired and wireless networks, including ad-hoc Wireless Sensor Networks (WSN) (Lewis 2004, Roman et al. 2007).

3 THE SOFTWARE ARCHITECTURE

The framework is made up of the following main modules (see Figure 1):
• Event History database, containing the list of basic events detected by sensors or cameras, tagged with a set of relevant attributes including detection time, event type, sensor id, sensor type, sensor group, object id, etc. (some of which can be optional, e.g. “object id” is only needed when video-surveillance supports inter-camera object tracking).
• Attack Scenario Repository, providing a database of known attack scenarios as predicted in Risk Analysis sessions and expressed by means of an Event Description Language (EDL) including logical as well as temporal operators (derived from Chakravarthy et al. 1994).
• Detection Engine, supporting both deterministic (e.g. Event Trees, Event Graphs) and heuristic (e.g. Artificial Neural Networks, Bayesian Networks) models, sharing the primary requirement of real-time solvability (which excludes e.g. Petri Nets from the list of candidate formalisms).
• Model Generator, which has the aim of building the detection model(s) (structure and parameters) starting from the Attack Scenario Repository by parsing all the EDL files.
• Model Manager, constituted by four sub-modules (grey-shaded boxes in Figure 1):
◦ Model Feeder (one for each model), which instantiates the inputs of the detection engine according to the nature of the models by cyclically performing proper queries and data filtering on the Event History (e.g. selecting sensor typologies and zones, excluding temporally distant events, etc.).
◦ Model Executor (one for each model), which triggers the execution of the model, once it has been instantiated, by activating the related (external) solver. An execution is usually needed at each new event detection.
◦ Model Updater (one for each model), which is used for on-line modification of the model

[Figure 1. DETECT architecture: Event History (queries), Model k Feeder (detection inputs), Model k Solver, Model k Executor, Detection Engine, Output Manager; interface to SMS/SCADA with alarms and countermeasures flowing out and configuration flowing in.]
(e.g. update of a threshold parameter), without regenerating the whole model (whenever supported by the modeling formalism).
◦ Output Manager (single), which stores the output of the model(s) and/or passes it to the interface modules.
• Model Solver, that is the existing or specifically developed tool used to execute the model.
Model Generator and Model Manager are dependent on the formalisms used to express the models constituting the Detection Engine. In particular, the Model Generator and Model Feeder are synergic in implementing the detection of the events specified in EDL files: in fact, while the Detection Engine undoubtedly plays a central role in the framework, many important aspects are delegated to the way the query on the database is performed (i.e. selection of the proper events). As an example, in case the Detection Engine is based on Event Trees (a combinatorial formalism), the Model Feeder should be able to pick the set of the last N consecutive events fulfilling some temporal properties (e.g. total time elapsed since the first event of the sequence < T), as defined in the EDL file. In case of Event Graphs (a state-based formalism), instead, the model must be fed one event at a time.
Besides these main modules, there are others which are also needed to complete the framework with useful, though not always essential, features (some of which can also be implemented by external tools or in the SMS):
• Scenario GUI (Graphical User Interface) used to draw attack scenarios using an intuitive formalism and a user-friendly interface (e.g. specifically tagged UML Sequence Diagrams stored in the standard XMI format (Object Management Group UML 2008)).
• EDL File Generator, translating GUI output into EDL files.
• Event Log, storing information about composite events, including detection time, scenario type, alarm level and likelihood of attack (whenever applicable).
• Countermeasure Repository, associating to each detected event or event class a set of operations to be automatically performed by the SMS.
• Specific drivers and adapters needed to interface external software modules, possibly including anti-intrusion and video-surveillance subsystems.
• Standard communication protocols (OPC, ODBC, Web Services, etc.) needed to interoperate with open databases, SMS/SCADA, or any other client/server security subsystems which are compliant with such standards.
The last two points are necessary to provide DETECT with an open, customizable and easily upgradeable architecture. For instance, by adopting a standard communication protocol like OPC, an existing SMS supporting this protocol could integrate DETECT as if it were just a further sensing device.
At the current development state of DETECT:
• A GUI has been developed to edit scenarios and generate EDL files starting from the Event Tree graphical formalism.
• A Detection Engine based on Event Graphs (Buss 1996) is already available and fully working, using a specifically developed Model Solver.
• A Model Generator has been developed in order to generate Event Graphs starting from the EDL files in the Scenario Repository.
• A Web Services based interface has been developed to interoperate with external SMS.
• The issues related to the use of ANN (Jain et al. 1996) for heuristic detection have been addressed and the related modules are under development and experimentation.

4 THE EVENT DESCRIPTION LANGUAGE

The Detection Engine needs to recognize combinations of events, bound to each other with appropriate operators in order to form composite events of any complexity. Generally speaking, an event is a happening that occurs in the system, at some location and at some point in time. In our context, events are related to sensor data variables (i.e. variable x greater than a fixed threshold, variable y in a fixed range, etc.). Events are classified as primitive events and composite events.
A primitive event is a condition on a specific sensor which is associated with some parameters (i.e. event identifier, time of occurrence, etc.). Event parameters can be used in the evaluation of conditions. Each entry stored in the Event History is a quadruple <IDev, IDs, IDg, tp>, where:
• IDev is the event identifier;
• IDs is the sensor identifier;
• IDg is the sensor group identifier (needed for geographical correlation);
• tp is the event occurrence time, which should be a sensor timestamp (when a global clock is available for synchronization) or the Event History machine clock.
Since the message transportation time is not instantaneous, the event occurrence time can differ from the registration time. Several research works have addressed the issue of clock synchronization in distributed systems. Here we assume that a proper solution (e.g. time shifting) has been adopted at a lower level.
A composite event is a combination of primitive events defined by means of proper operators. The EDL of DETECT is derived from the Snoop event algebra (Chakravarthy & Mishra 1994). Every composite event instance is a triple <IDec, parcont, te>, where:
• IDec is the composite event identifier;
• parcont is the parameter context, stating which occurrences of primitive events need to be considered during the composite event detection (as described below);
• te is the temporal value related to the occurrence of the composite event (corresponding to the tp of the last component event).
Formally, an event E (either primitive or composite) is a function from the time domain onto the boolean values True and False:

E: T → {True, False}, given by

E(t) = True, if E occurs at a time t
E(t) = False, otherwise

The basic assumption of considering a boolean function is quite general, since different events can be associated to a continuous sensor output according to a set of specified thresholds. Furthermore, negated conditions (!E) can be used when there is the need to check that an event is no longer occurring. This allows considering both instantaneous (“occurs” = “has occurred”) and continuous (“occurs” = “is occurring”) events. However, in order to simplify the EDL syntax, negated conditions on events can be substituted by complementary events. An event Ec is complementary to E when:

Ec ⇒ !E

Each event is denoted by an event expression, whose complexity grows with the number of involved events. Given the expressions E1, E2, ..., En, every application of any operator to them is still an expression. In the following, we briefly describe the semantics of these operators. For a formal specification of these semantics, the reader can refer to (Chakravarthy et al. 1994).
OR. Disjunction of two events E1 and E2, denoted (E1 OR E2). It occurs when at least one of its components occurs.
AND. Conjunction of two events E1 and E2, denoted (E1 AND E2). It occurs when both E1 and E2 occur (the temporal sequence is ignored).
ANY. A composite event, denoted ANY(m, E1, E2, ..., En), where m ≤ n. It occurs when m out of the n distinct events specified in the expression occur (the temporal sequence is ignored).
SEQ. Sequence of two events E1 and E2, denoted (E1 SEQ E2). It occurs when E2 occurs provided that E1 has already occurred. This means that the time of occurrence of E1 has to be less than the time of occurrence of E2.
The sequence operator is used to define composite events when the order of its component events is relevant. Another way to perform a time correlation on events is by exploiting temporal constraints. The logic correlation could lose meaningfulness when the time interval between component events exceeds a certain threshold. Temporal constraints can be defined on primitive events with the aim of defining a validity interval for the composite event. Such constraints can be added to any operator in the formal expression used for event description.
For instance, let us assume that in the composite event E = (E1 AND E2) the time interval between the occurrences of the primitive events E1 and E2 must be at most T. The formal expression is modified by adding the temporal constraint [T] as follows:

(E1 AND E2)[T] = True ⇔ ∃ t1 ≤ t | (E1(t) ∧ E2(t1) ∨ E1(t1) ∧ E2(t)) ∧ |t − t1| ≤ T

5 THE SOFTWARE IMPLEMENTATION

This section describes some implementation details of DETECT, referring to the current development state of the core modules of the framework, including the Detection Engine. The modules have been fully implemented using the Java programming language. JGraph has been employed for the graphical construction of the Event Trees used in the Scenario GUI. Algorithms have been developed for detecting composite events in all parameter contexts.
Attack scenarios are currently described by Event Trees, where leaves represent primitive events while
internal nodes (including the root) represent EDL language operators. Figure 2 shows an example Event Tree representing a composite event.
Figure 2. Event tree for composite event ((E1 OR E2) AND (E2 SEQ (E4 AND E6))).
After the user has sketched the Event Tree, the Scenario GUI module parses the graph and provides the EDL expression to be added to the EDL Repository. The parsing process starts from the leaf nodes representing the primitive events and ends at the root node. Starting from the content of the EDL Repository, the Model Generator module builds and instantiates as many Event Detector objects as there are composite events stored in the database. The detection algorithm implemented by such objects is based on Event Graphs, and the objects include the functionalities of both the Model Solver and the Detection Engine.
In the current prototype, after the insertion of attack scenarios, the user can start the detection process on the Event History using a stub front-end (simulating the Model Executor and the Output Manager modules). A primitive event is accessed from the database by a specific Model Feeder module, implemented by a single Event Dispatcher object which sends primitive event instances to all Event Detectors responsible for the detection process.
The Event Dispatcher requires considering only some event occurrences, depending on a specific policy defined by the parameter context. The policy is used to define which events represent the beginning (initiator) and the end (terminator) of the scenario. The parameter context states which component event occurrences play an active part in the detection process. Four contexts for event detection can be defined:
• Recent: only the most recent occurrence of the initiator is considered.
• Chronicle: the (initiator, terminator) pair is unique. The oldest initiator is paired with the oldest terminator.
• Continuous: each initiator starts the detection of the event.
• Cumulative: all occurrences of primitive events are accumulated until the composite event is detected.
The effect of EDL operators is then conditioned by the specific context, which is implemented in the Event Dispatcher. Theoretically, in the construction of the model a different node should be defined for each context. Whilst a context could be associated to each operator, currently a single context is associated to each detection model. Furthermore, a different node object for each context has been implemented.
In the current implementation, Event Graphs are used to detect the scenarios defined by Event Trees, which are only used as a descriptive formalism. In fact, scenarios represented by several Event Trees can be detected by a single Event Graph produced by the Model Generator. When an Event Detector receives a message indicating that an instance of a primitive event Ei has occurred, it stores the information in the node associated with Ei. The detection of composite events follows a bottom-up process that starts from primitive event instances and flows up to the root node. So the composite event is detected when the condition related to the root node operator is verified. The propagation of the events is determined by the user-specified context. After the detection of a composite event, an object of a special class (Event Detected) is instantiated with its relevant information (identifier, context, component event occurrences, initiator, terminator).

6 AN EXAMPLE SCENARIO

In this section we provide an application of DETECT to the case study of a subway station. We consider a composite event corresponding to a terrorist threat. The classification of attack scenarios is performed by security risk analysts in the vulnerability assessment process.
The attack scenario consists of an intrusion and drop of an explosive device in a subway tunnel. Let us suppose that the dynamic of the scenario follows the steps reported below:
1. The attacker stays on the platform for the time needed to prepare the attack, missing one or more trains.
2. The attacker goes down the tracks by crossing the limit of the platform and moves inside the tunnel portal.
3. The attacker drops the bag containing the explosive device inside the tunnel and leaves the station.
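The four parameter contexts above differ only in which pending initiator occurrences a terminator is paired with. The following Python function is an added example, not DETECT's Java code: it replays a constructed Event History for a two-event composite (initiator E1, terminator E2) and returns the detections each context produces. The event identifiers, the timestamps and the reading of each context definition as a pairing rule are assumptions made here.

```python
from collections import deque

# Added example (not DETECT code): how the four parameter contexts of Section 5
# pair initiator occurrences with a terminator for a two-event composite.
# Assumptions: an Event History is a list of (event_id, tp); the initiator is E1
# and the terminator is E2; a detection is reported as (initiator tps, terminator tp).

def detections_by_context(history, context, initiator="E1", terminator="E2"):
    """Replay `history` and return the detections the given context produces."""
    pending = deque()          # initiator occurrences still available
    detections = []
    for event, tp in history:
        if event == initiator:
            if context == "recent":
                pending.clear()  # only the most recent initiator is considered
            pending.append(tp)
        elif event == terminator and pending:
            if context == "recent":
                # The most recent initiator stays available for later
                # terminators until a newer initiator replaces it.
                detections.append(((pending[-1],), tp))
            elif context == "chronicle":
                # Oldest initiator with the oldest terminator; the pair is
                # unique, so the initiator is consumed.
                detections.append(((pending.popleft(),), tp))
            elif context == "continuous":
                # Each initiator started its own detection; this terminator
                # completes all of them.
                detections.extend(((init,), tp) for init in pending)
                pending.clear()
            elif context == "cumulative":
                # All accumulated occurrences form a single detection.
                detections.append((tuple(pending), tp))
                pending.clear()
            else:
                raise ValueError(f"unknown parameter context: {context!r}")
    return detections

# Constructed Event History: E1 at t=1 and t=2, E2 at t=3, E1 at t=4, E2 at t=5.
HISTORY = [("E1", 1), ("E1", 2), ("E2", 3), ("E1", 4), ("E2", 5)]

def compare_contexts(history=HISTORY):
    """Run the same history through all four contexts."""
    return {ctx: detections_by_context(history, ctx)
            for ctx in ("recent", "chronicle", "continuous", "cumulative")}

if __name__ == "__main__":
    for ctx, found in compare_contexts().items():
        print(f"{ctx:10s} {found}")
```

On this history Recent reports (2,3) and (4,5), Chronicle (1,3) and (2,5), Continuous (1,3), (2,3) and (4,5), and Cumulative ((1,2),3) and (4,5): the same primitive occurrences yield a different number of composite detections, which is why the paper stores the context inside every composite event instance.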
Obviously, it is possible to think of several variants of this scenario. For instance, only one between step 1 and step 2 could happen. Please note that step 1 (a person not taking the train) would be very difficult to detect by a human operator in a crowded station due to the people getting on and off the train.
Let us suppose that the station is equipped with a security system including intelligent cameras (S1), active infrared barriers (S2) and explosive sniffers (S3) for tunnel portal protection. The formal description of the attack scenario consists of a sequence of events which should be detected by the appropriate sensors and combined in order to form the composite event. The formal specification of the primitive events constituting the scenario is provided in the following:
a. extended presence on the platform (E1 by S1);
b. train passing (E2 by S1);
c. platform line crossing (E3 by S1);
d. tunnel intrusion (E4 by S2);
e. explosive detection (E5 by S3).
For the sake of brevity, further steps are omitted. The composite event drop of explosive in tunnel can be specified in EDL as follows:
(E1 AND E2) OR E3 SEQ (E4 AND E5)
Figure 3 provides a GUI screenshot showing the Event Tree for the composite event specified above. The user chooses the parameter context and builds the tree (including primitive events, operators and interconnection edges) through the user-friendly interface. If a node represents a primitive event, the user has to specify event (Ex) and sensor (Sx) identifiers. If a node is an operator, the user can optionally specify other parameters such as a temporal constraint, the partial alarm level and the m parameter (ANY operator). Also, the user can activate/deactivate the composite events stored in the repository carrying out the detection process.
A partial alarm can be associated to the scenario evolution after step 1 (left AND in the EDL expression), in order to warn the operator of a suspect abnormal behavior.
In order to activate the detection process, a simulated Event History has been created ad hoc. An on-line integration with a real working SMS will be performed in the near future for experimentation purposes.

7 CONCLUSIONS & FUTURE WORKS

In this paper we have introduced the working principles and the software architecture of DETECT, an expert system allowing for early warnings in security critical domains.
DETECT can be used as a module of a more complex hierarchical system, possibly involving several infrastructures. In fact, most critical infrastructures are organized in a multi-level fashion: local sites, grouped into regions and then monitored centrally by a national control room, where all the (aggregated) events coming from lower levels are routed. When the entire system is available, each site at each level can benefit from the knowledge of significant events happening in other sites. When some communication links are unavailable, it is still possible to activate countermeasures based on the local knowledge.
We are evaluating the possibility of using a single automatically trained multi-layered ANN to complement deterministic detection by: 1) classification of suspect scenarios, with a low FAR; 2) automatic detection of abnormal behaviors, by observing deviations from normality; 3) on-line update of knowledge triggered by the user when a new anomaly has been detected. The ANN model can be trained to understand normality by observing the normal use of the infrastructure, possibly for long periods of time. The Model Feeder for the ANN operates in a way which is similar to the Event Tree example provided above. An ANN-specific Model Updater allows for an on-line learning facility. Future developments will be aimed at a more cohesive integration between deterministic and heuristic detection, by making the models interact with each other.
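To make the Section 4 operators and the Section 6 expression concrete, here is an added Python evaluator; it is not DETECT's Java implementation. It represents a detection as the interval between its first and last component occurrence (so te is the interval's end), enumerates every combination of component occurrences without applying a parameter context, and reads the scenario expression as ((E1 AND E2) OR E3) SEQ (E4 AND E5) with the left AND as the partial alarm. The Event History, its timestamps and the WITHIN name for the [T] constraint are constructed here.

```python
from itertools import combinations, product

# Added example (not DETECT code): evaluator for the Snoop-derived EDL operators
# of Section 4. Assumptions: an Event History is a list of (event_id, tp)
# primitive occurrences; a detection is the interval (t_first, t_last) spanned
# by its component occurrences, so te = t_last; every combination of component
# occurrences is enumerated, i.e. no parameter context is applied.

def detect(expr, history):
    """Return the set of detections (t_first, t_last) of `expr` over `history`."""
    if isinstance(expr, str):                         # primitive event, e.g. "E1"
        return {(tp, tp) for event, tp in history if event == expr}
    op = expr[0]
    if op == "AND":                                   # both occur, order ignored
        return {(min(a[0], b[0]), max(a[1], b[1]))
                for a, b in product(detect(expr[1], history), detect(expr[2], history))}
    if op == "OR":                                    # either one occurs
        return detect(expr[1], history) | detect(expr[2], history)
    if op == "SEQ":                                   # E2 strictly after E1
        return {(a[0], b[1])
                for a, b in product(detect(expr[1], history), detect(expr[2], history))
                if a[1] < b[0]}
    if op == "ANY":                                   # ("ANY", m, E1, ..., En)
        m, subexprs = expr[1], expr[2:]
        found = set()
        for chosen in combinations(subexprs, m):      # m distinct events
            for combo in product(*(detect(s, history) for s in chosen)):
                found.add((min(c[0] for c in combo), max(c[1] for c in combo)))
        return found
    if op == "WITHIN":                                # temporal constraint E[T]
        return {d for d in detect(expr[1], history) if d[1] - d[0] <= expr[2]}
    raise ValueError(f"unknown operator: {op!r}")

def detection_times(expr, history):
    """Sorted te values (time of the last component event) of each detection."""
    return sorted({d[1] for d in detect(expr, history)})

# Section 6 scenario, read here as ((E1 AND E2) OR E3) SEQ (E4 AND E5);
# the left AND is the partial alarm mentioned in the text.
PARTIAL_ALARM = ("AND", "E1", "E2")
DROP_OF_EXPLOSIVE = ("SEQ", ("OR", PARTIAL_ALARM, "E3"), ("AND", "E4", "E5"))

# Constructed Event History (event id, tp in seconds): a train passes, extended
# presence is reported, another train passes, the platform line is crossed,
# the tunnel barrier trips and the sniffer fires.
HISTORY = [("E2", 5), ("E1", 30), ("E2", 35), ("E3", 50), ("E4", 60), ("E5", 65)]

if __name__ == "__main__":
    print("partial alarm te:", detection_times(PARTIAL_ALARM, HISTORY))
    print("drop of explosive te:", detection_times(DROP_OF_EXPLOSIVE, HISTORY))
    print("(E1 AND E2)[20] te:", detection_times(("WITHIN", PARTIAL_ALARM, 20), HISTORY))
```

Over this history the partial alarm fires at te = 30 and te = 35 (each train passing paired with the extended presence), the full composite fires once at te = 65, and removing the E5 occurrence makes the composite disappear, because SEQ requires the right-hand AND to complete after the left-hand branch. The constraint (E1 AND E2)[20] keeps only the pairing within 20 s, illustrating how [T] prunes correlations that are too far apart to be meaningful.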
REFERENCES
Cassandra, A.R., Baker, D. & Rashid, M. 1999. CEDMOS: Complex Event Detection and Monitoring System. MCC Technical Report CEDMOS-002-99, MCC, Austin, TX.
Chakravarthy, S. & Mishra, D. 1994. Snoop: An expressive event specification language for active databases. Data Knowl. Eng., Vol. 14, No. 1, pp. 1–26.
Chakravarthy, S., Krishnaprasad, V., Anwar, E. & Kim, S. 1994. Composite Events for Active Databases: Semantics, Contexts and Detection. In Proceedings of the 20th International Conference on Very Large Data Bases (September 12–15, 1994). Bocca, J.B., Jarke, M. & Zaniolo, C. Eds. Very Large Data Bases. Morgan Kaufmann Publishers, San Francisco, CA, pp. 606–617.
Dayal, U., Blaustein, B.T., Buchmann, A.P., Chakravarthy, S., Hsu, M., Ledin, R., McCarthy, D.R., Rosenthal, A., Sarin, S.K., Carey, M.J., Livny, M. & Jauhari, R. 1988. The HiPAC Project: Combining Active Databases and Timing Constraints. SIGMOD Record, Vol. 17, No. 1, pp. 51–70.
Garcia, M.L. 2001. The Design and Evaluation of Physical Protection Systems. Butterworth-Heinemann, USA.
Gatziu, S. & Dittrich, K.R. 1994. Detecting Composite Events in Active Databases Using Petri Nets. In Proceedings of the 4th International Workshop on Research Issues in Data Engineering: Active Database Systems, pp. 2–9.
Gatziu, S. & Dittrich, K.R. 2003. Events in an Object-Oriented Database System. In Proceedings of the 1st International.
Gehani, N.H., Jagadish, H.V. & Shmueli, O. 1992a. Event Specification in an Object-Oriented Database. In
Gehani, N.H., Jagadish, H.V. & Shmueli, O. 1992b. COMPOSE: A System For Composite Event Specification and Detection. Technical report, AT&T Bell Laboratories, Murray Hill, NJ.
Jain, A.K., Mao, J. & Mohiuddin, K.M. 1996. Artificial Neural Networks: A tutorial. In IEEE Computer, Vol. 29, No. 3, pp. 56–63.
Jones, A.K. & Sielken, R.S. 2000. Computer System Intrusion Detection: A Survey. Technical Report, Computer Science Dept., University of Virginia.
Krishnaprasad, V. 1994. Event Detection for Supporting Active Capability in an OODBMS: Semantics, Architecture and Implementation. Master's Thesis. University of Florida.
LENEL OnGuard 2008. http://www.lenel.com.
Lewis, F.L. 2004. Wireless Sensor Networks. In Smart Environments: Technologies, Protocols, and Applications, ed. D.J. Cook and S.K. Das. John Wiley, New York.
Lewis, T.G. 2006. Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation. John Wiley, New York.
Object Management Group UML, 2008. http://www.omg.org/uml.
OLE for Process Communication. http://www.opc.org.
Remagnino, P., Velastin, S.A., Foresti, G.L. & Trivedi, M. 2007. Novel concepts and challenges for the next generation of video surveillance systems. In Machine Vision and Applications (Springer), Vol. 18, Issue 3–4, pp. 135–137.
Roman, R., Alcaraz, C. & Lopez, J. 2007. The role of Wireless Sensor Networks in the area of Critical Information Infrastructure Protection. In Information Security Tech. Report, Vol. 12, Issue 1, pp. 24–31.
Tzafestas, S.G. 1999. Advances in Intelligent Autonomous Systems. Kluwer.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: This paper introduces an integrated framework and software platform that uses a three layer
approach to modeling complex systems. The multi-layer PRA approach implemented in IRIS (Integrated Risk
Information System) combines the power of Event Sequence Diagrams and Fault Trees for modeling risk
scenarios and system risks and hazards, with the flexibility of Bayesian Belief Networks for modeling non-
deterministic system components (e.g. human, organizational). The three types of models combined in the IRIS
integrated framework form a Hybrid Causal Logic (HCL) model that addresses deterministic and probabilistic
elements of systems and quantitatively integrates system dependencies. This paper will describe the HCL
algorithm and its implementation in IRIS by use of an example from aviation risk assessment (a risk scenario
model of aircraft taking off from the wrong runway).
The Dutch National Aerospace Laboratory (NLR) used the NLR air safety database and aviation experts to create a hierarchical set of 31 generic ESDs representing the possible accident scenarios from takeoff to landing (Roelen et al. 2002).
Another layer of the aviation safety model was created by Hi-Tec Systems. Hi-Tec created a comprehensive model for the quality of air carrier maintenance (Eghbali 2006) and the flight operations (Mandelapu 2006). NLR has also created FTs for specific accident scenarios (Roelen & Wever 2004a, b).
The NLR and Hi-Tec models were built and analyzed in IRIS. One set of models pertains to the use of the incorrect runway during takeoff. These models became especially pertinent after the August 2006 fatal Comair Flight 5191 crash in Lexington, Kentucky. The pilot of flight 5191 taxied onto the wrong runway during an early morning takeoff due to a combination of human and airport factors. The incorrect runway was shorter than the minimum distance required for the aircraft to take off. The aircraft was less than 300 ft from the end of the runway before the pilots realized the error and attempted to take off at below-optimal speed. The attempted takeoff resulted in a runway overrun and the death of 49 of the 50 people onboard.
The NTSB (2007) cited human actions by crew and air traffic control (ATC) contributing to the accident. The crew violated cockpit policy by engaging in non-pertinent conversation during taxiing and by completing an abbreviated taxi briefing. Signs indicating the runway number and cockpit displays indicating the direction of takeoff were not mentioned by either pilot during the takeoff. During takeoff the flight crew noted that there were no lights on the runway as expected, but did not double check their position as the copilot had observed numerous lights out on the correct runway the previous day. Pre-flight paperwork also indicated that the centerline lights on the proper runway were out. The flight crew did not use the available cues to reconsider takeoff.
At the time of the accident only one of two required air traffic controllers was on duty. According to post-accident statements, the controller on duty at the time of the accident was also responsible for monitoring radar and was not aware that the aircraft had stopped short of the desired runway before he issued takeoff clearance. After issuing takeoff clearance the controller turned around to perform administrative tasks during take-off and was not engaged in monitoring the progress of the flight. Fatigue likely contributed to the performance of the controller as he had only slept for 2 hours in the 24 hours before the accident.
Impaired decision making and inappropriate task prioritization by both crew members and ATC were major contributing factors to this accident. The reduced lighting on both the correct and incorrect runways at the airport contributed to the decision errors made by crew, and fatigue and workload contributed to decision errors made by ATC. The details from the flight 5191 and the group of models for use of the incorrect runway during takeoff will be used throughout this paper to show how the HCL methodology can be applied to a real example.

2 OVERVIEW OF HCL METHODOLOGY

2.1 Overview of the HCL modeling layers

The hybrid causal logic methodology extends conventional deterministic risk analysis techniques to include "soft" factors including the organizational and regulatory environment of the physical system. The HCL methodology employs a model-based approach to system analysis; this approach can be used as the foundation for addressing many of the issues that are commonly encountered in system safety assessment, hazard identification analysis, and risk analysis. The integrated framework is presented in Figure 1.
ESDs form the top layer of the three layer model, FTs form the second layer, and BBNs form the bottom layer. An ESD is used to model temporal sequences of events. ESDs are similar to event trees and flowcharts; an ESD models the possible paths to outcomes, each of which could result from the same initiating event. ESDs contain decision nodes where the paths diverge based on the state of a system element. As part of the hybrid causal analysis, the ESDs define the context or base scenarios for the hazards, sources of risk, and safety issues.
The ESD shown in Figure 2 models the probability of an aircraft taking off safely, stopping on the runway, or overrunning the runway. As can be seen in the model, the crew must reject the takeoff and the speed of the aircraft must be lower than the critical speed beyond which the aircraft cannot stop before the
[Figure 1 image not recoverable; labels visible in the residue: ESD nodes IE, PE-1, PE-2, PE-3 (Top layer: ESD), FT gates (Middle layer: FT), BBN nodes A, B, C, D, E (Bottom layer: BBN).]
Figure 1. Illustration of a three-layered IRIS model.
Figure 2. Case study top layer—ESD for an aircraft using the wrong runway (Roelen et al. 2002).
end of the runway. By the time the Flight 5191 crew realized the mistake, the plane was above critical speed and the runway overrun was inevitable.
The initiating event of the ESD, ATC event, is directly linked to the top gate of the FT in Figure 3. This FT provides three reasons an aircraft could be placed in this situation: loss of separation with traffic, takeoff from incorrect runway, or a bird strike.
FTs use logical relationships (AND, OR, NOT, etc.) to model the physical behaviors of the system. In an HCL model, the top event of a FT can be connected to any event in the ESD. This essentially decomposes the ESD event into a set of physical elements affecting the state of the event, with the node in the ESD taking its probability value from the FT.
BBNs have been added as the third layer of the model. A BBN is a directed acyclic graph, i.e. it cannot contain feedback loops. Directed arcs form paths of influence between variables (nodes). The addition of BBNs to the traditional PRA modeling techniques extends conventional risk analysis by capturing the diversity and complexity of hazards in modern systems. BBNs can be used to model non-deterministic causal factors such as human, environmental and organizational factors.
BBNs offer the capability to deal with sequential dependency and uncertain knowledge. BBNs can be connected to events in ESDs and FTs. The connections between the BBNs and logic models are formed by binary variables in the BBN; the probability of the linked BBN node is then assigned to the ESD or FT event.
The wrong runway event in the center of the FT is the root cause of the accident. Factors that contribute to this root cause are modeled in the BBNs in Figures 4 and 5. Figure 4 is part of the wrong runway BBN developed by NLR (Roelen and Wever 2007); the wrong runway FT event is linked to the output node
Figure 5. Case study bottom layer—BBN of flight operations (Mandelapu 2006).
of this BBN. The flight plan node in Figure 5 feeds into the wrong runway node in Figure 4. Figure 5 is fed by the Hi-Tec air carrier maintenance model (Eghbali 2006; not pictured) with the end node of the maintenance model feeding information into the fleet availability node at the top of the flight operations model.
Since many of the causal factors in BBNs may have widespread influence, BBN nodes may impact multiple events within ESDs and FTs. The details of the HCL quantification procedure can be found in the references (Groen & Mosleh 2008, Wang 2007).

2.2 Overview of HCL algorithm quantitative capabilities

An ESD event can be quantified directly by inputting a probability value for the event, or indirectly by linking it to a FT or a node in a BBN. Linked ESD events take on the probability value of the FT or node attached to them. This allows the analyst to set a variable probability for ESD events based on contributing factors from lower layers of the model. Likewise, FT basic events can be quantified directly or linked to any node in the BBN.
BBN nodes are quantified in conditional probability tables. The size of the conditional probability table for each node depends on the number of parent nodes leading into it. The conditional probability table requires the analyst to provide a probability value for each state of the child node based on every possible combination of the states of parent nodes. The default number of states for a BBN node is 2, although additional states can be added as long as the probability of all states sums to 1. Assuming the child and its n parent nodes all have 2 states, this requires 2^n probability values.
In order to quantify the hybrid model it is necessary to convert the three types of diagrams into a set of models that can communicate mathematically. This is accomplished by converting the ESDs and FTs into Reduced Ordered Binary Decision Diagrams (BDDs). The set of reduced ordered BDDs for a model are all unique and the order of variables along each path from root node to end node is identical. Details on the algorithms used to convert ESDs and FTs into BDDs have been described extensively (Bryant 1992, Brace et al. 1990, Rauzy 1993, Andrews & Dunnett 2000, Groen et al. 2005).
BBNs are not converted into BDDs; instead, a hybrid BDD/BBN is created. In this hybrid structure, the probability of one or more of the BDD variables is provided by a linked node in the BBN. Additional details about the BDD/BBN link can be found in Groen & Mosleh (2008).
Figure 6. Probability values and cut sets for the base wrong runway scenario.
of using the wrong runway is a continued takeoff with no consequences. The bottom half of the figure displays the cut-sets only for the scenarios that end with a runway overrun. As can be seen in the figure, the most likely series of events leading to an overrun is the combination of using the incorrect runway, attempting a rejected takeoff, and having speed in excess of the critical stopping speed (V1). This is the pattern displayed by flight 5191.

3 HCL-BASED RISK MANAGEMENT METRICS
importance measures to identify the elements that most contribute to a risk scenario and then target system changes to maximize the safety impact.
There are numerous ways to calculate importance measures for Boolean models. However, due to the dependencies in HCL models introduced by the inclusion of BBNs, the methods cannot be applied in their original form. Four conventional importance measures have been modified and implemented in HCL: Risk Achievement Worth (RAW), Risk Reduction Worth (RRW), Birnbaum, and Vesely-Fussel (VF).
The standard Vesely-Fussel importance measure (Eq. 1) calculates the probability that event e has occurred given that ESD end state S has occurred (Fussel 1975).

$$p(e \mid S) = \frac{p(e \cdot S)}{p(S)} \quad (1)$$

For hybrid models, event e is a given state of a model element, e.g. a FT event is failed or a BBN node is "degraded" instead of "fully functional" or "failed." By addressing a particular state, it is possible to extend importance measures to all layers of the hybrid model.
Importance measures must be calculated with respect to an ESD end state. To ensure independence in ESDs with multiple paths, it is necessary to treat the end state S as the sum of the Si mutually exclusive paths leading to it. The importance measure can then be calculated by using Equation 2.

$$p(e \mid S) = \frac{\sum_i p(e \cdot S_i)}{\sum_i p(S_i)} = \frac{\sum_i p(S_i \mid e)}{\sum_i p(S_i)} \quad (2)$$

For a set of scenarios belonging to two or more ESDs the probability can be calculated as a function of the results from each ESD or by use of the mean upper bound approximation. Additional details on HCL importance measure calculations can be found in Zhu (2008).
Figure 7 provides importance measure results for the runway overrun model. The importance measures in the figure are arranged by the Vesely-Fussel importance measure. The items in the components column are FT events and some selected BBN nodes. The BBN nodes selected reflect the factors that contributed to the runway overrun of Flight 5191. From the figure it is obvious that take-off from incorrect runway is the most important contributing factor to the runway overrun end state.
system risks and to track changes in risk over time. Risk significance is calculated with respect to selected ESD scenarios or end states. It can be calculated for any BBN node, FT gate or event, or ESD pivotal event.
The risk indicator is calculated by Equation 3, where R is the total risk and φ is the frequency of the event.

$$R = \Pr(S \mid f) \cdot \varphi \quad (3)$$

Pr(S|f) is the risk weight of a BBN node or FT event or gate (f) and S is the selected ESD end state or group of end states. If S consists of an end state category or multiple end states in the same ESD, Equation 3 is modified using the same logic explained for modifying Equation 1. For multiple end states in different ESDs the risk indicator value can be calculated using the upper bound approximation. The procedure for performing precursor analysis and hazard ranking follows directly from the risk indicator procedure.
Figure 8 displays individual risk indicators and total risk for several BBN nodes from the example model. Frequency values are to be provided by the analyst. In the example case, the frequency values were selected to show how IRIS could be used to monitor the risks before the accident; these are not values from data. The top graph in Figure 8 shows the changing risk values for each of the three selected indicators. The bottom graph shows the aggregated risk value over time. Based on the risk values obtained from the models and the hypothetical frequency data, it becomes apparent that the risk associated with airport adequacy increased sharply between May and July. The hypothetical risks associated with the adequacy of the airport could have been identified in July and steps
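The following Python block is an added example, not IRIS code, that puts Sections 2.2 and 3 together on a constructed three-layer model: a two-parent BBN node with a 2^n-entry CPT supplying the probability of a FT basic event, an OR gate supplying the ESD initiating event, and two pivotal events. Because the model is tiny it is quantified by enumerating all 2^7 state combinations rather than by the BDD conversion the paper uses; on top of that it computes the Vesely-Fussel measure of Eq. 1 and Eq. 2, the risk indicator of Eq. 3 and the set-evidence update of Section 3.3. Every node name, probability and frequency below is constructed.

```python
from itertools import product

# Added example (not IRIS code): a constructed three-layer HCL model, quantified
# by enumerating every state combination instead of the BDD conversion the
# paper uses, plus Vesely-Fussel importance (Eq. 1, Eq. 2), the risk indicator
# (Eq. 3) and a set-evidence update (Section 3.3). All names, probabilities
# and frequencies are constructed.

# Bottom layer (BBN): binary root nodes, state 1 = the degraded state.
PRIOR = {"human_unsafe": 0.1, "airport_inadequate": 0.2}
# CPT of the child node "wrong_runway": one value per combination of the
# states of its n = 2 parents, i.e. 2**n = 4 values.
CPT_WRONG_RUNWAY = {(0, 0): 0.01, (0, 1): 0.05, (1, 0): 0.10, (1, 1): 0.50}
# Middle layer (FT): basic events quantified directly; the third basic event,
# "wrong_runway", takes its probability from the BBN node above.
FT_BASIC = {"separation_loss": 0.01, "bird_strike": 0.02}
# Top layer (ESD): pivotal events quantified directly.
ESD_PIVOTAL = {"rejected_takeoff": 0.5, "speed_below_v1": 0.8}

VARIABLES = list(PRIOR) + ["wrong_runway"] + list(FT_BASIC) + list(ESD_PIVOTAL)
ALL_END_STATES = {"no_event", "continued_takeoff", "stop_on_runway", "runway_overrun"}

def end_state(w):
    """ESD logic. The initiating event is the FT top gate
    OR(wrong_runway, separation_loss, bird_strike)."""
    if not (w["wrong_runway"] or w["separation_loss"] or w["bird_strike"]):
        return "no_event"
    if not w["rejected_takeoff"]:
        return "continued_takeoff"
    return "stop_on_runway" if w["speed_below_v1"] else "runway_overrun"

def worlds():
    """Yield (assignment, joint probability) for all 2**7 state combinations."""
    for states in product((0, 1), repeat=len(VARIABLES)):
        w = dict(zip(VARIABLES, states))
        p = 1.0
        for node, q in PRIOR.items():
            p *= q if w[node] else 1 - q
        q = CPT_WRONG_RUNWAY[(w["human_unsafe"], w["airport_inadequate"])]
        p *= q if w["wrong_runway"] else 1 - q
        for node, q in {**FT_BASIC, **ESD_PIVOTAL}.items():
            p *= q if w[node] else 1 - q
        yield w, p

def prob(end_states, evidence=None):
    """Joint probability that the ESD ends in one of `end_states` (mutually
    exclusive paths, so they simply add up) and every node in `evidence`
    (a dict node -> state) is in the stated state."""
    evidence = evidence or {}
    return sum(p for w, p in worlds()
               if end_state(w) in end_states
               and all(w[node] == state for node, state in evidence.items()))

def vesely_fussel(node, state, end_states):
    """Eq. 1 / Eq. 2: p(e|S) = sum_i p(e . S_i) / sum_i p(S_i), where e is the
    element `node` being in `state`."""
    return prob(end_states, {node: state}) / prob(end_states)

def set_evidence(end_states, evidence):
    """Section 3.3: p(S | evidence) after fixing the observed BBN node states."""
    return prob(end_states, evidence) / prob(ALL_END_STATES, evidence)

def node_probability(node, state, evidence=None):
    """Marginal (or evidence-updated) probability of one node state."""
    evidence = evidence or {}
    return prob(ALL_END_STATES, {**evidence, node: state}) / prob(ALL_END_STATES, evidence)

def risk_indicator(node, state, end_states, frequency):
    """Eq. 3: R = Pr(S|f) . phi, with f the element in its degraded state and
    phi the analyst-provided frequency of that state."""
    return set_evidence(end_states, {node: state}) * frequency

if __name__ == "__main__":
    overrun = {"runway_overrun"}
    print("p(overrun) base case:", prob(overrun))
    for node in ["wrong_runway", "separation_loss", "bird_strike", "human_unsafe"]:
        print(f"VF importance of {node}:", vesely_fussel(node, 1, overrun))
    scenario = {"human_unsafe": 1, "airport_inadequate": 1}   # constructed evidence
    print("p(overrun | scenario evidence):", set_evidence(overrun, scenario))
    print("p(wrong_runway | scenario evidence):", node_probability("wrong_runway", 1, scenario))
    print("risk indicator, human_unsafe, phi = 12/month:", risk_indicator("human_unsafe", 1, overrun, 12))
```

Two things the numbers make visible: with these constructed values the wrong-runway basic event dominates the overrun end state (VF about 0.54 versus about 0.32 for the bird strike), and setting evidence on the two BBN roots raises the wrong-runway probability from 0.0342 to 0.5 and the overrun probability by roughly a factor of eight, the same kind of jump the paper reports when the flight 5191 conditions are entered. Enumeration is exact but exponential in the number of variables, which is why IRIS uses BDDs instead.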
could have been taken to reduce these risks before the serious consequences occurred.

3.3 Risk impact

Analysts can use IRIS to visualize the change in system risk based on observed or postulated conditions. This can be achieved by using the set evidence function to make assumptions about the state of one or more BBN nodes. Once assumptions are made the model is updated to reflect the new information, providing new probability values for all nodes subsequently affected by the changes.
When the BBN is linked to an ESD or FT, the ESD and FT models will also display new probability values. The set evidence function allows users to see the impact of soft factors on risk scenarios. The result is a more tangible link between the actions of humans/organizations and specific system outcomes. Setting evidence will provide users with a better understanding of how low-level problems propagate through the system and combine to form risk scenarios. Figure 9 displays updated scenario results for the flight 5191 overrun. In this scenario, evidence was set for three nodes in the BBN (Fig. 5). Human actions was set to the state unsafe because of errors made by the flight 5191 flight crew. Airport adequacy was set to the state inadequate because of the lack of proper lighting on both runways. The takeoff plan was deemed substandard.
By comparing the results of the base case, Figure 6, to the case updated with scenario evidence, Figure 9, it is possible to quantify the change in risk accompanying certain behaviors. The updated probability of a runway overrun based on human actions, airport conditions, and the takeoff plan is an order of magnitude greater than the probability of the base scenario. Again, the series of events leading to the flight 5191 crash is the most probable sequence leading to an overrun in the model.
It is evident from Figure 10 that the three BBN nodes strongly impact the probability of taking off from the incorrect runway. This probability increases by almost a factor of 2 when the model is updated with the scenario evidence.

4 CONCLUSION

This paper provides an overview of the hybrid causal logic (HCL) methodology for Probabilistic Risk
Figure 9. Updated scenario results for the runway overrun with information about flight 5191 specified.
Figure 10. Fault tree results showing the probability of taking off from the wrong runway for the base case (top) and the case reflecting flight 5191 factors (bottom).
Assessment and the IRIS software package developed to use the HCL methodology for comprehensive risk analyses of complex systems. The HCL methodology and the associated computational engine were designed to be portable and thus there is no specific HCL GUI. The computational engine can read models from files and can be accessed through use of an API.
The flexible nature of the HCL framework allows a wide range of GUIs to be developed for many industries. The IRIS package is designed to be used by PRA experts and systems analysts. Additional GUIs can be added to allow users outside of the PRA community to use IRIS without in-depth knowledge of the modeling concepts and all of the analysis tool.
Two FAA-specific GUIs were designed with two different target users in mind. Target users provided information about what information they needed from IRIS and how they would like to see it presented. The GUIs were linked to specific IRIS analysis tools, but enabled the results to be presented in a more qualitative (e.g. high/medium/low) way.
The GUIs were designed to allow target users to operate the software immediately. Users are also able to view underlying models and see full quantitative results if desired.
The HCL framework was applied to the flight 5191 runway overrun event from 2006, and the event was analyzed based on information obtained about the conditions contributing to the accident.
The three layer HCL framework allows different modeling techniques to be used for different aspects of a system. The hybrid framework goes beyond typical PRA methods to permit the inclusion of soft causal factors introduced by human and organizational aspects of a system. The hybrid models and IRIS software package provide a framework for unifying multiple

REFERENCES

Andrews, J.D. & Dunnett, S.J. 2000. Event Tree Analysis using Binary Decision Diagrams. IEEE Transactions on Reliability 49(2): 230–239.
Brace, K., Rudell, R. & Bryant, R. 1990. Efficient Implementation of a BDD Package. The 27th ACM/IEEE Design Automation Conference, IEEE 0738.
Bryant, R. 1992. Symbolic Boolean Manipulation with Ordered Binary Decision Diagrams. ACM Computing Surveys 24(3): 293–318.
Eghbali, G.H. 2006. Causal Model for Air Carrier Maintenance. Report Prepared for Federal Aviation Administration. Atlantic City, NJ: Hi-Tec Systems.
Fussell, J.B. 1975. How to Hand Calculate System Reliability and Safety Characteristics. IEEE Transactions on Reliability R-24(3): 169–174.
Groen, F. & Mosleh, A. 2008 (In Press). The Quantification of Hybrid Causal Models. Submitted to Reliability Engineering and System Safety.
Groen, F., Smidts, C. & Mosleh, A. 2006. QRAS—the quantitative risk assessment system. Reliability Engineering and System Safety 91(3): 292–304.
Groth, K. 2007. Integrated Risk Information System Volume 1: User Guide. College Park, MD: University of Maryland.
Groth, K., Zhu, D. & Mosleh, A. 2008. Hybrid Methodology and Software Platform for Probabilistic Risk Assessment. The 54th Annual Reliability and Maintainability Symposium, Las Vegas, NV.
Mandelapu, S. 2006. Causal Model for Air Carrier Maintenance. Report Prepared for Federal Aviation Administration. Atlantic City, NJ: Hi-Tec Systems.
Mosleh, A. et al. 2004. An Integrated Framework for Identification, Classification and Assessment of Aviation Systems Hazards. The 9th International Probabilistic Safety Assessment and Management Conference. Berlin, Germany.
Mosleh, A., Wang, C. & Groen, F. 2007. Integrated Methodology For Identification, Classification and Assessment of Aviation Systems Hazards and Risks Volume 1: Framework and Computational Algorithms. College Park, MD:
aspects of complex socio-technological systems to per- University of Maryland.
form system safety analysis, hazard analysis and risk National Transportation Safety Board (NTSB) 2007. Aircraft
analysis. Accident Report NTSB/AAR-07/05.
The methodology can be used to identify the most Rauzy, A. 1993. New Algorithms for Fault Trees Analysis.
Reliability Engineering and System Safety 40: 203–211.
important system elements that contribute to spe- Roelen, A.L.C. & Wever, R. 2004a. A Causal Model
cific outcomes and provides decision makers with a of Engine Failure, NLR-CR-2004-038. Amsterdam:
quantitative basis for allocating resources and making National Aerospace Laboratory NLR.
changes to any part of a system. Roelen, A.L.C. &. Wever, R. 2004b. A Causal Model of
A Rejected Take-Off. NLR-CR-2004-039. Amsterdam:
National Aerospace Laboratory NLR.
ACKNOWLEDGEMENT Roelen, A.L.C et al. 2002. Causal Modeling of Air Safety.
Amsterdam: National Aerospace Laboratory NLR.
The work described in this paper was supported by Wang, C. 2007. Hybrid Causal Methodology for Risk Assess-
ment. PhD dissertation. College Park, MD: University of
the US Federal Aviation Administration. The authors Maryland.
are indebted to John Lapointe and Jennelle Derrick- Zhu, D. et al. 2008. A PRA Software Platform for Hybrid
son (FAA—William J. Hughes Technical Center) for Causal Logic Risk Models. The 9th International Proba-
overall monitoring and coordination. The opinions bilistic Safety Assessment and Management Conference.
expressed in this paper are those of the authors and Hong Kong, China.
do not reflect any official position by the FAA.
120
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: This paper surveys the current status of the work done by the Spanish Nuclear Safety Council (CSN) to establish an Integrated Safety Analysis (ISA) methodology, supported by a simulation framework called SCAIS, to independently check the validity and consistency of many of the assumptions used by the licensees in their safety assessments. This diagnostic method is based on advanced dynamic reliability techniques on top of classical Probabilistic Safety Analysis (PSA) and deterministic tools, and allows many aspects of the safety assessments to be checked at once, making effective use of regulatory resources. Apart from the theoretical approach that is at the basis of the method, application of ISA requires a set of computational tools. Development of ISA started with the development of a suitable software package, called SCAIS, which makes intensive use of code coupling techniques to join typical thermal-hydraulic (TH) analysis, severe accident and probability calculation codes. The final goal is to dynamically generate the event tree that stems from an initiating event, improving on the conventional static PSA approach.
1 NEED OF RISK-BASED DIAGNOSTIC TOOLS
Most often, in defending their safety cases within the licensing process, industry safety analysts have to rely on computational tools, including simulation of transients and accidents and probabilistic safety assessments. Such an assessment capability, even if reduced to its analytical aspects, is a huge effort requiring considerable resources.
The increasing trend towards Risk Informed Regulation (RIR) and the recent interest in methods that are independent of the diversity of existing nuclear technologies motivate an even greater demand for computerized safety case analysis. It has been further fostered by:
• new nuclear power plant designs;
• the large time span and evolution of the old generic safety analyses, which require confirmation of their present applicability; and
• the need to extend the life of the existing plants, with the associated challenge of a potential reduction in their safety margins.
Important examples are, for instance, the analyses justifying the PSA success criteria and the operating technical specifications, which are often based on potentially outdated base calculations made in older times, in a different context and with another spectrum of applications in mind.
This complex situation generates a parallel need in regulatory bodies that makes it mandatory to increase their technical expertise and capabilities in this area. Technical Support Organizations (TSOs) have become an essential element of the regulatory process (examples are GRS, IRSN, PSI and Studsvik, the TSOs supporting the regulatory bodies of Germany, France, Switzerland and Sweden, respectively), providing a substantial portion of its technical and scientific basis via computerized safety analysis supported by available knowledge and analytical methods/tools.
TSO tasks cannot have the same scope as their industry counterparts, nor is it reasonable to expect
the same level of resources. Instead, in providing their technical expertise, they shall:
• review and approve methods and results of licensees, and
• perform their own analyses/calculations to verify the quality, consistency and conclusions of day-to-day industry assessments.
The latter is a difficult, different and very special regulatory task, requiring specific TSO diagnostic tools to independently check the validity and consistency of the many assumptions used and conclusions obtained by the licensees in their safety assessments.
The approach and the tools shall include a sound combination of deterministic and probabilistic single checks, which are however pieces of an ISA methodology, that together constitute a comprehensive sample verifying all relevant decision-making risk factors and ensuring that the decision ingredients are properly and consistently weighted.
2 ISSUES OF PARTICULAR RELEVANCE
In recent years efforts have been devoted to the clarification of the relative roles of the deterministic and probabilistic types of analysis with a view towards their harmonization, in order to benefit from their strengths and to get rid of identified shortcomings, normally related to interface aspects, like the interaction between the evolution of process variables and its influence on probabilities. Different organizations, (Hofer 2002) and (Izquierdo 2003a), have undertaken initiatives in different contexts with claims such as the need for ''an integration of probabilistic safety analysis in the safety assessment, up to the approach of a risk-informed decision making process'' as well as for ''proposals of verification methods for application that are in compliance with the state of the art in science and technology''.
These initiatives should progressively evolve into a sound and efficient interpretation of the regulations that may be confirmed via computerized analysis. It is not so much a question of new regulations from the risk assessment viewpoint, but of ensuring compliance with the existing ones in the new context by verifying the consistency of individual plant assessment results through a comprehensive set of checks. Its development can then be considered a key and novel topic for research within nuclear regulatory agencies/TSOs.
More precisely, issues that require an integrated approach arise when considering:
• the process by which the insights from these complementary safety analyses are combined, and
• their relationships when addressing high-level requirements such as defense in depth and safety margins.
Analysis of PSA success criteria and operating technical specifications and of their mutual consistency are important chapters of the optimization of the protection system design, encompassing, for instance, problems like:
• Ensuring that the protection system is able to cope with all accident scenarios and not only with a predetermined set. This umbrella character is hard to prove, particularly within an atmosphere of reduced safety margins (SMAP Task Group 2007). It requires careful regulatory attention to the historic evolution of the deterministic assessments, and it is a source of potential conflicts when risk techniques are combined.
• Ensuring the adequacy of success criteria, which become critical and sensitive (Siu & Hilsmeier 2006). Many studies demonstrating the umbrella condition are old and perhaps unsuitable under these more restrictive circumstances. Extension of the automatic protection design to operator actions is one such source of potential inconsistencies, with complex aspects like the available times for operator action. Emergency procedure verification is also worth mentioning, because procedures imply longer accident time scales than the automatic design and important uncertainties in the timing of interventions, both potentially altering the umbrella conditions of the deterministic design.
• Another important extension of the scope of the analysis is the need to consider degraded core situations to ensure acceptable residual risks (IAEA 2007). Again, consistency issues appear that require regulatory checks.
These consistency checks call for an appropriate extension of the probabilistic safety metrics currently used. Different exceedance frequency limits for different barrier safety limit indicators have been extensively discussed and may be used as a sound risk-domain interpretation of the existing regulations. For instance, frequency limits for partial core damage or for a few fuel failures may correctly interpret the present deterministic rules for safety margins in a way consistent with a probabilistic approach.
3 DEVELOPMENTS FOR AN INTEGRATED PSA FOR INDEPENDENT VERIFICATION OF SAFETY CASES
The CSN branch of Modelling and Simulation (MOSI) has developed its own ISA methodology for the above purposes. This diagnostic method has been
designed as a regulatory tool, able to compute the frequency of PSA sequences and the exceedance frequency of specified levels of damage, in order to check in an independent way the results and assumptions of the industry PSAs, including their RIR extensions/applications. This approach harmonizes the probabilistic and deterministic safety assessment aspects via a consistent and unified computer framework.
Apart from the theoretical approach that is at the basis of the method, application of ISA requires a set of computational tools. A suitable software package called SCAIS (Figure 1) couples, at each time step (Izquierdo 2003a):
• simulation of nuclear accident sequences, resulting from exploring potential equipment degradations following an initiating event (i.e. simulation of thermal hydraulics, severe accident phenomenology and fission product transport);
• simulation of operating procedures and severe accident management guidelines;
• automatic delineation (with no a-priori assumptions) of event and phenomena trees;
• probabilistic quantification of fault trees and sequences; and
• integration and statistical treatment of risk metrics.
Since the final goal is to generate dynamically the event tree that stems from an initiating event, improving on the conventional static PSA approach, this simulation technique is called tree simulation. The activation of branching conditions is referred to as stimuli activation. The Stimulus Driven Theory of Probabilistic Dynamics (SDTPD), (Hofer 2002) and (Izquierdo 2003a), is the underlying mathematical risk theory (basic concepts, principles and theoretical framework) by which it is inspired and on which it is supported. The massive use of coupled codes has led to the definition and development of a Standard Software Platform that allows a given code to be incorporated quickly into the overall system and to overcome difficulties derived from particular models and computational methods.
3.1 Software package description
A consolidation and modernization program (Izquierdo 2003b) is currently being executed to enhance the capabilities and functionality of the software package, which would also facilitate easier maintenance and extensibility.
The current SCAIS development includes as main elements the Event Scheduler, the Probability Calculator, the Simulation Driver (BABIECA) and the Plant Models (Figure 2):
1. Event scheduler (DENDROS), which drives the dynamic simulation of the different incidental sequences. Its design guarantees modularity of the overall system and the parallelization of the event tree generation (Muñoz 1999).
It is designed as a separate process that controls the branch opening and coordinates the different processes that play a role in the generation of the Dynamic Event Tree (DET). The idea is to use the full capabilities of a distributed computational environment, allowing the maximum number of processors to be active. To this end, it manages the communications among the different processes that intervene in the event tree development, namely the distributed plant simulator, the probability calculator and an output processor. The scheduler arranges for the opening of a branch whenever certain conditions are met, and stops the simulation of any particular branch that has reached an absorbing state. The scheduler must know the probability of each branch in order to decide which branch is suitable for further development. Each new branch is started in a separate process, spawning a new transient simulator process and initializing it to the transient conditions that were in effect when the branching occurred.
This saves a substantial amount of computation time, since common parts of the sequences are not recomputed. The applications of a tree-structured computation extend beyond the scope of the DETs. In fact, the branch opening and cutoff can obey any set of criteria, not necessarily given by a probability calculation, as, for instance, sensitivity studies or automatic initialization for Accident Management Strategy analysis. Task distribution among the different processors is managed by the Parallel Virtual Machine (PVM) interface.
2. Probability calculator module, which incrementally performs the boolean product of the fault trees corresponding to each system that intervenes in the sequence, additionally computing its probability. The fault trees used for the probability calculations are those of the PSA studies. This imposes a strong computational demand, which is optimized by preprocessing the header fault trees as much as possible. The current approach is trying to use fast on-line probability computation based on the representation of fault trees in the Binary Decision Diagram (BDD) formalism, fed from the industry models.
3. BABIECA, the consolidated simulation driver, solves step by step topologies of block diagrams. A standardized linkage method has also been defined and implemented to incorporate other single-application oriented codes as block modules, using parallel techniques. The BABIECA driver also allows the simulation codes to be changed at any time to fit the model to the instantaneous conditions, depending on the needs of the given simulation. Two coupling approaches, namely by boundary and by initial conditions, have been implemented (Herrero 2003):
• Initial Conditions Coupling. This type of coupling is used when a certain code is reaching its validity and applicability limits, and new models and codes are necessary for further analysis. The typical example of this type of coupling is the transition from conventional thermal-hydraulic (TH) codes to severe accident codes. BABIECA accomplishes this by allowing parts of the model (modules) to remain active or inactive depending on a specific variable (called simulation mode).
• Boundary Conditions Coupling. Some of the output variables obtained at the time advancement in one of the codes are sent to the computation of the model boundary conditions in the other code. This type of coupling is used to build a wide-scope code starting from several codes with a more limited scope.
The synchronization points are external to the solution advancement; this allows the connection scheme to be applied to any set of codes regardless of the particular codes. This feature increases the power of calculation since large codes can be split and executed in different machines. It also allows BABIECA to be coupled with itself, enabling easier modeling and simulation management of large model topologies.
4. Plant Models. Sequences obtained in ISA very often involve a wide range of phenomena, not covered by a single simulation code. On the other hand, Emergency Operating Procedures (EOPs) are a very complex set of prescriptions, essential to the sequence development and branching and hard to represent in detailed codes. A plant model suitable for ISA purposes therefore does not comprise a single input deck for just one code, but several inputs for several codes, each one being responsible for the simulation of certain phenomena. The coupling entails different although interrelated interfaces (see Figure 2).
Codes such as MELCOR, MAAP, RELAP and TRACE can be adapted to perform tree simulations under control of the scheduler. At present the Modular Accident Analysis Program (MAAP4) is coupled to BABIECA to build up a distributed plant simulation. MAAP4 performs the calculation of the plant model when the transient reaches severe accident conditions, being then initialized with the appropriate transient conditions. Some parts of the simulation (especially the operator actions, but also control systems) may still be performed by the original code and the appropriate signals transferred as boundary conditions.
Consolidated versions of both the BABIECA simulation driver and the DENDROS scheduler have been designed with an object-oriented architecture and implemented in the C++ language. They have been developed using open-source standards (Linux, XercesC, libpq++). The code system has been equipped with a Structured Query Language (SQL) relational database (PostgreSQL), used as repository for model input and output. The input file has also been modernized using XML standards, since it is easy to read and understand, tags can be created as they are needed, and it facilitates treating the document as an object, using object-oriented paradigms.
3.2 Features of SCAIS coupled codes and future extensions
In order to connect BABIECA with external codes, a wrapper communication code based on PVM has been developed. BABIECA solves a step by step coupled blocks topology. The solution follows a Standard Computational Scheme with well-defined synchronization points that allows an easy code coupling with other
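The branch opening, probability bookkeeping and cutoff that the scheduler performs, as an added example that is not part of the paper and not the DENDROS or SCAIS code: a toy tree simulation in Python. The lumped pressure model, the setpoints, the two stimuli (safety injection demand and an operator depressurisation request), the failure probabilities and the three absorbing end states are all constructed for illustration. Each child branch starts from the conditions in effect at the branching time and carries the product of the branch probabilities along its path; children below the cutoff are not developed further, and their probability mass is tallied so that the analyst can see what the truncation discarded.

```python
"""Toy dynamic event tree (DET) built by tree simulation. The plant model is advanced
step by step; when a process variable crosses a setpoint (a stimulus is activated) the
scheduler opens one branch per outcome of the demanded system, each child inheriting the
transient conditions at the branching time and the product of the branch probabilities
along its path. Children below a probability cutoff are pruned (their mass is tallied
separately) and branches that reach an absorbing state stop. Every plant parameter and
probability below is constructed for illustration; none comes from the paper."""
import math
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

DT = 10.0               # time step [s]
T_END = 4000.0          # mission time [s]; no recovery by then is an absorbing end state
TAU = 600.0             # relaxation time of the lumped pressure model [s] (constructed)
P0 = 155.0              # initial primary pressure [bar] (constructed)
P_PLATEAU = 25.0        # pressure the break alone stabilises at [bar] (constructed)
P_LPSI_HEAD = 15.0      # low-pressure injection only delivers below this [bar] (constructed)
P_SI_SETPOINT = 120.0   # stimulus: safety injection demanded below this [bar] (constructed)
T_OPERATOR = 1500.0     # stimulus: operator asked to depressurise at this time [s] (constructed)
Q_HPSI_FAIL = 1e-2      # failure-on-demand probability of high-pressure injection (constructed)
Q_OP_FAIL = 5e-2        # probability that the operator fails to depressurise (constructed)


@dataclass(frozen=True)
class Branch:
    t: float
    p: float                    # primary pressure [bar]
    target: float               # pressure the lumped model relaxes toward [bar]
    prob: float                 # product of the branch probabilities along the path
    fired: FrozenSet[str]       # stimuli already activated on this path
    history: Tuple[str, ...]    # labels of the branching outcomes taken


# Outcomes of each stimulus: (label, probability, state changes applied to the child).
OUTCOMES: Dict[str, List[Tuple[str, float, dict]]] = {
    "si_demand": [("hpsi_ok", 1.0 - Q_HPSI_FAIL, {}), ("hpsi_fail", Q_HPSI_FAIL, {})],
    "operator": [("op_ok", 1.0 - Q_OP_FAIL, {"target": 5.0}), ("op_fail", Q_OP_FAIL, {})],
}


def step_plant(b: Branch) -> Branch:
    """Advance the lumped plant model one time step (first-order relaxation to target)."""
    p_new = b.target + (b.p - b.target) * math.exp(-DT / TAU)
    return replace(b, t=b.t + DT, p=p_new)


def absorbing_state(b: Branch) -> Optional[str]:
    """End state of the branch, or None if it must be simulated further."""
    if "hpsi_ok" in b.history:
        return "stable_hpsi"    # high-pressure injection recovered the plant
    if b.p < P_LPSI_HEAD:
        return "stable_lpsi"    # below LPSI head: low-pressure injection takes over
    if b.t >= T_END:
        return "core_damage"    # mission time exhausted without recovery
    return None


def pending_stimulus(b: Branch) -> Optional[str]:
    """First stimulus whose activation condition holds and which has not fired on this path."""
    if b.p <= P_SI_SETPOINT and "si_demand" not in b.fired:
        return "si_demand"
    if b.t >= T_OPERATOR and "operator" not in b.fired:
        return "operator"
    return None


def generate_det(cutoff: float = 1e-4) -> Tuple[List[dict], float]:
    """Unfold the tree from the initiating event. Returns (leaves, pruned_mass); each leaf
    records its path, end state, the time it was reached and its probability."""
    root = Branch(t=0.0, p=P0, target=P_PLATEAU, prob=1.0, fired=frozenset(), history=())
    stack, leaves, pruned = [root], [], 0.0
    while stack:
        b = stack.pop()
        end = absorbing_state(b)
        if end is not None:
            leaves.append({"path": b.history, "end_state": end, "t": b.t, "prob": b.prob})
            continue
        stim = pending_stimulus(b)
        if stim is None:
            stack.append(step_plant(b))   # nothing to branch on: just advance the simulation
            continue
        for label, pr, changes in OUTCOMES[stim]:
            # each child starts from the conditions in effect when the branching occurred
            child = replace(b, prob=b.prob * pr, fired=b.fired | {stim},
                            history=b.history + (label,), **changes)
            if child.prob < cutoff:
                pruned += child.prob      # below cutoff: not developed any further
            else:
                stack.append(child)
    return leaves, pruned


def end_state_frequencies(leaves: List[dict]) -> Dict[str, float]:
    """Probability of each end state, conditional on the initiating event."""
    freq: Dict[str, float] = {}
    for leaf in leaves:
        freq[leaf["end_state"]] = freq.get(leaf["end_state"], 0.0) + leaf["prob"]
    return freq


if __name__ == "__main__":
    leaves, pruned = generate_det()
    for leaf in sorted(leaves, key=lambda l: -l["prob"]):
        print("/".join(leaf["path"]), leaf["end_state"], f"t={leaf['t']:.0f}s", f"P={leaf['prob']:.2e}")
    print("pruned probability mass:", pruned)
```

With the constructed numbers the tree has three leaves (injection succeeds; injection fails but the operator depressurises; both fail), and raising the cutoff from 1e-4 to 1e-3 silently drops the core-damage branch, which is exactly why the pruned mass is reported rather than discarded. A real scheduler would spawn each child as a separate simulator process and hand the branch probabilities to a fault-tree calculator; here both are replaced by constants and a stack.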
codes following the Standard. Two blocks are in charge of BABIECA communication with coupled codes:
• SndCode, which supplies the boundary conditions; and
• RcvCode, which receives messages of every spawned code in each time step.
For any desired code to be coupled, a specific wrapper, consistent with the Standard Computational Scheme, must be developed and implemented. It needs the message passing points defined by BABIECA in each synchronization point, allowing the communication between both codes. Three wrappers have been developed and are being tested at present:
• BABIECA-Wrapper allows BABIECA to be connected with itself, and is used to split big topologies into smaller ones in order to save computation time by parallelizing the processes.
• Probability-Wrapper allows BABIECA and DENDROS connections with the probability calculator module.
• MAAP4-Wrapper allows BABIECA-MAAP4 connections. This wrapper, implemented in FORTRAN77 like MAAP4, gives us the advantage of analyzing MAAP4 sequences with the data processing tools developed for BABIECA. The interface module has the following functions:
1. To initialize the MAAP4 simulation using input data values provided by the BABIECA model.
2. To initialize MAAP4 from a restart image data.
3. To accomplish the exchange of dynamic variables between MAAP4 and other codes.
4. To drive the MAAP4 time-advancement calculation.
5. To save results and restart image data in the BABIECA database.
Recent extensions under development are oriented to:
• Develop the Paths and Risk assessment modules of the SCAIS system. They implement a dynamic reliability method based on the Theory of Stimulated Dynamics (TSD), which is a variant of the more general SDTPD in its path and sequence version, (Izquierdo 2006) and (Queral 2006).
• Development and application of advanced probabilistic quantification techniques based on Binary Decision Diagrams (BDDs) that would remove some traditional drawbacks (e.g. truncation and the rare event approximation) of the currently used quantification approaches.
• New modeling algorithms to simulate standard PSA, correcting for dynamic effects.
• New wrapper module allowing BABIECA-TRACE connections.
• New developments in sequence dynamics. A generalization of the transfer function concepts for sequences of events, with potential for PSA application as generalized dynamic release factors, is under investigation.
• New developments about classical PSA aspects. They include rigorous definitions for concepts like available time for operator actions or plant damage states.
4 TEST CASE: MBLOCA SEQUENCES
A full-scale test application of this integrated software package to a Medium Break Loss of Coolant Accident (MBLOCA) initiating event of a Spanish PWR plant is currently under development.
The specific objective of this analysis is to demonstrate the methodology and to check the tool, focusing on an independent verification of the event tree delineation and the assessment of realistic EOPs for LOCA plant recovery. SCAIS provides a huge amount of results for the analyst when unfolding the Dynamic Event Tree (DET), even though the methodology reduces the number of sequences to a manageable one. The following sections outline some conclusions of the assessment, including sequence evolution and operator actions analysis.
4.1 Sequence analysis: MBLOCA sequence with accumulators failure
In a first step MBLOCA sequences are simulated with the MAAP code. Results show that for breaks up to 6 inches no action to achieve the primary depressurization is necessary, and LPSI starts automatically at about 3000 seconds. However, for 2 inch breaks and smaller, the primary system is stabilized at a higher pressure than the low pressure safety injection pump head, the operator action being necessary to achieve low-pressure controlled conditions (Figure 3).
The main actions of the set of operator actions, corresponding to EOP E-1 (loss of reactor or secondary coolant) and EOP ES-1.2 (cooling and decrease of pressure after a LOCA), are the following:
1. Check the need of reactor coolant pump trip (E-1, step 1).
2. Check the steam generator (SG) levels (E-1, step 3).
3. Check pressure decrease and cooling in the Reactor Coolant System (RCS) (E-1, step 11). If RCS pressure is higher than 15 kg/cm2 a transition to EOP ES-1.2 is required.
4. Check SG levels (ES-1.2, step 5).
5. Start the RCS cooling until cold shutdown conditions (ES-1.2, step 6).
6. Check if the sub-cooling margin is greater than 0 °C.
Figure 3. MAAP4 simulation. Comparison with/without operator actions. Primary System Pressure (MBLOCA 2 inch).
Figure 5. Simplified topology scheme of the BABIECA-MAAP simulation.
consistency of probabilistic and deterministic aspects. In our opinion this need could be framed within an international cooperative effort among national TSOs.
We have also shown that SCAIS is a powerful tool that carries out the CSN Integrated Safety Analysis. Its versatility and extensibility make it an appropriate set of tools that may be used either together or separately to perform different regulatory checks.
ACKNOWLEDGMENTS
NOMENCLATURE
Hofer, E. (2002). Dynamic Event Trees for Probabilistic Safety Analysis. EUROSAFE Forum, Berlin.
IAEA (2007, September). Proposal for a Technology-Neutral Safety Approach for New Reactor Designs. Technical Report TECDOC 1570, International Atomic Energy Agency, http://wwwpub.iaea.org/mtcd/publications/pdf/te_1570 web.pdf.
Izquierdo, J.M. & Cañamón, I. (2006). Status report on dynamic reliability: SDTPD path and sequence TSD developments. Application to the WP5.3 benchmark Level 2 PSA exercise. DSR/SAGR/FT 2004.074, SARNET PSA2 D73 [rev1].
Izquierdo, J. (2003a). An integrated PSA Approach to Independent Regulatory Evaluations of Nuclear Safety Assessments of Spanish Nuclear Power Stations. EUROSAFE Forum, Paris.
Izquierdo, J. (2003b). Consolidation plan for the Integrated Sequence Assessment (ISA) CSN Code system SCAIS. CSN internal report.
Muñoz, R. (1999). DENDROS: A second generation scheduler for dynamic event trees. M & C 99 Conference, Madrid.
Queral, C. (2006). Incorporation of stimulus-driven theory of probabilistic dynamics into ISA (STIM). Joint project of UPM, CSN and ULB funded by the Spanish Ministry of Education & Science (ENE2006 12931/CON), Madrid.
Siu, N. & Hilsmeier, T. (2006). Planning for future probabilistic risk assessment research and development. In G.S. Zio (Ed.), Safety and Reliability for Managing Risk, ISBN 0-415-41620-5. Taylor & Francis Group, London.
SMAP Task Group (2007). Safety Margins Action Plan. Final Report. Technical Report NEA/CSNI/R(2007)9, Nuclear Energy Agency, Committee on the Safety of Nuclear Installations, http://www.nea.fr/html/nsd/docs/2007/csnir2007-9.pdf.
Using GIS and multivariate analyses to visualize risk levels and spatial
patterns of severe accidents in the energy sector
P. Burgherr
Paul Scherrer Institut (PSI), Laboratory for Energy Systems Analysis, Villigen PSI, Switzerland
ABSTRACT: Accident risks of different energy chains are analyzed by comparative risk assessment, based on
the comprehensive database ENSAD established by the Paul Scherrer Institut. Geographic Information Systems
(GIS) and multivariate statistical analyses are then used to investigate the spatial variability of selected risk
indicators, to visualize the impacts of severe accidents, and to assign them to specific geographical areas.
This paper demonstrates by selected case studies how geo-referenced accident data can be coupled with other
socio-economic, ecological and geophysical contextual parameters, leading to interesting new insights. Such an
approach can facilitate the interpretation of results and complex interrelationships, enabling policy makers to
gain a quick overview of the essential scientific findings by means of summarized information.
The aim of this paper is to present and discuss results of comparative risk assessment by means of so-called disaster maps. The selected case studies address different spatial scales and resolution as well as different analytical techniques to calculate aggregated risk indicators, based on summary statistics, multivariate statistical analyses to produce a single index, and spatial interpolation techniques.
In the literature there is no unique definition of a severe accident. Differences concern the actual damage types considered (e.g. fatalities, injured persons, evacuees or economic costs), use of loose categories such as ''people affected'', and differences in damage thresholds to distinguish severe from smaller accidents. Within the framework of PSI's database ENSAD an accident is considered to be severe if it is characterized by one or more of the following consequences (Burgherr et al. 2004; Hirschberg et al. 1998):
– 5 or more fatalities
– 10 or more injuries
– 200 or more evacuations
– a far-reaching ban on the consumption of food
– a release of at least 10000 tonnes of hydrocarbons
– the cleanup of a land or water surface of 25 km2 or more
– economic damages of at least 5 million USD (year 2000 exchange rates).
This section describes the methodological details of the four selected examples that are presented in this publication. In the remainder of this paper they are referred to as case studies 1–4.
Case Study 1: The total fatalities per country of severe accidents (≥5 fatalities) in fossil energy chains (coal, oil, natural gas and Liquefied Petroleum Gas (LPG)) are plotted on a world map. Additionally, the top ten countries in terms of number of accidents, and the ten most deadly accidents are also indicated.
Case Study 2: Geo-referenced data for all fatal oil chain accidents stored in ENSAD are mapped for the European Union (EU 27), candidate countries, and
the European Free Trade Association (EFTA). A multivariate risk score was then calculated for individual countries to analyze their differences in susceptibility to accident risks. The proposed risk score consists of four indicators:
– total number of accidents (accident proneness)
– total number of fatalities (accident gravity)
– maximum consequences (most deadly accident)
– fatality rate (expectation value expressed per GWe yr (Gigawatt-electric-year) using a generic load factor of 0.35)
Each variable was scaled between 0 and 1 using the equation x_ij = (z_ij − min)/(max − min), where z_ij is the value of the jth variable for the ith country, and min and max are the minimum and maximum values of the jth variable. The resulting matrix was then analyzed by means of Principal Components Analysis (PCA) (Ferguson 1998; Jolliffe 2002). Non-centred PCA was used because the first component (PC1) of such an analysis is always unipolar (Noy-Meir 1973), and can thus be used as a multivariate risk score (a lower value indicates a lower accident risk).
Case Study 3: Tanker oil spills in the European Atlantic, the Mediterranean Sea (including the entrance to the Suez Canal) and the Black Sea were analyzed because these maritime areas pertain to the geographical region addressed in Case Study 2. Additionally, large parts of the Northeast Atlantic (including the North Sea and the Baltic Sea), the Canary current and the Mediterranean Sea belong to the so-called Large Marine Ecosystems (LME) that are considered ecologically sensitive areas (Hempel & Sherman 2003). Distribution patterns of oil spills (≥700 tonnes) were analyzed using the kriging technique, which is a geo-statistical method for spatial interpolation (Krige 1951; Matheron 1963). In a preliminary step, locations were assigned to a Marsden Square Chart, which divides the world into grids of 10 degrees latitude by 10 degrees longitude, because in some cases only approximate coordinates were available. Afterwards, the number of spills per Marsden Square was calculated, and coordinates set to the center of each grid cell. Ordinary point kriging was then applied to compute a prediction surface for the number of spills to be expected in a particular region, i.e. to evaluate regional differences in susceptibility to accidental tanker spills. For methodological details on the applied kriging procedure see Burgherr (2007) and Burgherr & Hirschberg (2008).
Case Study 4: Severe (≥5 fatalities) accidents in the Chinese coal chain were analyzed at the province level (ADMIN1). Fatality rates were calculated for large state-owned and local mines, and for small township and village mines, respectively. The influence of mechanization levels in mining as well as the number of major state-owned mines in different provinces was investigated.

3 RESULTS AND DISCUSSION

The ENSAD database currently contains 21549 accident records, of which 90.2% occurred in the years 1970–2005. Within this period, 7621 accidents resulted in at least five fatalities, of which 31.1% were man-made, energy-related accidents. Table 1 summarizes the number of accidents and fatalities that occurred in fossil energy chains of different country groups. Results are separated for countries of the Organisation for Economic Co-operation and Development (OECD), European Union (EU 27), and states that are not OECD members (non-OECD), due to the large differences in technological development, institutional and regulatory frameworks, and general safety culture of OECD and EU 27 versus non-OECD. Calculations were complemented by separate values for the Chinese coal chain that has a significantly worse performance than all other non-OECD countries (Burgherr & Hirschberg 2007).

3.1 Main findings and insights of case studies

Case Study 1: Figure 1 shows the worldwide distribution of total fatalities per country of severe (≥5 fatalities) accidents in the period 1970–2005. The top ten countries in terms of total numbers of accidents are also indicated in Figure 1, as well as the ten most deadly accidents.
China was the most accident prone country with 25930 fatalities, of which almost 95% occurred in 1363 accidents attributable to the coal chain. However, only 15 of these resulted in 100 or more fatalities.

Table 1. Numbers of accidents (Acc) and fatalities (Fat) of severe (≥5 fatalities) accidents in fossil energy chains are given for OECD, EU 27, and non-OECD countries (1970–2005). For the coal chain, non-OECD w/o China (first line) and China alone (second line) are given separately.

                       Coal     Oil   Natural Gas    LPG    Total
OECD          Acc        81     174       103         59      417
              Fat      2123    3388      1204       1875     8590
EU 27         Acc        41      64        33         20      158
              Fat       942    1236       337        559     3074
Non-OECD      Acc       144     308        61         61      574
  (China)              1363
              Fat      5360   17990      1366       2610    27326
  (China)             24456
World total   Acc      1588     482       164        120     2354
              Fat     31939   21378      2570       4485    60372
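The risk score of Case Study 2 (min-max scaling of the four indicators, then non-centred PCA with PC1 taken as the score), worked through as an added example that is not part of the original paper. The country labels and indicator values are constructed for illustration rather than taken from ENSAD, and the power-iteration PCA is a plain re-implementation of the described procedure, not the authors' code.

```python
import math

# Constructed illustration data (NOT ENSAD values): one row per hypothetical
# country, columns = the four indicators of the proposed risk score:
# total accidents, total fatalities, maximum consequences, fatality rate per GWe yr.
INDICATORS = ("accidents", "fatalities", "max_consequences", "fatality_rate")
COUNTRIES = {
    "A": [12, 210, 80, 0.9],
    "B": [3, 25, 12, 0.4],
    "C": [30, 900, 350, 2.1],
    "D": [8, 60, 20, 1.2],
    "E": [1, 5, 5, 0.1],
}


def minmax_scale(rows):
    """x_ij = (z_ij - min_j) / (max_j - min_j) for every indicator j.
    A constant column would divide by zero; it carries no information, so it maps to 0."""
    p = len(next(iter(rows.values())))
    lo = [min(r[j] for r in rows.values()) for j in range(p)]
    hi = [max(r[j] for r in rows.values()) for j in range(p)]
    return {
        name: [0.0 if hi[j] == lo[j] else (r[j] - lo[j]) / (hi[j] - lo[j]) for j in range(p)]
        for name, r in rows.items()
    }


def first_principal_axis(rows, iterations=1000):
    """Loadings of PC1 of a NON-centred PCA: the dominant eigenvector of X^T X
    (no column means subtracted), found by power iteration.  For non-negative
    data this axis is unipolar (all loadings of one sign), which is what makes
    the PC1 score usable as a one-dimensional risk ranking."""
    X = list(rows.values())
    p = len(X[0])
    gram = [[sum(x[i] * x[j] for x in X) for j in range(p)] for i in range(p)]
    v = [1.0 / math.sqrt(p)] * p
    for _ in range(iterations):
        w = [sum(gram[i][j] * v[j] for j in range(p)) for i in range(p)]
        norm = math.sqrt(sum(c * c for c in w))
        v = [c / norm for c in w]
    if sum(v) < 0:  # an eigenvector is defined up to sign; make the loadings positive
        v = [-c for c in v]
    return v


def risk_scores(rows):
    """PC1 score per country: a lower value indicates a lower accident risk."""
    scaled = minmax_scale(rows)
    axis = first_principal_axis(scaled)
    return {name: sum(a * x for a, x in zip(axis, vec)) for name, vec in scaled.items()}


if __name__ == "__main__":
    for name, score in sorted(risk_scores(COUNTRIES).items(), key=lambda kv: kv[1]):
        print(f"{name}: {score:.3f}")
```

Because no mean is subtracted, the Gram matrix of non-negative data has a non-negative dominant eigenvector (Perron-Frobenius), which is why PC1 is unipolar and the score orders countries from lower to higher accident risk; a country at the minimum of every indicator scores exactly 0, and one at the maximum of every indicator scores the sum of the loadings.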
Figure 1. Individual countries are shaded according to their total numbers of severe accident fatalities in fossil energy
chains for the period 1970–2005. Pie charts designate the ten countries with most accidents, whereas bars indicate the ten
most deadly accidents. Country boundaries: © ESRI Data & Maps (ESRI 2006a).
Figure 2. Locations of all fatal oil chain accidents and country-specific risk scores of EU 27, accession candidate and
EFTA countries for the period 1970–2005. Country boundaries: © EuroGeographics for the administrative boundaries
(Eurostat 2005).
In contrast, the cumulated fatalities of the non-OECD countries Philippines, Afghanistan, Nigeria, Russia, Egypt and India were strongly influenced by a few very large accidents that contributed a substantial share of the total (see Figure 1 for examples). Among the ten countries with most fatalities, only three belonged to the OECD, of which the USA and Turkey have been founding members since 1961, whereas Mexico gained membership more than three decades later, in 1994. The LPG chain contributed almost 50% of total fatalities in Mexico because of one very large accident in 1984 that resulted in 498 fatalities. In Turkey the coal chain had the highest share with 531 fatalities, or about 55%, of which 272 fatalities are due to a single accident, i.e. a methane explosion in a coal mine in north-western Turkey in 1992. Finally, the USA exhibited a distinctly different pattern compared to the other countries, with no extremely large accidents (only three out of 148 with more than 50 fatalities), and over 75% of accidents and 70% of fatalities taking place in the oil and gas chains.
Case Study 2: The map of Figure 2 shows the locations of all fatal oil chain accidents contained in ENSAD for EU 27, accession candidate and EFTA countries in the period 1970–2005. The calculated risk score is a measure of the heterogeneous accident
Figure 3. Individual geo-referenced oil spills for the period 1970–2005 are represented by different-sized circles correspond-
ing to the number of tonnes released. Regional differences in susceptibility to accidents were analyzed by ordinary kriging,
resulting in a prediction map of filled contours. The boundaries of the Large Marine Ecosystems (LME) are also shown.
Country boundaries: © EuroGeographics for the administrative boundaries (Eurostat 2005).
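The Marsden-square binning and ordinary point kriging of Case Study 3, the procedure that produced the prediction map of Figure 3, as an added example that is not part of the paper. The spill records below are constructed, distances are taken as plane Euclidean distances in degrees, and the spherical model parameters (sill 1, range 20 degrees, no nugget) are assumed rather than fitted; the paper's own semivariogram was fitted to ENSAD data and cross-validated, which this example does not do.

```python
import math

# Constructed tanker spill records (NOT the ENSAD / Case Study 3 data):
# (latitude, longitude, tonnes spilled).  Positions are approximate on purpose,
# which is why the method snaps them to a 10 x 10 degree Marsden square first.
SPILLS = [
    (49.5, -1.2, 2000), (49.2, -2.8, 900), (49.9, -0.5, 5000),   # square centred (45, -5)
    (56.1, 3.2, 1200), (57.0, 1.5, 800),                        # square centred (55, 5)
    (43.0, -11.5, 60000),                                       # square centred (45, -15)
    (34.5, 26.0, 3000), (33.8, 28.5, 1500),                     # square centred (35, 25)
    (35.9, 22.7, 650), (51.0, 1.5, 300),                        # below the 700 t threshold
]
THRESHOLD_T = 700


def marsden_centre(lat, lon):
    """Centre of the 10-degree x 10-degree Marsden square containing (lat, lon).
    Squares are identified here by their centre rather than by the official
    Marsden square number (a simplification of the chart)."""
    return (math.floor(lat / 10) * 10 + 5.0, math.floor(lon / 10) * 10 + 5.0)


def spills_per_square(records, threshold=THRESHOLD_T):
    """Count spills >= threshold per Marsden square; keys are square centres."""
    counts = {}
    for lat, lon, tonnes in records:
        if tonnes >= threshold:
            cell = marsden_centre(lat, lon)
            counts[cell] = counts.get(cell, 0) + 1
    return counts


def spherical_variogram(sill, range_, nugget=0.0):
    """Spherical semivariogram model gamma(h); gamma(0) = 0 by definition."""
    def gamma(h):
        if h == 0:
            return 0.0
        if h >= range_:
            return nugget + sill
        r = h / range_
        return nugget + sill * (1.5 * r - 0.5 * r ** 3)
    return gamma


def distance(p, q):
    """Plane Euclidean distance in degrees (assumption: adequate at this scale)."""
    return math.hypot(p[0] - q[0], p[1] - q[1])


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting; A is n x n, b has length n."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        if abs(M[c][c]) < 1e-12:
            raise ValueError("singular kriging system (duplicate sample locations?)")
        for r in range(n):
            if r != c and M[r][c] != 0.0:
                f = M[r][c] / M[c][c]
                for k in range(c, n + 1):
                    M[r][k] -= f * M[c][k]
    return [M[i][n] / M[i][i] for i in range(n)]


def ordinary_kriging(samples, target, gamma):
    """Ordinary point kriging.  samples: {(lat, lon): value}.  Solves
        sum_j gamma(x_i, x_j) w_j + mu = gamma(x_i, x0)   for every sample i
        sum_j w_j = 1
    and returns (prediction, weights).  With a zero nugget the predictor
    reproduces the sample values exactly at the sample locations."""
    pts = list(samples)
    n = len(pts)
    A = [[gamma(distance(pts[i], pts[j])) for j in range(n)] + [1.0] for i in range(n)]
    A.append([1.0] * n + [0.0])
    b = [gamma(distance(p, target)) for p in pts] + [1.0]
    w = solve(A, b)[:n]
    return sum(wi * samples[p] for wi, p in zip(w, pts)), w


def prediction_surface(samples, gamma, lat_range, lon_range, step=10.0):
    """Prediction map: expected number of spills at each node of a regular grid."""
    surface = {}
    lat = lat_range[0]
    while lat <= lat_range[1]:
        lon = lon_range[0]
        while lon <= lon_range[1]:
            surface[(lat, lon)] = ordinary_kriging(samples, (lat, lon), gamma)[0]
            lon += step
        lat += step
    return surface


if __name__ == "__main__":
    counts = spills_per_square(SPILLS)
    gamma = spherical_variogram(sill=1.0, range_=20.0)  # assumed, not fitted
    for node, z in sorted(prediction_surface(counts, gamma, (35, 55), (-15, 25)).items()):
        print(node, round(z, 2))
```

Two properties worth checking on any kriging implementation: the weights sum to one (the Lagrange row enforces the unbiasedness constraint), and a target farther than the range from every sample receives the same weights whatever its position, because the right-hand side of the system is then constant.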
Figure 4. For individual provinces in China, average fatalities per Mt produced coal are given for severe (≥5 fatalities)
accidents in large and small mines for the period 1994–1999. Provinces were assigned to three distinct levels of mechanization
as indicated by their shading. Locations of major state-owned coal mines are also indicated on the map. Administrative
boundaries and coal mine locations: © U.S. Geological Survey (USGS 2004).
risk patterns among countries. Four countries had risk scores greater than 0.40, namely the United Kingdom, Italy, Norway and Turkey. This is largely due to the substantially higher values for total fatalities and maximum consequences, and to a lesser extent also for total accidents, compared to the respective average values for all countries. In contrast, fatality rates (i.e. fatalities per GWe yr) of these four countries were clearly below the overall average. These findings support the notion that besides fatality rates other performance measures should be evaluated, particularly in the context of multi-criteria decision analysis (MCDA), because preference profiles may differ among stakeholders (e.g. Hirschberg et al. 2004b).
Case Study 3: Geographic locations were available for 128 out of a total of 133 tanker accidents in the years 1970–2005 that occurred in the European Atlantic, the Mediterranean Sea and the Black Sea, and each resulted in a spill of at least 700 t. The severity of the spills is divided into different spill size classes, based on the amount of oil spilled. Figure 3 also provides results of ordinary kriging that are based on a spherical model for the fitted semivariogram (SV) function. Cross-validation indicated that the model and the subsequently generated prediction map provided a reasonably accurate prediction (details on the methodology are given in Burgherr and Hirschberg (2008) and Matheron (1963)). The prediction map based on spatial interpolation by ordinary kriging provides useful information for the identification and assessment of regional differences in susceptibility to oil spills from tankers. Such an interpolated surface layer is also superior to a simple point representation because it enables estimates for areas with few or no sample points. The map clearly identifies several maritime regions that are particularly prone to accidental oil spills, namely the English Channel, the North Sea, the coast of Galicia, and the Eastern Mediterranean Sea. Finally, those spills were identified that occurred in ecologically sensitive areas because they are located within the boundaries of the Large Marine Ecosystems (LME) of the world. In
total, 82.8% of all mapped spills were located within LME boundaries. However, tankers can generally not avoid passing LMEs, because shipping routes are internationally regulated and because LMEs also include large fractions of the coastal areas that ships have to pass when approaching their port of destination. Therefore, recent efforts to reduce this share have focused on technical measures, for example improved navigation and the replacement of single hull tankers by modern double hull designs. The substantial decrease in total spill volume (also in these ecologically sensitive areas) since the 1990s reflects the achieved improvements of this ongoing process (Burgherr 2007).
Case Study 4: The Chinese coal chain is a worrisome case with more than 6000 fatalities every year, a fatality rate about ten times higher than in other non-OECD countries, and even about 40 times higher than in OECD countries (Burgherr & Hirschberg 2007). Average values of fatalities per million tonnes (Mt) of coal output for the years 1994–1999 showed a distinct variation among provinces (Figure 4). The figure also demonstrates how fatality rates are influenced by the level of mechanization in mining. When the results of individual provinces were assigned to three groups according to differences in mechanization levels, average fatality rates were inversely related to mechanization, indicating that higher mechanization levels in mining do contribute to overall mine safety. Furthermore, average fatality rates for large state-owned and local mines were significantly lower than for small township and village mines with very low safety standards. Finally, major state-owned mines exhibit predominantly high and medium levels of mechanization.

4 CONCLUSIONS

The coupling of ENSAD with a GIS-based approach has proven to be useful in determining spatial distribution patterns of accident risks for selected energy chains and country groups at global and regional scales. Multivariate statistical methods (PCA) and spatial interpolation techniques (kriging) have been successfully used to extract additional value from accident data and to produce illustrative maps of risk scores and contour plots. The potential benefits of such an approach are threefold: First, it allows the identification of spatial patterns including accident hotspots and extreme events. Second, powerful, flexible and understandable visualizations facilitate the interpretation of complex risk assessment results. Third, the results summarized by means of GIS provide a simple and comprehensive set of instruments to support policy makers in the decision and planning process.

ACKNOWLEDGEMENTS

The author thanks Drs. Stefan Hirschberg and Warren Schenler for their valuable comments on an earlier version of this manuscript. This study was partially performed within the Integrated Project NEEDS (New Energy Externalities Development for Sustainability, Contract No. 502687) of the 6th Framework Programme of the European Community.

REFERENCES

Anemüller, S., Monreal, S. & Bals, C. 2006. Global Climate Risk Index 2006. Weather-related loss events and their impacts on countries in 2004 and in a long-term comparison. Bonn/Berlin, Germany: Germanwatch e.V.
Bastianoni, S., Pulselli, F.M., Focardi, S., Tiezzi, E.B.P. & Gramatica, P. 2008. Correlations and complementarities in data and methods through Principal Components Analysis (PCA) applied to the results of the SPIn-Eco Project. Journal of Environmental Management 86: 419–426.
Berz, G. 2005. Windstorm and storm surges in Europe: loss trends and possible counter-actions from the viewpoint of an international reinsurer. Philosophical Transactions of the Royal Society A—Mathematical Physical and Engineering Sciences 363(1831): 1431–1440.
Burgherr, P. 2007. In-depth analysis of accidental oil spills from tankers in the context of global spill trends from all sources. Journal of Hazardous Materials 140: 245–256.
Burgherr, P. & Hirschberg, S. 2007. Assessment of severe accident risks in the Chinese coal chain. International Journal of Risk Assessment and Management 7(8): 1157–1175.
Burgherr, P. & Hirschberg, S. 2008. Severe accident risks in fossil energy chains: a comparative analysis. Energy 33(4): 538–553.
Burgherr, P. & Hirschberg, S. in press. A comparative analysis of accident risks in fossil, hydro and nuclear energy chains. Human and Ecological Risk Assessment.
Burgherr, P., Hirschberg, S., Hunt, A. & Ortiz, R.A. 2004. Severe accidents in the energy sector. Final Report to the European Commission of the EU 5th Framework Programme ''New Elements for the Assessment of External Costs from Energy Technologies'' (NewExt). Brussels, Belgium: DG Research, Technological Development and Demonstration (RTD).
Carlon, C., Critto, A., Marcomini, A. & Nathanail, P. 2001. Risk based characterisation of contaminated industrial site using multivariate and geostatistical tools. Environmental Pollution 111: 417–427.
Critto, A., Carlon, C. & Marcomini, A. 2005. Screening ecological risk assessment for the benthic community in the Venice Lagoon (Italy). Environment International 31: 1094–1100.
Dilley, M., Chen, R.S., Deichmann, U., Lerner-Lam, A.L., Arnold, M., Agwe, J., Buys, P., Kjekstad, O., Lyon, B. & Yetman, G. 2005. Natural disaster hotspots. A global risk analysis. Disaster Risk Management Series No. 5. Washington D.C., USA: The World Bank, Hazard Management Unit.
ESRI 2006a. ArcGIS 9: ESRI Data & Maps. Redlands (CA), USA: Environmental Systems Research Institute Inc. (ESRI).
ESRI 2006b. ArcGIS 9: using ArcGIS Desktop. Redlands (CA), USA: Environmental Systems Research Institute Inc. (ESRI).
Eurostat 2005. Guidelines for geographic data intended for the GISCO Reference Database. Witney, UK: Lovell Johns Ltd.
Ferguson, C.C. 1998. Techniques for handling uncertainty and variability in risk assessment models. Berlin, Germany: Umweltbundesamt.
Hempel, G. & Sherman, K. (Eds.) 2003. Large Marine Ecosystems of the world: trends in exploitation, protection, and research. Amsterdam: Elsevier B.V.
Hirschberg, S., Burgherr, P., Spiekerman, G. & Dones, R. 2004a. Severe accidents in the energy sector: comparative perspective. Journal of Hazardous Materials 111(1–3): 57–65.
Hirschberg, S., Dones, R., Heck, T., Burgherr, P., Schenler, W. & Bauer, C. 2004b. Sustainability of electricity supply technologies under German conditions: a comparative evaluation. PSI Report No. 04-15. Villigen PSI, Switzerland: Paul Scherrer Institut.
Hirschberg, S., Spiekerman, G. & Dones, R. 1998. Severe accidents in the energy sector—first edition. PSI Report No. 98-16. Villigen PSI, Switzerland: Paul Scherrer Institut.
IFRC (International Federation of the Red Cross and Red Crescent Societies) 2007. World Disasters Report 2007. Bloomfield, USA: Kumarian Press Inc.
Jolliffe, I.T. 2002. Principal Component Analysis. Springer Series in Statistics, 2nd ed. New York, USA: Springer.
Krige, D.G. 1951. A statistical approach to some basic mine valuation problems on the Witwatersrand. Journal of the Chemical, Metallurgical and Mining Society of South Africa 52: 119–139.
Matheron, G. 1963. Traité de Géostatistique Appliquée. Tome II: Le krigeage. Paris, France: Ed. Bureau de Recherches Géologiques et Minières.
Munich Re 2003. NatCatSERVICE—A guide to the Munich Re database for natural catastrophes. Munich, Germany: Munich Re.
Noy-Meir, I. 1973. Data transformations in ecological ordination. Some advantages of non-centering. Journal of Ecology 61: 329–341.
Swiss Re 2003. Natural catastrophes and reinsurance. Zurich, Switzerland: Swiss Reinsurance Company.
UNDP Bureau for Crisis Prevention and Recovery 2004. Reducing disaster risk. A challenge for development. New York: UNDP, Bureau for Crisis Prevention and Recovery.
USGS 2004. Open-File Report 01-318: Coal geology, land use, and human health in the People's Republic of China (http://pubs.usgs.gov/of/2001/ofr-01-318/). Reston (VA), USA: U.S. Geological Survey.
Yoffe, S., Wolf, A.T. & Giordano, M. 2003. Conflict and cooperation over international freshwater resources: Indicators of basins at risk. Journal of the American Water Resources Association 39(5): 1109–1126.
Zhou, F., Huaicheng, G. & Hao, Z. 2007. Spatial distribution of heavy metals in Hong Kong's marine sediments and their human impacts: a GIS-based chemometric approach. Marine Pollution Bulletin 54: 1372–1384.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: At industrial facilities where the legislation on major accident hazards is enforced, near misses, failures and deviations, even those without consequences, should be recorded and analyzed for an early identification of factors that could precede accidents. In order to provide duty-holders with tools for capturing and managing these weak signals coming from operations, a software prototype, named NOCE, has been developed. A ''client-server'' architecture has been adopted, in order to have a palmtop computer connected to an ''experience'' database at the central server. The operators record on the palmtop any non-conformance, in order to build a ''plant operational experience'' database. Non-conformances are matched against the safety system in order to find breaches in it and eventually remove them. A digital representation of the plant and its safety systems is developed step by step by exploiting the data and documents already required by the legislation for the control of major accident hazards, so no extra work is required of the duty holder. The plant safety digital representation is used for analysing non-conformances. The safety documents, including the safety management system, safety procedures, safety report and inspection program, may be reviewed according to the ''plant operational experience''.
equipment deterioration and potential consequences of the failure should be considered.

2 WEAK SIGNALS FOR POTENTIAL ACCIDENTS

Many operators assume that non-conformances have to be recorded only in cases of loss of hazardous materials, production stops or damaged equipment; on the contrary, every little anomaly, defect, deviation or minor failure should be taken into account, as even a trivial event could be the very first precursor of, or a contributing cause to, an accident. Personnel should be encouraged not to discriminate between significant and trivial events, as any event is potentially useful for finding latent conditions which might lead to an accident a long time later. That could also motivate personnel to take responsibility and stewardship.
The inspiration for this research comes from the widespread use of personal wireless telecommunication equipment, such as palmtops, even on industrial premises. Palmtops should be exploited for immediately recording any non-conformance detected in the plant, by writing notes, descriptions or comments, but also by capturing the event in pictures. The analysis of the recorded non-conformances is very useful for the early detection of conditions which might lead to an accident. For this purpose it is essential to have sound methodologies, supported by adequate tools, for understanding whether a single non-conformance could open a breach in the safety barriers, and for finding weak points of the safety system which could be improved. As a non-conformance perturbs the safety system, it has to be notified quickly and a solution sought.
For the follow-up of near misses and anomalies many models have been proposed in the literature. The systemic approach is quite new for this matter. An adequate model of industrial safety systems may be found in just a few recent papers, including Beard & Santos Reyes (2003), Santos-Reyes & Beard (2003), Beard (2005) and Santos Reyes & Beard (2008). The development of a general systemic methodology for finding latent accident precursors would indeed be an overwhelming task. As the scope of this research is restricted to facilities where major accident legislation is enforced, and the goal is a demonstrative prototype, the effort is instead affordable. The European legislation on major accident hazards (''Seveso'' legislation) defines a framework which structures the safety system along the lifecycle of the plant, including hazard identification and risk analysis, safety policy and management, operational procedures, emergency management and periodic safety audits. Furthermore, in most plants a scrutiny of the equipment is performed according to the best known hazard identification and analysis methods, such as the IEC 61882 HAZOP method (IEC 2001) or possibly the Mond Fire, Explosion and Toxicity index (Lewis 1979), which is less probing but also less demanding. In other words, at a Seveso facility a structured and documented safety system is always present, and it is definitely ruled by regulations and standards.
At a ''Seveso'' establishment there is already a quite complex system to manage risks, with its tools, its documents and its data, which are described in many papers, including Fabbri et al. (2005) and OECD (2006). For that reason the first objective of the research has been to organize and exploit in a better way the information already present, minimizing the effort for the operator. No new models have to be implemented; rather, the items already present in the safety system have to be exploited. The results of non-conformance and deviation analysis should be transferred completely into the safety procedures, the SMS manual and the safety report, in order to improve the overall risk management of the establishment.

3 THE PROPOSED APPROACH

A new approach is proposed here for filling the gap between safety documents and operational experience. According to the standards and regulations enforced at major hazard facilities, the safety system is well defined and may be digitally represented. The basic idea is to exploit this representation for analyzing non-conformances and improving the safety system. The model is suitable for non-specialist operators, including depot workers.
The backbone of the proposed system is the digital representation of the equipment, as used in operation. In the present paper the equipment representation has been integrated with a digital representation of the safety system, tailored expressly for small-sized ''Seveso'' plants.
The potential of digital models coming from computer aided design systems for supporting hazard analysis has been demonstrated by Venkatasubramanian et al. (2000), Chung et al. (2001), Zhao et al. (2005) and Bragatto et al. (2007). In our approach, the scrutiny of the plant required by the HAZID and HAZAN methods is exploited to build, step by step, a plausible representation of the plant. The hierarchical structure has basically five nested levels: Facility, Unit, Assembly, Component, Accessory or Instrument.
Furthermore, as a result of hazard and consequence analysis, critical components and accessories are singled out. Components and accessories are considered critical if their failures or anomalies are in a chain of single events which could lead to a major accident. They are tagged and linked to the single event, present in the top events list, as handled in
the SR. In this way the top event list is embedded in the digital representation of the plant.
At the end, the emergency plan may be included in the net, too. For each major event found by the hazard analysis, the plan should have an action or a sequence of actions. In this way any emergency action is linked to an event which is in the top events list. Furthermore, the actions usually require operations to be done on accessories (e.g. valves), which have to be included in the plant digital representation. It is anyway to be stressed again that this whole representation of the plant does not require any new duty of the plant holder.
Just the SR and the safety manual, which are mandatory according to the Seveso legislation, have been used. The pieces of information, usually lost after the job of preparing the mandatory safety documents, are stored in a quite structured way, in order to have a complete representation of the whole system, including the equipment, the hazards ranked according to the Mond index, the list of top events, the sequences of failures that lead to a top event, the sequence of actions in the emergency plan, the SMS and the operating manual.
In this structured digital environment the non-conformances are recorded. The backward path from the single event (failure, near miss or accident) to the safety system is supported by the complete digital representation of the plant. When a failure or near miss is reported, it is connected to a piece of equipment (component or accessory) present in the plant digital representation.
There are many links between equipment and safety documents which may be used. Namely, any single item of the Mond checklist is linked to one or more components or assemblies, any event in a chain leading to a top event is linked to a component, and any action of a safety procedure is linked to an accessory or a component. A few components could be found without a direct link to safety documents; in this case the parent assembly or unit will be considered. In other words, the path of the equipment tree will be taken backward in order to retrieve the pieces of information about the assembly or the unit affected by the failure. If the failed item is linked to a chain which could lead to a top event, it shall be flagged.
If the non-conforming item corresponds to a credit factor in the Mond index method, the credit will be suspended until the non-conformance has been removed.
The basic result of this continuous practice of reporting any non-conformance which happens somewhere in the plant, and walking it through the plant digital safety representation, is to have, after a short time, the safety documents (basically the Mond checklist, top event sequences and safety procedures) annotated with a large number of notes, which should be used for the periodic reviewing.

Figure 1. The proposed digital model for the management of non conformances.

4 IMPLEMENTATION OF THE PROPOSED MODEL

In order to spread the proposed methodology, NOCE (NO-Conformance Events analysis), a software prototype, has been developed. A ''client-server'' architecture has been adopted, in order to have a palmtop computer in the field connected to an ''experience'' database on the central server.
The basic objectives of the software prototype are
• to keep track of the present event that happened in the plant by collecting all feasible information and taking into account all the events that occurred in the past in the same context;
• to access the Safety Management System directly for updating the documents, having the possibility to properly look at the risk analysis results;
• to evaluate the new event in the appropriate environment, for instance in safety management or in risk analysis.
In order to define an adequate architecture for the software, the workflow has been outlined. In the workflow two phases have been defined. The first phase is basically the event recording, and it is supposed to be performed by each single worker who detects the failure or the non-conformance. The worker, or possibly the squad leader, is enabled to record the event directly by means of a palmtop system. Immediate corrective actions should be recorded too. The event is associated to a component, which is supposed to be present in the plant database. The worker may verify whether other failures had been recorded in the past. The very basic data are introduced by the worker; the follow-up of this information is instead managed on the desktop, by a safety supervisor. As the safety manual addresses basic and general issues, this has always to be verified as the very first follow-up. This check is required for any type of non-conformance, but it has to be deepened in the case of a human or organizational failure, which could require intensifying audits on the safety management system or reviewing safety procedures. In the case of a mechanical failure, active monitoring of the asset should be intensified to prevent equipment deterioration. As the last step the safety report has to be considered, as well as the study about hazard identification and risk assessment, including checklist and HAZOP when present. The workflow described above is summarized by the ''flow-chart'' shown in Figure 2.

4.1 Software architecture

The architecture of the proposed system is basically composed of an application for workers, who have to record events, and an application for safety managers, who have to analyze events and update safety documents. The application for the worker side has been assumed to run on a palmtop computer featuring Windows CE, while the application for the safety manager side has been running on a desktop computer featuring Windows XP. The palmtop application is aimed at recording the non-conformances, retrieving past events from the database, and uploading the new events to the database. The desktop application has all the functionalities needed to analyze newly recorded events and to access the databases, which contain the equipment digital representation, the structured safety documents in digital format and the recorded non-conformances. The following paragraphs describe the modules in more detail.

4.2 Palmtop application

4.2.1 Event information
As explained above, an event is considered something that happened in the facility: all weak signals coming from operational experience, such as failures, incidents and near-misses, which may involve specific components, or a logic or process unit, but also a procedure of the safety management system. For this reason the event has to be associated to an item of the establishment, which may be an equipment component or a procedure.
The worker is required to input the basic information about the event. The event is characterized by some identifiers (e.g. worker's name, progressive id number, date and time). Required information includes
Figure 3. Consulting precedents related to a non conforming component.
Figure 4. Recording a non conformance.
In this way a detected non-conformance or failure may generate a procedure revision.

4.3.2 Safety report
The following steps are the reviewing of the safety report and its related documents. These two modules are aimed at discussing the follow-up of the event. They exploit a hierarchical representation of the establishment, where equipment components, with their accessories, are nested in installations, which are nested in units, which are nested in plants. In the safety report, the point related to the failed components, or to the affected plant unit, will be highlighted in order to be analyzed. In many cases it will be enough to understand the risk documents better; in a few cases a review could be required. A tag will be added in the safety report. This tag will be considered when the safety report is reviewed or revised.

4.3.3 Active monitoring intensification
In the case of a failure, the inspection plan may be reviewed in order to intensify active monitoring and prevent equipment deterioration. Affected accessories, components and units are found in the component database and proposed for maintenance. In the case of unexpected failures of mechanical parts, the database may be used to find in the plant all the parts which comply with a few criteria (e.g. same type or same manufacturer). Extraordinary inspections may be considered, as well as a reduced inspection period. Potential consequences of the failure may be considered too for intensifying inspections.

4.3.4 Session closing
Discussion sessions may be suspended and resumed many times. At the end, the discussion may be definitely closed. After the discussion is closed, lessons learnt are put in the DB and may be retrieved both from the palmtop and from the desktop.

4.4 A case study
The NOCE prototype has been tested at a small-medium sized facility, which had good ''historical'' collections of anomalies and near misses. These data have been used to build an adequate experience database. The following documents have been found in the safety reports:
• index method computation;
• hazard identification;
• list of top events;
• fault tree and event tree for potential major accidents.
They have been used to develop the plant safety digital model. Both technical and procedural failures have been studied using the prototype. The analysis produced many annotations in the safety report and in the related documents, as well as in the procedures of the safety management system. In Figure 5 the list of non-conformances is shown, as presented in the NOCE user interface.
In Figure 6 a sample NOCE window is shown. In the window each single pane is marked by a letter. The order of the letters from A to F follows the logical flow of the analysis. In A the digital representation of the plant is shown; the affected component
Figure 5. The list of near misses, failures and deviation, as presented in the NOCE graphical user interface.
Figure 6. A. The tree plant representation. B. The event data, as recorded via palmtop. C. The computation of Mond FE&T index. D. Basic representation of the top event. E. The paragraph of the Safety Report that has been tagged. F. The lesson learnt from the non-conformance.
is highlighted. In B the event data, as recorded via palmtop, are shown. The computation of the Mond FE&T index is shown in pane C. The basic representation of the event chain that leads to the top event is shown in D. From left to right there are three sub-panes, with the initiating event, the top event and the event sequence which has the potential to give a top event. The paragraph of the Safety Report where the component is mentioned is shown in pane E. The paragraph has been tagged for a future review. The lessons learnt from the non-conformance are shown in F.

The case study is quite simple. In a more complex establishment, such as a process plant, the number of failures and non-conformances is huge and many workers have to be involved in the job of recording the failures and the non-conformances as soon as possible. Their cooperation is essential for a successful implementation of the proposed system. Furthermore, advanced mobile IT technologies could be exploited for achieving good results even in a complex industrial environment.
5 CONCLUSIONS

The software presented in this paper exploits the ''plant safety'' digital representation for reporting and analyzing anomalies and non conformances, as recorded in the operational experience, as well as for updating the safety report, the safety management system and related documents. For building the digital representation, no extra duties are required, but a smarter exploitation of the documents that are required by the major accident hazard legislation.

ACKNOWLEDGEMENTS

The authors wish to thank Mr Andrea Tosti for his professional support in implementing the palmtop software.
Dynamic reliability
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
Bernhard Fechner
FernUniversität in Hagen, Hagen, Germany
ABSTRACT: In this paper, we introduce a novel and simple fault rate classification scheme in hardware. It is
based on the well-known threshold scheme, counting ticks between faults. The innovation is to introduce variable
threshold values for the classification of fault rates and a fixed threshold for permanent faults. In combination
with field data obtained from 9728 processors of a SGI Altix 4700 computing system, a proposal for the
frequency-over-time behavior of faults results, experimentally justifying the assumption of dynamic and fixed
threshold values. A pattern matching classifies the fault rate behavior over time. From the behavior a prediction
is made. Software simulations show that fault rates can be forecast with 98% accuracy. The scheme is able to
adapt to and diagnose sudden changes of the fault rate, e.g. a spacecraft passing a radiation emitting celestial
body. By using this scheme, fault-coverage and performance can be dynamically adjusted during runtime.
For validation, the scheme is implemented by using different design styles, namely Field Programmable Gate
Arrays (FPGAs) and standard-cells. Different design styles were chosen to cover different economic demands.
From the implementation, characteristics like the length of the critical path, capacity and area consumption
result.
1 INTRODUCTION

[4]. Figure 1 shows the number of neutron impacts per hour per square centimeter for Kiel, Germany (data from [5]).

Figure 1. Number of neutron impacts per hour for Kiel, Germany (2007). (x-axis: time in hours)

This work deals with the handling of faults after they have been detected (fault diagnosis). We do not use the fault rate for the classification of fault types such as transient, intermittent or permanent faults. We classify the current fault rate and forecast its development. On this basis the performance and fault coverage can be dynamically adjusted during runtime. We call this scheme History Voting.

The rest of this work is organized as follows: in Section 2, we present and discuss observations on fault rates in real-life systems. In Section 3, we discuss related work. Section 4 introduces History Voting. We seamlessly extend the scheme to support multiple operating units used in multicore or multithreaded systems. The scheme was modeled in software and its behavior simulated under the influence of faults. Section 5 presents experimental results and resource demands from standard-cell and FPGA (Field Programmable Gate Array) implementations. Section 6 concludes the paper.
2 OBSERVATIONS

Figure 2 shows the number of transient single bit errors (x-axis) for 193 systems and the number of systems which show faulty behavior (y-axis) over 16 months [7]. For many systems the number of faults is small. Few systems encounter an increased fault rate. From this, intermittent or permanent faults can be concluded.

Figure 3 shows the daily number of transient single bit memory errors for a single system [7]. The faults within the first seven months were identified as transient. The first burst of faults appears at the beginning of month eleven, leading to the assessment of intermittent faults.

Actual data is depicted in Figure 4. Here, the number of detected faults (y-axis) in the main memory and caches of all 19 partitions of the SGI Altix 4700 installation at the Leibniz computing center (Technical University of Munich) [8] is shown. The data was gained from the system abstraction layer (salinfo). In the observation interval (24.07.-31.08.2007, x-axis) two permanent faults in Partitions 3 and 13 can be recognized, since we have a massive increase of errors (y-axis). If permanent faults were concluded from a history, they would be recognized too late, leading to a massive occurrence of side-effects. For the detection of permanent faults, the fault rate in the observation interval alone is relevant. In partitions 2, 5, 9, 10 and 14, an increase of the fault rate before a massive fault appearance can be seen. As much as a sudden growth, a decrease of the fault rate can be observed. From [7] further properties of intermittent faults can be derived which help to classify these faults: a repeated manifestation at the same location and that they occur in bursts. Naturally, intermittent and permanent faults can be recovered by replacing the faulty component.

Figure 2. Number of transient errors for 193 systems. (x-axis: number of transient faults; y-axis: number of systems)

Figure 3. (x-axis: dates from 1-May-99 to 1-Jul-00; y-axis: number of faults)

Figure 4. Field data for the SGI Altix 4700.

3 RELATED WORK

A state-comparator detects faults in a duplex-system. For three or more results or states a majority voter is used for the selection of a correct state, being able to mask a fault. Besides majority voting many other selection criteria exist [17]. The classification of faults from their frequency was done in early IBM mainframes. One example is the automated fault diagnosis in the IBM 3081 [14]. In [10] an analysis of faults over time is used to forecast and separate permanent from intermittent faults. The ES/9000 Series, model 900 [15] implements a retry and threshold mechanism to tolerate transient faults and classify fault types. In [12] the fault rate is used to construct gro ups of faults. Detailed logs from IBM 3081 and CYBER-systems help to detect similarities and permanent faults. In [16] the history of detected faults within a NMR-system is used to identify the faultiest module. The offline dispersion frame mechanism by Lin and Siewiorek [11] diagnoses faults in a Unix-type filesystem. The heuristic is based on the observation of faults over time. Different rules are derived, e.g. the two-in-one rule which generates a warning if two faults occur within an hour. Similar is the approach from Mongardi [13]. Here, two errors in two consecutive cycles within a unit lead to the interpretation of a permanent fault. In [9] the α-count mechanism is developed. It permits to
Bennett [16] develop and analyze a flexible majority voter for TMR-systems. From the history of faults the most reliable module is determined. In [18] the processor that will probably fail in the future is determined from the list of processors which took part in a redundant execution scheme. Therefore, processors are assigned weights. Like [9] we distinguish between techniques which incur interference from outside and mechanisms based on algorithms. The latter are used in this work.

4 DIAGNOSIS AND PREDICTION

From the mentioned work and the observations, we can conclude that a classification of faults is possible by measuring the time between them. The limits for a classification are fluent, since the application, technology and circuit will determine the frequency of faults. History Voting for redundant (structural and temporal) systems classifies fault rates during runtime. It predicts if the fault rate will increase. Based on this forecast, the performance of a system can be dynamically adjusted if the prediction has a certain quality.

We hereby exclude the possibility that the system performance is decreased unreasonably due to a false prediction. A trust $\gamma$ is assigned to units. These can be e.g. the components of a NMR-system, the cores in a multicore system or threading units in a multithreaded system. If the trust is zero, a faulty unit can be identified. An additional innovation is to dynamically adjust the threshold values to the fault scenario. From this we can exclude a false detection of a permanent fault on an unexpectedly high fault rate, e.g. the bypass flight of a space probe past a radiation emitting celestial body.
History Voting consists of two parts:

1. Adjustment of threshold values to the operating environment
2. Prediction of the fault rate and calculation of trust and prediction quality.

4.1 Adjustment of threshold values

All related works from above use fixed threshold limits for the classification of fault types. This assumption only matches an environment where the fault rate is known. To flexibly classify the fault rate we introduce three threshold variables: $\varphi_\iota$, $\varphi_\tau$ and $\varphi_\pi$. These represent the upper borders for the rate of permanent ($\varphi_\pi$), intermittent ($\varphi_\iota$) and transient faults ($\varphi_\tau$). After a reset the variables are set to known maximum values of the expected fault scenario. For security and from the observations, $\varphi_\pi$ is set to a fixed value and is not dynamically adjusted. A counter $\Delta_i$ is needed to measure the time (in cycles) between faults. In the fault-free case, $\Delta_i$ is increased every cycle, else the trend of the fault rate is classified by the function $i(a, b)$, defined by:

$$i : \mathbb{N} \times \mathbb{N} \to \{0, 1\}, \qquad i(a, b) := \begin{cases} 0 & \text{if } \varphi_\iota < \Delta(a, b) \le \varphi_\tau \\ 1 & \text{if } \varphi_\pi < \Delta(a, b) \le \varphi_\iota \end{cases}$$

$$\Delta : \mathbb{N} \times \mathbb{N} \to \mathbb{N} \quad \text{with} \quad \Delta(a, b) := |a - b| . \qquad (1)$$

Table 1 shows the coding of $i(a, b)$ and the consequence on the trust ($\gamma$). γ>> represents the bitwise shifting of value $\gamma$ to the right, γ++ an increase of value $\gamma$. If a fault cannot be tolerated, the trust is decremented until the minimum (null) is reached. If $\Delta_i$ is substantially greater than $\varphi_\tau$, this could mean that the diagnosis unit does not respond. In this case, tests should be carried out to prevent further faulty behavior.

Table 1. Coding of fault rates.

Coding i(a, b)   Fault rate   Consequence
0                Normal       γ++
1                Increase     γ>>

4.2 Forecast of fault rates, calculation of trust and prediction quality

A further observation is that a fault-tolerant system which does not know its past cannot express if a transient or intermittent (e.g. through frequent usage of a faulty component) fault occurred. Thus, it cannot predict these faults and cannot derive the system behavior over time. Therefore, we include a small memory (the history). The history holds the last three fault rates interpreted by $i(a, b)$.

For a prediction, neural nets or methods like branch prediction can be used. However, these methods are costly regarding time and area. We use a simple pattern matching depicted in Table 2. Here, the predicted fault rate and a symbolic representation are shown. For a time-efficient implementation, the history is limited in size. Three recent fault rates are considered. If the prediction matches the current fault rate development, the prediction quality $\eta$ is increased, else decremented. Here, also the field data from Figure 4 was taken into account. The symbols are shown in Table 3.

Table 2. History and forecasted fault rates.

H[1] H[2] H[3]   Fault rate prediction
0    0    0      0
0    0    1      0
0    1    0      0
0    1    1      1
1    0    0      0
1    0    1      1
1    1    0      0
1    1    1      1

Table 3. Symbols (History voting).

Symbol       Description
γi           Trust of unit i
ϕτ           Upper threshold: normal fault rate
ϕι           Mid-threshold: increased fault rate
ϕπ           Lower (fixed) threshold: permanent fault
η            Quality of prediction
υ            If η > υ, trust can be adjusted (quality-threshold)
Δi           Value of cycle-counter when detecting fault i
H[i]         Entry i in the history
Entries      Maximal number of entries in the history
Prediction   Prediction of the fault rate from the history (s. Figure 5)
Predict      Pattern matching to forecast the fault (s. Figure 5)
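An added software model of the scheme in Sections 4.1 and 4.2 (equation (1), Tables 1 to 3 and the per-fault steps of Figure 5); it is example code, not the paper's hardware or its simulator. Assumptions made here: the threshold update rule after a slow drift, an 8-bit trust register, a trust floor named p_t, counting a distance above ϕτ as a normal rate, applying the Table 1 consequence to the forecast whenever η > υ, and the constructed sequence of fault distances.

```python
"""Software model of History Voting (Sections 4.1 and 4.2, Figure 5).  Added
example, not the paper's code: the threshold update rule, the 8-bit trust
register, the trust floor p_t and distances above phi_tau are assumptions."""

# Table 2 of the paper: history (H[1], H[2], H[3]) of fault-rate codes -> predicted code.
PREDICTION_TABLE = {
    (0, 0, 0): 0, (0, 0, 1): 0, (0, 1, 0): 0, (0, 1, 1): 1,
    (1, 0, 0): 0, (1, 0, 1): 1, (1, 1, 0): 0, (1, 1, 1): 1,
}


class HistoryVoter:
    def __init__(self, phi_tau, phi_iota, phi_pi, upsilon=2, gamma=128):
        self.phi_tau = phi_tau    # upper threshold: normal fault rate (adjusted at runtime)
        self.phi_iota = phi_iota  # mid threshold: increased fault rate (adjusted at runtime)
        self.phi_pi = phi_pi      # lower threshold: permanent fault (fixed)
        self.upsilon = upsilon    # quality threshold: trust changes only while eta > upsilon
        self.gamma = gamma        # trust of the unit
        self.gamma_max = 255      # assumed 8-bit trust register
        self.p_t = 1              # assumed trust floor ("pt" in the paper)
        self.eta = 0              # prediction quality
        self.delta = 0            # cycle counter: cycles since the last fault
        self.delta_prev = 0       # distance between the previous two faults (0: none yet)
        self.history = (0, 0, 0)  # H[1], H[2], H[3]; H[3] is the most recent code
        self.prediction = 0       # forecast made after the last fault

    def classify(self, d):
        """i(a, b) of equation (1): 0 = normal fault rate, 1 = increased fault rate."""
        if self.phi_iota < d <= self.phi_tau:
            return 0
        if self.phi_pi < d <= self.phi_iota:
            return 1
        # d > phi_tau lies outside equation (1); the paper notes the diagnosis unit
        # may not be responding.  Assumption: count it as a normal rate.
        return 0

    def tick(self, fault=False, int_fault=False, ext_fault=False):
        """One clock cycle.  Returns None on a fault-free cycle, else an event name."""
        if int_fault or ext_fault:
            return "FAIL_SAFE"           # irreparable fault: hand over to the fail-safe mode
        self.delta += 1
        if not fault:
            return None
        d, self.delta = self.delta, 0
        if d <= self.phi_pi:             # sudden increase: distance at or below phi_pi
            return "PERMANENT_FAULT"     # (d == phi_pi is undefined in eq. (1); folded in)
        code = self.classify(d)
        # Prediction quality: did the last forecast match what just happened?
        self.eta = self.eta + 1 if code == self.prediction else max(0, self.eta - 1)
        self.history = (self.history[1], self.history[2], code)
        self.prediction = PREDICTION_TABLE[self.history]
        # Table 1 consequence on the trust, applied only while the forecast is trusted.
        if self.eta > self.upsilon:
            if self.prediction == 0:
                self.gamma = min(self.gamma_max, self.gamma + 1)   # gamma++
            else:
                self.gamma >>= 1                                   # gamma>>
        if self.gamma < self.p_t:
            return "PERMANENT_FAULT"     # slow degradation of trust
        self.adjust_thresholds(d)
        self.delta_prev = d
        return "INCREASE" if code else "NORMAL"

    def adjust_thresholds(self, d):
        """Re-frame the fault rate between phi_iota and phi_tau after a slow drift.
        A change of more than 50 % against the previous distance (tested with shifts,
        as in the paper) is a sudden change and leaves the thresholds unchanged."""
        if self.delta_prev and (d > (self.delta_prev << 1) or d <= (self.delta_prev >> 1)):
            return False
        # Assumed update rule: phi_tau moves halfway toward 2*d, phi_iota toward d/2.
        self.phi_tau = (self.phi_tau + 2 * d) // 2
        self.phi_iota = max(self.phi_pi + 1, (self.phi_iota + d // 2) // 2)
        self.phi_iota = min(self.phi_iota, self.phi_tau - 1)
        return True


def run(voter, gaps):
    """Inject faults separated by the given numbers of cycles; return the event per fault."""
    events = []
    for gap in gaps:
        for _ in range(gap - 1):
            voter.tick()
        events.append(voter.tick(fault=True))
    return events


def demo():
    """Constructed scenario: steady rate, slow drift to shorter distances, then a burst."""
    voter = HistoryVoter(phi_tau=1000, phi_iota=500, phi_pi=100)
    events = run(voter, [800, 820, 780, 400, 380, 150, 140, 50])
    return events, voter


if __name__ == "__main__":
    ev, v = demo()
    print(ev, "trust:", v.gamma, "eta:", v.eta, "thresholds:", v.phi_tau, v.phi_iota)
```

In the constructed run the fourth distance (400) is first coded as an increase, but after the thresholds have followed the drift the next one (380) is normal again; the burst at 150 cycles is a sudden change, so the thresholds stay put, and the final 50-cycle distance falls below ϕπ and is reported as a permanent fault.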
Figure 5. Calculation of trust and prediction.

Figure 5 shows the algorithm for the calculation of trust, the prediction and its quality. First, we test if an irreparable internal (INTFAULT) or external fault (EXTFAULT) was signaled. If so, the fail-safe mode must be initiated. If no such fault occurred, the cycle counter $\Delta_i$ is increased. If a fault is detected (INT-/ and EXTFAULT are excluded here), the forecasted fault rate $i(a, b)$ is entered into the history H. Over Predict, a prediction (Prediction) is made. The last fault rate is compared with the current one. If the prediction is correct, $\eta$ is increased. Else it will be decremented until the minimum is reached. Only if $\eta > \upsilon$ can the prediction modify the trust $\gamma$ and thus the system behavior. The more densely faults occur in time, the less trust a unit gets. The greater the trust, the higher the probability of a correct execution. A slow increase or decrease of the fault rate signals a change within the operating environment and threshold values are modified. $\Delta_{i-1}$, the last distance of faults in time, will be compared with the actual $\Delta_i$. If the elevation or decrease is over 50% ($\Delta_i > (\Delta_{i-1} << 1)$, $\Delta_i \le (\Delta_{i-1} >> 1)$), we have a sudden change of the fault rate and threshold values will not be adjusted.

Two possibilities to signal permanent internal faults exist:

• The trust $\gamma_i$ in unit i is less than the value pt (slow degradation, not shown in Figure 5)
• $\Delta_i$ is less than threshold $\varphi_\pi$ (sudden increase)

Hereby, we assume that no unit permanently locks resources, since then the trust of other units would decrease disproportionately.

5 EXPERIMENTAL RESULTS

To judge the mechanism, it was modeled in software. Figure 6 shows the successful adjustment of threshold
values (fault rate $\lambda = 10^{-5}$). The distance of faults in time, the threshold values and the accuracy are shown (from top to bottom: $\varphi_\tau$, $\varphi_\iota$, $\varphi_\pi$ and accuracy in %). We purposely chose nearly equal (difference 100 cycles) starting values for $\varphi_\iota$ and $\varphi_\tau$, since we wanted to show the flexibility of the mechanism. We see how the fault rate is framed by the threshold values. Threshold $\varphi_\pi$ is set to a value where a permanent fault can be ascertained (100 cycles).

In the beginning, the accuracy is low due to the initial values of $\varphi_\tau$ and $\varphi_\iota$ but evens out at about 98%. If these values had been correctly initialized, the accuracy would have been 100%. Table 4 shows the resource demands for History Voting (FPGA, Xilinx Virtex-E XCV1000). Table 5 shows the resource demands for History Voting for a standard-cell design using a 130 nm, 6 metal layer CMOS technology.

Table 5. Resource demands (standard-cell).

Place and route
Critical path (ps)    3308
Area (λ²)             1175 × 1200
Transistors           5784
Capacity (pF)         8.8

6 CONCLUSION
[5] National Geophysical Data Center (NGDC). Cosmic Ray Neutron Monitor (Kiel). ftp://ftp.ngdc.noaa.gov/STP/SOLAR_DATA/COSMIC_RAYS/kiel.07. Revision 12/2007/cited 21.01.2008.
[6] The International Technology Roadmap for Semiconductors (ITRS). Front End Processes. http://www.itrs.net/Links/2005ITRS/FEP2005.pdf, 2005 Edition/cited 18.01.2008.
[7] C. Constantinescu. Trends and Challenges in VLSI Circuit Reliability. IEEE Micro, vol. 23, no. 4, pp. 14–19, 2003.
[8] M. Brehm, R. Bader, R. Ebner, Leibniz-Rechenzentrum (LRZ) der Bayerischen Akademie der Wissenschaften, Hardware Description of HLRB II, http://www.lrz-muenchen.de/services/compute/hlrb/hardware. Revision 29.03.2007/cited 30.11.2007.
[9] A. Bondavalli, et al. Threshold-Based Mechanisms to Discriminate Transient from Intermittent Faults. IEEE Trans. on Computers, vol. 49, no. 3, pp. 230–245, 2000.
[10] M.M. Tsao, D.P. Siewiorek. Trend Analysis on System Error Files. In Proc. of the 13th Int'l Symp. on Fault-Tolerant Computing (FTCS-13), pp. 116–119, 1983.
[11] T.-T.Y. Lin, D.P. Siewiorek. Error Log Analysis: Statistical Modeling and Heuristic Trend Analysis. IEEE Trans. on Reliability, vol. 39, pp. 419–432, 1990.
[12] R.K. Iyer et al. Automatic Recognition of Intermittent Failures: An Experimental Study of Field Data. IEEE Trans. on Computers, vol. 39, no. 4, pp. 525–537, 1990.
[13] G. Mongardi. Dependable Computing for Railway Control Systems. In Proc. of the 3rd Dependable Computing for Critical Applications (DCCA-3), pp. 255–277, 1993.
[14] N.N. Tendolkar, R.L. Swann. Automated Diagnostic Methodology for the IBM 3081 Processor Complex. IBM Journal of Research and Development, vol. 26, pp. 78–88, 1982.
[15] L. Spainhower et al. Design for Fault-Tolerance in System ES/9000 Model 900. In Proc. of the 22nd Int'l Symp. Fault-Tolerant Computing (FTCS-22), pp. 38–47, 1992.
[16] G. Latif-Shabgahi, P. Bennett. Adaptive Majority Voter: A Novel Voting Algorithm for Real-Time Fault-Tolerant Control Systems. In Proc. of the 25th Euromicro Conference, vol. 2, p. 2113ff, 1999.
[17] J.M. Bass, G. Latif-Shabgahi, P. Bennett. Experimental Comparison of Voting Algorithms in Cases of Disagreement. In Proc. of the 23rd Euromicro Conference, pp. 516–523, 1997.
[18] P. Agrawal. Fault Tolerance in Multiprocessor Systems without Dedicated Redundancy. IEEE Trans. on Computers, vol. 37, no. 3, pp. 358–362, 1988.
ABSTRACT: In dynamic reliability, the evolution of a system is governed by a piecewise deterministic Markov
process, which is characterized by different input data. Assuming such data to depend on some parameter p ∈ P,
our aim is to compute the first-order derivative with respect to each p ∈ P of some functionals of the process,
which may help to rank input data according to their relative importance, in view of sensitivity analysis. The
functionals of interest are expected values of some function of the process, cumulated on some finite time interval
[0, t], and their asymptotic values per unit time. Typical quantities of interest hence are cumulated (production)
availability, or mean number of failures on some finite time interval and similar asymptotic quantities. The
computation of the first-order derivative with respect to p ∈ P is made through a probabilistic counterpart of the
adjoint point method, from the numerical analysis field. Examples are provided, showing the good efficiency of
this method, especially in case of large P.
where $\rho_0$ is the initial distribution of the process. Such quantities include e.g. cumulative availability or production availability on some time interval $[0, t]$, mean number of failures on $[0, t]$, mean time spent by $(X_s)_{0 \le s \le t}$ on $[0, t]$ between two given bounds...

For such types of quantity, our aim is to study their sensitivity with respect to different parameters $p \in P$, on which may depend both the function $h$ and the input data of the process $(I_t, X_t)_{t \ge 0}$. More specifically, the point is to study the influence of variations of $p \in P$ on $R_{\rho_0}(t)$, through the computation of the first-order derivative of $R_{\rho_0}(t)$ with respect to each $p \in P$. In view of comparing the results for different $p \in P$, we prefer to normalize such derivatives, and we are actually interested in computing the dimensionless first-order logarithmic derivative of $R_{\rho_0}(t)$ with respect to $p$:

$$IF_p(t) = \frac{p}{R_{\rho_0}(t)}\, \frac{\partial R_{\rho_0}(t)}{\partial p}$$

which we call importance factor of parameter $p$ in $R_{\rho_0}(t)$. In view of long time analysis, we also want to compute its limit $IF_p(\infty)$, with

$$IF_p(\infty) = \lim_{t \to +\infty} \frac{p}{R_{\rho_0}(t)/t}\, \frac{\partial (R_{\rho_0}(t)/t)}{\partial p}$$

Noting that $IF_p(t)$ and $IF_p(\infty)$ only make sense when considering a never vanishing parameter $p$, we consequently assume $p$ to be positive.

This kind of sensitivity analysis was already studied in (Gandini 1990) and in (Cao and Chen 1997) for pure jump Markov processes with countable state space, and extended to PDMP in (Mercier and Roussignol 2007), with a more restrictive model than in the present paper however.

Since the marginal distributions of the process $(I_t, X_t)_{t \ge 0}$ are, in some sense, the weak solution of linear first order hyperbolic equations (Cocozza-Thivent, Eymard, Mercier, and Roussignol 2006), the expressions for the derivatives of the mathematical expectations can be obtained by solving the dual problem (adjoint point method), as suggested in (Lions 1968) for a wide class of partial differential equations. We show here that the resolution of the dual problem provides an efficient numerical method, when the marginal distributions of the PDMP are approximated using a finite volume method.

Due to the reduced size of the present paper, all proofs are omitted and will be provided in a forthcoming paper.

2 ASSUMPTIONS

The jump rates $a(i, j, x)$, the jump distribution $\mu_{(i,j,x)}$, the velocity field $v(i, x)$ and the function $h(i, x)$ are assumed to depend on some parameter $p$, where $p$ belongs to an open set $O \subset \mathbb{R}$ or $\mathbb{R}^k$. All the results are written in the case where $O \subset \mathbb{R}$ but the extension to the case $O \subset \mathbb{R}^k$ is straightforward. We add the exponent $(p)$ to each quantity depending on $p$, such as $h^{(p)}$ or $R^{(p)}_{\rho_0}(t)$. We denote by $\rho^{(p)}_t(i, dx)$ the distribution of the process $(I^{(p)}_t, X^{(p)}_t)_{t \ge 0}$ at time $t$ with initial distribution $\rho_0$ (independent of $p$). We then have:

$$R^{(p)}_{\rho_0}(t) = \int_0^t \rho^{(p)}_s h^{(p)}\, ds = \sum_{i \in E} \int_V \int_0^t h^{(p)}(i, x)\, ds\, \rho^{(p)}_s(i, dx)$$

In order to prove existence and to calculate derivatives of the functional $R^{(p)}_{\rho_0}$, we shall need the following assumptions ($H_1$): for each $p$ in $O$, there is some neighborhood $N(p)$ of $p$ in $O$ such that, for all $(i, j) \in E \times E$:

• the function $(x, p) \to a^{(p)}(i, j, x)$ is bounded on $V \times N(p)$, belongs to $C^2(V \times O)$ (twice continuously differentiable on $V \times O$), with all partial derivatives uniformly bounded on $V \times N(p)$,
• for all functions $f^{(p)}(x) \in C^2(V \times O)$ with all partial derivatives uniformly bounded on $V \times N(p)$, the function $(x, p) \to \int f^{(p)}(y)\, \mu^{(p)}_{(i,j,x)}(dy)$ belongs to $C^2(V \times O)$, with all partial derivatives uniformly bounded on $V \times N(p)$,
• the function $(x, p) \to v^{(p)}(i, x)$ is bounded on $V \times N(p)$, belongs to $C^2(V \times O)$, with all partial derivatives uniformly bounded on $V \times N(p)$,
• the function $(x, p) \to h^{(p)}(i, x)$ is bounded on $V \times N(p)$, almost surely (a.s.) twice continuously differentiable on $V \times O$ with a.s. uniformly bounded partial derivatives on $V \times N(p)$, where a.s. means with respect to Lebesgue measure in $x$.

In all the paper, under assumptions $H_1$, for each $p$ in $O$, we shall refer to a $N(p)$ fulfilling the four points of the assumption without any further notice. We recall that under assumptions $H_1$ (and actually under much milder assumptions), the process $(I_t, X_t)_{t \ge 0}$ is a Markov process, see (Davis 1984) e.g. Its transition probability distribution is denoted by $P^{(p)}_t(i, x, j, dy)$.

3 TRANSITORY RESULTS

We first introduce the infinitesimal generators of both Markov processes $(I_t, X_t)_{t \ge 0}$ and $(I_t, X_t, t)_{t \ge 0}$:
Definition 1.1 Let $D_{H_0}$ be the set of functions $f(i, x)$ from $E \times V$ to $\mathbb{R}$ such that for all $i \in E$ the function $x \to f(i, x)$ is bounded, continuously differentiable on $V$ and such that the function $x \to v^{(p)}(i, x) \cdot \nabla f(i, x)$ is bounded on $V$. For $f \in D_{H_0}$, we define

$$H^{(p)}_0 f(i, x) = \sum_{j \in E} a^{(p)}(i, j, x) \int f(j, y)\, \mu^{(p)}_{(i,j,x)}(dy) + v^{(p)}(i, x) \cdot \nabla f(i, x)$$

where we set $a^{(p)}(i, i, x) = -\sum_{j \ne i} a^{(p)}(i, j, x)$ and $\mu^{(p)}_{(i,i,x)} = \delta_x$.

Let $D_H$ be the set of functions $f(i, x, s)$ from $E \times V \times \mathbb{R}_+$ to $\mathbb{R}$ such that for all $i \in E$ the function $(x, s) \to f(i, x, s)$ is bounded, continuously differentiable on $V \times \mathbb{R}_+$ and such that the function $x \to \frac{\partial f}{\partial s}(i, x, s) + v^{(p)}(i, x) \cdot \nabla f(i, x, s)$ is bounded on $V \times \mathbb{R}_+$. For $f \in D_H$, we define

$$H^{(p)} f(i, x, s) = \sum_{j} a^{(p)}(i, j, x) \int f(j, y, s)\, \mu^{(p)}_{(i,j,x)}(dy) + \frac{\partial f}{\partial s}(i, x, s) + v^{(p)}(i, x) \cdot \nabla f(i, x, s) \qquad (1)$$

We now introduce what we called importance functions:

Proposition 1 Let $t > 0$ and let us assume $H_1$ to be true. Let us define the function $\varphi^{(p)}_t$ by, for all $(i, x) \in E \times V$:

$\varphi^{(p)}_t(i, x, s)$ (the right-hand side is truncated in the source; only the limits $t - s$ and $0$ survive)

Theorem 1.1 Let $t > 0$ be fixed. Under assumptions $H_1$, the function $p \to R^{(p)}_{\rho_0}(t)$ is differentiable with respect to $p$ on $N(p)$ and we have:

$$\frac{\partial R^{(p)}_{\rho_0}}{\partial p}(t) = \int_0^t \rho^{(p)}_s\, \frac{\partial h^{(p)}}{\partial p}\, ds - \int_0^t \rho^{(p)}_s\, \frac{\partial H^{(p)}}{\partial p} \varphi^{(p)}_t(\cdot, \cdot, s)\, ds \qquad (3)$$

where we set:

$$\frac{\partial H^{(p)}}{\partial p} \varphi(i, x, s) = \sum_{j \in E} \frac{\partial a^{(p)}}{\partial p}(i, j, x) \int \varphi(j, y, s)\, \mu^{(p)}_{(i,j,x)}(dy) + \sum_{j \in E} a^{(p)}(i, j, x)\, \frac{\partial}{\partial p}\left( \int \varphi(j, y, s)\, \mu^{(p)}_{(i,j,x)}(dy) \right) + \frac{\partial v^{(p)}}{\partial p}(i, x) \cdot \nabla \varphi(i, x, s)$$

for all $\varphi \in D_H$ and all $(i, x, s) \in E \times V \times \mathbb{R}_+$.

Formula (3) is given for one single $p \in \mathbb{R}^*_+$. In case $R_{\rho_0}(t)$ depends on a family of parameters $P = (p_l)_{l \in L}$, we then have:

$$\frac{\partial R^{(P)}_{\rho_0}}{\partial p_l}(t) = \int_0^t \rho^{(P)}_s\, \frac{\partial h^{(P)}}{\partial p_l}\, ds - \int_0^t \rho^{(P)}_s\, \frac{\partial H^{(P)}}{\partial p_l} \varphi^{(P)}_t(\cdot, \cdot, s)\, ds \qquad (4)$$
data $\partial h^{(P)}/\partial p_l$ and $\partial H^{(P)}/\partial p_l$ (see (4)), which is done simultaneously with the solving.

This has to be compared with the usual finite differences method, for which the evaluation of $\frac{\partial R^{(P)}_{\rho_0}}{\partial p_l}(t)$ for one single $p_l$ requires the computation of $R^{(P)}_{\rho_0}$ for two different families of parameters ($P$, and $P$ with $p_l$ substituted by some $p_l + \varepsilon$). The computation of $\frac{\partial R^{(P)}_{\rho_0}}{\partial p_l}(t)$ for all $l \in L$ by finite differences hence requires $1 + \mathrm{card}(L)$ computations. When the number of parameters $\mathrm{card}(L)$ is big, the advantage clearly goes to the present method.

differential equation:

$$H^{(p)}_0 U_{h^{(p)}}(i, x) = \pi^{(p)} h^{(p)} - h^{(p)}(i, x) \qquad (7)$$

for all $(i, x) \in E \times V$. Any other element of $D_{H_0}$ solution of (7) is of the shape $U_{h^{(p)}} + C$ where $C$ is a constant. The function $U_{h^{(p)}}$ is called the potential function associated to $h^{(p)}$.

The following theorem provides an extension to PDMP of the results from (Cao and Chen 1997).
[...] stands for the time elapsed at time $t$ since the last instantaneous repair (the backward recurrence time). There is one single discrete state, so that the component $I_t$ is here unnecessary. The failure rate for the component at time $t$ is $\lambda(X_t)$ where $\lambda(\cdot)$ is some non-negative function. The process $(X_t)_{t \ge 0}$ is "renewed" after each repair, so that $\mu_{(x)}(dy) = \delta_0(dy)$, and $(X_t)_{t \ge 0}$ evolves between renewals with speed $v(x) = 1$.

We are interested in the rate of renewals on $[0, t]$, namely in the quantity $Q(t)$ such that:

$$Q(t) = \frac{R(t)}{t} = \frac{1}{t}\, \mathbb{E}_0\left(\int_0^t \lambda(X_s)\, ds\right)$$

where $R(t)$ is the renewal function associated to the underlying renewal process.

The function $\lambda(x)$ is assumed to depend on some parameter $p > 0$. Assuming $\lambda(x)$ to meet the H1 requirement, the results from Section 3 here write:

$$\frac{\partial Q^{(p)}(t)}{\partial p} = \frac{1}{t} \int_0^t \int_0^s \rho^{(p)}_s(dx)\, \frac{\partial \lambda^{(p)}}{\partial p}(x) \left(1 - \varphi^{(p)}_t(0, s) + \varphi^{(p)}_t(x, s)\right) ds$$

where $\varphi_t$ is solution of

$$\lambda(x)\left(\varphi_t(0, s) - \varphi_t(x, s)\right) + \frac{\partial}{\partial s}\varphi_t(x, s) + \frac{\partial}{\partial x}\varphi_t(x, s) = \lambda(x)$$

for all $s \in [0, t]$, and $\varphi_t(x, t) = 0$ for all $x \in [0, t]$.

Assuming $\mathbb{E}(T_1) < +\infty$, the process is known to have a single stationary distribution $\pi^{(p)}$ which has the following probability density function (p.d.f.):

$$f_{\pi^{(p)}}(x) = \frac{P(T^{(p)}_1 > x)}{\mathbb{E}(T^{(p)}_1)} = \frac{e^{-\int_0^x \lambda^{(p)}(u)\, du}}{\mathbb{E}(T^{(p)}_1)} \qquad (9)$$

Using a result from (Konstantopoulos and Last 1999), one may then prove the following proposition, which ensures the process to be uniformly ergodic, meeting H2:

Proposition 3. Let us assume that $\mathbb{E}(e^{\delta T_1}) < +\infty$ for some $0 < \delta < 1$ and that $T_1$ is new better than used (NBU: for all $x, t \ge 0$, we have $\bar F(x + t) \le \bar F(x)\bar F(t)$, where $\bar F$ is the survival function $\bar F(t) = P(T_1 > t)$). Then, there are some $C < +\infty$ and $0 < \rho < 1$ such that:

$$\left| P^{(p)}_t h^{(p)}(x) - \pi^{(p)} h^{(p)} \right| \le C \rho^t$$

for all $x \in \mathbb{R}_+$.

Under assumption H2, we get the following closed form for $\partial Q(\infty)/\partial p$:

$$\frac{\partial Q(\infty)}{\partial p} = \frac{1}{\mathbb{E}_0(T_1)} \int_0^{+\infty} \frac{\partial \lambda}{\partial p}(x) \left(1 - Q(\infty) \int_0^x e^{-\int_0^v \lambda(u)\, du}\, dv\right) dx$$

5.2 Numerical results

We assume that $T_1$ is distributed according to some Weibull distribution, which is slightly modified to meet our assumptions:

$$\lambda^{(\alpha, \beta)}(x) = \begin{cases} \alpha \beta x^{\beta - 1} & \text{if } x < x_0 \\ P_{\alpha, \beta, x_0}(x) & \text{if } x_0 \le x < x_0 + 2 \\ \alpha \beta (x_0 + 1)^{\beta - 1} = \text{constant} & \text{if } x_0 + 2 \le x \end{cases}$$

where $(\alpha, \beta) \in O = [0, +\infty] \times [2, +\infty]$, $x_0$ is chosen such that $T_1 > x_0$ is a rare event ($P_0(T_1 > x_0) = e^{-\alpha x_0^\beta}$ small) and $P_{\alpha, \beta, x_0}(x)$ is some smoothing function which makes $x \mapsto \lambda^{(\alpha, \beta)}(x)$ continuous on $\mathbb{R}_+$. For such a failure rate, it is then easy to check that assumptions H1 and H2 are true, using Proposition 6.

Taking $(\alpha, \beta) = (10^{-5}, 4)$ and $x_0 = 100$ (which ensures $P_0(T_1 > x_0) \simeq 5 \times 10^{-435}$), we are now able to compute $IF_\alpha(t)$ and $IF_\beta(t)$ for $t \le \infty$. In order to validate our results, we also compute such quantities by finite differences (FD) using:

$$\frac{\partial Q(t)}{\partial p} \simeq \frac{1}{\varepsilon}\left(Q^{(p + \varepsilon)}(t) - Q^{(p)}(t)\right)$$

for small $\varepsilon$ and $t \le \infty$. For the transitory results, we use the algorithm from (Mercier 2007), which provides an estimate for the renewal function $R^{(p)}(t)$ and hence for $Q^{(p)}(t) = R^{(p)}(t)/t$, to compute $Q^{(p)}(t)$ and $Q^{(p + \varepsilon)}(t)$. For the asymptotic results, we use the exact formula $Q^{(p)}(\infty) = 1/\mathbb{E}_0(T^{(p)}_1)$, a direct consequence of the key renewal theorem.

The results are gathered in Table 1 for the asymptotic importance factors $IF_p(\infty)$. The results are very stable for $IF_\beta(\infty)$ by FD when choosing different values for $\varepsilon$, and FD gives very similar results to EMR. The approximation for $IF_\alpha(\infty)$ by FD requires smaller $\varepsilon$ to give results similar to EMR. Similar remarks are valid for the transitory results, which are plotted in Figures 1 and 2 for $t \in [0, 50]$ and different values of $\varepsilon$. This clearly validates the method. As for the results, we may note that, for a Weibull distribution, the shape parameter $\beta$ is much more influential on the rate of renewals than the scale parameter $\alpha$.
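The closed form above is nothing but the derivative of $Q(\infty) = 1/\mathbb{E}_0(T_1)$: with $\bar F(x) = e^{-\int_0^x \lambda}$ and $\mathbb{E}_0(T_1) = \int_0^\infty \bar F$, one has $\partial \mathbb{E}_0(T_1)/\partial p = -\int_0^\infty \frac{\partial \lambda}{\partial p}(u) \int_u^\infty \bar F(v)\, dv\, du$, and $\int_u^\infty \bar F = \mathbb{E}_0(T_1)\left(1 - Q(\infty)\int_0^u \bar F\right)$, which gives the formula. The following Python script is an added example, not code from the paper: it evaluates that closed form by quadrature for the pure Weibull rate $\lambda(x) = \alpha\beta x^{\beta - 1}$ (the smoothing above $x_0 = 100$ is dropped, since $P_0(T_1 > x_0) \simeq 5 \times 10^{-435}$ is negligible) and compares it with the one-sided finite differences of the text. The importance factor is taken as the elasticity $IF_p(\infty) = (p / Q(\infty))\, \partial Q(\infty)/\partial p$, an assumption about the notation of the paper's earlier sections that reproduces Table 1 ($IF_\alpha(\infty) = 1/\beta = 0.25$ and $IF_\beta(\infty) \simeq 2.821$); the quadrature bounds and step are the example's own choices.

```python
"""Asymptotic importance factors IF_p(inf) = (p / Q(inf)) * dQ(inf)/dp of the renewal
rate for the Weibull failure rate lambda(x) = alpha * beta * x**(beta - 1):
closed form of Section 5.1 (by quadrature) versus one-sided finite differences."""
import math

ALPHA, BETA = 1e-5, 4.0          # values used in Section 5.2 of the paper
X_MAX, H = 60.0, 0.002           # quadrature grid (assumed): exp(-ALPHA * 60**4) ~ 1e-57


def grid(x_max=X_MAX, h=H):
    n = int(round(x_max / h))
    return [i * h for i in range(n + 1)]


def cumulative_trapezoid(xs, ys):
    """G[k] = integral from 0 to xs[k] of y (trapezoidal rule on the grid)."""
    out = [0.0]
    for k in range(1, len(xs)):
        out.append(out[-1] + 0.5 * (ys[k] + ys[k - 1]) * (xs[k] - xs[k - 1]))
    return out


def survival(x, alpha, beta):
    """P(T1 > x) = exp(-int_0^x lambda(u) du) = exp(-alpha * x**beta)."""
    return math.exp(-alpha * x ** beta)


def q_infinity(alpha, beta):
    """Q(inf) = 1 / E0(T1): asymptotic renewal rate (key renewal theorem)."""
    xs = grid()
    e_t1 = cumulative_trapezoid(xs, [survival(x, alpha, beta) for x in xs])[-1]
    return 1.0 / e_t1


def dlambda_dp(x, alpha, beta, p):
    """Partial derivative of the failure rate with respect to p in {'alpha', 'beta'}."""
    if p == "alpha":
        return beta * x ** (beta - 1)
    if x == 0.0:                 # x**(beta-1) * ln(x) -> 0 for beta > 1
        return 0.0
    return alpha * x ** (beta - 1) * (1.0 + beta * math.log(x))


def importance_factor_closed_form(alpha, beta, p):
    """IF_p(inf) from the closed form of the paper:
    dQ(inf)/dp = (1/E0(T1)) * int_0^inf dlambda/dp(x) * (1 - Q(inf) * int_0^x Fbar(v) dv) dx."""
    xs = grid()
    G = cumulative_trapezoid(xs, [survival(x, alpha, beta) for x in xs])  # int_0^x Fbar
    e_t1 = G[-1]
    q_inf = 1.0 / e_t1
    integrand = [dlambda_dp(x, alpha, beta, p) * (1.0 - q_inf * g) for x, g in zip(xs, G)]
    dq_dp = cumulative_trapezoid(xs, integrand)[-1] / e_t1
    p_val = alpha if p == "alpha" else beta
    return p_val / q_inf * dq_dp


def importance_factor_fd(alpha, beta, p, eps):
    """Same quantity by one-sided finite differences with an absolute step eps."""
    q0 = q_infinity(alpha, beta)
    if p == "alpha":
        q1, p_val = q_infinity(alpha + eps, beta), alpha
    else:
        q1, p_val = q_infinity(alpha, beta + eps), beta
    return p_val / q0 * (q1 - q0) / eps


if __name__ == "__main__":
    for p in ("alpha", "beta"):
        print("%s  closed form: %.4f" % (p, importance_factor_closed_form(ALPHA, BETA, p)))
        for eps in (1e-2, 1e-4, 1e-6, 1e-8, 1e-10):
            print("   FD eps=%-6g %.4g" % (eps, importance_factor_fd(ALPHA, BETA, p, eps)))
```

Running it reproduces the FD column of Table 1: with an absolute step $\varepsilon = 10^{-2}$ the perturbation of $\alpha = 10^{-5}$ is a thousand times the parameter itself, so FD only approaches $0.25$ for $\varepsilon \le 10^{-8}$, whereas $\beta = 4$ is insensitive to the step.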
Table 1. $IF_\alpha(\infty)$ and $IF_\beta(\infty)$ by finite differences (FD) and by the present method (EMR).

Method | ε | IF_α(∞) | IF_β(∞)
FD | 10^-2 | 4.625 × 10^-3 | 2.824
FD | 10^-4 | 8.212 × 10^-2 | 2.821
FD | 10^-6 | 2.411 × 10^-1 | 2.821
FD | 10^-8 | 2.499 × 10^-1 | 2.821
FD | 10^-10 | 2.500 × 10^-1 | 2.821
EMR | – | 2.500 × 10^-1 | 2.821

Figures 1 and 2. $IF_\alpha(t)$ and $IF_\beta(t)$ for $t \in [0, 50]$ by finite differences (FD curves for $\varepsilon = 10^{-2}$ to $10^{-8}$ in Figure 1 and $\varepsilon = 10^{-1}$ to $10^{-4}$ in Figure 2) and by the present method (EMR). [plots not reproduced]

A tank is considered, which may be filled in or emptied out using a pump. This pump may be in two different states: "in" (state 0) or "out" (state 1). The level of liquid in the tank goes from 0 up to $R$. The state of the system "tank-pump" at time $t$ is $(I_t, X_t)$, where $I_t$ is the discrete state of the pump ($I_t \in \{0, 1\}$) and $X_t$ is the continuous level in the tank ($X_t \in [0, R]$). The transition rate from state 0 (resp. 1) to state 1 (resp. 0) at time $t$ is $\lambda_0(X_t)$ (resp. $\lambda_1(X_t)$). The speed of variation for the liquid level in state 0 is $v_0(x) = r_0(x)$ with $r_0(x) > 0$ for all $x \in [0, R)$ and $r_0(R) = 0$: the level increases in state 0 and tends towards $R$. Similarly, the speed in state 1 is $v_1(x) = -r_1(x)$ with $r_1(x) > 0$ for all $x \in (0, R]$ and $r_1(0) = 0$: the level of liquid decreases in state 1 and tends towards 0. For $i = 0, 1$, the function $\lambda_i$ (respectively $r_i$) is assumed to be continuous (respectively Lipschitz continuous) and consequently bounded on $[0, R]$. The level in the tank is continuous, so that $\mu_{(i, 1 - i, x)}(dy) = \delta_x(dy)$ for $i \in \{0, 1\}$ and all $x \in [0, R]$. In order to ensure the process to be positive Harris recurrent, we also make the following additional assumptions: $\lambda_1(0) > 0$, $\lambda_0(R) > 0$ and

$$\int_x^R \frac{du}{r_0(u)} = +\infty, \qquad \int_0^y \frac{du}{r_1(u)} = +\infty$$

for all $x, y \in [0, R]$. We get the following result: $\pi(i, dx) = f_i(x)\, dx$ for $i = 0, 1$ and

$$f_0(x) = \frac{K_\pi}{r_0(x)}\, \exp\left(\int_{R/2}^x \left(\frac{\lambda_1(u)}{r_1(u)} - \frac{\lambda_0(u)}{r_0(u)}\right) du\right) \qquad (10)$$

$$f_1(x) = \frac{K_\pi}{r_1(x)}\, \exp\left(\int_{R/2}^x \left(\frac{\lambda_1(u)}{r_1(u)} - \frac{\lambda_0(u)}{r_0(u)}\right) du\right) \qquad (11)$$
we set:

$$Q_1(t) = \frac{1}{t}\, \mathbb{E}_{\rho_0}\left(\int_0^t \mathbf{1}_{\{R/2 - a \le X_s \le R/2 + b\}}\, ds\right) = \frac{1}{t} \int_0^t \sum_{i = 0}^1 \int_{R/2 - a}^{R/2 + b} \rho_s(i, dx)\, ds = \frac{1}{t} \int_0^t \rho_s h_1\, ds \qquad (12)$$

with $h_1(i, x) = \mathbf{1}_{[R/2 - a,\, R/2 + b]}(x)$.

The second quantity of interest is the mean number of times per unit time the pump is turned off, namely turned from state "in" (0) to state "out" (1):

$$Q_2(t) = \frac{1}{t}\, \mathbb{E}_{\rho_0}\left(\sum_{0 < s \le t} \mathbf{1}_{\{I_{s^-} = 0 \text{ and } I_s = 1\}}\right) = \frac{1}{t}\, \mathbb{E}_{\rho_0}\left(\int_0^t \lambda_0(X_s)\, \mathbf{1}_{\{I_s = 0\}}\, ds\right) = \frac{1}{t} \int_0^t \int_0^R \lambda_0(x)\, \rho_s(0, dx)\, ds = \frac{1}{t} \int_0^t \rho_s h_2\, ds \qquad (13)$$

with $h_2(i, x) = \mathbf{1}_{\{i = 0\}}\, \lambda_0(x)$.

For $i = 0, 1$, the function $\lambda_i(x)$ is assumed to depend on some parameter $\alpha_i$ (but no other data depends on the same parameter). Similarly, the function $r_i(x)$ depends on some $\rho_i$ for $i = 0, 1$. By definition, the function $h_1$ also depends on the parameters $a$ and $b$.

We want to compute the importance factors with respect to $p$ for $p \in \{\alpha_0, \alpha_1, \rho_0, \rho_1, a, b\}$, both in $Q_1$ and $Q_2$, except for the parameters $a$ and $b$, which intervene only in $Q_1$.

As told at the end of Section 3, we have to compute the marginal distribution $(\rho_s(i, dx))_{i = 0, 1}$ for $0 \le s \le t$ and the importance function associated to $h_{i_0}$ and $t$ for $i_0 = 1, 2$. This is done by solving two dual implicit finite volume schemes. A simple summation associated to each $p$, which is done simultaneously to the solving, then provides the result through (4).

As for the asymptotic results, the potential functions $Uh_{i_0}$ are here solutions of

$$v_i(x)\, \frac{d}{dx}\left(Uh_{i_0}(i, x)\right) + \lambda_i(x)\left(Uh_{i_0}(1 - i, x) - Uh_{i_0}(i, x)\right) = Q_{i_0}(\infty) - h_{i_0}(i, x)$$

for $i = 0, 1$ and $i_0 = 1, 2$, which may be solved analytically. A closed form is hence available for $\frac{\partial Q_{i_0}(\infty)}{\partial p}$ using (10–11) and (8).

Table 2. $IF^{(1)}_p(\infty)$ by the present method (EMR) and by finite differences (FD).

p | FD | EMR | Relative error
α0 | −3.59 × 10^-2 | −3.57 × 10^-2 | 5.40 × 10^-3
α1 | −4.45 × 10^-2 | −4.43 × 10^-2 | 3.65 × 10^-3
ρ0 | 3.19 × 10^-1 | 3.17 × 10^-1 | 6.95 × 10^-3
ρ1 | 2.80 × 10^-1 | 2.78 × 10^-1 | 7.19 × 10^-3
a | 4.98 × 10^-1 | 4.98 × 10^-1 | 1.06 × 10^-7
b | 5.09 × 10^-1 | 5.09 × 10^-1 | 1.53 × 10^-7

Table 3. $IF^{(2)}_p(\infty)$ by the present method (EMR) and by finite differences (FD).

p | FD | EMR | Relative error
α0 | −1.81 × 10^-1 | −1.81 × 10^-1 | 1.67 × 10^-4
α1 | −1.71 × 10^-1 | −1.71 × 10^-1 | 1.30 × 10^-4
ρ0 | −6.22 × 10^-2 | −6.19 × 10^-2 | 5.21 × 10^-3
ρ1 | −6.05 × 10^-2 | −6.01 × 10^-2 | 5.58 × 10^-3

6.3 Numerical example

We assume the system to be initially in state $(I_0, X_0) = (0, R/2)$. Besides, we take:

$$\lambda_0(x) = x^{\alpha_0}; \quad r_0(x) = (R - x)^{\rho_0}; \quad \lambda_1(x) = (R - x)^{\alpha_1}; \quad r_1(x) = x^{\rho_1}$$

for $x \in [0, R]$ with $\alpha_i > 1$ and $\rho_i > 1$. All conditions for irreducibility are here achieved.

We take the following numerical values:

$$\alpha_0 = 1.05; \quad \rho_0 = 1.2; \quad \alpha_1 = 1.10; \quad \rho_1 = 1.1; \quad R = 1; \quad a = 0.2; \quad b = 0.2.$$

Similarly as for the first method, we test our results using finite differences (FD). The results are here rather stable when choosing different values for $\varepsilon$; they are provided for $\varepsilon = 10^{-2}$ in case $p \in \{\alpha_0, \alpha_1, \rho_0, \rho_1\}$ and for $\varepsilon = 10^{-3}$ in case $p \in \{a, b\}$.

The asymptotic results are given in Tables 2 and 3, and the transitory ones are given in Tables 4 and 5 for $t = 2$.

The results are very similar by FD and EMR, both for the asymptotic and the transitory quantities, which clearly validates the method. Note that the asymptotic results coincide by both methods even in the case where the velocity field $v(i, x)$ depends on the parameter (here $\rho_i$), which however does not fit with our technical assumptions from Section 4. Due to that (and to other examples where the same remark is valid), one may conjecture that the results from Section 4 are valid
under less restrictive assumptions than those given in that section.

As for the results, one may note that the importance factors at $t = 2$ of $\alpha_0$ and $\rho_0$ in $Q_i$ ($i = 1, 2$) are clearly higher than the importance factors of $\alpha_1$ and $\rho_1$ in $Q_i$ ($i = 1, 2$). This must be due to the fact that the system starts from state 0, so that on $[0, 2]$ the system spends more time in state 0 than in state 1. The parameters linked to state 0 hence are more important than the ones linked to state 1. Similarly, the level is increasing in state 0, so that the upper bound $b$ is more important than the lower one $a$.

In the long-time run, the importance factors of $\alpha_0$ and $\alpha_1$ in $Q_i$ ($i = 1, 2$) are comparable. The same remark is valid for $\rho_0$ and $\rho_1$, as well as for $a$ and $b$.

Finally, the parameters $\rho_0$ and $\rho_1$ are more important than the parameters $\alpha_0$ and $\alpha_1$ in $Q_1$, conversely to what happens in $Q_2$. This seems coherent with the fact that the quantity $Q_1$ is linked to the level in the tank, and consequently to its evolution, controlled by $\rho_0$ and $\rho_1$, whereas the quantity $Q_2$ is linked to the transition rates, and consequently to $\alpha_0$ and $\alpha_1$.

Table 4. $IF^{(1)}_p(t)$ for $t = 2$ by the present method (EMR) and by finite differences (FD).

p | FD | EMR | Relative error
α0 | −8.83 × 10^-2 | −8.82 × 10^-2 | 1.08 × 10^-3
α1 | −9.10 × 10^-3 | −9.05 × 10^-3 | 5.29 × 10^-3
ρ0 | 4.89 × 10^-1 | 4.85 × 10^-1 | 7.51 × 10^-3
ρ1 | 1.97 × 10^-1 | 1.97 × 10^-1 | 4.04 × 10^-3
a | 2.48 × 10^-1 | 2.48 × 10^-1 | 4.89 × 10^-4
b | 7.11 × 10^-1 | 7.11 × 10^-1 | 7.77 × 10^-6

Table 5. $IF^{(2)}_p(t)$ for $t = 2$ by the present method (EMR) and by finite differences (FD).

p | FD | EMR | Relative error
α0 | −2.06 × 10^-1 | −2.06 × 10^-1 | 9.12 × 10^-4
α1 | −6.80 × 10^-2 | −6.79 × 10^-2 | 2.12 × 10^-3
ρ0 | −1.25 × 10^-1 | −1.24 × 10^-1 | 4.27 × 10^-3
ρ1 | −4.11 × 10^-3 | −4.03 × 10^-3 | 2.00 × 10^-2

ACKNOWLEDGEMENT

The authors would like to thank Anne Barros, Christophe Bérenguer, Laurence Dieulle and Antoine Grall from Troyes Technological University (Université Technologique de Troyes) for having drawn their attention to the present subject.

REFERENCES

Boxma, O., H. Kaspi, O. Kella, and D. Perry (2005). On/off storage systems with state-dependent input, output, and switching rates. Probab. Engrg. Inform. Sci. 19(1), 1–14.
Cao, X.-R. and H.-F. Chen (1997). Perturbation realization, potentials, and sensitivity analysis of Markov processes. IEEE Trans. Automat. Contr. 42(10), 1382–1393.
Cocozza-Thivent, C., R. Eymard, S. Mercier, and M. Roussignol (2006). Characterization of the marginal distributions of Markov processes used in dynamic reliability. J. Appl. Math. Stoch. Anal., Art. ID 92156, 18 pp.
Davis, M.H.A. (1984). Piecewise-deterministic Markov processes: a general class of nondiffusion stochastic models. J. Roy. Statist. Soc. Ser. B 46(3), 353–388. With discussion.
Devooght, J. (1997). Dynamic reliability. Advances in Nuclear Science and Technology 25, 215–278.
Eymard, R., S. Mercier, and A. Prignet (2008). An implicit finite volume scheme for a scalar hyperbolic problem with measure data related to piecewise deterministic Markov processes. J. Comput. Appl. Math., available online 1 Nov. 2007.
Eymard, R., S. Mercier, A. Prignet, and M. Roussignol (2008, June). A finite volume scheme for sensitivity analysis in dynamic reliability. In Finite Volumes for Complex Applications V, Aussois, France.
Gandini, A. (1990). Importance & sensitivity analysis in assessing system reliability. IEEE Trans. Reliab. 39(1), 61–70.
Konstantopoulos, T. and G. Last (1999). On the use of Lyapunov function methods in renewal theory. Stochastic Process. Appl. 79(1), 165–178.
Lions, J.-L. (1968). Contrôle optimal de systèmes gouvernés par des équations aux dérivées partielles. Paris: Dunod.
Mercier, S. (2007). Discrete random bounds for general random variables and applications to reliability. European J. Oper. Res. 177(1), 378–405.
Mercier, S. and M. Roussignol (2007). Sensitivity estimates in dynamic reliability. In Proceedings of MMR 2007 (Fifth International Conference on Mathematical Methods in Reliability), Glasgow, Scotland.
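For the tank-pump example of Section 6, the stationary densities (10)–(11) make the asymptotic importance factors computable without any finite volume scheme. The Python script below is an added example, not code from the paper: it integrates $g = r_0 f_0 = r_1 f_1$ from the zero-flux relation $g' = (\lambda_1/r_1 - \lambda_0/r_0)\, g$ on a level grid (this is (10)–(11) with $K_\pi$ fixed by normalisation), evaluates $Q_1(\infty) = \pi h_1$ and $Q_2(\infty) = \pi h_2$ of (12)–(13), and obtains $IF_p(\infty) = (p/Q)\, \partial Q/\partial p$ (taken as elasticities, an assumption consistent with Tables 2 and 3) by central finite differences for $\alpha_i$, $\rho_i$ and in closed form for $a$, $b$, since $\partial Q_1/\partial a = f(R/2 - a)$ and $\partial Q_1/\partial b = f(R/2 + b)$ with $f = f_0 + f_1$. The reading $\lambda_0 = x^{\alpha_0}$, $r_0 = (R - x)^{\rho_0}$, $\lambda_1 = (R - x)^{\alpha_1}$, $r_1 = x^{\rho_1}$ and the values of Section 6.3 are used; the grid step is the example's own choice.

```python
"""Stationary law of the tank-pump PDMP (eqs. (10)-(11)) and asymptotic importance
factors IF_p(inf) = (p / Q(inf)) * dQ(inf)/dp of the two functionals of Section 6:
Q1 = time fraction with the level in [R/2 - a, R/2 + b], Q2 = rate of 'in' -> 'out' switches."""
import math

# Parameter values of Section 6.3; lambda_0 = x^alpha0, r_0 = (R-x)^rho0,
# lambda_1 = (R-x)^alpha1, r_1 = x^rho1 (assumed reading of the source).
BASE = {"alpha0": 1.05, "rho0": 1.2, "alpha1": 1.10, "rho1": 1.1, "R": 1.0, "a": 0.2, "b": 0.2}
H = 1e-4   # level grid step (assumed)


def trapz(ys, h):
    """Trapezoidal rule on a uniform grid of step h."""
    return h * (sum(ys) - 0.5 * (ys[0] + ys[-1]))


def stationary_density(P, h=H):
    """Return (xs, f0, f1): p.d.f. of the level in pump states 0 and 1.
    With g = r0*f0 = r1*f1 (zero net probability flux through any level), the stationary
    Liouville equations reduce to g' = (lambda1/r1 - lambda0/r0) g, i.e. eqs. (10)-(11)."""
    R = P["R"]
    n = int(round(R / h))
    xs = [k * h for k in range(1, n)]              # open interval (0, R): r0(R) = r1(0) = 0
    lam0 = [x ** P["alpha0"] for x in xs]
    lam1 = [(R - x) ** P["alpha1"] for x in xs]
    r0 = [(R - x) ** P["rho0"] for x in xs]
    r1 = [x ** P["rho1"] for x in xs]
    psi = [l1 / s1 - l0 / s0 for l0, l1, s0, s1 in zip(lam0, lam1, r0, r1)]
    phi = [0.0]                                    # cumulative integral of psi
    for k in range(1, len(xs)):
        phi.append(phi[-1] + 0.5 * (psi[k] + psi[k - 1]) * h)
    mid = int(round(R / 2 / h)) - 1                # index of x = R/2, lower bound in (10)-(11)
    g = [math.exp(v - phi[mid]) for v in phi]
    f0 = [gk / s0 for gk, s0 in zip(g, r0)]
    f1 = [gk / s1 for gk, s1 in zip(g, r1)]
    k_pi = 1.0 / trapz([u + v for u, v in zip(f0, f1)], h)   # normalisation constant K_pi
    return xs, [k_pi * u for u in f0], [k_pi * v for v in f1]


def q1_inf(P, h=H):
    """Q1(inf) = pi(h1): stationary probability that the level lies in [R/2-a, R/2+b]."""
    xs, f0, f1 = stationary_density(P, h)
    lo, hi = P["R"] / 2 - P["a"], P["R"] / 2 + P["b"]
    inside = [u + v for x, u, v in zip(xs, f0, f1) if lo - h / 2 <= x <= hi + h / 2]
    return trapz(inside, h)


def q2_inf(P, h=H):
    """Q2(inf) = pi(h2) = int lambda_0(x) f_0(x) dx: mean number of pump stops per unit time."""
    xs, f0, _ = stationary_density(P, h)
    return trapz([x ** P["alpha0"] * u for x, u in zip(xs, f0)], h)


def importance_factor(P, p, q_fn, eps=1e-3):
    """IF_p(inf) = (p / Q) dQ/dp, here by central finite differences on parameter p."""
    up, down = dict(P), dict(P)
    up[p] += eps
    down[p] -= eps
    return P[p] / q_fn(P) * (q_fn(up) - q_fn(down)) / (2 * eps)


def importance_factor_window(P, p, h=H):
    """Exact IF for the window bounds: dQ1/da = f(R/2-a), dQ1/db = f(R/2+b), f = f0 + f1."""
    xs, f0, f1 = stationary_density(P, h)
    x_edge = P["R"] / 2 - P["a"] if p == "a" else P["R"] / 2 + P["b"]
    k = int(round(x_edge / h)) - 1
    return P[p] / q1_inf(P, h) * (f0[k] + f1[k])


if __name__ == "__main__":
    print("Q1(inf) = %.4f   Q2(inf) = %.4f" % (q1_inf(BASE), q2_inf(BASE)))
    for p in ("alpha0", "alpha1", "rho0", "rho1"):
        print("IF_%s: Q1 %.4f   Q2 %.4f" % (p, importance_factor(BASE, p, q1_inf),
                                             importance_factor(BASE, p, q2_inf)))
    for p in ("a", "b"):
        print("IF_%s: Q1 %.4f (boundary density)" % (p, importance_factor_window(BASE, p)))
```

The closed form gives $IF_a(\infty) \simeq 0.498$ and $IF_b(\infty) \simeq 0.509$, the values of Table 2, and the finite-difference factors of $\alpha_0$ and $\alpha_1$ in $Q_2$ come out negative as in Table 3: a larger exponent lowers $\lambda_0$ on $[0, 1)$, so the pump switches off less often.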
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

J.M. Izquierdo
Consejo de Seguridad Nuclear, Madrid, Spain

I. Cañamón
Universidad Politécnica de Madrid, Madrid, Spain

ABSTRACT: The present status of the developments of both the theoretical basis and the computer implementation of the risk and path assessment modules in the SCAIS system is presented. These modules are supplementary tools to the classical probabilistic (i.e. fault tree, event tree and accident progression, PSA-ET/FT/APET) and deterministic (dynamic accident analysis) tools, and are able to compute the frequency of exceedance in a harmonized approach, based on a path and sequences version (TSD, theory of stimulated dynamics) of the general stimulus-driven theory of probabilistic dynamics. The contribution examines the relation of the approach with classical PSA and accident dynamic analysis, showing how the engineering effort already made in the nuclear facilities may be used again, adding to it an assessment of the damage associated with the transients and a computation of the exceedance frequency. Many aspects of the classical safety assessments, going from technical specifications to success criteria and event tree delineation/evaluation, may be verified at once, making effective use of regulatory and technical support organizations' resources.
They may also be written as integral equations representing the solution of the semi-Markov system for the frequency of entering state $j$ (ingoing density) $\varphi_j(t)$, and its probability $\pi_j(t)$, given by equations (3) (not legible in the source), where $\delta$ stands for the Dirac delta, and $q_{jk}\, dt$ is the probability that, being in state $k$ at time $\tau$, event $jk$ takes place at exactly time $t$; it is then given by

$$q_{jk}(t, \tau) = p_{k \to j}(t)\, e^{-\int_\tau^t \sum_{l \ne k} p_{k \to l}(s)\, ds} \qquad (4)$$

The solution (eq. 2) may also be found in terms of the iterative equations

$$\varphi_j(t) = \sum_{n = 1}^\infty \varphi^n_j(t), \qquad \varphi^n_j(t) = \sum_{k \ne j} \int_0^t d\tau\, \varphi^{n - 1}_k(\tau)\, q_{jk}(t, \tau), \qquad \varphi^1_j(t) = \sum_{k \ne j} \pi_k(0)\, q_{jk}(t, 0) \qquad (5)$$

where $n$ stands for the number of experienced events.

Note that the $q$'s satisfy a strong closure relation for all $\tau_1 < \tau_2 < t$

$$q_{k, j}(t, \tau_2)\left(1 - \sum_{l \ne j} \int_{\tau_1}^{\tau_2} d\nu\, q_{l, j}(\nu, \tau_1)\right) = q_{k, j}(t, \tau_1) \qquad (6a)$$

that ensures that at all times

$$\sum_j \pi_j(t) = 1 \qquad (6b)$$

If we replace the iterations in eq. 5, we may express $\varphi_j(t)$ in terms of an aggregate of so-called "path frequencies" built upon the products

$$Q^{seq\, j}_j(t / \vec\tau_n) = q_{j, j_n}(t, \tau_n)\, q_{j_n, j_{n - 1}}(\tau_n, \tau_{n - 1}) \cdots q_{j_2, j_1}(\tau_2, \tau_1), \qquad \tau_1 < \cdots < \tau_{n - 1} < \tau_n < t, \qquad \vec\tau_n \equiv (\tau_1, \dots, \tau_n) \qquad (7)$$

that is

$$\varphi_j(t) = \sum_{seq\, j} \varphi^{seq\, j}_j(t) \qquad (8)$$

(the integral form of (8) over the event times from 0 to $t$ is not legible in the source), where the first term is the initiating event frequency; $Q^{seq\, j}_j(t, \vec\tau_n)$ will be called the path Q-kernel. The vector $\vec j$ is called "a sequence" and the couple of vectors $(\vec j, \vec\tau)$ "a path". This type of solution will then be named the "path and sequence" approach. In static PSA, each component of $\vec j$ is a header of an event tree and there is no distinction in principle between paths and sequences.

We notice that in a semi-Markov system like the one above, the factors $q$ of the $Q^{seq}$ product are all the same functions, irrespective of $n$. An extension of this approach may be made, however, when these functions depend on $n$ and $j$, as will be the case with the TPD and SDTPD theories. However, the normalization conditions of equations (5a) and (5b) above should always be respected for all $n$. It is obvious that the path and sequence approach loses interest when the number of paths is unmanageable. Below we show cases where this is not the case.

2.2 Extension to TPD dynamic reliability

In TPD, the transition rates $p$ are also allowed to be functions of process variables (temperatures, pressures, etc.) that evolve with time along a dynamic trajectory. The transitions come together with a change in the trajectory (a change in dynamics, or dynamic event).

Let $x$ be the vector of process variables describing the dynamic behavior of the system. We denote by $i$ the group of system configurations in which the dynamic evolution is given by the equivalent explicit form

$$x = x(t, i) = g_i(t, x_0), \qquad x_0 = g_i(0, x_0) \qquad (9)$$

We will assume in the following that:

• the system starts at a steady point state $u_0, j_0$ with given probability. A random instantaneous initiating event with a known frequency triggers the time evolution.
• process variable $x$ can be reached from the initial point state only after one sequence of dynamic events through a compound path defined by
$$x = x(t, \vec j) = g_{j_n}(t - \tau^+_n, \hat{\bar u}_n), \qquad \tau_n > t > \tau_{n - 1} \qquad (10)$$

$$\hat{\bar u}_n = g_{n - 1}(\tau^-_n - \tau^+_{n - 1}, \hat{\bar u}_{n - 1})$$

where $\tau^{-,+}_n$ account for the "natural" discontinuity in slopes when the dynamic events take place.

Under the given assumptions, once the possible dynamics and initial point state are defined, the possible paths may be determined, including their timing. We will call a sequence the set of paths $\{\vec j, \vec\tau_{j_n}\}$ with the same $\vec j$ but differing in the timing. Then the general path and sequences approach may be applied such that we associate the dynamic paths with the paths of equations (6), (7) and (8) above. For every path, we now have a deterministic transient that may be simulated with deterministic simulators, providing then the functions $q$ via

$$q^{seq\, j}_{j j_n}(t, \tau) = p_{j_n \to j}(t, x(t, \vec j))\, e^{-\int_\tau^t \sum_{l \ne j_n} p_{j_n \to l}(s, x(s, \vec j))\, ds} \qquad (11)$$

2.3 Extension to stimuli: modeling the plant states

SDTPD includes an additional extension of the state space: stimulus activation states are considered through a stimulus label indicating the activated ($I_G = +$) or deactivated ($I_G = -$) state of stimulus $G$. The notation $I$ will be reserved to label these state configurations when considering all stimuli together.

A so-called stimulus is either an order for action (in many cases given by an electronic device or corresponding to an operator diagnosis), or the fulfillment of conditions triggering a stochastic phenomenon. Yet it can take many different forms, such as the crossing of a setpoint or the entry in a region of the process variables space. In general, the term stimulus covers any situation which potentially causes, after a given time delay, an event to occur and subsequently a branching to take place. Thus, if $G_n$ denotes the stimulus that leads to transition $j_n \to j_{n + 1}$, it should be in the activated state for the transition to take place.

SDTPD models the activation/deactivation of stimuli [...] sub-states $j_n$ of $(j_n, I)$, associated with the different dynamics, define the dynamic paths as in the no-stimuli case, but the stimuli state is kept in Markov vector format.

Let $Q^{I, J}_{i, j}(t, \tau)\, dt$ be the probability of the transition $(j, J) \to (i, I)$ in a time interval $dt$ around $t$, after entering dynamic substate $j$ at time $\tau$. In TSD terms, $Q$ may be written in the following way

$$Q^{J_n, J_{n - 1}, seq\, j}_{j_n, j_{n - 1}}(\tau_n, \tau_{n - 1}) \equiv q^{seq\, j}_{j_n, j_{n - 1}}(\tau_n, \tau_{n - 1}) \times \pi(J_n, \tau^-_n / J_{n - 1}, \tau^-_{n - 1}) \qquad (12)$$

The last factor means the stimuli probability vector at time $t = \tau^-_n$, conditioned to be $\pi^{J_{n - 1}}(\tau^-_{n - 1})$ at $\tau^-_{n - 1}$. To compute this stimuli probability is then a typical problem of the classical PSA binary $\lambda, \mu$ Markov problem with the stimuli matrix $ST_n$, associated with the (+ activated, − deactivated) state of each stimulus (i.e. $A \equiv ST_n$ in eq. 2) and compound-stimuli state vector $I$, once a dynamic path is selected, i.e. the solution is

$$\pi^J(t) = \sum_{K_n} \left[\exp \int_{\tau_n}^t ST_n(u)\, du\right]_{J, K_n} \pi^{K_n}(\tau^+_n) \qquad (13)$$

with initial conditions at $\tau^+_n$ with probability vector

$$\pi^{K_n}(\tau^+_n) = \sum_{J_n} [{}^+_n]_{K_n, J_n}\, \pi^{J_n}(\tau^-_n) \qquad (14)$$

Matrix $[{}^+_n]$ models the potential reshuffling of the state of the stimuli that may take place as a result of the occurrence of dynamic event $n$, i.e. some activate, some deactivate, some stay as they were. It also incorporates the essential feature of SDTPD that stimulus $G_n$, responsible for the $n$th dynamic transition, should be activated for the transition to take place. Then the equivalent to eq. (8) may be applied with:

$$Q^{J, seq\, j}_j(t / \vec\tau) = Q^{J, J_n, seq\, j}_{j, j_n}(t, \tau_n)\, Q^{J_n, J_{n - 1}, seq\, j}_{j_n, j_{n - 1}} \cdots$$
[...] becomes the extended next event frequency of the TSD approach. This situation is very common and covers the cases of setpoint-related stimuli activation events as well as those independent of the dynamics that may be uncoupled, as extensively discussed¹ in ref. 3. Once [...]

3.2 Example

As an academic example, assume that all stimuli, initially deactivated, only activate as a result of the initiating event, and only deactivate again when their corresponding dynamic event does occur. For a sequence of $N$ headers, we label 1 to $N$ the first $N$ header-stimuli, i.e. stimuli whose activation triggers the dynamic transition. Then all $\lambda_F(t, x)$, $\mu_F(t, x)$ are zero and the following results:

Define the compound state $J^\pm_G$ that differs from the compound state $J$ only in the state of stimulus $G$, being it activated or deactivated. Also define

$$\delta_{G^+_n \in I} = \begin{cases} 1 & \text{if } G_n \in I \text{ is activated} \\ 0 & \text{if } G_n \in I \text{ is deactivated} \end{cases} \qquad (17)$$

Then

$$ST_n = 0 \;\Rightarrow\; \exp \int_{\tau_n}^t ST_n(u)\, du = \text{Identity matrix} \qquad (18)$$

$$\pi^I(\tau^+_n < t < \tau^-_{n + 1}) = \pi^I(\tau^+_n) = \sum_J [{}^+_n]_{I, J}\, \pi^J(\tau^-_n) = \sum_J \delta_{G^+_n \in J}\, \delta_{I, J^-_{G_n}}\, \pi^J(\tau^-_n) \qquad (19)$$

Because after the initial event all stimuli become activated,

$$\pi^{J_1}(0^+) = \begin{cases} 1 & \text{for } J_1 = (+, +, \cdots, +_N) \text{, all stimuli activated} \\ 0 & \text{all other states} \end{cases} \qquad (20)$$

and

$$\pi^I(\tau^+_1 < t < \tau^-_2) = \pi^I(\tau^+_1) = \sum_J \delta_{G^+_1 \in J}\, \delta_{I, J^-_{G_1}}\, \pi^J(\tau^-_1) = \begin{cases} 1 & \text{for } I = J^-_{G_1} = (-, +, \cdots, +_N) \\ 0 & \text{all other states} \end{cases} \qquad (21)$$

Repeating the process

$$Q^{I, seq\, j}_j(t / \vec\tau_n) = \delta_{G^+_1 \in J}\; \delta_{G^+_2 \in J^-_{G_1}} \cdots \delta_{G^+_n \in J^{- \cdots -}_{G_1 \cdots G_{n - 1}}}\; Q^{seq\, j}_j(t / \vec\tau_n)$$

where $Q^{seq\, j}_j(t / \vec\tau_n)$ is given in eq. (7). For $n > N$ all stimuli would be deactivated and then the $[{}^+_n]_{I, J}$ contribution would be zero, as well as in any sequence with repeated headers.

In other words, the result reduces to a standard semi-Markov case, but in the solution equation (8) only sequences of non-repeated events, up to $N$ of them, are allowed. This academic case illustrates the reduction in the number of sequences generated by the stimuli activation condition, which limits the sequence explosion problem of the TPD in a way consistent with explicit and implicit PSA customary practice.

Results of this example in the case $N = 2$ are shown in sections 4–5 below, mainly as a way of checking the method for integration over the dynamic times, which is the subject of the next section.

3.3 Damage exceedance frequency

In TSD, additional stimuli are also defined, including for instance the stimulus "Damage" that, when activated, corresponds to reaching unsafe conditions. Then, the damage exceedance frequency is given by

$$\varphi^{damage}_j(t) = \varphi^{J_1}_{j_1}(0) \int_{V_{n, j}(\vec\tau < t)} d\vec\tau_N\; Q^{J_{damage}, seq\, j}_{j, J_N}(t / \vec\tau) \qquad (23)$$

To obtain the damage exceedance frequency, only the aggregate of those paths that exceed a given amount of damage is of interest. Because they are expected to be rare, it is of paramount importance to first find the damage domains, i.e. the time combinations for which damage may occur. This is the main purpose of the searching approach that follows.

The next sections provide algorithms to perform this aggregation and show results as applied to a simple example. An air/steam gas mixture where hydrogen is injected as the initiator event and its rate suddenly changed as a header event (SIS) has been considered. See Table 1 and section 5. In addition to those in Table 1, a combustion header stimulus is activated if the mixture becomes flammable, and (section 4 only) a combustion [...]

¹ This uncoupling allows to factor out the traditional fault trees when the basic events depend on the pre-accident period time scales.
Table 1. Dynamic/stimuli events used in the verification tests.

Event | Description
(rows not present in the source)
4.2 Paths sampling strategy: search of the damage domain

As stated before, we are only interested in the damage paths, as they are the only ones contributing to the damage exceedance frequency. Therefore, a sampling strategy has been designed to:

– Minimize the number of non-damage paths (safe and impossible paths) being sampled and analyzed;
– Search and define the shape and size of the damage domain within the sampling domain.

Three main sampling strategies may be considered to do that:

1. Non-uniform Monte Carlo (MC). This sampling strategy uses the probability density functions of each event to perform the sampling, leading to a non-uniform sampling distribution. This approach cannot be used here, as the probability density functions are already taken into account in the TSD formulae for the computation of the probability Q-kernels.
2. Uniform Monte Carlo (MC). Points are sampled uniformly within the sequence time interval ($N$ random numbers between $t_{ini}$ and $t_{AD}$, sorted in increasing order). However, even with a uniform sampling, the damage zone inside the sampling domain may be irregularly shaped, leading again to a heterogeneous sampling density of the damage points along the sampling domain (see Figure 2a). We could partition the sampling domain into smaller subdomains where a homogeneous distribution of the sampling points could be assumed, and approximate the differential volume of each point as the subdomain volume divided by the number of points lying inside.
3. Mesh grid sampling. In this sampling strategy, sampling points are obtained from a cartesian mesh grid partition of the sampling domain (see Figure 2b). In this case, the volume associated to each sampling point (damage, safe or impossible path-point) is perfectly determined by equation (21), $\Delta t_i$ being the sampling step along the axis direction $i$.

Figure 2. Sequence [1 2 4]: (a) uniform Monte Carlo sampling, (b) mesh grid sampling (vertical axis COMB, 6000 to 14000). [plots not reproduced]

Remark from Figure 2 that:

– For the same number of sampling points ($N = 136$), the damage domain is better determined with the mesh grid sampling strategy.
– The incremental volume associated to each damage path is much easier and more accurate to quantify in the mesh grid sampling strategy.
– For refining purposes, the neighboring points of each sampled path are better defined in the mesh grid sampling strategy.

We adopt then the mesh grid sampling strategy.

4.3 Adaptive search algorithm

The ultimate goal is therefore to be able to precisely define the size of the damage domain within the sequence sampling domain, in order to multiply it by the "weighting factors" given by the Q-kernels of each path. An adaptive search algorithm has been designed, based on the mesh grid sampling strategy, to refine the search where damage paths are detected. The basic idea is to analyze the neighbors of each damage path, and to sample in a finer mesh grid around them until non-damage paths (limits of the damage domain) are found.

The algorithm is formed by one initial stage and an adaptive search stage divided in three parts: refining stage, seeding stage and growing stage. The adaptive search stage is repeated at successively higher scales (more refined mesh grids), until convergence of the damage exceedance frequency is reached. We describe the different stages as follows:

• Initial stage: An initial mesh grid is defined and points within that grid are sampled and analyzed
via the simplified dynamic models to determine whether they are a damage, success or impossible path. In order to assure that the subsequent refinement of the mesh grid does not land on points contradicting the dynamic model time step, the time step of this initial stage, $dt$, is chosen following a dyadic scale of that one (and equal for all the axes). Additionally, information about the neighbors of each sampled path is registered in an array, assigning a value of 1 when the neighbor is a damage path, and a value of 0 in any other case (success or impossible path). Neighbors are defined here as only those paths at $\pm dt$ on each axis direction (see the highlighted points around the cross damage path in Figure 3), instead of all the surrounding points (8 in 2D, 26 in 3D, etc.). The last option would lead to an unaffordable number of new sampled points as the sequence dimension increases. Figure 4a shows an example of this initial stage for the "simplified benchmark" sequence [1 2 4], where 4 means the damage stimulus activation event. This stage is defined here as scale 1.

• Adaptive search stage: A loop is performed with successively higher scales 2, 3, 4, etc. until a stopping criterion is reached. This stage has the following parts:

◦ Refining stage: When entering a higher scale, the new time step for the sampling process is half the previous one, $dt/2$. Then, the algorithm samples new points through the borders of the existing damage domain, i.e. if a neighbor of an existing damage point is not a damage one, then a new point is sampled between them and evaluated. Figure 4b shows the result of this stage for the same example sequence [1 2 4].

◦ Seeding stage: A random seeding of new sampling points along the whole domain has been included here, in order to discover new damage zones disjoint from the previous ones. Several parameters control the stopping criteria in this stage. In particular, we stop when a number of seeding points proportional to the refinement of the initial sampling mesh grid has been reached. Figure 4c shows the result of this stage for the actual example.

◦ Growing stage: At this stage, the algorithm extends the sampling through all the interior zone of the damage domain. With the combination of the refining stage and the growing stage, we optimize the number of new points being sampled while refining everything inside the damage domain. Figure 4d shows the result of this stage in the example sequence.

Figure 4. Stages of the adaptive search algorithm in the sequence [1 2 4]: a. Initial stage; b. Refining stage; c. Seeding stage; d. Growing stage. (Axes: SIS horizontal and COMB vertical, 5000 to 14000 on both.) [plots not reproduced]

5 VERIFICATION TESTS

To verify the integration routines we took the simple case of the section 3.2 example, already used in
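The initial, refining, seeding and growing stages described above can be exercised on a synthetic damage domain. The Python below is an added example, not the SCAIS implementation: the path classification is replaced by a constructed function that flags an ellipse of the $(\tau_1, \tau_2)$ plane as damage and the half-plane $\tau_1 \ge \tau_2$ as impossible (no dynamic model is run), the initial step $dt = T/8$ with $T = 1$ and the number of seeds per scale are the example's own choices, and the damage volume is taken as the number of damage path-points times $dt^2$. Neighbors are the $\pm dt$ points on each axis, as in Figure 3, and the lattice is kept in integer coordinates so that every point sampled at a coarser scale stays on the finer grid.

```python
"""Adaptive mesh-grid search of the damage domain (Section 4.3) on a 2-event sequence:
initial coarse grid, then at each finer scale a refining stage (sample between a damage
point and a non-damage neighbour), a seeding stage (random points) and a growing stage
(flood-fill the interior). The damage model is a constructed ellipse, not the benchmark."""
import math
import random

T = 1.0                       # sequence time interval [0, T] on both axes (assumed)
DT0 = T / 8                   # scale-1 sampling step; later scales halve it (dyadic)


def classify(tau1, tau2):
    """Constructed path classifier: 'impossible' if the event order is violated,
    'damage' inside an ellipse of the (tau1, tau2) plane, 'safe' otherwise."""
    if tau1 >= tau2:
        return "impossible"
    if ((tau1 - 0.6) / 0.15) ** 2 + ((tau2 - 0.8) / 0.10) ** 2 <= 1.0:
        return "damage"
    return "safe"


TRUE_DAMAGE_AREA = math.pi * 0.15 * 0.10    # reference value for the constructed domain


class DamageSearch:
    """Sampled points are keyed by integer lattice coordinates at the current scale;
    on refinement every coordinate is doubled, so earlier samples stay on the lattice."""

    def __init__(self, classifier, dt0=DT0, t_total=T, seed=0):
        self.classify = classifier
        self.dt = dt0
        self.n = int(round(t_total / dt0))     # lattice runs over 0..n on each axis
        self.evaluated = {}
        self.rng = random.Random(seed)
        for i in range(self.n + 1):             # initial stage: the full coarse grid
            for j in range(self.n + 1):
                self.sample((i, j))

    def sample(self, p):
        """Evaluate the path at lattice point p once; returns its class (None if outside)."""
        if p not in self.evaluated and 0 <= p[0] <= self.n and 0 <= p[1] <= self.n:
            self.evaluated[p] = self.classify(p[0] * self.dt, p[1] * self.dt)
        return self.evaluated.get(p)

    def damage_points(self):
        return [p for p, c in self.evaluated.items() if c == "damage"]

    def damage_volume(self):
        """Each damage path-point owns one cell of the current mesh grid."""
        return len(self.damage_points()) * self.dt ** 2

    @staticmethod
    def neighbours(p, step):
        x, y = p
        return [(x + step, y), (x - step, y), (x, y + step), (x, y - step)]

    def refine(self):
        """One adaptive search step: halve dt, then refining, seeding and growing stages."""
        self.dt /= 2
        self.n *= 2
        self.evaluated = {(2 * x, 2 * y): c for (x, y), c in self.evaluated.items()}
        # Refining: between a damage point and a non-damage (or unknown) old neighbour
        for p in self.damage_points():
            for old, mid in zip(self.neighbours(p, 2), self.neighbours(p, 1)):
                if self.evaluated.get(old) != "damage":
                    self.sample(mid)
        # Seeding: random lattice points, their number proportional to the refinement
        for _ in range(self.n):
            self.sample((self.rng.randint(0, self.n), self.rng.randint(0, self.n)))
        # Growing: flood-fill the interior of the damage domain at the new scale
        frontier = self.damage_points()
        while frontier:
            p = frontier.pop()
            for q in self.neighbours(p, 1):
                if q not in self.evaluated and self.sample(q) == "damage":
                    frontier.append(q)

    def run(self, tol=0.01, max_scale=8):
        """Refine until the damage volume changes by less than tol (relative), in the
        spirit of the |pi_i - pi_{i-1}| <= 5% / 1% stopping criteria of Section 5."""
        volume = self.damage_volume()
        for scale in range(2, max_scale + 1):
            self.refine()
            new = self.damage_volume()
            if volume > 0 and abs(new - volume) <= tol * new:
                return new, scale
            volume = new
        return volume, max_scale


if __name__ == "__main__":
    search = DamageSearch(classify)
    volume, scale = search.run()
    print("scale %d, dt = %g: damage volume %.5f (true %.5f), %d paths evaluated"
          % (scale, search.dt, volume, TRUE_DAMAGE_AREA, len(search.evaluated)))
```

Five refinements ($dt = 1/256$) recover the ellipse area $\pi a b$ to about one percent while evaluating a few thousand paths instead of the $257^2$ of a full fine grid; the growing stage (a flood fill from the already known damage points) is what makes the interior count complete at each scale, and the seeding stage is the only part that can find a second, disjoint damage zone.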
section 4, with two header events and constant, given values of the two events' transition rates $p$. The initiating event frequency has been set equal to 1. The conditioned-to-the-initiating-event path probability is computed for each possible sequence built with those two header events, and the TSD integral of each analyzed sequence is then computed by aggregation of the path probabilities multiplied by the incremental volume $V$, as in section 4.

The dynamics of this section 4 and 5 example are based on a benchmark exercise performed in the work frame of the SARNET research network. It analyzes the risk of containment failure in a nuclear power plant due to overpressurization caused by hydrogen combustion (see ref. 4 for detailed specifications of the benchmark). In the results presented in this section, combustion has not been modeled. Instead, entering the flammability region for the H2 concentration has been selected as the damage stimulus.

The events involved are given in Table 1. The details about the dynamics of the transients are not within the scope of this article, and can be consulted in ref. 4.

The cumulative probabilities $q$ for the single dynamic events 2 and 3 are 0.75 and 0.5 respectively, during the accident time interval. Transition rates have been extracted from them by integrating eq. (4) (with only one event) within that interval and forcing $q$ to be the given values. In the analytical case compared below, the single-event $q$'s were additionally approximated by functions linear with time.

As the transient ends when the damage stimulus is activated, only five sequences are possible.

Table 2. State probabilities at $t = t_{AD}$. Analytical computation.

Sequence | Probability
1 | 0.1250
13 | 0.1250
12 | 0.3750
132 | 0.1875
123 | 0.1875

Table 3. State probability at $t = t_{AD}$. TSD computation, stopping criterion $|\pi_i - \pi_{i-1}| \le 5\%$.

Sequence | # Total paths | Probability
1 | 1 | 0.1250
13 | 16 | 0.1231
12 | 16 | 0.3717
132 | 136 | 0.1632
123 | 136 | 0.2032

Table 4. State probability at $t = t_{AD}$. TSD computation, stopping criterion $|\pi_i - \pi_{i-1}| \le 1\%$.

Sequence | # Total paths | Probability
1 | 1 | 0.1250
13 | 64 | 0.1251
12 | 32 | 0.3742
132 | 2080 | 0.1672
123 | 2080 | 0.2091
Table 5. Damage exceedance relative frequency TSD computation of the verification example; stopping criterion ϕ^exc_i − ϕ^exc_{i−1} ≤ 5%.
Sequence  # Damage paths  # Total paths  Exceed. freq.
1         0               1              0.0000
13        9               15             0.1718
12        14              15             0.5188
132       3155            3308           0.0700
123       1178            1314           0.0350
new TSD methodology based on it is feasible, compatible with existing PSA and accident dynamic tools. It is able to find the damage exceedance frequency that is the key figure of merit in any strategy for safety margins assessment. We have discussed some issues associated with the development of its computer implementation, and given results of preliminary verification tests.
REFERENCES
Fault identification and diagnostics
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
D. Ginestar
Department of Applied Mathematics, Universidad Politécnica de Valencia, Valencia, Spain
S. Martorell
Department of Chemical and Nuclear Engineering, Universidad Politécnica de Valencia, Valencia, Spain
ABSTRACT: Faults in Heating, Ventilating and Air-Conditioning (HVAC) systems can significantly harm the system in terms of energy efficiency loss, performance degradation, and even environmental implications. Since the chiller is one of the most important components of an HVAC system, the present work focuses on it. A lumped model is proposed to predict the fault-free performance of the chiller using data easily obtained from an industrial facility. This model predicts the chilled water temperature, the operating pressures and the overall energy performance of the system. The fault detection methodology is based on comparing actual and fault-free performance, using the proposed model, and on thresholds on the operating variables. The technique has been successfully applied to fault detection in a real installation under different faulty conditions: refrigerant leakage, and water reduction in the condenser and in the secondary circuit.
based on physical models. These physical models are based on first principles involving mass, energy and momentum balances and mechanical characteristics. The ability of a model-based FDD technique to detect faults during chiller operation depends on the model performance. It is desirable that the model presents a good prediction capability in any operating condition and that it can be obtained in a fully automatic way, combining simplicity with a low degree of data requirement. Accordingly, we will present a simplified physical model for a chiller facility and we will use it to develop a fault detection methodology for three typical faults in this kind of facility: faults in the condenser circuit, faults in the evaporator circuit and leakage in the refrigerant circuit.
The rest of the paper is organized as follows. Section 2 is devoted to the description of the experimental facility used to develop and to test the fault detection methodology. In section 3, the proposed fault detection methodology is presented and a sim-
described. The commonest failures of this kind of
For the development of the fault detection methodology, a monitored vapour-compression chiller, which develops a simple compression cycle, has been used. This facility consists of the four basic components: an open-type compressor driven by a variable speed electric motor, an isolated shell-and-tube (1–2) evaporator, where the refrigerant flows inside the tubes, using a brine (water-glycol mixture 70/30% by volume) as secondary fluid, an isolated shell-and-tube (1–2) condenser, with the refrigerant flowing along the shell, where water is used inside the tubes as secondary fluid, and a thermostatic expansion valve. In Fig. 1 a scheme of the installation is shown.
In order to introduce modifications in the chiller operating conditions, we use the secondary fluid loops, which help to simulate the evaporator and condenser conditions in chillers. The condenser water loop consists of a closed-type cooling system (Fig. 2), which allows controlling the temperature of the water and its mass flow rate.
The cooling load system (Fig. 3) also regulates the secondary coolant temperature and mass flow rate using a set of immersed electrical resistances and a variable speed pump.
The thermodynamic state of the refrigerant and secondary fluids at each point is determined using the measurements of 14 K-type thermocouples and 8 piezoelectric pressure transducers. The pressure and temperature sensors are calibrated in our own laboratory using certified references, obtaining a degree of uncertainty of 0.3 K in the thermocouples and a precision of 10 kPa in the pressure sensors. The refrigerant mass flow rate is measured by a Coriolis-effect mass flow meter with a certified accuracy within ±0.22% of the reading, and the secondary fluid mass flow rates are measured with electromagnetic flow meters, introducing a maximum error of ±0.25%. Furthermore, a capacitive sensor is installed to obtain the compressor rotation speed, with a maximum error after calibration of ±1%. The electrical power consumption of the compressor is evaluated using a digital Wattmeter (with a calibration specified uncertainty of ±0.5%). Finally, all these measurements are gathered by a National Instruments PC-based data acquisition system (Fig. 4), based on LABVIEW and REFPROP subroutines.
[Figure 1: installation scheme with measurement points T5/P5, T6/P6, T7/P7, T10, T11 and T13.]
Figure 1. Scheme of the installation.
Figure 2. Condenser water loop.
Figure 4. Scheme of the data acquisition system.
[Figure 5: block diagram with labels System, Actual performance x_k, Model (expected performance) x̃_k, Residual generator, Residuals evaluation, User interface.]
Figure 5. Fault detection technique scheme.
3 FAULT DETECTION METHODOLOGY
The fault detection is accomplished by evaluating the residuals obtained from the comparison between the actual performance of the installation, determined from experimental measurements, and some expectation of performance obtained by using a physical model of the system (Fig. 5). If the residuals exceed a given threshold, then a fault is indicated.
It has to be noted that the selected output variable, x_k, must be proven to be representative of the system operation, and its selection depends on the kind of fault to be detected. For this reason, a previous analysis of how a specific fault affects the main chiller operating variables is needed, the most sensitive and "inexpensive" ones being selected as output variables for the fault detection technique.
[Figure 6: model block with labels Refrigerant thermophysical properties, Geometric characteristics of the system, inputs m_b, T_b,in, m_w, T_w,in, N and outputs T_b,out, T_w,out, p_e, p_k, PC, COP.]
Figure 6. Model scheme.
[Figure 7: kernel structure with labels Compressor, Expansion valve, N, water, air, brine, superheated vapour, vapour to saturated liquid, refrigerant to saturated vapour.]
Figure 7. Schematic structure of the model kernel.
Special attention must be paid to the assignment of those confidence thresholds. On one hand, too narrow thresholds will increase the possibility of false alarms by confusing a noisy signal with a deviation due to a fault. On the other hand, too wide thresholds will increase the possibility of ignoring a fault.
A typical fault on both the evaporator and the condenser circuits may be the reduction of the mass flow rate of the secondary fluids through the exchangers. These reductions can deteriorate the compliance with the installation objectives and, on the other hand, can cause an energy efficiency reduction, since the mass flow rate reduction of the secondary fluids at the condenser and evaporator produces an increase of the compression ratio.
Thus, in the following, we will analyze these three kinds of failures. The first step for the correct identification of each type of fault is to analyze the variations produced by each kind of faulty operation, followed by the selection of a reduced group of variables that have a significant variation during the fault and that can be used to detect it.
In order to identify these variables, some variations have been forced in the facility in such a way that they can simulate those failures. Then, the correlation of each variable with each fault has been calculated both in the short term and in the medium term or quasi-steady state after it.
4.1 Fault in the condenser's circuit
In order to simulate a fault in the condenser circuit, a valve has been partially shut to reduce the water mass flow rate. In a real facility this fault may be caused by an obstruction in a filter of the circuit, or a failure in the impulsion pump. Table 1 shows the variation of each one of the main operating variables of the facility after the shutting of the valve.
The variable that shows the best conditions to be monitored is the condenser pressure, P_k. The evolution of this variable is shown in Fig. 8. Some temperatures also show deviations, such as the condenser outlet temperature, but they are not only smaller but also slower, as the variation can only be seen after the transient state.
4.2 Fault in the evaporator circuit
The simulation of this failure has been carried out in a similar way to the one for the condenser's circuit. A valve at the secondary fluid loop has been partially shut in order to reduce its mass flow rate. An obstruction in a filter or an impulsion pump failure may be the real causes of this kind of failure. Table 2 shows the deviations of the main operating variables of the facility.
As shown in Table 2, both the pressure at the condenser and the pressure at the evaporator are likely to be monitored. Furthermore, both have a clear reaction in the transient state and after it; however, the evaporator pressure shows approximately three times higher deviation than the pressure at the condenser, and thus it will be a more reliable indicator for the failure detection. The response of the pressure in the condenser is shown in Fig. 9.
[Figure 9: Pressure [bar], 3.45–3.85, against Time (s), 17300–19300.]
Figure 9. Response of the condenser pressure after a fault forced in the condenser's circuit.
[Figure 10: Pressure [bar], 3.80–4.10, against Time (s), 7700–8900.]
Figure 10. Response of the evaporator pressure in a refrigerant leakage.
5 RESULTS
In this section the methodology is validated, using
[Figure 13: Residuals, −0.20 to 0.10, against Time (s), 8000–8800.]
Figure 13. Evaporator pressure residuals in the refrigerant leakage.
As can be observed in this figure, the residuals suffer a sharp deviation out of the thresholds, showing the capability of the proposed methodology to detect this kind of fault.
6 CONCLUSIONS
The aim of this article has been to present a methodology to detect common faults in a vapour-compression chiller.
Two kinds of experiments have been carried out: a set of experimental tests used to analyze the variations of the operating variables during the faults, in order to select the most fault-sensitive variables, and another set of experiments, or validation tests, used to test the performance of the fault detection methodology.
In the methodology a simple steady-state model has been used to obtain the fault-free expected values of the fault-sensitive variables. These values have been used to obtain the residuals between the expected and measured variables. Finally, a methodology based on static thresholds has been applied. The experimental results have shown the capability of the technique to detect the faults.
In future work the behaviour of the fault detection methodology should be tested with transients associated with the normal operation of the installation, such as heat load variations, in order to see whether it is possible to distinguish this kind of transient from those associated with a fault in the chiller. Once a fault is detected, an interesting subject is to couple the fault detection
S. Sarshar
OECD Halden Reactor Project/Institute for energy technology, Halden, Norway
R. Winther
Østfold University College, Halden, Norway
ABSTRACT: It is inevitable that software systems contain faults. If one part of a system fails, this can affect
other parts and result in partial or even total system failure. This is why critical systems utilize fault tolerance
and isolation of critical functions. However, there are situations where several parts of a system need to interact
with each other. With today’s fast computers, many software processes run simultaneously and share the same
resources. This motivates the following problem: Can we, through an automated source code analysis, determine
whether a non-critical process can cause a critical process to fail when they both run on the same computer?
The errors identified in this approach were erroneous values in the variables passed to the system call interface and errors caused when return, or modified, pointer variables were not handled properly. From the analysis we know not only which functions behave non-robustly, but also the specific input that results in errors and exceptions being thrown by the operating system. This simplifies identification of the characteristics a failure mode has in source code.
Our proposed approach of analyzing error propagation between processes concerns how the process of interest can interact with and affect the environment (the operating system and other processes). A complementary approach could be to analyze how a process can be affected by its (execution) environment. In (Johansson et al. 2007), the authors inject faults in the interface between drivers and the operating system, and then monitor the effect of these faults in the application layer. This is an example where processes in the application layer are affected by their execution environment. Comparing this method to our approach, it is clear that both methods make use of fault injection to determine different types of failure effects on user programs. However, the examination in (Johansson et al. 2007) only concerns incorrect values passed from the driver interface to the operating system. Passing of incorrect values from one component to another is a mechanism for error propagation and relates to problems in intended communication channels. Fault injection is just one method to evaluate a process's robustness with regard to incorrect values in arguments. In (Sarshar 2007), the failure effects of several mechanisms were examined: passing of arguments and return value, usage of return value, system-wide limitations, and sequential issues. These methods complement each other. Brendan Murphy, co-author of (Johansson et al. 2007), from Microsoft Research¹ pointed out his worries at ISSRE 2007: "The driver developers do not use the system calls correctly. They do for instance not use the return values from the system calls. There is nothing wrong with the API, it is the developer that does not have knowledge about how to use the system calls."
Understanding the failure and error propagation mechanisms in software-based systems (Fredriksen & Winther 2006) (Fredriksen & 2007) will provide the knowledge to develop defences and avoid such mechanisms in software. It is therefore important to be aware of the limitations of the proposed approach. This analysis only identifies failure modes related to the use of system calls in source code. Other mechanisms for error propagation that do not involve usage of the system call interface will not be covered by this approach. Eternal loop structures in code are an example of a failure mode that does not make use of system calls. This failure mode can cause error propagation because it uses a lot of CPU time.
¹ Cambridge, UK.
3 ANALYSIS
In (Sarshar 2007) we analyzed several system calls and identified almost 200 failure modes related to their usage. Because these have their manifestation in the code, it is expected that they also have characteristics that can make them detectable when analyzing source code. This section describes general issues regarding the characteristics the identified failure modes will have in code.
The identified failure modes can be categorized depending on the object they apply to:
• Arguments (syntax analysis)
• Return variable (logical analysis)
• The function's sequential issues and limitations (logical analysis)
Determination of whether arguments contain a specific failure mode can be done with syntax analysis. Syntax analysis can identify the passed argument's variable type and value and check it against the list of failure modes for that specific argument. For the return variable, and for the functions' sequential issues and limits, logical analysis is required. This involves tracking of variables and analysis of the control flow of the code.
Failure modes related to passing of arguments can be divided into two groups: (1) variables and (2) pointers. A passed argument variable can have failure modes related to its type, which will be common for all arguments of that given type. In addition it may have failure modes related to the context in which it is used, that is, the context of the system call. Pointer arguments can in a similar way have failure modes related to their type, but will in addition have failure modes related to their usage in the code. Pointer variables or structures are often used to return data from a function when used as an argument.
The following failure modes may occur for a return variable (applies to all system calls with a return variable):
A. The value is not used in the code
B. The value is stored in a variable of wrong type
C. The external variable errno is not used if the return value indicates an error
To determine whether failure mode A occurs in a given source code: (1) the return variable must be retrieved, that is, not ignored with e.g. usage of void;
(2) the variable must be traced to the end of its scope to determine whether it has been used in some way. Failure mode B can be checked with syntax analysis by verifying that the variable storing the return value is of the same type as described in the documentation for that specific function. In order to determine whether failure mode C is present in the code: (1) the return value must be used in a statement to check whether it indicates an error; (2) the errno variable must be checked in a statement before the end of the function block.
Detection of sequential issues using system calls requires logical analysis. One must keep track of return variables that are used as arguments for other system calls, to determine which calls are related. This information can then be used to determine whether they are run in the correct order. Use of control flow graphs can be very helpful for analyzing source code for such failure modes.
Failure modes related to functional and system-wide limits can be difficult to determine when analyzing source code only. If we do not know the limitations of the underlying operating system for e.g. the maximum number of files one process can have open, it is difficult to predict such a failure mode. However, with use of logical analysis and control flow graphs, one may be able to determine whether the code opens many files and warn the user that such a failure mode may be present in the code.
Though not all failure modes can be detected when analyzing source code, a warning can be given when a given failure mode might be of concern. For instance, if it cannot be determined whether a return variable is used, a warning can be issued to the programmer.
Table 1 lists an excerpt of failure modes with their characteristics in source code for the shmget()² system call and Table 2 lists failure modes and their characteristics in source code related to sequential issues when using shared memory services.
Table 1. Some failure mode characteristics in code for shmget().
ID       | Failure mode                                               | Characteristic in code (check)                                                                                                                  | Checked on
F.29.1.D | Parameter key is less than type key_t                      | Check that value is not below zero                                                                                                              | Value
F.29.1.E | Parameter key is greater than type key_t                   | Check that value is not higher than type key_t                                                                                                  | Value
F.29.1.F | Parameter key is of wrong type                             | Check the type of the passed variable to be type key_t                                                                                          | Type
F.29.1.G | IPC_PRIVATE specified as key when it should not            | Logical error that can be difficult to identify without program documentation                                                                   | –
F.29.2.F | Parameter size is of wrong type                            | Check the type of the passed variable to be type size_t                                                                                         | Type
F.29.3.B | Parameter shmflg is not legal                              | Calculate the values of legal flags (documented in man page) and verify that the passed value is legal                                          | Value
F.29.3.C | Parameter shmflg is of wrong type                          | Check the type of the passed variable to be type int                                                                                            | Type
F.29.3.D | Permission mode is not set for parameter shmflg            | Check the least 9 bits of shmflg to get hold of the permission mode for user, group and all. If none of these are equal to 5, 6 or 7, the permission mode is not set correctly | Value
F.29.3.E | Access permission is given to all users instead of user only | Can be detected using the same approach as for 29.3.D, but whether it is intended is difficult to predict without documentation               | Value
F.29.3.F | Permission mode is write when it should have been read     | Mode should have value 5 but has value 7, but the intention is difficult to predict without documentation                                       | Value
F.29.3.G | Permission mode is read when it should have been write     | Mode should have value 7 but has value 5; not an issue unless a write is performed on the segment later in the code                             | Value
F.29.4.A | Return value is not used                                   | Track the variable to the end of scope and check whether it is used in the code                                                                 | Variable usage
² Allocates a shared memory segment.
Table 2. Failure mode characteristics in code related to sequential issues for shared memory.
ID      | System call | Failure mode                                    | Characteristic in code (check)                                                                                                     | Checked on
F.shm.A | shmdt()     | Target segment is not attached                  | Check line nr of shmdt() and shmat() to verify that shmat() is run prior to shmdt() for a specific segment                         | Line numbers
F.shm.B | shmat()     | Segment to attach is not allocated              | Check line nr of shmat() and shmget() to verify that shmget() is run prior to shmat() for a specific segment                       | Line numbers
F.shm.C | shmctl()    | Target segment is not identified                | Check line nr of shmctl() and shmat() to verify that shmat() is run prior to shmctl() for a specific segment                       | Line numbers
F.shm.D | shmat()     | Segment is not detached prior to end of scope   | Check line nr of shmat(), shmdt() and end of scope (return), to verify that shmdt() is run prior to return for a specific segment from shmat() | Line numbers
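The shmflg checks of Table 1 (F.29.3.D to F.29.3.G) and the ordering rules of Table 2 written out in C, as an added example that is not the paper's prototype tool (which is bash over the gcc CFG dump): check_shmflg_permission() and shmflg_user_mode() split the least 9 bits of shmflg into the user, group and all-users classes exactly as Table 1 prescribes, and shm_roundtrip() is our own shmget/shmat/shmdt sequence that satisfies F.shm.A to F.shm.D, uses every return value and consults errno. The function names, the enum, the 0600 mode and the sample flag values are our choices; the fact that octal 01000 (512) is IPC_CREAT on Linux is taken from the C library headers, not from the paper.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/types.h>

/* Verdicts for the low 9 bits of shmflg, following Table 1 (names are ours). */
enum shmflg_verdict {
    PERM_OK = 0,        /* some class has mode 5, 6 or 7 and "all users" does not */
    PERM_NOT_SET,       /* F.29.3.D: no class has mode 5, 6 or 7 */
    PERM_WORLD_ACCESS   /* F.29.3.E: the "all users" class has mode 5, 6 or 7 */
};

/* Table 1 treats a 3-bit class as "set" only when its value is 5, 6 or 7,
 * so a class with value 4 (read only, as in 0644) does not count as set. */
static int mode_is_set(int mode)
{
    return mode == 5 || mode == 6 || mode == 7;
}

/* Split the least 9 bits of shmflg into the user, group and all-users classes. */
static void split_modes(int shmflg, int *user, int *group, int *all)
{
    *user  = (shmflg >> 6) & 07;
    *group = (shmflg >> 3) & 07;
    *all   =  shmflg       & 07;
}

/* F.29.3.D and F.29.3.E check on a shmflg value as it would be passed to shmget(). */
enum shmflg_verdict check_shmflg_permission(int shmflg)
{
    int user, group, all;
    split_modes(shmflg, &user, &group, &all);
    if (!mode_is_set(user) && !mode_is_set(group) && !mode_is_set(all))
        return PERM_NOT_SET;
    if (mode_is_set(all))
        return PERM_WORLD_ACCESS;
    return PERM_OK;
}

/* User-class mode, the value Table 1 compares against 7 (write) and 5 (read)
 * for F.29.3.F and F.29.3.G; whether 5 or 7 was intended needs documentation. */
int shmflg_user_mode(int shmflg)
{
    return (shmflg >> 6) & 07;
}

/* Our rewrite of a shared-memory round trip that respects Table 2. Returns 0 on
 * success and -1 on failure, so a caller that ignores it hits F.29.4.A visibly. */
int shm_roundtrip(size_t size)
{
    /* F.29.3.D avoided: IPC_CREAT plus an explicit owner-only mode (0600 is our choice).
     * IPC_PRIVATE is deliberate here (F.29.1.G): nobody else needs to find this segment. */
    int shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
    if (shmid == -1) {
        /* Failure mode C avoided: errno is consulted when -1 is returned. */
        fprintf(stderr, "shmget: %s\n", strerror(errno));
        return -1;
    }

    /* F.shm.B satisfied: shmget() precedes shmat(). Third argument is a flag word. */
    void *addr = shmat(shmid, NULL, 0);
    if (addr == (void *) -1) {
        fprintf(stderr, "shmat: %s\n", strerror(errno));
        shmctl(shmid, IPC_RMID, NULL);
        return -1;
    }

    memset(addr, 0, size);  /* use the segment */

    /* F.shm.A and F.shm.D satisfied: shmdt() follows shmat() and runs on every
     * path before return, and its return value is checked rather than dropped. */
    int rc = shmdt(addr);
    if (rc == -1)
        fprintf(stderr, "shmdt: %s\n", strerror(errno));

    /* F.shm.C satisfied: shmctl() runs on an identified segment; remove it so it
     * does not outlive the process. */
    if (shmctl(shmid, IPC_RMID, NULL) == -1) {
        fprintf(stderr, "shmctl: %s\n", strerror(errno));
        rc = -1;
    }
    return rc;
}

int main(void)
{
    /* Constructed sample flag words: the first is the octal 01000 a test program
     * might pass, which on Linux is IPC_CREAT with no permission bits (F.29.3.D). */
    static const int samples[] = { 00001000, IPC_CREAT | 0600, IPC_CREAT | 0666 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("shmflg %#o -> verdict %d (user mode %d)\n", (unsigned) samples[i],
               check_shmflg_permission(samples[i]), shmflg_user_mode(samples[i]));
    return shm_roundtrip(1024) == 0 ? 0 : 1;
}
```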
A tool search was made on the internet in order to find descriptions of existing analysis tools. We identified 27 tools related to analysis of C code based on this search³. These can be grouped into commercial tools and academic research tools. Although cost prevented actual testing of the commercial tools, the available documentation has been examined to determine whether they can detect failure modes that can cause error propagation. The academic and research tools that are open source or free have been tested with a test program to determine their capabilities regarding the error propagation issues.
These tools were examined in (Sarshar 2007) based on the available documentation. Table 3 lists the availability and relevance of some of the tools, that is, whether they might detect the kind/category of failure modes we have unveiled in our analysis. The relevance of a tool is divided into the following categories:
• Unknown (conclusion based on available documentation)
• No (does not detect any of our failure modes)
• Some (detects some of our failure modes)
• All (detects all of our failure modes)
As expected, we found no tools that could detect all of our failure mode categories.
³ Available online: http://www.spinroot.com/static/, http://www.testingfaqs.org/t-static.html, and http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis.
Table 3. Availability and relevance of some of the analysis tools found.
Tool              Rel.   Checks
Coverity          Some   Passing of arguments and return values
Klocwork          Some   Ignored return values
PolySpace         No     –
Purify            Some   Passing of arguments
Flexelint         Some   Passing of arguments and return values
LintPlus          Unkn.  –
CodeSonar         Some   Ignored return values
Safer C toolset   Some   Passing of arguments and sequential issues
DoubleCheck       Some   Sequential issues
Sotoarc           No     –
Astree            Some   –
Mygcc             Some   User-defined checks
Splint (LC-Lint)  Some   Passing of arguments, ignored return values and sequential issues
RATS              Unkn.  –
Sparse            No     –
5 ASSESSMENT OF SOURCE CODE AND PROTOTYPE TOOL
This section describes development of a prototype tool aimed at evaluating to what extent the process of detecting the characteristics of the identified failure modes can be automated. The aim is to identify the challenges involved in automating such a code analysis process and not to develop a complete tool capable of detecting all failure modes.
For this prototype we chose to use bash scripting, which makes use of the available utilities provided by the Linux operating system.
Figure 1 illustrates the logic and architecture of the tool, where the arrows indicate control flow and the curved arrows indicate reporting a message to the user without interfering with the normal control flow. The algorithm for analyzing the code is shaded.
The prototype tool is designed in modules to allow easy updates. The tool itself performs the preliminary part, the analysis part and the report part, but the checks that are performed to determine each failure mode are placed in external modules. This will ease the work of adding additional failure modes and system call checks. When a specific parameter is to be checked, the prototype tool identifies its type and value and sends this information to the check-module that holds the check for that specific system call. The module then performs all available checks for the specified parameter and reports the results of the analysis. The return value is checked similarly. We have also included a general module which contains checks that apply to all system calls. This is necessary to avoid duplication of modules containing the same checks.
The tool performs the following steps:
1. Preliminary part:
• Compile the target source code (using gcc), exit if any error(s)
• Create a control flow graph (CFG) of the code (using gcc -fdump-tree-fixcfg)
2. Analysis part
• Search for system call usage in the CFG (using the standard C library invoke method)
• For each system call:
  • Identify usage of parameters and determine their variable type and value by backtracking, then send data for each parameter to the check-module relevant for the system call being analyzed.
  • Check whether the return variable is used, determine its type and name and send this data both to the general check-module and to the check-module for the system call being analyzed.
  • Store line number and system call info for the return value and parameters for sequential analysis.
• Perform sequential analysis
3. Report part
• This part is integrated with the analysis part in this prototype. Printed messages are in different colors depending on their contents. Warnings are printed in orange and errors are printed in red.
As a test program, consider the code of shm.c in Listing 1.
Listing 1: The code of shm.c
 1  #include <stdio.h>
 2  #include <sys/types.h>
 3  #include <sys/ipc.h>
 4  #include <sys/shm.h>
 5  extern void perror();
 6  int main() {
 7    // key to be passed to shmget
 8    int key = 100;
 9    // shmflg to be passed to shmget
10    int shmflg = 00001000;
11    // return value from shmget
12    int shmid;
13    // size to be passed to shmget
14    int size = 1024;
15    // shmaddr to be passed to shmat
16    char *shmaddr = 00000000;
17    // returned working address
18    const char *workaddr;
19    int ret;
20
21    // Create a new shared memory segment
22    if ((shmid = shmget(key, size, shmflg)) == -1) {
23      perror("shmget failed");
24      return 1;
25    } else {
26      (void) fprintf(stdout, "shmget returned %d\n", shmid);
27    }
28
29    // Make the detach call and report the results
30    ret = shmdt(workaddr);
31    perror("shmdt");
32
33    // Make the attach call and report the results
34    workaddr = shmat(shmid, shmaddr, size);
35    if (workaddr == (char *)(-1)) {
36      perror("shmat failed");
37      return 1;
38    } else {
39      (void) fprintf(stdout, "shmat returned succesfully");
40    }
41    return 0;
42  }
The test program contains selected failure modes,
C. In line 22: permission mode not set for user when passing argument shmflg (failure mode F.29.3.D)
D. In line 30: no use of the return value from shmdt() (failure mode F.67.2.A)
E. In line 30: passing of argument workaddr which is not attached (failure mode F.shm.A)
F. In lines 37 and 41: segment referred to by workaddr is not released prior to return (failure mode F.shm.D)
The control flow graph of this code is created using:
gcc -fdump-tree-fixupcfg shm.c
An excerpt of the output is illustrated in Listing 2 (empty lines are removed). The notation is GIMPLE⁴, which is an intermediate representation of the program in which complex expressions are split into a three-address code using temporary variables. GIMPLE retains much of the structure of the parse trees: lexical scopes are represented as containers, rather than markers. However, expressions are broken down into a three-address form, using temporary variables to hold intermediate values. Also, control structures are lowered to gotos. Figure 2 illustrates the nodes of this control flow graphically. The three nodes "<bb 0>", "<L0>" and "<L1>" are marked in the figure.
Listing 2: Excerpt of the control flow graph for shm.c generated by gcc
<bb 0>:
  key = 100;
  shmflg = 512;
  size = 1024;
  shmaddr = 0B;
  size.0 = (size_t) size;
  D.2038 = shmget (key, size.0, shmflg);
  shmid = D.2038;
  if (shmid == -1) goto <L0>; else goto <L1>;
<L0>:;
  perror (&"shmget failed"[0]);
  D.2039 = 1;
  goto <bb 5> (<L4>);
<L1>:;
  stdout.1 = stdout;
  fprintf (stdout.1, &"shmget returned %d\n"[0], shmid);
  D.2041 = shmdt (workaddr);
  ret = D.2041;
  perror (&"shmdt: "[0]);
  D.2042 = shmat (shmid, shmaddr, size);
  workaddr = (const char *) D.2042;
  if (workaddr == 4294967295B) goto <L2>;
e l s e go t o < L3> ;
and we will use the program to show how the proto-
type tool can detect failure modes. The injected failure
modes are:
A. In line 22: passing of argument key with type 4 This representation was inspired by the SIMPLE rep-
different than key_t (failure mode F.29.1.F) resentation proposed in the McCAT compiler project
B. In line 22: passing of argument size with type at McGill University for simplifying the analysis and
different than size_t (failure mode F.29.2.F) optimization of imperative programs.
188
Figure 2. Control flow graph of shm.c.
189
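The failure modes A to F listed above can be exercised with a small sequential checker. The following Python script is an added example written for this page, not the prototype tool described in the paper: it works on the C source text with regular expressions rather than on the GIMPLE control flow graph, embeds a constructed copy of the Listing 1 program with the comments removed (so its reported line numbers differ from the listing's), and reports the failure modes with the paper's labels. The regular expressions, the S_IRWXU mask used for the "permission mode for user" check and the message texts are choices made here, not the paper's.

```python
"""Sequential checker for System V shared-memory calls (added example).

Not the paper's prototype.  It walks a C source text line by line with regular
expressions, which suffices for straight-line code such as shm.c but is no
substitute for the control-flow-graph based analysis the paper describes.
"""
import re

# Constructed sample: the test program of Listing 1 with its comments removed,
# so line numbers reported below refer to THIS text, not to the paper's listing.
SHM_C = """\
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
int main() {
    int key = 100;
    int shmflg = 00001000;
    int shmid;
    int size = 1024;
    char *shmaddr = 00000000;
    const char *workaddr;
    int ret;
    if ((shmid = shmget(key, size, shmflg)) == -1) {
        perror("shmget failed");
        return 1;
    } else {
        (void) fprintf(stdout, "shmget returned %d\\n", shmid);
    }
    ret = shmdt(workaddr);
    perror("shmdt");
    workaddr = shmat(shmid, shmaddr, size);
    if (workaddr == (char *)(-1)) {
        perror("shmat failed");
        return 1;
    } else {
        (void) fprintf(stdout, "shmat returned successfully");
    }
    return 0;
}
"""

DECL_RE = re.compile(r'^\s*(const\s+)?(\w+)\s*(\*?)\s*(\w+)\s*(=\s*([^;]+))?;')
CALL_RE = re.compile(r'\b(shmget|shmat|shmdt)\s*\(([^()]*)\)')
ASSIGN_RE = re.compile(r'(\w+)\s*=\s*\(*\s*(shmget|shmat|shmdt)\s*\(')
SHMGET_TYPES = ('key_t', 'size_t')  # first two parameters of shmget(2)
USER_PERM_BITS = 0o700               # S_IRWXU: the "permission mode for user"

def c_int(literal):
    """Value of a C integer literal: 0x prefix is hex, a leading 0 is octal."""
    lit = literal.strip()
    if lit.lower().startswith('0x'):
        return int(lit, 16)
    return int(lit, 8) if len(lit) > 1 and lit[0] == '0' else int(lit)

def check_shm(source):
    """Return sorted (line, message) findings for the failure modes A-F of the text."""
    types, values, findings = {}, {}, []
    attached = set()   # variables currently holding a live shmat() address
    pending = {}       # var -> (line, call) whose stored result has not been read yet
    for lineno, line in enumerate(source.splitlines(), 1):
        for var in list(pending):                       # a later read counts as a use
            if re.search(r'\b%s\b' % var, line):
                del pending[var]
        d = DECL_RE.match(line)
        if d and d.group(2) not in ('return', 'else', 'goto'):
            types[d.group(4)] = d.group(2) + d.group(3)
            if d.group(6) is not None:
                values[d.group(4)] = d.group(6)
        if re.match(r'\s*return\b', line) and attached:   # F: leaving with a segment attached
            findings.append((lineno, 'return while %s still attached (F.shm.D)' % sorted(attached)))
        for m in CALL_RE.finditer(line):
            call = m.group(1)
            args = [a.strip() for a in m.group(2).split(',')]
            if call == 'shmget' and len(args) == 3:
                for arg, want, fm in zip(args, SHMGET_TYPES, ('F.29.1.F', 'F.29.2.F')):
                    if types.get(arg, want) != want:          # A, B: wrong argument type
                        findings.append((lineno, 'shmget: argument %s has type %s, not %s (%s)'
                                         % (arg, types[arg], want, fm)))
                flg = args[2]                                 # C: no user permission bits
                if flg in values and (c_int(values[flg]) & USER_PERM_BITS) == 0:
                    findings.append((lineno, 'shmget: no user permission mode in %s (F.29.3.D)' % flg))
            elif call == 'shmdt':
                if args[0] not in attached:                   # E: detaching an unattached address
                    findings.append((lineno, 'shmdt: argument %s is not attached (F.shm.A)' % args[0]))
                attached.discard(args[0])
            stored = ASSIGN_RE.search(line)
            if stored and stored.group(2) == call:
                pending[stored.group(1)] = (lineno, call)
                if call == 'shmat':
                    attached.add(stored.group(1))
            else:                                             # D: result thrown away on the spot
                findings.append((lineno, '%s: return value not used (F.67.2.A)' % call))
    for var, (lineno, call) in pending.items():               # D: stored but never read
        findings.append((lineno, '%s: return value stored in %s but never used (F.67.2.A)' % (call, var)))
    return sorted(findings)
```

Like the paper's tool, the return-while-attached check flags the failure branch after shmat() as well as the final return, because a textual pass does not know that workaddr holds (char *)(-1) on that path; a tool working on the control flow graph can tell the two paths apart.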
will provide safety checks for programs that use dynamic input as parameters for system calls.

We developed a conceptual model for a static analysis tool, which we implemented as a prototype. The tool managed to detect many of the failure modes causing error propagation automatically, but not all. It is difficult, if not impossible, to control and check dynamic variables that are passed to system services when performing static analysis.

The implemented prototype tool is not restricted to checking only for failure modes that can cause error propagation. In our analysis of system calls we identified numerous failure modes which could cause other types of failures than error propagation. Using the same principles as for the automatic identification of error propagation related failure modes, it is possible to extend the tool to also identify these other types of failure modes. Thus, the tool can determine whether error propagation is a concern when using system calls; the tool can indicate which part of the software code is erroneous, and can pinpoint the parts of the software that should be focused on during testing. One should also test the component(s) this process affects; the tool can be used by driver and software developers who make use of system calls, to verify that these calls are used correctly (with regard to the documentation); and the tool can be used to identify failure modes which need special attention and exception handling routines.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: In the maintenance field, prognostic is recognized as a key feature, as the estimation of the remaining useful life of equipment allows avoiding inopportune maintenance spending. However, it can be difficult to define and implement an adequate and efficient prognostic tool that includes the inherent uncertainty of the prognostic process. Within this frame, neuro-fuzzy systems are well suited for practical problems where it is easier to gather data (online) than to formalize the behavior of the system being studied. In this context, and according to real implementation restrictions, the paper deals with the definition of an evolutionary fuzzy prognostic system for which no assumption on its structure is necessary. The proposed approach outperforms classical models and is well fitted to perform a priori reliability analysis and thereby optimize maintenance policies. An illustration of its performance is given by making a comparative study with another neuro-fuzzy system that emerges from the literature.
2 PROGNOSTIC AND RELIABILITY

2.1 From maintenance to prognostic

Maintenance activity combines different methods, tools and techniques to reduce maintenance costs while increasing the reliability, availability and security of equipment. Thus, one usually speaks about fault detection, failure diagnosis, and response development (choice and scheduling of preventive and/or corrective actions). Briefly, these steps correspond to the need, firstly, of ''perceiving'' phenomena, secondly, of ''understanding'' them, and finally, of ''acting'' accordingly. However, rather than understanding a phenomenon which has just appeared, like a failure (a posteriori comprehension), it seems convenient to ''anticipate'' its manifestation in order to take adequate actions as soon as possible. This is what could be defined as the ''prognostic process'', which is the object of this paper. Prognostic turns out to be a very promising maintenance activity, and industry shows a growing interest in this topic, which is becoming a major research framework; see recent papers dedicated to condition-based maintenance (CBM) (Jardine et al. 2006; Ciarapica and Giacchetta 2006). The relative positioning of detection, diagnosis, prognostic and decision/scheduling can be schematized as proposed in Fig. 1. In practice, prognostic is usually performed after a detection step: the monitoring system detects that the equipment has overpassed an alarm limit, which activates the prognostic process.

Figure 1. Prognostic within maintenance activity.

2.2 From prognostic to prediction

Although there are some divergences in the literature, prognostic can be defined as proposed by the International Organization for Standardization: ''prognostic is the estimation of time to failure and risk for one or more existing and future failure modes'' (ISO 13381-1 2004). In this acceptation, prognostic is also called the ''prediction of a system's lifetime'', as it is a process whose objective is to predict the remaining useful life (RUL) before a failure occurs, given the current machine condition and past operation profile (Jardine et al. 2006). Thereby, two salient characteristics of prognostic appear:

– prognostic is mostly assimilated to a prediction process (a future situation must be caught),
– prognostic is based on the failure notion, which implies a degree of acceptability.

A central problem can be pointed out from this: the accuracy of a prognostic system is related to its ability to approximate and predict the degradation of equipment. In other words, starting from a ''current situation'', a prognostic tool must be able to forecast the ''future possible situations'', and the prediction phase is thereby a critical one. The next section of this paper emphasizes this step of prognostic.

2.3 From pr ediction to reliability

As mentioned earlier, an important task of prognostic is to predict the degradation of equipment. Following that, prognostic can also be seen as a process that allows a priori reliability modeling.

Reliability (R(t)) is defined as the probability that a failure does not occur before time t. If the random variable ϑ denotes the time to failure with a cumulative distribution function $F_\vartheta(t) = \Pr(\vartheta \leq t)$, then:

$$R(t) = 1 - F_\vartheta(t) \qquad (1)$$

Let us assume now that the failure is not characterized by a random variable but by the fact that a degradation signal (y) overpasses a degradation limit (ylim), and that this degradation signal can be predicted (ŷ) with a degree of uncertainty (Fig. 2). At any time t, the failure probability can be predicted as follows:

$$F(t) = \Pr[\hat{y}(t) \geq y_{lim}] \qquad (2)$$

Figure 2. Prediction and reliability modeling.

Let g(ŷ/t) denote the probability distribution function of the prediction at time t. Thereby, by analogy with reliability theory, the reliability modeling can
be expressed as follows:

$$R(t) = 1 - \Pr[\hat{y}(t) \geq y_{lim}] = 1 - \int_{y_{lim}}^{\infty} g(\hat{y}/t)\,dy \qquad (3)$$

The remaining useful life (RUL) of the system can finally be expressed as the time remaining between the instant at which the prediction is made (tp) and the time at which a reliability limit (Rlim) fixed by the practitioner is underpassed (see Fig. 2).

These explanations can be generalized to a multi-dimensional degradation signal; see (Chinnam and Pundarikaksha 2004) or (Wang and Coit 2004) for more details. Finally, the a priori reliability analysis can be performed if an accurate prognostic tool is used to approximate and predict the degradation of equipment. This is the purpose of the next sections of this paper.

3 FUZZY MODELS FOR PREDICTION

3.1 Takagi-Sugeno system: A fitted prediction tool

Various prognostic approaches have been developed, ranging in fidelity from simple historical failure rate models to high-fidelity physics-based models (Vachtsevanos et al. 2006; Byington et al. 2002). Similarly to diagnosis, these methods can be associated with one of the following two approaches, namely model-based and data-driven. That said, the aim of this part is not to give an exhaustive overview of prediction techniques but to explain the orientations of the work undertaken.

Real systems are complex and their behavior is often non-linear and non-stationary. These considerations make the modeling step harder, even impossible. Yet, a computational prediction tool must deal with it. Moreover, monitoring systems have evolved and it is now quite easy to gather data online. According to all this, data-driven approaches have been increasingly applied to machine prognostic. More precisely, work has been carried out to develop systems that can perform nonlinear modeling without a priori knowledge, and that are able to learn complex relationships among ''inputs and outputs'' (universal approximators). Indeed, artificial neural networks (ANNs) have been used to support the prediction process (Zhang et al. 1998), and research works emphasize the interest of using them. Nevertheless, some authors remain skeptical, as ANNs are ''black boxes'', which implies that there is no explicit form to explain and analyze the relationships between inputs and outputs. According to these considerations, recent works focus on the interest of hybrid systems: many investigations aim at overcoming the major ANN drawback (lack of knowledge explanation) while preserving their learning capability. In this way, neuro-fuzzy systems are well adapted. More precisely, first order Takagi-Sugeno (TS) fuzzy models have shown improved performance over ANNs and conventional approaches (Wang et al. 2004). Thereby, they can perform the degradation modeling step of prognostic.

3.2 Takagi-Sugeno models: Principles

a) The inference principle

A first order TS model provides an efficient and computationally attractive solution to approximate a nonlinear input-output transfer function. TS is based on the fuzzy decomposition of the input space. For each part of the state space, a fuzzy rule can be constructed to make a linear approximation of the input. The global output approximation is a combination of all the rules: a TS model can be seen as a multi-model structure consisting of linear models that are not necessarily independent (Angelov and Filev 2004).

Consider Fig. 3 to explain the first order TS model. In this illustration, two input variables are considered, two fuzzy membership functions (antecedent fuzzy sets) are assigned to each one of them, and the TS model is finally composed of two fuzzy rules. That said, a TS model can be generalized to the case of n inputs and N rules (see hereafter).

Figure 3. First order TS model.

The rules perform a linear approximation of the inputs as follows:

$$R_i:\ \text{if } x_1 \text{ is } A_i^1 \text{ and } \ldots \text{ and } x_n \text{ is } A_i^n \ \text{THEN } y_i = a_{i0} + a_{i1} x_1 + \cdots + a_{in} x_n \qquad (4)$$

where $R_i$ is the ith fuzzy rule, N is the number of fuzzy rules, $X = [x_1, x_2, \ldots, x_n]^T$ is the input vector, $A_i^j$ denotes the antecedent fuzzy sets, j = [1, n], $y_i$ is the output of the ith linear subsystem, and $a_{iq}$ are its parameters, q = [0, n].

Let us assume Gaussian antecedent fuzzy sets (this choice is justified by their generalization capabilities and because they cover the whole domain of the variables)
to define the regions of fuzzy rules in which the local linear sub-models are valid:

$$\mu_{ij} = \exp\left(-\frac{4\,\|x_j - x_j^{i*}\|^2}{(\sigma_j^i)^2}\right) \qquad (5)$$

where $(\sigma_j^i)^2$ is the spread of the membership function, and $x^{i*}$ is the focal point (center) of the ith rule antecedent.

The firing level of each rule can be obtained by the product fuzzy T-norm:

$$\tau_i = \mu_{i1}(x_1) \times \cdots \times \mu_{in}(x_n) \qquad (6)$$

The normalized firing level of the ith rule is:

$$\lambda_i = \frac{\tau_i}{\sum_{j=1}^{N} \tau_j} \qquad (7)$$

The TS model output is calculated by weighted averaging of the individual rules' contributions:

$$y = \sum_{i=1}^{N} \lambda_i y_i = \sum_{i=1}^{N} \lambda_i x_e^T \pi_i \qquad (8)$$

where $\pi_i = [a_{i0}\ a_{i1}\ a_{i2} \ldots a_{in}]$ is the parameter vector of the ith sub-model, and $x_e = [1\ X^T]^T$ is the expanded data vector.

A TS model has two types of parameters. The non-linear parameters are those of the membership functions (a Gaussian membership like in equation 5 has two parameters: its center x* and its spread deviation σ). This kind of parameter is referred to as premise or antecedent parameters. The second type of parameters are the linear ones that form the consequent part of each rule (aiq in equation 4).

b) Identification of TS fuzzy models

Assuming that a TS model can approximate an input-output function (previous section), in practice this kind of model must be tuned to fit the studied problem. This implies two tasks to be performed:

– the design of the structure (number and type of membership functions, number of rules),
– the optimization of the model's parameters.

For that purpose, different approaches can be used to identify a TS model. In all cases, the consequent parameters of the system are tuned by using a least squares approach.

Mosaic or table lookup scheme. It is the simplest method to construct a TS fuzzy system, as the user defines himself the architecture of the model and the antecedent parameter values (Espinosa et al. 2004).

Gradient Descent (GD). The principle of the GD algorithm is to calculate the premise parameters by the standard back-propagation algorithm. GD has been implemented in a special neuro-fuzzy system: the ANFIS model (Adaptive Neuro-Fuzzy Inference System) proposed by (Jang and Sun 1995).

Genetic Algorithms (GAs). GAs are well known for their optimization capabilities. The GAs are used by coding the problem into chromosomes and setting up a fitness function. Since the consequent part of a TS model can be calculated by using a least squares method, only the premise part of the model is coded into chromosomes and optimized by the GAs.

Clustering Methods (CMs). The basic idea behind fuzzy clustering is to divide a set of objects into self-similar groups (clusters). The main interest of this type of method is that the user does not need to define the number of membership functions, nor the number of rules: CMs adapt the structure of the TS model during the learning phase.

Evolving algorithms. These algorithms are based on CMs and therefore do not require the user to define the structure of the TS model. In opposition to all previous approaches, they do not need a complete learning data set to start the identification process of the TS model (start from scratch): they are online algorithms with a self-constructing structure. These approaches were recently introduced (Angelov and Filev 2003; Kasabov and Song 2002).

3.3 Discussion: exTS for prognostic application

The selection of an identification approach for a TS model depends obviously on the prediction context. According to the degradation modeling problem, a prediction technique for prognostic purposes should not be tuned by an expert, as it can be too difficult to capture the behavior of the monitored equipment. Thereby, the first approach for identification (table lookup scheme) should be left aside.

Gradient descent and genetic algorithm approaches allow updating parameters by a learning process but are based on a fixed structure of the model, which supposes that an expert is able to indicate the adequate architecture to be chosen. However, the accuracy of predictions is fully dependent on this, and such identification techniques suffer from the same problems as ANNs. Yet, the ANFIS model is known as a fitted tool for time-series prediction and has been used for prognostic purposes (Goebel and Bonissone 2005; Wang et al. 2004).

In opposition, clustering approaches require less a priori structure information as they automatically
determine the number of membership functions and of rules. However, in practical applications, the learning process is effective only if sufficient data are available. In addition, once trained, such a TS model is fixed. Thereby, if the behavior of the monitored system changes significantly (like in a degradation phase), predictions can suffer from the lack of representative learning data.

Considering the applicative restrictions that the implementation of a prognostic tool supposes, evolving TS models appear to be the most promising for prognostic applications. Firstly, they are able to update the parameters without the intervention of an expert (evolving systems with regard to the parameters). Secondly, they can be trained in online mode as they have a flexible structure that evolves with the data gathered from the system: data are collected continuously, which enables new rules to be formed or existing ones to be modified. This second characteristic is very useful to take into account the non-stationary aspect of degradation.

According to all this, an accurate TS prediction technique for online reliability modeling is the evolving one. A particular model is the one proposed by (Angelov and Zhou 2006): the ''evolving eXtended Takagi-Sugeno'' system (exTS). The way of learning this type of model is presented in the next section and the interest of using it is illustrated in section 4.2.

3.4 Learning procedure of exTS

The learning procedure of exTS is composed of two phases:

– Phase A: an unsupervised data clustering technique is used to adjust the antecedent parameters,
– Phase B: the supervised Recursive Least Squares (RLS) learning method is used to update the consequent parameters.

a) Clustering phase: Partitioning data space

The exTS clustering phase processes the global input-output data space: $z = [x^T, y^T]^T$; $z \in R^{n+m}$, where n + m defines the dimensionality of the input/output data space. Each one of the sub-models of exTS operates in a sub-area of z. This TS model is based on the calculus of a ''potential'' (see after), which is the capability of a data point to form a cluster (antecedent of a rule).

The clustering procedure starts from scratch, assuming that the first data point available is a center of a cluster: the coordinates of the first cluster center are those of the first data point ($z_1^* \leftarrow z_1$). The potential of the first data point is set to the ideal value: $P_1(z_1) \rightarrow 1$. Four steps are then performed for each new data point gathered in real-time.

Step 1. Starting from k = 2, the potential $P_k$ of the data point $z_k$ is recursively calculated at time k:

$$P_k(z_k) = \frac{k-1}{(k-1) + \sum_{j=1}^{n+m} \sum_{i=1}^{k-1} \left(z_i^j - z_k^j\right)^2} \qquad (9)$$

Step 2. The potential of the cluster/rule centers is recursively updated:

$$P_k(z^*) = \frac{(k-1)\,P_{k-1}(z^*)}{k - 2 + P_{k-1}(z^*) + P_{k-1}(z^*) \sum_{j=1}^{n+m} \left(z^{*j} - z_{k-1}^j\right)^2} \qquad (10)$$

Step 3. The potential of the data point (step 1) is compared to boundaries issued from the potential of the cluster centers (step 2):

$$\underline{P} \leq P_k(z_k) \leq \overline{P} \qquad (11)$$

where $\overline{P} = \max_{i=1}^{N}\{P_i(z^*)\}$ is the highest density/potential, $\underline{P} = \min_{i=1}^{N}\{P_i(z^*)\}$ is the lowest density/potential, and N is the number of cluster centers ($x_i^*$, i = [1, N]) formed at time k.

Step 4. If the new data point has a potential in between the boundaries (11), no modification of the rules is necessary. Else, there are two possibilities:

1. if the new data point is close to an old center ($\min_{i=1}^{N} \|x_k^j - x_i^{*j}\| < \sigma_j^i / 2$), then the new data point ($z_k$) replaces this center ($z_j^* := z_k$),
2. else, the new data point is added as a new center and a new rule is formed (N = N + 1; $x_N^*$).

Note that the exTS learning algorithm presents an adaptive calculation of the radius of the clusters ($\sigma_j^i$). See (Angelov and Zhou 2006) for more details.

b) RLS phase: update of the consequent parameters

The exTS model is used for on-line prediction. In this case, equation (8) can be expressed as follows:

$$\hat{y}_{k+1} = \sum_{i=1}^{N} \lambda_i y_i = \sum_{i=1}^{N} \lambda_i x_e^T \pi_i = \psi_k^T \hat{\theta}_k \qquad (12)$$

$\psi_k = [\lambda_1 x_e^T, \lambda_2 x_e^T, \ldots, \lambda_n x_e^T]_k^T$ is a vector of the inputs, weighted by the normalized firing (λ) of the rules, and $\hat{\theta}_k = [\pi_1^T, \pi_2^T, \ldots, \pi_N^T]_k^T$ are the parameters of the sub-models.
The following RLS procedure is applied:

where is a large positive number, $C_1$ is an R(n + 1) × R(n + 1) co-variance matrix, and $\hat{\theta}_k$ is an estimation of the parameters based on k data samples.

Figure 4. Architecture of an ANFIS with 4 inputs.
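The pieces of sections 2.3, 3.2 and 3.4 fit together as a small pipeline: a TS model forecasts ŷ, equations (2) and (3) turn the forecast into a failure probability and a reliability, the RUL is the time until R(t) falls under Rlim, and the exTS potential of equation (9) decides how the rule base evolves. The following Python block is an added example written for this page, not the authors' code or exTS itself: it implements equations (5) to (9), the step 3 and 4 decision of section 3.4 and the reliability and RUL computation of section 2.3. Assumptions made here: the forecast pdf g(ŷ/t) is taken as Gaussian with a given standard deviation (the paper only requires some pdf), the cluster radius is one scalar per center instead of the per-dimension σ_j^i that exTS adapts, step 2 (recursive update of the center potentials) and the RLS phase are left out, and the data streams are constructed.

```python
"""TS inference, reliability/RUL and the exTS data potential (added example).

Written for this page, not the authors' code.  Implements eqs (5)-(8), the
reliability and RUL of section 2.3 (eqs (2)-(3)) and the potential of eq (9)
with the step 3-4 decision of section 3.4 a).  The Gaussian forecast pdf and
the scalar cluster radius are assumptions made here.
"""
import math

def gaussian_mf(x, center, sigma):
    """Eq. (5) for one input: mu = exp(-4 (x - x*)^2 / sigma^2)."""
    return math.exp(-4.0 * (x - center) ** 2 / sigma ** 2)

def normalized_firing(x, centers, sigmas):
    """Eqs (6)-(7): product T-norm per rule, then normalization over the N rules."""
    tau = [math.prod(gaussian_mf(xj, cj, sj) for xj, cj, sj in zip(x, c, s))
           for c, s in zip(centers, sigmas)]
    total = sum(tau)
    return [t / total for t in tau]

def ts_output(x, centers, sigmas, pi):
    """Eq. (8): y = sum_i lambda_i * x_e^T pi_i with x_e = [1, x_1, ..., x_n]."""
    xe = [1.0] + list(x)
    return sum(lam * sum(a * v for a, v in zip(p, xe))
               for lam, p in zip(normalized_firing(x, centers, sigmas), pi))

def failure_probability(y_hat, sigma, y_lim):
    """Eq. (2), with g(y_hat/t) assumed Gaussian N(y_hat, sigma^2): Pr[y_hat(t) >= y_lim]."""
    return 0.5 * (1.0 - math.erf((y_lim - y_hat) / (sigma * math.sqrt(2.0))))

def reliability(y_hat, sigma, y_lim):
    """Eq. (3): R(t) = 1 - Pr[y_hat(t) >= y_lim]."""
    return 1.0 - failure_probability(y_hat, sigma, y_lim)

def remaining_useful_life(forecast, y_lim, r_lim, t_p):
    """RUL: time from the prediction instant t_p until R(t) first drops under R_lim.

    forecast is a list of (t, y_hat, sigma) for t > t_p, as a prognostic model
    would supply it.  Returns None if R_lim is not reached within the horizon."""
    for t, y_hat, sigma in forecast:
        if reliability(y_hat, sigma, y_lim) < r_lim:
            return t - t_p
    return None

def potential_recursive(points):
    """Eq. (9) for each point of a stream, with P_1(z_1) = 1 (section 3.4 a).

    P_k(z_k) = (k-1) / ((k-1) + sum_j sum_{i<k} (z_i^j - z_k^j)^2).  With the
    running sums S_j = sum_i z_i^j and Q_j = sum_i (z_i^j)^2 the inner sum is
    Q_j - 2 z_k^j S_j + (k-1) (z_k^j)^2, so every new point costs O(n+m)."""
    dim = len(points[0])
    S, Q, out = [0.0] * dim, [0.0] * dim, []
    for k, z in enumerate(points, 1):
        if k == 1:
            out.append(1.0)
        else:
            dist = sum(Q[j] - 2.0 * z[j] * S[j] + (k - 1) * z[j] ** 2 for j in range(dim))
            out.append((k - 1) / ((k - 1) + dist))
        for j in range(dim):
            S[j] += z[j]
            Q[j] += z[j] ** 2
    return out

def potential_direct(points, k):
    """Eq. (9) evaluated literally for the k-th point (1-based); cross-check only."""
    zk = points[k - 1]
    dist = sum((zi[j] - zk[j]) ** 2 for zi in points[:k - 1] for j in range(len(zk)))
    return (k - 1) / ((k - 1) + dist)

def cluster_step(zk, pk, centers, center_pots, radius):
    """Steps 3-4 of section 3.4 a): what the new point z_k does to the rule base.

    Returns 'keep', 'replace' or 'add' and updates the three lists in place.
    radius holds one scalar per center standing in for sigma_j^i (exTS adapts it
    per dimension, which is left out here)."""
    if min(center_pots) <= pk <= max(center_pots):   # condition (11): nothing to change
        return 'keep'
    dists = [math.dist(zk, c) for c in centers]
    i = dists.index(min(dists))
    if dists[i] < radius[i] / 2.0:                   # case 1: close to an old center
        centers[i], center_pots[i] = tuple(zk), pk
        return 'replace'
    centers.append(tuple(zk))                        # case 2: new center, new rule
    center_pots.append(pk)
    radius.append(radius[i])
    return 'add'
```

potential_recursive keeps running sums so each new point costs O(n + m) regardless of k, which is what makes equation (9) usable on-line; potential_direct evaluates the double sum literally and is only there to cross-check the recursion. In the cluster step, a point far from every center gets a low potential, falls outside the interval (11) and opens a new rule, while a point in an already dense region that lands outside the interval and within half a radius of a center replaces that center.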
Table 1. Simulation results.

                           ANFIS      exTS
Industrial dryer
  t + 1    Rules           32         18
           RMSE            0.12944    0.01569
           MASE            16.0558    2.16361
  t + 5    Rules           32         17
           RMSE            0.84404    0.05281
           MASE            114.524    7.38258
  t + 10   Rules           32         17
           RMSE            1.8850     0.18669
           MASE            260.140    27.2177
Air temperature
  t + 1    Rules           32         4
           RMSE            0.01560    0.01560
           MASE            0.4650     0.47768
  t + 5    Rules           32         6
           RMSE            0.13312    0.12816
           MASE            2.01818    1.97647
  t + 10   Rules           32         6
           RMSE            0.23355    0.22997
           MASE            3.66431    3.66373

Figure 5. Predictions—industrial dryer, t + 1.

Figure 6. Pdf error—air temperature, t + 10.

sets were used to train and test both models. Predictions were made at (t + 1), (t + 5) and (t + 10) in order to measure the stability of the results in time. The prediction performance was assessed by using the root mean square error criterion (RMSE), which is the most popular prediction error measure, and the Mean Absolute Scaled Error (MASE) which, according to (Hyndman and Koehler 2006), is the more adequate way of comparing prediction accuracies.

For both data sets, the learning phase was stopped after 500 samples and the remaining data served to test the models. Results are shown in table 1.

4.4 Discussion

a) Accuracy of predictions

According to the results of table 1, exTS performs better predictions than the ANFIS model. Indeed, for the industrial dryer (data set 1), both RMSE and MASE are lower with exTS than with ANFIS. An illustration of it is given in Fig. 5.

However, in the case of the air temperature data set, exTS does not provide better results than ANFIS (RMSE and MASE are quite the same). Moreover, as shown in Fig. 6, the error spreads of both models are very similar. Yet, one can point out that exTS only needs 6 fuzzy rules to catch the behavior of the studied phenomenon (against 32 for the ANFIS model). This leads us to consider the complexity of the structure of both prediction systems.

b) Complexity of the prediction systems

Let us take the example of the last line of table 1 to compare the structures of the ANFIS and exTS models. The number of parameters for both systems is detailed in table 2.

Table 2. Complexity of the prediction systems. Structural properties for the air temperature benchmark at t + 10.

Criteria                  ANFIS                 exTS
nb inputs                 5                     5
nb rules                  32                    6
type of mf                Gaussian              Gaussian
antecedent parameters
  mf/input                2                     = nb rules = 6
  tot. nb of mf           2 × 5                 6 × 6
  parameters/mf           2                     2
  ant. parameters         2 × 2 × 5 = 20        2 × 6 × 5 = 60
consequent parameters
  parameters/rule         6 (5 inputs + 1)      6
  cons. parameters        6 × 32 = 192          6 × 6 = 36
parameters                20 + 192 = 212        60 + 36 = 96

As there are 5 inputs for the Air Temperature application (see 4.2), and assuming Gaussian membership
functions for the antecedent fuzzy sets, the ANFIS model is composed of 212 parameters. Following that, with a more complex application than that of the benchmark studied in the paper, an ANFIS system can quickly be limited by the number of inputs (because the number of parameters to be updated increases). In addition, classically, one says that the number of learning samples for the ANFIS model must be more than five times the number of parameters, which can be critical for industrial practitioners.

In opposition, exTS evolves only if there are significant modifications of the input-output variables, as it has an on-line learning process: exTS starts from scratch with a single rule, and modifications or additions of rules are made only if relevant. As a consequence, for the same prediction purpose, an exTS system can have the same prediction accuracy as an ANFIS model but with fewer rules (6 vs 32 in the case considered in table 2). This complexity reduction of the prediction system can also be pointed out by considering the total number of parameters (96 vs 212).

c) Computation efficiency

Finally, although it cannot be fully developed in the paper, exTS is much more computationally effective than the ANFIS system. This can be explained from two complementary points of view. Firstly, as stated before, an exTS system can perform predictions with a slighter structure than the ANFIS, which implies that fewer parameters have to be updated. Secondly, when using an exTS system, all learning algorithms are recursive ones, which allows the on-line use of the system and ensures the rapidity of treatments.

5 CONCLUSION

In the maintenance field, prognostic is recognized as a key feature, as the estimation of the remaining useful life of equipment allows avoiding inopportune maintenance spending. However, it can be difficult to define and implement an adequate and efficient prognostic tool that includes the inherent uncertainty of the prognostic process. Indeed, an important task of prognostic is that of prediction. Following that, prognostic can also be seen as a process that allows reliability modeling. In this context, the purpose of the work reported in this paper is to point out an accurate prediction technique to perform the approximation and prediction of the degradation of equipment.

According to real implementation restrictions, neuro-fuzzy systems appear to be well suited for practical problems where it is easier to gather data (online) than to formalize the behavior of the system being studied. More precisely, the paper points out the accuracy of the exTS model in prediction. The exTS model has a high level of adaptation to the environment and to the changing data. It is thereby an efficient tool for complex modeling and prediction. Moreover, no assumption on the structure of exTS is necessary, which is an interesting characteristic for practical problems in industry. The exTS is finally a promising tool for reliability modeling in prognostic applications.

Developments are at present extended in order to characterize the error of prediction at any time and thereby provide confidence intervals to practitioners. The way of ensuring a confidence level is also studied. This work is led with the objective of being integrated into an e-maintenance platform at a French industrial partner (em@systec).

REFERENCES

Angelov, P. and D. Filev (2003). On-line design of Takagi-Sugeno models. Springer-Verlag Berlin Heidelberg: IFSA, 576–584.
Angelov, P. and D. Filev (2004). An approach to online identification of Takagi-Sugeno fuzzy models. IEEE Trans. on Syst. Man and Cybern.—Part B: Cybernetics 34, 484–498.
Angelov, P. and X. Zhou (2006). Evolving fuzzy systems from data streams in real-time. In Proceedings of the Int. Symposium on Evolving Fuzzy Systems, UK, pp. 26–32. IEEE Press.
Byington, C., M. Roemer, G. Kacprzynski, and T. Galie (2002). Prognostic enhancements to diagnostic systems for improved condition-based maintenance. In 2002 IEEE Aerospace Conference, Big Sky, USA.
Chinnam, R. and B. Pundarikaksha (2004). A neurofuzzy approach for estimating mean residual life in condition-based maintenance systems. Int. J. Materials and Product Technology 20:1–3, 166–179.
Ciarapica, F. and G. Giacchetta (2006). Managing the condition-based maintenance of a combined-cycle power plant: an approach using soft computing techniques. Journal of Loss Prevention in the Process Industries 19, 316–325.
Espinosa, J., J. Vandewalle, and V. Wertz (2004). Fuzzy Logic, Identification and Predictive Control (Advances in Industrial Control). N.Y., Springer-Verlag.
Goebel, K. and P. Bonissone (2005). Prognostic information fusion for constant load systems. In Proceedings of 7th annual Conference on Fusion, Volume 2, pp. 1247–1255.
Hyndman, R. and A. Koehler (2006). Another look at measures of forecast accuracy. International Journal of Forecasting 22–4, 679–688.
ISO 13381-1 (2004). Condition monitoring and diagnostics of machines—prognostics—Part 1: General guidelines. Int. Standard, ISO.
Iung, B., G. Morel, and J.B. Léger (2003). Proactive maintenance strategy for harbour crane operation improvement. Robotica 21, 313–324.
Jang, J. and C. Sun (1995). Neuro-fuzzy modeling and control. In IEEE Proc., Volume 83, pp. 378–406.
Jardine, A., D. Lin, and D. Banjevic (2006). A review on machinery diagnostics and prognostics implementing condition-based maintenance. Mech. Syst. and Sign. Proc. 20, 1483–1510.
Kasabov, N. and Q. Song (2002). DENFIS: Dynamic evolving neural-fuzzy inference system and its application for time-series prediction. IEEE Transactions on Fuzzy Systems 10–2, 144–154.
Muller, A., M.C. Suhner, and B. Iung (2008). Formalisation of a new prognosis model for supporting proactive maintenance implementation on industrial system. Reliability Engineering and System Safety 93, 234–253.
Vachtsevanos, G., F.L. Lewis, M. Roemer, A. Hess, and B. Wu (2006). Intelligent Fault Diagnosis and Prognosis for Engineering Systems. New Jersey, Hoboken: Wiley & Sons.
Wang, P. and D. Coit (2004). Reliability prediction based on degradation modeling for systems with multiple degradation measures. In Proc. of Reliab. and Maintain. Ann. Symp.—RAMS, pp. 302–307.
Wang, W., M.F. Goldnaraghi, and F. Ismail (2004). Prognosis of machine health condition using neurofuzzy systems. Mech. Syst. and Sig. Process. 18, 813–831.
Zhang, G., B.E. Patuwo, and M.Y. Hu (1998). Forecasting with artificial neural networks: the state of the art. Int. Journal of Forecasting 14, 35–62.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
J.C. García-Díaz
Applied Statistics, Operations Research and Quality Department,
Polytechnic University of Valencia, Valencia, Spain
ABSTRACT: Fault detection and diagnosis is an important problem in continuous hot dip galvanizing, and the increasingly stringent quality requirements in the automotive industry have also demanded ongoing efforts in process control to make the process more robust. Multivariate monitoring and diagnosis techniques have the power to detect unusual events while their impact is too small to cause a significant deviation in any single process variable. Robust methods for outlier detection in process control are a tool for the comprehensive monitoring of the performance of a manufacturing process. The present paper reports a comparative evaluation of robust multivariate statistical process control techniques for process fault detection and diagnosis in the zinc-pot section of a hot dip galvanizing line.
Figure 3. Batch unfolding PCA score plot for all variables and all batches with 90%, 95% and 99% confidence limits.

Figure 4. On-line Hotelling T²-statistic and SPE control charts with 95% and 99% control limits for batch 17.

Figure 5. Batch unfolding PCA SPE statistic chart for batch 17.
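The T² and SPE charts of Figures 4 and 5, and the SPE contribution plots discussed in the following section, rest on a PCA model fitted to in-control reference data. The block below is an added example, not the paper's code: it uses a plain power-iteration PCA with one retained component, and the three-variable reference data, the two fault observations and the 99th-percentile empirical limits (used here in place of the theoretical limits and the MCD-robust reference set of the paper) are all constructed inside the block.

```python
"""PCA-based multivariate monitoring: Hotelling T^2, SPE and SPE contributions.

Added example (not the paper's code).  Pure Python, no numpy: the reference
(in-control) data, the fault observations and the empirical limits are all
constructed here.  Assumptions: one retained principal component, and control
limits taken as the 99th percentile of the reference statistics instead of
the theoretical limits used in the paper.
"""
import math
import random


def mean_center(X):
    """Return (centered rows, column means)."""
    n, p = len(X), len(X[0])
    mu = [sum(row[j] for row in X) / n for j in range(p)]
    return [[row[j] - mu[j] for j in range(p)] for row in X], mu


def covariance(Xc):
    n, p = len(Xc), len(Xc[0])
    return [[sum(r[i] * r[j] for r in Xc) / (n - 1) for j in range(p)]
            for i in range(p)]


def leading_eigenpair(C, iters=500):
    """Power iteration: dominant eigenvector (unit norm) and its eigenvalue."""
    p = len(C)
    v = [1.0] * p
    for _ in range(iters):
        w = [sum(C[i][j] * v[j] for j in range(p)) for i in range(p)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    lam = sum(v[i] * C[i][j] * v[j] for i in range(p) for j in range(p))
    return v, lam


def fit_pca(X, k=1):
    """PCA model with k components via power iteration and deflation."""
    Xc, mu = mean_center(X)
    C = covariance(Xc)
    p = len(C)
    loadings, eigvals = [], []
    for _ in range(k):
        v, lam = leading_eigenpair(C)
        loadings.append(v)
        eigvals.append(lam)
        # remove the found component before looking for the next one
        C = [[C[i][j] - lam * v[i] * v[j] for j in range(p)] for i in range(p)]
    return {"mean": mu, "P": loadings, "lam": eigvals}


def t2_spe(model, x):
    """Hotelling T^2, SPE and per-variable SPE contributions for one sample."""
    mu, P, lam = model["mean"], model["P"], model["lam"]
    xc = [x[j] - mu[j] for j in range(len(x))]
    scores = [sum(v[j] * xc[j] for j in range(len(xc))) for v in P]
    t2 = sum(t * t / l for t, l in zip(scores, lam))
    xhat = [sum(t * v[j] for t, v in zip(scores, P)) for j in range(len(xc))]
    contrib = [(xc[j] - xhat[j]) ** 2 for j in range(len(xc))]   # residual^2 per variable
    return t2, sum(contrib), contrib


def empirical_limit(values, q=0.99):
    """q-quantile of the reference statistic, used as the control limit."""
    s = sorted(values)
    return s[min(len(s) - 1, math.ceil(q * len(s)) - 1)]


def build_demo():
    """Constructed reference data: three variables driven by one latent factor."""
    rng = random.Random(7)
    ref = []
    for _ in range(80):
        t = rng.uniform(-1.0, 1.0)
        ref.append([1.0 * t + rng.gauss(0, 0.05),
                    2.0 * t + rng.gauss(0, 0.05),
                    0.5 * t + rng.gauss(0, 0.05)])
    model = fit_pca(ref, k=1)
    stats = [t2_spe(model, x) for x in ref]
    limits = {"T2": empirical_limit([s[0] for s in stats]),
              "SPE": empirical_limit([s[1] for s in stats])}
    return model, limits


def classify(model, limits, x):
    """Flag the sample and rank variables by SPE contribution (largest first)."""
    t2, spe, contrib = t2_spe(model, x)
    ranked = sorted(range(len(contrib)), key=lambda j: -contrib[j])
    return {"T2": t2, "SPE": spe,
            "T2_alarm": t2 > limits["T2"],
            "SPE_alarm": spe > limits["SPE"],
            "contrib_rank": ranked}


if __name__ == "__main__":
    model, limits = build_demo()
    # Constructed faults: one breaks the Var1/Var2 correlation (SPE alarm),
    # one is an extreme but internally consistent operating point (T^2 alarm).
    for name, x in [("correlation break", [1.0, -1.0, 0.0]),
                    ("extreme point", [4.0, 8.0, 2.0])]:
        print(name, classify(model, limits, x))
```

The ranking returned in `contrib_rank` is what a contribution plot such as Figure 7 shows graphically: the variables whose residuals dominate the SPE at the moment the limit is violated. The two constructed faults illustrate why both statistics are charted: a break in the correlation structure is invisible to T² but raises the SPE, while an extreme operating point that still respects the correlations raises T² only.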
Figure 7. Contribution plots of the variables contributing to the SPE for batch 7, batch 18, and batch 19.

control charts show that the process itself evolves over time as it is exposed to various disturbances such as temperature changes; after the process instability occurred, the projected process data returned to the confidence limits. The disturbance will be discussed below using the contribution plots.

Contribution plots of the variables, at the time when the SPE limit is violated, are generated and the variables with an abnormally high contribution to the SPE are identified. Figure 7 illustrates the results of fault classification in batches 7, 18 and 19. In order to identify the variables that caused this abnormal situation, contribution plots of the variables contributing to the SPE at the time when the SPE violated the limits are generated. Variables 2, 5 and 6 (bath temperatures at strategic points of the pot) seem to be the major contributors to the SPE.

4 CONCLUSIONS

Multivariate monitoring and diagnosis techniques have the power to detect unusual events while their impact is too small to cause a significant deviation in any single process variable. This is an important advantage because this trend towards abnormal operation may be the start of a serious failure in the process. This paper shows the performance monitoring potential of MSPC and the predictive capability of robust statistical control by application to an industrial process. The paper has provided an overview of an industrial application of multivariate statistical process control based performance monitoring through

Outliers were identified, based on the robust distance. Again, we remove all detected outliers and repeat the process until a homogeneous set of observations is obtained. The final set of data is the in-control set or reference data. The robust estimates of location and scatter were obtained by the MCD method of Rousseeuw. Hotelling T² and SPE control charts for the reference data are carried out for monitoring the multivariate process. Contributions from each fault detected using a PCA model are used as a fault identification approach to identify the variables contributing most to the abnormal situation.

REFERENCES

Dunia, R. and Qin, S.J. 1998a. Subspace approach to multidimensional fault identification and reconstruction. American Institute of Chemical Engineering Journal 44(8): 1813–1831.
Dunia, R. and Qin, S.J. 1998b. A unified geometric approach to process and sensor fault identification. Computers and Chemical Engineering 22: 927–943.
Himmelblau, D.M. 1978. Fault Detection and Diagnosis in Chemical and Petrochemical Processes. Elsevier, Amsterdam.
Jackson, J.E. 1991. A User's Guide to Principal Components. Wiley-Interscience, New York.
Nomikos, P. and MacGregor, J.F. 1995. Multivariate SPC charts for monitoring batch processes. Technometrics 37(1): 41–59.
Rousseeuw, P.J. and Van Driessen, K. 1999. A fast algorithm for the minimum covariance determinant estimator. Technometrics 41: 212–223.
Tang, N.-Y. 1999. Characteristics of continuous galvanizing baths. Metallurgical and Materials Transactions B 30: 144–148.
Verboven, S. and Hubert, M. 2005. LIBRA: a Matlab library for robust analysis. Chemometrics and Intelligent Laboratory Systems 75: 127–136.
M.L. Penalva
Fatronik. San Sebastian, Spain
ABSTRACT: The motivation of this paper is to minimize the flatness errors in hard turning (facing) operations of hardened tool steel F-5211 (AISI D2) discs using Polycrystalline Cubic Boron Nitride (PCBN) tools with finishing cutting conditions. To achieve this, two strategies have been developed. The first is an on-line Conditional Preventive Maintenance (CPM) system based on monitoring a parameter that correlates well with the geometrical error, namely the passive component of the force exerted by the workpiece on the tool. The second strategy is more sophisticated and consists of the development of an on-line Error Compensation System that uses the error value estimated by the first strategy to modify the tool trajectory in such a way that flatness errors are kept within tolerances. Moreover, this procedure allows the life of the tools to be extended beyond the limit established by the first CPM system and also reduces part scrap and tool purchasing costs.
Figure 3. Flatness error profile on a hard turned disc of 150 mm external and 50 mm internal diameters.

3 TEST CONDITIONS
Table 1. Experimental work done for the analysis of flatness error.

Material: UNE F-5211 (62 HRC hardness)
Figure 6. Diagram of tool tip expansion and force generated due to heat power.

Figure 7. Flatness error (above) and passive force (below) during the facing of a hard steel disc with V = 180 m/min, feed and cutting depth of 0.1 mm, with a PCBN tool with VB_max = 0.15 mm.

larger than the cutting and feeding forces and, as a result, could be a facing error estimator although, so far, it has not received much attention in the literature (Lazoglu, 2006).

Figure 7 depicts the evolution of the local flatness error ef(d) at the top and the Fp force at the bottom of a randomly selected pass, and a remarkable similarity in their shapes can be observed. This suggests that the correlation between the two may be high.

The correlation coefficient between ef(d) and (Fp(150) − Fp(d)) was calculated for all the tools and the results show that it is greater than 0.95 for 90% of all the cases. Fp(d) is the passive force at diameter d and Fp(150) is the force at the external diameter of the disk where all passes begin. The remaining 10% (8 passes) with a value below 0.95 corresponded to fresh tools (cut length below 500 m), but since fresh tools always give acceptable errors, it can be concluded that, where the tool wear level is high enough to produce unacceptable errors, the correlation of the two curves is good and therefore the ef error can be estimated by recording Fp.

Once it is demonstrated that a linear relationship exists between ef(d) and Fp, the next step is to find its arithmetic expression. To do this, 7 diameters were

$$e_f(d) = 5.52 + 0.23\,\bigl(F_p(150) - F_p(d)\bigr) \qquad (1)$$

with a linear regression value of 77.6% that is statistically significant.

Since experiments have shown that for any pass the maximum value of the error variation is always located at the minimum diameter (50 mm), equation (1) particularized for this point can identify the pass where the total error Ef has reached such a critical value that the operator should proceed to replace the worn out tool. Therefore a Conditional Preventive Maintenance (CPM) strategy has been developed. It indicates when a tool should be replaced to keep errors below a critical level.

5 FLATNESS ERROR COMPENSATION STRATEGY

One step further in the direction of tool use optimization is the development of an Error Compensation System that allows the "on-line" correction of the tool tip trajectory as it deviates during the facing pass as a result of the tool tip expansion.
Figure 9. "On-line" compensation strategy diagram.

This is possible by implementing equation (1) in a machine tool with an open CNC control. The system (Figure 9) performs the following tasks:

1 Data acquisition and analysis
2 PC-CNC communication
3 New tool position generation

5.1 Data acquisition and analysis

In this module, the passive force Fp(d) signal is first obtained by a dynamometer mounted on the tool turret, then it is captured by a National Instruments DAQ board and is then analyzed by a PC using a specific software application that has been developed in LabVIEW. In the PC the (Fp(150) − Fp(d)) values are calculated for a number of positions which depend on the required accuracy, and finally through equation (1) the corresponding ef(d) are estimated.

5.2 PC-CNC communication

Once ef(d) has been calculated in 5.1, an analog signal with the appropriate compensation value is generated in the LabVIEW application and sent to the CNC unit of the machine via a DAQ board analog output.

5.3 New tool position generation

The machine PLC (Programmable Logic Controller), which periodically analyses all the machine parameters, registers the compensation value of the signal input that has been received by the CNC and writes it in the tool compensation parameter of the machine so that the Z drive motor can modify the Z coordinate of the tool tip to compensate for the flatness error. The correction period can be selected by the operator but it will always be higher than the Z axis cycle time (a few centiseconds). For common hard facing cutting speeds and feeds, periods between 0.1 and 1 seconds can give decent compensation results.

6 CONCLUSIONS

A Conditional Preventive Maintenance (CPM) system has been developed for the estimation of the part error value in a hard turning (facing) operation. It is based on the passive component of the force exerted by the workpiece on the tool. This system presents two advantages over the well known Systematic Preventive Maintenance systems: an important reduction in workpiece scrap and a more efficient use of the tools.

An Error Compensation System (ECS) has also been developed. It employs the error value that has been estimated with the CPM mentioned above to compensate the tool trajectory in such a way that flatness errors are kept within tolerances even using tools with a wear level that had been rejected by the CPM system. Compared to the CPM system, the ECS gives better part quality and extends the life of the tools.

ACKNOWLEDGEMENTS

This work has been made under the CIC marGUNE framework and the authors would like to thank the Basque Government for its financial support.

REFERENCES

Grzesik, W. and Wanat, T. 2006. Surface finish generated in hard turning of quenched alloy steel parts using conventional and wiper ceramic inserts. International Journal of Machine Tools & Manufacture.
König, W.A., Berktold, A. and Kich, K.F. 1993. Turning vs grinding—A comparison of surface integrity aspects and attainable accuracies. CIRP Annals 42/1: 39–43.
Lazoglu, I., Buyukhatipoglu, K., Kratz, H. and Klocke, F. 2006. Forces and temperatures in hard turning. Machining Science and Technology 10/2: 157–179.
Luce, S. 1999. Choice criteria in conditional preventive maintenance. Mechanical Systems and Signal Processing 13/1: 163–168.
Özel, T. and Karpat, Y. 2005. Predictive modelling of surface roughness and tool wear in hard turning using regression and neural networks. International Journal of Machine Tools & Manufacture 45/4–5: 467–479.
Penalva, M.L., Arizmendi, M., Díaz, F. and Fernández, J. 2002. Effect of tool wear on roughness in hard turning. Annals of the CIRP 51/1: 57–60.
Rech, J., Lech, M. and Richon, J. 2002. Surface integrity in finish hard turning of gears. Metal Cutting and High Speed Machining, Kluwer, pp. 211–220.
Santos, J., Wysk, R.A. and Torres, J.M. 2006. Improving Production with Lean Thinking. John Wiley & Sons, Inc.
Scheffer, C., Kratz, H., Heyns, P.S. and Klocke, F. 2003. Development of a tool wear-monitoring system for hard turning. International Journal of Machine Tools & Manufacture 43: 973–985.
Schwach, D.W. and Guo, Y.B. 2006. A fundamental study on the impact of surface integrity by hard turning on rolling contact fatigue. International Journal of Fatigue 28/12: 1838–1844.
Sukaylo, V., Kaldos, A., Pieper, H.-J., Bana, V. and Sobczyk, M. 2005. Numerical simulation of thermally induced workpiece deformation in turning when using various cutting fluid applications. Journal of Materials Processing Technology 167: 408–414.
Zhou, J.M., Andersson, M. and Ståhl, J.E. 2004. Identification of cutting errors in precision hard turning process. Journal of Materials Processing Technology 153–154: 746–750.
ABSTRACT: Maintenance policies are driven by specific needs such as availability, time and cost reduction. In order to achieve these targets, the recent maintenance approach is based on a mix of different policies such as corrective, planned and curative. The significance of the predictive activities is becoming more and more important for the new challenges concerning machine and plant health management.
In the present paper we describe our experience in the development of a rule-based expert system for the electric locomotive E402B used in the Italian railway system, in order to carry out an automated prognostic process. The goal of the project was to develop an approach able to improve the maintenance performance. In particular we would like to develop an advanced prognostic tool able to deliver the work orders. This specific issue has been identified and requested by the maintenance operators as the best and the only solution that could ensure some results.
of the true integration of the prognostic approach within the maintenance strategies.

Table 2. Maintenance data & information.

Data | Description | Database
A maintenance note can have three different origins, each one with its specific identification code:
• ZA, if it comes from a note in the trip book of the drivers. These are advices collected during the mission and generally point out some abnormal conditions;
• ZB, if it comes from the inspection of the locomotive when it enters the maintenance workshop;
• ZC, this code has been provided for a future automated monitoring system that will be able to diagnose the state of the vehicles.

The opinion of the experts is simply recorded in a worksheet. Nevertheless the information included is very useful to understand what has really happened to a locomotive in case of an alarming failure. Sometimes also some suggestions for the development of a correct approach to manage the fault are reported, and some indications about when it would be better to intervene.

After reporting the list of data & information available in the three different non-integrated databases, the next paragraph will explain how they are managed and used to perform the diagnosis of the degradation state of a locomotive and the subsequent maintenance activities.

3 THE CURRENT MAINTENANCE MANAG EMENT PROCESS—"AS IS"

A diagnostic system has the main goal of executing an on-condition maintenance policy in order to prevent failures and, when faults eventually occur, may help in precisely identifying the root causes.

At the present time the maintenance process of the locomotives' owner provides two different procedures for carrying out a work order. Both of them generate either corrective or planned maintenance operations. Usually a locomotive goes into a maintenance workshop only if a deadline of the maintenance plan has expired or if there is heavy damage that causes some delays or a reserve.

The fact remains that the suggestions of the on-board diagnostic system are currently ignored. The only way to look at the operational data is the on-board driver's logbook. In such a document the abnormal conditions, episodes or events (event code) are reported as long as the on-board operator considers them important for the future maintenance activities.

Moreover, the maintenance notes can be generated by a maintenance worker when the locomotive is in maintenance operation for a planned task or for a problem detected in the general inspection when it enters the workshop. This general initial inspection obviously includes the analysis of the travel book.

This approach doesn't allow a clear correspondence between maintenance notes and work orders because, as predictable, very often a work order contains the reports of a few maintenance notes. Sometimes it can also happen that a single work order contains at the same time tasks coming from the maintenance plan and from abnormal conditions signaled in the operational state.

The next image is meant to represent the different processes that can lead to a definite maintenance activity on the vehicles.

Figure 1. Work order generation process.

3.2 What happens to a locomotive?

The maintenance process just described provokes a strong lack of balance in the maintenance frequencies. For a long period (three or four weeks) a vehicle is not maintained and it is recalled to the workshop only if a severe fault occurs or if a planned task must be accomplished. This approach generates a big heap of stress due to the natural process of decay of the locomotive's main equipment. This behavior usually involves a series of serious damages, a debacle for the mission of the train.
for a long time and sometimes it is very difficult to restore the right knowledge.

Since the locomotive's manufacturers are no longer traceable, while the diagnostic system's manufacturers are still in good relations, a lot of helpful information has been lost.

On the other hand the maintenance data are very often extremely poor in terms of information. This is due mainly to the maintenance operators' approach, which doesn't give the right value to the collection of maintenance data. Hence the description of the maintenance activities doesn't allow one to understand accurately which tasks have actually been accomplished.

Although our locomotives belong to a previous generation, without any chance of improvement, the average age of the vehicles is very low. For this reason the fleet hopefully still has many years of operation before it, justifying the efforts, in terms of human resources (experts) and technological investments (diagnostic system), aimed at improving the maintenance strategy.

In the next paragraphs we will report on the analysis and studies performed to carry out a diagnostic and prognostic approach, able to take some more advantage from the existing data.

4 EXPERT SYSTEM DEVELOPMENT

The available data and their attributes suggested to us that a rule-based system would be the most suitable approach in order to improve the maintenance performance.

Considering Figure 2, on the one side we have the data coming from the operational phase. They are very unmanageable, as we will show in the next paragraph, but if properly treated they represent very important information and a signal of the incipient fault.

Figure 2. Scheme of the available data.

On the other side of the picture we can see the maintenance data. Unfortunately their poor quality doesn't allow us to use them to drive the rule construction process, as expected for an ideal system configuration. At the moment the maintenance information can barely be used to receive a confirmation after a diagnosis carried out from the diagnostic code of the on-board monitoring system.

A diagnostic rule is a proposition composed of two arguments, the hypothesis and the thesis. The hypotheses (XX, YY) are the events that must happen in order to generate an event (ZZ) and therefore verify a thesis. If the diagnostic rule is maintenance oriented, in place of the cause the rule can contain the specific maintenance activity able to interrupt the degradation or to resolve a breakdown if the fault has already occurred.

In the case of advanced diagnostic systems the rule can be prognostics oriented. This means that the thesis statement is a prediction of the remaining life to failure of the monitored component.

In the case of on-condition based maintenance, the thesis statement contains the prediction of the deadline for performing the appropriate maintenance activities. These actions should be able to cut off or at least manage the incoming component failure. The following chart is meant to explain these different rule methods.

Figure 3. Rule construction approach.

In this project one of the goals is to gain a prognostic approach from the diagnostic system. Possibly it should also be biased toward conducting on-condition maintenance. So the thesis declaration will be generated by matching the user's manual indications, the experts' suggestions and the work order activity descriptions.

Since the hypotheses are the most critical element in the rule, they will be extracted from the on-board diagnostic database by a significant statistical treatment. We used the techniques developed for process control in order to manage a huge amount of data.
5 DATA ANALYSIS AND TREATMENT

As mentioned in paragraph 2, at the moment the available data of the on-board diagnostic system are only those of locomotives number (#) 107 and 119. As reported in the following table, the data comparison shows a significant difference between the two vehicles. Locomotive #107 has nearly twice the number of codes per kilometer of #119. Conversely the maintenance activities are distributed with the opposite ratio: #119 has roughly 33% more maintenance operations than #107. The data used in the analysis were collected over five months, from January to May 2007.

Although they are identical in design, in all subsystems' characteristics and in operational and maintenance management, each rolling stock has its own specific behavior. So the diagnostic approach, based on statistical methods, can't be developed without considering the specific vehicle. Aging obviously causes a natural and unavoidable drift of the functional parameters. This phenomenon is strongly amplified in complex systems, as a modern electric locomotive is, where all the subsystems are dependent on each other. Accordingly the time dependence of the reference parameters will be appreciated to guarantee a dynamic diagnostic process.

5.1 Filtering

First of all, the most important action of the data treatment was the filtering that allowed the management of a suitable amount of information.

As reported in Table 3, the initial number of codes was very high: the average production is 1.8 codes·km⁻¹ and 0.8 codes·km⁻¹ respectively for #107 and #119.

The progressive filtering procedure and its results in terms of code identification are reported in the following table. For each step the reason for the choice is also reported.

The first step of the filtering process is due to the indications reported in the user's manuals, where it is shown which codes are useful in support of the driver for the management of abnormal conditions during the mission. The next removal hits the codes whose meaning is completely unknown and those codes whose related information is not enough. This unpleasant circumstance is due to a bad management of the fleet's documentation; many events, such as diagnostic system uploads or modifications, are still not mapped by the user, so now and then important knowledge is lost. The final number is achieved through the cutting of the many life messages and of some codes considered not reliable after a technical discussion with some maintenance experts.

In Figure 4 the data of locomotive #119 are shown. Starting from this point of the paper until the end, we will show the study results for these data. The same process was carried out for the other vehicle but, for brevity's sake, it won't be described since the results are significantly similar.

Figure 4. Filtering process.

5.2 Pareto analysis and codes classification

The diagnostic system is based on about two hundred different codes. Their great number led us to perform a Pareto analysis in order to identify the most important codes. The results in terms of code occurrence are reported in the following diagram.

As clearly visible, the most frequent eight codes correspond to 80% of the occurrences. Although they
could be easily clustered in two different sets referring to two subsystems of the locomotive (engineer's cab HVAC and AC/DC power transformation), we will treat them separately without considering any mutual interaction.

Another important element is the logic of code generation by the on-board diagnostic system. As mentioned in paragraph 2, a diagnostic code is generated when a set of specific physical parameters reach their threshold values. This means that abnormal operating conditions have been reached. Each code record has a start time and an end time field, representing respectively the appearance and disappearance of the anomalous conditions. The values of these attributes allow us to suggest a classification of codes based on the duration of the abnormal conditions:
• Impulsive signal: code with the same value for the start time and end time. It means that the duration of the abnormal conditions is less than a second;
• Enduring signal: code with different values for the start time and the end time. The duration has a high variability (from some seconds up to some hours);
• Ongoing signal: code characterized by a value for the start time but without an end time. It means an abnormal condition is still persistent.

Many codes are generated by different arrangements of signals. Nevertheless they represent an alteration of the equipment's state, so they are able to describe the states of the locomotive's subsystems.

6 THE PROPOSED METHODOLOGY

6.1 Statistical process control

Production processes will often operate under control, producing acceptable product for quite long periods. Occasionally some assignable cause will occur and it results in a shift to an out-of-control state, where a large proportion of the process output does not conform anymore to the user's requirements. The goal of statistical process control is to quickly detect the occurrence of precise causes or process shifts so that investigation of the process and corrective actions might be undertaken before many nonconforming units are manufactured.

The control chart is an online process-monitoring technique widely used for this purpose. It is a tool useful for describing what is exactly meant by statistical control. Sample data are collected and used to construct the control chart, and if the sampled values fall within the control limits and do not exhibit any systematic pattern, we can say that the process is in control at the level indicated by the chart.

Control charts may be classified into two general types:
• variables control charts (Shewhart, CUSUM, EWMA), when the variable is measurable and its distribution has a central tendency;
• attributes control charts (p-charts, np-charts, c-charts, u-charts), when the variable is not measurable and its occurrence is characterized by a Poisson distribution.

Traditional control charts are univariate, i.e. they monitor an individual variable. This implies the assumption that the variables or the attributes used for describing the system are independent from each other. Using multivariate control charts, all the meaningful variables or attributes are used together. The information residing in their correlation structure is extracted and it allows a more efficient tracking of the process over time for identifying anomalous process points. Although the multivariate control charts seem more useful for describing complex processes, they are used less than the univariate ones. This is due to two reasons: the univariate charts' utilization is simpler and more efficient; moreover, a successful implementation of multivariate control charts often requires further statistical studies such as principal components analysis.

6.2 Control chart application

A diagnostic code represents an attribute describing the state of its corresponding subsystem. We have applied the u-chart, an attributes-dedicated control chart, to the daily code occurrences.

Our resulting control chart differs from the standard ones in some important parameter differentiations. The parameter expressions used are the following:

Central line:
$$CL = \frac{\sum_{i=1}^{m} u_i}{m} = \bar{u} \qquad (1)$$

Upper control limit:
$$UCL = \bar{u} + 3 \cdot \sqrt{\frac{\bar{u}}{n_i}} \qquad (2)$$

Lower control limit:
$$LCL = \max\left(\bar{u} - 3 \cdot \sqrt{\frac{\bar{u}}{n_i}},\; 0\right) \qquad (3)$$

Upper warning limit:
$$UWL = \bar{u} + 1.5 \cdot \sqrt{\frac{\bar{u}}{n_i}} \qquad (4)$$

where u_i is the daily frequency per kilometer of the code, m is the number of days when the process is
considered under control and $n_i$ is the daily distance covered by the vehicle.

The central line (CL) of the control chart has been calculated over a time interval ($m$ days) in which the considered locomotive is under statistical control, so the recorded diagnostic codes can be regarded just as noise, because they are generated by non-identifiable stochastic events.

The choice of the daily frequency per km as the chart variable forces us to let the control limits vary with the daily covered distance.

As reported above, the lower control limit is equal to the standard expression only when that expression is greater than zero; otherwise it is zero. This solution is adopted because the definition of a negative threshold for an event occurrence has no meaning. Moreover, we have introduced a further limit: the upper warning threshold. Its value is half of the UCL.

In the following diagram an example of the application of the control chart to a diagnostic code is reported.

Figure 6. u-chart for a diagnostic code.

6.3 The prognostic approach

In paragraph 4 we underlined how the expert system should be based on a rules approach with a prognostic focus. The data analysis process identifies the hypothesis of a rule as a threshold on the occurrence of a diagnostic code. On the other hand, the thesis of the rule is a maintenance note for the subsystem, including a deadline warning for carrying out the appropriate maintenance activity.

Hence the rule model sounds like the following assertion: if a diagnostic code's occurrence rises above a specific value, a maintenance action must be performed within a fixed time.

The definition of the control chart parameters was performed looking at the problem from this point of view; consequently, two different thresholds have been defined: UWL and UCL. Both of them correspond to a specific deadline:

• when a code occurrence gets over the UWL, the maintenance activity should be performed within five days;
• when a code occurrence gets over the UCL, the maintenance activity should be performed as soon as possible.

The use of the control charts as a monitoring tool for the reliability performance of the train introduces another important element: trend analysis, or else matching the observed trend with the experts' experience. When a code occurrence falls three times consecutively between CL and UWL, a degradation process must be in progress, so a maintenance activity should be scheduled within the following ten days.

7 FINAL CONSIDERATION

7.1 The next step of the analysis

There are a lot of opportunities for the extension of this project, following various directions. First of all, we could investigate the possibility of identifying specific thresholds and maintenance deadlines for each diagnostic code.

A second step could be the investigation of the daily code frequency in terms of run hours by a different attribute control chart (c-chart).

After that, we could try to carry out a multivariate statistical analysis, trying to cluster the codes belonging to the same subsystems. As foreseeable, they are conditioned by each other, but in this first phase of the analysis we did not have enough time to study their correlations.

Another important issue is the opportunity to investigate the daily permanence time of diagnostic codes, using the control charts as variables. Probably this data is more helpful in terms of information than the code occurrence.

7.2 Suggestion for the maintenance process

The project has highlighted some criticalities in the maintenance process management. On the other side, a wide set of opportunities and possible improvements has been outlined.

First of all, in order to return some helpful maintenance data, an important quality improvement should be carried out. This can be obtained by two main actions:

• a strong simplification of the data entry for the maintenance operators. A computerized check list of the possible entries for each field of the documents is
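The chart rules described above (equations (2)–(4), the two deadlines and the three-in-a-row trend rule), as an added Python example that is not code from the paper; the daily data are constructed, and the centre line is assumed to be the plain mean of the daily rates over the in-control days, since equation (1) is not reproduced on this page.

```python
"""Added example (not code from the paper): a u-chart on daily diagnostic-code
counts whose limits follow equations (2)-(4) and vary with the distance n_i
covered each day, plus the maintenance deadline rules and the trend rule."""
from dataclasses import dataclass
from math import sqrt
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Day:
    occurrences: int  # times the diagnostic code was recorded that day
    km: float         # daily distance covered by the vehicle, n_i

    @property
    def rate(self) -> float:
        """u_i: daily frequency of the code per kilometre."""
        return self.occurrences / self.km


def centre_line(in_control: List[Day]) -> float:
    """CL = u-bar over the m days in which the locomotive is under statistical
    control.  Assumption: u-bar is the plain average of the daily rates u_i
    (the paper's equation (1) is not reproduced on this page)."""
    if not in_control:
        raise ValueError("an in-control reference period is required")
    return sum(d.rate for d in in_control) / len(in_control)


def limits(u_bar: float, n_i: float) -> Tuple[float, float, float]:
    """Equations (2)-(4) for one day.  The spread sqrt(u_bar / n_i) shrinks as
    more kilometres are covered, and the LCL is clipped at zero because a
    negative threshold on an event count has no meaning."""
    spread = sqrt(u_bar / n_i)
    ucl = u_bar + 3.0 * spread
    lcl = max(u_bar - 3.0 * spread, 0.0)
    uwl = u_bar + 1.5 * spread
    return ucl, lcl, uwl


def evaluate(in_control: List[Day], monitored: List[Day]) -> List[Optional[str]]:
    """One verdict per monitored day, following the paper's rules:
       'ASAP'    rate above UCL: maintenance as soon as possible;
       '5 days'  rate above UWL: maintenance within five days;
       '10 days' third consecutive day between CL and UWL (degradation trend):
                 schedule maintenance within the following ten days;
       None      nothing to do."""
    u_bar = centre_line(in_control)
    verdicts: List[Optional[str]] = []
    run = 0  # consecutive days whose rate lies between CL and UWL
    for day in monitored:
        ucl, _lcl, uwl = limits(u_bar, day.km)
        verdict = None
        if day.rate > ucl:
            verdict, run = "ASAP", 0
        elif day.rate > uwl:
            verdict, run = "5 days", 0
        elif day.rate > u_bar:
            run += 1
            if run == 3:
                verdict, run = "10 days", 0
        else:
            run = 0
        verdicts.append(verdict)
    return verdicts


# Constructed data: five in-control days used to fit the chart, then six
# monitored days that drift from nominal through a slow trend to a clear shift.
IN_CONTROL = [Day(2, 400), Day(3, 600), Day(1, 500), Day(4, 500), Day(2, 500)]
MONITORED = [Day(2, 500), Day(3, 500), Day(3, 450), Day(4, 600), Day(6, 500), Day(8, 500)]

if __name__ == "__main__":
    u_bar = centre_line(IN_CONTROL)
    for day, verdict in zip(MONITORED, evaluate(IN_CONTROL, MONITORED)):
        ucl, _lcl, uwl = limits(u_bar, day.km)
        print(f"u_i={day.rate:.4f}  UWL={uwl:.4f}  UCL={ucl:.4f}  -> {verdict}")
```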
the only solution suggested by the maintenance experts' experience. A fixed number of choices per field can decrease the richness of the information, but can improve the data reliability and availability;
• an effective awareness campaign for the operators, who should be properly motivated by a specific training course and, eventually, by offering financial rewards.

Then we suggest the implementation of a computer-based platform able to:
• integrate all the data, coming from different sources, that are helpful for the prognostic approach;
• carry out the analysis process that has been developed in this paper.

Another important feature of the platform could be the chance to automatically generate the maintenance notes when a rule of the expert system based on statistical process control is verified. Only this type of integration and automation can be helpful to perform a properly predictive maintenance strategy.

7.3 Overview

This paper reports the partial results of a project that is still in progress, but it gives the possibility to face the most relevant and typical problems of the maintenance field.

As foreseeable, nowadays the available technology guarantees any data and information without any storage constraints or communication limits. So the current challenges are, on the one side, data management, in terms of integration and treatment by the expert system, and on the other side human resource management, in terms of expert experience formalization and field operator activities.

These issues have become necessary to implement a maintenance strategy based on a prognostic approach that should be able to meet the requirements of a competitive market.
Human factors
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: In this study, in order to validate the appropriateness of the R-TACOM measure, which can quantify the complexity of tasks included in procedures, an operator's response time, i.e., the elapsed time to accomplish a given task, was compared with the associated R-TACOM score. To this end, operator response time data were extracted under simulated Steam Generator Tube Rupture (SGTR) conditions of two reference nuclear power plants. As a result, it was observed that operator response time data seem to be soundly correlated with the associated R-TACOM scores. Therefore, it is expected that the R-TACOM measure will be useful for quantifying the complexity of tasks stipulated in procedures.
Figure 1. The overall structure of TACOM measure.

In this regard, Park et al. developed a measure called TACOM that can quantify the complexity of emergency tasks stipulated in the EOPs of NPPs (Park and Jung 2007a). Fig. 1 briefly depicts the overall structure of the TACOM measure.

As shown in Fig. 1, the TACOM measure consists of five sub-measures that represent five kinds of factors making the performance of procedures complicated. Detailed explanations about these complexity factors are provided in the references (Jung et al. 1999).

2.2 Validating TACOM measure

If the complexity of tasks stipulated in procedures can be properly quantified by the TACOM measure, then it is natural to assume that ''the performance of human operators can be soundly explained by the associated TACOM scores.'' Accordingly, in order to validate the appropriateness of the TACOM measure, it is crucial to elucidate what kinds of human performance data should be compared with TACOM scores.

In this regard, two kinds of human performance data, response time data and OPAS (Operator Performance Assessment System) scores, were compared with the associated TACOM scores. As a result, response time data as well as OPAS scores showed significant correlations with the associated TACOM scores (Park and Jung 2007a, Park and Jung 2007b).

2.3 The revision of TACOM measure

As illustrated in Fig. 1, the TACOM measure quantifies the complexity of a given task using the Euclidean norm of five sub-measures. This is based on the assumption that ''all the five complexity factors are mutually independent.'' Unfortunately, in the course of comparing response time data with the associated TACOM scores, a clue indicating that the independence assumption could be doubtful was observed from the analysis of correlation coefficients among the five sub-measures. That is, three variables (SSC, AHC and EDC) seem to be mutually dependent because they have relatively strong correlations (Park and Jung 2007c). In statistics, this problem is known as multicollinearity (Cohen et al. 2003).

Accordingly, it is indispensable to guard against the possibility of the multicollinearity problem among the five sub-measures.

In order to unravel this problem, creating a multi-item scale was considered, because this approach has been frequently applied to the treatment of psychological and sociological data. In creating a new scale, the scores of two or more variables are summed and/or averaged to form a single scale that represents the characteristics of the included variables. However, without a systematic framework that can provide a theoretical basis, it is likely to fail in creating an appropriate scale. For this reason, the theory of task complexity is revisited.
3 R-TACOM MEASURE

On the basis of the existing literature, Harvey suggested a generalized task complexity model that consists of three complexity dimensions, as depicted in Fig. 2 (Harvey & Koubek 2000).

In Fig. 2, it should be emphasized that this complexity model provides three orthogonal dimensions that affect the complexity of tasks. In other words, although many researchers have identified various kinds of dominant factors that can make the performance of tasks complicated, a model that provides the overall structure as well as the dependency among task complexity factors (e.g., the three orthogonal dimensions) seems to be very rare. In this regard, it is expected that this complexity model can be used as a technical basis to resolve the multicollinearity problem of the TACOM measure.

Figure 2. Generalized task complexity model by Harvey.

In the light of this expectation, the five sub-measures were reorganized along with the definition of the three dimensions included in the generalized task complexity model. Fig. 3 shows the reorganized structure of the TACOM measure (i.e., the R-TACOM measure) (Park and Jung 2007c).

4 COMPARING RESPONSE TIME DATA WITH THE ASSOCIATED R-TACOM SCORE

In order to investigate the appropriateness of the R-TACOM measure, two sets of response time data collected from nuclear power plants (NPPs) were compared with the associated R-TACOM scores. In the case of emergency tasks included in the emergency operating procedures (EOPs) of NPPs, a task performance time can be defined as the elapsed time from the commencement of a given task to its accomplishment. Regarding this, averaged task performance time data about 18 emergency tasks were extracted from the emergency training sessions of the reference NPP (plant 1) (Park et al. 2005). In total, 23 simulations were conducted under steam generator tube rupture (SGTR) conditions.

Similarly, averaged task performance time data about 12 emergency tasks under SGTR conditions were extracted from six emergency training sessions of another reference NPP (plant 2). It is to be noted that, although the nature of the simulated scenario is very similar, the emergency operating procedures of the two NPPs are quite different.

Fig. 4 represents the result of comparisons between averaged task performance time data and the associated TACOM as well as R-TACOM scores. For the sake of convenience, equal weights were used to quantify complexity scores (α = β = γ = ε = δ = 0.2

Figure 4. Comparing two sets of response time data with the associated R-TACOM scores.
plants. International Atomic Energy Agency, IAEA-TECDOC-341.
Johannsen, G., Levis, A.H. and Stassen, H.G. 1994. Theoretical problems in man-machine systems and their experimental validation. Automatica, vol. 30, no. 2, pp. 217–231.
Jung, W., Kim, J., Ha, J. and Yoon, W. 1999. Comparative evaluation of three cognitive error analysis methods through an application to accident management tasks in NPPs. Journal of the Korean Nuclear Society, vol. 31, no. 6, pp. 8–22.
Melamed, S., Fried, Y. and Froom, P. 2001. The interactive effect of chronic exposure to noise and job complexity on changes in blood pressure and job satisfaction: A longitudinal study of industrial employees. Journal of Occupational Health and Psychology, vol. 5, no. 3, pp. 182–195.
O'Hara, J.M., Higgins, J.C., Stubler, W.F. and Kramer, J. 2000. Computer-based Procedure Systems: Technical Basis and Human Factors Review Guidance. US Nuclear Regulatory Commission, NUREG/CR-6634.
Park, J. and Jung, W. 2007a. A study on the development of a task complexity measure for emergency operating procedures of nuclear power plants. Reliability Engineering and System Safety, vol. 92, no. 8, pp. 1102–1116.
Park, J. and Jung, W. 2007b. The appropriateness of TACOM for a task complexity measure for emergency operating procedures of nuclear power plants—a comparison with OPAS scores. Annals of Nuclear Energy, vol. 34, no. 8, pp. 670–678.
Park, J. and Jung, W. 2007c. A Study on the Revision of the TACOM Measure. IEEE Transactions on Nuclear Science, vol. 54, no. 6, pp. 2666–2676.
Park, J., Jung, W., Kim, J. and Ha, J. 2005. Analysis of human performance observed under simulated emergencies of nuclear power plants. Korea Atomic Energy Research Institute, KAERI/TR-2895/2005.
Stassen, H.G., Johannsen, G. and Moray, N. 1990. Internal representation, internal model, human performance model and mental workload. Automatica, vol. 26, no. 4, pp. 811–820.
Topi, H., Valacich, J.S. and Hoffer, J.A. 2005. The effects of task complexity and time availability limitations on human performance in database query tasks. International Journal of Human-Computer Studies, vol. 62, pp. 349–379.
Yoshikawa, H. 2005. Human-machine interaction in nuclear power plants. Nuclear Engineering and Technology, vol. 37, no. 2, pp. 151–158.
Kent Bladh
Vattenfall Power Consultant, Malmö, Sweden
Jan-Erik Holmberg
VTT (Technical Research Centre of Finland), Espoo, Finland
Pekka Pyy
Teollisuuden Voima Oy, Helsinki, Finland
ABSTRACT: The Enhanced Bayesian THERP (Technique for Human Reliability Analysis) method has been successfully used in real PSA studies at Finnish and Swedish NPPs. The method offers a systematic approach to qualitatively and quantitatively analyze operator actions. In order to better know its characteristics from a more international perspective, it has been subject to evaluation within the framework of the ''HRA Methods Empirical Study Using Simulator Data.'' This paper gives a brief overview of the method with major findings from the evaluation work, including identified strengths and potential weaknesses of the method. A number of possible improvement areas have been identified and will be considered in future development of the method.
2.2 Scenarios

In the pilot study, two variants of a steam generator tube rupture (SGTR) scenario were analyzed: 1) a basic case, i.e., a familiar/routinely practiced case, and 2) a more challenging case, the so-called complex case. In the complex case, the SGTR was masked by a simultaneous steamline break and a failure of all secondary radiation indications/alarms. It could be expected that operators have difficulties diagnosing the SGTR. The event sequence involves several operator actions, but this paper is restricted to the first significant operator action of the scenarios, i.e., isolation of the ruptured steam generator (SG).

2.3 HRA analysis teams

In order to facilitate the human performance predictions, the organizers of the experiment prepared an extensive information package for the HRA analysis teams, including descriptions of the scenarios, a description of the simulator and its man-machine interface, differences between the simulator and the home plant of the crews, procedures used in the simulator, characterization of the crews, their work practices and training. The task of the HRA analysis teams was to predict failure probabilities of the defined operator actions, e.g., isolation of the ruptured steam generator, and to qualitatively assess which PSFs affect positively or negatively the success or failure of the crew. The members of the Enhanced Bayesian THERP team included the authors of this paper.

2.4 Time criterion

On the empirical side, time was used as the criterion for defining success/failure of the crew performance. In the SG isolation case, the available time for the operator action was considered from the radiological consequence point of view, not from a core damage point of view. In order to avoid opening of a SG pressure relief valve, the crew should isolate the SG before overfilling it.

2.5 Performance shaping factors

The empirical identification of PSFs was based on a detailed analysis of simulator performances. Analysts viewed the video and transcribed key communications and events, and also used additional data sources, such as crew interviews, crew PSF questionnaires, and observer comments. Finally, the analyst summarized the observed episode in the form of an operational story, highlighting performance characteristics, drivers, and key problems. A specific method was used to rate the PSFs (Lois et al. 2007).

3 ENHANCED BAYESIAN THERP

The Enhanced Bayesian THERP (Technique for Human Reliability Analysis) method is based on the use of the time-reliability curve introduced in Swain's human reliability analysis (HRA) handbook (Swain & Guttmann 1983) and on the adjustment of the time-dependent human error probabilities with performance shaping factors (PSFs) (Pyy & Himanen 1996). The method is divided into a qualitative and a quantitative analysis part.

3.1 Qualitative analysis

The qualitative analysis consists of a modelling of the scenario with a block diagram and a description of the basic information of each operator action. The purpose of the block diagram is to define the operator actions in relation to relevant process events. The block diagram representation is close to a PSA event tree, but is usually a somewhat more detailed model than an event tree. The block diagram can also be used to present the dependencies between operator actions belonging to the same scenario. The purpose of the description of the basic information of each operator action is to consistently characterize the main aspects of an operator action, e.g., initiating event, scenario, time windows, support from procedures and MMI, practical maneuvers needed in the action and other noteworthy information.

The block diagram is also used to show the assumed dependencies between operator actions belonging to the same scenario. The blocks used in the diagram should have an exact correspondence with functional events (in event trees or system fault trees) of the PSA model. This is important in cases where operator action basic events are modeled in system fault trees, so that the link to event tree branches is not obvious. In this study, the operator actions were given, so the construction of the block diagrams did not serve to define the operator action basic events.

3.2 Quantitative analysis

The human error probability is derived using the time-dependent human error probability model as follows,

$$p(t) = \min\left(1,\; p_0(t)\prod_{i=1}^{5} K_i\right), \qquad (1)$$

where $p_0(t)$ is the basic human error probability taken from Swain & Guttmann 1983, see Figure 2, $t$ is the time available for identification and decision making, and $K_1, \ldots, K_5$ are the performance shaping factors. The min-function ensures that the final probability stays within the range 0 to 1.
[Figure 1: block diagram of the SGTR basic scenario. Blocks: Steam generator tube rupture (SGTR); Manual scram; Automatic scram (on low pressurizer pressure); Feedwater to SGs (auto-function); Safety injection to primary circuit (auto-function); Identification and isolation of the ruptured SG; Valves closed in all outlet and inlet paths of the ruptured SG; Sequence continues. End states: Anticipated transient without scram; SG dry-out, major SG rupture; Loss of core cooling; Unisolated SGTR, contamination of the secondary side, loss of primary coolant. Time annotations: 5 min; 8–10 min to go through E-0 and enter E-3; 5 min for step 3 of E-3. Technical failure branches are marked P = 0.]

Figure 1. Block diagram of the beginning of the SGTR basic scenario. Light grey boxes are operator actions, white boxes process events, and dark grey boxes end states of the event sequences. E-0 and E-3 are emergency operating procedures. The possibility of technical failures is not considered in this analysis (P = 0).

[Figure 2: Swain time-reliability curve. Probability of failure (log scale, 1E-7 to 1E+0) versus time for identification and decision making t [min] (log scale, 1 to 10000). Curves: Swain 95%, Swain median, Swain 5%, and the base probability.]

The time available for identification and decision making is shorter than the total time available for the operator action, $t_{tot}$, which is assumed to be composed of three parts as follows (Pyy & Himanen 1996):

where $t_{ind}$ is the time for first indication, $t$ the time for identification and decision making and $t_{act}$ the time for action. The following performance shaping factors are used:
K3: Quality and relevance of feedback from process (MMI)
K4: Mental load in the situation
K5: Need for coordination and communication.

Each performance shaping factor can receive a value 1/5, 1/2, 1, 2 or 5. A level above 1 means that the action has a complicating character compared to a ''nominal'' situation. Consequently, a level below 1 means that the action is easier than the nominal case. Level ''1'' means that the factor plays no major role or that this factor is at a nominal level.

The meaning of each value for each PSF is explained qualitatively in the method. For instance, regarding ''Quality and relevance of procedures,'' K1 = 1/5 is interpreted as ''Very good instructions, operators should not make any mistake,'' K1 = 1/2 as ''Good instructions, applicable for the situation and they support well the selection of correct actions,'' K1 = 1 as ''Instructions play no major role in the situation,'' K1 = 2 as ''Instructions are important but they are imperfect,'' and K1 = 5 as ''No instructions or misleading instructions, instructions would be needed.'' Explanations for the other PSFs are analogous.

The performance shaping factors are given independently by a number of experts, and these judgments are consolidated with a Bayesian approach. In this approach, the performance shaping factors are assumed to be random variables following a multinomial probability distribution,

$$P(K_i = j \mid q_j) = q_j, \quad j = 1/5,\, 1/2,\, 1,\, 2,\, 5, \qquad q_{1/5} + \cdots + q_5 = 1. \qquad (3)$$

The prior distribution for the parameters of the multinomial distribution is assumed to be a Dirichlet distribution. The convenient feature of the Dirichlet distribution is that, if we assume the expert judgments to be independent observations from a multinomial distribution, the posterior distribution is also Dirichlet and can be easily derived. The prior distribution is chosen by maximizing the entropy function. This distribution can be interpreted as representing maximal uncertainty. The mathematical procedure is presented in Holmberg & Pyy 2000.

Four experts have participated in this exercise, and made their assessments independently of each other based on material obtained from Halden and processed by VTT (see e.g. the block diagrams and definitions for the operator actions). It should be observed that the experts normally also include members from the operating crews at the actual plant, which was not possible during this experiment.

4 PREDICTIONS ACHIEVED BY USING THE METHOD

4.1 Human error probabilities

Table 1 summarizes numerical results from the HRA made using the Enhanced Bayesian THERP method. The time available for identification and decision making was taken from the information package submitted by Halden. The prior human error probability is derived from Swain's curve, see Figure 2. Four experts independently assessed the performance shaping factors, and the assessments were aggregated using the Bayesian procedure. Mean values (i.e., posterior mean values) are shown in Table 1.

According to this analysis, the failure probability is 0.03 in the base case and much higher, 0.2, in the complex case. In the simulator experiments, 1 out of 14 crews failed to isolate the SG within the critical time window in the base case, and in the complex case 7 out of 14 crews failed. Numerically, the predictions and the outcome are well in balance.

4.2 Performance shaping factors

The values of the performance shaping factors can be interpreted so that in the base scenario the crew should get good support from procedures, training and process feedback to identify the situation and to make the correct decision in time. Mental load is somewhat higher than in a normal case, and there are also some coordination and communication needs related to the action. The experts commented in free text that ''good instructions, often training, clear indications, radiation alarm gives a clear indication of SGTR, scram and shortage of time are likely to increase mental load.'' These judgments were in accordance with the empirical PSF ratings, except maybe for the procedural guidance, where some difficulties were found empirically.

In the complex scenario, procedures are rated to provide good support, but the situation is now considered unfamiliar from the training point of view, and feedback from the process is considered poor or misleading. Mental stress is considered higher than in the base case. The experts commented in free text that ''good instructions, situation is unfamiliar, less trained, normal feedback missing, and mental load is high for various reasons.'' Empirically, it was judged that the procedures do not provide good support. Otherwise, predictions and observations were in line. The difference in the PSF judgments can be seen as an expert opinion issue, and not as an HRA method issue.
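The quantification of Section 3.2 together with the expert aggregation of equation (3), as an added Python example that is not the authors' code. Two labelled assumptions: the maximum-entropy prior is taken as the uniform Dirichlet(1, ..., 1), and each PSF's point value is the exponentiated posterior mean of log K (the scale 1/5 … 5 is symmetric on a log axis); the expert ratings are constructed, and p0(t) is passed in as a number because the Swain curve is not reproduced here.

```python
"""Added example (not the authors' code): the quantitative part of Enhanced
Bayesian THERP as described in Section 3.2, with the Bayesian aggregation of
independent expert PSF judgements of equation (3), run on constructed ratings."""
from math import exp, log
from typing import Dict, List, Sequence

# The five admissible PSF values 1/5, 1/2, 1, 2, 5: above 1 complicates the
# action, below 1 eases it, 1 is the nominal situation.
LEVELS = (0.2, 0.5, 1.0, 2.0, 5.0)


def posterior_probabilities(ratings: Sequence[float],
                            prior: Sequence[float] = (1.0,) * 5) -> Dict[float, float]:
    """Posterior mean of the multinomial parameters (q_1/5, ..., q_5) of eq. (3).

    Each expert rating is one independent multinomial observation.  With a
    Dirichlet(prior) on q the posterior is Dirichlet(prior + counts), whose
    mean is (prior_j + n_j) / (sum(prior) + N).  Assumption: the paper's
    maximum-entropy prior is taken here as Dirichlet(1, ..., 1), i.e. the
    uniform density over the simplex.
    """
    if len(prior) != len(LEVELS):
        raise ValueError("one prior weight per PSF level is required")
    bad = [r for r in ratings if r not in LEVELS]
    if bad:
        raise ValueError(f"ratings {bad} are not on the 1/5..5 scale")
    counts = [sum(1 for r in ratings if r == level) for level in LEVELS]
    total = sum(prior) + len(ratings)
    return {level: (a + n) / total
            for level, a, n in zip(LEVELS, prior, counts)}


def point_value(ratings: Sequence[float]) -> float:
    """Collapse the posterior over levels into one K_i for eq. (1).

    Assumption (the paper only says 'posterior mean values'): the scale is
    symmetric on a log axis, so the expectation of log K is taken and
    exponentiated; an uninformed posterior then yields the nominal value 1.
    """
    q = posterior_probabilities(ratings)
    return exp(sum(p * log(level) for level, p in q.items()))


def human_error_probability(p0: float, psfs: Sequence[float]) -> float:
    """Equation (1): p(t) = min(1, p0(t) * K1 * ... * K5).

    p0(t) is read off the Swain time-reliability curve (Figure 2) for the
    available time t; the curve is not reproduced here, so the caller supplies it.
    """
    if not 0.0 <= p0 <= 1.0:
        raise ValueError("p0 must be a probability")
    if len(psfs) != 5:
        raise ValueError("the method uses exactly five PSFs")
    product = p0
    for k in psfs:
        product *= k
    return min(1.0, product)  # the min keeps p(t) inside [0, 1]


def quantify(p0: float, ratings_by_psf: Dict[str, List[float]]) -> float:
    """Aggregate each PSF's expert ratings, then apply eq. (1)."""
    ks = [point_value(r) for r in ratings_by_psf.values()]
    return human_error_probability(p0, ks)


# Constructed ratings from four independent experts for a base-case action.
# Illustrative only; these are not the values behind the paper's Table 1.
# K2 is labelled 'training' here on the strength of Section 4.2 (assumption).
BASE_CASE: Dict[str, List[float]] = {
    "K1 procedures": [0.5, 0.5, 1.0, 0.5],
    "K2 training": [0.5, 0.5, 0.5, 1.0],
    "K3 process feedback": [0.5, 1.0, 0.5, 0.5],
    "K4 mental load": [2.0, 2.0, 1.0, 2.0],
    "K5 coordination": [1.0, 2.0, 1.0, 1.0],
}

if __name__ == "__main__":
    for name, ratings in BASE_CASE.items():
        print(f"{name}: K = {point_value(ratings):.3f}")
    print(f"p(t) = {quantify(0.05, BASE_CASE):.4f}")  # 0.05 is a constructed p0(t)
```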
Table 1. Predictions for operator failure to isolate the ruptured steam generator in time.

Base | Complex

1 The difference in the time window between the base case and the complex case is that, in the complex case, the plant trip is actuated immediately at the beginning of the scenario, while in the base scenario an alarm is received first and the first indication of increasing level in the ruptured SG is received 3 min after the alarm.
2 Interpretation of the scale: 0.2 = very good condition, 0.5 = good condition, 1 = normal, 2 = poor condition, 5 = very poor condition. Note that the full scale is not used for all PSFs.
3 Due to the min-function in the human error probability model, see formula (1).

5 EVALUATION FINDINGS

5.1 Strengths

The Enhanced Bayesian THERP method seems to be a cost-effective approach for this type of standard ''PSA operator actions'' when the aim is to model and quantify operator actions for a PSA model.

As mentioned above, the predictions of the method are well in line with the outcomes of the simulator experiments. This is true for the quantification as well as for most of the PSFs.

5.2 Potential weaknesses

Assessment of the time window is critical in this method. It seems, however, that the time reliability curve is quite reasonable at least for operator actions with a time window between 5–30 min. It should be noted that the time window in this case can be defined quite accurately, since the operator action is the first one of the event sequence. There is much more variability in time windows for the subsequent actions, which is a challenge for this type of HRA models.

Another critical point in the method is the interpretation of the performance shaping factors and their numerical rating. It is obvious that different experts will always interpret differently the explanations given for the scaling. As long as an expert is consistent in his/her judgments, values given for different operator actions can be compared. From the absolute level point of view, some calibration may be needed. So far, results from this pilot study did not clarify the actual need for calibration.

5.3 Possible improvement areas

A significant empirical observation was the variability between crews with regard to the affecting performance shaping factors, which means that PSFs are not only action dependent but also crew dependent. This variability is not explicitly accounted for in the Enhanced Bayesian THERP method, even though the method produces a probability distribution for each PSF. These probability distributions, however, reflect the variability of expert judgements, not the variability of crews. Method development may be needed to account for the variability of the crews.

Experts should be urged to justify their ratings. This is an essential way to collect insights, e.g., for improvements of the human factors.

Another finding was that the method could be complemented with a discussion phase after the expert judgements, where experts could jointly comment on the results and draw conclusions from the assessments. This would facilitate the interpretation of the results, which is now based on pure interpretation of the numbers.

6 CONCLUSIONS

The experiment shows that the Enhanced Bayesian THERP method gives results in close match with
simulator data, at least within the experimental limitations.

Concerning the quantitative results, no significant deviations were identified.

For negative PSFs, there was a difference common to both scenarios. While the Enhanced Bayesian THERP method predicted mental load/stress and deficient feedback as important factors, the simulation focused more on procedural feedback and task complexity. The reasons behind this might be method related, but could also depend on limitations in expert selection and/or differences in stress level between real operation and simulator runs.

The comparison of empirical observations with predictions was found to be a useful exercise to identify areas of improvement in the HRA method. An aspect not covered by the method is the variability between the crews with regard to the importance of different PSFs. Also, the explanations of the numerical scales for PSFs could be improved to harmonize the way experts interpret the scales. In this way, empirical tests are necessary to validate an HRA method.

Otherwise, the evaluation gives confidence that the time reliability curve is a feasible and cost-effective method to estimate human error probabilities, at least when the time window is well defined and relatively short.

REFERENCES

Lois, E. et al. 2007. International HRA Empirical Study—Description of Overall Approach and First Pilot Results from Comparing HRA Methods to Simulator Data. Report HWR-844, OECD Halden Reactor Project, draft, limited distribution.
Dang, V.N. et al. 2008. Benchmarking HRA Methods Against Simulator Data—Design and Organization of the Halden Empirical Study. In: Proc. of the 9th International Conference on Probabilistic Safety Assessment and Management (PSAM 9), Hong Kong, China.
Swain, A.D. & Guttmann, H.E. 1983. Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. NUREG/CR-1278, Sandia National Laboratories, Albuquerque, USA, 554 p.
Pyy, P. & Himanen, R. 1996. A Praxis Oriented Approach for Plant Specific Human Reliability Analysis—Finnish Experience from Olkiluoto NPP. In: Cacciabue, P.C. & Papazoglou, I.A. (eds.), Proc. of the Probabilistic Safety Assessment and Management '96 ESREL'96—PSAM III Conference, Crete. Springer Verlag, London, pp. 882–887.
Holmberg, J. & Pyy, P. 2000. An expert judgement based method for human reliability analysis of Forsmark 1 and 2 probabilistic safety assessment. In: Kondo, S. & Furuta, K. (eds.), Proc. of the 5th International Conference on Probabilistic Safety Assessment and Management (PSAM 5), Osaka, JP. Vol. 2/4. Universal Academy Press, Tokyo, pp. 797–802.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
L. Podofillini
Paul Scherrer Institut—PSI, Villigen PSI, Switzerland
B. Reer
Swiss Federal Nuclear Safety Inspectorate—HSK, Villigen HSK, Switzerland
(until July 2007 with the Paul Scherrer Institut)
ABSTRACT: The International Human Reliability Analysis (HRA) Empirical Study started in late 2006, with
the objective of assessing HRA methods based on comparing their results with data. The focus of the initial phase
is to establish the methodology in a pilot study. In the study, the outcomes predicted in the analyses of HRA teams
are compared with the findings obtained in a specific set of simulator studies. This paper presents the results of
one HRA analysis team and discusses how the predicted analysis compares to the observed outcomes from the
simulator facility. The HRA method used is the quantification module of the Commission Errors Search and
Assessment method (CESA-Q), developed within the HRA research project at the Paul Scherrer Institut (PSI). In
this pilot phase, the main focus of the comparison is on qualitative results: the method predictions, the scenario
features and performance factors that would mostly contribute to failure (or support success). The CESA-Q
predictions compare well with the simulator outcomes. This result, although preliminary, is encouraging since
it gives a first indication of the solidity of the method and on its capability of producing founded insights for
error reduction. Also, the comparison with empirical data provided input to improve the method, regarding
the treatment of the time factor and of knowledge- and training-based decisions. The next phases of the HRA
Empirical Study will address also the quantitative aspects of the HRA. It is planned to use further insights from
the next phases to a) refine the CESA-Q guidance and b) evaluate the method to see whether additional factors
need to be included.
non-performance of required actions. CESA-Q is still under development. Although preliminary, the evaluation of the method against empirical data has been very informative at this stage and provided insights (minor, but worthwhile) for further improvement. There are still methodological aspects to be resolved on how to compare an HRA analysis with evidence from the simulator. Together with the HRA teams, the steering committee of the international HRA empirical study is currently working on resolving these.

The paper is organized as follows. Section 2 gives more details on the HRA empirical study. Section 3 presents CESA-Q as it has been applied in the study, describing also how the method was adjusted to address the EOOs. Section 4 describes the HFEs addressed in the comparison. The CESA-Q HRA of the considered HFE is presented in Section 5. Section 6 presents the comparison between the method predictions and the outcome from the simulator runs. Derived insights for improvement of CESA-Q are discussed in Section 7. Conclusions are given at closure.

2 THE HRA EMPIRICAL STUDY

The motivations for the Empirical Study are the differences in the scope, approach, and models underlying the diversity of established and more recent HRA methods (Dang et al., 2007; Lois et al., 2008). These differences have led to a significant interest in assessing the performance of HRA methods. As an initial step in this direction, this international study has been organized to examine the methods in light of data, aiming to develop an empirically-based understanding of their performance, strengths, and weaknesses. The focus of the study is to compare the findings obtained in a specific set of simulator studies with the outcomes predicted in HRA analyses.

Hosted by the OECD Halden Reactor Project, the Empirical Study has three major elements:

– predictive analyses where HRA methods are applied to analyze the human actions in a set of defined scenarios,
– the collection and analysis of data on the performance of a set of operator crews responding to these scenarios in a simulator facility (the Hammlab experimental simulator in Halden),
– and the comparison of the HRA results on predicted difficulties and driving factors with the difficulties and factors found in the observed performances.

The tasks performed in 2007 aimed a) to establish the methodology for the comparison, e.g. the protocols for interacting with the HRA analyst teams, the information exchanged, and the methods for the data analysis and comparison; and b) to test the comparison methodology with expert teams submitting predictive HRA analyses for evaluation against the data. In this way, initial results concerning the HRA methods as well as feedback on the comparison methodology itself were obtained.

In this phase of the Empirical Study, two Steam Generator Tube Rupture scenarios were defined, specifically a straightforward or "base" scenario and a more difficult or "complex" scenario. The base scenario includes four main operator actions while the complex scenario includes five operator actions.

The HRA analysis teams performed predictive analyses with their chosen HRA method on the basis of "reference" inputs (an information package) prepared by the assessment group. Further details on the overall study methodology are presented in (Dang et al., 2007; Lois et al., 2008) and in other related papers from this conference.

In the pilot phase, the HRA analysis teams analyzed the failure of the nine actions or "human failure events". The qualitative results of their analyses identify the scenario features and performance factors that would most contribute to the failures of these actions (or support success); these make up the team's predicted outcomes. Their quantitative results are the estimated human error probabilities. On the empirical side, the Halden staff and the Study's assessment group analyzed the data collected on the crews' performance in these scenarios to identify the scenario features and factors that were observed or inferred to cause difficulties for the operators, leading to delays in completing the actions or to failures to complete the actions in time. At the qualitative level, the predicted features and factors from each HRA analysis of an action are compared with the features and factors observed in the data for that action.

In view of the ambitious schedule and the desire to obtain feedback from the HRA analyst teams early in the study, the comparison in this first pilot phase was limited to two actions defined in the scenarios, the identification and isolation of the faulted steam generator in the base and complex scenarios respectively. For each action, the prediction results are compared with the results from the observations.

The simulator studies with the operator crews were carried out in late 2006. To avoid biasing the comparison, the assessment group and HRA teams were not provided information of any kind on the simulator observations until after the review of the HRA team submissions was completed.

The second pilot phase planned for 2008 will address the remaining actions in the two SGTR scenarios and include the comparison in quantitative terms; in other words, it will address how well the HEPs estimated by an HRA method correlate with the level of difficulty observed in the empirical data for these actions.
3 THE CESA-Q METHOD AS APPLIED IN THE HRA EMPIRICAL STUDY

Table 1. Steps of the CESA-Q analysis as applied in the HRA empirical study.
SGTR and leads to closure of the main steam isolation valves, with the consequence (in the reference plant) that most of the secondary radiation indications read 'normal'. The remaining available secondary radiation indication is also failed as part of the scenario design.

The Emergency Operating Procedures (EOPs) guiding the crews are of the Westinghouse type. The immediate response is guided by procedure E-0. The response to the SGTR event is guided by procedure E-3. There are a number of opportunities to enter E-3:

– step 19 of E-0, with instructions based on secondary radiation indications;
– first transfer to ES-1.1 ("Safety injection termination") at step 21 of E-0 and then transfer to E-3 based on the ES-1.1 fold-out page, based on the check in the fold-out of secondary radiation conditions and whether the level in any 'intact SG' is increasing in an uncontrolled manner;
– step 24b in E-0, based on whether the level in SG #1 cannot be desirably controlled; or
– step 25a in E-0, based on secondary radiation indications.

The challenge connected with HFE #1B is the lack of secondary radiation cues, which would be expected in case of a SGTR and on which a number of the procedural transfers to the applicable EOP E-3 are based. Indeed, the applicable EOPs for the reference plant rely strongly on radiation indications. It should be noted that this may not be the case in other plants. Therefore the operators have to diagnose the SGTR event based only on the level indications in the ruptured SG.

Success in performing #1B requires that the crew:

– enters procedure E-3 (based on the various opportunities to enter E-3), and
– has closed/isolated all steam outlet paths from the ruptured SG (SG #1), and
– has stopped all feed to the ruptured SG as long as the ruptured SG level is at least 10% as indicated on the narrow range SG level indications (to ensure the SG U-tubes will remain covered), and
– performs the above within 25 minutes of the steamline break (which is the start of the event); a slower response than expected/desired constitutes "failure".

5 THE CESA-Q ANALYSIS OF HFE #1B

This Section reports the qualitative aspects of the HRA. As mentioned, these are the aspects on which the
Table 2. Critical decision points (selected) identified in the CESA-Q analysis of HFE #1B.

Decision point | Inappropriate decision | Consequence
#1B.1 (E-0, step 1) | Operators erroneously transfer from E-0 step 1 to procedure FR-S.1 "Response to nuclear power generation/ATWS". | Potential delay (not within 25 min) to accomplish #1B. If the error is not recovered, the operators could go as far as to inject boron, but this action has consequences on the "safe side".
#1B.4 (E-0, step 16) | Operators erroneously transfer from E-0, step 16 to E-1 "Loss of reactor or secondary coolant". | Most likely consequence is potential delay (not within 25 min) to accomplish #1B. In addition, depending on how far operators go into E-1 they may risk overfeeding the RCS or the SG.
#1B.6 (E-0, step 18) | Operators erroneously transfer from E-0, step 18 to E-2 "Isolation of faulted SG". | Potential delay (not within 25 min) to accomplish #1B.
#1B.7 (E-0, step 21, and fold-out page of ES-1.1) | Operators erroneously do not transfer to E-3 (transferring from E-0, step 21 to ES-1.1 first and then from the fold-out page of ES-1.1 to E-3). | Operators stay in ES-1.1 and become involved in the steps required to control SI. Potential delay to accomplish #1B, i.e. not within 25 min.
#1B.8 (E-3, steps 2 and 3) | Operators fail to identify and isolate the ruptured SG (E-3 step 3). | Primary to secondary leak is not controlled.
#1B.12 (E-3, step 3b) | Operators isolate the PORV of the ruptured SG (when the SG is erroneously perceived below 70.7 bar). | Isolation of SG A PORV may lead to challenge of the SG A safety valves, which may stick open and thus disable isolation of SG A. It is assumed here that the SG safety valves are not qualified for water discharge and thus certainly fail under SG fill-up conditions.
Table 3. Analysis of the situational factors for decision point #1B.6 at step 18 of E-0—Operators erroneously transfer to procedure E-2 (instructing isolation of faulted SG).

Situational factor | Evaluation | Comment
Misleading indication or instruction (MI) | No | Indications are not misleading: pressure in the SG is not decreasing in an uncontrollable manner as required in step 18b for transfer to E-2. Procedures do not support transfer to E-2 in this scenario.
Adverse exception (AE) | No | Transfer to E-2 is inadequate for this scenario. It is not made inadequate by an exceptional condition.
Adverse distraction (AD) | Yes | There is an initial drop in all SG pressures due to the main SLB. Although pressure recovers very fast upon main SL isolation, operators may fix on this initial cue, quickly reach step 18 and enter E-2.
Risky incentive (RI) | No | There is no credible reason to transfer to E-2 in order to follow conflicting goals.

Table 4. Analysis of the situational factors for decision point #1B.7—Operators do not transfer to E-3 (first from E-0, step 21 to ES-1.1 and then from fold-out page of ES-1.1 to E-3).

Situational factor | Evaluation | Comment
Misleading indication or instruction (MI) | Yes | Cues on high secondary radiation levels are missing. This is a consequence of the exceptional condition of SLB and SGTR combined.
Adverse exception (AE) | Yes | The exceptional condition of combined SLB and SGTR results in the loss of important cues: high secondary radiation levels. These are the first cues mentioned in E-0 as indications of a SGTR (E-0, step 19). Cues related to differences in the SG levels come up later than expected for a "normal" SGTR. Under this error-forcing condition, the operators are expected to enter ES-1.1. At this point it is possible that they get involved in terminating SI and overlook the transfer to E-3 in the fold-out page of ES-1.1.
Adverse distraction (AD) | Yes | Lack of relevant cues (high radiation levels in the secondary) is a distraction for the operators.
Risky incentive (RI) | No | Operators would not miss the transfer to E-3 in order to follow conflicting goals.

current phase of the HRA empirical study is focused on. The steps of the analysis related to quantification have been skipped in the following description.
5.1.1 Step 1—list decision points

Procedures were analyzed in order to identify the decision points that may contribute to HFE #1B. 13 decision points were found, identified as #1B.1, #1B.2, . . . , #1B.13. Selected decision points are reported in Table 2. The consequence of the inappropriate decisions can be a delay in performing #1B (compared to the time window of 25 minutes) as well as aggravation of the plant condition.

5.1.2 Step 2—evaluate the situational factors

The 13 decision points were analyzed in terms of the four CESA-Q situational factors (Reer, 2006a), which may motivate an inappropriate response. Potential error-forcing conditions (EFCs) were identified at two decision points, #1B.6 and #1B.7 (Table 2), the analyses of which are reported in Table 3 and Table 4, respectively.

5.1.3 Step 4—evaluate adjustment factors

The decision points #1B.6 and #1B.7, for which error forcing conditions were found, were further analyzed in terms of adjustment factors (Reer, 2006). Table 5 reports the analysis for decision point #1B.7, which, according to the analysis, dominates #1B.6. Note that dominating decision points result from the quantitative analysis, which is not reported in this paper.

5.1.4 Step 7—evaluate recovery

Recovery analysis is carried out for the most likely decision errors identified in the previous step 6, i.e. #1B.6 (E-0 step 18) and #1B.7 (E-3 step 2, step 3); see Table 6.

6 COMPARISON OF THE CESA-Q ANALYSIS TO OPERATING CREW DATA

The CESA-Q analysis of HFE #1B was submitted by the HRA team to the assessment and comparison group. The assessment and comparison group compared the HRA predictions to the simulator outcomes. This Section highlights some points of the comparison, which were used to derive the insights discussed in Section 7. The detailed comparison will be published in the forthcoming study report (Lois et al., 2008).
Table 5. Analysis of the adjustment factors for decision point #1B.7—Operators erroneously do not transfer to E-3 (transferring from E-0, step 21 to ES-1.1 first and then from the fold-out page of ES-1.1 to E-3).

Adjustment factor | Evaluation | Comment
Verification hint | 0.8 (slightly error-forcing) | The fold-out page of ES-1.1 gives indication that the adequate response is to transfer to E-3. The rate of 0.8 has been given since it is not known how frequently the operators use the fold-out page.
Verification means | 1 (success forcing) | Level indications are available and clearly visible.
Verification difficulty | 0.8 (slightly error-forcing) | Cognitive requirement slightly increased, since the lack of radiation indications represents a deviation from the base case of trained rule application. In addition, the level indications are available with some delay compared to the expectation.
Verification effort | 1 (success forcing) | Negligible physical effort required for verification.
Time pressure | 0.5 (moderately forcing) | Time for taking decision error is around 10 minutes.
Benefit prospect | 1 (success forcing) | No particular benefit to stay in ES-1.1 in this scenario.
Damage potential | 0 (not success forcing) | No particular damage potential is implied to stay in ES-1.1.

Table 6. Recovery analysis for decision point #1B.7—Operators do not transfer to E-3 (first from E-0, step 21 to ES-1.1 and then from fold-out page of ES-1.1 to E-3).

Recovery factor | Evaluation | Comment
RTP—Recovery Timely Possible | Yes | A time reserve of 5 min is defined as a boundary condition for the HRA. This reserve is deemed as sufficient for returning to the appropriate path.
RCA—Recovery Cue Available | Yes | Step 24b in E-0 provides an alternative path from E-0 to E-3, with cues based on the SG level.
ST—Shortage of Time | Yes | Time reserve of 5 min (HRA boundary condition) indicates shortage of time.
MC—Masked Cue | Probably | Although the main indication is masked, the difference in the SG levels becomes progressively evident.

According to the CESA-Q predictions, the way the human failure would most likely develop is as follows. As the result of the error-forcing condition of missing radiation indications and (probably) delayed SG level indications, the operators are expected to pass the EOP step transferring to the SGTR EOP (E-0, step 19) and enter ES-1.1, as instructed by later steps of E-0 (step 21). At this point it is possible that they get involved in performing the necessary steps to terminate safety injection as instructed by ES-1.1 and overlook the transfer to E-3 in the fold-out page of ES-1.1. The decision to transfer to E-3 in this case is not straightforward due to the EFCs. However, it is expected that they would at some point transfer to E-3, realizing that the increasing level in one SG is a cue for SGTR (procedures have additional later transfers to E-3).

As a general statement, this prediction was well in line with the observations. Indeed, the dominant crew behaviors were as follows.

– Six crews entered ES-1.1, thus passing the transfer to the SGTR procedure at E-0 step 19. All crews eventually transferred to E-3, based on the instructions in the fold-out page in ES-1.1, or on their knowledge that increasing level in one SG provides a cue for SGTR (although half of the crews did not do so in the required time of 25 minutes).
– Five crews transferred directly from E-0 to E-3, without passing through ES-1.1. This transfer was knowledge-based as well.

The CESA-Q analysis predicted that the crews would have eventually managed to transfer to E-3 using the fold-out page of ES-1.1. Actually, in the observations, 2 crews did so, while many of the crews that entered ES-1.1 decided to transfer to E-3 from knowledge-based diagnosis. Indeed, as predicted by the CESA-Q analysis, there was no particular benefit to stay in ES-1.1 too long in this scenario.

The CESA-Q analysis predicted that some shortage of time may have been experienced by the crews if they eventually enter ES-1.1 and become involved in the ES-1.1 procedural steps. This would result in a difficulty for the crews to meet the time requirement of 25 minutes. Indeed, the observations from the simulator confirmed that the time of 25 minutes available for the response was limited and this had an important impact on the crews' performance. Although all of the 14 crews managed to enter the SGTR procedure E-3 and
isolate the ruptured SG, 7 out of the 14 crews did not do so within the 25 minutes (but 13 crews did it within 35 minutes and the last one did it after 45 minutes). Compared to the simulator outcome, the CESA-Q analysis did not recognize that the situation would slow the crews' response such that as many as half of the crews did not meet the time requirement of 25 minutes (see success criteria in Section 4). The implication of this will be discussed in the next Section 7.1.

However, it must be noted that the 25 minutes criterion is not a typical PSA success criterion for identification and isolation of the ruptured SG in a SGTR event. A typical PSA success criterion would be to respond in time to avoid SG overfill or to avoid damage of the SG safety valves due to flooding of the steam line. Although 25 minutes is about the time after which it is expected that the SG level will reach 100% on the wide range indicators, the operators are aware that still some time is left before the SG overfills. Indeed, in their response, the goal the operators have in mind is to avoid or limit overfill rather than respond in 25 minutes (indeed, except for one, all the other crews were just late, by up to 10 minutes).

7 INSIGHTS FOR IMPROVEMENT OF CESA-Q FROM THE COMPARISON

7.1 Influence of the time available on the HEP

CESA-Q treats the time factor by focusing on the effect of time pressure, intended as urgency to act, on the quality of decision-making, and accounts for shortage of time in decision error recovery. Time pressure impacts the ability of the operators to think straight about alternative decisions and to possibly revise an inappropriate decision. In CESA-Q, these aspects enter into the evaluations of the situational factors "Adverse distraction" and "Risky incentive", in the adjustment factor "Time pressure" and in the evaluation of the time available for recovery.

The evidence from the simulator showed that the failure in HFE #1B was influenced by the adequacy of time, among other factors, rather than by time pressure. The time frame of 25 minutes proved to be short to reach consensus (or for the crew leader to reach enough initiative) to enter E-3 in the complex scenario. But there was no evidence that the crews' performance was negatively influenced by time pressure.

Therefore, it seems that the method, in its current version, does not give proper credit to the effect of "running out of time" while making correct decisions as guided by the procedure, which seems to be one of the drivers for HFE 1B. Indeed, CESA-Q was developed based on the analysis of catalogued reference EOCs (identified from 26 operational events in Reer & Dang, 2006), where the success of the operators entailed re-establishing safety functions and "running out of time" was not a concern.

It is planned to use the successive phases of the HRA empirical study to gather additional insights on how CESA-Q should address the adequacy of the time factor and to provide guidance to the users as necessary.

7.2 Focus of CESA-Q on aspects of knowledge-based behavior required for EOC quantification

CESA-Q accounts for operator behavior based on knowledge (or training) in the following factors:

• in the evaluation of EFCs represented by situational factors AD and RI. For example, concerning AD: the distraction caused by an indication not referred to in the nominal path through the procedures may suggest a response (inappropriate), followed by knowledge or training; and
• in the evaluation of adjustment factors (Table 5) and recovery (Table 6), e.g. regardless of the guidance in the procedure, an abnormal SG level indication may be credited as a hint to verify if an evaluation of operator training concludes that the SG level is in the focus of the operator's attention.

A thorough analysis of operational events with EOC involved has shown that account of these aspects of knowledge-based behavior is required for EOC quantification (Reer & Dang, 2006).

However, some of the experimental results from this HRA empirical study suggest that additional consideration of knowledge-based behavior may be required, especially for EOO quantification. The observation of the crews' behaviors has shown that, especially in the case in which the EOP guidance is not optimal, like in the HFE #1B case, knowledge-based as well as training-based decisions become important drivers for successful performance, therefore for not committing the EOC or the EOO. Indeed, for many of the crews, the decision to transfer to E-3 was made based on their knowledge of the SGTR symptoms, after realizing that the EOPs were not conducting them to E-3.

Guidance may therefore be helpful on when the CESA-Q analysis should extend the consideration of knowledge-based and training-based decisions in the scope of the analysis. Indeed, it should take into account that how much the crews adhere to the procedures or integrate them with knowledge-based and training-based decisions may vary depending on plant-specific or country-specific work processes. Consequently, guidance should also be included on when the analysis should consider multiple success paths, for example based on the likelihood of the crews taking the different paths, and on the identification of the single, or eventually multiple, dominant path.
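The time-adequacy point of Section 7.1, together with the crew completion times reported in Section 6 (7 of 14 crews later than 25 min, 13 within 35 min, the last after 45 min) and the time reliability curve recommended in the conclusions of the preceding paper, can be worked through numerically. The Python block below is an added example written for this edition; it is not code from the paper, from PSI or from the Halden study. Its lognormal fit is the classic time-reliability correlation form and is an assumption of the example, not CESA-Q's treatment of time, which works through the factors listed in Section 7.1. The crew times are constructed so that only the counts the paper reports are reproduced; the individual values are not measurements.

```python
import math
from statistics import mean, pstdev

# Constructed crew response times in minutes for the "identify and isolate
# the ruptured SG" action. They are chosen only to reproduce the counts given
# in Section 6 (7 of 14 crews later than 25 min, 13 of 14 within 35 min,
# one crew after 45 min); they are not the Halden measurements.
CREW_TIMES_MIN = [14.0, 17.5, 19.0, 20.5, 22.0, 23.5, 24.5,
                  26.0, 27.5, 29.0, 31.0, 33.0, 34.5, 47.0]


def empirical_nonresponse(times, window):
    """Fraction of crews that did not finish within the time window."""
    late = sum(1 for t in times if t > window)
    return late / len(times)


def fit_lognormal(times):
    """Maximum-likelihood lognormal fit: mean and std. dev. of ln(t).

    Lognormal response times are the usual assumption behind a
    time-reliability curve (assumption of this example, see lead-in).
    """
    logs = [math.log(t) for t in times]
    return mean(logs), pstdev(logs)


def fitted_median_minutes(times):
    """Median of the fitted curve, exp(mu): the time by which half the crews respond."""
    mu, _ = fit_lognormal(times)
    return math.exp(mu)


def lognormal_nonresponse(times, window):
    """P(T > window) under the fitted curve, i.e. the non-response probability.

    The standard-normal upper tail is computed with math.erfc, so no SciPy is needed.
    """
    mu, sigma = fit_lognormal(times)
    z = (math.log(window) - mu) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def window_for_nonresponse(times, target, lo=1.0, hi=1000.0):
    """Smallest window (minutes) at which the fitted curve gives P(T > window) <= target.

    Solved by bisection; the curve is monotonically decreasing in the window,
    so the bracket [lo, hi] shrinks onto the answer.
    """
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if lognormal_nonresponse(times, mid) > target:
            lo = mid
        else:
            hi = mid
    return hi


def time_reliability_table(times, windows):
    """Empirical and fitted non-response probability for each candidate window."""
    return {w: (empirical_nonresponse(times, w), lognormal_nonresponse(times, w))
            for w in windows}


if __name__ == "__main__":
    print("fitted median response time: %.1f min" % fitted_median_minutes(CREW_TIMES_MIN))
    for w, (emp, fit) in time_reliability_table(CREW_TIMES_MIN, (25, 35, 45)).items():
        print("window %2d min: empirical P(fail) = %.3f, lognormal P(fail) = %.3f" % (w, emp, fit))
    print("window needed for P(fail) <= 0.1: %.1f min" % window_for_nonresponse(CREW_TIMES_MIN, 0.1))
```

Running the block makes the Section 6 observation concrete: the fitted median lands at about 25 min, which is exactly why half of the crews miss a 25 min criterion, and at that window the counted and fitted non-response probabilities agree at roughly one half. For windows of 35 and 45 min the raw count gives the same answer (one crew in fourteen) because the data are too sparse to distinguish them, while the fitted curve still separates them and keeps a small non-zero tail beyond the slowest crew; that smooth tail is what a time reliability curve is used for when every crew succeeded in the simulator. The bisection shows that a non-response probability of about 0.1 would require a window of roughly 37 min, which illustrates how strongly the HEP estimate depends on the choice of success criterion, the same caveat the paper raises about the 25 min criterion not being a typical PSA criterion.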
8 CONCLUSIONS

This paper has concerned the results of the HRA performed by the CESA-Q team on one of the nine HFEs addressed by the HRA empirical study. The paper has discussed how the predicted analysis compares to the observed outcomes from the simulator facility.

It should be emphasized that the application of CESA-Q in this study is explorative: the method's development and previous applications have focused on errors of commission, while this study addresses errors of omission.

PSI's CESA-Q method performed well on the qualitative aspects of the exercise, i.e. how well the methods predicted what elements of the actions may be challenging. This result, although preliminary, is encouraging since it gives a first indication of the solidity of the method and of its capability of producing founded insights for error reduction. These qualitative aspects were the main emphasis in this phase of the study; currently, the assessment group is planning to treat the more quantitative aspects in the next phase.

The empirical data, consisting of systematic observations of the performances of multiple crews on the same scenarios, have been useful in deriving insights on potential improvements of the CESA-Q method. For instance, in treating time, CESA-Q focuses on the effect of time pressure on the quality of decision-making and accounts for shortage of time in decision error recovery. It seems that the method, in its current version, does not give proper credit to the effect of "running out of time" while making correct decisions as guided by the procedure.

It should also be investigated whether guidance should be added to base the analysis on multiple expected response paths and to consider knowledge-based and training-based decisions in the definition of the expected response paths and of the critical decision points.

An aspect that makes CESA-Q well suited for comparison against simulator data is that it produces detailed descriptions of crews' behaviors, in the form of paths of response actions and critical decisions taken along the response. These paths and decisions could indeed be observed in the simulators. CESA and CESA-Q share this characteristic with some other recent HRA methods like EDF's MERMOS and US NRC's ATHEANA.

Finally, the study can provide an opportunity not only to compare CESA's predictions with empirical data but also to compare HRA methods and their resulting analyses on the same set of actions. In particular, when performed in the context of empirical data, a method comparison has the added value that there is a shared basis (the data) for understanding the scope of each factor considered by a method and how the method treats these in detail.

The next steps planned for the HRA empirical study are the comparison of the remaining HFEs in the Steam Generator Tube Rupture scenarios and another comparative analysis on a Loss of Feedwater scenario. Generally, it is planned to use the insights to a) refine the CESA-Q guidance and b) evaluate the method to see whether additional factors need to be included. In this regard, empirical data provide invaluable input. Although an empirical model of performance needs to be based on far more than one scenario (two variants in this case), this data contributes to such a model. This should lead to improvements in CESA-Q as well as other HRA methods.

ACKNOWLEDGEMENTS

This work is funded by the Swiss Nuclear Safety Inspectorate (HSK), under DIS-Vertrag Nr. 82610. The views expressed in this article are solely those of the authors.

B. Reer contributed to this work mostly while he was with the Paul Scherrer Institut (since July 2007, he is with the HSK).

LIST OF ACRONYMS

CESA—Commission Errors Search and Assessment
CESA-Q—Quantification module of CESA
EFC—Error Forcing Condition
EOP—Emergency Operating Procedures
HAMMLAB—Halden huMan-Machine LABoratory
HFE—Human Failure Event
HRA—Human Reliability Analysis
MSLB—Main Steam Line Break
PSF—Performance Shaping Factor
PSA—Probabilistic Safety Assessment
PSI—Paul Scherrer Institut
SGTR—Steam Generator Tube Rupture

REFERENCES

Dang, V.N., Bye, A. 2007. Evaluating HRA Methods in Light of Simulator Findings: Study Overview and Issues for an Empirical Test. Proc. Man-Technology Organization Sessions, Enlarged Halden Programme Group (EHPG) Meeting, HPR-367, Vol. 1, paper C2.1, 11–16 March 2007, Storefjell, Norway.
Dang, V.N., Bye, A., Lois, E., Forester, J., Kolaczkowski, A.M., Braarud, P.Ø. 2007. An Empirical Study of HRA Methods—Overall Design and Issues. Proc. 2007 8th IEEE Conference on Human Factors and Power Plants (8th HFPP). Monterey, CA, USA, 26–31 Aug 2007, CD-ROM, (ISBN: 978-1-4244-0306-6).
Dang, V.N., Reer, B., Hirschberg, S. 2002. Analyzing Errors of Commission: Identification and First Assessment for a
240
Swiss Plant. Building the New HRA: Errors of Commis- Reer, B. 2006b. An Approach for Ranking EOC Situations
sion—from Research to Application, NEA OECD report Based on Situational Factors. Paul Scherrer Institute,
NEA/CSNI/R(2002)3, 105–116. Villigen PSI, Switzerland, Draft.
Forester, J., Kolaczkowski, A., Dang, V.N., Lois, E. 2007. Reer, B. 2007. Notes on the Application of the CESA Quan-
Human Reliability Analysis (HRA) in the Context of HRA tification Method for Scenarios Simulated in the Halden
Testing with Empirical Data. Proc. 2007 8th IEEE Con- Reactor Experiments. Paul Scherrer Institute, Villigen
ference on Human Factors and Power Plants (8th HFPP). PSI, Switzerland, Draft.
Monterey, CA, USA, 26–31 Aug 2007. CD-ROM, (ISBN: Reer, B., Dang, V.N. 2006. Situational Features of
978-1-4244-0306-6). Errors of Commission Identified from Operating Expe-
Lois, E., Dang, V.N., Forester, J., Broberg, H., Massaiu, S., rience. Paul Scherrer Institute, Villigen PSI, Switzerland,
Hildebrandt, M., Braarud, P.Ø., Parry, G., Julius, J., Bor- Draft.
ing, R., Männistö, I., Bye, A. 2008. International HRA Reer, B., Dang, V.N. 2007. The Commission Errors
empirical study—description of overall approach and first Search and Assessment (CESA) Method. PSI Report
pilot results from comparing HRA methods to simulator Nr. 07-03, ISSN 1019-0643, Paul Scherrer Institut,
data. HWR-844. OECD Halden Reactor Project, Norway Switzerland.
(forthcoming also as US NRC report). Reer, B., Dang V.N., Hirschberg S. 2004. The CESA method
Reer, B., 2006a. Outline of a Method for Quantifying Errors and its application in a plant-specific pilot study on errors
of Commission. Paul Scherrer Institute, Villigen PSI, of commission. Reliability Engineering and System Safety
Switzerland, Draft. 83: 187–205.
241
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
J.L. Melià
University of Valencia, Valencia, Spain
ABSTRACT: Although several researchers have argued that social norms strongly affect health behaviors, the measurement of health and safety norms has received very little attention. In this paper, we report the results of our study designed to: 1) test the reliability of, and construct, an effective questionnaire devoted to the measurement of social influences on safety behavior; 2) assess the predictive validity of supervisor and coworker's descriptive and injunctive safety norms on safety behavior; 3) test a Four-Factor CFA (confirmatory factor analysis) model of social influence on safety behavior. The questionnaire has four 11-item scales and used a 7-point Likert-type scale of safety behavior. A self-reporting scale of safety behavior was also included. A sample (N = 250) of operational team workers from a Portuguese company participated voluntarily and anonymously in the study. Overall results from this study (EFA and CFA) confirmed the questionnaire structure and provided support for a correlated, Four-Factor model of Safety Group Norms. Furthermore, this study has demonstrated that coworker's descriptive and injunctive safety norms were a strong predictor of safety behavior.
structure of norms, can be valuable to the understanding of the contextual normative influences on workers' health behaviors.

2 OVERVIEW OF THEORETICAL FRAMEWORK

The proposed conceptual framework in this paper relies on workplace safety literature (e.g. Zohar & Luria, 2005) and on social cognitive theories, namely the theory of planned behavior (e.g. Ajzen, 2005) and the focus theory of normative conduct (e.g. Cialdini et al., 1990, 1991), to understand how group norms impact safety behavior.
According to Cialdini & Trost (1998), group norms are guidelines for acceptable and unacceptable behavior that develop through interactions among group members and are informally agreed upon by group members. They may be actively/verbally transmitted (e.g. explicit statements) or passively/non-verbally transmitted (e.g. modeling). Any social punishments for not complying with norms come from social networks and not from formal systems established by the organization. Following these assumptions, it is our view that safety group norms are internalized informal safety rules that work groups adopt to regulate and regularize group members' behavior.
Reviews of previous research indicate that, typically, normative influence on behavior has been studied in terms of subjective norm, or a person's perceptions of whether specific salient others think he/she should engage in the behavior, and the motivation to comply with such pressure (cf. Ajzen, 1991, 2005). For instance, an application of the theory of planned behavior to the prediction of safe behavior (see Johnson & Hall, 2005) used three items to measure subjective norms (e.g., ''Most people who are important to me would strongly encourage/discourage me to lift materials within my strike zone'').
But there is an important distinction in the literature on social influence between injunctive norms and descriptive norms. Cialdini and colleagues (e.g. Cialdini et al., 2006) call the subjective norms of the usual applications of the theory of planned behavior injunctive social norms, as they concern others' social approval or disapproval. They argue that ''when considering normative influence on behavior, it is crucial to discriminate between the is (descriptive) and the ought (injunctive), because each refers to a separate source of human motivation (Deutsch & Gerard, 1955)'' (cit. Cialdini et al., 1990, p. 1015). In other words, whereas descriptive norms provide information about what is normal, what most people do, and motivate human action by providing evidence of what is likely to be effective and adaptive action, injunctive norms provide information about what ought to be done and motivate by promising social rewards and punishments.
It is usual that descriptive and injunctive norms are mutually congruent. According to Cialdini et al. (1990), ''Because what is approved is often actually what is done, it is easy to confuse these two meanings of norms . . . it is important for a proper understanding of normative influence to keep them separate, especially in situations where both are acting simultaneously'' (p. 1015).
Although the discriminant and convergent validity of the descriptive and injunctive (or subjective) norms constructs has been supported by the literature (see for a review Rivis & Sheeran, 2003), it remains unclear, in the specific domain of safety, how both normative components predict safety behaviors.
Finally, in the present study, the definition of safety behavior comprises not only compliance behaviors, such as properly using personal protective equipment and engaging in work practices that reduce risk, but also more proactive safety behaviors or safety citizenship behaviors, such as helping teach safety procedures to new crew members, assisting others to make sure they perform their work safely, and making safety-related recommendations about work activities (see Burke, Sarpy, Tesluk, & Smith-Crowe, 2002 and Hofmann, Gerras & Morgeson, 2003).

3 METHOD

3.1 Participants

Participants in this study were operational workers, members of work teams employed in a Portuguese company (a passenger transportation company with high safety standards). The sample consisted of 250 workers, who provided anonymous ratings of the descriptive and injunctive safety norms of their coworkers and supervisors and of their own individual safety behavior. All participants were male, and most respondents (83,2%) were not supervisors and had heterogeneous jobs in the company. Almost half of the participants (48,8%) were between 31 and 40 years old and the other half (42,5%) were over 41 years old. Finally, 38,4% had tenure on the job between 6 and 15 years and 41,6% had tenure superior to 15 years.

3.2 Material

In this study, data were collected from individual group members, using a quantitative methodology (a survey administered in the form of a questionnaire).
Four 11-item scales measured descriptive and injunctive safety group norms, and we also considered the referent implied in the survey items. Therefore, descriptive and injunctive norms were assessed in
relation to coworkers and supervisors. The scale items (descriptive vs. injunctive) were based on the assumptions of the focus theory of normative conduct (e.g. Cialdini et al., 2006) concerning the measurement of social norms, as in prior applications to the study of health behaviors in other contexts (e.g. Conner & McMillan, 1999). We should note that the four scales included generic items that can be applicable to many types of jobs involving safety issues. To begin scale development, we departed from Zohar and Luria's (2005) group-level safety climate scale: we created a pool of 11 items for the individual's perceptions about the supervisors' descriptive safety norms (e.g. ''My direct supervisor checks to see if we are obeying safety regulations''). Then, each item was adapted to the individual's perceptions of the descriptive safety norms of their coworkers (e.g. ''My team members check to see if other team members obey the safety rules''), and we followed the same procedure for injunctive safety norms (e.g. ''My direct supervisor thinks that compliance to safety rules should be checked'' and ''My team members think that compliance to safety rules should be checked out''). This procedure resulted in an initial 44-item ''Safety Group Norms'' questionnaire. Respondents rated the frequency (using a 7-point scale ranging from never to always) with which coworkers and direct supervisors performed/think should be performed each of the 11 indicated behaviors.
''The Safety Behavior'' self-report was measured using a revised and updated version of the original General Safety-Performance Scale (Burke et al., 2002) and the Safety Citizenship Role Definitions and Behavior Items (Hofmann et al., 2003). Because our interest was in the overall safety behavior, we combined these two measures, resulting in a 12-item Safety Behavior Scale (e.g. ''I properly performed my work while wearing personal protective equipment'' and ''I have made suggestions to improve safety''). We assume that safety behaviors can be assessed with respect to the frequency with which employees engage in the behaviors, using a 7-point Likert-type scale ranging from never (1) to always (7), with high scores representing more positive safety behaviors.
Given the limitations associated with the use of self-reports of behavioral safety, the present study also used microaccidents¹ as an outcome criterion of behavioral safety. Participants were also asked to self-report the number of microaccidents they were involved in during the last 6 months.

¹ In this study microaccidents were conceptualized according to Zohar (2000) as on-job behavior-dependent minor injuries requiring medical attention, but not incurring any lost workdays.

4 RESULTS

This two-step approach comprised exploratory analysis and confirmatory factor analysis.
In the first step, exploratory analysis included factor analysis, reliability and predictive validity analysis. Data were analyzed using the Statistical Package for the Social Sciences (SPSS). The method of factor extraction was principal components (varimax rotation).
In the second step, a confirmatory factor analysis was performed with Structural Equation Modeling (SEM) using the Maximum Likelihood Estimation (MLE) method. All estimations were made with AMOS 7.0 software. This multivariate technique was used to test (confirm) the measurement construct validity of a Four-Factor CFA model of safety group norms, and to compare this model with One-Factor and Two-Factor CFA models.

4.1 Exploratory factor analysis

Exploratory Factor Analysis (EFA) played an important complementary role in evaluating the proposed dimensionality of constructs. The initial 44-item Safety Group Norms Questionnaire was submitted to two independent principal components analyses (varimax rotation) with the purpose of identifying the underlying structure of the variables and also of creating a subset of variables representative of the factors, much smaller in number (four 5-item scales), for inclusion in the subsequent analysis (confirmatory factor analysis). The overall results of the reliability analysis of this smaller version are presented in Table 1. Four dimensions, each reflected by a separate factor, were identified (SDSN—Supervisor's Descriptive Safety Norms; SISN—Supervisor's Injunctive Safety Norms; CDSN—Coworker's Descriptive Safety Norms; CISN—Coworker's Injunctive Safety Norms). All factor loadings were above .65, all Cronbach's alpha coefficients exceeded .80, corrected item-to-total correlations were all above .60 and inter-item correlations were greater than .40. In brief, the exploratory factor analysis results confirm the proposed multidimensionality of constructs and the appropriateness of the variables.
The 12-item Safety Behavior Scale was also submitted to factorial analysis (principal components analysis) and two factors were extracted. Only 9 items were retained for further analysis. The first factor was denominated proactive safety practices (PASB—5 items) and explained 52,60% of variance; the second factor was designated compliance safety practices (CPSB—4 items) and explained 11,48% of total variance. Both scales had Cronbach's alphas higher than .70, coefficients indicative of a good internal consistency.
Table 1. Exploratory factor analysis results.

1A. Supervisor's safety norms.
Items      1      2
P1g      .84    .38
P1h      .87    .38
P1i      .86    .38
P1j      .83    .45
P1k      .79    .35
P2b      .42    .79
P2c      .42    .82
P2d      .35    .84
P2e      .37    .85
P2f      .37    .86
Alpha    .96    .95
Total variance 84,87%

1B. Coworker's safety norms.
Items      1      2
P3a      .22    .81
P3c      .27    .81
P3d      .15    .75
P3e      .24    .78
P3k      .39    .65
P4f      .81    .26
P4g      .87    .26
P4h      .90    .24
P4i      .83    .30
P4j      .87    .24
Alpha    .86    .94
Total variance 72,54%

Table 2. Multiple regression analysis to predict safety behavior (variable criteria).

               PASB                      CPSB
           B     SE B     β           B     SE B     β
SDSN    −0.02    0.06   −.03       −0.05    0.05   −.09
SISN     0.05    0.06    .07        0.08    0.05    .13
CDSN     0.27    0.07    .29∗∗      0.28    0.06    .37∗∗
CISN     0.30    0.07    .29∗∗      0.20    0.06    .23∗

Regression analysis was used to assess the predictive validity of safety group norms on safety behavior (variable criteria). The principal results of this multiple regression are reported in Table 2.
The results of the statistical test of the regression model's ability to predict proactive safety behaviors reveal that the model is statistically significant (F = 24,201; p < .0001); supervisor and coworker's descriptive and injunctive safety norms accounted together for 28,1% of the variation in proactive safety practices (Adjusted R² = .28). Nevertheless, proactive safety practices were only significantly associated with coworker's descriptive safety norms (Beta = .29, p < .0001) and coworker's injunctive safety norms (Beta = .29). Descriptive and injunctive norms accounted for 31,7% of the variation in compliance safety behavior (Adjusted R² = .32). However, as found previously, compliance safety behavior was only significantly associated with coworker's descriptive safety norms (Beta = .37, p < .0001) and coworker's injunctive safety norms (Beta = .23, p < .0001).
Microaccidents did not predict safety behavior (Adjusted R² = .02, p > .05).

4.2 Confirmatory factor analysis

With the purpose of confirming the dimensionality of the safety group norm constructs, a Four-Factor CFA model was tested (Model 1). This model was compared with a Two-Factor CFA model (Model 2) and a One-Factor CFA model (Model 3). Model fit was assessed considering the Chi-square, overall goodness-of-fit statistics, an analysis of residuals and the magnitudes of item factor loadings (see Table 3 and Fig. 1).

Table 3. Summary of model fit statistics.

Model   χ²/DF   GFI   CFI   RMSEA   AIC       ECVI
1        2.16   .90   .97    .07     287.8    1.19
2*       3.75   .93   .98    .11     105.5     .44
3       14.7    .48   .63    .24    1595.95   6.62
* These values refer to the supervisor's scale.

Figure 1. Four-Factor CFA model: standardized loadings of the items (p1g to p4i, error terms err1 to err15) on SDSN, SISN, CDSN and CISN, and the correlations between the four factors (path diagram not reproduced).
The whole set of fit statistics confirms the Four-Factor CFA model (according to the Hu and Bentler, 1999 criteria for fit indexes). The examination of the first set of model fit statistics shows that the Chi-square/degrees of freedom ratio for the Four-Factor CFA model (2.16) is adequate; the GFI index (.90), the CFI (.97) and the RMSEA (.07) are consistent in suggesting that the hypothesized model represents an adequate fit to the data; finally, the AIC and the ECVI (criteria used in the comparison of two or more models) present smaller values than in the One-Factor CFA model, which represents a better fit of the hypothesized Four-Factor CFA model.
The standardized path coefficients are portrayed in Figure 1. The parameters relating items to factors ranged between .59 and .95 (p < .0001). Correlations between the four factors were also significant (p < .0001) and ranged between .49 and .79.

5 CONCLUSIONS

The results of the current study add to the growing body of literature on the valid measurement of safety group norms. Results of EFA and CFA confirm the questionnaire structure. Supervisor's and coworker's descriptive and injunctive safety norms are not isomorphic constructs; they refer to separate dimensions of social influence on safety behavior. Overall results provide support for a correlated, four-factor model.
In addition, this study further examines the predictive power of safety group norms on safety behavior. In line with expectations, multiple regression results have demonstrated that coworker's descriptive and injunctive safety norms are a strong predictor of proactive and compliance safety behavior. Surprisingly, in this company, supervisor's safety norms did not predict individual safety behavior. These results indicate that coworkers' safety behaviors are mostly influenced by their peers, and less by their supervisors, suggesting that coworkers can mediate the effect of supervisor's safety norms on individual safety behavior at work. This is an important finding given that very little research has examined how peers can impact safety behavior. These results also suggest that organizational safety initiatives should be aware of the important role of fellow team members on individual attitudes and safety behaviors at work. New research should be conducted in order to replicate the factorial structure and to test whether the pattern of safety influences is an idiosyncratic characteristic of the structure of teamwork and supervision in this company. Also, the validation of this model for predicting behavior will further include the test of a more complete socio-cognitive model with SEM, ideally using a multilevel approach.

ACKNOWLEDGEMENTS

This research was supported by Fundação para a Ciência e Tecnologia—Portugal (SFRH/BDE/15635/2006) and Metropolitano de Lisboa.

REFERENCES

Ajzen, I. 1991. The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50: 179–211.
Ajzen, I. 2005. Laws of human behavior: Symmetry, compatibility and attitude—behavior correspondence. In A. Beauducel, B. Biehl, M. Bosniak, W. Conrad, G. Schönberger & D. Wagener (eds.), Multivariate Research Strategies: 3–19. Aachen, Germany: Shaker Verlag.
Armitage, C.J. & Conner, M. 2001. Efficacy of the theory of planned behaviour: a meta-analytic review. British Journal of Social Psychology, 40: 471–499.
Burke, M.J., Sarpy, S.A., Tesluk, P.E. & Smith-Crowe, K. 2002. General safety performance: A test of a grounded theoretical model. Personnel Psychology, 55.
Cialdini, R.B., Kallgren, C.A. & Reno, R. 1991. A focus theory of normative conduct. Advances in Experimental Social Psychology, 24: 201–234.
Cialdini, R.B., Reno, R. & Kallgren, C.A. 1990. A focus theory of normative conduct: Recycling the concept of norms to reduce littering in public places. Journal of Personality and Social Psychology, 58(6): 1015–1026.
Cialdini, R.B., Sagarin, B.J., Barrett, D.W., Rhodes, K. & Winter, P.L. 2006. Managing social norms for persuasive impact. Social Influence, 1(1): 3–15.
Cialdini, R.B. & Trost, M.R. 1998. Social influence: Social norms, conformity and compliance. In D.T. Gilbert, S.T. Fiske & G. Lindzey (eds.), The Handbook of Social Psychology (4th ed., Vol. 2): 151–192. New York: McGraw-Hill.
Conner, M. & McMillan, B. 1999. Interaction effects in the theory of planned behavior: Studying cannabis use. British Journal of Social Psychology, 38: 195–222.
Conner, M., Smith, N. & McMillan, B. 2003. Examining normative pressure in the theory of planned behaviour: Impact of gender and passengers on intentions to break the speed limit. Current Psychology: Developmental, Learning, Personality, Social, 22(3): 252–263.
Deutsch, M. & Gerard, H.B. 1955. A study of normative and informational social influences upon individual judgment. Journal of Abnormal and Social Psychology, 51: 629–636.
Fekadu, Z. & Kraft, P. 2002. Expanding the Theory of Planned Behavior: The role of social norms and group identification. Journal of Health Psychology, 7(1): 33–43.
Hämäläinen, P., Takala, J. & Saarela, K.L. 2006. Global estimates of occupational accidents. Safety Science, 44: 137–156.
Hofmann, D.A., Morgeson, F.P. & Gerras, S.J. 2003. Climate as a moderator of the relationship between LMX and content specific citizenship behavior: Safety climate as an exemplar. Journal of Applied Psychology, 88(1): 170–178.
Hu, L.-T. & Bentler, P.M. 1999. Cutoff criteria for fit indexes in covariance structure analysis: Conventional criteria versus new alternatives. Structural Equation Modeling: A Multidisciplinary Journal, 6: 1–55.
Johnson, S. & Hall, A. 2005. The prediction of safe lifting behavior: An application of the theory of planned behavior. Journal of Safety Research, 36: 63–73.
Linnan, L., Montagne, A., Stoddard, A., Emmons, K.M. & Sorensen, G. 2005. Norms and their relationship to behavior in worksite settings: An application of the Jackson Return Potential Model. American Journal of Health Behavior, 29(3): 258–268.
Rivis, A. & Sheeran, P. 2003. Descriptive norms as an additional predictor in the Theory of Planned Behaviour: A meta-analysis. Current Psychology: Developmental, Learning, Personality, Social, 22(3): 218–233.
Tesluk, P. & Quigley, N.R. 2003. Group and normative influences on health and safety, perspectives from taking a broad view on team effectiveness. In D.A. Hofmann & L.E. Tetrick (eds.), Health and Safety in Organizations: A multilevel perspective: 131–172. San Francisco: John Wiley & Sons.
Zohar, D. 2000. A group-level model of safety climate: Testing the effect of group climate on microaccidents in manufacturing jobs. Journal of Applied Psychology, 85: 587–596.
Zohar, D. 2002. The effects of leadership dimensions, safety climate, and assigned priorities on minor injuries in work groups. Journal of Organizational Behavior, 23: 75–92.
Zohar, D. & Luria, G. 2005. Multilevel model of safety climate: Cross-level relationships between organization and group-level climates. Journal of Applied Psychology, 9(4): 616–628.
K.T. Kosmowski
Gdansk University of Technology, Gdansk, Poland
ABSTRACT: This paper is devoted to selected aspects of knowledge-based layer of protection analysis (LOPA) of industrial hazardous systems with regard to human and organizational factors. The issue is discussed in the context of functional safety analysis of the control and protection systems to be designed and operated according to the international standards IEC 61508 and IEC 61511. The layers of protection can include, for instance, the basic process control system (BPCS), the human-operator (HO) and the safety instrumented system (SIS). Such layers should be independent; however, due to some factors involved, dependencies can occur, which may result in an increase of the risk level of the accident scenarios identified in the process of risk analysis. The method is illustrated on the example of the control system (TCS) and protection system (TPS) of a turbo-generator set, which has to be shut down in some situations of internal or external disturbances. The required risk reduction is distributed among the TCS and TPS, to be designed for the appropriate safety integrity level (SIL).
disturbances, faults and accidents, as well as the diagnostic activities, the functionality and safety integrity tests, maintenance actions and repairs after faults.
The operators supervise the process and make decisions using alarm panels within the operator support system (OSS), which should be designed carefully for abnormal situations and accidents, also for cases of partial faults and dangerous failures within the electric, electronic and programmable electronic (E/E/PE) systems (IEC 61508) or the safety instrumented systems (SIS) (IEC 61511). The OSS, when properly designed, will contribute to reducing the human error probability and lowering the risk of potential accidents.
The paper outlines the concept of using a knowledge-based method for the layer of protection analysis (LOPA) of industrial hazardous systems with regard to the influence of human and organizational factors (H&OF). Various layers of protection can be distinguished in the context of identified accident scenarios, including e.g. the basic process control system (BPCS), the human-operator (HO) and the safety instrumented system (SIS) designed according to the requirements and probabilistic criteria given in the functional safety standards IEC 61508 and IEC 61511. The protection layers should be independent. However, due to some factors involved, dependencies can occur. This can result in a significant increase of the risk level of the accident scenarios identified in the risk evaluation process. The problem should be carefully analyzed at the system design stage to consider relevant safety-related functions of appropriate SILs.
To reduce the human error probability (HEP), an advanced OSS should be designed. For dynamic processes, with a short HO reaction time permitted, the HEP can be high, close to 1. The paper emphasizes the importance of context-oriented human reliability analysis (HRA) within functional safety management and the necessity to incorporate the more important influencing factors in a systematic way.

2 FUNCTIONAL SAFETY ANALYSIS AND HUMAN FACTORS

2.1 Safety integrity levels and probabilistic criteria

Modern industrial systems are extensively computerised and equipped with complex programmable control and protection systems. In the design of control and protection systems a functional safety concept (IEC 61508) is more and more widely implemented in various industrial sectors, e.g. the process industry (IEC 61511) and the machine industry (IEC 62061).
The aim of functional safety management is to reduce the risk of a hazardous system to an acceptable or tolerable level by introducing a set of safety-related functions (SRFs) to be implemented using the control and/or protection systems. The human-operator (HO) contributes to the realization of an SRF according to the technical specification. There are still methodological challenges concerning functional safety management in the life cycle (Kosmowski 2006).
An important term related to the functional safety concept is the safety integrity (IEC 61508), understood as the probability that a given safety-related system will satisfactorily perform the required SRF under all stated conditions within a given period of time. The safety integrity level (SIL) is a discrete level (1 to 4) for specifying the safety integrity requirements of a given safety function to be allocated using the E/E/PE system or SIS (IEC 61511). The safety integrity level of 4 (SIL4) is the highest level, which requires a redundant architecture of the E/E/PE system with diagnosing and testing of subsystems.
For consecutive SILs two probabilistic criteria are defined in IEC 61508, namely:
– the average probability of failure to perform the safety-related function on demand (PFDavg) for the system operating in a low demand mode, and
– the probability of a dangerous failure per hour PFH (the frequency) for the system operating in a high demand or continuous mode of operation.
The interval probabilistic criteria for the safety-related functions to be implemented using E/E/PE systems are presented in Table 1. Similar interval criteria are also used in assessments of SIS (IEC 61511) and of Safety-related Electrical, Electronic and Programmable Electronic Control Systems for Machinery (SRECS) (IEC 62061).
The SIL for a given SRF is determined in the risk assessment process for a defined risk matrix, which includes areas for distinguished categories of risk, e.g. unacceptable, moderate and acceptable (IEC 61508). Verifying the SIL for a given safety-related function to be implemented using the E/E/PE or SIS system is usually a difficult task due to the lack of reliability data and other data used as parameters in the probabilistic models of the system in design. In such a situation, a qualitative method for crude verification of the SIL is permitted in IEC 61508 for the system architectures considered at the design stage.

Table 1. Probabilistic criteria for safety functions to be allocated using E/E/PE systems.

SIL   PFDavg              PFH [h⁻¹]
4     [10⁻⁵, 10⁻⁴)        [10⁻⁹, 10⁻⁸)
3     [10⁻⁴, 10⁻³)        [10⁻⁸, 10⁻⁷)
2     [10⁻³, 10⁻²)        [10⁻⁷, 10⁻⁶)
1     [10⁻², 10⁻¹)        [10⁻⁶, 10⁻⁵)
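As an added worked example (not the paper's own code), the following shows how the interval criteria of Table 1 and the LOPA view of independent protection layers translate into a calculation: it classifies a PFDavg or PFH into a SIL, derives the risk reduction a SIS must provide once the BPCS and HO layers are credited, and shows how losing the operator credit (the case of an HEP close to 1 mentioned above) changes the SIL the SIS has to meet. The function names, the initiating and tolerable frequencies, the layer PFDs and the conditional-PFD treatment of layer dependency are this example's assumptions, not values or a model from the paper.

```python
from typing import Optional, Sequence, Tuple

# Table 1 of the paper: half-open bands [lower, upper) per SIL, for low-demand
# operation (PFDavg, dimensionless) and high-demand/continuous operation (PFH, 1/h).
PFD_AVG_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))
PFH_BANDS = ((4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5))

# Relative guard so that a value which is 1e-2 up to float rounding (e.g. the
# 0.00999999... produced by 1e-4 / (0.1 * 0.1)) lands in the band whose lower
# bound is 1e-2, as the table intends, instead of being promoted one SIL.
_REL_TOL = 1e-9


def _classify(value: float, bands) -> Optional[int]:
    """Return the SIL whose band contains `value`, or None when the value lies
    outside SIL 1..4 (better than the SIL 4 band, or too poor to claim SIL 1)."""
    if not value > 0.0:
        raise ValueError("probability or frequency must be positive")
    for sil, lower, upper in bands:
        if lower * (1 - _REL_TOL) <= value < upper * (1 - _REL_TOL):
            return sil
    return None


def sil_from_pfd_avg(pfd_avg: float) -> Optional[int]:
    """SIL of a low-demand safety function from its PFDavg (Table 1, column 2)."""
    return _classify(pfd_avg, PFD_AVG_BANDS)


def sil_from_pfh(pfh_per_hour: float) -> Optional[int]:
    """SIL of a high-demand/continuous safety function from its PFH (Table 1, column 3)."""
    return _classify(pfh_per_hour, PFH_BANDS)


def mitigated_frequency(initiating_frequency: float, layer_pfds: Sequence[float]) -> float:
    """LOPA product rule for independent layers: the hazardous event occurs only if
    every layer fails on demand, so the initiating frequency is multiplied by each PFD."""
    freq = initiating_frequency
    for pfd in layer_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError("PFD must be in (0, 1]")
        freq *= pfd
    return freq


def required_total_pfd(initiating_frequency: float, tolerable_frequency: float) -> float:
    """Overall PFD the protection layers must achieve so that the mitigated frequency
    does not exceed the tolerable one (capped at 1.0: no risk reduction needed)."""
    if initiating_frequency <= 0.0 or tolerable_frequency <= 0.0:
        raise ValueError("frequencies must be positive")
    return min(1.0, tolerable_frequency / initiating_frequency)


def sis_target(initiating_frequency: float, tolerable_frequency: float,
               pfd_bpcs: float, pfd_ho: float) -> Tuple[float, Optional[int]]:
    """Distribute the required risk reduction: credit the BPCS and HO layers first and
    return (PFDavg the SIS must reach, SIL band it falls in, or None if out of range).

    `pfd_ho` is the operator's failure probability for this demand. If the operator
    depends on the BPCS (e.g. acts on its alarms), pass the PFD conditional on BPCS
    failure; modelling dependency through a conditional PFD is an assumption of this
    example, not a model taken from the paper."""
    total = required_total_pfd(initiating_frequency, tolerable_frequency)
    credited = mitigated_frequency(1.0, [pfd_bpcs, pfd_ho])  # BPCS x HO credit
    sis_pfd = total / credited
    if sis_pfd >= 1.0:
        return 1.0, None  # the other layers already meet the target; no SIS demand
    return sis_pfd, sil_from_pfd_avg(sis_pfd)


if __name__ == "__main__":
    # Constructed scenario: 0.1 demands per year, tolerable 1e-5 accidents per year.
    f_init, f_tol = 0.1, 1e-5
    # Independent layers: BPCS and HO each credited with PFD 0.1 -> SIS needs 1e-2 (SIL 1).
    print("independent HO credit:", sis_target(f_init, f_tol, pfd_bpcs=0.1, pfd_ho=0.1))
    # Dynamic process, HEP close to 1 given BPCS failure: the SIS must carry the
    # reduction alone -> SIS needs 1e-3 (SIL 2).
    print("no HO credit:", sis_target(f_init, f_tol, pfd_bpcs=0.1, pfd_ho=1.0))
```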
However, the rules proposed in this standard for the qualitative evaluation of E/E/PE block diagrams should be used with caution, because they do not fully cover cases of potential dependent failures of subsystems. The problem is more challenging if it is necessary to include potential human errors, which are related to the human and organisational factors (Kosmowski 2007).

2.2 Functional safety management with regard to human factors

Lately, a framework was proposed (Carey 2001) for addressing human factors in IEC 61508 with consideration of a range of applications of E/E/PE systems in safety-related applications. It has highlighted the diversity of ways in which human factors requirements map on to various E/E/PE systems in different industries and implementation contexts. Some conclusions were formulated as follows:
– Determination of the safety integrity level (SIL) for an E/E/PE system requires careful consideration not only of the direct risk reduction functions it is providing, but also of those risk reduction functions performed by staff that interact with it; this requires addressing in the Hazard and Risk Analysis step of the IEC 61508 lifecycle;
– Having determined the safety integrity of the E/E/PE system, it was suggested that the effort that needs to be placed into operations and maintenance in relation to human factors should be greater as the SIL level increases, especially for solutions of SIL3 and SIL4;
– The types of human factors issues that need to be addressed vary between the classes of systems discussed; therefore, the framework is not specific in terms of the technology or other aspects related to human factors.
Some general remarks were made for addressing human factors (HFs) within IEC 61508 that include:
– Incorporation of human tasks and errors into the Hazard and Risk Assessment process;
– Use of the tables to define the human factors requirements for a given safety integrity level.
In the paper by Hickling et al. (2006) the publishing of a Guidance for Users of IEC 61508 was announced. The guidance is designed to respond to requirements laid down in this standard. They fall into two broad categories of those associated with:
The hazard and risk analysis has to include (Gertman & Blackman 1994, Hickling et al. 2006, IEC 61508):
– All relevant human and organizational factors issues,
– Procedural faults and human errors,
– Abnormal and infrequent modes of operation,
– Reasonably foreseeable misuse,
– Claims on operational constraints and interventions.
It is emphasized that the operator interface analysis should:
– Be covered in safety requirements,
– Take account of human capabilities and limitations,
– Follow good HF practice,
– Be appropriate for the level of training and awareness of potential users,
– Be tolerant of mistakes—see the classification of unsafe acts and human errors by Reason (1990).
Thus, the scope of analyses should include the relevant human and organizational factors (H&OFs) aspects traditionally included in the HRA methods used in Probabilistic Safety Analysis (PSA) (Swain & Guttmann 1983, Humphreys 1988, COA 1998).

2.3 Human reliability analysis in probabilistic modeling of safety-related systems

The human reliability analysis (HRA) methods are used for assessing the risks from potential human errors, and for reducing the vulnerability of the system operating in a given environment. However, some basic assumptions in the HRA methods used within probabilistic safety analysis of hazardous systems are the subject of dispute between researchers (Hollnagel 2005).
Practically all HRA methods assume that it is meaningful to use the concept of human errors and that it is justified to estimate their probabilities. Such a point of view is sometimes questioned due to not fully verified assumptions about human behavior and potential errors. Hollnagel (2005) concludes that HRA results are of limited value as an input for PSA, mainly because of an oversimplified conception of human performance and human error.
In spite of this criticism, while waiting for the next generation of HRA methods, human factor analysts use several existing HRA methods for PSA. Below, selected HRA methods are shortly characterized, which can be applied for HRA within the functional safety analy-
sis. The rough human reliability assessments based on
1. the hazard and risk analysis, and qualitative information with regard to human factors
2. the interface between human operator and technol- can be especially useful for initial decision making
ogy (process). at the designed stage of the safety-related functions
251
and systems (Kosmowski 2007). It will be demonstrated that a functional safety analysis framework gives additional insights in HRA.

Several traditional HRA methods have been used in PSA practice, including the THERP method (Swain & Guttmann 1983), developed for the nuclear industry, but applied also in various industrial sectors. Other HRA methods, more frequently used in practice, are: Accident Sequence Evaluation Procedure-Human Reliability Analysis Procedure (ASEP-HRA), Human Error Assessment and Reduction Technique (HEART), and Success Likelihood Index Method (SLIM)—see the description and characterization of HRA methods (Humphreys 1988, COA 1998).

The two first-mentioned methods (THERP and ASEP-HRA) are decomposition methods, based on a set of data and rules for evaluating the human error probabilities (HEPs). HEART consists of generic probabilistic data and a set of influence factors for correcting the nominal human error probability. SLIM enables the definition of a set of influence factors, but requires data for calibrating the probabilistic model.

In the publication by Byers et al. (2000) five HRA methods were selected for comparison on the basis of either relatively widespread usage, or recognized contribution as a newer contemporary technique:

– Technique for Human Error Rate Prediction (THERP) (Swain and Guttmann, 1983);
– Accident Sequence Evaluation Program (ASEP) (Swain, 1987);
– Cognitive Reliability and Error Analysis Method (CREAM) (Hollnagel, 1998);
– Human Error Assessment and Reduction Technique (HEART) (Williams, 1988);
– A Technique for Human Event Analysis (ATHEANA) (USNRC, 1998).

In addition to these methods, other sources of information were also examined to provide insights concerning the treatment and evaluation of human errors. Comparisons were also made with regard to the SPAR-H HRA method (Gertman et al. 2005).

The team members were asked to construct more detailed summaries of their methods and sources, including specific lists of: 1) error types; 2) any base rates associated with the error types; 3) performance shaping factors (PSFs); 4) PSF weights; and 5) dependency factors. Obviously, not all methods and sources contained all of this information, and certainly not all used the same terminology of error types and PSFs (Byers et al. 2000).

In summary the authors conclude that, as a result of the comparison of the ASP HRA methodology to other methods and sources, enhancements were made as regards: error type names, error type definitions, PSFs, PSF weights, PSF definitions, dependency conditions and dependency definitions. No changes were made to the base error weights. Each task no longer has to be rated on both processing (diagnosis) and response (action) components; only if the task contains diagnosis does diagnosis get rated, and similarly for action.

Changes were also made to the worksheet to enhance usability and to gather more information when non-nominal ratings are made. The overall range of possible HEPs has been expanded.

The final conclusion is that the enhanced SPAR-H methodology is useful as an easy-to-use, broadly applicable HRA screening tool. The comparisons and enhancements allow the SPAR-H methodology to maintain the strengths of the original ASP HRA (1994) methodology, while taking advantage of the information available from user feedback and from other HRA methods and sources.

HEP is evaluated when the human failure event is placed into the structure of the probabilistic model of the system. In the HRA within PSA only the more important human failure events are considered (Kosmowski 2004). Then the context-related PSFs are specified and determined according to the rules of the given HRA method. As a result the particular value of HEP is calculated. Different methods are used for evaluating HEP with regard to PSFs, e.g. assuming a linear relationship for each identified $PSF_k$ and its weight $w_k$, with constant $C$ for the model calibration

$$HEP = HEP_{nominal} \sum_k w_k \, PSF_k + C \quad (1)$$

or a nonlinear relationship, as in the SPAR-H methodology (Gertman et al. 2005)

$$HEP = \frac{NHEP \cdot PSF_{composite}}{NHEP \,(PSF_{composite} - 1) + 1} \quad (2)$$

where $NHEP$ is the nominal HEP. $NHEP$ equals 0.01 for diagnosis, and $NHEP$ equals 0.001 for action.

2.4 Including human failure events in functional safety analysis and probabilistic modeling

In probabilistic modeling of the E/E/PE safety-related system the human failure events and their probabilities are elements of a subsystem model, as explained below. For instance, $PFD_{avg}$ of an E/E/PE subsystem (SUB) operating in the low demand mode is calculated from the formula (Kosmowski et al. 2006):

$$PFD_{avg}^{SUB} \cong PFD_{avg}^{FT} + PFD_{avg}^{AT} + PFD^{HE} \quad (3)$$

where: $PFD_{avg}^{FT}$ is the average probability of a subsystem failure on demand, detected in the periodical
functional test (FT); $PFD_{avg}^{AT}$—the probability of subsystem failure on demand, detected in the automatic test (AT); $PFD^{HE}$—the probability of failure on demand due to human error (HE). Depending on the subsystem and situation considered, the human error can be a design error (hardware or software related) or an operator error (activities of the operator in the control room or as a member of the maintenance group).

The E/E/PE safety-related system under design consists of subsystems: sensors/transducers/converters (STC), programmable logic controllers (PLC) and equipment under control (EUC). Each of these subsystems can generally be treated as a KooN architecture, which is determined during the design. Each PLC comprises the central unit (CPU), input modules (digital or analog) and output modules (digital or analog). The average probability of failure on demand $PFD_{avg}$ of the E/E/PE safety-related system (SYS) is evaluated as the sum of the probabilities for these subsystems (assuming small values of probabilities) from the formula

$$PFD_{avg}^{SYS} \cong PFD_{avg}^{STC} + PFD_{avg}^{PLC} + PFD_{avg}^{EUC} \quad (4)$$

The PFDs in formula (4) can be evaluated qualitatively (indicating the SIL with the relevant interval of $PFD_{avg}$—see Table 1) or quantitatively (results of the probabilistic modeling process) with regard to potential dependent failures and relevant human errors. For complex KooN architectures suitable methods of probabilistic modeling are used (Kosmowski 2007).

– independent of the initiating event and the components of any other IPL already claimed for the same scenario,
– auditable, i.e. the assumed effectiveness in terms of consequence prevention and PFD must be capable of validation (by documentation, review, testing, etc.).

An active IPL generally comprises the following components:

– A—a sensor of some type (instrument, mechanical, or human),
– B—a decision-making element (logic solver, relay, spring, human, etc.),
– C—an action (automatic, mechanical, or human).

Such an IPL can be designed as a Basic Process Control System (BPCS) or SIS (see layers 2 and 4 in Fig. 1). These systems should be functionally and structurally independent; however, this is not always possible in practice. Figure 2 illustrates the functional relationships of three protection layers: 2, 3 and 4 shown in Figure 1. An important part of such a complex system is the man-machine interface (MMI) (GSAChP 1993, Gertman & Blackman 1994). Its functionality and quality is often included as an important PSF in HRA (Kosmowski 2007).
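As an added worked example (not code from the paper or its author), the following Python script implements the HEP formulas (1) and (2) of section 2.3 and the PFD sums (3) and (4) of section 2.4, and then classifies the resulting $PFD_{avg}$ against the IEC 61508 low-demand SIL bands that Table 1 of the paper refers to. The nominal HEPs 0.01 (diagnosis) and 0.001 (action) are those quoted for SPAR-H above; the band limits (10^-5 to 10^-4 for SIL4 up to 10^-2 to 10^-1 for SIL1) come from IEC 61508-1 rather than from this page. The PSF multipliers, the subsystem PFD values and the rule that $PSF_{composite}$ is the product of the individual multipliers are assumptions of this example. It also shows the practical reason the paper prefers the nonlinear form (2): the linear form (1) can return a "probability" above 1, while (2) saturates below 1 however bad the PSFs are.

```python
"""Added example: HEP formulas (1)-(2) feeding the PFD sums (3)-(4), then a
SIL classification of the result against the IEC 61508 low-demand bands."""
import math

# IEC 61508-1 low-demand-mode PFDavg target bands as (lower, upper) per SIL.
# Taken from the standard; the paper's Table 1 is not reproduced on the page.
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}

# Nominal HEPs quoted for SPAR-H in section 2.3.
NHEP = {"diagnosis": 0.01, "action": 0.001}


def hep_linear(hep_nominal, weights, psfs, c=0.0):
    """Formula (1): HEP = HEP_nominal * sum_k w_k * PSF_k + C.  Note that nothing
    bounds the result, so it can exceed 1 for strongly negative PSFs."""
    if weights.keys() != psfs.keys():
        raise ValueError("weights and PSF values must name the same factors")
    return hep_nominal * sum(weights[k] * psfs[k] for k in weights) + c


def hep_spar_h(task_type, multipliers):
    """Formula (2): HEP = NHEP * PSFc / (NHEP * (PSFc - 1) + 1).

    PSF_composite is assumed here (as on the SPAR-H worksheet) to be the
    product of the individual PSF multipliers; a multiplier of 1.0 is nominal.
    """
    nhep = NHEP[task_type]
    composite = math.prod(multipliers)
    if composite <= 0:
        raise ValueError("PSF multipliers must be positive")
    return nhep * composite / (nhep * (composite - 1.0) + 1.0)


def pfd_subsystem(pfd_ft, pfd_at, pfd_he):
    """Formula (3): subsystem PFDavg = FT-detected + AT-detected + human-error part."""
    return pfd_ft + pfd_at + pfd_he


def pfd_system(subsystems):
    """Formula (4): system PFDavg as the sum over STC, PLC and EUC.  This is the
    rare-event approximation the paper assumes (small PFDs only)."""
    return sum(subsystems.values())


def sil_from_pfd(pfd):
    """SIL whose low-demand band contains pfd; 0 if the value is worse than SIL1."""
    if pfd < SIL_BANDS[4][0]:
        return 4  # below the SIL4 band; the standard defines nothing higher
    for sil in (4, 3, 2, 1):
        low, high = SIL_BANDS[sil]
        if low <= pfd < high:
            return sil
    return 0


def worked_example():
    """Constructed numbers (assumed, not from the paper): the EUC subsystem
    includes a maintenance action whose HEP comes from (2) with one
    non-nominal PSF multiplier of 5."""
    he = hep_spar_h("action", [1.0, 5.0])          # about 0.00498
    stc = pfd_subsystem(2.0e-3, 5.0e-4, 0.0)       # falls in the SIL2 band
    plc = pfd_subsystem(1.0e-4, 5.0e-5, 0.0)       # falls in the SIL3 band
    euc_without = pfd_subsystem(4.0e-3, 0.0, 0.0)  # valve without the HE term
    euc_with = pfd_subsystem(4.0e-3, 0.0, he)      # valve including the HE term
    sys_without = pfd_system({"STC": stc, "PLC": plc, "EUC": euc_without})
    sys_with = pfd_system({"STC": stc, "PLC": plc, "EUC": euc_with})
    return {
        "hep_action": he,
        "pfd_without_he": sys_without,
        "sil_without_he": sil_from_pfd(sys_without),  # SIL2
        "pfd_with_he": sys_with,
        "sil_with_he": sil_from_pfd(sys_with),        # drops to SIL1
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value}")
```

In the constructed case the human-error term alone moves the system from the SIL2 band into SIL1, which is the effect the paper's section 3.4 reports for the turbine valves: the subsystem that carries the human action tends to dominate the sum in (4).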
Figure 3. Protection layers for reducing the frequency of accident scenarios (PL1: BPCS, PL2: HO, PL3: SIS).

Figure 4. Protection layers reducing the frequency of an accident scenario (PL1: TCS, PL2: HO, PL3: TPS).

3.2 Dependency issue of protection layers

Protection layers (PLs) 2, 3 and 4 from Figure 1 are shown in Figure 3. They include:

– PL1—basic process control system (BPCS),
– PL2—human-operator (HO),
– PL3—safety instrumented system (SIS).

If these layers are treated as independent, the frequency of the i-th accident scenario $F_i^{IPLs}$ is calculated from the formula

$$F_i^{IPLs} = F_i^{I} \, PFD_i^{IPL1} \, PFD_i^{IPL2} \, PFD_i^{IPL3} \quad (5)$$

where: $F_i^{I}$ is the frequency of an initiating event (I) and $PFD_i^{IPL1}$, $PFD_i^{IPL2}$, $PFD_i^{IPL3}$ are the probabilities of failure on demand for the protection layers shown in Fig. 4, treated as independent layers.

If these protection layers are dependent, the frequency of the i-th accident scenario $F_i^{PLs}$ is calculated taking into account the conditional probabilities, and a higher value of the frequency will be obtained

$$F_i^{PLs} = F_i^{I} \, PFD_i^{PL1} \, PFD_i^{PL2} \, PFD_i^{PL3} = d \cdot F_i^{IPLs} \quad (6)$$

The value of the coefficient $d$ can be much higher than 1 ($d \gg 1$). Its value, depending on the situation analyzed, can be higher even by an order of magnitude. The value of $d$ is significantly influenced by assumptions concerning the probabilistic modeling of dependent failures due to equipment failures and/or human errors (Kosmowski 2007).

An important problem is to model the dependencies on the level of the accident scenario (between protection layers). It is especially challenging for layer 2 (HO), which is usually significantly dependent on layer 1 (BPCS). These cases are considered below with regard to the potential influence of human and organizational factors.

3.3 Treating of dependent failure events in human reliability analysis

As was mentioned, the international standard IEC 61508 emphasizes in many places the significance of human failures and their potential contribution to the probabilistic evaluations; however, there is no direct indication how this problem should be solved. Some general proposals are mentioned in the report (Carey 2001). One of the methods for treating dependent failures is proposed in the THERP technique (Swain & Guttmann 1983).

THERP offers a dependency model for potential human failure events to be considered in complex situations, distinguishing: ZD—zero dependence, LD—low dependence, MD—moderate dependence, HD—high dependence, and CD—complete dependence. This model assumes fixed levels of the dependency factors, equivalent to beta-H factors: $\beta_H = 0$ for ZD, $\beta_H = 0.05$ for LD, $\beta_H = 0.14$ for MD, $\beta_H = 0.5$ for HD and $\beta_H = 1$ for CD.

This dependency model is illustrated on an example of two dependent events of potential human errors: A (previous) and B (consecutive). The probability of making error A and error B (potentially dependent) is evaluated as follows

$$P(A \cdot B) = P(A)\,P(B|A) = (1 - \beta_H)\,Q_A Q_B + \beta_H Q_A \quad (7)$$

where: $P(A) = Q_A$ and $P(B) = Q_B$ are the probabilities of the relevant failure events. For $\beta_H = 0$ (independence of events/errors) the result is $P(A \cdot B) = Q_A Q_B$, but for $\beta_H = 1$ (complete dependence of errors) $P(A \cdot B) = Q_A = P(A)$. When $Q_A = Q_B \ll 1$, a simplified version of formula (7) can be used: $P(A \cdot B) \cong \beta_H Q_A$. The value of $\beta_H$ depends on various factors to be considered in the probabilistic modeling of the given safety-related situation (Swain & Guttmann 1983).

3.4 An example of protection layers analysis including human failure event

Two safety-related systems are considered below: a turbine control system (TCS) and a turbine protection system (TPS). These systems perform an important function: to switch off the relevant valves and shut down a turbine set of the electrical power unit in situations of internal or external disturbances. Failures of these systems can lead to very serious consequences.

The TCS operates in a continuous mode of operation and the TPS is a system operating in a low demand mode (see item 2.1). These systems are designed with regard to the required SIL, determined in the process of risk assessment. Based on these assessments it was evaluated that the risk measure should be lowered by a factor of $10^{-4}$ (equivalent to SIL4) using
the TCS and TPS, treated as the first and third barrier (see Fig. 3). Between these layers there is a second barrier: the Human-Operator (HO) (see Fig. 4).

Preliminary results of the functional safety analysis of the TCS and TPS indicate that with the assumed architectures the TCS ensures safety integrity level SIL1. This low level is mainly due to the safety integrity of subsystem C (a control valve V-TCS), evaluated at the level of SIL1 (Fig. 5). Subsystem A (sensors, transducers and converters) contributes less significantly to the result obtained (SIL2), and the contribution to $PFD_{avg}$ of subsystem B (the E/E/PE system) is very low because of SIL3.

The TPS ensures safety integrity level 2 (SIL2), as can be seen in Figure 6. It is mainly due to the SIL of subsystem C (a control valve V-TPS), evaluated as SIL2. Subsystem A (sensors, transducers and converters) contributes less significantly (SIL2) and the contribution of subsystem B (E/E/PE system) to $PFD_{avg}$ is low thanks to SIL3.

The resulting safety integrity levels of the protection layers are shown in Figure 7. Due to the significant dynamics of the system for most initiating events and the high dependency of human actions, the human error probability was evaluated as very high (HEP ≈ 1). Therefore, the risk reduction by the TCS and TPS is on the level of $10^{-3}$ (SIL1 + SIL2).

Thus, the risk reduction required at the level of $10^{-4}$ is not met and design improvements have to be considered. The analysis has shown that it is not possible at reasonable cost to achieve a higher SIL for the TCS (from SIL1 to SIL2). Therefore another design option was taken into account, to achieve a higher SIL for the TPS (from SIL2 to SIL3—see the right block in Fig. 7).

Figure 5. Subsystems of the turbine control system (TCS): A. STC (SIL2), B. E/E/PES (SIL3), C. V-TCS (SIL1), EUC.

Figure 6. Subsystems of the turbine protection system (TPS): A. STC (SIL2), B. E/E/PES (SIL3), C. V-TPS (SIL2), EUC.

Figure 7. Final safety integrity levels in the protection layers of the turbine shut-down system: PL1 TCS (SIL1), PL2 HO (HEP ≈ 1), PL3 TPS (SIL2 → SIL3).

It is proposed to increase the SIL of the TPS by increasing the SIL of subsystem A from SIL2 (see Fig. 6) to SIL3 and of subsystem C from SIL2 to SIL3. In subsystem A the 2oo3 architecture is proposed to lower $PFD_{avg}$ and to lower the frequency of TPS spurious operation. For increasing the SIL in subsystem C it is not justified to implement a 1oo2 structure due to very high costs. Therefore, the regulatory aspects (the selection of a high-quality valve) and the testing strategy of the shut-down valve must be adapted to meet the requirements for SIL3 (see the interval criteria in Table 1).

4 CHALLENGES IN SAFETY MANAGEMENT REGARDING HUMAN FACTORS

4.1 Advanced solutions influencing human-operator reliability

As has been mentioned, hazardous industrial plants require an integrated safety management system oriented not only on technical aspects, but first of all on human and organizational factors. Below two aspects are emphasized, related to: (1) the dependability of safety-related systems including human-operator reliability, and (2) the quality and safety aspects of computerized systems used for monitoring, control and protection.

Nowadays more and more designers and safety managers are convinced that knowledge concerning human performance capabilities as well as human and organizational factors should be a basis for the development of advanced technology for monitoring, control and protection of hazardous systems. There are new ideas on how to design an advanced control room concentrating on human factors.

From the safety point of view of hazardous plants it is crucial to support the operators using advanced tools for safety-related decision making oriented on reducing the probabilities of human errors. The idea of an intelligent operator support system (OSS) is usually of interest, integrated with an on-line diagnostic system and an on-line dynamic risk assessment system. Such an OSS could also be used in situations of partial faults and dangerous failures within E/E/PE safety-related systems or SISs, contributing to reducing the probability of human errors and the risks of abnormal states. The OSS should provide intelligent advice during accidents based on advanced procedures that combine the symptom-oriented procedures and the dynamic risk-oriented procedures.

4.2 Towards an integrated knowledge-based approach in managing safety including human factors

Current approaches used for the safety management of programmable systems are not coherent.
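As an added example (not code from the paper or its author), the following Python script implements the THERP dependency formula (7) with the $\beta_H$ levels listed in section 3.3, the independent and dependent scenario frequencies (5) and (6) of section 3.2 together with the coefficient $d$, and the SIL-order bookkeeping behind the turbine example of section 3.4. Coupling PL2 (HO) to PL1 (BPCS) through formula (7) while leaving PL3 independent is an assumption of this example, as are the numeric layer PFDs; the paper only states that $d > 1$ and that the HO layer is usually dependent on the BPCS. The qualitative combination rule (a SILn layer guarantees at most $10^{-n}$, so layers add their SIL orders and a layer with HEP ≈ 1 adds nothing) is the reasoning the paper applies when it writes "$10^{-3}$ (SIL1 + SIL2)".

```python
"""Added example: THERP dependency model (7), LOPA scenario frequencies (5)-(6)
and the SIL-order bookkeeping of the turbine example (section 3.4)."""
import math

# THERP dependency levels and the equivalent beta-H factors quoted in section 3.3.
BETA_H = {"ZD": 0.0, "LD": 0.05, "MD": 0.14, "HD": 0.5, "CD": 1.0}


def p_joint(q_a, q_b, beta_h):
    """Formula (7): P(A.B) = (1 - beta_H) * Q_A * Q_B + beta_H * Q_A."""
    if not 0.0 <= beta_h <= 1.0:
        raise ValueError("beta_H must lie in [0, 1]")
    return (1.0 - beta_h) * q_a * q_b + beta_h * q_a


def p_joint_simplified(q_a, beta_h):
    """Simplified (7) for Q_A = Q_B << 1: P(A.B) ~= beta_H * Q_A."""
    return beta_h * q_a


def frequency_independent(f_i, pfds):
    """Formula (5): initiating-event frequency times the PFDs of independent layers."""
    return f_i * math.prod(pfds)


def frequency_dependent(f_i, pfd_pl1, pfd_pl2, pfd_pl3, beta_h):
    """Formula (6) under this example's assumption: PL2 (HO) depends on PL1
    (BPCS) through (7); PL3 (SIS) is kept independent of both."""
    return f_i * p_joint(pfd_pl1, pfd_pl2, beta_h) * pfd_pl3


def dependency_factor(f_i, pfd_pl1, pfd_pl2, pfd_pl3, beta_h):
    """Coefficient d of (6): dependent over independent scenario frequency."""
    independent = frequency_independent(f_i, [pfd_pl1, pfd_pl2, pfd_pl3])
    return frequency_dependent(f_i, pfd_pl1, pfd_pl2, pfd_pl3, beta_h) / independent


def risk_reduction_order(layer_sils):
    """Qualitative combination of section 3.4: a SILn layer guarantees
    PFD <= 10^-n, so the layers together guarantee 10^-(sum of SILs).
    A layer with HEP ~= 1 (the HO here) is entered as order 0."""
    return sum(layer_sils)


def turbine_example(required_order=4):
    """Section 3.4: required reduction 10^-4 (SIL4).  TCS SIL1 + HO (HEP~1) +
    TPS SIL2 only reach 10^-3; raising the TPS to SIL3 reaches 10^-4."""
    before = risk_reduction_order([1, 0, 2])
    after = risk_reduction_order([1, 0, 3])
    return {
        "before_order": before, "before_met": before >= required_order,
        "after_order": after, "after_met": after >= required_order,
    }


def dependency_sweep(f_i=1.0, pfd_pl1=0.1, pfd_pl2=0.1, pfd_pl3=0.01):
    """Constructed layer PFDs (assumed, not from the paper): how d grows with
    the THERP dependency level between the BPCS and HO layers."""
    return {level: dependency_factor(f_i, pfd_pl1, pfd_pl2, pfd_pl3, beta)
            for level, beta in BETA_H.items()}


if __name__ == "__main__":
    print(turbine_example())
    for level, d in dependency_sweep().items():
        print(f"{level}: d = {d:.2f}")
```

With the constructed PFDs of 0.1, 0.1 and 0.01 the sweep gives d of 1 (ZD), 1.45 (LD), 2.26 (MD), 5.5 (HD) and 10 (CD), so the order-of-magnitude increase the paper mentions for $d$ is reached at complete dependence between the BPCS and the operator.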
The research works have been undertaken to develop advanced methods, data/knowledge bases and tools for knowledge-based computer-aided functional safety management (Kosmowski 2007) oriented on:

– Determining the required SIL for safety-related functions using (a) quantitative risk models or (b) risk graphs defined using qualitative information with relevant knowledge bases and interactive graphical support,
– Verifying the SIL for E/E/PE or SIS using (a) quantitative probabilistic models or (b) block diagrams defined using qualitative information with relevant data/knowledge bases and interactive graphical support for the design and operation phases,
– Knowledge bases for supporting the evaluation of dependent failures and human errors on the level of safety-related functions and systems, and accident scenarios,
– Knowledge bases for supporting the design and management of an integrated safety and security strategy in the life cycle for systems operating in a network.

The quantitative risk model can be a basis for developing an on-line dynamic risk assessment module within the OSS to reduce human error probabilities and the risks of abnormal states.

5 CONCLUSIONS

The paper outlines the knowledge-based methodology of layer of protection analysis (LOPA) for industrial hazardous systems with regard to human and organizational factors (H&OF). The layers of protection include the basic process control system (BPCS), the human-operator (HO) and the safety instrumented system (SIS), which can be dependent due to the influencing factors involved. The human and organizational factors are incorporated into the probabilistic models using a rule-based human reliability analysis taking into account some existing HRA methods.

The functional safety oriented approach offers a framework for more extensive HRA analysis with emphasis on context-oriented human-operator behavior in situations of dangerous and safe failures (potentially partly detected and partly undetected) with regard to the safety-related functions of control and protection systems. They should be designed with regard to knowledge concerning human behavior and potential errors. Some additional research is needed to provide more comprehensive insights concerning the contextual influence of human factors to be included in HRA in the context of safety-related functions to be designed using programmable control and protection systems.

ACKNOWLEDGMENTS

The author wishes to thank the Ministry for Science and Higher Education in Warsaw for supporting the research and the Central Laboratory for Labour Protection (CIOP) for co-operation in preparing a research programme concerning the safety management of hazardous systems including functional safety aspects.

REFERENCES

Byers, J.C., Gertman, D.I., Hill, S.G., Blackman, H.S., Gentillon, C.D., Hallbert, B.P. & Haney, L.N. 2000. Simplified Plant Risk (SPAR) Human Reliability Analysis (HRA) Methodology: Comparisons with Other HRA Methods. INEEL/CON-00146. International Ergonomics Association and Human Factors & Ergonomics Society Annual Meeting.
Carey, M. 2001. Proposed Framework for Addressing Human Factors in IEC 61508. Prepared for Health and Safety Executive (HSE). Contract Research Report 373. Warrington: Amey Vectra Ltd.
COA 1998. Critical Operator Actions—Human Reliability Modeling and Data Issues. Nuclear Safety, NEA/CSNI/R(98)1. OECD Nuclear Energy Agency.
Dougherty, E.M. & Fragola, J.R. 1988. Human Reliability Analysis: A Systems Engineering Approach with Nuclear Power Plant Applications. A Wiley-Interscience Publication, New York: John Wiley & Sons Inc.
Dougherty, Ed. 1993. Context and human reliability analysis. Reliability Engineering and System Safety, Vol. 41 (25–47).
Embrey, D.E. 1992. Incorporating Management and Organisational Factors into Probabilistic Safety Assessment. Reliability Engineering and System Safety 38: 199–208.
Gertman, I.D. & Blackman, H.S. 1994. Human Reliability and Safety Analysis Data Handbook. New York: A Wiley-Interscience Publication.
Gertman, D., Blackman, H., Marble, J., Byers, J. & Smith, C. 2005. The SPAR-H Human Reliability Analysis Method. Idaho Falls: Idaho National Laboratory. NUREG/CR-6883, INL/EXT-05-00509.
GSAChP 1993. Guidelines for Safe Automation of Chemical Processes. New York: Center for Chemical Process Safety, American Institute of Chemical Engineers.
Hickling, E.M., King, A.G. & Bell, R. 2006. Human Factors in Electrical, Electronic and Programmable Electronic Safety-Related Systems. Warrington: Vectra Group Ltd.
Hollnagel, E. 2005. Human reliability assessment in context. Nuclear Engineering and Technology, Vol. 37, No. 2 (159–166).
Humphreys, P. 1988. Human Reliability Assessors Guide. Wigshaw Lane: Safety and Reliability Directorate.
IEC 61508:2000. Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, Parts 1–7. Geneva: International Electrotechnical Commission.
IEC 61511:2003. Functional safety: Safety Instrumented Systems for the Process Industry Sector. Parts 1–3. Geneva: International Electrotechnical Commission.
IEC 62061:2005. Safety of Machinery—Functional Safety of Safety-Related Electrical, Electronic and Programmable Electronic Control Systems. Geneva: International Electrotechnical Commission.
Kosmowski, K.T. 2004. Incorporation of human and organizational factors into qualitative and quantitative risk analyses. Proceedings of the International Conference on Probabilistic Safety Assessment and Management (PSAM 7—ESREL '04). Berlin: Springer, Vol. 3: 2048–2053.
Kosmowski, K.T. 2006. Functional Safety Concept for Hazardous System and New Challenges. Journal of Loss Prevention in the Process Industries 19: 298–305.
Kosmowski, K.T., Śliwiński, M. & Barnert, T. 2006. Methodological Aspects of Functional Safety Assessment. Journal of Machines Operation and Maintenance (ZEM, Polish Academy of Science), Vol. 41 (148): 158–176.
Kosmowski, K.T. (ed.) 2007. Functional Safety Management in Critical Systems. Gdansk: Gdansk University of Technology.
LOPA 2001. Layer of Protection Analysis, Simplified Process Risk Assessment. New York: Center for Chemical Process Safety, American Institute of Chemical Engineers.
Rasmussen, J. & Svedung, I. 2000. Proactive Risk Management in a Dynamic Society. Karlstad: Swedish Rescue Services Agency.
Reason, J. 1990. Human Error. Cambridge University Press.
Swain, A.D. & Guttmann, H.E. 1983. Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Application. NUREG/CR-1278.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: Modern large-scale technology systems'—like power grids—reliance on information systems is considerable. Such systems employ not only one, but a range of different information systems. This creates three important, interdependent challenges for safe and reliable operations. The first is the sheer volume of systems, which tie up organisational members in bureaucratic work, removing them from operational tasks and thus introducing additional stress. The second challenge is that the employees must be willing to speak out their previously tacit knowledge, rules of thumb and know-how—not written in formal job instructions—and enter this information into the systems, risking the loss of personal assets relating to career and workplace identity. The third problem relates to data quality. Without valid and reliable data the systems will not have any real value. The systems rely on the quality of key information entered by organisational members.
tasks and adding strain. Research has shown negative effects on health and safety from “all this paperwork” in the offshore sector (Lamvik & Ravn, 2004). These challenges all relate to data quality. Without highly valid and reliable data the ICT systems are not functional. And data validity and reliability depend on the precision and accuracy of the employees entering key information. Earlier research indicates that employees are not necessarily trained, motivated or equipped to handle these tasks (Næsje et al. 2005).

The qualitative data has been stored and analyzed in Nudist 6. The analysis has followed explorative analytic methods. First, single interesting observations have been tracked and identified in the program. Second, these observations have been interpreted with the goal of identifying generic issues in the material (i.e. knowledge sharing, translation, competence). Third, the generic issues have been paralleled with relevant background variables in the data, such as age, ICT proficiency, function, company and so on.
The two companies are similar in several respects:

• Both are among the largest grid companies in Norway
• Both operate complex grids in big cities (by Norwegian standards) and surrounding areas with a high number of customers
• They both employ the same NIS
• Both have a history of growth by acquisition in the last decade
• Both started implementing NIS in the mid-90's, and carried out huge data capture projects to get NIS data initially
• Both acknowledge that gains from NIS have been smaller and slower forthcoming than initially calculated, but management maintains that NIS is crucial for their operations

The two companies differ in one important dimension. One of the companies, Company X, has chosen to outsource its installation work, and hence does not itself employ any installers. Rather, it hires all its installers, project by project. Company Y, on the other hand, has kept its installers, and is in this respect an integrated company with planners and installers in the same organisational unit. While there are important differences between outsourced and integrated companies, our experience tells us that there are also lots of similarities. In this paper we focus on the work practice and role of the installer, and from what we have seen in our interviews and fieldwork the similarities among installers clearly outweigh the dissimilarities when it comes to the handling and use of NIS. However, it should be noted from an occupational health point of view that the outsourced installers complained about deteriorated working conditions in a number of areas after being outsourced. A survey where this issue is investigated further is in progress.

3.2 Integration of ICT in the grid companies

Modern power grid operations are completely dependent on complex and secure ICT solutions as tools for safe and reliable functioning, and for becoming more cost-efficient. The quality of information is vital in order to ensure safe operations, involving trustworthiness, relevance, clarity, opportunities and availability. The quality of the information flow is equally important, including the attitude to learning, cooperative climate, process and competencies. Data quality thus has prime priority and is a condition for ICT-based cooperation—the data systems in use must be correct and continually updated. ICT makes this multi-actor reality possible.

NIS is installed and in use today among planners and management in the companies, but a key challenge is the installers' lack of competencies in computers and data systems. Another important challenge is the installers' attitude to the use of ICT-based tools as an inherent part of their routines and work practices—showing the identity issues lying between working physically on the grid versus increasingly working with a system. The question is which organisational elements need to be considered in order to facilitate this change in work practice, intensifying the interplay between technology and organisation.

3.2.1 The planners' use of ICT

The planners and the management of the two enterprises use NIS in their daily work. An area where the use of NIS has been successful is authority reporting. NIS has simplified and automated several of the steps in yearly reports. Such reporting was earlier a manual, cumbersome and time-consuming process (Næsje et al. 2005).

NIS is also used as a tool for early-stage projecting when a new project is started, usually before it is decided when or by whom the project will be carried out. Once that is determined, more detailed planning is done. However, for this more detailed planning work NIS is considered to be awkward and not up to date. The planners state that: “We use NIS as a first step for simple and overall calculations. We don't use NIS for detailed project planning. To do so is inconvenient; NIS lacks basic features, and data is unreliable. Once you get under the ground everything looks different anyway.”

Thus, the project planners want to get out in the field, to have a look at it and discuss it with the doers. While the goal of top management is that “planners should be able to do all the planning without leaving their office desks”, the planners themselves believe in visiting the project site, discussing with the installers, and relying on the installers' local knowledge as far as possible. They simply do not trust the data in NIS to be good enough to carry out project work without calibrating it against the physical reality.

Although NIS is in use among the planners, they are aware of the system's shortcomings regarding data quality, and in order to carry out projects smoothly and establish reliable grids they prefer hands-on local knowledge instead of decontextualised information in an ICT system.

3.2.2 The installers' use of ICT

Most installers do not use NIS other than in the most limited way possible. Some of them manage to print out topographic instructions entered by planners, while most get a printed copy from their project leader, which is used as a reference out in the field. Where the NIS print-outs do not concur, they deal with the unforeseen problem physically—digging holes in the ground, checking the situation themselves, and calling their employers, contractors and subcontractors.
261
As regards the use of computers as the installers’ main tool for ICT-based operations: while the companies have provided most installers with a personal computer, during our visits we only rarely saw one of them opened. Most of the installers have 20 years of experience or more, and do not see the computer as a primary work tool. Another drawback is that most of the installers have very little knowledge of computers, let alone data systems. And as the data systems are not sufficiently updated, they often encounter unforeseen challenges in the field. As said by two of the installers, 39 and 36 years old respectively: “We didn’t become installers because we liked going to school or because we were into computers”, and “Now I just got a live-in partner, and she has started to show me a thing or two about computers and the internet”. The installers have a work environment characterised by strong social relations and a high degree of professional pride. They express regret at the decreasing focus on professional development and training, and the unpredictable working situation makes it necessary to have several ongoing projects at the same time.

4 DISCUSSION

The discussion will focus on important organisational processes that must be made explicit in order to make installers use NIS more actively. First we will look at how ICT shapes safe and reliable operations today, and then at how to understand the interaction between ICT systems like NIS and the installers. It will further be outlined how ICT may represent a threat to the occupational identity and career development of installers—meaning that work identity can constitute a considerable barrier to use and thus to more reliable operations. Finally, as the bureaucratisation of work imposes an important additional challenge, it is important to consider its implications for the use of NIS among the installers. A summary of barriers to good implementation of ICT systems as well as some guidelines on how to integrate NIS in the installers’ working reality will conclude the discussion.

4.1 Man-machine interaction and the social construction of technology

The multitude and variance of the challenges tied to the interaction between ICT-based grid operations and installers outlined in the previous section show that the relationship between human factors and use of technology is complex. Installers are dependent on high quality data from updated databases and reliable information in order to reach a high degree of accuracy in their operations. In order to handle the ICT-based systems, the installers need to be skilled not only in ordinary computer technology, but also in the actual software. They need the ability to enter and transmit new information, as well as the ability to find, extract, interpret, mediate and use data.

Understanding the organisation not only as defined through its operations and products but as an interpretative entity is to see that organisational processes, including the implementation of ICT, take place through communication; we create and share meaning through dialogue—dialogues mediate learning and are a collective tool. It is thus important to establish a culture for learning that goes beyond formal coursing. Not least because “Formal descriptions of work and of learning are abstracted from actual practice. They inevitably and intentionally omit the details. In a society that attaches particular value to abstract knowledge, the details of practice have come to be seen as nonessential, unimportant and easily developed once the relevant abstractions have been grasped” (Brown & Duguid, 1991, p. 40).

Conventional learning theory—from which most studies depart—emphasises abstract over practical knowledge, and thus separates learning from performance, believing that learning constitutes the bridge between working and innovating. From this emerges an understanding of complex work processes as decomposable into smaller and less complex parts, where it is not necessarily a precondition that the worker understands what he or she is doing (Brown & Duguid, 1991). This makes it seem as if installers perform their tasks consistently with a formal job description, which is also used as a decision-making tool for diagnosing and problem-solving. But when something goes wrong, the installers will seldom look at the formal job description, but use their long experience, and will eventually develop a non-sequential practice in order to complete what the formal job description does not cover. However, the installers will not use NIS properly if they do not understand its purpose, e.g. if it does not correspond to their working reality.

Levin (1997) puts forward the view that both how the technology works and how to work it in a particular setting is something that needs to be learned, understood as knowledge that is socially constructed in the particular company. In this social process all types of knowledge interact, formal knowledge too, but especially various forms of tacit and operational knowledge, not least cultural skills. An organisation is always contingent on its organisational culture and procedures; “. . . routines are the factual organisation . . . [. . . ] . . . The core essence of an organisational development process will thus be the facilitation of learning to shape a new understanding and the skills necessary to change the organisation.” (Levin, 1997, p. 301). Thus, work practices or work routines must be transformed and adapted to the new working reality, through negotiation between all employees affected by the change. This might be especially useful in implementing the
understanding of how the system works, as well as why it is introduced, for the use of the new ICT—in this case NIS.

4.2 Occupational identity and tacit knowledge as threats to the integration of NIS

When using a computer, installers do not get the instant satisfaction of seeing the outcome, and thus ICT might not be perceived as particularly meaningful in relation to the outspoken demand—getting the job done. On the contrary: instead of being given the possibility of extended interaction and integration with the administrative personnel, as all employees are now supposed to operate on and from the same platform (NIS), installers feel increasingly alienated not only from their original work tasks but also from the organisation itself, as the new company policy implies a greater physical separation of the technical installers from the planners and management. New ICT systems are thus implemented physically, but not integrated in a meaningful way in the installers’ working situation, as they correspond only to a very limited extent to their working reality.

By offering their installers two sessions of 45 minutes in order to learn the new systems, which first of all must be said to be too little, the management implicitly assumes that 1) their installers are familiar with working with computers and ICT systems in the first place, and 2) their installers automatically understand the usefulness and impact of using the new systems, or worse, that they need not know what they are doing at work. This means that the companies take for granted employees’ ability and willingness to learn and use the new technology, with minimal effort from the side of the organisation. Rather, the organisation must move from a focus on the performance of physical work to cognitively operated tasks, and these different ways of working need to be learned in different ways—they are by no means directly transferable to each other (Zuboff, 1988).

Change in work practice implies a change in routines. For true ICT-based change to happen, installers need to change their work practice, which is something that will not easily occur unless they get a good reason to do so, other than extrinsic rewards or sanctions (Nelson & Winter, 1982). Routines—by some also called norms or institutionalised behaviour, processes and structures—become important in defining and expressing employees’ occupational identities. If installers are to be willing to change their routines, they will need a meaningful replacement for the occupational identity built by these routines. Installers may be less receptive to using new ICT as they have been doing perfectly fine up to now without it. When their manual tasks are automated, they might have difficulties in perceiving the change as valuable. From working in a reality where productivity outcomes are concrete and immediate, the installers are expected to operate more through computers at the same time as they are told to lessen the physical contact with the other main part of the organisation, namely the part that might have helped them create references with regard to the new technology.

Occupational identity may thus be a potential source of resistance against ICT-based change, as installers experience a devaluation of their professionalism, and thus of their occupational identity, without a proper replacement. Experiencing ambiguity related to the use of ICT implies a feeling of insecurity vis-à-vis the new technology, as the informating side has not been implemented together with the actual computers and software. Installers are told to let go of their previous work identity—valuable in that it represents the profession of being a technical installer—but without an equivalent valuable identity offered as a replacement, doing so will not be perceived as interesting.

An individual asset that may hamper the proper implementation and integration of NIS is the installers’ tacit knowledge tied to work tasks and organisational functioning. In order to develop and use NIS, individuals and teams must be willing to share their knowledge. In times of organisational change based on ICT, the changes often imply such a great redefinition of boundaries tied to expertise and responsibilities that employees may feel that their—often hard-built—position in the formal or informal hierarchy is threatened. A way to obtain protection is not to share one’s specific knowledge and perhaps even consciously to produce counter-activities towards the systems’ proper functioning (Schön, 1983; Argyris & Schön, 1978). This behaviour may be perceived by the individual installer as the protection of his career. Knowledge and authority are redistributed and form a new hierarchy through the implementation of ICT; those above the technology and those understanding and thus handling it best are those with the highest status. According to Zuboff (1988, p. 391), those “. . . who must prove and defend their own legitimacy do not easily share knowledge or engage in inquiry. Workers who feel the requirements of subordination are not enthusiastic learners. New roles cannot emerge without the structure to support them.”

4.3 The bureaucratisation of grid operations

The strict meaning of the word “bureaucracy” is civil service, and it is traditionally associated with paper-heavy office work. The bureaucracy exerts a specific type of authority and power, with a great number of rules, regulations and routines (Weber, 1974). The rationality behind the bureaucracy is standardisation, legitimacy and easy error-detection. In the power grid industry the new bureaucracy is, to an increasing extent, the totality of the ICT-based systems which need to
be handled in the correct manner by employees so they can perform their work tasks as stated in the company policy. ICT-induced bureaucratisation involves, as the findings in this study show, a strong focus on data. High quality data further implies a vigorous emphasis on collecting the correct information; on the correct encoding and storage of information—that the collected data are placed in the correct systems and databases, and in the correct categories; and on the correct use of stored information, entailing correct interpretation of these data. This illustrates that the quality and reliability of data are to a high degree dependent on the installers handling them, and thus on their subjective judgment, abilities, willingness and motivation.

For teams, which often find themselves faced with new tasks due to automation and the elimination of routine jobs, it implies a simplification of communication and infrastructural support. But communication is more than the transmitting of symbols from one person to another. It also includes absorption and understanding as well as practical use of the transmitted information—the significance can be difficult to keep through coding and decoding. Information technology makes it possible to operate on quantitative information that earlier was too complex to handle, because of the calculation load and too many causal relationships. The limiting factors are the costs of the information and our ability to understand and use it.

The challenges imposed by the inherent characteristics of ICT are above all again connected to the interaction between the installers and the technology, showing that the bureaucratic effect it imposes separates the employees from each other, contributing to the disruption of social relations in the workplace, and has negative effects on the health and safety of employees, who struggle with the extra work this bureaucratisation represents. Trist (1981) refers to what he calls the ‘primary work system’, which is the concrete work group an employee belongs to and the framework for the performance of his or her daily work tasks. According to Zuboff (1988), technological change creates limiting conditions for what is possible, as technology is not neutral but specific. This gives a new angle vis-à-vis Groth’s (1999) theoretical standpoint that humans are the main restricting agents for the possibilities of technological and organisational development. Both might be right. But technology does not exist in a vacuum. In order to be useful it needs to interact with both human and organisational systems. Bureaucratisation is an abstraction of work that must be explicitly considered.

4.4 Barriers to use and some guidelines for the successful integration of ICT systems

We have seen that the challenges to the use of NIS in our two grid companies are numerous, heterogeneous and complex. Organisational challenges are general unpreparedness when it comes to abilities, motivation and perceived usefulness of the systems on the part of the installers; the lack of a learning culture, including awareness of the systems’ context-specific conditions for use (local informal knowledge and actual work practice); failure to recognise the implications of ICT-based organisational change for installers’ occupational identity and career development; as well as little insight into the consequences of the bureaucratisation of work.

In addition to these more universal challenges, empirically based on a range of different studies, we identified, in accordance with other empirical findings (Venkatesh et al. 2003), a set of specific factors being especially relevant for the grid companies in question. The first is work experience—it seems clear that among the installers having worked 20 years or more (and most have) in the same field of work with approximately the same methods as when they started, the motivation is not very high when it comes to integrating manual and digital operations. This finding is of course tightly bound to the next: the lack of competence, and thus of self-confidence, among the installers when it comes to the handling of computers. The transition from action-oriented to cognition-based skills may be seen as unattainable. A third barrier is earlier and existing work practice. Existing work practice is to a large degree informal and characterised by a number of heuristic and ad hoc methods. And finally, the physical equipment must be easy and convenient to use. In order to be able to use NIS and other systems while working out in the field, the installers need to have optimal network availability. For example, losing the network connection when driving through a tunnel, and having to restart the computer in order to get back on track again, is not optimal. Likewise, it must be easy and convenient to install the personal computer in the car.

In order to reduce the gap between formal and informal theory, and thus between NIS and the installers, the organisation’s management needs to engage in an inquiry to make explicit the underlying assumptions in the installers’ theory-in-use. Schön (1983) launches “organisational inquiry” as a tool for organisational change and development. An important element in this organisational inquiry is to raise consciousness of practice, values and underlying assumptions tied to actual performance and then compare them to the written and formal procedures. Inconsistencies need to be identified and corrected in order to secure safe operations. Moreover, routines must be established for information sharing, relating both to tacit knowledge concerning work tasks and to competencies when it comes to computer handling. These routines must be perceived as necessary and beneficial by the installers in order to work properly, which is of crucial
importance for data quality and reliability. In this respect it is important to be aware of possible obstacles to organisational learning.

4.5 How ICT shapes safe and reliable operations

As of today, ICT systems like NIS seem to have a smaller impact on safe and reliable operations than we might have expected after almost two decades of use. While planners use NIS for reporting and doing some project work, they also supplement information from NIS with “on-the-spot” observations and discussions with those who actually implement their planning. Installers to a large degree avoid using NIS. They have neither training nor motivation, and do not need to use NIS. For them NIS is not a support tool but rather a control mechanism which they are supposed to report to, in order to document their work progress. However, installers are also given their work orders and maps from NIS, and hence to some degree use NIS information as the point of departure for their work. The usefulness of NIS on an abstract level is not self-evident to them, and reporting is something they try to do as little of as possible. In the field they prefer to rely on their own and their colleagues’ local knowledge. Thus, installers and planners avoid relying entirely on a system without high quality data. This is a two-sided dilemma, since high quality data is dependent on high quality reporting and use of the system.

Still, NIS is being used in decision making. It is used in buying services (in the tender processes) and when it comes to fixing the priorities of maintenance and development; it is used to prepare work orders for the installers; and it is used for reporting purposes. And use of and reliance on NIS is increasing as more and more data is entered, and more and more functions are built into the system. While detailed project planning is difficult today, maybe the next version or the version after will be better. Top management is still likely to pursue the goal of the planner who does not leave his desk. While both installers and planners today to a varying extent ignore and distrust NIS, in the future more and more decisions, work and operations will depend on the ICT systems. In this perspective it is necessary to get installers to use and report to NIS.

5 CONCLUSION

Grid operating companies after market deregulation embraced ICT systems in order to become increasingly effective and fast-responding.

The companies have focused on information systems in general, and NIS in particular, for more than a decade. The maximum efficiency and cost-saving aspects of NIS were seen as attainable through an implementation of the system at all levels—from management, in order to analyse the reliability and efficiency of grid operations, to installers, using data to locate exactly where they should operate geographically out in the field, reporting back standard work data as well as inconsistencies between the information systems and the actual field in order to continuously update the systems. ICT is thus significant both as a grid controlling and as an operating device.

As the two companies see it, they also need to become efficient ICT-based organisations so as to be able to respond to the increased complexity of their working environment and organisational structures, in order to continue to carry out reliable grid operations. But because of too little focus on strategy and the necessary conditions for continuous use and functioning, the implementation process has more or less stagnated. Results show that while planners are coping fairly well, based on previous experience with computers and constant interaction with management and support functions, the installers have only been given between one and two hours of training in using their new equipment, which has basically been the only interaction they have had with other organisational layers regarding the implementation and use of the new technology.

Recent research on organisational change puts emphasis on the importance of well conducted change processes; important elements are taking existing social norms into account, being aware of workforce diversity, making conflicts constructive, clear distribution of roles and responsibilities, and the management’s availability (Saksvik et al. 2007). Orlikowski (1996) views organisational change as enacted through the situated practices of organisational actors as they improvise, innovate and adjust their work routines. As ICT engenders automating as well as informating capacities (Zuboff, 1988), implementation of NIS requires a process where dialogue and negotiations are key. Technology transfer, as the learning of new ICT, must be recognised as a collective achievement and not top-down decision-making, or grid reliability will remain random and difficult to control.

The studied companies learned the necessity of rethinking several aspects of information handling in the process of becoming ICT-based somewhat the hard way. The systems are implemented but remain disintegrated, and thus data quality is poor. Some problems—intrinsically tied to the lack of focus on system specifications before the start of the implementation processes—were the non-compatibility of the old systems with the new ones, as well as poor routines for data quality assurance and data maintenance. The lack of synchronisation between the development of the software and which functionalities are actually needed in order to use it as an operating device is also a
major reason for this underutilisation, and the use of the system is not equally rooted in all organisational layers and subgroups.

Among management and project leaders the necessity of the systems seems clear, while installers have not had the relationship between the systems and their specific tasks sufficiently explained to them, and thus they do not see the relevance of adjusting their work practices to system requirements. As an earlier study showed: “Data will not come before use, and use will not come before there is data. Thus, data collection must be supported or pushed by stakeholders, especially management and different operational units.” (Næsje et al. 2005, p. 5). The analyses show that it is crucial to focus more strongly on aspects tied to the collection and the management of data, as this to a large degree was neglected in the selection of software. The grid operating company must on the one hand decide to what extent the individual installer shall be given access to the systems, and if so, whether read-only or editing. On the other hand, the company needs to make sure that the intended use of these systems gets incorporated into the routines and work practices of their installers; “The lack of closeness between information and operational tasks is a major barrier, hindering efficient completion.” (Næsje et al. 2005, p. 5). The shift from local knowledge on how to solve tasks—present in the heads of the installers—to centralised knowledge leaning on integrated data in a common database is an important challenge for safe grid operations.

REFERENCES

Alvesson, M. (1993). Organizations as Rhetoric: Knowledge-Intensive Firms and the Struggle with Ambiguity. Journal of Management Studies, 30(6), 997–1015.
Argyris, C. & Schön, D. (1978). Organizational Learning: A Theory of Action Perspective. USA: Addison Wesley Publishing.
Barley, S.R. (1996). Technicians in the workplace: Ethnographic evidence for bringing work into organization studies. Administrative Science Quarterly, 41(3), 404.
Barley, S.R. & Kunda, G. (2001). Bringing work back in. Organization Science, 12(1), 76.
Brown, J.S. & Duguid, P. (1991). Organizational Learning and Communities of Practice: Toward a Unified View of Working, Learning, and Innovation. Organization Science, 2(1), 40–57.
Groth, L. (1999). Future Organizational Design. Chichester, UK: John Wiley and Sons.
Hicks, B.J. (2007). Lean information management: Understanding and eliminating waste. International Journal of Information Management, 27(4), 233–249.
Lamvik, G. & Ravn, J.E. (2004). Living safety in drilling: how does national culture influence HES and working practice? (No. STF38 A04020). Trondheim: SINTEF Industrial Management, New Praxis.
Levin, M. (1995). Technology Transfer is Organizational Development—An investigation in the relationship between technology transfer and organizational change. International Journal of Technology Management, 14(2/3/4), 297–308.
Nelson, R.R. & Winter, S.G. (1982). An Evolutionary Theory of Economic Change. Cambridge: Belknap Press of Harvard University Press.
Næsje, P.C., Torvatn, H.Y., et al. (2005). Strategic Challenges in Implementing NIS: Investigations on Data Quality Management. IPEC, 7th International Power Engineering Conference, Singapore, IEEE Conference Proceedings.
Orlikowski, W.J. (2002). Knowing in practice: Enacting a collective capability in distributed organizing. Organization Science, 13(3), 249.
Orr, J.E. (1996). Talking about Machines: An Ethnography of a Modern Job. Ithaca, N.Y.: Cornell University Press.
Saksvik, P.Ø., Tvedt, S.D., Nytrø, K., Buvik, M.P., Andersen, G.R., Andersen, T.K. & Torvatn, H. (2007). Developing criteria for healthy organizational change. Work & Stress, 21, 243–263.
Schön, D. (1983). Organizational Learning. In G. Morgan (Ed.), Beyond Method: Strategies for Social Research (pp. 114–128). Beverly Hills, CA: Sage.
Trist, E.L. (1981). Evolution of sociotechnical systems. In A.H. van de Ven & W.F. Joyce (Eds.), Perspectives on Organization Design and Behaviour (pp. 19–75). John Wiley & Sons.
Venkatesh, V., Morris, M.G., Davis, G.B. & Davis, F.D. (2003). User acceptance of information technology: Toward a unified view. MIS Quarterly, 27(3), 425–478.
Weber, M. (1974). Makt og byråkrati. Oslo: Gyldendal.
Zuboff, S. (1988). In the Age of the Smart Machine. New York: Basic Books.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
Incorporating simulator evidence into HRA: Insights from the data analysis of the international HRA empirical study

ABSTRACT: The observation of nuclear power plant operating crews in simulated emergency scenarios reveals a substantial degree of variability in the timing and execution of critical safety tasks, despite the extensive use of emergency operating procedures (EOP). Detailed analysis of crew performance shows that crew factors (e.g. leadership style, experience as a team, crew dynamics) are important determinants of this variability. Unfortunately, these factors are problematic in most Human Reliability Analysis (HRA) approaches, since most methods do not provide guidance on how to take them into account nor on how to treat them in predictive analyses. In other words, factors clearly linked to the potential for errors and failures, and information about these factors that can be obtained from simulator studies, may be neglected by the HRA community. This paper illustrates several insights learnt from the pilot phase of the International HRA Empirical Study on the analysis, aggregation and formatting of the simulator results. Suggestions for exploiting the full potential of simulator evidence in HRA are made.
Table 1. Methods tested and HRA teams.

Method                     Team                           Country
ATHEANA                    NRC staff + consultants        USA
CBDT                       EPRI (Scientech)               USA
CESA                       PSI                            Switzerland
CREAM                      NRI                            Czech Republic
Decision Trees + ASEP      NRI                            Czech Republic
HEART                      Ringhals + consultants         Sweden/Norway
KHRA                       KAERI                          South Korea
MERMOS                     EDF                            France
PANAME                     IRSN                           France
SPAR-H                     NRC staff + consultants, INL   USA
THERP                      NRC staff + consultants        USA
THERP (Bayesian enhanced)  VTT/TVO/Vattenfall             Finland/Sweden
– Simulations –
IDAC                       University of Maryland         USA
MICROSAINT                 Alion                          USA
QUEST-HP                   Riso                           Denmark
                           Politecnico di Milano          Italy

inputs) to the HRA teams and answered requests from the HRA teams for additional information and questions concerning ambiguities in the instructions and assumptions. The information package included, among other things, instructions to the HRA teams, scenario descriptions and HFEs, characterization of the crews (e.g. their work practices and training), the procedures used in Hammlab, and forms for the responses of the HRA teams. Finally, the study assessment group reviewed the HRA team responses and performed the assessment and comparison of the predicted outcomes vs. the experimental outcomes, together with input from experimental staff from Halden.

2.1 Focus on the qualitative outcomes: driving factors and PSFs

At a high level, HRA methods have the same purpose (or aims) due to the role of the HRA within the PRA. These common aims are: 1) an identification of the HFEs to be included in the PRA accident sequence model, 2) the qualitative analysis of the HFEs, and 3) the quantification of the probability of these HFEs. The study focused mainly on qualitative analysis and to a lesser degree on the quantitative analysis.

The HFEs were defined for the HRA analysts. Definition of the HFEs was needed in order to control for variability in the interpretation of the various teams as to what the actions to be analysed are. It should be noted that defining the HFEs for the HRA teams did not eliminate the qualitative analyses to be performed, since the HFEs were defined on a functional level, i.e. fails to perform X within Y minutes.

One of the most important aspects of HRA methods is the identification and evaluation of the factors “driving” performance of the HFEs, commonly referred to as performance shaping factors (PSF) or the “driving factors” of performance. Comparing the specific factors identified as driving factors by the HRA teams for the defined HFEs with those observed in Hammlab was the main focus of the comparison.

The HRA teams typically provided their analyses and the outcomes they predicted in several ways. They filled out one form (“Form A”) that emphasized identifying the main drivers of performance in terms of PSFs, causal factors, and other influence characterizations explicitly identified through the HRA method they were using. In addition, in Form A, they were also asked to describe how and why a scenario might be difficult or easy for the crews in terms of the specifics of the scenarios, i.e. in more operational terms. They were also asked to provide an HEP for each HFE based on the application of their method. Additionally, the teams were asked to provide a Form B, a “closed-form” where the responses had to be structured according to a modified version of the HERA taxonomy (Halbert et al. 2006). Finally, the HRA teams were asked to provide their method-specific analysis documented according to PRA (good) practices, which included the derivation of the HEPs.

2.2 Comparison of predicted and experimental outcomes

The core of the HRA empirical study is the evaluation of HRA methods by means of comparing their predictions with observed performance. Comparisons were performed on several levels:
– On the factors that most influenced the performance of the crews in the scenarios (“driving factors”).
– On the level of difficulty associated with the operator actions of interest (the HFEs). For the HRA predictions, the level of difficulty was mainly represented by the HEP.
– On the reasons for the difficulties (or ease) with which the crews performed the tasks associated with each HFE, and how these difficulties were expressed in operational and scenario-specific terms (“operational expressions”).

In addition, several other factors were evaluated, like the insights given by the HRA method for error reduction, sensitivity issues such as the impact of
qualitative choices on the HEP, and issues of guidance and traceability.

2.3 Experiment analysis methodology

As the qualitative HRA method predictions typically refer to the operational requirements and to the driving factors that an idealised crew would face in the scenarios of the study, the main challenge of the analysis was how to aggregate the performance of 14 different crews into one average or exemplary operational description, as well as into a general assessment of the driving factors. In other terms, while there were 14 observed operational stories for each scenario, together with as many constellations of factors affecting the crews, the HRA predictions were (mainly) on one set of factors only and on one or few operational options (see Figure 1).

2.4 Quantitative screening and crew selection

The starting point for the experimental analysis was to look at the quantitative data, namely performance figures generated from simulator logs (e.g. performance times), OPAS data (Skraaning 1998), expert and observer performance ratings, and crew PSF ratings. This was a necessary step for assessing the crews’ performance of the HFE under consideration (e.g. time used for identification and isolation, SG1 level at isolation). This screening also provided information which was later used for the writing of summary operational stories (i.e. typical or average crew progressions through the scenarios), by e.g. providing the execution times of important procedural steps.

However, a thorough qualitative analysis was necessary to derive the required insights into drivers of performance. The time schedule of the study and the resource limitations led to the selection of a subset of crews for in-depth study. The selection was aimed at identifying a mixture of crews at both ends of the performance spectrum (‘best’ and ‘worst’

Figure 1. Data integration and analysis. (Figure not reproduced; its boxes read: Observations (raw data): audio/video, operational story, interviews, simulator logs, OPAS (PSFs), on-line performance ratings, on-line comments, crew self-ratings, observer ratings -> 14 crew-level performances: observed performances, observed influences, observed difficulties (interpreted in light of other types of raw data) -> 2 scenario-level: 2 operational expressions, 2 sets of driving factors with ratings.)

performers). The criteria used in the selection process were:

– SGTR isolation time
– Ruptured SG level at isolation.

The criteria led to the selection of 9 crews, 3 base cases (2 “successes”, 1 “failure”) and 6 complex cases (3 “successes”, 3 “failures”). Other crews were also analysed in depth, and this information was used to confirm and/or extend the tendencies identified from the analysis of the best and the worst performers.

2.5 In-depth analyses

The bases for the in-depth qualitative analysis were the audio-video recordings, the recorded on-line expert comments, the simulator logs, and the crew interviews. The core of the analysis process was the detailed review of the video recordings of the scenario phases corresponding to HFE 1. These reviews were structured so as to be useful and relevant for comparison to the HRA analysis submissions.

The analysts viewed the video and transcribed key communications and events. They also wrote comments about salient aspects of crew performance. Immediately after the viewing, they completed a simplified version of the HERA system worksheets in order to record the PSF details identified during the video review in a common format. In completing HERA, the analysts also drew on additional data sources, such as the crew interviews, crew PSF questionnaires, and observer comments. Finally, the analysts summarised the observed episode in the form of an operational story, highlighting performance characteristics, drivers, and key problems in so-called “crew summaries”.

The format of the crew summaries was based on the format for the reporting of the HRA methods assessment, as follows:

1. Short story of what happened in the selected part of the scenario (written after reviewing DVD, logs and interview) for identification and isolation separately, which consisted of:
– Extracts of crew communications, including time stamps
– A short summary of the observed episode in a free form (not chronologically) including comments on crew performance.
2. Summary of the most influencing factors affecting performance:
– The PSFs were categorised as “direct negative influences”, “negative influence present”, “neutral influence”, or “positive influence”. In analyzing a performance, a PSF is a “direct negative” when its negative influence on the
crew’s performance of the HFE was observed. In some cases, factors were identified as negative, but only as “present”, meaning there was no clear evidence that they significantly affected the performance of the HFE.
3. Summary of the observed difficulty or ease the crew had in performing the HFE and of its assumed causes.

The “Summary of the most influencing factors affecting performance” was for each crew a combination of variable PSFs and constant PSFs. The constant PSFs were assessed by an expert panel and are constant for all crews, e.g. the quality of the interface. The constant PSFs have then a fixed assessment that is applied to all crew stories to keep an overview of all PSFs assessed when looking at each individual story.

Table 2. Performance times in the two scenarios. (Footnote markers 1–3 of the original table are kept; their text is not on the page.)

Crew  Scenario  Time [1]  SG level [2]    Crew  Scenario  Time [1]  SG level [2]
M     Base      10:23     20              L     Complex   19:59     78
H     Base      11:59     10              B     Complex   21:10     100 [3]
L     Base      13:06     6               I     Complex   21:36     70
B     Base      13:19     21              M     Complex   22:12     81
A     Base      13:33     17              G     Complex   23:39     88
I     Base      13:37     31              N     Complex   24:37     86
E     Base      14:22     40              H     Complex   24:43     91
K     Base      15:09     39              K     Complex   26:39     64
D     Base      16:34     55              D     Complex   27:14     100
J     Base      17:38     44              A     Complex   28:01     100
G     Base      18:38     39              C     Complex   28:57     99
F     Base      18:45     73              F     Complex   30:16     100
C     Base      18:53     57              J     Complex   32:08     100
N     Base      21:29     75              E     Complex   45:27     98
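The quantitative screening of section 2.4 (rank the crews on SGTR isolation time and ruptured SG level, then pick best and worst performers for in-depth review), worked through on the Table 2 values as an added example that is not code from the paper. The rule for combining the two criteria (sum of competition ranks, ties broken by time), the 20-minute time check and the `Run`/`rank_crews` names are assumptions of this example; the paper names the criteria but not how they were combined.

```python
"""Quantitative screening of crews on Table 2 (added example; not code from the paper).

Section 2.4 screens the 14 crews on two criteria, SGTR isolation time and
ruptured SG level at isolation (lower is better for both), to pick 'best' and
'worst' performers for in-depth review. The data below are transcribed from
Table 2. The combination rule (sum of the two competition ranks, ties broken
by time) is an assumption: the paper names the criteria but not how they
were combined.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Run:
    crew: str
    scenario: str   # "Base" or "Complex"
    time_s: int     # identification + isolation time in seconds
    sg_level: int   # ruptured SG level at isolation (lower is better)


def parse_mmss(text: str) -> int:
    """Convert a simulator-log 'mm:ss' string to seconds."""
    minutes, seconds = text.split(":")
    return int(minutes) * 60 + int(seconds)


# Table 2 of the paper: (crew, time, SG level) per scenario. B/Complex carries a
# footnote marker in the original table whose text is not on the page; the
# printed value 100 is used as-is.
TABLE_2 = {
    "Base": [("M", "10:23", 20), ("H", "11:59", 10), ("L", "13:06", 6),
             ("B", "13:19", 21), ("A", "13:33", 17), ("I", "13:37", 31),
             ("E", "14:22", 40), ("K", "15:09", 39), ("D", "16:34", 55),
             ("J", "17:38", 44), ("G", "18:38", 39), ("F", "18:45", 73),
             ("C", "18:53", 57), ("N", "21:29", 75)],
    "Complex": [("L", "19:59", 78), ("B", "21:10", 100), ("I", "21:36", 70),
                ("M", "22:12", 81), ("G", "23:39", 88), ("N", "24:37", 86),
                ("H", "24:43", 91), ("K", "26:39", 64), ("D", "27:14", 100),
                ("A", "28:01", 100), ("C", "28:57", 99), ("F", "30:16", 100),
                ("J", "32:08", 100), ("E", "45:27", 98)],
}


def load_runs(table=TABLE_2) -> list[Run]:
    """Flatten the transcribed table into Run records."""
    return [Run(crew, scenario, parse_mmss(t), level)
            for scenario, rows in table.items() for crew, t, level in rows]


def competition_rank(values: dict[str, int]) -> dict[str, int]:
    """Rank 0 = best; equal values share a rank (count of strictly better values)."""
    return {k: sum(1 for other in values.values() if other < v)
            for k, v in values.items()}


def rank_crews(runs: list[Run], scenario: str) -> list[Run]:
    """Order one scenario's crews from best to worst on the two screening criteria."""
    subset = [r for r in runs if r.scenario == scenario]
    time_rank = competition_rank({r.crew: r.time_s for r in subset})
    level_rank = competition_rank({r.crew: r.sg_level for r in subset})
    # Ties on the combined rank are broken by time, the criterion the paper
    # says carried most weight in calling crews 'best' or 'worst'.
    return sorted(subset,
                  key=lambda r: (time_rank[r.crew] + level_rank[r.crew], r.time_s))


def select_extremes(runs: list[Run], scenario: str, n_best: int, n_worst: int):
    """Candidate crews for in-depth study: the n_best and n_worst of the ranking."""
    ordered = rank_crews(runs, scenario)
    return [r.crew for r in ordered[:n_best]], [r.crew for r in ordered[-n_worst:]]


def over_limit(runs: list[Run], scenario: str, limit_s: int) -> list[str]:
    """Crews whose isolation time exceeds a time criterion, e.g. the 20-minute
    mission time quoted for HFE 1A in the MERMOS paper that follows (assumed
    here to be applied to both scenarios purely for illustration)."""
    return [r.crew for r in runs if r.scenario == scenario and r.time_s > limit_s]


def mean_time_s(runs: list[Run], scenario: str) -> int:
    """Mean isolation time of a scenario, rounded to whole seconds."""
    subset = [r.time_s for r in runs if r.scenario == scenario]
    return round(sum(subset) / len(subset))


if __name__ == "__main__":
    runs = load_runs()
    # The paper selected 3 base crews (2 successes, 1 failure) and 6 complex
    # crews (3 successes, 3 failures).
    for sc, n_best, n_worst in (("Base", 2, 1), ("Complex", 3, 3)):
        best, worst = select_extremes(runs, sc, n_best, n_worst)
        print(sc, "best:", best, "worst:", worst,
              "over 20 min:", over_limit(runs, sc, 20 * 60),
              "mean:", mean_time_s(runs, sc), "s")
```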
Table 3. Procedure progressions and transfer grounds in complex scenario. (Table body not reproduced on the page.)

Crew mechanisms are the elements and functions that describe how a team works (and, in HRA terms, possibly fails). Examples are leadership and roles, communication, openness, coordination, adaptability and prioritization.

The crew mechanisms, in addition to explaining how the crews perform, determine both crew-to-crew and crew-to-scenario variability, and should ideally be represented in the (crew) reliability model of an HRA method. In contrast, crew characteristics would determine systematic crew-to-crew variability (they generally refer to the preparedness of the crew for the task) and are, or should be, considered as context factors in HRA.

To understand the point, we could see traditional HRA as built around reliability models of individual cognition, where personal-level variability is the irreducible random variability across people (this is assumed to be small compared to the variation caused by the context on the cognitive functions). Were the reliability model to include crew cognition (as well as non-cognitive team interactions) the “systematic” crew-to-crew variability would be expected to be larger than the person-to-person variability, in part due to the fact that the crew would not be modeled on micro-tasks in laboratory settings, and in part because the state of knowledge about team interaction does not account for many general laws. The existence of a considerable crew-to-crew systematic variability is already reflected by the fact that many HRA methods possess “crew characteristics” PSFs. However, the lack of guidance on the use of this type of PSFs testifies to the little integration of crew characteristics in most methods, integration that should ideally also account for the relations between the two kinds of crew factors: crew characteristics and crew interaction.

4 THE CHALLENGE: HRA PREDICTIONS VS. SIMULATOR RESULTS

The main effort of the data analysis process has been in finding a presentation format compatible with outputs obtainable from HRA applications (section 2 above). Overall, the study methodology has been judged as adequate to the purposes of the study by all concerned parties, HRA teams, Steering group, and Experimentalists. However, on specific aspects, potential for improvements has been identified (Lois et al. 2008). This paper concentrates on areas of improvement relative to empirical data integration, formatting, and use. The main issue here is that crew factors and other dynamic factors, which were observed to influence performance, could be better represented and used in the method-to-data comparison, and, in general, to inform HRA.

To begin with, let us recall that the experimental results were summarized in three main parts:

1. Response times for identification/isolation and ruptured SG levels.
2. Aggregated operational stories for the two scenario variants.
3. Aggregated driving PSFs (based on driving factors’ summaries for “best” and “worst” performing crews and operational stories).

These presentation formats were chosen to allow the comparison of HRA method predictions with observed simulator performance. The response times were necessary in order to assess the performance of the HFEs of the study. The aggregated stories were written in order to summarize the performance of 14 different crews (in the two scenarios) into single operational expressions, which are the typical level of representation of HRA analyses (as a discretization of all possible scenario variants). The same goes for the summary of the driving PSFs, which could be considered as the PSFs of the aggregated stories, as opposed to the various configurations of context in the individual scenario runs.

Concerns could be raised about the level of accuracy and completeness of the empirical information reached through this process of aggregation and formatting, concerns which regard all three types of results output.

4.1 Failure vs. performance

Crew performance in the pilot study was operationalized as crew performance of the HFEs, in terms of completion time and ruptured SG level at isolation (the lower the better). When the crews are evaluated on the performance of the HFE a strong emphasis was laid on time, with “best” crews being the fastest to isolate, and the “worst” the slowest. This is a consequence of defining the HFE on a time criterion, although the time criterion has a strong relation to several functional goals, including the PSA-relevant one of avoiding filling up the steam generators (Broberg et al. 2008b).

On the fine-grained level of a simulator trial, however, the speed of action can only be one of several indicators of good performance, and one that can never be isolated from the other indicators. For instance, a crew can act very fast when a shift supervisor takes an extremely active role, decides strategies without consultation and orders the crew to perform steps from procedures, although the latter is a reactor operator responsibility. This performance would not be optimal in terms of other indicators: first, such behavior would not be considered in accordance with the shift supervisor function and the training received. Further, it would reduce the possibility for second checks, with one person centralizing all diagnosis and planning functions. Third, it may disrupt successive team collaboration as the reactor operator would feel deprived of his/her functions and could assume either a passive or antagonistic position.

In such cases there is a disjunction between PSFs for the HFE, those that influence the speed of actions and hence quick success, and the factors which would normally be considered influences on good performance (like good consultations) but which could in the same cases slow down the performance of the HFE. In other words, there is a mismatch between the categorization required by the PRA HFE representation and the one implicit in the reliability models of HRA methods. The pilot study testifies to this mismatch: the PSF profile of the second fastest crew has many similarities to the profiles of the slow performing ones in the complex scenario.

In general terms, it is difficult to see how HRA can be directly informed by focusing on HEPs. In the first place it was recognized that HEPs could not be easily derived from observed “errors” in the trials, even given the large number of runs. HFEs were therefore adapted to the constraints of a simulator exercise (Broberg et al. 2008b). Yet, they still bring the theoretical framework of the PRA, superimposing it on the crew performance. In other words, while the HFEs focus on what particular goals are not achieved (i.e. what prescribed human-initiated recovery functions are not performed), this cannot be a viable perspective for understanding crew performance. In fact, human and crew behavior in emergency scenarios is not directed by the discrete temporal succession of PRA goals (which moreover are unknown to the agents until their course of action is aligned to the “right” event response), but by the dynamic goals which derive from the interaction of contextual inputs with their interpretation and the responses to them. As a consequence, if the empirical basis of HRA is information on the reliability models and their parameters, this has to be derived from studying what was done and why, rather than focusing on what design-based actions were not performed (failures and errors). The approach of focusing on the reliability models and their parameters, rather than failures and errors, would have consequences on both the criteria for crew selection (“best” and “worst” crews would not be defined foremost from completion times), and on the PSF profiling (the best/worst crews’ PSF profiles would have more consistency).

4.2 The difficult treatment of “variable” PSFs

The derivation of the driving PSFs for the base and complex scenarios is based on the driving factors identified during the DVD reviews and summarized in the crew summaries. The DVD review of individual scenario runs (as well as their final aggregation and evaluation) was influenced by the HERA terminology and other HRA-specific documents. This has been challenging for the experimentalists, since such classifications and their definitions are not observational
tools, and since they incorporate context-performance models not necessarily meant for fine-level analysis of crew behaviour and interaction.

Further, a distinction was made between “constant PSFs” and “variable PSFs”. Constant PSFs were considered the same for all crews, and, in part, could be determined before the actual runs (e.g. indication of conditions) based on:

– scenario descriptions
– the nature of the simulated plant responses, procedures, and interface
– the plant-specific work practices of the participating crews.

Variable PSFs are those factors not supposed to be the same for all crews, and which had to be evaluated for each crew after the scenario run. Many of these PSFs have a dynamic nature in that they could be evaluated only as the result of their interaction with other context factors and of the interaction of these with crew behaviour. For instance, stress levels can vary across crews: a late identification could create high stress levels during isolation for a crew with little experience in working together, but not in a more experienced one. Most variable PSFs identified turned out to relate to crew characteristics/mechanisms (e.g. leadership style, accuracy of procedure reading) and as such were classified under “work practices”, “crew dynamics” and “communication”.

This classification prompts three orders of related problems. The first is that the variable, crew-interaction PSFs do not fit most of the current HRA methods, since those methods do not incorporate reliability models of crew interaction and functioning (at best they model the crew as a second level of information processing), and, foremost, cannot analytically treat crew-to-crew variability (they can at best accommodate it mathematically, in sensitivity analysis).

The second problem is that there is little guidance for most HRA methods and tools (e.g. HERA) on how to determine the presence and appropriate level of constant (systematic) crew-characteristics PSFs (e.g. work practices, differences in experience and cohesion). In HERA for instance both “work practices” and “crew dynamics” have sub-items on supervisor behaviour, so it is not clear where to classify that dimension. It is therefore hard to compare simulator results with predictions on such factors.

The third problem is that the results of the empirical study regarding main drivers and PSFs might have overweighted the importance of the constant/crew-independent PSFs at the expense of the variable crew-level PSFs, because they better fit the methodology of the study followed to produce the results. This is reflected by the fact that the treatment of “team dynamics”, “work processes”, and “communication” in the identification of main drivers was admittedly an unresolved issue in the pilot phase of the study. On the other hand, it is also true that the scenario-based differences (the manipulation of the study), complexity and procedure-situation fit, which were captured by the constant PSFs, did have strong and observed effects as testified by the performance differences between base and complex conditions.

4.3 The interaction between PSFs: observed vs. modelled

For the identification of the driving factors from the crew summaries, the scenario events analyzed were evaluated against a list of PSFs: for each item in the given set the presence, direction and effect was determined, as well as a description of its manifestation. For instance, in one crew summary “communication” was rated as “negative influence present” and described in the following way: “While working on the isolation, RO and ARO talk past each other, and the orders to the field operator are initially not what they intended”.

This format is consistent with the conventional modeling of performance and PSFs for HRA in PRA, where the assessment problem can be formulated as follows:

$P_f(T_i) = f\big(w_{i1}\, v(F_1), \ldots, w_{in}\, v(F_n), e_i\big)$ (1)

where $P_f(T_i)$ is the probability of failure of task $T_i$ in a particular event sequence, $F_1, \ldots, F_n$ are PSFs that influence human performance of the given task, $v(F_1), \ldots, v(F_n)$ are their quantified values, $w_{i1}, \ldots, w_{in}$ are weighting coefficients representing the influence of each PSF in task $T_i$ and $e_i$ is an error term representing model and data uncertainty. $f$ represents the function that yields the probability estimate, which together with the parameters of the expression above could be called the reliability model (i.e. a model of human performance). Different HRA methods incorporate different reliability models. Strictly speaking, in the context of PRA, HRA empirical data is information about the parameters of the reliability models.

For several methods the reliability model or function $f$ is one of independent factors, e.g. in SLIM:

$P_f(T_i) = w_{i1}\, v(F_1) + w_{i2}\, v(F_2) + \cdots + w_{in}\, v(F_n) + e_i$ (2)

This type of model treats the PSFs as orthogonal, direct influences on the probability of task failure. Even leaving aside the issue of failure, this kind of modeling is generally not adequate for describing task performance in simulator trials. In the first place, the assignments and ratings cannot be done “one by one”, as the PSFs are not independent (HRA itself
recognizes them to be correlated or overlapping). In addition, the categorization in terms of “presence” and “directness” does not exhaust the range of possible interactions. An alternative and more realistic modeling would have to detail the entire assumed influence set, by specifying all direct and indirect links (and possibly reciprocal effects). Hypothetical, observed structural models would be a much closer approximation to the operational events as described and explained in the narratives of the crew summaries. With such models, the process of aggregation across crews would then be a process of generalizing influence patterns across crews and events.

It must be added that, although the drivers were presented and aggregated in tabular form, the method-to-data comparisons in the pilot study have been performed by using all available information: by combining information on PSFs with operational data, descriptions, and evaluation of difficulties, as well as by interacting with the experimentalists. Also, some more recent methods such as ATHEANA and MERMOS do not foremost adopt the “factorial” model illustrated above, but develop operational stories/deviation scenarios, which allowed for a more direct comparison to observed operation.

5 CONCLUSIONS

The pilot study has shown that it is possible to inform HRA by empirical evidence, provided that a sound methodology for comparing HRA method predictions and simulator results is followed. At the same time, issues for improvement have been identified.

One central idea of this paper is that HRA empirical content is information about the reliability models (i.e. models of crew performance) incorporated by the methods. In this view, HEPs are theoretical entities generated by the methods and their assumptions, which cannot be the object of observation, and therefore cannot be empirically informed independently of the process, methods and assumptions used to produce them. As a consequence, special care has to be taken when defining the objects of comparison between HRA predictions and simulator evidence, as illustrated in the discussion of failure vs. performance.

Also, detailed analyses of crew performance show that crew factors are important determinants of performance variability. If HRA wants to exploit the full potential of empirical information, we suggest crew factors (and especially crew mechanisms) as the centre of research for future HRA developments, to the same extent that individual cognition has been so far. Models of individual human cognition are unable to explain the full spectrum of crew interactions, even when a second (crew) level of information processing is modeled. Important aspects of crew behavior would be missed by such modeling.

Finally, the well-known issue of PSF interaction can no longer be avoided by HRA methods and empirical analysis alike, as complex patterns of causal factors are the essence of observed operating crews’ behavior.

REFERENCES

Braarud, P.Ø., Broberg, H. & Massaiu, S. (2007). Performance shaping factors and masking experiment 2006: Project status and planned analysis. Proceedings of the Enlarged Halden Programme Group meeting, Storefjell, Norway, 11–16 March 2007.
Broberg, H., Hildebrandt, H., Massaiu, H., Braarud, P.Ø. & Johansson, B. (2008a). The International HRA Empirical Study: Experimental Results and Insights into Performance Shaping Factors. Proceedings of PSAM 2008.
Broberg, H., Braarud, P.Ø. & Massaiu, S. (2008b). The International Human Reliability Analysis (HRA) Empirical Study: Simulator Scenarios, Data Collection and Identification of Human Failure Events. Proceedings of PSAM 2008.
Hallbert, B., Boring, R., Gertman, D., Dudenhoeffer, D., Whaley, A., Marble, J., Joe, J. & Lois, E. (2006). Human Event Repository and Analysis (HERA) System, Overview. NUREG/CR-6903, U.S. Nuclear Regulatory Commission.
Lois, E., Dang, V.E., Forester, J., Broberg, H., Massaiu, S., Hildebrandt, M., Braarud, P.Ø., Parry, G., Julius, J., Boring, R., Männistö, I. & Bye, A. (2008). International HRA Empirical Study—Description of Overall Approach and First Pilot Results from Comparing HRA Methods to Simulator Data. HWR-844, OECD Halden Reactor Project, Norway.
Skraaning, G. (1998). The operator performance assessment system (OPAS). HWR-538, OECD Halden Reactor Project.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
Insights from the ‘‘HRA international empirical study’’: How to link data
and HRA with MERMOS
ABSTRACT: MERMOS is the reference method used by Electricite de France (EDF) for Human Reliability Assessment (HRA), to assess the operation of nuclear reactors during incidents and accidents in EDF Probabilistic Safety Assessment (PSA) models. It is one of the second-generation HRA methods that have participated in the “HRA international empirical study” organised by the NRC and the Halden Reactor Project. This international study is not finished but has already been an opportunity to debate relevant HRA issues during the workshops in Halden and in Washington in 2007.

In this paper we will focus on the nature and meaning of predictive HRA, compared to the nature of data (from observations on simulators or small real incidents). Our point of view on this subject will be illustrated with an example of a MERMOS analysis implemented for the international study. Predictive HRA exists when failure cannot be observed: it is a way to explore and reduce uncertainty regarding highly reliable socio-technical systems. MERMOS is a method which is supported by a model of accident that makes it possible to describe the risk and to link it to data. Indeed failure occurs when a way of operating (that usually leads to success) happens to be inappropriate to a very specific context. Then data, in fact knowledge, is needed to describe two things: the different operating ways (for example focusing for a while on the recovery of a system), and specific situations (a serious failure of this system with a problem for identifying it). The HRA analyst has then to find which combinations of operating habits and very specific situations could mismatch and lead to a serious failure of the human action required to mitigate the consequences of the accident.

These links between operating habits, small incidents and big potential accidents that we will try to describe in this paper should be understood for decision making in the field of safety, human factors and organisation; indeed, for example, changing a working situation might be very risky regarding the whole panel of situations modelled in a PSA. HRA should thus help the decision making process in the Human Factors field, besides ergonomic and sociological approaches.
data and HRA can be linked using the MERMOS method, giving examples taken from the analyses implemented for the international study.

2 HOW TO DEFINE HRA RESULTS AND HRA DATA

2.1 Nature and meaning of HRA

HRA is helpful when failure cannot be observed: in fact it is a way to explore and reduce uncertainty regarding highly reliable socio-technical systems. Thus HRA results intend to describe how failure can occur, regarding PSA’s criteria: they describe “big” failures, not small ones that we can see on simulators from time to time.

2.2 Nature of HRA data

What we call data in HRA are data from simulations or from small real incidents. In the frame of the international study, we focus on the use of simulator data, more precisely of data from dedicated simulations on Hammlab (the Halden simulator).

From the international empirical study point of view, the data collected on the simulator can be compared to HRA results, and this is even one of the main objectives of the study: to be able to show how the HRA methods could predict what could be observed on the simulator.

On the other hand, from our point of view, what could be observed on the simulator are only small errors which never lead to failure in the sense of PSA, given the high level of safety of a nuclear power plant. So such data cannot be compared to HRA results; however there is of course a link between those data and HRA.

3 PROCESS OF COMPARISON OF HRA RESULTS TO HALDEN DATA IN THE INTERNATIONAL STUDY

Shaping Factors (PSF) can. We will give some examples further on.

MERMOS is not focused on general micro individual performance (including success) prediction, but on macro collective and systemic failure at a safety mission level. However, systemic failures occur only in very specific contexts, which include some “operational expressions” that we can observe on the simulator, as the comparison done in the international study shows well. Moreover those MERMOS operational stories are a way to express how different factors can combine to lead to failure, as opposed to considerations on PSFs which do not take into account their combinations.

However it is not sufficient to compare the MERMOS operational expressions with the operational expressions of failure that have been observed during the dedicated simulations on Hammlab: what is interesting is on the one hand to observe the MERMOS operational expressions in any of the teams’ tests (successful or not), and then on the other hand to check that the combination of the items in the MERMOS scenarios leads to failure (even if the whole MERMOS failure scenario has not been observed).

4 LINKING DATA WITH MERMOS ANALYSES: EXAMPLES TAKEN FROM THE INTERNATIONAL STUDY

4.1 How to link data and MERMOS analyses

MERMOS is a method which is supported by a model of accident that makes it possible to describe the risk and to link it to data. Failure occurs when a way of operating (that usually leads to success) proves inappropriate to a very specific context.

We consider as data any information which is useful to the MERMOS application and that involves the entire operating system (interactions between team, interface and procedures), not only individual behaviour.
There are three types of information:

1. Information interpreting a particular operating system context: ‘‘Situation features describing the structural and contextual characteristics of the situation’’. It is at this level in particular that individual errors are found.
Example: ‘‘The reactor operator makes a test error and is oriented to the ECP1 procedure’’
This observation reflects the variations in human behavior which can create uncommon, particular contexts in which the resulting collective behavior may fail.
2. Information interpreting a configuration or orientation of the entire system: the ‘‘CICA’’ (Important Characteristics of Accident Management) allow the operation of the operating system to be described over time. They interpret a system configuration or orientation. They are rarely observed directly during the test, but are the result of the interpretation of these observations.
Example: ‘‘the system follows procedures step by step’’
3. Information which feeds expert judgments (for the evaluation of situation features and CICA).
Example (context: loss of electric board ‘‘LLE’’ and overabundant safety injection): ‘‘document complexity is delaying the diagnosis’’
An expert who needs to analyze a human factor which occurs in this context will be able to take its specificity into account and imagine failure scenarios where the complexity of documents and a delayed diagnosis influence the failure.

This data, gathered in a particular context (for this simulation, with the team being observed and for a particular task), is reusable in order to imagine failure scenarios for a similar HF (Human Factor) task, and also for a different HF task: many observations can in fact be generalized. Some can be used statistically directly: for example, graphs showing the distribution of the observed times needed for carrying out an action can be drawn up; however, their creation and use will need to be refined. It is very difficult to decide what to incorporate into the samples, as the situations are never completely reproducible: in our experience, the data taxonomy and other data categorizations are by nature reductive and dependent upon models which can quickly become obsolete.
What is more, their extrapolation to conservative PSA contexts is delicate and must be carried out with prudence. It is mainly through expert judgment that we could reuse this data in a quantitative manner, taking into account these limits in modeling both observations and predictions. In addition, observing simulations gives information which allows us to increase each analyst's knowledge of accident management (operation of the operating system, how procedures are carried out, etc.) and contributes to building up their expertise. The data gathered thus constitutes a knowledge database of qualitative data, as opposed to a database of uniquely statistical data or probabilities, which can be used more easily for expert judgment.
Given these data, the HRA analyst then has to find which combinations of operating habits and very specific situations could mismatch and lead to a serious failure, as considered in PSAs [5]. Let us take an example to illustrate it.

4.2 Examples of analyses from the international study: HFE 1A & HFE 1B

Nine HFEs have been analysed for the international study. Let us take the first two as examples:

HFE 1A:
The initiating event is a steam generator tube rupture (SGTR, base scenario).
In this situation the mission is to identify and isolate the ruptured steam generator 20 minutes after the SGTR at full power, in order to prevent overfilling the ruptured steam generator. These 20 minutes were chosen by adding 5 minutes to the mean time and do not correspond to a PSA criterion; however, they approximately correspond to the overfilling of the steam generators.

HFE 1B:
The initiating event is an SGTR plus a major steam line break quickly isolated (so that the secondary radiation indications appear normal).
In this situation the mission is to identify and isolate the ruptured steam generator 25 minutes after the SGTR at full power, in order to prevent overfilling the ruptured steam generator. These 25 minutes were chosen by adding 5 minutes to the mean time and do not correspond to a PSA criterion; however, they approximately correspond to the overfilling of the steam generators.

4.3 Examples of data observed on Hammlab and found in the MERMOS analyses

In the MERMOS analyses of HFE 1A and HFE 1B, we can recognize some elements, which we can call ‘‘operational stories’’, that could also have been observed on the Halden simulator. This is not surprising, because MERMOS describes qualitatively the ways to fail, specifying precisely the situations that could partially be observed during simulations.
Here are some examples, gathering the comparison work of the expert board of the international study and some complements by EDF.
Operational expressions predicted in MERMOS (HFE 1A) | Operational expressions observed during the dedicated experiments in Halden (HFE 1A)
‘‘not act with a sense of urgency’’ | ‘‘Several crews decided to take a meeting to assess status and develop a strategy before transferring to E-3 (based on radiation indication)’’
‘‘trained transient’’ | Good to very good training and experience
‘‘easy to diagnose transient’’ | HMI and indication of conditions: very good

Operational expressions predicted in MERMOS (HFE 1B) | Operational expressions observed during the dedicated experiments in Halden (HFE 1B)
The system does not perform the procedural steps fast enough and does not reach the early isolation step within the allotted time | Supported by the evidence: ‘‘A crew was delayed in E-0 due to their manual steam line break identification and isolation’’. Also: ‘‘They use some time, check if sampling is open’’
‘‘Identification of the SGTR by checking steam generator levels can cause problems or time wastage.’’ | ‘‘Crew cannot explain SG1 level without radiation and lack of level in PRZ. Long discussions and unstructured meetings’’
‘‘The absence of radioactivity does not facilitate diagnosis or enable other hypotheses to be developed for the event in progress.’’ | This is strongly supported by the empirical evidence and is in fact a dominant operational issue (when combined with the procedural guidance's reliance on this indication and an apparent lack of training on the alternative cues).
ARO takes time to check that the level in SG#1 is rising uncontrollably. This is probable (assigned p = 0.3). The ARO will not be fast because this check is not often trained during SGTR scenarios [which rely more strongly on other cues] | This is similar to the second operational expression above. Note that the lack of training on checking of alternative cues for SGTR is supported strongly by the empirical data.
The operators follow the instructions cautiously | ‘‘2 crews read carefully the foldout page’’
Working through F-0, the SS wishes to quickly orientate the team towards FR-H.5 | ‘‘SS abruptly to RO: ‘‘you can go to FR-H5 (one is not allowed to enter this procedure before step 22)’’’’
Waiting for feedback from local actions leads to delays (isolation not completed in time window) | This refers to E-3 Step 3. The evidence indeed shows that the crews need a fair amount of time to complete this step due to the local actions mixed in with the control room actions.

4.4 Examples of data observed on Hammlab and not found in the MERMOS analyses

One important operational story that has been observed on the Halden simulator and that has caused some delay does not take place in any MERMOS failure scenario. Our explanation is that we did not find there could be a problem of transfer to procedure E-3 for HFE 1B. Indeed, theoretically, as mentioned in the package, there are several paths to enter E-3 by following the procedures. From our experience with French teams, operators should have no difficulty entering E-3 if they follow the procedure strictly, without using their knowledge to transfer to E-3 directly from step 19. Because of that, we imagined that the main reason to fail was a too strict following of the procedures that leads to spending too much time. In fact, exactly the opposite has been observed: Halden's teams spent time transferring directly from step 19 to E-3, by communicating and conferring.
Only a good knowledge of the habits of the Halden teams could have alerted us and led us to imagine that difference. We can explain that difference by the fact that today, French procedures (state-based procedures) are designed to provide the operators with a solution in any case. So the operators trust the procedures and follow them first. We do not agree that an important PSF for HFE 1B is inadequate procedure guidance: it is more likely the lack of trust of the operators in the procedures, but this has to be analyzed more deeply.
This difference between our predictions and observations illustrates well one of the main objections we raised when the international study was launched: it is groundless to aim at predictive analyses without knowing the operators' way of working; the best way to achieve this goal is to observe simulator tests. The purpose of HRA is not to predict what can be observed but to predict from observations what cannot be observed.

4.5 Examples of data observed on EDF simulators and found in the MERMOS analyses

Last, it is important to underline that some of the meaningful operational stories in MERMOS could not be observed in the Halden dedicated simulations. Indeed, the MERMOS analyses make the most of all the simulations that we know (from our EDF simulators) and that could be extrapolated for this study.
Here are some examples of those data:

Operational expressions predicted in MERMOS (HFE 1A and HFE 1B) | Operational expressions observed on EDF simulators
‘‘local actions may cause delay’’ | Yes (and this is simulated by the trainers)
‘‘run through the procedures step by step’’ | Yes
‘‘the SS does not incite the operators to accelerate the procedural path’’ | Yes
‘‘the SS does not worry about the effective performance of the action’’ | Yes
‘‘delegation of . . . to the other operator’’ | Yes
‘‘the operator makes a mistake in reading . . . ’’ | Yes
‘‘the shift supervisor leads or agrees the strategy of the operators’’ | Yes
‘‘suspension of operation’’ | Yes (in order to gain a better understanding of the situation)

5 CONCLUSION

In this paper we have focused on the nature of predictive HRA, compared to the nature of data (from simulations or from small real incidents). Predictive HRA exists when failure cannot be observed: it is a way to explore and reduce uncertainty regarding highly reliable socio-technical systems. MERMOS is a method supported by a model of accident that makes it possible to describe the risk and to link it to data, as we could see through examples from the international study; the HRA analyst then has to find which combinations of operating habits and very specific situations could mismatch and lead to a serious failure of the human action required to mitigate the consequences of the accident, as considered in PSAs.
These links between operating habits, small incidents and big potential accidents that we have tried to describe in this paper should be understood for decision making in the field of safety, human factors and organisation; indeed, for example, changing a working situation might be very risky regarding the whole panel of the situations modelled in a PSA. HRA should thus help the decision-making process in the Human Factors field, besides ergonomic and sociological approaches, even if it still needs research to push back its boundaries.

REFERENCES

[1] Lois E., Dang V., Forester J., Broberg H., Massaiu S., Hildebrandt M., Braarud P. Ø., Parry G., Julius J., Boring R., Männistö I., Bye A. ‘‘International HRA Empirical Study—Description of Overall Approach and First Pilot Results from Comparing HRA Methods to Simulator Data’’, HWR-844, OECD Halden Reactor Project, Norway (forthcoming also as a NUREG report, US Nuclear Regulatory Commission, Washington, USA), 2008.
[2] Bieder C., Le Bot P., Desmares E., Cara F., Bonnet J.L. ‘‘MERMOS: EDF's New Advanced HRA Method’’, PSAM 4, 1998.
[3] Meyer P., Le Bot P., Pesme H. ‘‘MERMOS, an extended second generation HRA method’’, IEEE/HPRCT 2007, Monterey, CA.
[4] Pesme H., Le Bot P., Meyer P. ‘‘HRA insights from the International empirical study in 2007: the EDF point of view’’, PSAM 9, Hong Kong, China, 2008.
[5] Le Bot P., Pesme H., Meyer P. ‘‘Collecting data for MERMOS using a simulator’’, PSAM 9, Hong Kong, China, 2008.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
Operators’ response time estimation for a critical task using the fuzzy
logic theory
G. Simos
Hellenic Petroleum S.A., Aspropyrgos, Athens, Greece
ABSTRACT: A model for the estimation of the probability of an erroneous human action in specific industrial and working contexts, based on the CREAM methodology, has been created using fuzzy logic theory. The expansion of this model, presented in this paper, also covers operators' response time data related to critical tasks. A real-life application, which is performed regularly in a petrochemical unit, has been chosen to test the model. The reaction time of the operators in the execution of this specific task has been recorded through an indication reported in the control room. For this specific task the influencing factors with a direct impact on the operators' performance have been evaluated and a tailor-made version of the initial model has been developed. The new model provides estimations that are in accordance with the real data coming from the petrochemical unit. The model can be further expanded and used in different operational tasks and working contexts.
one output variable: the action failure probability of the human operator. Validation of the model and sensitivity analysis have already been performed (Konstandinidou et al. 2006b, 2006a).
The expansion of this model, presented here, also covers operators' response time data related to critical tasks. The model now has a second output variable that calculates the estimated response time of the operator performing a specific task in a specific industrial context. For the estimation of the response time the model takes into account factors (common performance conditions) that influence the reaction of the operator during this specific task.
Section 2 of this paper gives a quick overview of the model developed for the estimation of human error probabilities, while section 3 presents the expansion of the model to also cover operators' response time. Section 4 describes the real industrial task which will be used for the application of the model. Section 5 presents the application of the model to this task and a shorter version of the model which is tailor-made to include only those input parameters that affect operators' response time. Section 6 compares the results of the two models, while section 7 presents the conclusions of this paper.

2 FUZZY MODEL FOR HUMAN RELIABILITY ANALYSIS

A fuzzy logic system for the estimation of the probability of a human erroneous action given specific industrial and working contexts has been previously developed (Konstandinidou et al. 2006b). The fuzzy logic modeling architecture has been selected on account of its ability to address qualitative information and subjectivity in a way that resembles the human brain, i.e. the way humans make inferences and take decisions. Although fuzzy logic has been characterized as controversial by mathematicians, it is acknowledged that it offers a unique feature: the concept of the linguistic variable. The concept of a linguistic variable, in association with the calculi of fuzzy if–then rules, has a position of centrality in almost all applications of fuzzy logic (Zadeh 1996).
According to L. Zadeh (2008), who first introduced fuzzy logic theory, today fuzzy logic is far less controversial than it was in the past. There are over 50,000 papers and 5,000 patents that represent a significant metric for its impact. Fuzzy logic has emerged as a very useful tool for modeling processes which are rather complex for conventional methods or when the available information is qualitative, inexact or uncertain (Vakalis et al. 2004).
The Mamdani type of fuzzy modeling has been selected and the development of the system has been completed in four steps:

i. Selection of the input parameters
ii. Development of the fuzzy sets
iii. Development of the fuzzy rules
iv. Defuzzification

The fuzzification process was based on the CREAM methodology and the fuzzy model included nine input variables similar to the common performance conditions of the same methodology, namely: Adequacy of organization, Working conditions, Adequacy of man-machine interface and operational support, Availability of procedures, Number of simultaneous goals, Available time, Time of day (circadian rhythm), Adequacy of training and Crew collaboration quality. The fuzzy logic system has as output parameter the Action Failure Probability of the Human Operator.
For the development of the fuzzy sets and the fuzzy rules the phrasing and the logic of CREAM have been used. According to CREAM a screening of the input parameters can give an estimation of the mode in which an operator is acting (based on his Contextual Control Mode). The rules are constructed in simple linguistic terms and can be understood at a common-sense level. At the same time these rules give specific and reproducible results (the same inputs give the same output).
The defuzzification process is performed through the centroid defuzzification method (Pedrycz 1993), where an analytical calculation of the ‘‘gravity’’ center produces the final result. The output fuzzy sets cover the interval from 0.5 × 10^-5 to 1 × 10^0 (corresponding to the values of probability of action failure defined in CREAM).
The system has operated with different scenarios and the results were very satisfactory and in the range of the expectations (Konstandinidou et al. 2006b). These results can be used directly in fault trees and event trees for the quantification of specific undesired events which include in their sequences failures of human factors.
Another use of the model, which can be compared to sensitivity analysis, deals with the input parameters of the model as influencing factors in Human Reliability. Factors which influence human reliability play a very important role in the quantification of human error. The context in which the human action will take place is defined by these factors. These are the factors that usually go by the name of ‘‘Performance Shaping Factors’’, ‘‘Common Performance Conditions’’ or ‘‘Performance Influencing Factors’’. Obviously those factors, as their name indicates, influence the action failure probability of the human operators, by increasing it when they have a negative effect on it or by decreasing it when they support the action and the operator. What is common knowledge (but not common practice) is that the better the quality of these factors, the more reliable the operator behavior.
The fuzzy model has been used in order to detect the critical transitions in the optimization of human reliability, in a form of sensitivity analysis, for corresponding changes in each of the nine input parameters, tested in specific contexts. Changes in the working context have been evaluated through their corresponding reduction of the action failure probability of the human operator (Konstandinidou et al. 2006a). As concluded from the application of the model, the input parameters that induce the highest variations in the action failure probability are the ‘‘adequacy of training’’ and the ‘‘crew collaboration quality’’. For the parameter ‘‘time of the day’’ the model shows that operators are more prone to errors during the night hours (20:00–4:00) and also during shift ending and turnovers. The results of this application are in the form of percentages. These percentages represent the variations induced on the output result, namely the action failure probability, by the variations in the input parameters. The meaning of these percentages is that with an improvement in the training of operators and in their ability to collaborate with each other, the level of human reliability will increase significantly. The values of these percentages are not so important; what matters most is that with the use of the fuzzy model the critical intervals are defined within which the significant variations are located. The determination of the critical transitions thus depicts the points on which the analyst should focus and the areas of improvement which are meaningful and essential. With numerical values of human error probabilities available, the analyst is able to prioritize the possible improvements in elements that affect operators' reliability. These results can furthermore be used in cost–benefit analysis with the objective of comparing the cost of the parameter adjustments to the impact they induce on the performance and reliability of the human operator.

The new model has a new output parameter, namely ‘‘operators' response time’’. The output parameter provides the needed estimations for operators' response time. In order to maintain the connection with the initial model, the same names and notions in the output parameters were used. The output fuzzy sets correspond to the four control modes of the COCOM model, that is the cognitive model used in CREAM (Hollnagel 1998). Those modes are: the ‘‘strategic’’ control mode; the ‘‘tactical’’ control mode; the ‘‘opportunistic’’ control mode; and the ‘‘scrambled’’ control mode.
For the application of the ‘‘ORT’’ fuzzy model the four control modes were used to define the time intervals within which the operator would act to complete a critical task. Hence quick and precise actions that are completed within a very short time are compatible with the ‘‘strategic’’ control mode; the ‘‘tactical’’ control mode includes actions within short time intervals slightly broader than the previous one; the ‘‘opportunistic’’ control mode corresponds to slower reactions that will take a longer time, while the ‘‘scrambled’’ control mode includes more sparse and time-consuming reactions.
The relevant time intervals as defined for the four control modes in the ‘‘ORT’’ fuzzy model are presented in table 1. A graphical representation of the four fuzzy sets is given in figure 1. The range of the four fuzzy sets is equivalent to the range used in the probability intervals of action failure probabilities in the initial model (Konstandinidou et al. 2006b), expressed in logarithmic values.

Table 1. Control modes and response time intervals.
[Figure 1: Operators' response time (minutes) against the time interval axis; the table body and the figure itself did not survive extraction]
A crucial step in the development of the model The required time frame for the specific task is very
is the development of the fuzzy rules. A cluster of tight. Operators must complete their actions within
fuzzy rules to include all the possible combinations of 1–2 minutes. Otherwise pressure may rise or may drop
the input parameters fuzzy sets has been developed in beyond the safety limits and disturb the operation of
(Konstandinidou et al. 2006b). 46656 rules have been the whole unit or even worse (in case of extreme varia-
defined, taking into consideration the multiple fuzzy tions) result in equipment failure. Pressure rises and/or
sets of each input parameter and using the logical AND drops in few seconds in the specific node so opera-
operation as the building mode. tors’ response is crucial and should be prompted. For
The fuzzy rules for the extension of the model the completion of the task one operator is needed.
retained the ‘‘if – part’’ of the initial model and the The reaction time of the operators in the execution
‘‘when’’ part was changed accordingly to include the of this task has been recorded through the pressure
time notion. drop indication reported in the control room. Data
An example (i.e. the first rule) is the following: concerning the specific in—field task of the petro-
‘‘If the adequacy of organization is deficient AND chemical unit has been gathered during a whole year
the working conditions are incompatible AND the period. From those data it was noticed that normal
availability of procedures and plans is inappropriate reaction time is within 10–15 seconds (when perform-
AND the adequacy of man-machine interface and ing the normal—drain operation), reaction time during
operational support is inappropriate AND the num- maintenance was around 1 minute, while reaction time
ber of simultaneous goals is more than actual capacity in emergency situations was between 1 to 10 minutes
AND the available time is continuously inadequate depending on the case.
AND the time of the day is night AND the adequacy of After discussion with the key personnel of the unit
training and experience is inadequate AND the crew on the specific events that took place during the one
collaboration quality is deficient THEN the opera- year period the conclusions were that the elements that
tor would act in a SCRAMBLED way. Acting in a differentiate the reaction time of the operators is the
SCRAMBLED way means that the response time for level of experience each operator has and the num-
the operator is between 1 and 10 minutes’’. ber of tasks he is assigned to do in the same time.
In this way all the possible combinations of the input This number varies between normal operation, main-
fuzzy sets correspond to one (and only one) output tenance and emergency response situations. What has
fuzzy set and to the relevant control mode with the also been observed through the collected data is that
associated time interval. the time of the day plays also an important role in
In order to have a crisp number as output variable some situations: operators response time is different
(and not an output set) the centroid defuzzification between day and night shifts.
method (Pedrycz 1993) has been used as in the initial Hence for this specific task the influencing factors
model. In this way the model comes up with spe- that have a direct impact on the operators performance
cific estimates for operators response time expressed are: the circadian rhythm of the operator, expressed in
in minutes. terms of the hour of the day that he/she is requested
to perform the task; the experience and the training
he/she obtains, expressed in years of presence in the
specific unit (and the petrochemical plant); the number
4 SPECIFIC APPLICATION FROM of simultaneous goals, expressed in terms of parallel
THE PROCESS INDUSTRY tasks to be performed during normal operation, main-
tenance (task performed in order to shut down or to
In order to test the model a real life application has been start up the unit) or emergency situations (equipment
chosen. A specific task, which is the opening/closure malfunction, trip of the unit).
of a manual valve in order to maintain a desired pres- The conclusions of our observations were the basis
sure drop, is performed regularly in a petrochemical for the development of a shorter version of the fuzzy
unit. This task may be performed at least twice a day model, a model that would include only the influenc-
during normal operation in order to unclog the drain ing factors of this application with the relevant fuzzy
channel. The same task is performed during mainte- sets. This is meaningful since all the nine parame-
nance operation in order to shut down or start up the ters that are included in the full version of the ‘‘ORT’’
unit. In case of an abnormality that leads to the trip model do not affect response time in this particular
of the unit or in case of equipment malfunction the application and the computational cost of the model is
operators are called to act immediately and perform significantly decreased with the use of only three input
the same task in order to maintain the desired pres- parameters. Additionally by building a new—tailored
sure drop so that the unit is not jeopardized. This is made model for the specific application new fuzzy
equivalent to emergency response situations. sets for the output parameter ‘‘operators’ response
284
time’’ can be used and adjusted according to real The observation data and the expertise of the key
data. personnel were the knowledge base for the develop-
ment of the fuzzy rules. The following observations
determined the definition of the fuzzy rules:
5 FUZZY MODEL FOR THE SPECIFIC
APPLICATION—‘‘SHORT ORT MODEL’’ a. Time of the day (day/night) does not affect opera-
tors response time during normal operations
For the development of this tailored made ‘‘Opera- b. Time of the day (day/night) does not affect opera-
tors Response Time—ORT’’ short model the Mamdani tors response time for operators with good level of
type of fuzzy modeling has been selected and the training and experience
development of the system has been completed in four According to the observed data and by taking into
steps. account the above mentioned statements 8 fuzzy rules
were defined for the short ‘‘ORT’’ fuzzy model:
i. Selection of the input parameters
Three input parameters have been chosen Rule 1: ‘‘If number of goals is equivalent to normal
according to the conclusions stated in the previous operation and adequacy of training and experience
section. These input parameters are: is good then operators’ response time is very good’’.
a. The number of simultaneous goals Rule 2: ‘‘If number of goals is equivalent to normal
b. The adequacy of training and experience operation and adequacy of training and experience
c. The time of the day is poor then operators’ response time is good’’.
As unique output parameter was defined the Rule 3: ‘‘If number of goals is equivalent to mainte-
Operators Response Time. nance and adequacy of training and experience is
good then operators’ response time is good’’.
ii. Development of the fuzzy sets Rule 4: ‘‘If number of goals is equivalent to mainte-
In the second step, the number and characteristics nance and adequacy of training and experience is
of fuzzy sets for the input variables and for the output poor and time is during day shift then operators’
parameter were defined. The definition of the fuzzy response time is normal’’.
sets was made according to the observations from the Rule 5: ‘‘If number of goals is equivalent to mainte-
real data and the comments of the key personnel, as stated previously.

'Number of simultaneous goals': for the first input parameter three fuzzy sets were defined, namely "Normal operation", "Maintenance" and "Emergency situation".

'Adequacy of training and experience': for the second input parameter two fuzzy sets were defined, namely "Poor level of training and experience" and "Good level of training and experience".

'Time of the day': for the last input parameter two fuzzy sets were distinguished, corresponding to "Day" and "Night".

'Operators' response time': the output parameter had to cover the time interval between 0 and 10 minutes. Five fuzzy sets were defined to better depict small differences in reaction time, and the equivalent time range was expressed in seconds. The fuzzy sets with the time intervals each of them covers are presented in table 2. More precisely, operators' response time is "Very good" from 0 to 20 seconds, "Good" from 10 to 110 seconds, "Normal" from 60 to 180 seconds, "Critical" from 120 to 360 seconds and "Very critical" from 270 to 1170 seconds. Adjacent intervals overlap deliberately, so that an intermediate time belongs partly to two neighbouring sets. A graphical representation of the five fuzzy sets is given in figure 2 in order to visualize the range of each time set.

iii. Development of the fuzzy rules

...nance and adequacy of training and experience is poor and time is during night shift then operators' response time is critical".

Rule 6: "If number of goals is equivalent to emergency and adequacy of training and experience is good then operators' response time is normal".

Rule 7: "If number of goals is equivalent to emergency and adequacy of training and experience is poor and time is during day shift then operators' response time is critical".

Rule 8: "If number of goals is equivalent to emergency and adequacy of training and experience is poor and time is during night shift then operators' response time is very critical".

iv. Defuzzification

Since the final output of the fuzzy system modeling should be a crisp number for the operators' response time, the fuzzy output needs to be "defuzzified". This is done through the centroid defuzzification method (Pedrycz 1993), as in the previously developed fuzzy models: the output membership functions, each clipped at the firing strength of its rule, are aggregated, and the crisp response time is the centre of gravity of the aggregated area.

The fuzzy logic system has been built in accordance with the real data coming from the petrochemical unit. The testing of the model and its comparison with the full version will be presented in the section that follows.
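As an added example (not code from the paper or its authors), the following Python implements the "ORT-short" inference just described: fuzzification of the three inputs, min/max Mamdani rule evaluation, and centroid defuzzification over the Table 2 output sets. The crisp input scales (goals 15/50/90, training 0/50/100, hour 12 = day, 0 = night) and the output intervals are taken from the text; the membership-function shapes (triangles peaked at the midpoint of each Table 2 interval, "night" as the complement of "day") are assumptions, and so is the completion of the rule base: rules 5 to 8 are as printed above, and the remaining combinations are filled in from the linguistic outcomes listed in Table 4. Because the shapes are assumed, the crisp outputs (10 s for "Very good", 720 s for "Very critical") differ from the paper's 13 s and 570 s, while the linguistic result for each input combination matches Table 4.

```python
"""Added example (not from the paper): a Mamdani fuzzy inference engine for
the "ORT-short" operator response time model.

Inputs use the crisp scales given in the text (goals 15/50/90, training
0/50/100, hour of day 12 = day, 0 = night); output fuzzy sets follow Table 2.
Membership-function shapes are an ASSUMPTION (triangles peaked at the
midpoint of each Table 2 interval; Figure 2 is not reproduced), and the rule
base combines rules 5-8 as printed with the remaining linguistic outcomes
read off Table 4.
"""


def tri(x, a, b, c):
    """Triangular membership on [a, c] with peak b.
    a == b gives a left shoulder (1 for x <= b), b == c a right shoulder."""
    if x <= b:
        return 1.0 if a == b else max(0.0, min(1.0, (x - a) / (b - a)))
    return 1.0 if b == c else max(0.0, (c - x) / (c - b))


# Input fuzzy sets (assumed shapes on the page's crisp scales).
GOALS = {"emergency": (15, 15, 50), "maintenance": (15, 50, 90), "normal": (50, 90, 90)}
TRAINING = {"poor": (0, 0, 100), "good": (0, 100, 100)}

# Output fuzzy sets from Table 2 (seconds), peak at the interval midpoint.
OUTPUT = {
    "very_good": (0, 10, 20),
    "good": (10, 60, 110),
    "normal": (60, 120, 180),
    "critical": (120, 240, 360),
    "very_critical": (270, 720, 1170),
}
T_MAX = 1170  # output universe 0..1170 s, sampled every second

# Rule base: (goals, training, time-of-day or None, output).
# Rules 5-8 are the ones printed in the paper; the others are the linguistic
# outcomes of Table 4 for the remaining input combinations (assumption).
RULES = [
    ("normal", "good", None, "very_good"),
    ("maintenance", "good", None, "good"),
    ("emergency", "good", None, "normal"),            # rule 6
    ("normal", "poor", None, "good"),
    ("maintenance", "poor", "day", "normal"),
    ("maintenance", "poor", "night", "critical"),     # rule 5
    ("emergency", "poor", "day", "critical"),         # rule 7
    ("emergency", "poor", "night", "very_critical"),  # rule 8
]


def fuzzify(goals, training, hour):
    """Membership of the crisp inputs in every input fuzzy set."""
    day = tri(hour, 0, 12, 24)
    return {
        "goals": {k: tri(goals, *v) for k, v in GOALS.items()},
        "training": {k: tri(training, *v) for k, v in TRAINING.items()},
        "time": {"day": day, "night": 1.0 - day},  # night = complement of day
    }


def ort_short(goals, training, hour):
    """Run the rule base and return (centroid response time in seconds,
    dict of fired output sets -> firing strength)."""
    mu = fuzzify(goals, training, hour)
    agg = [0.0] * (T_MAX + 1)
    fired = {}
    for g, t, d, out in RULES:
        strength = min(mu["goals"][g], mu["training"][t])
        if d is not None:
            strength = min(strength, mu["time"][d])
        if strength == 0.0:
            continue  # rule inactive for these inputs
        fired[out] = max(fired.get(out, 0.0), strength)
        a, b, c = OUTPUT[out]
        for x in range(T_MAX + 1):
            # Mamdani: clip the consequent at the firing strength, union by max
            agg[x] = max(agg[x], min(strength, tri(x, a, b, c)))
    area = sum(agg)
    if area == 0.0:
        return None, fired  # no rule covers these inputs
    return sum(x * m for x, m in enumerate(agg)) / area, fired


def label(seconds):
    """Output fuzzy set in which a crisp time has the highest membership."""
    return max(OUTPUT, key=lambda k: tri(seconds, *OUTPUT[k]))


def table4():
    """Reproduce the Table 4 grid: (goals, training, shift, seconds)."""
    rows = []
    for g_name, g in (("normal", 90), ("maintenance", 50), ("emergency", 15)):
        for t_name, t in (("good", 100), ("poor", 0)):
            for shift, h in (("day", 12), ("night", 0)):
                secs, _ = ort_short(g, t, h)
                rows.append((g_name, t_name, shift, round(secs)))
    return rows


if __name__ == "__main__":
    for row in table4():
        print("%-12s %-5s %-6s %4d s  (%s)" % (row + (label(row[3]),)))
```

Running the file prints the twelve Table 4 combinations with their linguistic label. An intermediate input such as training = 50 fires two rules at strength 0.5, and the centroid then lands between the two clipped output sets, which is how the model interpolates between the linguistic cases rather than jumping between them.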
Figure 2. Fuzzy sets representation for the "Operator Response Time" output variable of the short model (membership degree from 0 to 1 plotted against the time interval from 0 to 600 seconds for the sets Very Good, Good, Normal, Critical and Very Critical).

Table 2. Output fuzzy sets for operators' response time.

Fuzzy set        Time interval (in seconds)
Very good        0 < t < 20
Good             10 < t < 110
Normal           60 < t < 180
Critical         120 < t < 360
Very critical    270 < t < 1170

6 RESULTS FROM THE APPLICATION OF THE MODELS

6.1 "ORT" fuzzy model general application

The results from the general application of the full version of the "ORT" fuzzy model are presented in table 3. Details for a better understanding of these results are as follows.

The first row (first run) represents the worst case scenario, i.e. a context where all input parameters are judged as "inadequate" and are given the minimum possible value they can be assigned. In this scenario the "ORT" estimated a value of 8 minutes (480 seconds) for operators' response time. The second row (second run) is still a worst case scenario but with slightly improved parameter values. In this case the "ORT" produced a slightly improved response time of 476 seconds.

Situation 3 (third row) is a best case scenario with all parameters assumed to be at the most efficient level. In this case the "ORT" estimated a time of 8 seconds for operators' response time, while in the fourth situation, which represents the best case scenario with top values for all parameters, the estimated time was 7 seconds.

With the above runs the sensitivity of the model was tested. Indeed the model reflects differences in its input and the calculated result changes accordingly.

The fifth row represents a medium, normal case. In this situation all parameters have a medium level of quality that corresponds to usual working contexts. In this case the operators' response time was estimated at 59 seconds (about 1 minute).

The rest of the runs represent situations where all input parameters except "Number of simultaneous goals", "Time of the day" and "Adequacy of training and experience" have medium level values (equal to a value of 50). Changes in values were made only for the three input parameters that affect the specific task which was examined for the application of the model. For these three parameters the values that were used, with their correspondence to operational situations (expressed in linguistic variables), are the following:

'Number of simultaneous goals': a value of 15 was chosen to represent emergency situations, while a value of 50 was attributed to maintenance and 90 to normal operation.

'Time of day': value 12 was assigned to day time, while value 0 was assigned to night time.

'Adequacy of training and experience': a value of 0 depicts the inexperienced operator, a value of 50 the operator with adequate training but limited experience, while a value of 100 corresponds to the very experienced operator.

What can be seen from the results is that the model only depicts a difference in response time for an inexperienced operator during the night in an emergency situation (estimated reaction time 276 seconds). For the rest of the modeled situations (very experienced and limited-experience operator, normal operation, maintenance and emergency situation, day and night time) the model estimates the same reaction time for all operators (59 seconds, approximately 1 minute).

The reaction time estimated is in accordance with the real time of operators' response. The inflexibility of the model to provide different estimates according to different situations is explained by the fact that for six out of the nine inputs medium values were chosen. This affects the inference of the model by leaving fewer rules contributing to the calculation of the final result: from the total number of 46656 rules only 18 rules are activated with the use of medium values.

Additionally, of the three parameters whose values are varied, two (number of simultaneous goals and time of the day) comprise fuzzy sets that have a neutral influence on the final output (Konstandinidou et al. 2006b). That means that even by improving the value of those inputs the estimated response time would remain the same, since the improvement has no effect on the output result.

6.2 "ORT" fuzzy model specific application

In order to overcome the observed shortcomings a new group of runs has been selected. This group comprises runs that correspond to the specific context under which the selected critical task is performed. For the specific application of the model the following input values were used.
Table 3. Results from the application of the "ORT" fuzzy model. The columns are the nine input parameters (scale 0 to 100, except time of day, which is in hours) and the estimated operators' response time in seconds: Org = adequacy of organization, Work = working conditions, Proc = adequacy of procedures and plans, MMI = adequacy of MMI and operational support, Goals = number of simultaneous goals, Avail = available time, ToD = time of day, Train = adequacy of training and experience, Crew = crew collaboration quality, ORT = operators' response time (sec).

 Org  Work  Proc  MMI  Goals  Avail  ToD  Train  Crew  ORT

General application (section 6.1)
   0     0     0    0     10     10    0     10     0  480
  10    10    10   10     15     20    2     10    10  476
  90    90    90   90     90     90   12     90    90    8
 100   100   100  100     90    100   13    100   100    7
  50    50    50   50     50     50   12     50    50   59
  50    50    50   50     15     50    0      0    50  276
  50    50    50   50     50     50    0      0    50   59
  50    50    50   50     90     50    0      0    50   59
  50    50    50   50     15     50   12      0    50   59
  50    50    50   50     50     50   12      0    50   59
  50    50    50   50     90     50   12      0    50   59
  50    50    50   50     15     50    0    100    50   59
  50    50    50   50     50     50    0    100    50   59
  50    50    50   50     90     50    0    100    50   59
  50    50    50   50     15     50   12    100    50   59
  50    50    50   50     50     50   12    100    50   59
  50    50    50   50     90     50   12    100    50   59
  50    50    50   50     15     50    0     50    50   59
  50    50    50   50     50     50    0     50    50   59
  50    50    50   50     90     50    0     50    50   59
  50    50    50   50     15     50   12     50    50   59
  50    50    50   50     50     50   12     50    50   59
  50    50    50   50     90     50   12     50    50   59

Specific application (section 6.2)
  90    20    90   50     15     20    0      0    50  294
  90    20    90   50     50     20    0      0    50  294
  90    20    90   50     90     20    0      0    50  294
  90    20    90   50     15     20   12      0    50  276
  90    20    90   50     50     20   12      0    50   59
  90    20    90   50     90     20   12      0    50   59
  90    20    90   50     15     20    0    100    50   59
  90    20    90   50     50     20    0    100    50   59
  90    20    90   50     90     20    0    100    50   59
  90    20    90   50     15     20   12    100    50   59
  90    20    90   50     50     20   12    100    50   59
  90    20    90   50     90     20   12    100    50   59
  90    20    90   50     15     20    0     50    50  276
  90    20    90   50     50     20    0     50    50   59
  90    20    90   50     90     20    0     50    50   59
  90    20    90   50     15     20   12     50    50   59
  90    20    90   50     50     20   12     50    50   59
  90    20    90   50     90     20   12     50    50   59

'Adequacy of organization': a value of 90 was used for this input parameter since the overall organization of the specific unit in safety issues is judged to be excellent.

'Working conditions': a value of 20 was given to this parameter since the task is performed in a petrochemical unit with unfavourable working conditions (noise, poor ergonomics, bad lighting, smoke and bad odours).

'Adequacy of procedures and plans': a value of 90 was used for this input parameter because the complete sequence of actions for the specific task (as well as for the rest of the tasks) is provided in well written and updated procedures.

'Adequacy of MMI and operational support': a value of 50 was assigned to this input, as the whole task is performed on a specific valve, so the MMI is always the same and does not interfere with the operator's action.

'Number of simultaneous goals': as previously, a value of 15 was chosen to represent emergency situations, while a value of 50 was attributed to maintenance and 90 to normal operation.
'Available time': a value of 20 was assigned to this input, as the available time for performing the specific task is always very short (1–2 minutes).

'Time of day': a value of 12 was used for day time and a value of 0 for night time.

'Adequacy of training and experience': a value of 0 depicts the inexperienced operator, a value of 50 the operator with limited experience, while a value of 100 corresponds to the very experienced operator.

'Crew collaboration quality': a medium value of 50 was assigned to this parameter since no crew is needed to perform this task (the task is performed by one operator only).

The results from this application of the model are presented in the second part of table 3. The estimated times, with the input expressed in linguistic variables for the three parameters which influence the operators' response time in the specific application, are presented in table 4 in order to facilitate the comparison of results later on.

As expected, estimated times are greater for inexperienced operators during the night (294 sec) than during the day (276 sec), and for emergencies (276 sec) than for normal operation or maintenance (59 sec). However, for a well trained operator the estimated times are always the same (59 seconds, about 1 minute). This is due to the same reason as explained in the previous section: number of simultaneous goals and time of the day have fuzzy sets with a neutral effect on the output result, so changes in these two input parameters do not affect the output.

In order to overcome this problem the fuzzy model would have to be modified. This was not feasible, since a change in the effect of the fuzzy sets would disturb the initial structure of the model and make it incompatible with the estimations of the action failure probabilities, which are already validated and in accordance with CREAM (Konstandinidou et al. 2006b). Instead the team decided to produce a shorter version of the model that would be more amenable to adjustment and correspond better to the specific task. The development of the short version was also advantageous from the computational point of view, as explained previously in section 4. The results from the application of the "ORT-short" fuzzy model are presented in the following paragraph.

6.3 "ORT-short" fuzzy model

The results from the application of the short version of the "ORT" fuzzy model are presented in table 4. With the use of the "ORT-short" model the estimates for operators' response time differ when the input parameters change, in all possible combinations. In this way improvements in operators' level of experience are depicted, as well as differences between shifts.

Table 4. Results from the application of the two versions of the "ORT" fuzzy model.

Number of simultaneous goals   Training   Time of day   "ORT" model (sec)   "ORT-short" (sec)
Normal operation               Good       Day                  59                  13
Maintenance                    Good       Day                  59                  60
Emergency situation            Good       Day                  59                 120
Normal operation               Good       Night                59                  13
Maintenance                    Good       Night                59                  60
Emergency situation            Good       Night                59                 120
Normal operation               Poor       Day                  59                  60
Maintenance                    Poor       Day                  59                 120
Emergency situation            Poor       Day                 276                 240
Normal operation               Poor       Night               294                  60
Maintenance                    Poor       Night               294                 240
Emergency situation            Poor       Night               294                 570

According to the estimates of the "ORT-short" model a well experienced operator will react in 13 seconds during normal operation in the day and night shifts, in 60 seconds during maintenance in the day and night shifts, and in 120 seconds in emergency situations during the day and night shifts. This is in accordance with observation a), that the time of the day does not affect the response time of an operator with a good level of training and experience. An inexperienced operator will react in 60 seconds during normal operation in the day and night shifts, in 120 seconds during maintenance in the day shift and 240 seconds in the night shift, and in 240 seconds in emergency situations during the day shift and 570 seconds in the night shift. This is in accordance with observation b), that the time of the day does not affect the response time in normal operations.

The fuzzy logic system estimations are in accordance with the real data coming from the petrochemical unit. Indeed, observation data showed a very slow and very critical response of inexperienced operators during night shifts and in emergency situations. In fact the registered response time in one such case reached 10 minutes (600 seconds).

The model can be further expanded and used in different tasks and contexts, e.g. maintenance tasks, other in-field actions or control room operations in the running of a petrochemical unit or, more generally, of a chemical plant. The only constraints for the application of the model are knowledge of the influencing factors for the specific tasks and the availability of real data.

7 CONCLUSIONS

The criticality of certain tasks in industrial contexts deals not only with the right performance of the task but also with the correct timing of the performance.
A critical task performed too late may in certain cases be equivalent to an erroneously performed task. Thus for the purposes of Human Reliability Analysis not only the Human Error Probability of a task is necessary but also the response time of the operator under specific conditions.

A model for the estimation of the probability of an erroneous human action in specific industrial and working contexts had previously been created based on the CREAM methodology and using fuzzy logic theory. The model has been expanded in order to produce estimates for operators' response time. This version was called the "ORT" model.

In order to test the model, real data have been gathered from a petrochemical unit concerning a specific in-field task: the opening/closure of a manual valve in order to maintain a desired pressure drop. The recorded reaction time for the specific task is about 1 minute in certain conditions. In extreme cases the recorded time reached 10 minutes. For this specific task the influencing factors that have a direct impact on the operators' performance were: the time of the day when the task is performed; the level of training and experience of the operator; and the number of simultaneous goals the operator is asked to perform, differentiating between tasks during normal operation, during maintenance or in emergency situations (equipment malfunction, trip of the unit).

Three different applications of the model were made for the specific task. In the first application of the model (original version with the second output parameter, response time) with medium values for all parameters except the three influencing ones, the estimated response time was within the range of expectations (1 minute). Although the model was sensitive to input variations, when medium values were used for most of the input parameters the model was rather inflexible. This was due to the fact that medium values deactivated most of the fuzzy rules of the original model (over 99% of the total fuzzy rules were not used).

When the same model was used with values representing the real life situation the output resulted in more "sensitive" values. Estimates were in the range of expectations and variations in input induced variations in the output results. However, variations in number of simultaneous goals and time of the day were still not depicted (i.e. operators' response time does not change between day and night nor between different operations), since those two input parameters have fuzzy sets with a neutral influence on the output result in the original structure of the model.

Therefore, and since only three parameters were acting as influencing factors in the specific task, an "ORT-short" model was developed to include only these input parameters. In this way the application of the model is more tailor-made to the specific task and a large saving in computational cost is achieved. Indeed the "ORT-short" fuzzy model came up with estimates of operators' response time that are in accordance with the observed data and additionally more sensitive to input variations.

Differences between day and night shifts, as well as between tasks performed during normal operation, maintenance and emergency situations by experienced and inexperienced personnel, are well depicted with relevant differences in operators' response times. In fact, in the extreme situation of an emergency during the night shift where an inexperienced operator is called to act, the estimated response time from the model is 570 seconds, which is in accordance with the observed data of 10 minutes (600 seconds).

Following the steps described in the present paper, "ORT-short" tailor-made models based on fuzzy logic architecture can be developed for different tasks and contexts, e.g. maintenance tasks, other in-field actions or control room operations in the running of a chemical plant.

REFERENCES

Bott, T.F. & Kozinsky, E. 1981. Criteria for safety-related nuclear power plant operator actions. NUREG/CR-1908, Oak Ridge National Lab, US Nuclear Regulatory Commission.

Embrey, D.E. 1992. Quantitative and qualitative prediction of human error in safety assessments. Major Hazards Onshore and Offshore, Rugby: IChemE.

Hollnagel, E. 1998. Cognitive reliability and error analysis method (CREAM). Elsevier Science Ltd.

Isaac, A., Shorrock, S.T. & Kirwan, B. 2002. Human error in European air traffic management: the HERA project. Reliability Engineering & System Safety 75(2): 257–272.

Kim, B. & Bishu, R.R. 1996. On assessing operator response time in human reliability analysis (HRA) using a possibilistic fuzzy regression model. Reliability Engineering & System Safety 52: 27–34.

Kontogiannis, T. 1997. A framework for the analysis of cognitive reliability in complex systems: a recovery centred approach. Reliability Engineering & System Safety 58: 233–248.

Konstandinidou, M., Kiranoudis, C., Markatos, N. & Nivolianitou, Z. 2006a. Evaluation of influencing factors' transitions on human reliability. In Guedes Soares & Zio (eds), Safety and Reliability for Managing Risk, Estoril, Portugal, 18–22 September 2006. London: Taylor & Francis.

Konstandinidou, M., Nivolianitou, Z., Kyranoudis, C. & Markatos, N. 2006b. A fuzzy modelling application of CREAM methodology for human reliability analysis. Reliability Engineering & System Safety 91(6): 706–716.

Pedrycz, W. 1993. Fuzzy control and fuzzy systems, second extended edition. London: Research Studies Press Ltd.

Swain, A. & Guttmann, H. 1983. Handbook on human reliability analysis with emphasis on nuclear power plant application. NUREG/CR-1278, US Nuclear Regulatory Commission.
Vakalis, D., Sarimveis, H., Kiranoudis, C., Alexandridis, A. & Bafas, G. 2004. A GIS based operational system for wild land fire crisis management. Applied Mathematical Modelling 28(4): 389–410.

Weston, L.M. & Whitehead, D.W. 1987. Recovery actions in PRA for the risk methods integration and evaluation programme (RMIEP). NUREG/CR-4834, Vol. 1, US Nuclear Regulatory Commission.

Zadeh, L.A. 1996. Fuzzy logic and the calculi of fuzzy rules and fuzzy graphs. Multiple-Valued Logic 1: 1–38.

Zadeh, L.A. 2008. Is there a need for fuzzy logic? Information Sciences, doi: 10.1016/j.ins.2008.02.012.

Zhang, L., He, X., Dai, L.C. & Huang, X.R. 2007. The simulator experimental study on the operator reliability of Qinshan nuclear power plant. Reliability Engineering and System Safety 92: 252–259.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: This paper describes the process of investigating, defining and developing measures for
organizational supportiveness in employment situations. The methodology centres on a focus group of peo-
ple of diverse age, gender, grade and commercial and industrial disciplines that met many times over a period
of several weeks. The focus group contribution was developed into a large questionnaire that was pilot tested
on a general population sample. The questionnaire was analysed using factor analysis techniques to reduce it
to a final scale of 54 items, which was evaluated by a team of judges, and was then field tested in a nuclear
power station. The analyses revealed a supportiveness construct containing eight factors, being: communication,
helpfulness, empowerment, barriers, teamwork, training, security and health and safety. These factors differ
from other support-related measures, such as commitment, by the inclusion of a ‘barrier’ factor. The findings
are evaluated with an assessment of the host company results and opportunities for further research.
"...facilitate a sense of reassurance and renewal, recognising that as leaders and representatives of their organizations, their participation is not only desirable but critical" (Moses, 1997: page 44).

So it is clear that supportiveness can be critical to the well-being of the workforce; it can also be stated that the implications of getting this wrong can have a serious impact upon the reliability and safety of an organizational system or its processes. But supportiveness can mean a lot more than social support, and can be related to commitment, trust and the psychological contract, amongst its many possible correlates. Consequently, the literature on supportiveness is diverse and varied. It includes the above issues and the work ethic, teamworking, organizational citizenship behaviours, expectations and aspirations, and may be seen in terms of theories of motivation, attribution, cognitive dissonance etc.

In order to develop an understanding of what supportiveness an organization might provide, we propose that the literature and research into supportiveness can be summarised into five main thematic areas of influence:

∗ Supportiveness related constructs: psychological contract, organizational citizenship behaviours, organizational commitment and social support
∗ Attitudes: trust, prevailing management culture, beliefs, values, work ethic and motivation
∗ Lifestyle variables: domestic arrangements such as working partner, childcare or care of relatives, environment and non-work interests
∗ Aspirational variables: promotion, development, transferable skills, job satisfaction, and flexible hours
∗ Business issues: welfare, pensions, and safety at work, unions, legislation, and security.

For each of these areas a body of literature exists, too much for one paper to cover, but exemplified by the following.

The rapid changes to working life and societal values in the latter half of the 20th century, along with changing economic circumstances and globalisation, have impacted on the traditional psychological contract, and new working practices are evolving to meet the demands of the changing work environment. There is some evidence to suggest that traditional values of work ethic and organizational commitment may be waning in favour of more personal fulfilment outside of work. However, it is not clear whether the pace of change of people's attitudes is less than or equal to the pace of change of an emerging new psychological contract and the effect of a dynamic workplace environment.

The ability to trust enables people to interact and to build close relationships, is important for social exchange and is essential for psychological health and development (Asch, 1952; Erickson, 1959; Blau, 1964; Argyle, 1972; Kanter, 1977; Barber, 1983). Not only that, but positive relationships have been found between HR strategies and high organizational performance and commitment (Arthur, 1994; Huselid, 1995; Tsui et al., 1997). However, Koys (2001) researched the relationship between HR strategies and business performance and contends that HR outcomes influence business outcomes rather than the other way round. HR by its very title is concerned with people more than processes, and this suggests that it is in fact people that make the difference.

The prevailing management culture can influence support for alternative working arrangements differentially according to the supervisor's perception of the subordinate's career success (Johnson et al., 2008); this may be consistent with a good or poor culture and prevailing beliefs about trust. Leung et al. (2008) have shown that informal organizational supports, particularly those concerning relationship conflict, work underload and lack of autonomy, are more effective than formal supports in reducing stress; again these may also reflect issues of trust, management culture etc.

3 DEFINING A SUPPORTIVENESS CONSTRUCT

Whilst some measures of 'near' concepts, such as social support, trust and commitment, exist, none of these are particularly relevant to the notion of the supportiveness that might be provided by the organization. Thus, it was decided to establish the construct from first principles by asking people what they considered a supportiveness construct would be.

The construct was developed through an iterative process of:

• Extracting variables from established constructs and concepts within existing literature.
• Holding informal interviews and conversations with individuals and small groups from diverse employment situations to collate their ideas about what they considered that a good supportive organization would be.
• Establishing a focus group of selected people who would brainstorm the potential variables of their perception of a supportive organization without the influence of any prior input.
• Establishing a number of informal ambassador groups whose collective output was ultimately fed into the formal focus group.
• Collating all inputs and conducting a ranking and rating exercise with the focus group.
Table 1. The focus group constitution.
10 Likert-style items per element with a 7-point scale ranging from "strongly disagree" to "strongly agree". An initial pilot on 10 PhD management students was followed by a larger pilot in cooperating organisations in the general industrial and commercial domain, generating 103 responses (47 male, 32 female and 24 gender undisclosed). The questionnaires were factor analysed and rationalised into seven factors that were represented in a 54-item questionnaire; an eighth factor, health and safety, was omitted from this final questionnaire as it was felt that this would lengthen the questionnaire unnecessarily when such issues could be better tested using the organization's own health and safety inspection procedures. An established Organizational Commitment measure (Meyer & Allen 1997) was added for the field test in a single organisation (a nuclear power station) about which a great deal was known, i.e. the people, processes, operational culture, corporate history etc. Consequently, it was possible to take the mean scores of the returned questionnaires and ask three inter-rater judges to give their opinion of the mean score, between 1 and 7, for each question. This process, whilst not fitting the classical application of inter-rater reliability, is consistent with the approach described by Marques & McCall (2005) and yielded general consensus between the judges that the measure derived from the questionnaire was a true reflection of the actual level of organisational supportiveness present at that time.

5 RESULTS

5.1 The 8-factor solution

The results from the two independent datasets, the initial pilot test in the general population (N = 103) and the field test in a host organisation (N = 226), were compared and found to be statistically in 91% agreement. So the two datasets were combined into one (N = 329) and subjected to another exploratory factor analysis, where they demonstrated a 96% agreement with the field test result. The factors of this second exploratory factor analysis, with alpha coefficients for the host organisation (N = 226), are shown in Table 2. The eighth factor was identified as health & safety and conditions of employment. Since this involves clear lines of statutory enforcement and corporate responsibility, it is omitted henceforth from the analysis, as these are largely outwith the control of the local workforce.

Further analysis of each of the 7 factors in respect of age, gender, grade, length of service and shiftwork/daywork effects showed no significant difference from the generalised test results, with the exception of length of service effects for employees with less than 2 years' service, who demonstrated lower alpha coefficients for job security and teamwork. The results of this analysis are shown in Table 3.

One explanation for this may be that teamwork relies on some type of inter-personal bonding between co-workers that takes time to establish, and that security cannot be felt during a period of probationary employment. The standard terms and conditions of employment at the nuclear power station required all employees to satisfactorily complete a one/two year probationary period before being confirmed in their post. This observation may be consistent with the measure being a reliable indicator of perceived organizational supportiveness: if it is accepted that UK employment legislation permits unaccountable dismissal within the first 12 months of employment without any recourse to appeal, then it is reasonable for new employees not to feel secure in any organisation.

As a validity and benchmarking exercise to compare our factors with commitment, the commitment measure of Meyer and Allen (1997) was correlated with F1 communications and F4 barriers, with the results in Table 4. The results suggest that affective commitment is strongly associated with both factors, as indeed it often is with other work attitudes such as trust and job satisfaction. The normative commitment measure, which relates more to obligation, is more strongly related to F4 barriers than to communications, which would be consistent in terms of attitude theory.

Table 2. The 8-factor solution of the field test in the host organization, excluding factor 8 (N = 226).

Table 3. Mean factor scores and alpha coefficients by length of service in the host organization (N = 226).

                    Mean score (1–7 scale) by length of service (years)    Alpha coefficient by length of service (years)
Factor              <1      1–2     2–5     5–10    10–20   >20            <1      1–2     2–5     5–10    10–20   >20
Communication       5.097   5.232   4.421   4.222   5.003   4.833          .790    .861    .907    .967    .844    .855
Helpfulness         4.908   4.948   4.350   3.978   4.711   4.600          .900    .921    .953    .986    .909    .933
Empowerment         4.304   4.335   3.929   4.190   4.777   4.758          .929    .764    .920    .841    .909    .905
Barriers            4.634   4.438   4.104   3.881   4.110   4.097          .803    .887    .946    .849    .893    .926
Teamwork            5.000   5.630   5.792   5.583   5.666   5.599          .880    .317    .837    .793    .722    .852
Training            4.917   5.014   4.625   3.444   4.617   4.920          .786    .840    .831    .627    .600    .681
Security            3.958   3.174   3.625   3.333   4.042   4.102          .730    .341    .795    −.60    .738    .740
N                   8       23      24      3       80      88

Table 4. Pearson's correlations between F1, F4 and the Meyer and Allen (1997) commitment scales.

Commitment score    F1 Communications    F4 Barriers
Normative            .282∗∗∗              −.498∗∗∗
Continuance          .066                 −.041
Affective            .545∗∗∗              −.592∗∗∗

Key: ∗∗∗ = p < .0001.

5.2 Sample size issues

The two datasets, from the pilot test in the general population and the field test at the nuclear power station, were gathered approximately 12–14 months apart, and the closeness with which these two independent surveys agree with each other suggests that the construct has both internal consistency and construct validity. However, neither survey produced the very high ratios of cases to variables (N:P ratio) that factor analysis ideally requires to have high confidence in the outcome of the factor analysis. The first survey had a 2:1 N:P ratio and the second a 4.5:1 N:P ratio. As the questionnaires were identical, their data can be combined into a single dataset giving a 6.5:1 N:P ratio. This not only increases the cases-to-variables ratio but mixes one set of data that could be focused on, and therefore skewed to, a particular organization (the field test data) with data that were in effect randomly gathered from a number of different organizations (the general population data).

There is some debate about what constitutes a suitable sample size for factor analysis. In general, it is reasonable to say that the larger the sample the better the results. Small samples are likely to yield spurious results where factors splinter and cannot be replicated in subsequent analyses, or may contain unrepresentative bias (Froman 2001). Minimum sample sizes suggested range from 3 to 10 subjects per item, with a minimum of between 100 and 300 subjects regardless of the number of items (Gorsuch 1983; Cattell 1978; Tinsley & Tinsley 1987; Nunnally & Bernstein 1994). Higher estimates range from 'a large sample of several hundred' (Cureton & D'Agostino 1983) to 20 subjects per factor (Arindell & Van der Ende 1985). The sample sizes used in this analysis are, for the pilot test, 103 subjects, which satisfy Gorsuch's (1983) criteria; for the field test, 226 subjects, which satisfy Gorsuch's (1983), Cattell's (1978) and Tinsley's and Arindell's criteria. For the combined sample of 329, all of the criteria are satisfied.

A means of measuring, particularly in terms relative to a previous or subsequent measure, the strength or level of supportiveness that currently exists within any organization has been developed.

The construct validity and internal consistency of the measure have been demonstrated.

We have shown that organizational supportiveness is an independent construct compared to organizational commitment and not a direct correlate of OC.

Trust and loyalty appear consistently as important throughout the management literature, and their absence appears regularly to be associated with negative consequences. The ability to trust enables people to interact and to build close relationships, is important for social exchange and is essential for psychological health and development (Erickson, 1959; Blau, 1964; Argyle, 1972; Kanter, 1977; Barber, 1983). A supportiveness construct such as this one, with a focus on communication, can build emotional trust, and an emphasis on developmental training can mitigate the uncertainty of the current business environment. In asking where the supportiveness construct fits into the body of theory and constructs that exist to describe and explain workforce attitudes to their employers and to business organisations, there is evidence that positive support through good HR policies is associated with high organizational performance as well as employee commitment and trust
5.3 Ordinal scale (Koys, 2001; Arthur, 1994; Huselid, 1995; Tsui
From the results that were obtained, a subjective et.al. 1997). In addition, the evidence that employee
supportiveness scale was developed for the host assistance programmes support systems more than
organisation; this can be used for each subscale and pay for themselves demonstrates the usefulness of
its linguistic anchors for each scale point are: 7 = supportiveness.
exceptionally supportive, 6 = very supportive, 5 =
supportive, 4 = neither and so on to 1 = very poor.
REFERENCES
Cronbach, L.J. & Meehl, P.E. (1955). Construct validity in psychological tests. Psychological Bulletin, Vol. 52: 281–302.
Cureton, E.E. & D’Agostino, R.B. (1983). Factor analysis: An applied approach. Hillsdale, NJ: Erlbaum.
Dalton, D.R. & Mesch, D.J. (1990). The impact of flexible scheduling on employee attendance and turnover. Administrative Science Quarterly, Vol. 35: 370–387.
Erikson, E.H. (1959). Identity and the life cycle. Psychological Issues, Vol. 1: 1–171.
Friedman, D.E. & Galinski, E. (1992). Work and family issues: A legitimate business concern. In S. Zedeck (Ed.), Work Families and Organizations. San Francisco: Jossey-Bass.
Froman, R.D. (2001). Elements to consider in planning the use of factor analysis. Southern Online Journal of Nursing Research, Vol. 2 No. 5: 1–22. www.snrs.org/publications/SOJNR_articles/iss05vol02_pdf
Gorsuch, R.L. (1983). Factor Analysis (2nd Ed.). Hillsdale, NJ: Erlbaum.
Huselid, M.A. (1995). The impact of human resource management practices on turnover, productivity, and corporate financial performance. Academy of Management Journal, Vol. 38: 635–672.
Johnson, E.N., Lowe, D.J. & Reckers, P.M.J. (2008). Alternative work arrangements and perceived career success: Current evidence from the big four firms in the U.S. Accounting Organizations and Society, Vol. 33 No. 1: 48–72.
Kanter, R.M. (1977). Men and Women of the Corporation. New York: Basic Books.
Koys, D.J. (2001). The effects of employee satisfaction, organization citizenship behavior, and turnover on organizational effectiveness: A unit level longitudinal study. Personnel Psychology, Vol. 54 No. 1: 101–114.
Leung, M.Y., Zhang, H. & Skitmore, M. (2008). Effects of organisation supports on the stress of construction estimation participants. Journal of Construction Engineering and Management-ASCE, Vol. 134 No. 2: 84–93.
Marques, J.F. & McCall, C. (2005). The Application of Interrater Reliability as a Solidification Instrument in a Phenomenological Study. The Qualitative Report, Vol. 10 No. 3: 438–461.
Meyer, J.P. & Allen, N.J. (1997). Commitment in the Workplace. Sage.
Moses, B. (1997). Building a life-friendly culture. Ivey Business Quarterly, Vol. 62 No. 1: 44–46.
Moorhead, A., Steele, M., Alexander, M., Stephen, K. & Duffin, L. (1997). Changes at work: The 1995 Australian workplace and industrial relations survey. Melbourne: Longman.
Nunnally, J.C. & Bernstein, I.H. (1994). Psychometric Theory (3rd Ed.). New York: McGraw Hill.
Oppenheim, A.N. (1994). Questionnaire Design, Interviews and Attitude Measurement (2nd Edition). Pitman.
Palmer, M.J. (2001). Why do we feel so bad? (personnel management in the health care industry). http://www.findarticles.com/cf_0/m0HSV/6_14/79788282/print.jhtml
Piotrkowski, C.S., Rapoport, R.N. & Rapoport, R. (1987). Families and work. In M.B. Sussman & S.K. Steinmetz (Eds.), Handbook of marriage and the family (pp. 251–283). New York: Plenum Press.
Tinsley, H.E. & Tinsley, D.J. (1987). Uses of factor analysis in counselling psychology research. Journal of Counselling Psychology, Vol. 34: 414–424.
Trochim, M.K. (2002). Construct Validity. http://www.socialresearchmethods.net/kb/constval.htm
Tsui, A.S., Pearce, J.L., Porter, L.W. & Tripoli, A.M. (1997). Alternative approaches to the employee-organization relationship: Does investment in employees pay off? Academy of Management Journal, Vol. 40: 1089–1121.
Wohl, F. (1997). A panoramic view of work and family. In S. Parasuraman & J.H. Greenhaus (Eds.), Integrating work and family: Challenges and choices for a changing world. Westport, CT: Greenwood Publishing Group.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: There are several theories that relate to drivers’ risk-taking behaviour and why they might choose
to increase the level of risk in any particular situation. Focus groups were run to identify transient factors that might
affect driver risk-taking; these were recorded, transcribed and content-analysed to obtain causal attributions. Five
main themes emerged, which could then be sub-divided; these themes are discussed in light of existing theories.
It was found that the attribution to self was the most frequent, but that causal explanations were consistent with
the theories of zero-risk, risk homeostasis and flow.
1 INTRODUCTION AND BACKGROUND
1.1 Introduction
Driver behaviour has, for many years, been recognised as the main cause of death and injury on the roads. Sabey and Taylor (1980) for example, showed that road users were a causal factor in 94% of collisions. The road environment and the vehicle were causal factors in 28% and 8.5% of collisions (total greater than 100% because crashes can be attributable to multiple causes.) The driver has repeatedly been shown to play a dominant role in collision causation (Department for Transport, 2007).
The research reported here investigates which motivations and other transient factors are most salient with respect to affecting driver behaviour.
1.2 Behavioural adaptation
In a seminal paper Taylor (1964) measured the galvanic skin response (GSR) of drivers in the following road types or conditions: urban shopping streets; winding country roads; arterial dual carriageways; peak and off-peak; day and night and found that GSR, taken to be a measure of subjective risk or anxiety, was evenly distributed over time over the range of roads and conditions studied. His results suggest that driving is a self-paced task governed by the level of emotional tension or anxiety that drivers wish to tolerate (Taylor, 1964). It is now accepted that drivers adapt to conditions and state of mind: Summala (1996, p.103) stated that “the driver is inclined to react to changes in the traffic system, whether they be in the vehicle, in the road environment, or in his or her own skills or states.”
Csikszentmihalyi’s (2002) flow model represents the following two important dimensions of experience: challenges and skills. When individuals are highly skilled in an activity and are faced with low challenges, the individuals experience a state of boredom. Conversely, when individuals are not skilled in an activity and are faced with significant challenges, they experience a state of anxiety. When individuals’ skills and the challenges posed by an activity are evenly matched, the individuals experience a pleasurable flow state. Csikszentmihalyi’s model (2002) suggests that under normal driving conditions drivers remain within a flow channel, balancing challenges, ultimately controlled by speed and attention (Fuller, 2005). Should the driving environment become more challenging, a reduction in speed or an increase in attention, perhaps achieved by aborting secondary tasks, can bring the driver back into a flow state. If it became less challenging, an increase in speed or reduction in attention, perhaps achieved by adopting secondary tasks, can similarly ensure that the driver remains in a flow state. Thus by varying their speed or attention, drivers can remain in flow when challenges and/or skill levels change.
In the context of road safety, an understanding of the circumstances under which drivers might be motivated to accept (knowingly or otherwise) increased risks or challenges is of particular interest. The role of motives in driver behaviour has been recognised in two main theories: the zero-risk theory (Näätänen and Summala, 1974) and the theory of task difficulty homeostasis (Fuller, 2000).
The zero-risk theory suggests that driver behaviour is a function of mobility, ‘extra motives’ and safety (Summala, 1998). On the one hand mobility and ‘extra motives’ such as self-enhancement, time goals, thrill-seeking, social pressure, competition, conservation of effort, pleasure of driving and maintenance of speed and progress push drivers towards higher speeds (Summala, 2007). On the other hand, warning signals control risk taking if safety margins that are learned through experience are compromised (Summala, 1998).
The theory of task difficulty homeostasis argues that drivers monitor task difficulty and aim to drive within an acceptable range of difficulty (Fuller, 2000). Safety margins may be affected by motives, through their influence on the upper and lower limits of acceptable task difficulty. Fuller (2000) lists motives that push drivers towards higher speeds and reduced safety margins in three categories: social pressure; critical threshold testing; and other motives. Social pressure includes: maintaining the speed of flow in a traffic stream; pressure from passengers; fear of arriving late for an appointment; a desire to drive like others; and a wish to avoid sanctions. Critical threshold testing includes a desire to test the limits, perhaps attributable to sensation seeking needs, and a drift towards the limits, due to a lack of negative feedback associated with previous risky driving practices. Other motives include time pressure, time-saving and gaining pleasure from speed.
Research has been carried out in order to establish how drivers are affected by motivation in terms of either increased or reduced safety margins: when drivers are motivated by time saving, they drive faster thus taking increased risks (see for example: Musselwhite, 2006; McKenna and Horswill, 2006); similarly, when angry, they adopt aggressive driving patterns and drive faster, thus reducing safety margins (see for example: Mesken, Hagenzieker, Rothengatter and de Waard, 2007; Stephens and Groeger, 2006).
Whilst theories of driver behaviour acknowledge that motivations play an important role in terms of driver risk taking, there has been no research to determine which are the most salient motives and transient factors of influence other than in relation solely to speed (Silcock et al., 2000).
2 METHODOLOGY
Eight individuals with full UK driving licences who drove on a frequent basis participated in the study. The study group comprised 6 males and two females, with ages spread across the range 17–65. Data were recorded using a portable cassette recorder with microphone.
2.1 Design and procedure
Two unstructured focus group discussions were held. Participants were encouraged to talk about their own driving behaviour, and the circumstances under which they felt that their driving behaviour changed, giving examples where appropriate. Both focus groups were transcribed for content analysis, including attributional analysis. Attributional statements have been defined as “any statement in which an outcome is indicated as having happened, or being present, because of some event or condition” (Munton, Silvester, Stratton and Hanks, 1999). Statements meeting this definition were extracted from the transcript. Where several different causes or effects were given for a particular relationship, attributions were extracted and coded separately.
3 RESULTS
1026 attributional statements were extracted from the transcripts and were reduced into major causal areas (attribution frequency in parentheses):
self (1831)
physical environment (660)
other road users (251)
vehicle (105)
road authority (105)
The self theme can be extended or broken down into the following:
extra motives (879)
flow state (332)
perception (233)
journey type (142)
capability (116)
time pressure (103)
experience (26)
Data were then coded within each of these themes. A selection of the attributional statements of other road users, vehicle and the roads authority as causal themes are shown in Table 1.
Self and physical environment themes had to be further divided in order to preserve the richness of the data. The physical environment theme was divided into the following sub-themes: physical environment, road condition, and road familiarity. To illustrate the presence of these causal themes, a selection of attributional statements are shown in Table 2. The self theme was divided and is shown in Figure 2. To illustrate the presence of ‘self’ in the sub-themes, a selection of attributional statements are shown in Table 3.
4 DISCUSSION
We have shown from this research that there are five main categories of causal areas, being the driver him or herself; the physical environment; other road users;
Table 1. Statements where the cause was coded under ‘other road users’, ‘vehicle’ and ‘roads authority’.
Table 2. Statements where the cause was coded under ‘physical environment’, ‘road condition’, and ‘road familiarity’.
the roads authority and the vehicle being driven. Of these, by far the most frequently occurring was ‘self’. Each of these is considered below in relation to existing theory and evidence.
‘Self’ contained seven sub-themes: perception; capability; journey type; time pressure; extra motives; flow state; and experience; each of these is considered below.
In terms of perception, whether the situation felt safe or felt risky were frequently reported. Perception is a stage inherent within most models of driver behaviour (Fuller, 2000; Summala, 1998 and 2007; Näätänen and Summala, 1974). This study has found that people adjust their speed upwards or downwards according to the weather or their knowledge of the road; thus zero-risk is an inappropriate explanation prima facie as the situation does not involve the opposing motives proposed by Summala (1998). However the idea that drivers adapt to the environment in order to remain within a flow state or avoid boredom might be a better explanation, as would the homeostasis theory (Csikszentmihalyi, 2002; Fuller, 2000). Capability was also a frequently reported cause: it was often perceived to have increased (such as being in a larger vehicle) or reduced (through fatigue). If capability increased, drivers are expected to adapt by either
Table 3. Statements where the cause was coded under the umbrella theme, ‘self ’.
increased speed or reduced concentration; again these ideas are consistent with both flow and homeostasis explanations (Csikszentmihalyi, 2002; Fuller, 2000).
Extra motives, illustrated in Table 3, include: boredom relief, flow-seeking, maintaining progress, negative and positive emotions, penalty avoidance, relaxation, risk-aversion, risk and thrill-seeking and tiredness. The theory of flow (Csikszentmihalyi, 2002) would predict boredom relief motives to result in either faster driving or adoption of secondary tasks, in either case reducing safety margins; flow-seeking motives should encourage faster driving when the challenges are low but slower driving when the challenges are high. The findings here would support this explanation, but so they also would support the homeostasis and zero-risk theories, both of which emphasise the motivation tendencies propelling drivers to drive faster as sensation-seeking or to avoid lateness (Summala 2007; Fuller 2000; Näätänen and Summala, 1974). In our study, negative emotions such as anger resulted in drivers effecting more aggressive behaviour and hence reduced safety margins whereas positive emotions had the reverse effect and resulted in increased safety margins; this is consistent with other findings (Underwood et al., 1999; Stephens and Groeger, 2006). Other motives such as penalty avoidance, relaxation, tiredness and risk-aversion all led to reduced speeds but probably increased boredom and took drivers out of their flow channel or band of acceptable task difficulty; again this is consistent with other findings (van der Hulst et al., 2001). Risk-seeking motives are likely to encourage driving at the upper bounds of the flow channel/band of acceptable task difficulty (Csikszentmihalyi, 2002).
Journey type was an important causal theme in our findings and included leisure trips, long journeys and commuting. Motivations related to different journey types have associated and different effects on driver behaviour: for example, club trips (found in this study) might encourage risky driving amongst peers (Arnett et al., 1997) whilst leisure trips may be expected to encourage a generally calmer and more relaxed driving manner. In general for any journey type, whether the driver was under time pressure or not (including time-saving) were frequently nominated factors of influence. Motorists are likely to drive faster and more aggressively when under time pressure, and by implication in a more relaxed fashion when not, as was found here (Musselwhite, 2006; McKenna and Horswill, 2006).
Flow state was found to be a key theme: whether the situation resulted in the driver feeling bored or anxious was reported frequently. The flow model (Csikszentmihalyi, 2002) suggests that a state of boredom or anxiety is not pleasant, and as such drivers are expected to look for opportunities to achieve a flow state either by adjusting task demands or attention, such as our examples illustrate.
Even car insurance premia reflect experience, so unsurprisingly it was also found to be a causal influence, but only represented in our data by whether the driver had experienced an accident or near miss. This also fits with the commonly observed phenomenon of drivers slowing down after observing the evidence of an accident, only to speed up again later. Initial findings support the suggestion that drivers adopt more risk-averse attitudes after such events and as such are expected to increase safety margins for a period, driving within the lower limits of their flow channels; this explanation fits all three theories.
Other road users are also cited frequently, with high traffic levels the most frequently nominated cause. Predictably, high traffic levels were found to affect anger, violations and accidents; being held up by a slower car in front and responding aggressively were also causes cited in our study, again consistent with other research (Underwood et al., 1999; Bjorklund, in press). Additional causes within this theme included other drivers’ incompetent or risky behaviours and traffic jams affecting anger, and low traffic levels encouraging higher speeds via reduced challenges (Bjorklund, in press; Csikszentmihalyi, 2002). That other road users were found to be a main causal theme in the determination of driver behaviour supports both the zero-risk and risk homeostasis theories where perception of the environment (including other road users’ behaviour) are key stages within the models (Fuller, 2000; Summala, 2007; Näätänen and Summala, 1974).
The vehicle being driven, in terms of size and image, were factors of influence in our study. Driving a large vehicle appears to result in faster driving, presumably from increased visibility and reduced challenges, whilst the opposite appears to be the case when driving a small vehicle (Csikszentmihalyi, 2002). Vehicle image appeared to influence driver behaviour if the vehicle being used wasn’t the driver’s usual vehicle. In light of work by Newnam et al. (2004) drivers could be expected to drive at reduced speeds in non-private vehicles, but our findings indicate the opposite to be true.
The road authority can self-evidently be an influence, for example in terms of safety measures, traffic calming measures, chevrons and speed limits, and these in fact were frequently nominated causal factors. The fact that drivers nominated these as causal factors suggests that they are likely to slow down in these situations (McKenna and Horswill, 2006), possibly because of fear, responsibilities, correction of risk misperceptions and associations between warnings and increased challenges. Drivers also stated as a causal factor that the speed limit is too low; flow theory would suggest that they would weigh up the costs and benefits of speeding versus experiencing a state of boredom (Csikszentmihalyi, 2002).
The physical environment theme was divided into the physical environment, road condition and road familiarity. Road type was frequently reported as an influence, particularly motorways or dual carriageways, followed by tight rural roads and open rural roads; these different road types have different design speeds to which drivers are expected to adapt: for example we found drivers saying they drove faster on open roads with high visibility, and slower on tight roads where it is reduced (Csikszentmihalyi, 2002). Within the road condition sub-theme, the only factor cited in this study was adverse conditions, such as water or snow on the road, where drivers would be expected to slow down, taking more care (Csikszentmihalyi, 2002; Stradling, 2007). In terms of road familiarity, drivers said they would drive faster on familiar roads, consistent with all of the three main theories which suggest that challenges are reduced with familiarity (Stradling, 2007); this can be accommodated by an increase in speed and/or a reduction in attention. We also found road familiarity may be associated with increased confidence and a sense of ownership; an example of this being “the old people that come into the city centre here change the way I drive”.
To summarise, the finding of self as the dominant cause is an interesting attribution, not entirely consistent with findings elsewhere that most drivers make the attribution of blame to others; this is consistent with self-serving attributions and the fundamental attribution error in attribution theory (Hewstone, 1989). Most of our findings are consistent with all three theories of driver behaviour and flow (Fuller, 2000;
Summala 2007; Csikszentmihalyi, 2002; Näätänen and Summala, 1974).
5 CONCLUSIONS
This research forms the preliminary base for a longer and more detailed study, but this required the identification of themes from which to proceed, and these have been identified here. In all, five major themes have been identified which sub-divide into 13 smaller themes, which can form the basis for evaluation and judgement in further interviews and surveys. However, even with these themes and our data supporting them as often very frequently occurring, it is not possible to identify which of the three main explanatory frameworks (flow theory, zero-risk theory or homeostasis) offers the best explanations for either our themes or their frequency of occurrence. Somehow, all these theories seem to tell us that drivers may be motivated to drive faster, but whether this is to maintain flow, or for some form of extra motive, or as critical threshold testing, cannot easily be ascertained, even with the causal reasons provided in our attributional analyses.
The study so far has some limitations: we need more focus groups, but directed more towards causal factors particularly for ‘self’. Once these have been conducted and analysed, then questionnaires can be built to test some of the more pertinent aspects of self and other causes. Additionally, we have focussed solely on drivers in one part of the United Kingdom, so more work will be done in relation to other driving areas, such as capital cities and rural environments.
REFERENCES
Arnett, J.J., D. Offer, et al. (1997). Reckless driving in adolescence: ‘State’ and ‘trait’ factors. Accident Analysis & Prevention 29(1): 57–63.
Bjorklund, G.M. Driver irritation and aggressive behaviour. Accident Analysis & Prevention, In Press, Corrected Proof.
Csikszentmihalyi, M. (2002). The classic work on how to achieve happiness, Rider.
DfT (2007). Road Casualties Great Britain: 2006. Annual Report, The Stationery Office.
Fuller, R. (2000). The task-capability interface model of the driving process. Recherche, Transports, Securite 66: 47–57.
Fuller, R. (2005). Towards a general theory of driver behaviour. Accident Analysis & Prevention 37(3): 461–472.
Hewstone, M. (1989). Causal Attribution: from cognitive processes to collective beliefs. Oxford: Blackwell.
McKenna, F.P. and M.S. Horswill (2006). Risk Taking From the Participant’s Perspective: The Case of Driving and Accident Risk. Health Psychology 25(2): 163–170.
Mesken, J., M.P. Hagenzieker, et al. (2007). Frequency, determinants, and consequences of different drivers’ emotions: An on-the-road study using self-reports, (observed) behaviour, and physiology. Transportation Research Part F: Traffic Psychology and Behaviour 10(6): 458–475.
Munton, A.G., J. Silvester, et al. (1999). Attributions in Action: A Practical Approach to Coding Qualitative Data, John Wiley & Sons Ltd.
Musselwhite, C. (2006). Attitudes towards vehicle driving behaviour: Categorising and contextualising risk. Accident Analysis & Prevention 38(2): 324–334.
Näätänen, R. and H. Summala (1974). A model for the role of motivational factors in drivers’ decision-making. Accident Analysis & Prevention 6(3–4): 243–261.
Newnam, S., B. Watson, et al. (2004). Factors predicting intentions to speed in a work and personal vehicle. Transportation Research Part F: Traffic Psychology and Behaviour 7(4–5): 287–300.
Sabey, B.E. and H. Taylor (1980). The known risks we run: the highway. Crowthorne, TRL Ltd.
Silcock, D., K. Smith, et al. (2000). What limits speed? Factors that affect how fast we drive, AA Foundation for Road Safety Research.
Stephens, A.N. and J.A. Groeger (2006). Do emotional appraisals of traffic situations influence driver behaviour? Behavioural Research in Road Safety: Sixteenth Seminar, Department for Transport.
Stradling, S.G. (2007). Car driver speed choice in Scotland. Ergonomics 50(8): 1196–1208.
Summala, H. (1988). Risk control is not risk adjustment: The zero-risk theory of driver behaviour and its implications, United Kingdom: Taylor & Francis.
Summala, H. (1996). Accident risk and driver behaviour. Safety Science 22(1–3): 103–117.
Summala, H. (2007). Towards understanding motivational and emotional factors in driver behaviour: comfort through satisficing. In P.C. Cacciabue (Ed.), Modelling Driver Behaviour in Automotive Environments: Critical Issues in Driver Interactions with Intelligent Transport Systems. Springer Verlag: 189–207.
Underwood, G., P. Chapman, et al. (1999). Anger while driving. Transportation Research Part F: Traffic Psychology and Behaviour 2(1): 55–68.
van der Hulst, M., T. Meijman, et al. (2001). Maintaining task set under fatigue: a study of time-on-task effects in simulated driving. Transportation Research Part F: Traffic Psychology and Behaviour 4(2): 103–118.
C. Vivalda
Schlumberger Carbon Services, Clamart, France
L. Jammes
Schlumberger Carbon Services, Paris La Défense, France
ABSTRACT: Carbon Capture and Storage (CCS) is a promising technology to help mitigate climate change
by way of reducing atmospheric greenhouse gas emissions. CCS involves capturing carbon dioxide (CO2 ) from
large industrial or energy-related sources, transporting, and injecting it into the subsurface for long-term storage.
To complete the limited knowledge about the site and experience about the operational and long-term behavior
of injected CO2 , a massive involvement of expert judgment is necessary when selecting the most appropriate
site, deciding the initial characterization needs and the related measurements, interpreting the results, identifying
the potential risk pathways, building risk scenarios, estimating event occurrence probabilities and severity of
consequences, and assessing and benchmarking simulation tools. The paper sets the basis for the development
of an approach suited for CCS applications and its role in the overall framework of CO2 long-term storage
performance management and risk control. The work is carried out in the frame of an internal research and
development project.
unobtainable, while issues are very serious and/or very complex.
The paper sets the basis for the development of an approach suited for CCS applications and its role in the overall framework of CO2 long-term storage performance management and risk control. The work is carried out in the frame of an internal research and development project and examples of potential applications are presented.
2 STATE OF THE ART
At the time the authors are writing (2008) there are no published formalized methods for experts’ judgment elicitation in the domain of CO2 storage. Nevertheless, expert judgment is tacitly or explicitly employed in studies and projects to complement lack of or poor information and data.
Experts are currently required to assess existing data related to a site, such as geophysics data, geological reports, petro-physical properties . . . and decide for further data acquisition and site characterization when a site is screened for suitability to store CO2. They are also asked: to estimate physical quantities, such as rock permeability from measurements, and provide degree of confidence or probability density functions of the estimated quantities; to intervene in the qualitative and semi-quantitative steps of risk assessment to identify risk pathways and scenarios, and when not otherwise possible, to assess their probability of occurrence and their potential consequences. They are expected to make choices among models to represent the actual CO2 behavior, for example during injection and storage in the underground formation for a long time period, and to assess and benchmark simulation tools.
CCS projects in Australia (Bowden & Rigg, 2004) are an example. Experts have been involved in the process of selecting the most suitable storage sites. The expert panel was formed by individuals carrying the relevant competencies, such as geomechanics, geochemistry, geology, project management, etc. and led by normative experts. A pool of experts has also filled and is maintaining a risk register for one selected
and documented process should add value to the current practice and provide justified assumptions and results for external audit.
3 CHALLENGES
Using expert judgment to help overcome the insufficient, lack of, or poor, data is challenged by the following:
– The experts are questioned on a domain that is being discovered;
– CCS experts are contributing to the discovery of the domain and can be biased by their own understanding;
– There are no available statistics (e.g. on unwanted events such as leakage from the formation to the atmosphere; on fault and fracture activation; etc.). However new data from research and demonstration projects are recorded: they have to be continually mined to update first subjective estimations;
– Experimental results cover a limited number of specific phenomena as, for example, wellbore cement degradation (Kutchko & al., 2007; Barlet-Gouédard & al., 2007). Extrapolations to the overall site behavior are not yet viable and their limited number as well as confidentiality makes it difficult to build statistics. In spite of that, experts should be able to benefit from this information when providing judgments;
– Numerical modeling of physical phenomena is underway and is rapidly progressing, despite the limited feedback from the field necessary to calibrate and history match the models. This implies that current simulation models should consider the uncertainty of the input parameters and make explicit the degree of confidence of the results. The role of experts to assess the models as well as to provide estimations of input parameters is crucial;
– Generic risk pathways have been imagined, such as CO2 escape into potable aquifers due to wellbore failure, vertical migration and leakage through abandoned or closed wells in the vicinity (Benson
site (Otway). Weyburn project in Canada is another & al., 2002) but not feed-backed and quantified by
example (Whittaker, 2004). In this project experts experience. Starting from these generic pathways,
have been questioned to identify the list of failures, experts may be required to build site specific sce-
events and processes (FEPs) relevant to the project narios and assess their probability of occurrence and
(Savage & al., 2004) and to build risk scenarios. Other the magnitude of their consequences;
examples, such as Sleipner in Norway or Illinois in – Each site is ‘‘unique’’ (not reproducible). Knowl-
United States can also be mentioned. edge about the structure and the properties of the
In all cases, no formal process was followed but the geological system is usually obtained by inter-
quality of the results was assured by the excellence and preting existing relevant geophysical data such as
common sense of the people in the panels. seismic, and measuring underground strata char-
Notwithstanding the importance of these first refer- acteristics—mechanical, petro-physical, fluid flow
ences and applications, it seems that a well established properties, chemical composition. . . Experts will
306
always be required to interpret and assess site specific data. Extrapolations to or from other sites are normally risky and shall be appropriately documented.
These challenges influence the way the formal process for expert judgment elicitation is built.

4 EXPERTS JUDGMENT ELICITATION PROCESS

The internal project is currently in the phase of setting the requirements for the development of an expert judgment elicitation process able to:
– Address the challenges described above;
– Capture the most relevant information and data from the experts;
– Be well balanced between time and costs and quality of captured information;
– Address specific needs and objectives of expert judgment use;
– Be reproducible.
The formal process will be based on existing practices and methods (Cooke & al., 1999; Bonano & al., 1989), which will then be customized to be implemented on CO2 storage projects.
While building the process, it is important to define the domains it will be applied to, and ensure it covers all of them. The following domains are identified:
– Measurements interpretation (e.g. CO2 plume size, mass in place, etc.);
– Physical parameters estimation (e.g. permeability, fault/fracture extent, etc.);
– Risk related parameters estimation (e.g. scenario identification, likelihood and severity estimation, etc.);
– Conceptual and mathematical models selection and validation (e.g. CO2 transport model, mechanical model, etc.).
All along these domains, the experts are also required to qualify or quantify uncertainty, e.g. in qualitative assessment, in numerical values for key parameters, in predictions, etc.
The process will be deployed into the following four main steps.

4.1 Experts selection

There is a need to find a balanced way to select the experts, knowing that the expertise on CO2 geological storage is being built in parallel to the increase in knowledge. Three main external areas can be mentioned where useful know-how exists.
The first is represented by natural and industrial analogs. They have the advantage of presenting some characteristics similar to CO2 storage, such as leakage/seepage mechanisms for natural analogs, long term repository for wastes, gas injection into formations for gas storage; but also important differences, such as CO2 already in place for natural analogs, short storage period (few months to years) and reversible process for gas storage sites, and dangerous substances for waste repositories. The second area is represented by other industrial applications, such as nuclear, aeronautics, chemical, oil and gas. . . The experts in these two areas need accurate training on the system characteristics, performance, and challenges to avoid underestimating the differences, such as peculiar CO2 physical and chemical properties, long-term storage requirements, etc. and drawing biased conclusions.
The third area is represented by expertise outside industrial applications, such as policy and regulations, insurance, sociology, environmental protection. . . This contribution is very valuable for example when assessing the consequences of a given scenario and their impact on population, the environment, etc. In this case the experts need a full understanding of the overall system and its challenges, spanning from the CO2 storage site to the legal framework, the local population habits, the flora and the fauna, etc.
On top of these three areas, a valuable set of experts is found among the CCS practitioners, i.e. those who have or are participating in CCS research, demonstration and future large-scale projects. Their know-how and feedback is very precious.
Depending on the objectives of the elicitation process, a balanced mix of the above expertise needs to be reached. The presence of experts outside the CCS community already accustomed to giving judgments should positively contribute to keep the approach up-to-date and smooth the way towards implementation of the elicitation process in this new field.
Following the classical approach for expert judgment elicitation (Bonano, 1989) three main kinds of experts will be selected:
– Generalists: knowledgeable about various aspects of the storage site and its performance;
– Specialists: at the forefront of specialties relevant to the storage site;
– Normative experts: trained in probability theory, psychology and decision analysis. They assist generalists and specialists with substantive knowledge in articulating their professional judgments.
Typical specialties necessary to create a panel for CO2 storage projects are geology, geomechanics, geochemistry, geophysics, petro-physics, monitoring techniques and instrumentations, materials, etc. The size of the expert panel varies according to the domain and objects to be elicited.
4.2 Experts elicitation instruments and modes

The mode of carrying out the experts' elicitation depends on the elicitation purposes, the domains it addresses, the level of general knowledge about the objects to be questioned, and the available expertise relevant to the object to be questioned.
It is envisaged to use at least two approaches to elicit knowledge. The first one is by setting up expert panels, to have all the experts gathered together at least once and encourage discussion and confrontation. The second one is by survey, where the experts' judgment is elicited independently but not confronted. The results will then be analyzed by the normative expert(s).

4.3 Experts judgments analysis and combination

The judgments provided by the experts will then be analyzed and combined.
Methods to combine expert judgments exist in the literature. They vary from very simplistic methods, based on averaged values of experts' estimations, giving each expert the same weight, to more complicated and informative ones (Gossens & al., 1998), where the experts are weighted and their judgments probabilistically aggregated.
The choice of the most appropriate method to combine the different judgments will vary depending upon the final use of the estimations. Three examples are presented below.
The first example considers a pool of experts gathered at the initial phase of a project to compile a risk register. Once the list of hazards, their potential causes, and consequences are identified and recorded, the elicited outcomes will be the likelihood and severity of the identified hazard. These two parameters, at this stage of the project, are poorly known and reference statistics do not exist, so they will be classified using indexes (e.g. from 1 to 5) running for example from improbable to probable for likelihood and from negligible to catastrophic for severity. Each expert is asked to index likelihood (I_L) and severity (I_S) of each hazard and provide a credal interval (e.g. [I_L − 1; I_L + 1]). The judgments are then combined on the indexes and, due to the broad level of the analysis, a simple combination method, like averaging the individual indexes, will be sufficient to obtain an integer mean index I_m. The aggregated credal intervals can also be evaluated.
The second example concerns a project where an existing well is being evaluated for potential re-use as an injection well (Gérard & al., 2006; Van Der Beken, A. & al., 2007), and where cement evaluation logs are available. In this case, the permeability of the cement is one of the most significant factors to drive the choice of re-using the well, because the probability of having CO2 leaking through the cement depends on it. In this case, more precise judgments are required and experts can be asked to estimate the physical quantity, and provide the degree of confidence or the probability density functions of this parameter in different sections of the well. More refined methods, such as the Classical Model suggested by Cooke & al. (1999), are better suited to deal with this case to find a rational consensus on the final distributions.
The third example addresses the estimation of the probability of a fault opening under certain pressure conditions, when data from site seismic measurements are very poor and mechanical properties uncertain. In this case, the experts may give very different judgments and seeking consensus is less informative than estimating the degree of variability among experts' best estimates. This allows getting a measure of the overall uncertainty around that variable and then deciding to take actions, such as asking for additional measurement campaigns, to reduce the uncertainty bounds.

4.3.1 Uncertainty measures

Uncertainty associated with the judgments has to be measured and considered when the results of the elicitation process are analyzed. Efficient measures to look at are the following (Hoffmann & al., 2006):
– Extent of agreement between experts and external attributions (e.g. analogues): use of relevant analyses (e.g. regression) to explain differences;
– Degree of variability among experts' best estimates: statistical measure of consensus of expert opinion;
– Individual uncertainty: measure of the certainty experts have about their own attribution judgment.
The uncertainty is described by probability distributions, credal intervals, when numerically quantifiable, or by qualitative statements, such as large, small . . . when not. The treatment of quantified uncertainties is done using traditional probabilistic and statistical methods.

4.4 Updating initial estimations

An important feature of a geological site is that its description becomes more and more accurate by acquiring new data, by monitoring, and by running calibrated simulation models. This implies that some of the objects initially evaluated by experts are now measured or calculated, and also that some judgments have to be updated because of more available information. A positive outcome is that the uncertainty surrounding the overall CO2 storage system is narrowed.
Updating sessions are therefore necessary and valuable. They may require the involvement of only one or a few experts to inform the system of new consolidated data. Or they may want a pool of experts to re-run an elicitation process that will consider all the new information at hand. The composition of the pool may be
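Returning to the risk-register example and the fault-opening example of section 4.3 above, the following Python script is an added illustration (not code from the paper or its authors): it applies the equal-weight combination of likelihood and severity indexes to an integer mean index I_m, aggregates the credal intervals [I − 1; I + 1], and uses the spread of the experts' best estimates to flag hazards on which additional data should be requested. The four experts, the two hazards, the rule that aggregates credal intervals by averaging their bounds, and the spread threshold of 1.0 are constructed assumptions.

```python
from math import floor
from statistics import mean, pstdev

INDEX_MIN, INDEX_MAX = 1, 5   # the 1..5 index scale of the paper's first example

# Constructed sample input (not from the paper): four hypothetical experts give,
# for each hazard, a (likelihood index I_L, severity index I_S) pair.
RISK_REGISTER = {
    "CO2 leakage through wellbore cement": [(3, 4), (4, 4), (2, 5), (3, 4)],
    "fault opening under injection pressure": [(1, 5), (4, 3), (2, 5), (5, 4)],
}


def credal_interval(index, half_width=1):
    """Credal interval [I - 1; I + 1] around one expert's index, clamped to the scale."""
    return (max(INDEX_MIN, index - half_width), min(INDEX_MAX, index + half_width))


def integer_mean_index(indexes):
    """Equal-weight combination: average the experts' indexes and round half up
    so that the result I_m is again an integer on the 1..5 scale."""
    return int(floor(mean(indexes) + 0.5))


def aggregate_credal_interval(indexes, half_width=1):
    """Assumption (the paper does not fix the rule): the aggregated credal interval
    is the mean of the individual lower bounds and the mean of the upper bounds."""
    intervals = [credal_interval(i, half_width) for i in indexes]
    lows = [lo for lo, _ in intervals]
    highs = [hi for _, hi in intervals]
    return (mean(lows), mean(highs))


def best_estimate_spread(indexes):
    """Degree of variability among the experts' best estimates (section 4.3.1):
    population standard deviation of the indexes."""
    return pstdev(indexes)


def combine_hazard(judgments, spread_threshold=1.0):
    """Combine one hazard's judgments. When the experts disagree by more than the
    (assumed) threshold, flag the hazard so that additional measurement
    campaigns can be requested, as the paper's third example suggests."""
    likelihood = [il for il, _ in judgments]
    severity = [is_ for _, is_ in judgments]
    result = {
        "I_L_mean": integer_mean_index(likelihood),
        "I_S_mean": integer_mean_index(severity),
        "I_L_credal": aggregate_credal_interval(likelihood),
        "I_S_credal": aggregate_credal_interval(severity),
        "I_L_spread": best_estimate_spread(likelihood),
        "I_S_spread": best_estimate_spread(severity),
    }
    result["needs_more_data"] = (
        max(result["I_L_spread"], result["I_S_spread"]) > spread_threshold
    )
    return result


def combine_register(register, spread_threshold=1.0):
    """Apply combine_hazard to every hazard of a risk register."""
    return {hazard: combine_hazard(j, spread_threshold) for hazard, j in register.items()}


if __name__ == "__main__":
    for hazard, combined in combine_register(RISK_REGISTER).items():
        flag = "request more data" if combined["needs_more_data"] else "consensus adequate"
        print(f"{hazard}: I_L={combined['I_L_mean']} {combined['I_L_credal']}, "
              f"I_S={combined['I_S_mean']} {combined['I_S_credal']} -> {flag}")
```

With the constructed input, the cement-leakage hazard reaches I_L = 3 and I_S = 4 with a small spread, while the fault-opening hazard has the same mean indexes but a likelihood spread above the threshold, which is exactly the situation in which the paper proposes asking for additional measurement campaigns rather than forcing a consensus.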
5 EXPERT JUDGMENT AND CO2 STORAGE PERFORMANCE MANAGEMENT

vant phases of CO2 storage site life cycle, which are the following: a) site selection, b) site screening, c) characterization, d) design, e) injection, and f) long-term storage/surveillance.
Figure 2. Example of CO2 storage site and risk pathway.
The overall approach for CO2 performance management and risk control considers uncertainties, including those introduced by the judgments.

5.1 Expert judgment and modeling

Modeling is the core of the CO2 storage site performance management and risk control methodology. Its main purpose is to capture the main features of the overall site and simulate the most important processes induced by CO2 injection, to represent the reality in the most truthful way. Simulation models are used, for example, to quantitatively evaluate the risk pathways/scenarios. To take into account the limited knowledge of today, the models have to be probabilistic and include uncertainty analysis. Experts are involved in the process of selecting the most appropriate and representative models.
The quality of the results depends on the quality of the simulation models and tools, and the role of experts in benchmarking the tools is significant. The decision diagram for structured expert elicitation process selection, as it is conceived today, does not address methods for model assessment because of their different nature, and a dedicated approach will be investigated.

6 EXAMPLES OF POTENTIAL APPLICATIONS

6.3 Site characterization

Site characterization corresponds to the phase where additional measurements are made following the directions given during the site screening phase on the basis of the preliminary performance assessment. In this phase experts interpret measurements. To carry out a detailed performance assessment, they identify risk pathways and scenarios. Experts are questioned about the probability of occurrence and magnitude of consequences of risk pathways/scenarios.
During this phase a static model can be built and dynamic simulations run to quantitatively assess the risk pathways or the scenarios. The involvement of a group of experts to create the model is crucial to take maximum profit of the various expertises and to solve conflicts when modeling choices are made, such as the size of the 3D area to be described, the inclusion of surface properties, the inclusion of distant wells, etc.

6.4 Long-term storage

Long-term storage corresponds to the phase where the stored CO2 is expected to stay in place and the site is monitored to confirm this expectation. Experts interpret monitoring data. Most of the interpretations are derived from indirect measurements and need to be understood. Experts update predictions as far as pathways/scenarios are concerned.
and Industrial Analogues for Storage of Carbon Dioxide in Deep Geological Formations. Lawrence Berkeley National Laboratory LBNL-51170.
Bérard, T., Jammes, L., Lecampion, B., Vivalda, C. & Desroches, J. 2007. CO2 Storage Geomechanics for Performance and Risk Management, SPE paper 108528, Offshore Europe 2007, Aberdeen, Scotland.
Bonano, E.J., Hora, S.C., Keeney, R.L. & von Winterfeldt, D. 1989. Elicitation and use of expert judgment in performance assessment for high-level radioactive waste repositories. NUREG/CR-5411; SAND89-1821. Washington: US Nuclear Regulatory Commission.
Bowden, A.R. & Rigg, A. 2004. Assessing risk in CO2 storage projects. APPEA Journal, pp. 677–702.
Cooke, R.M. & Gossens, L.J.H. 1999. Procedures guide for structured expert judgment. EUR 18820. Brussels, Euratom.
Gérard, B., Frenette, R., Auge, L., Barlet-Gouédard, V., Desroches, J. & Jammes, L. 2006. Well Integrity in CO2 environments: Performance & Risk, Technologies. CO2 Site Characterization Symposium, Berkeley, California.
Gossens, L.H.J., Cooke, R.M. & Kraan, B.C.P. 1998. Evaluation of weighting schemes for expert judgment studies. In Mosleh, A. & Bari, A. (Eds.) Probabilistic safety assessment and management. Springer, Vol. 3, pp. 1937–1942.
Helton, J.C. 1994. Treatment of Uncertainty in Performance Assessments for Complex Systems. Risk Analysis, Vol. 14, No. 4, pp. 483–511.
Hoffman, S., Fischbeck, P., Krupnik, A. & McWilliams, M. 2006. Eliciting information on uncertainty from heterogeneous expert panels. Discussion Paper. Resources for the Future, RFF DP 06-17.
IPCC, 2005. IPCC Special Report on Carbon Dioxide Capture and Storage. Intergovernmental Panel on Climate Change, Cambridge University Press, Cambridge, UK.
Kutchko, B.G., Strazisar, B.R., Dzombak, D.A., Lowry, G.V. & Thaulow, N. 2007. Degradation of well cement by CO2 under geologic sequestration conditions. Environmental Science & Technology, Vol. 41, No. 13, pp. 4787–4792.
Oberkampf, W.L., Helton, J.C., Joslyn, C.A., Wojtkiewicz, S.F. & Ferson, S. 2004. Challenge Problems: Uncertainty in System Response Given Uncertain Parameters. Reliability Engineering and System Safety, Vol. 85, pp. 11–19.
Savage, D., Maul, P.R., Benbow, S. & Walke, R.C. 2004. A generic FEP database for the assessment of long-term Performance and Safety of the geological storage of CO2. Quintessa, QRS-1060A-1.
Simola, K., Mengolini, A. & Bolado-Lavin, R. 2005. Formal expert Judgment: an overview. EUR 21772, DG JRC, Institute for Energy, The Netherlands.
Van Der Beken, A., Le Gouévec, J., Gérard, B. & Youssef, S. 2007. Well Integrity Assessment and Modelling for CO2 injection. In Proceedings of WEC07, Alger, Algeria.
Vivalda, C. & Jammes, L. 2008. Probabilistic Performance Assessment Methodology for long term subsurface CO2 storage. In Proceedings of PSAM 9 Conference, Hong Kong.
Whittaker, S.G. 2004. Investigating geological storage of greenhouse gases in southeastern Saskatchewan: The IEA Weyburn CO2 Monitoring and Storage Project. In Summary of Investigations, Misc. Rep. 2004-4.1, Vol. 1, Paper A-2, Saskatchewan Geological Survey, Sask. Industry Resources, Canada.
Integrated risk management and risk-informed decision-making
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
Simona Verga
DRDC CSS (Centre for Security Science), Ottawa, Canada
ABSTRACT: This work advocates an architecture approach for an all-hazards risk model, in support of
harmonized planning across levels of government and different organizations. As a basis for the architec-
ture, a taxonomic scheme has been drafted, which partitions risk into logical categories and captures the
relationships among them. Provided that the classifications are aligned with the areas of expertise of vari-
ous departments/agencies, a framework can be developed and used to assign portions of the risk domain to those
organizations with relevant authority. Such a framework will provide a structured hierarchy where data collection
and analysis can be carried out independently at different levels, allowing each contributing system/organization
to meet its internal needs, but also those of the overarching framework into which it is set. In the end, the proposed
taxonomy will provide a ‘‘blueprint’’ for the all-hazards risk domain, to organize and harmonize seemingly
different risks and allow a comparative analysis.
Figure 1. Generic risk management process, showing a typical sequence of steps commonly followed, as well as the review
and feedback processes.
outcomes. Risk management is the structured approach to set up such processes and develop such strategies (Haimes 2004).
Although the details of the risk management approach vary widely across risk domains/organizations, the following steps are commonly followed: (1) risk identification; (2) risk assessment; (3) identification/analysis and implementation of risk treatment options; and (4) monitoring and evaluation. In most cases, risk management is a cycle that incorporates review and feedback loops. Figure 1 shows a generic risk management process.
Invariably, risk management starts with risk identification. An important part of risk identification is establishing the context. This implies selecting the domain of interest, establishing the identity and objectives of risk managers and other interested parties (stakeholders), the scope of the process, and the basis upon which risks will be evaluated (i.e., assumptions, constraints). After establishing the context, the next step in the process is to identify potential risks. Risk identification may be approached from different ends: it may start with identifying potential sources of the risk event, or with the risk event itself. More will be said on this essential step in risk management in subsequent sections, as risk identification and classification constitutes the main topic of this paper.
Once a risk has been identified, it must be assessed. Risk is the product of Likelihood and Consequences, where "Likelihood" refers to the risk event's chance of occurrence and "Consequences" measures the severity and extent of the effects associated with the event. Indeed, any risk assessment methodology is likely to start with a "risk equation" along these lines. But while this formula is sufficiently general to grant acceptance with a broad audience of "risk professionals", it must be refined further in order to be of practical value to anyone tasked with a specific assessment. The major difficulty facing an "all-hazards" methodology is defining and finding good measures for "Likelihood" and "Consequences" consistently across risks of very different nature.

2.2 Classification of risks—various perspectives

Risks must be identified and described in an understandable way before they can be analyzed and managed properly. Risk identification should be an organized, thorough approach to seek out probable or realistic risks. Among existing methods, the use of taxonomies meets and promotes the objectives listed before. Establishing appropriate risk categories provides a mechanism for collecting and organizing risks as well as ensuring appropriate scrutiny and attention for those risks that can have more serious consequences.
Taxonomies are meant to classify phenomena with the aim of maximizing the differences among groups. The term 'taxonomy' refers to the theory and practice of producing classification schemes. Thus, constructing a classification is a process with rules on how to form and represent groups (Greek word: taxis—order), which are then named (Greek word: nomos—law, or science). Taxonomies are useful if they are able to reduce the complexity of the domain studied into more tractable macro-classes (Coccia 2007).
The design of taxonomies can be a useful first step in theory building. Classification as an output deals with how groups and classes of entities are arranged, according to the taxonomic approach used. The numerous paradigms advanced by specialists in various risk fields may be distilled into a number of general perspectives, or "facets", on how to structure the risk domain. Each of these perspectives offers certain advantages for bringing forward a particular facet of a risk event. The multi-faceted approach is also respectful of the inevitable dose of ambiguity regarding the classification criteria, which may be more significant for certain classes of risks than for others. The blurring of traditional categories related to environmental and technical risk events is a case in point (Cohen 1996).
The above considerations illustrate the fact that the construction of a taxonomy inevitably confronts limitations and requires the execution of somewhat arbitrary decisions. Nonetheless, even an imperfect structured approach is preferred, if it enables a comparative analysis of broad risk categories, instead of punctual treatment of an arbitrary set of risks in isolation.
There are several ways of classifying risks. From a time evolution perspective, there are two main sequences of events when talking about risks. The first type of event sequence is a sudden occurrence that brings immediate consequences. Examples are earthquake, structural collapse, or terrorist attack. The second type of event sequence happens gradually, and the consequences may become apparent after a long period of time. Examples here are the risk to human health posed by the agricultural use of pesticides, or that of emerging nanotechnologies.
Figure 2. Impact taxonomy.
Another approach is to "slice" risk with respect to the domain on which the risk event has an impact, as illustrated in Figure 2: (1) the natural environment: earthquake, flood, storm; (2) the built environment: structures, transportation, IT networks; and (3) the social environment: people, communities. We will come back to this view in a later section, when we discuss building methods for assessing consequences of risk events.
Last but not least, the classification of risks based on the nature of risk sources provides a basis to systematically examine changing situations over time. The next section presents a risk taxonomy based on the source of the risk event. The classification exercise provides a powerful way to visualize and understand a complex domain.

3 THE ALL-HAZARDS RISK ASSESSMENT TAXONOMY

This section proposes a taxonomic approach that breaks down all-hazards risk by trying to identify risk sources, and discusses the advantages of using this approach, as well as the shortcomings of the proposed scheme.

3.1 Structuring and organizing existing knowledge

One of the main objectives of the AHRA taxonomy exercise is to retrieve and organize risk-related knowledge that exists diffusely throughout various organizations and levels of the Canadian government, focusing here on the federal level. This knowledge constitutes the basis on which a harmonized methodology for assessing national risks will be built. Access to the most updated and relevant information across risk domains under government responsibility represents an essential enabler for risk assessment methodology development.
As suggested in (Lambe 2007), an effective taxonomy has three key attributes: it provides a classification scheme; it is semantic; and it can be used as a map to navigate the domain. The proposed scheme has been designed with those key attributes in mind.
First of all, the proposed scheme classifies risks by grouping related risk events together, in categories and subcategories structured in a way that reveals the nature of the underlying relationships. The organization of classes is respectful of multiple types of relationships; for example, the two major classes of risk events are separated based on whether malicious intent plays a role in the realization of any given risk within the class.
Within each major category, the subcategories are decided based on similarity of attributes, although
Figure 3. The all-hazards risk taxonomy.
the classification principle is clearer for some than for others (e.g., weather-related events and geological events are clear examples of Natural Disasters, while ecological disaster may legitimately fall under both Natural Disaster and Unintentional events resulting from human action).
Second, the AHRA taxonomy is semantic; it functions within a controlled vocabulary that describes the content of the whole domain and each class and subclass; the agreed definitions for key risk terms are documented in the AHRA lexicon (Verga 2007).
To ensure the success of the taxonomy building exercise, the team of analysts at the Centre for Security Science has undertaken a collection of evidence from stakeholders—Canadian federal organizations with a public safety and/or national security risk mandate—with a focus on establishing common ground, mapping activities to risk categories and uncovering critical gaps.
Figure 3 shows the most current version of the AHRA Risk Event Taxonomy. It must be noted that the categories are not fully stabilized and they may evolve as more parties become engaged and provide input; in fact, as the global context evolves continuously (World Economic Forum 2008), which is most certainly going to affect local conditions, so do potential sources of risk, and it is desirable that the taxonomy goes through periodic reviews and updates in order to stay adequate.

3.2 Taxonomy as basis for data collection

Based on the initial categories included in the risk taxonomy, the team of analysts proceeded to build a "Risk Domain Architecture". To that end, a survey was prepared and administered in order to collect relevant information from various risk communities within the Canadian federal government. The survey was structured around three main parts:
1. A standard first part allowed the respondents to self-identify and communicate their role as risk practitioners;
2. A second part consisted of a suite of questions developed to elicit specific information for use in the risk architecture—largely based on the risk categories in the taxonomy;
3. The survey ended with a series of open questions aimed at gaining an overall impression of the state of
Figure 4. OV-05 operational activity model.
risk assessment at the federal level, also designed to elicit additional input to further improve the taxonomy.
The information collected through the survey was used to construct a systems architecture, which helped illustrate how people and organizations were involved in risk activities, the relationships among them, and how their mandated responsibilities aligned with categories proposed in the risk taxonomy. The survey also served to identify those participants willing to share risk-related tools, methods and assessments. More details about how the survey was administered, how the data was analyzed and the architecture built can be found in (Keown 2008). The next section summarizes the results that are most relevant to the purpose of this paper.

3.3 Results—a federal risk community architecture

Using the information captured through the survey, an architecture was constructed using the U.S. Department of Defense Architecture Framework (DoDAF). DoDAF represents a standard way to organize a systems architecture and is constructed using a number of complementary and consistent views, enabling both an operational and a systems perspective on the built architecture. A full discussion of DoDAF is beyond the scope of this paper and can be found in (DoDAF 2004). The AHRA architecture was built and visualized using Telelogic System Architect® Version 10.6. The diagrams created are too detailed to be viewed clearly, but a brief description of the results is included, together with magnified insets to showcase the main point.
Figure 4 shows the AHRA taxonomy "translated" into an operational view—OV-05, or Operational Activity Model. In this model, each risk event in the taxonomy is represented as an "activity" that needs to be completed for an all-hazards risk assessment to be thoroughly conducted. The figure shows an enlarged portion, for clarity. It should be noted that risk events such as "Ecological Disasters" or "Emerging Technologies", which in the AHRA taxonomy connect to more than one column, are not properly represented in this Operational Activity Model, since this type of relationship is not logical in an activity hierarchy.
In the survey, participants indicated their sections, the larger organizations they belonged to, and each of the taxonomic events they were actively reviewing through a risk assessment. This information was visualized using an Operational Activity Node, or OV-02, diagram. Activity Nodes represent sections within participating departments and agencies that conduct risk assessment activities. Figure 5 shows an example—a node representing the Canadian Ice Service section within the Department of Environment Canada.
Based on these results, it was possible to return to the activity hierarchy and indicate which nodes are responsible for each activity, as shown in Figure 6. Although not shown, the information collected through the survey also allowed mapping communications or other types of relationships between organizations.
Finally, based on the survey responses, it was possible to identify risk practitioners who volunteered to provide information on tools, methods or specific assessments. Based on the material collected from these respondents, and an extensive review of the research literature on the topic, the team of analysts at CSS hopes to develop a harmonized methodology capable of sustaining an all-hazards scope. The next section goes back to the AHRA taxonomy and shows how it can be used to guide methodology development.

3.4 Taxonomy as a basis for methodology development

Based on the discussion in the last paragraph of section 2.1, as well as extensive research on the methodology employed within the global risk management community, the universal, widely-accepted risk assessment principle is illustrated by the equation:

$$\text{Risk Magnitude} = \text{Likelihood of occurrence} \times \text{Magnitude of Consequence}$$
respective domains: adaptability of the source—threat actor—in order to avoid risk treatment measures. For this reason, estimating the likelihood of a malicious risk event requires a different approach and different metrics than estimating the likelihood of a non-malicious event.

For the latter type, at least in principle, likelihood is a more straightforward combination of the frequency of occurrence for that event type, based on historical data, and the vulnerability/exposure of the human, natural and built environment exposed to the given hazard/threat. Although variations exist within each of the three major branches (unintentional (man-made); natural disasters; and health disasters), the calculation algorithm can be sufficiently consistent for those subcategories with a clear relationship to the class.

Specialization of Consequence assessment may also be necessary. However, it is conceivably possible to establish a common set of consequence parameters, along with adequate metrics, from which for each risk category only the relevant parameters will be selected and included in the assessment. The set of Consequence parameters may be organized around the three major domains in the Impact Taxonomy illustrated in Figure 2, which also includes overlap of the domains, allowing for ‘‘hybrid’’ parameters.

The rationale for having a common set of Consequence parameters stems from the aim of the AHRA methodology, which, as stated in earlier sections of this document, is to enable a comparative analysis across broad categories of different risks, in order to inform decision-making at the highest level. The final output may be assumed to consist of a set of Risk Magnitude assessments—relating to the top risks of the day—which will need to be viewed both in absolute magnitude terms and in relative magnitude terms. In order that the relative assessment of Risk Magnitude—leading to priorities for action and/or allocation of resources—can work, there will have to be a common set of parameters for the understanding of the various consequences.

For example, it may be necessary to prioritize resources between impending natural disasters on the one hand and anticipated terrorist activity on the other. Common ways of understanding the total consequences for Canada of each Risk on the list will be required. For decision-making at the highest level the risk magnitude assessment will probably need to be supported by high-level information on Consequences.

Thus, a logical way to proceed with the AHRA methodology is to develop a number of ‘‘modules’’ that reflect variations in the way in which the Risk Magnitude calculation needs to be performed for the different classes of risk events. The calculation of Likelihood could be rather different for Malicious Threats, for Natural Disasters and for Unintentional man-made disasters. Also, the calculations of Consequences could be quite different, although this paper strongly advocates a common approach for Consequence assessment. A ‘‘modular’’ AHRA would, however, need to provide commonality in the way in which the final results are presented to decision makers. Figure 7 illustrates a possible breakdown into risk assessment modules, while Figure 8 gives a graphical representation of the risk equation, showing how the modules can be brought together to provide a common picture of different assessments.

Figure 7. All-hazards risk assessment modules.

Figure 8. Risk assessment tetrahedron—a graphical representation of the common risk equation.

To end this section, a last look at the AHRA taxonomy is in order. Figure 3 also illustrates a challenge in finding the right ‘‘treatment’’ for risks that do not seem amenable to the same kind of tidy subdivision. The sub-categories ‘‘Ecological Disasters’’ and ‘‘Emerging Technologies’’ remain somewhat ill-defined and unwieldy. The difficulty with these two sub-categories originates in one shortcoming of the current scheme: the classification principle does not consider the time sequence in the realization of risk events, as discussed in section 2.2. From a time perspective, these two groups of risk would naturally fall under the ‘‘gradual’’ type; many of the other sub-categories belong to the ‘‘sudden occurrence’’ category, although some of the ‘‘boxes’’ in Figure 3 will break under the new lens. This last point highlights the challenges in the ambitious enterprise of tackling ‘‘all-risk’’ in ‘‘one battle’’, particularly the difficulty of bringing the time
dimension into the equation. Developing the AHRA methodology is work in progress in the Risk group at DRDC Centre for Security Science, and this document is meant to illustrate the problem, the approach and initial results, as well as an awareness of the challenges associated with this exciting project.

4 CONCLUDING REMARKS

This paper proposes a taxonomic scheme that partitions the All-Hazards Risk Domain into major event categories based on the nature of the risk sources, and discusses the advantages of using this approach, as well as the shortcomings of the proposed scheme. The taxonomy enables an architecture approach for an all-hazards risk model, in support of harmonized planning across levels of government and different organizations. Provided that the classifications are aligned with the areas of expertise of the various departments/agencies, a framework can be developed and used to assign portions of the risk domain to those organizations with relevant authority. Essential actors, who are active in conducting assessments and/or performing functions that need to be informed by the assessments, are often invisible from the point of view of authority structures. Such a framework provides a structured hierarchy where data collection and analysis can be carried out independently at different levels, allowing each contributing system/organization to meet its internal needs, but also those of the overarching framework into which it is set.

The paper also shows how the AHRA taxonomy can be used to guide methodology development. The taxonomy can be used to understand the different requirements in treating distinct risk categories, which in turn guides the choice of assessment processes, scaling/calibration schemes, or the set of parameters needed to accommodate specific risks. As a consequence, a national all-hazards risk assessment needs a fold-out, modular structure that reflects and is able to support the different levels of potential management decisions. At the same time, the taxonomy ‘‘pulls together’’ the different components and provides the common framework required for harmonized assessment and comparative analysis of different risks, albeit at a fairly high level.

A noteworthy quality of the risks identified in the taxonomy is that they do not exist, and cannot be identified and assessed, in isolation. Many are interconnected, not necessarily in a direct, cause-and-effect relationship, but often indirectly, either through common impacts or mitigation trade-offs. The better the understanding of interconnectedness, the better one can design an integrated risk assessment approach and recommend management options. But this remains methodologically and conceptually difficult, due to the inherent complexity of the domain and our limited ability to represent it adequately.

The above considerations add to the methodological hurdles around the representation of interconnectedness within and between risk domains. In addition, one cannot leave out the global risk context, which is both more complex and more challenging than ever before, according to the World Economic Forum (Global Risks 2008).

REFERENCES

Coccia, M. 2007. A new taxonomy of country performance and risk based on economic and technological indicators. Journal of Applied Economics, 10(1): 29–42.
Cohen, M.J. 1996. Economic dimensions of environmental and technological risk events: Toward a tenable taxonomy. Organization & Environment, 9(4): 448–481.
DoD Architecture Framework Working Group. 2004. DoD Architecture Framework Version 1.0, Deskbook. USA: Department of Defense.
Global Risks 2008. A Global Risk Network Report. World Economic Forum.
Haimes, Y.Y. 2004. Risk Modeling, Assessment and Management. John Wiley & Sons.
Keown, M. 2008. Mapping the Federal Community of Risk Practitioners. DRDC CSS internal report (draft).
Lambe, P. 2007. Organising Knowledge: Taxonomies, Knowledge and Organisational Effectiveness. Oxford: Chandos Publishing.
Rowe, W.D. 1977. An Anatomy of Risk. John Wiley & Sons.
Verga, S. 2007. Intelligence Experts Group All-Hazards Risk Assessment Lexicon. DRDC CSS, DRDC-Centre for Security Science-N-2007-001.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

ABSTRACT: There exist many discipline-oriented perspectives on risk. Broadly categorised, we may distinguish between technical, economic, risk perception, social theories and cultural theory. Traditionally, these perspectives have been viewed as representing different frameworks, and the exchange of ideas and results has been difficult. In recent years several attempts have been made to integrate these basic perspectives to obtain more holistic approaches to risk management and risk governance. In this paper we review and discuss some of these integrated approaches, including the IRGC risk governance framework and the UK Cabinet Office approach. A structure for comparison is suggested, based on the attributes risk concepts and risk handling.
onus of proof’. This implies that the base case is that all identified risk reduction measures should be implemented, unless it can be demonstrated that there is gross disproportion between costs and benefits.

2.2 The UK Cabinet Office approach

The UK Cabinet Office approach (Cabinet Office 2002) sets out how government should think about risk, and practical steps for managing it better. It proposes principles to guide the handling and communication of risks to the public. Risk refers to uncertainty of outcome, of actions and events, and risk management is about getting the right balance between innovation and change on the one hand, and avoidance of shocks and crises on the other. The approach is based on the thesis that the handling of risk is at heart about judgement. Judgement in the context of government decision making can, and should, be supported by formal analytical tools, which themselves need enhancing. But these cannot substitute for the act of judgement itself. The approach frames how far formal risk analysis can be usefully enhanced and made systematic, so that there is greater clarity about where analysis ends and judgement begins. It also explores and suggests what else we need to do to enhance our handling of risk and innovation.

2.3 The risk governance framework (IRGC)

The risk governance framework (Renn 2005) has been developed to provide structure and guidance on how to assess and handle risk at the societal level. The framework integrates scientific, economic, social and cultural aspects and includes the effective engagement of stakeholders. The framework is inspired by the conviction that both the ‘factual’ and the ‘socio-cultural’ dimensions of risk need to be considered if risk governance is to produce adequate decisions and results. It comprises five main phases: pre-assessment, risk appraisal, tolerability and acceptability judgment, risk management and communication. Risk is defined as an uncertain consequence of an event or an activity with respect to something that humans value. The framework gives importance to contextual aspects which either are directly integrated in a risk management process or otherwise form the basic conditions for making any risk-related decision. The framework also introduces a categorisation of risk problems which is based on the different states of knowledge about each particular risk.

2.4 The consequence-uncertainty framework

In the consequence-uncertainty framework introduced by Aven (2003, 2007), risk is defined as the two-dimensional combination of events/consequences and associated uncertainties. Focus is on the events and consequences (referred to as observable quantities), such as the number of fatalities and costs, and these are predicted and assessed using risk assessments. Probabilities and expected values are used to express the uncertainties, but it is acknowledged that they are not perfect tools for expressing the uncertainties. To evaluate the seriousness of risk and conclude on risk treatment, a broad risk picture needs to be established, reflecting also aspects such as risk perception and societal concern. The analyses need to be put into a wider decision-making context, which is referred to as a management review and judgment process.

3 COMPARISON OF THE APPROACHES

This section compares the four frameworks with respect to the risk perspectives and risk handling.

3.1 The risk concept

We introduce a context and terminology as follows. We consider an activity, from which events A may occur leading to consequences C. The occurrence of A and the consequences C are subject to uncertainties U. The likelihoods and probabilities associated with the events and possible consequences are denoted L and P, respectively. Using these symbols, the risk definitions can be summarised in the following way:

– HSE framework: (L, C)
– Cabinet Office framework: U and (L, C)
– IRGC framework: C
– Consequence-uncertainty framework: (A, C, U).

Likelihood is normally understood as the same as probability, and in this paper we do not distinguish between these two concepts. Note however that some see likelihood as a more qualitative description than probability, which is restricted to a number in the interval [0, 1].

The Cabinet Office defines risk by uncertainty. Often the uncertainty is seen in relation to the expected value, and the variance is used as a measure of risk. As an example, consider the problem of investing money in a stock market. Suppose the investor considers two alternatives, both with expectation 1, and variances 0.16 and 0.08, respectively. As alternative 2 has the lowest risk (uncertainty), expressed by the variance, this alternative would normally be chosen. As another example, consider the number of fatalities in traffic next year in a specific country. Then the variance is rather small, as the number of fatalities shows rather small variations from year to year. Hence according to this definition of risk, we must conclude that the risk is small, even though the numbers of fatalities
[Figure 1. Risk defined as a consequence (Aven & Renn 2008a). Diagram; labels recovered from the extraction: Activity; Events and consequences (outcomes); Uncertainty; Risk; Values at stake.]

are many thousands each year. Clearly, this definition of risk fails to capture an essential aspect, the consequence dimension. Uncertainty cannot be isolated from the intensity, size, extension etc. of the consequences. Take an extreme case where only two outcomes are possible, 0 and 1, corresponding to 0 and 1 fatality, and the decision alternatives are A and B, having uncertainty (probability) distributions (0.5, 0.5) and (0.0001, 0.9999), respectively. Hence for alternative A there is a higher degree of uncertainty than for alternative B, meaning that risk according to this definition is higher for alternative A than for B. However, considering both dimensions, both uncertainty and the consequences, we would of course judge alternative B to have the highest risk, as the negative outcome 1 is nearly certain to occur.

The IRGC framework defines risk by C. See Figure 1.

According to this definition, risk expresses a state of the world independent of our knowledge and perceptions. Referring to risk as an event or a consequence, we cannot conclude on risk being high or low, or compare options with respect to risk. Compared to standard terminology in risk research and risk management, it leads to conceptual difficulties that are incompatible with the everyday use of risk in most applications, as discussed by Aven & Renn (2008a) and summarised in the following.

The consequence of a leakage in a process plant is a risk according to the IRGC definition. This consequence may for example be expressed by the number of fatalities. This consequence is subject to uncertainties, but the risk concept is restricted to the consequence; the uncertainties and how people judge the uncertainties are a different domain. Hence a risk assessment according to this definition cannot conclude for example that the risk is high or low, or that option A has a lower or higher risk than option B, as it makes no sense to speak about a high or higher consequence; the consequence is unknown. Instead the assessment needs to conclude on the uncertainty or the probability of the risk being high or higher. We conclude that any judgement about risk needs to take into account uncertainties/likelihoods, so why not include this dimension in the risk concept?

Also the (L, C) and (P, C) definitions can be challenged. A probability does not capture all aspects of concern. To explain this we need first to introduce the two common ways of interpreting a probability: the classical relative frequency interpretation and the subjective Bayesian interpretation.

According to the classical relative frequency paradigm, a probability is interpreted as the relative fraction of times the events occur if the situation analyzed were hypothetically ‘‘repeated’’ an infinite number of times. The underlying probability is unknown, and is estimated in the risk analysis. Hence if this interpretation is adopted in the above definitions of risk, we have to take into account that the risk estimates could be more or less accurate relative to the underlying true risk. The uncertainties in the estimates could be very large, and difficult to express.

The alternative (the Bayesian perspective) considers probability as a measure of uncertainty about events and outcomes (consequences), seen through the eyes of the assessor and based on the available background information and knowledge. Probability is a subjective measure of uncertainty, conditional on the background information. The reference is a certain standard such as drawing a ball from an urn. If we assign a probability of 0.4 for an event A, we compare our uncertainty of A occurring with drawing a red ball from an urn having 10 balls where 4 are red. True probabilities do not exist.

However, a probability is not a ‘‘perfect tool’’ for this purpose. The assigned probabilities are conditional on a specific background information, and they could produce poor predictions. Surprises relative to the assigned probabilities may occur, and by just addressing probabilities such surprises may be overlooked (Aven 2008a, b).

The consequence-uncertainty definition (A, C, U) may be rephrased by saying that risk associated with an activity is to be understood as (Aven and Renn 2008): uncertainty about and severity of the consequences of an activity (I), where severity refers to intensity, size, extension, and so on, and is with respect to something that humans value (lives, the environment, money, etc). Losses and gains, for example expressed by money or the number of fatalities, are ways of defining the severity of the consequences.

The main features of the definition are illustrated in Figure 2.

The uncertainty relates to both the event and the consequences given that this event occurs.
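The stock-market, two-outcome and traffic-fatality comparisons above can be checked numerically. The following is an added example and not code from the paper or its authors: each alternative is summarised by its (expected consequence, variance) pair, the alternatives are ranked first with risk read as uncertainty (variance) and then with risk read as expected consequence, and the same contrast is applied to a yearly series of fatality counts. The traffic counts, the `variance_hides_large_losses` helper and its two thresholds are assumptions of the example, not figures from the paper.

```python
"""Added example, not part of the paper: the 'risk = uncertainty' objection
of Section 3.1 checked numerically.

Each alternative is summarised by the pair (expected consequence, variance).
Under the Cabinet Office reading risk is the variance alone; under an
(L, C) reading summarised by expected loss it is the expectation. The
two-outcome and stock cases use the numbers in the text; the traffic series
and the thresholds below are constructed for the example.
"""
from math import sqrt
from statistics import mean, pvariance


def two_point_moments(p0, p1, x0=0.0, x1=1.0):
    """Expectation and variance of a distribution with P(x0) = p0, P(x1) = p1."""
    if p0 < 0 or p1 < 0 or abs(p0 + p1 - 1.0) > 1e-9:
        raise ValueError("probabilities must be non-negative and sum to 1")
    ev = p0 * x0 + p1 * x1
    var = p0 * (x0 - ev) ** 2 + p1 * (x1 - ev) ** 2
    return ev, var


# Section 3.1: outcomes 0 and 1 fatality; alternatives A and B.
TWO_OUTCOME = {
    "A": two_point_moments(0.5, 0.5),
    "B": two_point_moments(0.0001, 0.9999),
}

# Section 3.1: stock-market alternatives, expectation 1 and variances
# 0.16 and 0.08 (the moments are given directly, no distribution needed).
STOCK = {"alt1": (1.0, 0.16), "alt2": (1.0, 0.08)}


def rank_by_uncertainty(alts):
    """Names from highest to lowest risk when risk = uncertainty (variance)."""
    return sorted(alts, key=lambda name: alts[name][1], reverse=True)


def rank_by_expected_consequence(alts):
    """Names from highest to lowest risk when risk = expected consequence."""
    return sorted(alts, key=lambda name: alts[name][0], reverse=True)


def preferred_by_uncertainty(alts):
    """The alternative chosen by a decision maker who equates risk with variance."""
    return min(alts, key=lambda name: alts[name][1])


# Constructed yearly traffic-fatality counts: thousands each year, small spread.
TRAFFIC_DEATHS = [3012, 2987, 3021, 2994, 3006]


def series_moments(counts):
    """Mean and population variance of a yearly series of counts."""
    return float(mean(counts)), float(pvariance(counts))


def variance_hides_large_losses(counts, cv_threshold, loss_threshold):
    """True when the spread is small relative to the mean (coefficient of
    variation below cv_threshold), so a variance-only reading calls the
    series 'low risk', although the expected loss exceeds loss_threshold.
    Both thresholds are choices made for this example."""
    ev, var = series_moments(counts)
    return sqrt(var) / ev < cv_threshold and ev > loss_threshold


if __name__ == "__main__":
    print("two-outcome, risk = variance:", rank_by_uncertainty(TWO_OUTCOME))
    print("two-outcome, risk = E[C]:    ", rank_by_expected_consequence(TWO_OUTCOME))
    print("stock choice by variance:    ", preferred_by_uncertainty(STOCK))
    print("traffic (mean, variance):    ", series_moments(TRAFFIC_DEATHS))
```

Running the module prints the rankings: the two-outcome case lists A before B under variance and B before A under expected consequence, which is the reversal the text describes, and the traffic series is flagged because its coefficient of variation is below one percent while its mean is in the thousands.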
3.2 Risk handling (management)

The risk handling covers all activities to direct and control an organisation with regard to risk. It typically
[Figure 2. Diagram of the consequence-uncertainty definition; labels recovered from the extraction: Activity; Events and consequences (outcomes); Uncertainty; Severity of consequences; Risk; Values at stake. Caption not recovered.]

[Figure residue: two further diagrams, captions not recovered. Labels recovered from the first: ‘‘conventional risk assessment’’; ‘‘rely on past experience’’; ‘‘generic hazard’’; ‘‘consider putative consequences and scenarios’’; ‘‘consequences increasingly uncertain’’; ‘‘emphasis on consequences, e.g. if serious/irreversible or need to address societal [concerns]’’. Labels recovered from the second, a risk management cycle: ‘‘Embed and review’’; ‘‘Evaluate risks’’; ‘‘risk appetite’’; ‘‘Assess risks’’; ‘‘Gain assurance about control’’; ‘‘Identify suitable response to risks’’; ‘‘Communicating about risk and uncertainty’’.]

HSE framework

The main steps of the risk management process are presented in section 2.1. The steps follow to a large extent the standard structure for risk management processes, see e.g. AS/NZS 4360 (2004). However, the framework has some genuine features at a more detailed level, of which the following are considered to be of particular importance:

– Weight to be given to the precautionary principle in the face of scientific uncertainty. The precaution-
Table 1. Risk problem category—uncertainty induced example—implications for risk management (Aven and Renn 2008b, adapted from Renn (2005)). Columns: Risk problem category; Management strategy; Appropriate instruments. [Table body not recovered.]

At the strategic level decisions involve the formulation of strategic objectives including major external threats, significant cross-cutting risks, and longer term threats and opportunities. At the programme level, the decision-making is about procurement, funding and establishing projects. And at the project and operational level, decisions will be on technical issues, managing resources, schedules, providers, partners and infrastructure. The level of uncertainty (and hence risk) will decrease as we move from the strategic level to the programme and then the operational level.

In addition, the focus is on risk appetite, i.e. the quantum of risk that you are willing to accept in pursuit of value. There is a balance to be made between innovation and change on the one hand, and avoidance of shocks and crises on the other. Risk management is often focused on risk reduction, without recognition of the need for taking risks to add value.

IRGC framework

On a high level the framework is similar to the two other frameworks presented above. However, on a more detailed level we find several unique features. One is related to the distinction between different types of situations (risk problems) being studied, according to the degree of complexity (Simple—Complex), Uncertainty and Ambiguity (Aven & Renn 2008b):

Simplicity is characterised by situations and problems with low complexity, uncertainties and ambiguities.
Complexity refers to the difficulty of identifying and quantifying causal links between a multitude of potential causal agents and specific observed effects.
Uncertainty refers to the difficulty of predicting the occurrence of events and/or their consequences based on incomplete or invalid data bases, possible changes of the causal chains and their context conditions, extrapolation methods when making inferences from experimental results, modelling inaccuracies or variations in expert judgments. Uncertainty may result from an incomplete or inadequate reduction of complexity, and it often leads to expert dissent about the risk characterisation.
Ambiguity relates to i) the relevance, meaning and implications of the decision basis; or ii) the values to be protected and the priorities to be made.

For the different risk problem categories, the IRGC framework specifies a management strategy, appropriate instruments and stakeholder participation; see Table 1, which indicates the recommendations for the category uncertainty.

The consequence-uncertainty framework

The framework follows the same overall structure as the other frameworks and is characterised by the following specific features:

– It is based on a broad semi-quantitative perspective on risk, in line with the perspective described in section 3.1, with focus on predictions and highlighting uncertainties beyond expected values and probabilities, allowing a more flexible approach than traditional statistical analysis. It acknowledges that expected values and probabilities could produce poor predictions: surprises may occur.
– Risk analyses, cost-benefit analyses and other types of analyses are placed in a larger context (referred to as a managerial review and judgment), where the
limitations and constraints of the analyses are taken into account.
– The cautionary and precautionary principles are considered integrated features of risk management. The cautionary principle is a basic principle in risk management, expressing that in the face of uncertainty, caution should be a ruling principle, for example by not starting an activity, or by implementing measures to reduce risks and uncertainties (Aven & Vinnem 2007, HSE 2001). The precautionary principle is considered a special case of the cautionary principle; its definition is discussed in Section 4.

A risk classification structure is suggested by the combination of expected consequences EC and an assessment of uncertainties in underlying phenomena and processes that can give large deviations compared to the expected values.

Starting from the classification based on the traditional risk description using the expected consequences, we may modify the classification based on the uncertainty assessments. For example, if a system is classified as having a medium risk according to the expected consequences criterion, we may reclassify it as having high risk if the uncertainties in underlying phenomena and processes are very large. The uncertainties may be related to, for example, new technology, future use and demand for the system, and political events.

4 DISCUSSION

The four frameworks have similarities, as shown in Section 3. The overall principles are to a large extent overlapping:

– Risk perspectives highlighting events, consequences, probability (likelihood) and uncertainties.
– Risk management processes along the lines shown in Figure 4, and the use of risk reduction processes such as ALARP.
– A risk-informed use of risk analysis. It is acknowledged that risk analyses may provide useful decision support, but they need to be placed in a wider context, where their scope and limitations are taken into account. Quantitative risk analyses cannot replace sound judgments.

Different terminology is used, and different aspects are highlighted in the four frameworks. The terminology is to a varying degree consistent with the intentions and ambitions of the frameworks, as shown in Section 3.1. For example, in the IRGC framework risk is defined as an uncertain consequence of an event or an activity with respect to something that humans value. However, the framework in general does not restrict risk to a consequence. Rather, the framework stresses the importance of reflecting consequences, likelihoods and uncertainties. The adjusted definition ‘‘uncertainty about and severity of the consequences of an activity with respect to something that humans value’’ (Aven and Renn 2008a) can be seen as a reformulation of the original one to better reflect the intention.

As another example, the Cabinet Office (2002) refers to risk as uncertainty, which means that risk is considered low if one expects millions of fatalities as long as the uncertainties are low. Risk management certainly needs to have a broader perspective on risk, and this is of course also recognised by the Cabinet Office framework. The terminology may however be challenged.

When referring to the likelihood of an event we mean the same as the probability of the event. However, the term probability can be interpreted in different ways, as discussed in Section 3.1, and this would also give different meanings of likelihood. With the exception of the consequence-uncertainty framework, none of the frameworks has specified the probabilistic basis. In the consequence-uncertainty framework probability means subjective probability. Hence there is no meaning in discussing uncertainties in the probabilities and likelihoods. If such a perspective is adopted, how can we then understand for example Figure 2, which distinguishes between uncertainties about likelihoods (probabilities) and uncertainties about consequences?

The former type of uncertainties are referred to as epistemic uncertainties and are also called second-order probabilities. This is based on the idea that there exist some ‘‘true’’ probabilities out there, based on the traditional relative frequency approach, that risk analysis should try to accurately estimate. However, this view can be challenged. Consider for example the probability of a terrorist attack, i.e. P(attack occurs). How can this probability be understood as a true probability, by reference to a thought-constructed repeated experiment? It does not work at all. It makes no sense to define a large set of ‘‘identical’’, independent attack situations, where some aspects (for example related to the potential attackers and the political context) are fixed and others (for example the attackers’ motivation) are subject to variation. Say that the attack probability is 10%. Then in 1000 situations, with the attackers and the political context specified, the attackers will attack in 100 cases. In 100 situations the attackers are motivated, but not in the remaining 900. Motivation for an attack in one situation does not affect the motivation in another. For independent random situations such ‘‘experiments’’ are meaningful, but not for more complex situations such as this attack case.

Alternatively, we may interpret the likelihood uncertainties in Figure 2 by reference to the level of
consensus about the probabilities, or by reference to the amount and quality of the background data and knowledge for the probabilities.

Or we may use other classification structures, for example the one based on expected consequences and uncertainties in underlying phenomena and processes (refer to the consequence-uncertainty framework).

The use of the precautionary principle needs to be based on an understanding of the risk and uncertainty concepts. The precautionary principle applies when there are scientific uncertainties about the consequences, but are uncertainties about the likelihoods and probabilities also included? This is discussed by Aven (2006).

The level of uncertainties would affect our management policies and strategies. We will always give weight to the cautionary and precautionary principles in case of large uncertainties. All frameworks acknowledge this, although the terminology varies. The HSE framework and the consequence-uncertainty framework highlight the cautionary principle, and not only the precautionary principle. The cautionary principle means that caution, for example by not starting an activity, or by implementing measures to reduce risks and uncertainties, shall be the overriding principle when there is uncertainty about the future occurrence of events and their consequences. The precautionary principle is a special case of the cautionary principle, used when there are scientific uncertainties about the consequences. In practice many refer to the precautionary principle in the meaning of the cautionary principle. However, this could be considered unfortunate, as it would mean a reference to this principle too often. Aven (2006), among others, prefers to restrict the precautionary principle to situations where there is a lack of understanding of how the consequences (outcomes) of the activity are influenced by the underlying factors.

To manage risk it is common to use a hierarchy of goals, criteria and requirements, such as risk acceptance criteria (defined as upper limits of acceptable risk) or tolerability limits, for example "the individual probability of being killed in an accident shall not exceed 0.1%". The use of such criteria constitutes an integral part of the various frameworks. However, the weight given to the criteria varies. In the consequence-uncertainty framework these criteria do not play an important role. According to this framework such criteria should be used with care, and avoided if possible, in particular on a high system level, for example a plant or an industry (Aven & Vinnem 2007, Aven et al. 2006). It is argued that, principally speaking, a requirement (criterion) related to risk and safety cannot be isolated from what the solution and measure mean in relation to other attributes, and in particular costs. It is impossible to know what the proper requirement should be without knowing what it implies and what it means when it comes to cost, effect on safety etc. If such criteria are defined, they give a focus on obtaining a minimum safety standard, and there is no drive for improvement and risk reduction. If a high level of safety is to be obtained, other mechanisms than risk acceptance criteria need to be implemented and highlighted, for example ALARP processes. Furthermore, no method has a precision that justifies a mechanical decision based on whether the result is over or below a numerical criterion.

HSE (2001) sets the value of a life (the cost one should be willing to pay for reducing the expected number of lives lost by 1) equal to £1 million and proposes that the risk of an accident causing the death of 50 people or more in a single event should be regarded as intolerable if the frequency is estimated to be more than one in five thousand per annum. HSE believes that an individual risk of death of one in a million per annum for both workers and the public corresponds to a very low level of risk and should be used as a guideline for the boundary between the broadly acceptable and tolerable regions.

For the offshore industry a value of a life of £6 million is considered to be the minimum level, i.e. a proportion factor of 6 (HSE 2006). This value is used in an ALARP context, and defines what is judged as "grossly disproportionate". Use of the proportion factor 6 is said to account for the potential for multiple fatalities and uncertainties. Hence the base case is that a risk reducing measure should be implemented, and strong evidence (costs) is required to justify non-implementation.

To verify these criteria, expected value based approaches such as cost-benefit analyses and cost effectiveness analyses are used, calculating ICAF values (implied cost of averting one fatality, i.e. the expected cost per expected reduced number of fatalities). This approach is indeed questionable, as the expected values do not take into account the risks and uncertainties. A main objective of a safety measure is to reduce risk and uncertainties, but then we cannot use a principle based on expected values which to a large extent ignores the risk and uncertainties (Aven & Abrahamsen 2007).

All risk perspectives and frameworks considered in this paper acknowledge the need to take into account the risk and uncertainties beyond the expected values, but the practice of using expected value based approaches is in direct conflict with this recognition.

5 FINAL REMARKS

Our analysis demonstrates that the four frameworks are based on the same type of fundamental ideas and principles. However, the terminology and practical
approaches and methods adopted differ substantially. This can be partly explained by different scientific traditions, as the frameworks have been developed in different scientific environments, and partly explained by different needs and objectives. The foundations of all the frameworks have not been clarified. Processes need to be initiated to strengthen the theoretical basis of the frameworks. An example in this direction is Aven and Renn (2008b).

REFERENCES

AS/NZS 4360 2004. Australian/New Zealand Standard: Risk management.
Aven, T. 2003. Foundations of Risk Analysis—A Knowledge and Decision Oriented Perspective. Wiley, NY.
Aven, T. 2006. On the precautionary principle, in the context of different perspectives on risk. Risk Management: an International Journal, 8, 192–205.
Aven, T. 2007. A unified framework for risk and vulnerability analysis and management covering both safety and security. Reliability Engineering and System Safety, 92, 745–754.
Aven, T. 2008a. A semi-quantitative approach to risk analysis, as an alternative to QRAs. Reliability Engineering & System Safety, 93, 768–775.
Aven, T. 2008b. Risk Analysis. Wiley, NJ.
Aven, T. and Abrahamsen, E.B. 2007. On the use of cost-benefit analysis in ALARP processes. International Journal of Performability Engineering, 3, 345–353.
Aven, T. and Renn, O. 2008a. On risk defined as an event where the outcome is uncertain. Submitted.
Aven, T. and Renn, O. 2008b. Determining the right level of investments in societal safety and security—the role of quantitative risk assessments. Submitted for possible publication.
Aven, T. and Vinnem, J.E. 2005. On the use of risk acceptance criteria in the offshore oil and gas industry. Reliability Engineering and System Safety, 90, 15–24.
Aven, T. and Vinnem, J.E. 2007. Risk Management, with Applications from the Offshore Oil and Gas Industry. Springer Verlag, NY.
Aven, T., Vinnem, J.E. and Røed, W. 2006. On the use of goals, quantitative criteria and requirements in safety management. Risk Management: an International Journal, 8, 118–132.
Cabinet Office 2002. Risk: improving government's capability to handle risk and uncertainty. Strategy Unit report, UK.
HSE 2001. Reducing risks, protecting people. HSE Books, ISBN 0 7176 2151 0.
HSE 2006. Offshore installations (safety case) regulations 2005, regulation 12: demonstrating compliance with the relevant statutory provisions.
ISO 2002. Risk management vocabulary. ISO/IEC Guide 73.
Renn, O. 2005. Risk Governance: Towards an Integrative Approach. White Paper No. 1, written by Ortwin Renn with an Annex by Peter Graham. International Risk Governance Council, Geneva.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: The aim of this paper is to ensure the development of design projects in an environment with limited resources (material, human, know-how, etc.) and therefore to satisfy the strategic performance objectives of an organization (cost, quality, flexibility, lead time, deadlines, etc.). The purpose of this paper is also to set down the problems of a real integration between risk management and design system management. With this intention, a new paradigm for the Risk Management Process (RMP) is proposed and then illustrated via an industrial case. Such an RMP includes the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risks resulting from design system dysfunctions. It also takes into account risks caused by the domino effect of design system dysfunctions and completes the risk management methodologies provided by companies that do not consider this aspect.
[Figure 1 (flowchart of the Risk Management Process for design projects). Context analysis: definition of the design project, then modeling of the design system. Risk assessment: risk identification, risk analysis, risk evaluation. Risk treatment: corrective actions or no corrective action. Each of the three stages is placed under monitoring and review.]
may be simply stopped due to uncontrolled parameters and unidentified constraints arising from various processes within the project, such as the product design process or the supply chain design (identification of suppliers and subcontractors, for example). The consequence: no risk, no design. Risk processes do not require a strategy of risk avoidance but an early diagnosis and management (Keizer et al., 2002). Nevertheless, most project managers perceive risk management processes as extra work and expenses. Thus, risk management processes are often expunged if a project schedule slips (Kwak et al., 2004). In a general way, the main phases of risk management are (Aloini et al., 2007): context analysis (1), risk identification (2), risk analysis (3), risk evaluation (4), risk treatment (5), monitoring and review (6) and communication and consulting (7). In agreement with such a methodology, we propose to use the following process to manage the risks relative to design projects (Fig. 1). The different phases of the process are detailed hereafter.

3 RMP: CONTEXT ANALYSIS

3.1 Definition of the design project

The definition phase aims to determine the contents of the project: product, service, system and/or network design. The design process is the set of activities involved in satisfying design objectives in a specific context. The design objectives concern the product/service/system/network definition. They are constrained by the enterprise organization and the design steps, and are influenced by technologies or human and physical resources (Wang, 2002). Design is mainly a human activity and it is also very complex to
[Figure 2 (diagram). The Design system sits at the centre of three axes: the Actor axis, the Technological axis (Scientific and Technological Knowledge) and the Environment axis (External and Internal Environments). The Enterprise Organisation, Process and Product models connect the axes through Links 1 to 6.]
Figure 2. Design system modeling, interactions between factors influencing the design system (Robin et al., 2007).
understand the tasks carried out by designers (Gero, 1998). When the resolution steps are known (routine design process), the project is structured according to different activities which transform the product/service/system/network knowledge. Then, the project is defined as the intention to satisfy a design objective (a technical function, a part, an assembly or a complex mechanism). The project manager decomposes the project according to the identified activities, and the actors' tasks are very prescriptive. In this case, meeting the deadline is the main performance objective. So, the project manager decides on the synchronisation of the availability of human and material resources with the needs of the activities.

In the other cases, design cannot be considered as a problem-solving process but as a creative or innovative design process, and activities do not structure the project. Design must be identified as a process which supports the emergence of solutions. In this case, the project is organised to favour collaboration between the actors of the process, and the project manager seeks to create design situations which facilitate the emergence of solutions. He decides on the organization adapted to favour collaborative work. Innovation corresponds to the application of new and creative ideas. Therefore, implementing an innovation project leads to investing in a project by giving up the idea of an immediate profitability and by accepting a certain risk. Different types of innovation exist (organizational change, process or technological innovations, product development, etc.), which do not rest on the implementation of similar knowledge and means and thus do not generate the same risks. For example, a survey done by the Product Development and Management Association (PDMA) reveals that more than 50% of the sales in successful companies were coming from new products and that the percentage was even over 60% in the most successful companies overall (Balbontin et al., 2000).

3.2 Modeling of the design system

Modeling contributes to the development and structuring of ideas, and can be used as a support for reasoning and simulation. Design management requires an understanding of the design process context in order to adapt the actors' work if it turns out to be necessary. Hence, in their generic model of design activity performance, O'Donnell and Duffy insist on the necessity to identify the components of the design activity and their relationships (O'Donnell et al., 1999).

The design system can be defined as the environment where design projects (product, system or network design) take place. We have identified three factors influencing the design system, which have to be considered to follow and manage suitably the
design system evolution and the design process (Robin et al., 2007):

– The context in which the design process takes place. It includes natural, socio-cultural and econo-organizational environments (external and internal environments). The external environment is the global context in which the enterprise is placed (its market, its rivals, its subcontractors . . .). The internal environment describes the enterprise itself: its structure, its functions and its organization. The internal environment is an exhaustive description of the system, in order to take into account all the elements which could have an influence on the decision-making at each decision-making level.
– The technological factor, which concerns the techno-physical environment (scientific and technological knowledge). Scientific knowledge regroups the natural sciences and the engineering sciences. Technological knowledge concerns the manufacturing practices and the technology. The interest is to have a global vision of the knowledge possessed and usable by the enterprise and to identify a potential lack of knowledge in some design tasks.
– The human and his different activities during the design process (actor). Actor aspects have to consider the multiple facets of the designers. Human resources will be described with classical indicators (availability of a resource, hierarchical position, role in a project, training plan . . .). But factors very close to the actor's personality have to be taken into account too. These factors influence the design process and more generally the design system.

These three global factors are global performance inductors for the design system. These factors and their interactions are integrated in a model composed of a technological axis, an environment axis and an actor axis (Fig. 2). Then specific objectives, action levers and performance indicators, dedicated to the design system, have to be identified according to the elements of this model.

To identify and manage the relationships between the global factors influencing the performance of the design process, we propose to use product, process and organizational models (Fig. 2). The product model acts as a link between knowledge and the external/internal environments (link 1, Fig. 2). The product is the expression of the scientific and technological knowledge of an enterprise and permits evaluating its position on a market. It is a technical indicator which allows a firm to evolve, or to identify a possible lack of competency to be competitive on a market. As the process corresponds to the place where the knowledge is created and used by the actors to develop the product, it connects actor and knowledge (link 2, Fig. 2). Finally, the influences of the environments on the actors are taken into account by means of an organizational model. This model joins up actor and external/internal environments (link 3, Fig. 2). The organization has to favour the allocation of adapted human resources to a specific situation in a particular context. These models are local performance inductors for the design system, and the interactions between them provide a dynamic vision of the design system evolution (links 4 to 6, Fig. 2). In this model, the description of the factors influencing the design system at each decision-making level provides a global vision of the design context. Hence, thanks to such a representation of the design context, the decision-maker can analyse the design situation and identify the particularities of each project. He is able to observe the evolution of each component (environment, technological and actor), the interactions between them, and consequently to adapt his project management method by taking the right management decision to satisfy the objectives.

4 RMP: RISK ASSESSMENT

4.1 Risk identification

Risk can be planned or unexpected, of external or internal origin, linked to market trends, eruption of new technologies, strategic or capitalistic decisions, etc. Risk identification is discovering, defining, describing, documenting and communicating risks before they become problems and adversely affect a project. There are various techniques that can be used for risk identification. Useful techniques include brainstorming methods as well as systematic inspections and technological surveys.

4.2 Risk analysis

According to Lemoigne (Lemoigne, 1974), complex system analysis refers to three points of view: a functional point of view, i.e. the description of the system functionality and behaviour; an ontological or organic point of view, i.e. the description of the resources used (human or technical), materials and information, and the related control structures; and a genetic point of view, which renders the system evolutions and development. Consequently we have developed a modeling approach to provide analysts with the appropriate view of a system. The approach regroups a functional model to situate the system within its environment, an organic view to depict the physical organization and resources which achieve the functions previously identified, and an operational view which stipulates the ways the organic system is exploited. The application of such a decomposition to the global and local factors of the design system is proposed hereafter (Fig. 3). Examples of potential evolutions of these factors are also presented.
Figure 3. Potential modifications of local and global factors of the design system. Global factors, by functional / organic / operational view:
Internal environment: functional, evolution of the company role; organic, evolution of the company structure; operational, evolution of the company operating modes.
External environment: functional, evolution of the company place in the network; organic, evolution of the partners in the network (subcontractors, collaborators, ...); operational, evolution of the partnerships (new contracts, new collaborations, ...).
Scientific and technological knowledge: functional, company knowledge and know-how evolution (fundamental sciences); organic, evolution of the methods and techniques associated to this knowledge; operational, evolution of the operating modes.
Actor: functional, evolution of the actor's role; organic, evolution of the actor's positioning in the structure; operational, evolution of the actor's knowledge and competencies (training period, ...).
Criticality classes, level of risk and decision:
C1, acceptable in the present state (case 1, Fig. 4): no action or modification at the operational level; follow-up, monitoring and review; risk assessment.
C2, tolerable under regular control (case 2, Fig. 4): modification at the organic level; follow-up, monitoring and review; risk assessment.
C3, difficult to tolerate (case 3, Fig. 4): modification at the functional level; follow-up, monitoring and review; risk assessment.
C4, unacceptable (case 4, Fig. 4): change of strategy; total reorganization of the project.

[Figure 6 (flowchart). Risk identification, risk analysis and risk evaluation, followed by corrective actions or no corrective action, each step under monitoring and review.]
Figure 6. Criticality classes and domino effect on the Risk Management Process.
– Slightly disturbing if it has no impact on the structure of the design system (case 1, Fig. 4): changes of resource capacities, modifications of operational constraints, for example. There are several types of operational constraints: precedence constraints, temporal constraints, cumulative constraints, disjunctive constraints, etc. A slightly disturbing risk belongs to criticality class number 1 (C1), which includes a risk level acceptable in the present state.
– Fairly disturbing if it acts upon the organic definition of the design system (case 2, Fig. 4): capacities and/or competences of human and technical resources, legislative constraints, etc. Such a risk belongs to criticality class number 2 (C2), which includes a risk level tolerable under regular control.
– Strongly disturbing if it requires strategic adjustments of the design system, impacting its functional characteristics (case 3, Fig. 4): change of industrial activity, integration of new technologies, modification of the supply chain, etc. Such a risk belongs to criticality class number 3 (C3), which includes a risk level tolerable with difficulty.
– Fatal if it makes the design system obsolete (case 4, Fig. 4): bad investments, for example. Such a risk belongs to criticality class number 4 (C4), which includes an unacceptable risk level.

The determination of these criticality classes depends on the specificities of each system. When all the risks impacting the design system are identified and all the corresponding RPN are calculated, a criticality scale can be created and the valuation of the classes can be done.

Reengineering the project during its life-cycle is a procedure triggered each time significant events which impact the project occur. The functional, organic and operational definitions of the project should then be tuned accordingly to support the reengineering reasoning.

A decisional framework enables the visualization of risk criticalities. According to their value, the generic criticality of the risk consequences makes it possible to define the actions to be carried out (see Figure 5). Obviously, such actions are dependent on the company's intention of doing risk management. Therefore, an effort combined with the actions of risk management can be defined according to a qualitative scale: for example, no action, vigilance or selective action, vigilance or periodic action, vigilance or continuous action, etc. Finally, the propagation of accidental scenarios and its impact on the Risk Management Process are presented hereafter (Figure 6). Such an approach enables taking into account risks caused by the domino effect of design system dysfunctions.

6 INDUSTRIAL CASE

6.1 Introduction

The company produces ice creams for mass retail. A characteristic of this branch of industry lies in the fact that it is a seasonal production. The off season corresponds to a relatively reduced production. At the height of the season, the company is required to have a perfect control of its production equipment (very high rate of production), because any loss of material or overconsumption could have a strong impact on productivity. Therefore, the appearance of events susceptible to modify the functionality, the structure and/or the operational scenarios of the production system is extremely prejudicial for the company, and it is imperative to analyze the criticality of these events in order to rapidly launch adequate corrective actions.

Innovation has a key role to play in the performance of such a firm. Considered as a solution for growth and competitiveness, it is used by managers to create new sources of value. In this example, we decide to analyze two possible evolutions (evolutions of the company or of its environment) which can constitute a risk for the design system. Our analysis is limited to the investigation of the impacts of the global inductors on the local inductors, but it is important to also consider that the modification of these global inductors can influence other global inductors. Let us consider two events E1 and E2. E1 corresponds to a breakdown in the process and E2 is a lack of natural chocolate aroma.

6.2 Risk management

The criticality analysis of events susceptible to have an impact on the design system refers to a grid (Figure 7), in which the quotation scales of the occurrence frequency of the event (O), the gravity degree of the same event (G) and the risk of its non-detection (D) illustrate the expectations of the various actors in the company:

– The occurrence scale (O) is defined by the appearance frequency of a dysfunction. An exceptional event will be credited with 0.25 point; a rare event with 0.50 point; a recurrent event (weekly, daily) with 0.75 point; and a permanent event with 1 point.
– The gravity scale (G) considers the sum of the quotations obtained for the criteria previously defined: organization, process and product. Criteria are marked out of 25. Therefore, a criterion of minor gravity (operational consequence on the exploitation of the system) is credited with 5 points, while the criterion considered as the most significant, i.e. the criterion which has big consequences on the exploitation of the system (functional definition), is credited with 25 points.
– The non-detection scale (D) measures the "probability" of not detecting a potential failure when the cause exists. The term "probability" used here is not standard, since the values corresponding to these probabilities are not contained between 0 and 1. Voluntarily, the graduation is bounded by 10 and 20, in order to clearly indicate the importance of the various causes at the origin of the dysfunctions.

It is then necessary to identify the origin of the risk and to quantify the impact of this risk on the elements of the design system (product, process, organization). Such a work is carried out by the FMECA group: one or more experts who have knowledge of the tool and conduct the discussions, actors of the design who provide essential knowledge relating to the design system, and persons in charge of other services (production, marketing, etc.) who evaluate the impact of the risk in their own fields. In accordance with the FMECA methodology, the criticality of events is valued by the Risk Priority Number (Figure 7).
[Figure 7 (criticality grid). Causes: global inductors evolution (internal / external environments; scientific and technological knowledge), each quoted at the functional, organic and operational levels. Consequences: local inductors evolution (organization and the other local inductors), each quoted at the functional, organic and operational levels. Occurrence: appearance frequency of a dysfunction (exceptional, rare, recurrent, permanent). Result columns: D, G, O, RPN.]
The Risk Priority Number of E1 is given by:

RPN1 = D × G × O = 15 × (15 + 25 + 15) × 0.5 = 412.5   (2)

The Risk Priority Number of E2 is given by:

RPN2 = D × G × O = 20 × (25 + 25 + 15) × 0.25 = 325   (3)

6.3 Conclusion

The Risk Priority Number of E1 is higher than the Risk Priority Number of E2. Therefore, in order to launch the corrective actions efficiently, it will be necessary to first treat the dysfunctions due to E1. Moreover, the impacts of the risks on the design system have been quantified, which will enable the design strategy to be adjusted. Events leading to operational modifications of the company are common, and are an integral part of everyday life. With this intention, the company launched a continuous improvement step (preventive and autonomous maintenance) in order to, on the one hand, prevent slightly disturbing events and, on the other hand, solve all the dysfunctions which can exist in the production workshops (dysfunctions related to the workers' environment). Such a step aims at extending the life span of the equipment and decreasing the time spent on corrective maintenance.

7 CONCLUSION

Reengineering the design project during its life-cycle is a procedure triggered each time significant events occur. The functional, organic and operational models (or definitions) of the design system should then be tuned accordingly to support the reengineering reasoning. The methodological guidelines are based on event criticality analysis. A classification of events was made to guide the analysts towards appropriate model tuning, such that the representation of the system is permanently in conformity with the system despite the continuous modifications encountered by the system during its life-cycle. A risk management methodology is also provided in order to take into account risks caused by the domino effect of design system dysfunctions. The Risk Management Process includes the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risks resulting from design system dysfunctions.

REFERENCES

Aloini, D., Dulmin, R., Mininno, V. (2007). Risk management in ERP project introduction: Review of the literature, in: Information & Management, doi:10.1016/j.im.2007.05.004.
Balbontin, A., Yazdani, B.B., Cooper, R., Souder, W.E. (2000). New product development practices in American and British firms, in: Technovation 20, pp. 257–274.
Gero, J.S. (1998). An approach to the analysis of design protocols, in: Design Studies 19 (1), pp. 21–61.
Kececioglu, D. (1991). Reliability Engineering Handbook, Volume 2. Prentice-Hall Inc., Englewood Cliffs, New Jersey, pp. 473–506.
Keizer, J., Halman, J.I.M., Song, X. (2002). From experience: applying the risk diagnosing methodology, in: Journal of Product Innovation Management 19 (3), pp. 213–232.
Kwak, Y.H., Stoddard, J. (2004). Project risk management: lessons learned from software development environment, in: Technovation 24, pp. 915–920.
Lemoigne, J.L. (1974). The manager-terminal-model system is also a model (toward a theory of managerial meta-models).
O'Donnell, F.J.O., Duffy, A.H.B. (1999). Modelling product development performance, in: International Conference on Engineering Design, ICED 99, Munich.
Robin, V., Rose, B., Girard, Ph. (2007). Modelling collaborative knowledge to support engineering design project manager, in: Computers in Industry 58, pp. 188–198.
Sperandio, S., Robin, V., Girard, Ph. (2007). PLM in the strategic business management: a product and system co-evolution approach, in: Proceedings of the International Conference on Product Lifecycle Management, July 11–13 2007, Milan, Italy.
Wallace, L., Keil, M., Rai, A. (2004). Understanding software project risk: a cluster analysis, in: Information & Management 42, pp. 115–125.
Wang, F., Mills, J.J., Devarajan, V. (2002). A conceptual approach managing design resource, in: Computers in Industry 47, pp. 169–183.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: Currently, several decision-support methods are being used to assess the multiple risks faced by a complex industrial-based society. Amongst these, risk analysis is a well-defined method used in the nuclear, aeronautics and chemical industries (USNRC, 1998; Haimes, 2004). The feasibility of applying the Probabilistic Risk Assessment approach (USNRC, 1983) in the nuclear field (PRA-Nuc) to some new applications has already been demonstrated by using an integrated risk model of internal and external events for a Generation IV nuclear power plant (Serbanescu, 2005a) and an integrated risk model of random technical and intentional man-made events for a nuclear power plant (Serbanescu, 2007). This paper aims to show how such experiences and results can be extended and adapted to the non-nuclear sectors. These extensions have been shown to trigger two main methodological novelties: (i) more extensive use of subjective probability evaluations, in the case of non-nuclear applications, and (ii) inclusion of hierarchical systems theory in the PRA modelling. The main aspects of the results and conclusions of the above-mentioned cases, along with insights gained during this analysis, are presented and discussed in this paper. In particular, this paper is a synthesis of insights gained from modelling experiences in extending PRA-Nuc to new applications.
random and intentional types of challenges to CAS, and to solve nonlinear dynamic models by defining what linearity means for a CAS; (iii) To define the system as a whole, as being a result of the synergetic interfaces of its components, and to define also the CAS interface with the environment; (iv) To have a solution for the system control (like for instance distributed control, hierarchical control and/or external to the CAS unitary control); (v) To have a system management based on predefined objectives, such as energy/substance balance or risk impact, including validation and verification processes; (vi) To solve the specifics of the cause-effect issue for a CAS, which is connected in its turn to other issues like definition of linearity, uncertainty and system structure modeling; (vii) To be dynamic and highly flexible in defining initial and boundary conditions.

Figure 2. Representation of a CAS model to be implemented in PRA-Nuc codes (e.g. Risk Spectrum).

Feasibility of extension of PRA-Nuc application was previously demonstrated for other CAS-like Generation IV nuclear power plants (Serbanescu, 2005a, 2005b), and an integrated risk model of random technical and intentional man-made events for a nuclear power plant was described in Serbanescu 2007a, 2007b.
connected with the SC and EN type nodes in Figure 4. The calculation of scenarios leading to an end state in Figure 4 will include combinations of failures at the level of components of the CAS. Please note that the notations shown in these figures follow the PRA-Nuc principles and are used during the implementation of the model into the computer codes.

It is possible to show that a CAS model of challenges generates a σ-algebra over the set of all possible ES (Serbanescu 2005a, 2007a). In such a structure "risk" is defined as a norm in the measurable vector space of the sets of scenarios. The risk is defined as the distance between the normal state and an altered end state. This distance is usually calculated as a product between the probability of a given sequence of scenarios and the damages associated with the end states after the scenario takes place.

Figure 4. Sample representation of a CAS fault tree model.

The scenarios resulting from Boolean combinations of failures differ in many aspects, as for instance the combination of failed barriers or the ES (final conditions) after the scenario came to an end for the given level of PRA model.

Figure 6 shows an example of a CAS scenario definition. End states for levels 1 and 2 are also known as Release Categories (RC) while ES of level 3 are known as Risk Categories (RK). More details of these and representative examples of these entities are presented in (Colli et al, 2008).

In any case, the ES identification is subject to continuous iterations and sensitivity analyses following the process previously represented in Figure 1. Table 1 is a sample of end states for the hydrogen installation shown in Figure 3. The "Code" column is only indicative, to show that a code is needed for the implementation of the model into PRA-Nuc computer codes.

A sample of a typical IE list for the hydrogen installation presented in Figure 3 is: (i) Breaks (e.g. break

Figure 5. Sample representation of CAS event tree model.
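The scenario construction described above (Boolean combinations of component failures in a fault tree, every success/failure branch of the barriers in an event tree, and risk per end state as scenario frequency times damage) is illustrated by the following added Python example. It is not code from the paper or from any PRA-Nuc tool: the fault tree, the basic-event probabilities, the initiating-event frequency, the damage values and the rule that maps the number of failed barriers to an end-state code of Table 1 are all constructed for illustration.

```python
from itertools import product
from math import prod

# ---- Fault tree: nested ("AND" | "OR", [children]); leaves are basic-event names ----

def minimal_cut_sets(gate):
    """Return the minimal cut sets of a fault tree as a set of frozensets of basic events."""
    if isinstance(gate, str):                       # a basic event is its own cut set
        return {frozenset([gate])}
    kind, children = gate
    child_sets = [minimal_cut_sets(child) for child in children]
    if kind == "OR":                                # any child's cut set fails the gate
        cuts = set().union(*child_sets)
    elif kind == "AND":                             # one cut set from every child is needed
        cuts = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {kind!r}")
    # drop non-minimal cut sets (proper supersets of another cut set)
    return {c for c in cuts if not any(other < c for other in cuts)}


def top_event_probability(cut_sets, basic_probs):
    """Rare-event approximation: sum over cut sets of the product of basic-event probabilities."""
    return min(1.0, sum(prod(basic_probs[e] for e in cut) for cut in cut_sets))


# ---- Event tree: every Boolean combination of barrier failures is one scenario ----

def event_tree_scenarios(ie_frequency, barriers, end_state_of):
    """barriers: {name: conditional failure probability}, in the order they are challenged.
    Returns [(failed_barriers, scenario_frequency, end_state), ...] for all 2**n branches."""
    names = list(barriers)
    scenarios = []
    for outcome in product((False, True), repeat=len(names)):   # True = barrier failed
        frequency = ie_frequency
        failed = []
        for name, has_failed in zip(names, outcome):
            q = barriers[name]
            frequency *= q if has_failed else 1.0 - q
            if has_failed:
                failed.append(name)
        scenarios.append((tuple(failed), frequency, end_state_of(failed)))
    return scenarios


def risk_by_end_state(scenarios, damage):
    """Risk per end state: sum over scenarios of frequency x damage (the 'distance' of the text)."""
    risk = {}
    for _failed, frequency, end_state in scenarios:
        risk[end_state] = risk.get(end_state, 0.0) + frequency * damage[end_state]
    return risk


# ---- Constructed sample data (hypothetical hydrogen installation, not from the paper) ----

ISOLATION_FAILS = ("OR", [("AND", ["gas_sensor_A_fails", "gas_sensor_B_fails"]),
                          "isolation_valve_stuck"])
BASIC_PROBS = {"gas_sensor_A_fails": 0.05, "gas_sensor_B_fails": 0.05,
               "isolation_valve_stuck": 0.01}
IE_FREQUENCY = 1.0e-2            # leak initiating event, per year (constructed)
DAMAGE = {"EFGC1": 0.0, "EFGC2": 1.0, "HEXFAT1": 100.0, "HEXFAT3": 1000.0}  # relative units


def end_state_by_failed_count(failed):
    """Constructed mapping: number of failed barriers -> an end-state code from Table 1."""
    return ["EFGC1", "EFGC2", "HEXFAT1", "HEXFAT3"][len(failed)]


def hydrogen_demo():
    cuts = minimal_cut_sets(ISOLATION_FAILS)
    barriers = {                                    # conditional failure probabilities
        "isolation": top_event_probability(cuts, BASIC_PROBS),   # fed from the fault tree
        "ignition_prevention": 0.1,
        "ventilation": 0.2,
    }
    scenarios = event_tree_scenarios(IE_FREQUENCY, barriers, end_state_by_failed_count)
    return cuts, barriers["isolation"], scenarios, risk_by_end_state(scenarios, DAMAGE)


if __name__ == "__main__":
    cuts, p_iso, scenarios, risk = hydrogen_demo()
    print("minimal cut sets:", [sorted(c) for c in cuts])
    print("P(isolation fails) =", p_iso)
    for failed, freq, es in scenarios:
        print(f"{es}: failed={failed or '-'} f={freq:.3e}/yr")
    print("risk per end state:", risk)
```

The fault-tree top event feeds one barrier of the event tree, which is how the component-level failures of Figure 4 enter the scenarios of Figure 5; the rare-event approximation in `top_event_probability` is adequate only while basic-event probabilities are small, which is an assumption of this example.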
Table 1. Example of End States for Hydrogen installation.

End State       Parameter(s)        Code
Effect levels
Overpressure    10 mbar             EFOV4
                500 mbar            EFOV4
Thermal         3 kW/m2             FTH1
                35 kW/m2            EFTH3
Gas Cloud       Not dangerous       EFGC1
                Dangerous in size   EFGC2
Harm effects
Overpressure    Window break        HOVDG1
                Building collapse   HOVDG2__
                Eardrum rupture     HOVINJ__
                Fatalities 1%       HOVFAT1__
                Fatalities 100%     HOVFAT3__
Thermal         Burns degree 1      HTHBU1
                Burns degree 2      HTHBU2__
                Glass/window fail   HTHFIRE__
                Fatalities 1%       HTHFAT1__
                Fatalities 100%     HTHFAT3__
Fire            Fatalities 1%       HFIFAT1
                Fatalities 100%     HFIFAT3
Explosions      Fatalities 1%       HEXFAT1
                Fatalities 100%     HEXFAT3

between the acceptable threshold for risk and the frequency of a given event (IE) to happen.

From a topological point of view, this threshold in a 3-dimensional subset (defined by the risk, the probability of an IE and the dominant parameter of the CAS) splits the space of possible solutions into two areas, separating the acceptable solutions from the unacceptable ones. The threshold line is linear if the axes of risk and event probability/frequency are represented in logarithmic scale. This line is another representation (in a 3D form) of the Pareto sets of solutions presented in (Serbanescu 2005a, 2007a), and for this reason PRA can also be used to define the Pareto set of acceptable solutions for a CAS.

In more detail (Serbanescu 2005a), one can consider a system as a cybernetic hierarchical one (e.g. of a CAS type, as explained before).

As was shown in Serbanescu 2005a, for such systems the distance from the best solution is quantitatively described by a specific type of risk measure calculated as a loss of information entropy (Jaynes, 2003; Smithson, 2000). Consequently, the optimum for a certain problem is achieved when the Shannon information entropy¹ reaches a minimum, given the variables' constraints. In mathematical terms, this leads to the task of finding the optimum for (1) with the limit conditions (2).

S_{inf} = \sum_I X_I \ln X_I \qquad (1)
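The acceptance threshold that is a straight line in log-log (frequency, risk) space, the split of candidate solutions into acceptable and unacceptable ones, the Pareto set among the acceptable ones and the information term of formula (1) are shown together in the following added Python example. It is not code from the paper: the two anchor points that fix the threshold line, the five candidate design solutions and the use of a design-difficulty score as the "dominant parameter" third axis are constructed assumptions of this example.

```python
import math


def threshold_line(anchor_a, anchor_b):
    """Acceptance threshold that is a straight line in log-log (frequency, risk) space,
    fixed by two (frequency, risk) anchor points.  Returns the function R_thr(f)."""
    (f1, r1), (f2, r2) = anchor_a, anchor_b
    slope = (math.log10(r2) - math.log10(r1)) / (math.log10(f2) - math.log10(f1))
    intercept = math.log10(r1) - slope * math.log10(f1)

    def r_thr(frequency):
        return 10.0 ** (intercept + slope * math.log10(frequency))
    return r_thr


def classify(solutions, r_thr):
    """Split candidate solutions into (acceptable, unacceptable) name lists:
    a solution is acceptable when its risk lies on or below the threshold at its IE frequency."""
    acceptable, unacceptable = [], []
    for s in solutions:
        (acceptable if s["risk"] <= r_thr(s["freq"]) else unacceptable).append(s["name"])
    return acceptable, unacceptable


def pareto_front(solutions, objectives=("risk", "difficulty")):
    """Names of the solutions that no other solution dominates (all objectives minimised)."""
    front = []
    for s in solutions:
        dominated = any(
            all(o[k] <= s[k] for k in objectives) and any(o[k] < s[k] for k in objectives)
            for o in solutions if o is not s)
        if not dominated:
            front.append(s["name"])
    return front


def information_term(weights):
    """Formula (1), S_inf = sum_I X_I ln X_I, over the normalised shares X_I of `weights`
    (entries with zero weight contribute nothing, as in the usual entropy convention)."""
    total = float(sum(weights))
    return sum((w / total) * math.log(w / total) for w in weights if w > 0)


# Constructed candidate design solutions: IE frequency per year, risk metric, and the
# dominant CAS parameter, taken here as a design-difficulty score (1 = easy ... 5 = hard).
SOLUTIONS = [
    {"name": "A", "freq": 1e-2, "risk": 5e-4, "difficulty": 3},
    {"name": "B", "freq": 1e-3, "risk": 2e-3, "difficulty": 1},
    {"name": "C", "freq": 1e-4, "risk": 2e-2, "difficulty": 3},
    {"name": "D", "freq": 1e-5, "risk": 1e-2, "difficulty": 4},
    {"name": "E", "freq": 1e-3, "risk": 1e-3, "difficulty": 2},
]
# Constructed anchors: tolerable risk 1e-3 at f = 1e-2/yr and 1e-1 at f = 1e-6/yr,
# i.e. rarer initiating events may carry a larger risk metric.
R_THR = threshold_line((1e-2, 1e-3), (1e-6, 1e-1))


def demo():
    """Returns (acceptable names, unacceptable names, Pareto front of the acceptable ones)."""
    acceptable, unacceptable = classify(SOLUTIONS, R_THR)
    front = pareto_front([s for s in SOLUTIONS if s["name"] in acceptable])
    return acceptable, unacceptable, front


if __name__ == "__main__":
    acc, rej, front = demo()
    print("acceptable:", acc, "unacceptable:", rej)
    print("Pareto set (risk vs. difficulty) among acceptable:", front)
    print("S_inf of a uniform end-state distribution:", information_term([1, 1, 1, 1]))
```

The Pareto front is computed only over solutions that already passed the threshold, which is the order the text implies: the threshold line first separates acceptable from unacceptable, and the trade-off between risk and the third axis is then read among the acceptable ones.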
The verification of the impact of this assumption is one of the main targets of the sensitivity cases.

As a consequence of such an assumption, the building of the model and the calculation of solutions is guided by formulas of type (3), in which R represents the risk metrics function, the index NL refers to the "non-perturbated" initial model/solution, HC refers to the induced perturbation in the form of a Hazard Curve, R_0 is the non-perturbated solution for the risk metrics (reference solution), ΔR is the modification induced in the results by a given assumption and ε_error is the tolerance.

R_{NL} = F_{NL}(P_M, HC) = F_0 \otimes HC = R_0 + \Delta R + \varepsilon_{error} \qquad (3)

As shown in Figure 7 and in formula (3), F is the function that builds the solutions of the PRA-Nuc model; it is defined on the sets of end states P_M and the hazard curve of a given new phenomenon to be modeled (HC), and takes its values in the sets of values obtained for the risk calculations of all ES, as defined by the set R_NL (Serbanescu 2007a).

An example of risk metrics results for a Generation IV nuclear power plant has been explained in more detail in Serbanescu 2005a, where different approaches to evaluate risk metrics were discussed regarding their use in decision-making related to optimized solutions from a risk perspective. Figure 8 shows two approaches to presenting risk metric results. A2 is the classical approach, as defined by USNRC (1983). B2 is the approach based on the Lagrangean Function (LF) approach mentioned in Section 4 of this paper. If we would like to use these approaches in decision-making, it is important to note the subtle difference between A2 and B2. In the classical approach (A2), the user has to bear in mind both the space of acceptable solutions from a risk perspective (i.e. the paraboloid inside the cone) and the limitations (the cone). In the LF approach (B2), the limitations are already embedded in the space of acceptable solutions defined by the internal paraboloid (i.e. the cone is already embedded within the paraboloid). The external paraboloid in B2 indicates the external upper bound of the solutions and not the limits defined by the cone in A2.

In both cases the acceptable solutions from a risk perspective indicate scenarios for acceptable design solutions with various degrees of feasibility, providing also important information for the CAS risk optimization process.

As shown in Figure 8 there are 10 types of solutions identified in the solution space. For A2 these are: 1-low risk impact—not difficult design solutions; 2-low risk impact—solutions defined mainly by active systems features; 3-medium risk impact—achievable design solutions; 4-medium to high risk impact—solutions supported by passive features; 5-high but still acceptable risk impact—difficult design solutions. For B2 these are 6–10, where 6 corresponds to 5, i.e. high but still acceptable risk impact—difficult design solutions, and 10 corresponds to 1 (i.e. low risk impact—not difficult design solutions).

It is also worth noticing that the results shown in Figure 8 are typical for all the CAS mentioned in this paper (details for other cases are in (Colli et al, 2008) and (Serbanescu et al, 2008)).

Figure 8. 3-dimensional representation of the risk metrics results for CAS level 3.
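A sensitivity case of the kind formula (3) describes (reference solution R_0, a perturbation given as a hazard curve HC, the induced change ΔR and a tolerance ε_error below which a change is treated as noise) is worked through in the following added Python example. It is not code from the paper or from a PRA-Nuc tool; the end states with their conditional probabilities and damages, the base IE frequency, the hazard-curve points, the design magnitude, and the assumption that the new phenomenon adds its exceedance frequency to the IE frequency of the end states it can reach are all constructed for illustration.

```python
import math


def risk_metrics(end_states, ie_frequency):
    """R per end state = IE frequency x conditional probability x damage.
    Called with the unperturbed IE frequency this is the reference solution R_0."""
    return {es: ie_frequency * d["cond_prob"] * d["damage"] for es, d in end_states.items()}


def exceedance_frequency(hazard_curve, magnitude):
    """Read the hazard curve HC, given as (magnitude, annual exceedance frequency) points,
    interpolating log-linearly in frequency between points and clamping at the ends."""
    points = sorted(hazard_curve)
    if magnitude <= points[0][0]:
        return points[0][1]
    if magnitude >= points[-1][0]:
        return points[-1][1]
    for (m1, f1), (m2, f2) in zip(points, points[1:]):
        if m1 <= magnitude <= m2:
            t = (magnitude - m1) / (m2 - m1)
            return 10.0 ** (math.log10(f1) + t * (math.log10(f2) - math.log10(f1)))
    raise AssertionError("magnitude lies between the curve's end points but no segment matched")


def sensitivity_case(end_states, base_ie_frequency, hazard_curve, magnitude, reachable, tolerance):
    """Formula (3) for one assumption: R_NL = R_0 + delta_R + eps.
    Assumption of this example: the new phenomenon contributes its exceedance frequency at
    `magnitude` to the IE frequency of the end states in `reachable`; `tolerance` is the
    relative eps below which a change is treated as noise.
    Returns (R_0, R_NL, delta_R, end states whose change exceeds the tolerance)."""
    r0 = risk_metrics(end_states, base_ie_frequency)
    f_hc = exceedance_frequency(hazard_curve, magnitude)
    r_nl = {}
    for es, d in end_states.items():
        f_total = base_ie_frequency + (f_hc if es in reachable else 0.0)
        r_nl[es] = f_total * d["cond_prob"] * d["damage"]
    delta = {es: r_nl[es] - r0[es] for es in r0}
    flagged = [es for es in r0 if abs(delta[es]) > tolerance * r0[es]]
    return r0, r_nl, delta, flagged


# Constructed sample: three end states (codes from Table 1), a base leak IE frequency,
# a hazard curve for a new external phenomenon, and the end states it can reach.
END_STATES = {
    "EFOV4":   {"cond_prob": 0.1,   "damage": 10.0},
    "HTHBU1":  {"cond_prob": 0.05,  "damage": 50.0},
    "HEXFAT1": {"cond_prob": 0.001, "damage": 1000.0},
}
BASE_IE = 1.0e-3                                   # per year (constructed)
HAZARD_CURVE = [(1.0, 1e-2), (2.0, 1e-3), (3.0, 1e-4)]   # (magnitude, exceedance f / yr)
REACHABLE = {"EFOV4", "HEXFAT1"}                   # HTHBU1 is not affected by the phenomenon


def demo(tolerance=0.1):
    """Evaluate the sensitivity case at design magnitude 2.5 with a 10 % relative tolerance."""
    return sensitivity_case(END_STATES, BASE_IE, HAZARD_CURVE, 2.5, REACHABLE, tolerance)


if __name__ == "__main__":
    r0, r_nl, delta, flagged = demo()
    for es in r0:
        print(f"{es}: R0={r0[es]:.3e} R_NL={r_nl[es]:.3e} dR={delta[es]:+.3e}")
    print("end states whose change exceeds the tolerance:", flagged)
```

Because the perturbation enters multiplicatively through the IE frequency, every reachable end state shifts by the same relative amount here; a hazard curve that also changed the conditional probabilities would make the flagged set depend on the individual end states, which is the usual reason the text treats the verification of such assumptions as a separate sensitivity phase.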
to assess risk based criteria (Risk Based Decision Making—RBDM). The experience gained in its application to the nuclear system led to identifying a set of areas of applicability for both the deterministic and probabilistic tools, as shown in Figure 9.

In this classification the area of applicability is defined by two criteria: (i) credibility in the assumed degree of conservatism of the model and (ii) credibility in the uncertainty level of the built model and of the applied method to evaluate risk.

Formula (4) can be applied in order to find out how certain one can be of a risk analysis based on a probabilistic and deterministic set of results and/or how to "combine" them (if possible).

O = (P \otimes U_{(P)}) \otimes (D \otimes U_{(D)}) \otimes (F \otimes U_{(F)}) \qquad (4)

where the five \otimes operators, read from left to right, are R_P, R_{G1}, R_D, R_{G2} and R_F.

The function O (Objective of the decision process) is a result of a combination using a series of logic operators (⊗):

• R_P and R_D for reasoning on the credibility of probabilistic and, respectively, deterministic results, and R_F for the reasoning on the credibility of reasoning based on feedback from experiments/real cases;
• R_G1 and R_G2 for connecting results on reasoning based on:
  ◦ probabilistic evaluations (for the terms noted with P—probabilistic statements and U_P—probabilistic statements uncertainties),
  ◦ deterministic evaluations (for the terms noted with D—deterministic statements and U_D—uncertainties of deterministic statements),
  ◦ feedback review statements (for the terms noted with F—statements based on feedback review and U_F—uncertainty of the statements from feedback review).

It is also important to notice that risk analysis results are fundamentally divided into "deterministic" oriented statements and "probabilistic" oriented statements.

For deterministic judgments the result is composed of the criteria value D and the level of uncertainty in these values (U_D); for the probabilistic results the components of the results are P and U_P. There is also a component of results given by feedback from the real object when compared to the model (the F set of statements).

Operator ⊗ will have various impacts on the final function (with low-L, medium-M or high-H impact), as shown in Table 2, depending on the type of judgment case in which the decision maker positions himself (which could be optimistic, pessimistic etc.). The result of how the final credibility should be considered given a set of deterministic results is illustrated in Table 2, which shows that the role of the decision maker can also be modeled and considered a priori, so that variations in the conclusions drawn from the same risk results by various interest groups could be predicted and understood. Understanding risk results is one of the main conditions for assuring a good risk governance process and maximizing the use and impact of the risk evaluations.

2.6 Understanding errors and judgment biases

In the search for solutions to the task of self-assessing the credibility of risk analysis results, two groups of systematic biases are identified. The first is related to the generic scientific method and its drawbacks, for which a series of systematic errors (called "scientific myths") exist, as defined in (Mc Comas, W. 1996): (i) Hypotheses become theories which become laws; (ii) A hypothesis is an educated guess; (iii) A general and universal scientific method exists; (iv) Evidence accumulated carefully will result in sure knowledge; (v) Science and its methods provide absolute proof; (vi) Science is procedural more than creative; (vii) Science and its methods can answer all questions; (viii) Scientists are particularly objective; (ix) Experiments are the principal route to scientific knowledge.

The second group of biases is related to the "myths" generated by risk analyses for CAS, for which a list is defined by (Hanson S.O., 2000): (i) "Risk" must have a single, well-defined meaning; (ii) The severity of risks should be judged according to probability weighted averages of the severity of their outcomes; (iii) Decisions on risk should be made by weighing total risks against total benefits; (iv) Decisions on risk

Figure 9. Sample representation of areas of applicability for decision making of deterministic and probabilistic approaches (Serbanescu 2007b).
Table 2. Sample representation of the reasoning operators from formula (4) used in decision making statements.

P                              L  L  M  L  M
RP                             L  L  M  L  H
U(P)                           H  H  H  H  H
TOTAL P                        L  L  M  L  H
D                              H  H  M  H  L
RP                             H  L  L  H  L
U(D)                           L  L  L  L  L
TOTAL D                        M  M  L  M  L
F                              H  H  M  H  L
RF                             H  L  L  H  L
U(F)                           L  L  L  L  L
TOTAL F                        H  M  L  M  L
RG1                            M  M  L  L  L
RG2                            H  M  M  H  M
O (Total objective function)   M  M  H  L  L
Table 3. Representation of the reasoning process as per
(Descartes, 1637).
P8 Management of the risk model leads to managerial/procedural control in order to limit the uncertainty in the real process of CAS evaluation. However, this action is in itself creating new systematic assumptions and errors and is shadowing the ones accumulated up to this phase.

P9 The completion of a nine-cycle phase CAS and its implementation reveal the need to restart the process for a better theory.

– Second step: defines the beliefs identified to be the main features of each of the steps

P1 It is assumed that there is a unique definition for risk and that risk science has a unique and unitary approach to give all the answers.

P2 It is assumed that the well-established scientific facts, showing both random and deterministic data used in a scientific manner, could provide support for certitude by using risk assessments.

P3 It is assumed that in the case of risk analyses a scientific method of universal use exists to evaluate the severity of risks by judging them according to their probability and the outcomes/damages produced.

P4 It is assumed that by using carefully chosen experience and model results one can derive objective results proving the validity of results for the given CAS model.

P5 It is assumed that by using educated guesses and experiments scientists can find and evaluate any significant risk, due to the objectivity and other specific features of science.

P6 It is assumed that, based on the objectivity of science and the approach in risk analyses of evaluating risks against benefits, the results could be used as such in the decision-making process.

P7 It is assumed that by using a scientific method which is honest and objective, and by using risk reducing measures in all sectors of society (any type of CAS model), the combined use of well proven tools in all sciences of analysis/deterministic and synthesis/probabilistic approaches assures success in CAS modeling.

P8 It is assumed that science is more procedural than creative (at least for this type of activity) and that the decisions themselves have to be made by trained staff and scientists.

P9 It is assumed that science evolves based on laws which appear by the transformation of hypotheses into theories, which become laws, and that for any CAS, in this case, if there is a real risk then the scientists will find it.

– Last step: a set of actions to prevent the generation of paradoxes is defined:

P1 Model the diversity of objective functions for CAS metrics and use hierarchy for its structure, looking for the optimum at each hierarchical level.

P2 Applicability areas of the deterministic and probabilistic parts in the CAS model and in the decision module are to be clearly defined and used.

P3 Use numerical and logical functions as switches and connectors between the deterministic and probabilistic parts of CAS models and their metrics.

P4 Use a special sensitivity analysis phase to define the sensitivity to unseen/not clearly formulated assumptions embedded in the model, based on their reflection in the paradoxes. In the screening process of those issues, use diverse methods not included so far in the CAS model.

P5 Perform a full inventory of the identified paradoxes in the CAS model and the possible beliefs generating them, in order to have a better understanding of the CAS model bias and to define the CAS reference model for further analysis.

P6 Identify the rules for the post-processing of risk analysis results in order to be used in the decision making process, by defining the place and desirability for the user of Risk Informed Decision Making—a module to be added to the actual results from risk analyses for CAS models.

P7 The merging of deterministic and probabilistic approaches in CAS risk models is accompanied by an improved set of logical constructions of the formulations of results and of the modules merging the two approaches.

P8 Continuously check the objectivity of the CAS model through risk managerial actions, including their potential distortion of the model.

P9 Restart the cycle of modeling even if there is no user request for it, since there is always a need to have fully coherent answers to all paradoxes encountered, even if they seem of no interest to the user and/or the scientific community.

The expected effect of the actions implemented in the CAS risk analysis process was represented and discussed in (Serbanescu 2005a). The main conclusion of this representation showed (with examples from Generation IV modeling) the importance of feedback modeling in CAS risk analyses in order to assure a convergent set of solutions by identifying and managing mainly the possible systematic errors.

3 CONCLUSIONS

The paper presents the main issues identified during the extended use of PRA-Nuc for new non-nuclear applications. The results concluded so far identify some common generic aspects which need to be considered in order to properly implement and/or extend existing PRA-Nuc models and tools to new applications. More pilot cases and applications are also under way in order to further confirm the results obtained so far and/or to identify new issues to be considered.
REFERENCES

Colli A. & Serbanescu D., 2008. PRA-Type Study Adapted to the Multi-crystalline Silicon Photovoltaic Cells Manufacture Process, ESREL 2008, under issue.
Descartes R., 1637. Discours de la méthode (Discourse on Method), Paris, Garnier-Flammarion, 1966 edition.
Haimes, Yacov Y., 2004. Risk Modeling, Assessment and Management, 2nd Edition, Wiley & Sons, New Jersey.
Hansson S.O., 2000. Myths on Risk. Talk at the conference Stockholm thirty years on. Progress achieved and challenges ahead in international environmental co-operation, Swedish Ministry of the Environment, June 17–18, 2000, Royal Institute of Technology, Stockholm.
Howard R.A. & Matheson J.E. (editors), 1984. Readings on the Principles and Applications of Decision Analysis, 2 volumes, Menlo Park CA: Strategic Decisions Group.
Jaynes E.T., 2003. Probability Theory—The Logic of Science, Cambridge University Press, Cambridge, UK.
Kato, Tosio, 1995. Perturbation Theory for Linear Operators, Springer Verlag, Germany, ISBN 3-540-58661.
Mc Comas, W., 1996. Ten Myths of Science: Reexamining what we know, School Science & Mathematics, vol 96, 01-01-1996, p. 10.
Peirce C.S., 1931. Collected Papers of Charles Sanders Peirce, 8 vols. Edited by Charles Hartshorne, Paul Weiss, Arthur Burks, Harvard University Press, Cambridge, Massachusetts, 1931–1958, http://www.hup.harvard.edu/catalog/PEICOA.html
Serbanescu D., 2005a. Some insights on issues related to specifics of the use of probability, risk, uncertainty and logic in PRA studies, Int. J. Critical Infrastructures, Vol. 1, Nos. 2/3, 2005.
Serbanescu D., 2005b. Integrated Risk Assessment, ICRESH 2005, Bombay, India.
Serbanescu D. & Kirchsteiger C., 2007a. Some methodological aspects on a risk informed support for decisions on specific complex systems objectives, ICAP 2007.
Serbanescu D., 2007b. Risk Informed Decision Making, Lecture presented at VALDOC Summer School on Risk Issues, Smoegen (Sweden), Karita Research Sweden (Organiser), JRC PB/2007/IE/5019.
Serbanescu D. & Vetere Arellano A.L. et al. SES RISK, a new method to support decisions on energy supply, ESREL 2008, under issue.
Smithson, Michel J., 2000. Human judgment and imprecise probabilities, web site of the Imprecise Probabilities Project, http://ippserv.rug.ac.be, 1997–2000, by Michel J. Smithson and the Imprecise Probabilities Project.
USNRC 1983. PRA Procedures Guide. A guide for the performance of Probabilistic Risk Assessment for Nuclear Power Plants, NUREG/CR-2300, February 1, 1983.
USNRC 1998. Regulatory Guide 1.174, An approach for using PRA in Risk Informed Decisions on plant specific changes to the licensing basis, July 1998.
ABSTRACT: This paper introduces the fundamental characteristics of weather derivatives and points out the relevant differences in comparison to classical insurance contracts. Above all, this paper presents the results of a survey conducted among Austrian companies which aims at investigating the objectives of weather derivatives usage and at analysing concerns regarding their application. The survey was conducted via face-to-face interviews among 118 firms from different sectors facing significant weather exposure, such as energy and construction companies, beverage producers and baths. As no other survey has put a focus on weather derivatives so far, this paper aims at filling a lack of relevant information regarding weather derivative practices. The results will grant a deeper insight into the risk management practices and the needs of potential customers. This facilitates the development of target group specific weather risk management solutions which may enhance the usage of weather derivatives in various industries.
Many industries, and accordingly their sales and income, are at risk due to weather fluctuations. It is estimated that nearly 20–30 percent of the U.S. economy is directly affected by the weather (CME 2006). Other estimations assume that 70 percent of all businesses face weather risk in some way (Jain & Foster 2000). Weather fluctuations still cannot be controlled, but with weather derivatives a relatively new financial tool has been created which offers protection against weather-related risks.

Weather derivatives are believed to have substantial market potential in weather affected industries, but so far research has primarily been focused on pricing and valuation issues. Hence, it is the aim of this paper to investigate reasons and concerns regarding the use of weather derivatives, as this topic was not covered before. However, this is of fundamental interest for the application of these instruments.

The remainder of this paper is structured as follows. Section two provides the theoretical background of weather derivatives and points out the main differences in comparison to classical insurance contracts. The third section focuses on the descriptive analysis of the survey results regarding risk management practices and weather derivatives usage among Austrian companies. The conclusions are presented in section four.

2.1 Weather risk and weather exposure

Weather risks refer to weather events which affect the revenues and earnings of a company in a negative way. The type and quantity of relevant weather parameters depend on the business area and can include events such as temperature, precipitation or humidity (Schirm 2001). These kinds of weather characteristics are called "noncatastrophic events", which typically have a high frequency but low severity. They are contrasted with catastrophe-related low frequency—high severity risks, e.g. hurricanes, tornados, etc. Weather derivatives have been developed to facilitate protection against profit impacts given adverse weather conditions, but not for property or catastrophic risk protection (Clemmons 2002).

Weather risks belong to the category of operational risks. In particular they refer to the danger of losses due to external events, as weather conditions cannot be influenced by an enterprise. Furthermore, weather risks are considered to be volumetric risks which can affect both supply as well as demand.

The sensitivity to weather conditions can be defined as weather exposure. It quantifies the dependency of operating figures on adverse weather conditions and is the first condition for a comprehensive weather risk management. The determination of the weather
exposure usually requires a detailed analysis of the company's data and of potential influencing factors on the company's business success. Weather derivatives then serve as an efficient instrument to reduce weather risks and, respectively, weather exposure, and hence minimize their potential negative influence on the company's success. A systematic weather risk management process therefore assures competitiveness and presumably causes positive effects (Jewson & Brix 2005):

– Reduces the year-to-year volatility of profits
– Profit smoothing leads to constant year-to-year tax burdens
– Low volatility in profits often reduces refinancing costs
– In a listed company low volatility in profits usually translates into low share price volatility, and less volatile shares are valued more highly
– Low volatility in profits reduces the risk of bankruptcy and financial distress

A sample of weather risks and corresponding financial risks faced by various industries is given in Table 1.

Table 1. Illustrative links between industries, weather type and financial risks.

Risk holder                      Weather type           Risk
Energy industry                  Temperature            Lower sales during warm winters or cool summers
Energy consumers                 Temperature            Higher heating/cooling costs during cold winters and hot summers
Beverage producers               Temperature            Lower sales during cool summers
Construction companies           Temperature/Snowfall   Delays in meeting schedules during periods of poor weather
Ski resorts                      Snowfall               Lower revenue during winters with below-average snowfall
Agricultural industry            Temperature/Rainfall   Significant crop losses due to extreme temperatures or rainfall
Municipal governments            Snowfall               Higher snow removal costs during winters with above-average snowfall
Road Salt companies              Snowfall               Lower revenues during low snowfall winters
Hydro-electric power generation  Precipitation          Lower revenue during periods of drought

Source: Climetrix 2006.

2.2 Characteristics of weather derivatives

A weather derivative is a financial contract between two parties with a payoff which is derived from the development of an underlying index. They differ from common financial derivatives in that their underlying is not a tradable asset but meteorological variables.

As we already noted, weather affects different companies in different ways. In order to hedge these different types of risk, weather derivatives can be based on a variety of weather variables. These include temperature, wind, rain, snow or sunshine hours. The only condition is that the weather variables can be transformed into an index and that they are measured objectively, without the influence of any counterparties (Cao et al. 2003, Dischel 2002).

The pay-off of these financial instruments is derived from a weather index, not from the actual amount of money lost due to adverse weather conditions. Therefore, it is unlikely that the pay-off will compensate the exact amount of money lost. The potential difference between an actual loss and the received pay-off is known as basis risk. Generally, basis risk is reduced when the company's financial loss is highly correlated with the weather and when contracts of optimum size, structure and location are used for hedging (Jewson & Brix 2005).

Typically, a standard weather derivative contract is defined by the following attributes:

– Contract period: defines a start date and an end date, usually a month or a season
– Measurement station: preferably close to the company's location to reduce geographical basis risk
– Weather variable: corresponding to weather exposure and hedging needs
– Underlying: index which aggregates the weather variable over the contract period
– Pay-off function: determines the cash-flows of the derivative
– Strike Level: value of the index at which the pay-off changes from zero to a non-zero value
– Tick and Tick Value: defines how much the pay-off changes per unit of the index

The pay-off functions of weather derivatives rely on the pay-off functions of traditional derivative instru<br>ments, e.g. options, collars, straddles or swaps (Hull 2006). Because weather is not a tradable asset, the exercise of weather derivatives always results in cash settlement. In addition, contracts may involve financial limits on the maximum pay-off.

2.3 Weather derivatives in comparison to weather insurance contracts

Traditional insurance companies already offer protection against weather risks. So, is there really a
need for weather derivatives or can weather risks be hedged by means of traditional insurance contracts? To answer this question the key characteristics of weather derivatives and weather insurance contracts have to be contrasted.

The main difference between the two instruments is that the holder of an insurance contract has to prove that he actually suffered a financial loss due to adverse weather conditions in order to be compensated. Hence, weather insurance contracts consist of two triggers: a weather event plus a verifiable financial loss. If the insured is not able to prove this, he will not receive payments from the contract (Becker & Bracht 1999). In contrast, the payments of weather derivatives rely solely on the weather index value; an actual loss does not have to be demonstrated. Weather derivatives offer the option holder the advantage of receiving prompt compensation without the risk of potentially needing long-lasting proof of the actual loss (Raspé 2002).

In conjunction with this feature another distinctive criterion has to be considered. The buyer of a weather derivative does not need to have any weather sensitivity or intention to protect himself against adverse weather conditions, i.e. he does not need to show an insurable interest. Insurance contracts, on the other hand, are based on the concept of insurable interest, which means that a direct relationship between the insured risk and the insurance purchaser has to exist, i.e. a natural exposure is required (Culp 2002). Weather derivatives can also be bought for mere speculation (Alaton et al. 2002).

An additional important feature of weather derivatives compared to insurance is that two counterparties with opposed risk exposures can enter into a contract to hedge each other's risk, e.g. via a swap structure. This is usually not possible in the insurance market (Alaton et al. 2002). Furthermore, swap contracts allow protection at no upfront cost, whereas a premium must always be paid for insurance contracts (Becker & Bracht 1999).

The typical usage of weather derivatives and insurance contracts can be seen as another difference between the two. As stated before, weather derivatives are mainly constructed for protection against high-frequency/low-severity risks. Insurance contracts usually refer to risks of an extreme or catastrophic nature but with low occurrence probability (Alaton et al. 2002). A possible explanation for these typical application fields can be found in the instrument-specific basis risk. The pay-off of weather derivatives shows no dependency on the actual loss, which results in a natural basis risk and implies the risk of an insufficient compensation in extreme events. Insurance solutions are preferred in this situation as they are indemnity based and do not contain basis risk. In contrast, insurance contracts do not function well with normal, frequent weather risks as all losses have to be proven. This is time-consuming and costly. The straightforward compensation process of weather derivatives justifies the acceptance of basis risk. Furthermore, the existence of basis risk has the beneficial effect that weather derivatives are lower-priced than insurance contracts.

Other aspects in which derivatives and insurance differ include legal, tax and regulatory issues. A comprehensive discussion of these topics is given in Raspé (2002), Edwards (2002), Ali (2004) and Kramer (2006).

To summarize, weather derivatives and insurance contracts show significant differences but are not to be considered as exclusively competing concepts. Rather, they should be used as complementary instruments in weather risk management as both offer application-specific advantages.

3 THE SURVEY

3.1 Research methodology and respondents' profile

The literature lacks relevant information regarding actual weather derivatives usage, so a main objective of the survey was to fill this research gap. It was also considered useful to investigate the broader issues related to that topic. Therefore, questions regarding general risk management practices were included in the questionnaire. The following research ideas served as starting point:

– How do companies perceive climatological risks?
– What reasons for the use of, and concerns regarding, weather derivatives are named by active users?
– Which are the main factors that hinder companies from using weather derivatives?

The survey was conducted via face-to-face interviews among 118 Austrian firms from different sectors facing significant weather exposure, such as energy and construction companies, beverage producers and baths. The breakdown of respondents per sector is as follows: 37.3% energy, 25.4% baths, 20.3% beverages and 16.9% construction sector. The sample consists of 3.4% micro-, 26.4% small-, 23.1% medium- and 13.2% large-sized enterprises. In comparison to the average percentage of enterprise sizes in Austria, a relatively large part of the sample is represented by medium- and large-sized companies. This is mainly attributed to the energy and construction sectors. The main findings of the survey will be highlighted in this paper.

3.2 Weather risk and weather exposure

First, respondents were asked to specify on a five point scale (1 for no weather risk and 5 for very high weather
risk) to what extent their company faces weather risk. Almost half of the firms (49.2%) stated that they face very high weather risks and another 13% indicated high weather risks. The results show that the majority of firms in the analyzed sectors are significantly exposed to weather risks. Only 12% of firms said that they face no weather risks at all. Figure 1 presents the distribution of the answers by weather risk category.

Figure 1. Weather risk faced by respondents (no 12%, low 5%, moderate 21%, high 13%, very high 49%).

Since the majority of firms face considerable weather risks, we were interested to analyze whether they can quantify their exposure. Only a more detailed knowledge of the weather exposure facilitates an effective risk management process. Therefore, the companies were asked to indicate the percentage of operating revenues at risk due to adverse weather conditions. Only a low number of 7% of the respondents stated that the exposure is ‘‘unknown’’, which highlights the importance of weather risk in these business sectors. 26% of the firms have a moderate weather exposure influencing up to 10% of their revenues. Further, 14% state an exposure between 11–20% of their revenues. Aggregated, 21% face a medium weather exposure affecting up to 40% of their revenues. 11.5% of respondents face a high exposure, as up to 50% of their revenues are affected. Finally, a large group of respondents (21%) face a very high exposure, as weather risks threaten more than 50% of their revenues. The high proportion of firms with medium, high and very high exposure indicates that there is definitely a need for a sophisticated weather risk management (Fig. 2).

Figure 2. Weather exposure faced by respondents (share of operating revenues at risk: unknown 7%, 1–10% 26%, 11–20% 14%, 21–30% 11%, 31–40% 10%, 41–50% 11.5%, >50% 21%).

3.3 Risk perception and risk management

Given the relatively high exposures across the sample, it seems interesting to analyse whether an institutionalised risk management process exists. This topic was covered in the questionnaire by asking which department or person conducts the risk analysis and how frequently risk analysis is carried out. The results show that in the majority of cases (62%) the management board performs these analyses and that special departments are assigned only to some extent (15%). On the one hand, it can be positive that the executives are in charge of the risk management process, as it signals its importance. On the other hand, specialised departments could focus on and explore the potential risks in more detail than general managers probably do. Therefore, designated departments or employees seem to be beneficial from the company's perspective.

Another question of the survey asked respondents to indicate the frequency at which they analyse their risks. This could serve as an indicator of how important risks are perceived to be and whether a functioning risk management exists. 58% of respondents to this question stated that they never assess their risks. Nearly 12% indicate that they analyse risks at least sometimes. 30.5% of respondents report regular risk analysis.

These findings are worrying if we consider the significant weather risks and exposures stated by the companies. Therefore, it was also analyzed how the specified exposure corresponds with the regularity of risk analysis. It was expected that the frequency of risk analysis declines with diminishing weather exposure, i.e. that firms with a high exposure perform a regular risk assessment, as opposed to low exposure firms. The relationships between the level of weather exposure and the frequency of risk analysis are displayed in Figure 3.

As expected, a large number of companies with low exposure never perform risk analysis at all (52%). 33% of respondents indicate regular risk assessments and another 15% state that they analyse risks at least sometimes. These findings are in line with the relatively low exposure. In contrast to this, the frequency of risk analysis does not improve with increasing exposure; instead the proportion of firms with regular risk assessments even declines. Figure 3 displays that a large number of firms facing medium or very high exposures are not controlling their risks on a regular
[Figure 3 (referenced above: level of weather exposure versus frequency of risk analysis); axis label ‘‘Exposure’’; chart data not recoverable]

Three respondents actually use weather derivatives, two belonging to the energy and one to the construction sector. The small number of users was expected due to the fact that weather derivatives are a relatively
risk management. This kind of press coverage could also contribute to the fact that potential end-users are reluctant in their decision to apply weather derivatives.

Interestingly, basis risk is not considered overly important by respondents. One company ranks this aspect as important; the others state moderate or no importance. These results are to some extent in contradiction to expectations, as the literature often names basis risk as a major problem in the application of weather derivatives. But, as these respondents are actually using weather derivatives, basis risk seems acceptable, or they simply have not had any problems regarding this issue.

[Figure (caption not recoverable): bar chart of respondents' ratings on a 1–5 scale; legend: Mean, Median, Mode; category labels not recoverable]
Table 2. Rotated component matrix.

Reason | Component 1 | Component 2 | Component 3
l  Difficulty of evaluating hedge results | 0.902 | |
m  Uncertainty about accounting treatment | 0.872 | |
n  Uncertainty about tax and legal treatment | 0.869 | |
k  Difficulty of pricing and valuing derivatives | 0.833 | |
o  Concerns about perception of derivative use | 0.678 | |
j  Difficulty of quantifying the firm's exposure | 0.551 | 0.455 |
d  No benefits expected | | 0.742 |
e  Instrument does not fit firm's needs | | 0.716 |
a  Insufficient weather exposure | | 0.662 |
p  Company policy not to use derivatives | | 0.641 |
f  Exposure effectively managed by other means | | 0.639 |
h  Costs of hedging exceed the expected benefits | 0.516 | 0.616 |
i  Lack of expertise in derivatives | | | 0.820
c  Never considered using weather derivatives | | | 0.752
b  Weather derivatives unknown | | | 0.743

A factor analysis yields three significant factors which explain up to 66% of the total variance. Using the factor loadings given in the rotated component matrix, the questions can be assigned to the three extracted factors. The factor loadings shown in Table 2 are already sorted for easier interpretation, and factor loadings below 0.4 are not displayed.

Factor 1 appears to be related to ‘‘lack of knowledge’’ (l, m, n, k, j and less so o), as it mainly encloses reasons in the context of pricing, valuation, hedging and taxation uncertainties. Factor 2 could be named ‘‘no benefits expected’’ (d, e, f, h, a and less so p), as the reasons it contains focus on the fact that there might be better alternatives or that weather derivatives do not fit the firms' needs. Finally, factor 3 includes questions regarding unawareness of weather derivatives in general (c, b, i), which leads to its assignment as ‘‘instrument unknown’’.

The factor analysis indicates that the reasons not to use weather derivatives can be mainly attributed to three factors: ‘‘lack of knowledge in derivatives’’, ‘‘no benefits expected’’ and ‘‘instrument unknown’’. The identified factors seem plausible given the findings before. As weather derivatives are relatively new instruments and many firms never had experience with derivatives before, they lack expertise in evaluating and handling these instruments. Additionally, as nearly 60% of companies do not analyze their risks on a regular basis, it seems reasonable that they are not able to quantify their exposure correctly. Further, they probably cannot appraise the potential benefits of weather derivatives as they hardly know the instruments. This leads to the third factor, that weather derivatives are widely unknown. It is entirely possible that factors 1 and 2 also arise from a general unawareness of hedging measures with weather derivatives. Therefore, lack of knowledge regarding weather derivatives and their application seems to be the most important reason for not using them so far.

Taking this into consideration, weather derivatives should be actively promoted to the public and to potential end users to increase the awareness level. Furthermore, the functioning and characteristics of weather derivatives as a risk management tool should be highlighted to demonstrate their benefits and to build up some basic expertise within the firms. The promotion of risk analysis may also contribute to the success of weather derivatives as the firms become aware of so far neglected weather risks. Finally, if potential users know the instrument and its role in weather risk management, they will more likely apply it.

3.6 Potential usage of weather risk management instruments

Expecting the low number of active weather derivative users, we also asked the respondents to indicate whether they can imagine using weather derivatives or comparable instruments in the future. The results show that roughly one-fourth (26.7%) of firms are generally willing to apply weather derivatives. Given the actual state, this proportion indicates a significant market potential for weather derivatives.

The question demonstrates that many respondents are open-minded about weather risk management with weather derivatives. Of course, it has to be investigated which firms finally can use these instruments, as basis risk and large contract sizes may have unfavourable impacts. High costs for small weather derivative transactions could be reduced via bundling schemes in which different companies located in one region share a derivative contract to reduce the costs and to achieve reasonable contract sizes.

Another possibility is the integration of weather derivatives in loans. This structure enables a company to enter into a loan agreement with a higher interest rate that already includes the weather derivative premium which the bank pays to the counterparty. In case of an adverse weather event, the company only pays a
fraction or nothing of the usual loan due, thus receiving financial relief in an economically critical situation. Moreover, weather-indexed loans would be less likely to default, which is also favourable for the bank itself as it strengthens the bank's portfolio and risk profile (Hess & Syroka 2005). Weather-indexed loans seem especially applicable for SMEs as they are financed to a large extent by loans. This facilitates the access for banks and offers considerable cross-selling potential. The potential use of a weather-linked credit by companies was tested in question 24.

The results show that 17% of respondents can imagine using a weather-indexed loan. In comparison to question 23, it does not seem as attractive as weather derivatives for potential users. On the one hand, this could be attributed to the more complex product structure. On the other hand, potential users could simply prefer a stand-alone product instead of buying some sort of bundling scheme. Further, the comments of respondents on questions 23 and 24 indicate that there is a general interest in weather derivatives but additional information is requested. This highlights again that instrument awareness has to be improved and lack of knowledge has to be reduced.

4 CONCLUSION

The main objectives of this work were to give an introduction to weather derivatives and to investigate weather derivative practices. A survey conducted among 118 Austrian companies confirmed that the respondents face a significant weather exposure and that they are also to a large extent aware of it. On the other hand, the survey revealed that the majority of firms lack a sophisticated risk management concept, as they hardly control their risks on a regular basis. This seems worrying given the general knowledge of their exposure.

Respondents already using weather derivatives indicated that they generally consider them a useful tool in weather risk management. Primarily, weather derivatives are applied for earnings stabilization. Instrument-specific advantages, such as the lack of damage proofs and prompt compensation payments, are emphasized. Typical concerns regarding the usage of weather derivatives are pricing, valuation, tax and legal issues. Further, the image of weather derivatives is perceived relatively critically. The study implies that companies already using weather derivatives may also need some additional assistance in the weather risk management process.

The relevance of different reasons in the decision of companies not to use weather derivatives was also investigated. A factor analysis on the survey results produced evidence that the reluctance of firms to use weather derivatives arises to a great extent from a ‘‘lack of knowledge’’ regarding derivatives. Furthermore, the factors ‘‘no benefits expected’’ and ‘‘instrument unknown’’ seem to restrict the usage of weather derivatives.

Considering these findings, the main challenge will be to increase the acceptance, awareness and knowledge of weather risk management and corresponding tools. The results show that a significant proportion of companies not using weather derivatives so far may begin to use them as knowledge of these instruments increases.

Finally, the survey confirmed that many firms are interested in weather risk management, but the process is still in its infancy. Firms should put more emphasis on investigating their weather exposure and potential hedging measures to reduce the impacts of adverse weather conditions on operating figures. Weather derivatives in particular offer the possibility to manage weather risks actively and flexibly. On the other hand, today's large contract sizes hinder mainly SMEs from the application of weather derivatives. Hence, future research will focus on contract structuring issues, such as bundling schemes or weather-indexed loans, to facilitate the use of weather derivatives.

REFERENCES

Ali, P.U. 2004. The Legal Characterization of Weather Derivatives. Journal of Alternative Investments 7(2): 75–79.
Becker, H.A. & Bracht, A. 1999. Katastrophen- und Wetterderivate: Finanzinnovationen auf der Basis von Naturkatastrophen und Wettererscheinungen. Wien.
Cao, M. et al. 2003. Weather derivatives: A new class of financial instruments. www.rotman.utoronto.ca/∼wei/research/JAI.pdf, 16.06.2007.
Clemmons, L. 2002. Introduction to Weather Risk Management. In Banks, E. (ed), Weather risk management: markets, products, and applications: 3–13. Basingstoke.
Climetrix 2006. Climetrix—Weather Derivatives Software. http://www.climetrix.com, 15.08.2006.
CME 2006. CME Weather Products. http://www.cme.com/trading/prd/weather/index14270.html, 09.08.2006.
Culp, C.L. 2002. The ART of risk management. New York.
Dischel, R.S. 2002. Climate Risk and the Weather Market. London.
Edwards, S. 2002. Accounting and Tax Treatment. In Banks, E. (ed), Weather risk management: markets, products, and applications: 246–261. Basingstoke.
Hess, U. & Syroka, J. 2005. Weather-based insurance in Southern Africa. The International Bank for Reconstruction and Development, Washington.
Hull, J. 2006. Options, futures, & other derivatives. Upper Saddle River, NJ.
Jain, G. & Foster, D. 2000. Weather Risk—Beyond Energy. Weather Risk supplement to Risk magazine, August 2000. http://www.financewise.com/public/edit/energy/weather00/wthr00-beyondenergy.htm, 10.08.2006.
Jewson, S. & Brix, A. 2005. Weather derivative valuation: the meteorological, statistical, financial and mathematical foundations. Cambridge.
Kramer, A.S. 2006. Critical Distinctions between Weather Derivatives and Insurance. In Culp, C.L. (ed), Structured finance and insurance: the ART of managing capital and risk: 639–652. Hoboken.
Mojuyé, B. 2007. Does the hot dog vendor lose out? International Financial Law Review 26(11): 27–29.
Raspé, A. 2002. Legal and Regulatory Issues. In Banks, E. (ed), Weather risk management: markets, products, and applications: 224–245. Basingstoke.
Schirm, A. 2001. Wetterderivate: Einsatzmöglichkeiten und Bewertung. Working Paper, University of Mannheim.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
M. Siegrist
Institute of Environmental Decisions, Consumer Behavior, ETH, Zurich, Switzerland
ABSTRACT: Nanoparticulate materials (NPM) pose many new questions on risk assessment that are not
completely answered and concerns have been raised of their potential toxicity and life cycle impacts. Voluntary
industrial initiatives have been often proposed as one of the most promising ways to reduce potential negative
impacts on human health and the environment from nanomaterials. We present a study which had the purpose to
investigate how NPM industry in general perceives precaution, responsibility and regulations, how they approach
risk assessment in terms of internal procedures, and how they assess their own performance. The survey shows
that industry does not convey a clear opinion on responsibility and regulatory action, and that the majority of
companies do not have standardized procedures for changes in production technology, input substitution, process
redesign, and final product reformulation as a result of a risk assessment. A clear majority of the companies
found their existing routines regarding these procedures to be sufficient.
The data was collected in Germany and Switzerland between December 2005 and February 2006. The sample consisted of a total of 135 companies, 48 of them from Switzerland and 87 from Germany. The companies were identified through websites, literature reviews and personal contacts. A prerequisite for company selection was that companies should have NPM-based products available on the market. A total of 40 companies filled out the questionnaire, which represents a response rate of 29.6%. Before sending out the questionnaire, we contacted each company by phone and requested the person in charge of risk assessment procedures to fill out the questions.

The two largest industrial sectors were ‘‘chemicals and materials’’ and ‘‘consumer goods’’, and the most common application fields for NPM within these industrial sectors were coatings and thin films for different materials (e.g. glass, wood and textile), medical applications and electronic products. Twenty-five companies had less than 100 employees, 8 companies had between 100 and 1000 employees, 6 companies had more than 1000 employees and 1 company did not answer this question. Fourteen companies reported that they were ‘‘primary producers’’ of NPM, 21 companies were ‘‘downstream users’’ working with NPM purchased for their applications, 2 companies both produced and purchased NPM for their applications, and 3 companies did not answer this question. In order to address the objectives we developed a number of questions regarding (1) industrial interpretations of the precautionary principle, life cycle responsibility and regulation, (2) industrial procedures, and (3) industry's own assessment of these respective procedures and areas.

3 RESULTS

Regarding the industrial interpretations of the precautionary principle, a clear majority of the respondents found that all emissions should be kept As Low As Reasonably Achievable (ALARA) and that measures should be taken if specific criteria of potential irreversibility are fulfilled. However, no majority opinion was found regarding whether the burden of proof should be on the proposing actor. A principal component analysis identified only one factor, which explained a total variance of approximately 87.55%, and one can therefore conclude that the respondents answered all the questions in a consistent manner.

In the production phase of the life cycle, most of the companies felt responsible for potential environmental health impacts that may occur, whereas 2 thought this responsibility should be shared with the government. In the use phase, 24 companies opined that the responsibility should be borne mainly by industry, whereas only 8 thought the government or the consumer should be responsible and 4 thought it should be shared with other actors. In the end-of-life phase, the industrial opinion is divided: 17 companies argued that the responsibility should be taken by the industry alone, 10 thought the government or the consumer should be responsible, whereas 9 thought it should be shared with other actors. The responsibility can be seen as externalized throughout the life cycle stages.

In research and development, 19 companies considered that no regulations are needed, whereas 17 found that industrial standards should be established and 2 companies preferred governmental standards. In the production stage a clear majority of the companies found that NPM should be regulated by industrial standards, whereas in the usage stage and the end-of-life stage the company opinions were divided as to how to best regulate this area. In general, the industry can therefore be seen as divided on whether industrial standards or governmental regulations comprise the most appropriate form of regulation.

On the question ‘‘If risk assessment reveals a lack of knowledge and there is a possibility of harmful effects, does your company have standardized criteria or procedures for a) raw material substitution b) final product reformulation c) process change?’’, the majority, 21 companies, did not indicate any standardized procedures following a risk assessment. Eleven companies were found to be promoting risk research, whereas 21 companies, a majority, did not promote any such research. Furthermore, a total of 15 companies had procedures involving different stakeholder concerns in product development (e.g. public consultations, hearings, scenario analysis).

In general, companies were quite satisfied with their current performance. All companies found that best available information acquisition was important, although the routines used for it could be improved. However, it was particularly in terms of promoting risk research, sharing knowledge such as safety knowledge with other organizations, and risk assessment methodology that the companies saw the greatest potential for improvement.

4 DISCUSSION

Industries perceive themselves as clearly responsible for potential impacts to human health and environment in the research, development and production stages, but this responsibility is gradually being externalized to other stakeholders throughout the life cycle. This clear acknowledgement of industrial responsibility is in sharp contrast to a less uniform perception of regulation, where 38 companies wanted industrial standards or no regulations in the production stage, 25 companies wanted the same in the usage phase and 18 companies in the end-of-life phase. The
combination of increasingly industrial externalization expected by the public, as they perceive fewer risks
of responsibility and regulations throughout the life associated with nanotechnology than lay people do
cycle may be problematic as current regulations gen- (Siegrist et al. 2007a; Siegrist et al. 2007b).
erally do not cover NPM. Thus we may have a situation
where there is a vacuum concerning the question who
should monitor that NPM are being developed and 5 CONCLUSIONS
used in a safe manner.
The prevention of the possibility of harm arising Do the companies have to be pushed or pulled to
from production or products by eliminating prob- improve their precautionary measures or is the current
lems at the source may involve changes in production situation satisfactory? In the case of NPM, industries
technology, input substitution, process redesign and find that regulation should be evidence-based, but the
re-engineering, and final product design and reformu- fate of NPM throughout the life cycle receives little
lation. About two thirds of the companies did not have industrial attention (Helland et al. 2008). Thus, we
such procedures in place, but at the same time most have a situation of interpreting whether the state of sci-
companies assessed their existing routines regarding entific evidence warrants regulatory action. We have
these respective procedures and found them to be shown that the industrial opinion is not clear on how to
sufficient with only a few companies thinking these interpret the state of evidence, but that two things do
procedures could be improved. This may imply that stand out: emissions should be kept as low as possible
there are no high incentives for considering alterna- and specific characteristics of irreversibility are reason
tive technology options and thus a business-as-usual enough for taking precautionary measures. However,
scenario seems the most likely path that industry would who should monitor and demonstrate such specific
chose in this respect. One exception was the procedure characteristics as industry does not necessarily see
of risk assessment. It may be argued that compa- that as their responsibility? How could a common
nies need assistance in this respect as a majority of approach be defined in order to create standards of
companies do not have risk assessment procedures risk assessment and other quality standards?
in place, but do express a wish to improve their Building on the consensus opinion of the industry,
performance. It is obvious that the current lack of established risk assessment and management frameworks for NPM is problematic for the companies (Reijnders 2006).

The awareness among key actors in a company (managers, engineers, researchers, safety experts, product designers etc.) is heavily influenced by social factors such as communication and cooperation with other stakeholders in addition to the existing corporate culture, the core values of the company (Ashford & Zwetsloot 2000). Increasing awareness among companies' key actors through training and outreach activities can therefore comprise effective measures to improve the safety culture of the companies. The surrounding network of agents may therefore provide important contributions to industry for governing risks, but nonetheless greater industry contributions to the public knowledge base on NPM have been called for (Helland & Kastenholz 2007). We may conclude from our results that most companies have an established network in which risk information is exchanged. This information exchange usually takes place among companies and between companies and universities, although very few actively involve themselves in funding university research.

The majority of companies also found that information exchange was an area in which there was room for improvement. A further aspect resulting from insufficient communication with external stakeholders may be the consumer response. Nanotechnology experts may not be inclined to initiate the risk assessment

may draw two specific priorities for governmental bodies to investigate in collaboration with industry:

– What are the possible sources of NPM emissions throughout the product life cycle, how high are such emissions and what is the environmental fate of such emissions?
– What NPM characteristics may serve as signs of potential irreversibility for ecosystemic interactions (e.g. persistency, bioaccumulation, etc.) and which NPM specifically inhibit such characteristics?

REFERENCES

Ashford, N.A. & Zwetsloot, G. 2000. Encouraging inherently safer production in European firms: a report from the field. Journal of Hazardous Materials, 78: 123–144.
Nowack, B. & Bucheli, T.D. 2007. Occurrence, behavior and effects of nanoparticles in the environment. Environmental Pollution, 250: 5–22.
Davis, J.M. 2007. How to assess the risks of nanotechnology: learning from past experience. Journal of Nanoscience and Nanotechnology, 7: 402–409.
Helland, A., Kastenholz, H., Thidell, A., Arnfalk, P. & Deppert, K. 2006. Nanoparticulate materials and regulatory policy in Europe: An analysis of stakeholder perspectives. Journal of Nanoparticle Research, 8: 709–719.
Helland, A., Scheringer, M., Siegrist, M., Kastenholz, H., Wiek, A. & Scholz, R.W. 2008. Risk assessment of engineered nanomaterials—Survey of industrial approaches. Environmental Science & Technology, 42(2): 640–646.
Helland, A. & Kastenholz, H. 2007. Development of Nanotechnology in Light of Sustainability. Journal of Cleaner Production, online: doi:10.1016/j.jclepro.2007.04.006.
Morgan, K. 2005. Development of a preliminary framework for informing the risk analysis and risk management of nanoparticles. Risk Analysis, 25(6): 1621–1635.
Nel, A., Xia, T., Mädler, L. & Li, N. 2006. Toxic potential of materials at the nanolevel. Science, 311: 622–627.
Oberdörster, G., Oberdörster, E. & Oberdörster, J. 2005. Nanotoxicology: An emerging discipline evolving from studies of ultrafine particles. Environmental Health Perspectives, 113(7): 823–839.
Reijnders, L. 2006. Cleaner nanotechnology and hazard reduction of manufactured nanoparticles. Journal of Cleaner Production, 14: 124–133.
Siegrist, M., Wiek, A., Helland, A. & Kastenholz, H. 2007a. Risks and nanotechnology: the public is more concerned than experts and industry. Nature Nanotechnology, 2: 67.
Siegrist, M., Keller, C., Kastenholz, H., Frey, S. & Wiek, A. 2007b. Lay people's and experts' perception of nanotechnology hazards. Risk Analysis, 27(1): 59.
Som, C., Hilty, L.M. & Ruddy, T.F. 2004. The precautionary principle in the information society. Human and Ecological Risk Assessment, 10(5): 787–799.
U.S. EPA 2007. Nanotechnology White Paper. U.S. Environmental Protection Agency: Washington, DC.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
Terje Aven
University of Stavanger, Stavanger, Norway
If the safety function reliability is below the SIL value, the total system risk might become unacceptable. The SIL is thus a risk based measure and is as such a good candidate for the evaluation of risk related to deferred maintenance. Note however that if a safety function is less reliable than required according to the SIL, the exact increase of total system risk cannot be directly inferred.

The SIL value represents an established risk based measure for the maximum allowable unreliability of a safety function and is used as a basis for the following risk based prioritisation method.

Now suppose a safety function has failed. The problem is to determine the maximum time $d_m$ before the maintenance activity for this unit should start (referred to as the maximum delay time). Suppose the unit belongs to SIL category 2, i.e. the probability of failure on demand (PFD), $p$, should be between $10^{-3}$ and $10^{-2}$. To simplify we require $p \le 0.005$. For a specific period of time ($T$), say one year, this corresponds to an expected downtime of 1.8 days. The interval limits $10^{-3}$ and $10^{-2}$ correspond to 0.365 days/year and 3.65 days/year, respectively. To determine the maximum acceptable delay time, we need to define what is ''small'' compared to 1.8 days. The actual delay time should not significantly increase this downtime. Obviously if the maximum delay time is a factor 10 higher than 1.8 days, i.e. 18 days, it is too large. A factor 5 is smaller but still it gives a major change in the total downtime. We see that we have to reduce the factor to about 1 to not significantly change the downtime, and the proposed method uses this number as a criterion for determining the maximum delay time.

We formalise this by introducing the delay time factor $D$, expressing the ratio between the additional delay time $d$ due to deferred maintenance and the expected downtime due to the SIL requirement, i.e.

$$D = \frac{d}{p \cdot T} \qquad (1)$$

The criterion used to determine the maximum delay time can then be written

$$D \le 1, \qquad (2)$$

i.e. $d_m \le p \cdot T$.

Next we address the case of redundant safety systems, i.e. safety functions consisting of two or more components in parallel such that one failure does not immediately cause the safety function to fail. It is observed that the dominant reason for failures of redundant safety functions is Common Cause Failures (CCF). To incorporate these failures into the method, we use a modifying factor $\beta$, the so-called $\beta$-factor (see IEC (2000) and IEC (2003)). Typical values for $\beta$ range from 1% to 10%. For the present study, a $\beta$-factor of 10% was chosen and the degree of redundancy is taken into account as $\beta_0^{r}$ where $\beta_0 = 10\%$ and $r$ is the degree of redundancy. For example, $r = 1$ means that the safety function tolerates one failure, and $\beta_0^{r} = 0.1$. It follows that the expected additional delay time due to the deferred maintenance equals $d \cdot \beta_0^{r}$, and hence Equation (1) can be written

$$D = \frac{d}{p \cdot T} \, \beta_0^{r} \qquad (3)$$

A system might for example include a safety function rated at SIL 2 with redundancy of 1. The function contains two sensors which can both detect a high pressure. Over one year the delayed maintenance of the sensors has amounted to 8.7 days. Using again $p = 0.005$ the delay factor becomes $D = 0.48$. The maintenance delay should be acceptable.

As will be demonstrated in Section 3, observed delay time factors $D_i^*$ can be readily calculated from maintenance data for all safety functions $i$. Based on these we can produce overall indices and diagrams providing the management and the authorities with a picture of the maintenance backlog status. These indices and diagrams can be used as a basis for concluding on whether the maintenance of safety functions is going reasonably well or whether safety is 'eroding away'. An example of an approach for visualising the status is the following: Calculate all delay time factors $D_i^*$ for all safety functions $i$ which have failed in the time interval $T$ and present a graph showing the associated cumulative distribution. At $D = 1$ a dividing line is drawn which marks the maximum delay time. The number of safety functions to the right of this line should be small, i.e. the centre of the histogram should be well to the left of this line.

If several systems are to be compared it would be interesting to calculate a single number which summarises the information on the maintenance performance with respect to deferred maintenance of safety systems. One could readily calculate the mean value $D^*$ of all $D_i^*$, with respect to the safety functions which have failed in the time interval $T$. The mean value calculates the 'centre of gravity' of the distribution of the $D_i^*$'s, and as will be shown in Section 3, the mean value provides a good overview over the maintenance backlog status. Moreover, the mean value $D^*$ can easily be plotted as a function of time, which provides an overview over the evolution of the maintenance backlog in time. The mean value, $D^*$, could also be plotted as an accumulated function of time, which provides an overview of the total delay time factor over a period of time. Care has however to be shown when using $D^*$ as a basis for judgments about the acceptability of the maintenance backlog. For example, requiring $D^* \le 1$ would allow many large delay times (far beyond the limit 1), as long as the average
is within the criterion 1. Hence if a criterion should be

out of the list. If not all conditions are fulfilled, the failures are left in the list conservatively assuming that the compensating measure is totally ineffective.
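The delay time factor method described above, as an added worked example (this is not code from the paper): it evaluates $D$ for each failed safety function with Equations (1) and (3), applies the $D \le 1$ criterion, and reports the mean $D^*$ together with the number of functions beyond the $D = 1$ line, because the page notes that the mean alone can hide large individual delays. The maintenance records and tag names are constructed, and the maximum delay time for redundant functions is derived here from Equation (3) rather than stated on the page.

```python
"""Delay time factor D for deferred maintenance of failed safety functions.

D = d / (p * T) * beta0**r  (Equations 1 and 3 on the page), criterion D <= 1
(Equation 2), and the D* overview indices. Sample records are constructed.
"""
from dataclasses import dataclass
from statistics import mean

BETA0 = 0.1          # beta-factor of 10% used on the page for redundant functions
DAYS_PER_YEAR = 365  # T for the "one year" period, in days


@dataclass(frozen=True)
class FailedFunction:
    """One failed safety function and its observed deferred-maintenance delay."""
    tag: str
    pfd: float           # required PFD p for the function's SIL (0.005 for SIL 2 here)
    delay_days: float    # additional delay time d before maintenance started
    redundancy: int = 0  # degree of redundancy r (0 = non-redundant, 1 = tolerates one failure)


def delay_time_factor(d, p, T=DAYS_PER_YEAR, r=0, beta0=BETA0):
    """D = d / (p*T) * beta0**r; with r = 0 Equation (3) reduces to Equation (1)."""
    if p <= 0 or T <= 0 or d < 0 or r < 0:
        raise ValueError("p and T must be positive, d and r non-negative")
    return d / (p * T) * beta0 ** r


def max_delay_time(p, T=DAYS_PER_YEAR, r=0, beta0=BETA0):
    """Maximum delay time d_m: the largest d that still satisfies D <= 1.

    For r = 0 this is p*T as on the page; for r > 0 the same inequality applied
    to Equation (3) gives p*T / beta0**r (derived here, not stated on the page).
    """
    return p * T / beta0 ** r


def within_criterion(d, p, T=DAYS_PER_YEAR, r=0, beta0=BETA0):
    """True when the observed delay d is acceptable under Equation (2)."""
    return delay_time_factor(d, p, T, r, beta0) <= 1.0


def cumulative_distribution(factors, thresholds):
    """Fraction of D_i* values at or below each threshold (the CDF the page plots)."""
    n = len(factors)
    return {t: sum(1 for x in factors if x <= t) / n for t in thresholds}


def backlog_summary(functions, T=DAYS_PER_YEAR, beta0=BETA0):
    """Overview indices for one time interval T.

    Returns the per-function D_i*, the mean D*, and, separately, how many
    functions lie beyond the D = 1 line, since D* <= 1 on its own would let
    a few very large delays hide behind many small ones.
    """
    factors = {f.tag: delay_time_factor(f.delay_days, f.pfd, T, f.redundancy, beta0)
               for f in functions}
    return {
        "factors": factors,
        "mean_D": mean(factors.values()),
        "n_above_1": sum(1 for x in factors.values() if x > 1.0),
        "worst": max(factors, key=factors.get),
    }


# Constructed sample: failed SIL 2 functions (p <= 0.005) observed over one year.
SAMPLE = [
    FailedFunction("PSH-101", 0.005, 1.0),                # non-redundant, 1 day late
    FailedFunction("PSH-102", 0.005, 8.7, redundancy=1),  # the page's two-sensor example
    FailedFunction("ESD-201", 0.005, 3.0),                # non-redundant, 3 days late
    FailedFunction("GD-301", 0.005, 40.0, redundancy=2),  # long delay, but r = 2
    FailedFunction("FD-401", 0.005, 0.5),
]

if __name__ == "__main__":
    s = backlog_summary(SAMPLE)
    for tag, D in s["factors"].items():
        print(f"{tag}: D = {D:.2f} {'OK' if D <= 1 else 'EXCEEDS limit'}")
    print(f"mean D* = {s['mean_D']:.2f}, beyond D = 1: {s['n_above_1']} ({s['worst']})")
    print("CDF:", cumulative_distribution(list(s["factors"].values()), [0.5, 1.0, 2.0, 5.0]))
```

For the constructed sample the mean $D^*$ stays below 1 while one non-redundant function is well beyond the line, which is exactly the case the page's caveat about relying on $D^*$ alone is about.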
created and it takes 51 days of delayed maintenance, contributing to a clearly visible slope in Figure 2. Other active notifications during this time contribute to considerably less delay time. In general attention should be placed on non-redundant SIL 2 functions.

From Figure 2 one may conclude that the accumulated risk from delayed maintenance is too high, as there are many safety functions for which the PFD is more than doubled by delayed maintenance.

A new method for prioritisation of maintenance backlog with respect to maintenance of failed safety functions has been proposed. The proposed method is linked to the established Safety Integrity Level regime from IEC 61508 which specifies the reliability requirements of safety functions. The method is thus inherently risk based. It furnishes a variety of risk indices to gain an overview over the status of the maintenance backlog of safety functions. The indices can be used to determine acceptance levels which tell the user whether the maintenance of safety functions is going reasonably well or whether safety is 'eroding away'. The indices can be used to monitor the maintenance performance through time, find important contributors to delayed maintenance, prioritise maintenance on a day-to-day basis or to compare the maintenance performance of several systems.

As part of future work it is planned to include preventive maintenance delays in the methodology, i.e. an analogous delay time factor originating from preventive maintenance being performed later than the planned time.

IEC. 2000. IEC 61508—Functional safety of electrical/electronic/programmable electronic safety-related systems. First edition. IEC.
IEC. 2003. IEC 61511—Functional safety—Safety instrumented systems for the process industry sector. First edition. IEC.
NORSOK. 2001. NORSOK standard Z-008—Criticality analysis for maintenance purpose. Revision 2. Norwegian Technology Centre.
OLF. 2001. OLF 070—Recommended Guidelines for the application of IEC 61508 and IEC 61511 in the Petroleum Activities on the Norwegian Continental Shelf. Revision 0.1. The Norwegian Oil Industry Association.
ABSTRACT: Environmental Health Risks (EHRs) traditionally have been dealt with in a hierarchical and
technocratic manner. Preferably based on scientific expertise, standards set are uniform and based on legal
regulations. However, this approach has encountered implementation problems and deadlocks, particularly in
cases where scientific knowledge is at best incomplete and interests of powerful stakeholders conflict. Many
new approaches to manage EHRs have been implemented, which share two characteristics: an increased
integration of (a) cost-benefit and other considerations; (b) the public and other stakeholders; and (c) of EHR
objectives in other sectoral policies, and an increased differentiation of EHR standards (partly as a consequence
of the former characteristic). Still little systematic empirical research has been conducted on the experiences
with these shifts in EHR governance, in particular in the light of the shortcomings of the ‘traditional’ approach
to EHR governance. This paper proposes an analytical framework for analyzing, explaining and evaluating
different categories of, and shifts in, EHR governance regimes. We illustrate our paper with the trends in EHR
governance described above.
type of risks there are more opportunities to influence them (in the case of natural events EHR management will mainly be focused on adaptation and mitigation of adverse health effects and less with fundamentally addressing their causes).

2.2 EHR governance regimes

EHR governance regimes can be defined as ''the complex of institutional geography, rules, practice, and animating ideas that are associated with the regulation of a particular risk or hazard'' (Hood et al., 2004: 9). Only limited research has been conducted on the classification of risk regimes (Hood et al., 2004). Below we discuss a few of such attempts.

In comparing the ways in which risks were regulated in different countries, O'Riordan (1985) identified four (partly overlapping) 'styles of risk regulation' that can be considered as four risk governance regimes. These regimes primarily differ in the way in which decision-making is organized (top-down, interactive etc.) and the extent to which consensus among stakeholders is possible.

Hood et al. (2004) consider risk governance regimes as systems consisting of interacting or at least related parts and identify nine distinct configurations or risk governance regimes, which they identify by means of two dimensions:

• 'Basic control system components': ways of gathering information; ways of setting standards; and ways of changing behavior in order to meet the standards (i.e. policy instruments);
• The 'instrumental' and 'institutional' elements of regulatory regimes: the 'regulatory regime context' (different types of risks at hand, the nature of public preferences and attitudes over risk and the ways in which stakeholders are organized) and the 'regime content' (the policy setting, the configuration of state and other organizations directly engaged in risk regulation and their attitudes, belief and 'operating conventions').

The IRGC takes a more normative approach. It advocates a framework for risk governance that aims at, among other things, enhanced cost-effectiveness, equal distribution of risks and benefits, and consistency in risk assessment and management of similar risks (Bunting, 2008; Renn, 2006). The IRGC framework takes into account the following elements:

• The structure and function of various actor groups in initiating, influencing, criticizing or implementing risk decisions and policies;
• Risk perceptions of individuals and groups;
• Individual, social and cultural concerns associated with the consequences of risk;
• The regulatory and decision-making style (in part based on O'Riordan, 1985);
• The requirements with respect to organizational and institutional capabilities for assessing, monitoring and managing risks (including emergency management).

Other relevant elements of risk governance regimes found in the literature include culture, principles and uncertainty and ambiguity. Rayner and Cantor (1987) discuss four different 'institutional cultures' that may underlie approaches to risk management. These cultures reflect distinct worldviews, based among other things on particular principles of social justice and perceived economic interests. The importance of culture and cultural values in the perception and selection of risks is also recognized by, among others, Douglas and Wildavsky (1982). It is not clear however whether culture is part of governance regimes or an important context variable of influence on the way in which governance regimes are shaped and function. Related to cultural aspects are the principles behind standard setting; both elements are based on some core values. As regards principles for EHR standard-setting, De Hollander and Hanemaaijer (2003) for instance distinguish between four approaches, reflecting different principles:

• 'Right-based' approach: an equal protection for all above a certain risk level;
• 'Utility-based' approach: maximization of benefits for society as a whole (i.e. achieving the greatest increase in overall public health at the lowest cost);
• 'Technology-based' approach: using the best available techniques;
• The precautionary principle: a cautious approach in the light of complexity, uncertainty and irreversibility.

The EEA (2001) emphasizes the importance of uncertainty in risk governance and suggests a framework for classifying risks regarding different forms of uncertainty (risk, uncertainty and ignorance) and actions (and guiding principles) for handling these situations. Klinke and Renn (2002) also discuss ambiguity: the presence of ''contested views about the desirability or severity of a given hazard'' (Klinke and Renn, 2002: 1092). UNESCO COMEST (2005) addresses the issue of risk governance under uncertainty and explores the implications of the precautionary principle for risk governance. Van der Sluijs (2007) reviews the challenges to risk governance of uncertainty and precaution, focusing on the interface between science and policy, and concludes that a precautionary—post normal—style of risk governance has slowly but steadily started to invade traditional approaches. Methodological challenges remain as
to how to further integrate different approaches to deal with uncertainty, in particular the more technical approaches and the approaches from the policy perspective.

The above discussion suggests that there is no such thing as a generally accepted framework for identifying and classifying risk governance regimes, but provides us with what seem to be relevant elements in such a framework:

• EHR type in terms of (perceived) seriousness, certainty of the knowledge basis and the prevalence of conflicting interests among stakeholders as regards EHR handling;
• Governance style, referring to the plurality and diversity of actors allowed to be involved in decision-making, the moment when they are involved in decision-making processes, and their role in the implementation of EHR strategies;
• The role of science and other knowledge sources in decision-making on EHR objectives;
• The principles behind EHR objectives;
• Dominant instruments in the implementation of EHR strategies (e.g. hierarchical or more voluntary forms of regulation);
• Culture and values;
• The institutional context;
• The interlinkages between the above elements.

2.3 Evaluating EHR governance regime performance

Although many criteria can be employed for assessing the performance of EHR governance regimes (see for instance those employed by the IRGC in Section 2.2), one of the basic criteria would seem to be the extent to which they succeed in reducing EHRs to levels that are acceptable to decision-makers, the public, scientists and other stakeholders. At least two interrelated dimensions are relevant here. The first is the speed with which EHRs are identified, decision-making on their management is completed, and implementation is organized. The second is the outcome in terms of (perceived) risk reduction and its evaluation by relevant actors.

Yet, it is also interesting to move beyond the level of individual EHRs, e.g. by looking at how EHR regimes impact upon other EHRs. Relevant in this light is the concept of 'risk migration': the situation where one risk is reduced but another one created or enhanced. An example is polybrominated diphenyl ethers (PBDEs) based flame-retardant compounds that accumulated in the environment and in humans and in particular caused societal anxiety when they were found in breast milk (Alcock and Busby, 2006).

Figure 1. Types of policy problems (with examples). Source: Hoppe, 2002 (adapted). [Four quadrants: structured problems (e.g. road maintenance); moderately structured / means problems (e.g. traffic safety); moderately structured / goals problems (e.g. abortion); unstructured problems (e.g. car mobility).]

2.4 Explaining EHR governance regime selection and performance

What explains the presence of particular EHR governance regimes and how can we understand the contribution of these regimes to the reduction of EHRs? Hisschemöller and Hoppe (2001) and Hoppe (2002) adopted a useful theoretical model that links governance regimes to two specific characteristics of the policy problem at issue: certainty of the knowledge basis and the extent to which norms and values converge (see Figure 1). In contrast to the authors discussed in the preceding Section, Hisschemöller and Hoppe (2001) and Hoppe (2002) explicitly consider these characteristics as independent variables relevant to the appropriateness and performance of governance regimes. Interactions and negotiations with, and input from, stakeholders are assumed to be necessary when stakes of the various actors involved are high, norms and values diverge, and when there is high uncertainty about causes of the policy problem or impacts of alternative policy programs – i.e. when 'unstructured' policy problems are at issue. This unstructured problem category is similar to the post normal science type of risk assessment proposed by Funtowicz and Ravetz (1993). In these situations stakeholder involvement is required in all stages of policy-making, including analysis, both in order to get access to relevant information and to create support for policy-making. Examples of this mode of problem solving are discussed in Kloprogge and Van der Sluijs (2006) for the risks of climate change. 'Structured' policy problems, on the contrary, can be solved in a more hierarchical way. Here, policy can be left to public policy-makers; involvement of stakeholders is not needed for analysis or successful problem solving. In this case policy-making has a technical character and is often heavily based on scientific knowledge. In the case of moderately structured, 'means' problems stakeholder involvement is not required for recognition of the problem at issue,
but mainly for the selection of the means by which this goal is to be reached. Since there is high uncertainty about the effectiveness of and stakeholder preferences for various solutions, policy-makers together with stakeholders search for adequate problem-solving activities. Finally, in the case of moderately structured, 'goals' problems there is substantial agreement on certain knowledge but sometimes intense disagreement about norms and values at stake and about the goals that should be set. Interaction with stakeholders is required in order to identify and streamline stakeholder preferences.

Other bodies of literature focus on specific aspects of governance regimes, in particular the role of science in policy (e.g. Funtowicz and Strand, 2008; Gibbons et al., 1994). Many publications in that area emphasize that science often cannot be the only knowledge producer, in particular in the case of uncertainties or moral issues where perceptions of stakeholders diverge and where consensus is required for successful policy (Funtowicz and Strand, 2008). This is in line with Hisschemöller and Hoppe (2001) and Hoppe (2002).

The above literature is useful as a starting point for searching for explanations for EHR governance regimes found in practice and their performance, but there are two aspects that deserve attention. One, the literature discussed is in part normative; it prescribes 'ideal' governance responses in particular situations. However, in practice problems that can be characterized as 'unstructured' are not always dealt with according to what the literature suggests. For finding explanations for the presence of certain governance regimes therefore also other aspects may be relevant (e.g. the existence of diverging interests and power relations; see also Flyvbjerg, 1998). Two, the literature starts from problems that have been accepted on societal and political agendas and does not explicitly address the issue of when problems become accepted. In the case of EHRs (and risks in general) calamities often are followed by intense public and political reactions irrespective of the chance of such events. Risk awareness can also be created by 'policy entrepreneurs' with an interest to bring together problem-owners, decision-makers and solutions (Kingdon, 1995).

2.5 Towards an analytical framework for evaluating EHR governance regimes

Figure 2 brings together the elements of our analytical framework that we discussed above. (Block) arrows indicate the types of relationships between the elements that we expect to find in empirical analysis. Feedback loops from EHR governance regimes and their outcomes to their context are possible, but for the sake of this paper ignored in the figure.

Figure 2. Analytical framework for characterizing, explaining and evaluating EHR governance regimes. Source: Authors.

3 UNDERSTANDING EHR GOVERNANCE IN PRACTICE: ILLUSTRATION

Rather than predefining distinct configurations of EHR governance regimes and analyzing and evaluating these, we suggest taking the elements from the analytical framework presented above to identify distinct EHR governance regimes and developments in these regimes from observations in practice. In this Section we will illustrate the value of the analytical framework by analyzing and evaluating EHR governance regimes at the macro level encompassing shifts in EHR regimes in general. Our framework however can also be used for micro level analyses focusing on distinct regimes for a particular EHR in a particular country and time period.

In a quick-scan survey conducted in 2007 Soer et al. (2008) compared trends in EHR governance in the Netherlands with those in nine European countries, the U.S. and Australia. The authors observe shifts that they summarize as a turn from a 'traditional', specialized approach to a more integrated and differentiated approach. How can this trend be analyzed, understood and evaluated from our analytical framework? Below we will first describe and evaluate the traditional approach to EHR governance and then try to explain shifts and make an ex ante evaluation of them.

3.1 'Specialized' EHR governance regimes

3.1.1 Characterizing EHR governance regimes
The traditional way of dealing with EHRs as could be observed in many western countries as from the Industrial Revolution can be summarized as follows (e.g. Fiorino, 1990; Heriard-Dubreuil, 2001; O'Riordan, 1985; Sunstein, 2002):
• Regarding the role of stakeholders: usually government agencies set standards in hierarchical ways. (Formal) public participation is limited or absent. Informal influences by stakeholder groups however do exist (see below);
• Regarding the role of science: scientists are the logical providers of knowledge on the nature and severity of EHRs and levels at which health risks are acceptable;
• Regarding principles underlying EHR standards: standards are based primarily on estimated health impacts, preferably based on scientific risk assessments. Cost-benefit and other considerations usually do not play a major role in an early stage of EHR governance, i.e. in the definition of standards;
• Regarding standards: Environmental health risks are dealt with on an individual basis. Where possible quantified standards are formulated that are generic, i.e. apply to all of the situations specified and do not discriminate between groups of people. This results in detailed standards, which is one of the reasons why this approach is often considered 'technocratic'. Compensation of health risks geographically or between groups of people (either concerning one specific risk type or between different risk types) usually is not allowed;
• Regarding policy instruments: a linear approach to EHR governance is taken: implementation and the selection of instruments (of which legislation and licenses are typical) follows after risk assessment and standard-setting and does not play a large role in earlier stages of EHR policy.

Today this approach, which can be called 'specialized' due to its focus on individual EHRs, still can be observed worldwide. In Europe, for instance, this approach is visible in the EU Directives regulating concentrations of particulate matter and other EHRs.

3.1.2 Explaining 'specialized' EHR regimes
The technocratic and hierarchical character of EHR regimes reflects wider ideas on the role of governments in society, which were dominant in Western, liberal societies until some two decades ago. (Central) governments were considered to have a strong and leading role in addressing social problems and there was much faith in the contribution that science could have in enhancing the effectiveness and efficiency of government policy (Fischer, 1997; Van de Riet, 2003). This has become institutionalized in very specialized (and growing) bureaucracies and an important role of (institutionalized) science-based knowledge providers ('policy analysis').

3.1.3 EHR governance outcomes and explanations
The 'specialized' approach has resulted in the reduction of various health risks. For instance, in the Netherlands air and water quality improvements were realized and smog levels were reduced dramatically, whereas the noise problem was stabilized (Keijzers, 2000). A similar picture emerges if we take a European perspective (e.g. EEA, 2003, 2007 regarding air and water quality). Yet, the traditional approach to EHRs also encountered various (often interrelated) problems, which at least in part can be explained by characteristics of the EHR governance regime configuration.

First, various examples are known of EHRs with severe health consequences that have not been regulated at all. An important explanation is found in limitations in scientific knowledge, hindering the setting of clear EHR standards (Health Council of the Netherlands, 1995; Open University, 1998; U.S. EPA, 2004; VROM, 2004). However another explanation is found in powerful lobbies of interest groups that succeed in lowering EHR standards (see for instance Hood et al., 2004 for the U.K. situation). Here strong economic interests and weak(ly presented) public (health) interests result in deadlock situations; EHRs not being actively dealt with. A third explanation lies in the principles behind EHR standard setting, where cost-benefit considerations usually are not of primary importance. This has resulted in, what is perceived as, excessive costs of meeting EHR standards (e.g. Health Council of the Netherlands, 1995). An example is soil quality; in many western countries including for instance Denmark and the Netherlands there are vast amounts of land polluted by industrial activities that need to be cleaned up but for which funding is lacking (Soer et al., 2008). Another example is radon gas in buildings, causing lung cancer. At least in the Netherlands, the costs of reducing this risk are perceived as excessive (VROM, 2004). A fourth explanation of EHRs not actively being taken up is that it is not always clear which societal actor should take responsibility of dealing with EHRs, in particular when those causing risks or in control of instruments for reducing EHRs can be distinguished clearly or when governments are expected to deregulate (Renn, 2006; U.K. H.M. Treasury, 2005; VROM, 2004). It should be noted that also examples are found of EHR policies that have been criticized due to a limited scientific basis or low cost-effectiveness. In the Netherlands for instance millions of euros were made available for research on health effects of radiation from mobile phone transmitting stations in response to public concerns, while there was little scientific evidence of such effects. This illustrates an important other shortcoming of the specialized approach: difficulties in reconciling 'objective' scientific EHR assessments and 'subjective' EHR perceptions by the public. Perceptions of stakeholders are considered to have become more important due to scientific limitations, democracy concerns and a growing
dependence of governments on stakeholders. Even though knowledge has been built on the variables that affect the perceived seriousness of risks (e.g. voluntariness and personal control, the catastrophic potential, emotional associations with the risk, trust in regulatory agencies, etc.) and guidelines are available for taking public perceptions of EHRs explicitly into account (e.g. Klinke and Renn, 2002), this issue has thus far been addressed only marginally in EHR governance regimes (e.g. in the Netherlands and elsewhere a distinction is made for external safety between ‘individual risk’ and ‘group risk’, based on the societal impact of a group of people killed or injured in comparison to individual casualties). Yet an overall framework for incorporating public concerns is lacking.

A second and related problem is that realizing EHR standards or setting stricter EHR standards is often hindered by conflicts between EHR objectives and those of other policy domains, in particular spatial planning. In intensively used urban areas in particular, further spatial developments are often hindered by strict EHR norms (e.g. Glasbergen, 2005; Wheeler and Beatley, 2004). Yet the institutional context, which places responsibility for EHR governance mainly with state agencies that, in addition, often prescribe detailed (minimum) standards for EHRs, does not provide an incentive for the actors involved (manufacturers, planners, etc.) to reduce EHRs beyond the legal minimum standards or to find innovative ways of reducing EHRs (Health Council of the Netherlands, 1995).

A third problem with the specialized approach relates to difficulties in dealing with ‘cumulative’ effects of EHRs (e.g. Health Council of the Netherlands, 1995; U.S. EPA, 2004). On the one hand, such effects are overlooked in the case of source-based regulations (in contrast to effect-based regulations, such as the EU Directives for air pollution that prescribe maximum concentrations of, for instance, particulate matter). On the other hand, problems exist because of a lack of knowledge on the combined effect of different EHRs (e.g. Robinson and MacDonell, 2006; VROM, 2004). Apart from that, the specialized approach sometimes results in ‘risk migration’ (see Section 2.3).

3.2 ‘Integrated’ and ‘differentiated’ EHR governance regimes

3.2.1 Characterizing EHR governance regimes
A recent quick-scan survey of trends in EHR governance in ten European countries, the U.S. and Australia (Soer et al., 2008) revealed various changes in EHR governance regimes in these countries. It should be noted that these trends are not found in all of these countries with the same intensity. Nevertheless the study points to the following changes in the elements of EHR governance regimes outlined in our analytical framework (see Figure 2):
• Regarding the role of stakeholders: the public and other stakeholders are increasingly involved in the formulation and implementation of EHR governance regimes. Not only is a more participatory approach to EHRs increasingly considered necessary in order to create support for EHR policies, it also stems from a desire to make other stakeholders co-responsible for preventing and reducing EHRs (Renn, 2006; U.K. H.M. Treasury, 2005; Soer et al., 2008; VROM, 2004). Participation sometimes serves to create legitimacy and trust, for instance in the U.K., where public protest arose after the public was exposed to ‘unacceptable’ risks relating to, among other things, BSE (Fisher, 2000);
• Regarding the role of science: a few efforts have been made to reconcile scientific and stakeholder risk perceptions. The U.K. H.M. Treasury (2005), for instance, has proposed to make ‘concern assessment’ an integral part of risk management. Since 2006 there is a legislative requirement to attempt to incorporate public opinion in the decision-making process by means of such an assessment, although it is recognized that “public attitudes to risk are difficult to measure” and that “public concerns may be founded on ignorance, false information, unreliable media reporting, etc.” (U.K. House of Lords, 2006: 6). Eventually it is up to decision-makers to determine the relative weight of such factors;
• Regarding principles underlying EHR standards: cost-benefit, economic and other concerns are more explicitly (and perhaps also more intensively) included in EHR assessments (e.g. U.K. H.M. Treasury, 2005; VROM, 2004). In this way a better integration of EHR standard setting and EHR implementation is also pursued. There are, however, also countries that explicitly do not consider costs or feasibility in the risk assessment and standard setting stage (e.g. Australia and the U.S.; Soer et al., 2008);
• Regarding standards: an increased differentiation can be discerned. In the Netherlands, for instance, some experiments have been conducted with giving urban planners more policy freedom in the formulation of area-specific environmental ambitions (Runhaar et al., 2009). In this way a better coordination and local optimization of environmental (health) planning and spatial planning is facilitated. These experiments allow for a limited form of differentiation of environmental objectives (in a spatial sense). Compensation, that is, a lower environmental quality in one domain being offset by an improvement in another, was also envisaged, but appeared impossible (also in light of EU Directives). Also in Scotland it is legally possible to generate
area-specific environmental standards (Soer et al., 2008). Obviously differentiation of EHR standards is not a new phenomenon; in the past, however, differentiation usually related to predefined situations. Differentiation is also envisaged in another form: an explicit and deliberate (rather than an ad hoc) differentiation of EHR governance regimes for distinct types of EHRs. Up to now several countries, including the Netherlands, Malta and the United Kingdom, have announced that they will adopt such an approach (Soer et al., 2008). Yet implementation is still at an early stage. It is therefore still uncertain whether or not this type of differentiation is feasible, realistic, or even desirable;
• Regarding policy instruments: risk assessment and management are more integrated. Also, EHR objectives are increasingly integrated in other sectors, in particular in spatial planning. Examples of such countries are Australia, Germany and the Netherlands. Regularly used tools for better incorporating EHRs in spatial planning are Health Effect Screenings, Health Impact Assessments and Strategic Environmental Assessments. In Malta integration between policy sectors is pursued through the formation of an inter-departmental committee on environment and health (Soer et al., 2008).

On a more abstract level, these trends reflect a change to more integration (of cost-benefit and other considerations in EHR standard-setting; of stakeholders in the formulation and implementation of EHR governance regimes; and of EHR objectives in other policy sectors) and more differentiation of EHR standards (partly as a consequence of the former shifts).

3.2.2 Explaining ‘specialized’ EHR regimes
The shifts in EHR governance regimes discussed above stem in part from the problems with the ‘specialized’ approach. In the Netherlands, for example, EHR planners have differentiated norms for soil quality according to land use functions. Soil norms for houses are stricter than those for industrial areas. The same approach has been followed as regards noise nuisance risks (Glasbergen, 2005). This differentiated approach is based on a desire to realize EHR reductions in a more cost-effective manner and to better reconcile EHR policies and spatial policies. Setting EHR standards based on ‘best available technology’ (BAT) or on what is ‘reasonably practicable’ (ALARP) is another well-known approach to reconciling EHR reduction and economic concerns. In this context these shifts can be considered as ways to overcome the outcomes of more ‘specialized’ regimes.

However, the above shifts can also be explained by more general developments in the broader societal context. The trend towards more public and stakeholder participation and integration of policy sectors forms part of a broader shift towards more integrated approaches to dealing with societal issues in Western, liberal societies, which is commonly referred to as a change in planning from ‘government’ to ‘governance’. There is no agreed-upon definition of what governance entails (Jordan et al., 2005). Yet often-mentioned characteristics are: a decline of central government’s ability to regulate society in a top-down fashion, resulting in more horizontal forms of steering in cooperation with other government tiers and stakeholders outside the government; a more direct and early inclusion of stakeholders in the formulation and implementation of policies; shared responsibilities between state, civil society and market actors in the formulation and implementation of policies; and (as a consequence) a blurring of the traditional boundaries between state, civil society and market (Van Kersbergen and Van Waarden, 2001). Two important causes of this trend towards governance are a (perceived) ineffectiveness of central government policy due to, among other things, limits to the extent to which society can be known and steered, and the plea for more direct democracy.

3.2.3 ‘Specialized’ EHR regimes: Outcomes, explanations and challenges ahead
The shift towards more integration and differentiation is observed in several countries but is far from crystallized. In many of the countries examined, plans are at immature stages or even only under consideration. Not much experience has been built up with increased integration and differentiation in EHR policies. Yet a few new dilemmas were identified, including the weighing of stakeholder opinions against scientific inputs and the weighing of health concerns against other concerns (see also Glasbergen, 2005 and Runhaar et al., 2009). In addition, EHR planners state that they lack a clear framework for systematically dealing with EHRs. ‘Old’ problems include a lack of (scientific) data (e.g. on cumulative and risk migration effects), insufficient funding and problems in communication between EHR planners, other sectoral planners and stakeholders. Finally, a potential risk of more integration is the compromising of EHR standards in favor of other ambitions (Soer et al., 2008).

It is far from certain that more integrated and differentiated governance regimes will completely replace more traditional EHR regimes. In Europe, EHRs are increasingly targeted at a supranational level (EU) by means of Directives that prescribe strict and uniform standards for acceptable EHRs. It is interesting to examine how these various forms of EHR regimes interact.
4 CONCLUSIONS

Given the limited attention being paid to EHR governance regimes in risk research, our aim was to develop an analytical framework for characterizing, explaining and evaluating such regimes. Based on a review of relevant literature we developed a framework, which we illustrated by means of some macro trends we observed in some Western countries.

The framework seems to be useful for guiding research into the above area as it allows for a systematic examination of relevant elements and possible relationships. In the analysis of recent shifts in EHR governance, which we discussed as an illustration of our framework, not all elements were elaborated in much detail. Cultural influences on governance regimes, for instance, may be identified more explicitly in an international comparative study.

We suggest that further research is conducted in order to classify EHR governance regimes with the aid of our framework. What distinct configurations can be found in practice, next to the (perhaps artificially constructed) ‘specialized’ approach we discussed? And what relations between the various elements exist? The shifts towards integration and differentiation identified in the quick-scan survey conducted by Soer et al. (2008) may act as a starting point. Three remarks should be made here. One, in this study only a (probably non-representative) sample of countries was included. Two, the shifts identified were not observed in each of the sample countries with the same intensity. Three, the survey focused on the main characteristics of national EHR governance regimes; no in-depth research was conducted into specific EHRs. However, many of the trends that we observed are similar to those reported by, for instance, Amendola (2001), De Marchi (2003), Heriard-Dubreuil (2001) and Rothstein et al. (2006).

REFERENCES

Alcock, R.E. & Busby, J. 2006. Risk migration and scientific advance: the case of flame-retardant compounds. Risk Analysis 26(2): 369–381.
Amendola, A. 2001. Recent paradigms for risk informed decision making. Safety Science 40(1–4): 17–30.
Bunting, C. 2008. An introduction to the IRGC’s risk governance framework. Paper presented at the Second RISKBASE General Assembly and Second Thematic Workshop WP-1b, May 15–17. Budapest: Hungary.
De Marchi, B. 2003. Public participation and risk governance. Science and Public Policy 30(3): 171–176.
Douglas, M. & Wildavsky, A. 1982. How can we know the risks we face? Why risk selection is a social process. Risk Analysis 2(2): 49–51.
EEA. 2001. Late lessons from early warnings: the precautionary principle 1896–2000. Copenhagen: European Environmental Agency.
EEA. 2003. Europe’s water: An indicator-based assessment. Copenhagen: European Environmental Agency.
EEA. 2007. Air pollution in Europe 1990–2004. Copenhagen: European Environmental Agency.
Fiorino, D.J. 1990. Citizen participation and environmental risk: a survey of institutional mechanisms. Science, Technology & Human Values 15(2): 226–243.
Fischer, F. 1997. Evaluating public policy. Chicago: Nelson-Hall Publishers.
Fisher, E. 2000. Drowning by numbers: standard setting in risk regulation and the pursuit of accountable public administration. Oxford Journal of Legal Studies 20(1): 109–130.
Flyvbjerg, B. 1998. Rationality and power. Democracy in practice (translated by S. Sampson). Chicago/London: University of Chicago Press.
Funtowicz, S.O. & Ravetz, J.R. 1993. Science for the post-normal age. Futures 25(7): 739–755.
Funtowicz, S. & Strand, R. 2008. Models of science and policy. In T. Traavik & L.C. Lim (eds), Biosafety first: holistic approaches to risk and uncertainty in genetic engineering and genetically modified organisms. Trondheim: Tapir Academic Press (forthcoming).
Gibbons, M., Limoges, C., Nowotny, H., Schwartzman, S., Scott, P. & Trow, M. 1994. The new production of knowledge: the dynamics of science and research in contemporary societies. London: Sage.
Glasbergen, P. 2005. Decentralized reflexive environmental regulation: opportunities and risks based on an evaluation of Dutch experiments. Environmental Sciences 2(4): 427–442.
Health Council of the Netherlands. 1995. Niet alle risico’s zijn gelijk: kanttekeningen bij de grondslag van de risicobenadering in het milieubeleid (Not all risks are equal: a critical approach to environmental health risk policy; in Dutch). The Hague: Gezondheidsraad.
Heriard-Dubreuil, G.F. 2001. Present challenges to risk governance. Journal of Hazardous Materials 86(1–3): 245–248.
Hisschemöller, M. & Hoppe, R. 2001. Coping with intractable controversies: the case for problem structuring in policy design and analysis. In M. Hisschemöller, R. Hoppe, W.N. Dunn & J.R. Ravetz (eds), Knowledge, power, and participation in environmental policy analysis: 47–72. New Brunswick/London: Transaction Publishers.
Hollander, A. de & Hanemaaijer, A. 2003. Nuchter omgaan met risico’s (Dealing sensibly with risks; in Dutch). Bilthoven: Netherlands Environmental Assessment Agency.
Hood, C., Rothstein, H. & Baldwin, R. 2004. The government of risk. Oxford: Oxford University Press.
Hoppe, R. 2002. Cultures of public policy problems. Journal of Comparative Policy Analysis: Research and Practice 4(3): 305–326.
Jordan, A., Wurzel, R.K.W. & Zito, A. 2005. The rise of ‘new’ policy instruments in comparative perspective: has governance eclipsed government? Political Studies 53(3): 477–496.
Keijzers, G. 2000. The evolution of Dutch environmental policy: the changing ecological arena from 1970–2000 and beyond. Journal of Cleaner Production 8(3): 179–200.
Kersbergen, K. van & Waarden, F. van. 2001. Shifts in governance: problems of legitimacy and accountability. The Hague: Social Science Research Council.
Kingdon, J.W. 1995. Agendas, alternatives, and public policies. New York: Harper Collins College.
Klinke, A. & Renn, O. 2002. A new approach to risk evaluation and management: risk-based, precaution-based, and discourse-based strategies. Risk Analysis 22(6): 1071–1094.
Kloprogge, P. & Sluijs, J.P. van der. 2006. The inclusion of stakeholder knowledge and perspectives in integrated assessment of climate change. Climatic Change 75(3): 359–389.
Neumann, P. & Politser, R. 1992. Risk and optimality. In F. Yates (ed.), Risk-taking Behaviour: 27–47. Chichester: Wiley.
Open University. 1998. Risico’s: besluitvorming over veiligheid en milieu (Risks: decision-making on safety and the environment; in Dutch; course book). Heerlen: Open University.
O’Riordan, T. 1985. Approaches to regulation. In H. Otway & M. Peltu (eds), Regulating industrial risks. Science, hazards and public protection: 20–39. London: Butterworths.
Rayner, S. & Cantor, R. 1987. How fair is safe enough? The cultural approach to societal technology choice. Risk Analysis 7(1): 3–9.
Renn, O. 2006. Risk governance. Towards an integrative approach. Geneva: International Risk Governance Council.
Riet, O. van de. 2003. Policy analysis in multi-actor policy settings. Navigating between negotiated nonsense and superfluous knowledge. Ph.D. thesis. Delft: Eburon Publishers.
Robinson, P. & MacDonell, M. 2006. Priorities for mixtures health effects research. Environmental Toxicology and Pharmacology 18(3): 201–213.
Rothstein, H., Irving, Ph., Walden, T. & Yearsley, R. 2006. The risks of risk-based regulation: insights from the environmental policy domain. Environment International 32(8): 1056–1065.
Runhaar, H.A.C., Driessen, P.P.J. & Soer, L. 2009. Sustainable urban development and the challenge of policy integration. An assessment of planning tools for integrating spatial and environmental planning in the Netherlands. Environment and Planning B 36(2) (forthcoming).
Sluijs, J.P. van der. 2007. Uncertainty and precaution in environmental management: insights from the UPEM conference. Environmental Modelling and Software 22(5): 590–598.
Soer, L., Bree, L. van, Driessen, P.P.J. & Runhaar, H. 2008. Towards integration and differentiation in environmental health-risk policy approaches: An international quick-scan of various national approaches to environmental health risk. Utrecht/Bilthoven: Copernicus Institute for Sustainable Development and Innovation/Netherlands Environmental Assessment Agency (forthcoming).
Stoker, G. 1998. Governance as theory: five propositions. International Social Science Journal 50(155): 17–28.
Sunstein, C.R. 2002. Risk and reason. Safety, law, and the environment. New York: Cambridge University Press.
U.K. H.M. Treasury. 2005. Managing risk to the public: appraisal guidance. London: H.M. Treasury.
U.K. House of Lords. 2006. Economic Affairs: Fifth Report. London: House of Lords.
UNESCO COMEST. 2005. The precautionary principle. Paris: UNESCO.
U.S. EPA. 2004. Risk assessment principles and practices. Washington: United States Environmental Protection Agency.
VROM. 2004. Nuchter omgaan met risico’s. Beslissen met gevoel voor onzekerheden (Dealing sensibly with risks; in Dutch). The Hague: Department of Housing, Spatial Planning, and the Environment.
Wheeler, S.M. & Beatley, T. (eds). 2004. The sustainable urban development reader. London/New York: Routledge.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: The term “safety margin” has become a keyword when discussing the safety of nuclear plants, but there is still much confusion about the use of the term. In this paper the traditional concept of safety margin in nuclear engineering is described, and the need to extend the concept to out-of-design scenarios is set out. A probabilistic definition of safety margin (PSM) is adopted for a scalar safety output at a scenario-specific level. The PSM is easy to generalize (to initiating events, multiple safety outputs, analytical margins) and, combined with the frequencies of initiators and accidents, makes up the plant risk. Both deterministic and probabilistic approaches to safety assessment find an easy explanation in terms of the PSM. The role of probabilistic margins in the safety assessment of plant modifications is discussed.
Figure 1. Safety margins in the analysis of Design Basis Transients and accidents.
it is possible to define class-specific acceptance criteria in terms of extreme allowed values of the safety variables, also called safety limits.

In this context, the concept of safety margin is applied on a scenario-specific basis and its meaning can be agreed without much difficulty. However, even at the single-scenario level, a great variety of margins appear and all of them can properly be called safety margins. Figure 1 tries to represent these margins and how they relate to each other.

In this figure, the two left-most columns represent the barrier analysis and the two on the right side represent the analysis of radiological consequences. In the first column, a particular safety variable in a particular DBT is represented. Since the DBT is an enveloping scenario, the extreme value of the safety variable in the enveloped transients will stay below the value of the same variable in the DBT, which should, in turn, stay below the acceptance criterion or safety limit. There will be as many “left-most columns” as the number of safety variables times the number of DBT. This is indicated in Figure 1 by the dashed ellipse entitled “Other S.V. and Acc. Crit.” In every one of these columns there will be an Analytical Margin and a Licensing Margin.

Each safety variable and its corresponding safety limit are selected to prevent a particular failure mode of a protection barrier. However, the safety limit is not a sharp boundary between safety and failure. Exceeding the safety limit means that there are non-negligible chances of a given failure mode but, in most cases, there is a margin (the Barrier Margin in figure 1) between the safety limit and the actual failure. A given failure mode of a particular barrier can result from a variety of transients, as indicated by the converging arrows linking the first two columns of figure 1. As in the previous case, there are several possible modes of failure of each barrier, as indicated by the dashed ellipse “Other barrier failures”. Each combination of barrier failures and type of accident gives rise to a particular release of radioactive products (source term), as indicated by the converging arrows linking the second and third columns. Again, a limited set of enveloping DBT is selected in order to perform the source term analysis. These DBT will be, in general, fewer and different from those used in the barrier analysis. The selection of DBT for source term analysis and the analysis of these DBT to confirm that they remain below the Source Term Reference Limit introduce two new margins, identified as Source Term Analytical Margin and Source Term Margin in figure 1.

Finally, the radiological effects of the source term are calculated in terms of doses. The use of the Source Term Margin allows the dose calculations to be decoupled from the source term analysis. If the doses resulting from a release equal to the Source Term Reference Limit are lower than the Authorised Dose Limit, any change in the source term analysis does not force a recalculation of doses, provided that the new source term remains below the reference limit. The drawback of this approach is that it could make the application of the ALARA principles more difficult. In any case, the difference between the calculated dose and the Authorised Dose Limit is an additional margin, identified as Dose Margin in figure 1.
A Global Plant Margin is indicated in figure 1. However, this is only a qualitative concept. Note that each column of figure 1 corresponds to a different physical magnitude and, therefore, they cannot simply be summed up. In addition, we have concurrent margins that cannot easily be combined into a single margin measurement. It is clear that an adequate Global Plant Margin can only exist if all the partial margins exist. Moreover, the larger the partial margins, the larger the plant margin. However, a quantification of the Global Plant Margin is not possible.

3 THE NEED TO EXTEND THE CONCEPT OF SAFETY MARGIN

The analysis framework proposed by the SMAP group consists of an adequate combination of traditional deterministic (analysis of DBT) and probabilistic (PSA) techniques. The use of event and fault trees, similar to those of PSA, applied to the assessment of any safety objective, is combined with simulation techniques, typical of DBT analyses, in order to quantify the exceedance frequencies of the limits that define the safety objectives being assessed. These exceedance frequencies are then used as risk indicators that characterize the overall plant safety.

The concept of safety margin proposed in this paper is an extension of the traditional concept of safety margins (as depicted in figure 1) and is especially suited to methodologies that, like SMAP, aim to answer the question of the sufficiency of safety margins.
When V < L, the acceptance criterion for V is fulfilled, and the result is successful or acceptable. On the contrary, when V > L, the limit is violated and the result is failed or unacceptable. When L has no uncertainty, the region V < L is the acceptance region for V and the complementary set V ≥ L is the rejection or forbidden region for V. Whenever L is uncertain such regions can still be defined, bearing in mind that they have random or uncertain boundaries. With this proviso, the safety margin can be defined as a measure of the distance from the safety output to the forbidden region V ≥ L. Uncertainties are to be considered in the safety margin definition.

The view of V and L as random variables is analogous to the load-capacity formulation in Classical Reliability (figure 2). V can be viewed as the load on a static component, whose capacity or resistance is L. The component fails whenever its capacity is overcome by the load.

A classical choice for the safety margin of V in A is:

$\mathrm{SM}(V;A) \equiv \mathrm{Max}\{k\gamma D, 0\}$ (2)

for every sequence $A_i$, $i = 1, \ldots, S$, and the problem is posed of how to combine them in order to obtain the safety margin for the initiator IE. With a definition such as (2) the combination of safety margins is not straightforward. Therefore, a better definition of margin should be found.

A probabilistic definition of safety margin has been proposed (Martorell et al. 2005, Mendizábal et al. 2007). For our setting, we define:

$\mathrm{PSM}(V;A) \equiv \mathrm{PR}\{V < L/A\}$ (4)

or, from (1):

$\mathrm{PSM}(V;A) \equiv \mathrm{PR}\{D > 0/A\}$ (5)

namely, it is the probability of V being under its limit, conditioned on the occurrence of the accident A. The probabilistic safety margin (PSM) is the probability that the calculated V during A is in the safe region. Such probability is implicitly conditioned on the use of the predictive model M.

A general definition of the PSM is:
– Its use can be extended to other situations, for instance to analytical safety margins
– PSMs can be generalized to multidimensional safety outputs and to combinations of accident sequences (e.g. initiating events)
– PSMs combine according to the laws of probability

The probability in (4) and (5) corresponds to the calculation uncertainty of V and L, sometimes called epistemic uncertainty, as opposed to the aleatory uncertainty arising from the unpredictability of the accidents (i.e. related to the occurrence of initiators, additional failures, some phenomena, etc.). In some sense, thus, the PSM for an accident sequence reflects the lack of knowledge about the behaviour of safety variables.

The probability of V exceeding the limit is one minus the PSM:

$1 - \mathrm{PSM}(V;A) = \mathrm{PR}\{V \ge L/A\}$ (9)

That is, the margin for the initiator is a weighted average of the margins for the sequences, the weight being the conditional probability. This is an example of how probabilistic margins combine. The same expression holds for the exceedance probabilities.

Now, let us suppose a safety barrier B having several failure modes, the i-th failure mode being typified by a safety output $V_i$ with an upper safety limit $L_i$, $i = 1, \ldots, F$. A safety margin can be assigned to the barrier, conditioned on the accident A:

$\mathrm{PSM}(B;A) \equiv \mathrm{PR}\left\{\bigcap_{k=1}^{F} (V_k < L_k)/A\right\}$ (12)

which is the probability of no failure conditioned on A. It is a generalization of the PSM for a multidimensional safety output. Whenever the random variables $V_i$ are independent, the probability in (12) factorizes and

$\mathrm{PSM}(B;A) = \prod_{k=1}^{F} \mathrm{PR}\{V_k < L_k/A\} = \prod_{k=1}^{F} \mathrm{PSM}(V_k;A)$ (13)

This is another example of how probabilistic margins can merge into another margin.

Now let us focus again on the scalar safety output V and consider all the initiating events $IE_i$, $i = 1, \ldots, M$, that can start accidents challenging V. The frequency of V exceeding the limit L is:

$\nu(V > L) = \sum_{i=1}^{M} \nu_i \left(1 - \mathrm{PSM}(V;IE_i)\right)$ (14)

where $\nu_i$ is the frequency of $IE_i$. In (14) the frequencies of initiators combine with the exceedance probabilities:

5 CALCULATION OF PROBABILISTIC SAFETY MARGINS

If the probability distributions of V and L are known, the PSM is calculated as a convolution integral. But such a situation is rare. Very often, the calculation of V is difficult and time-consuming, so that the large random samples needed to confidently calculate the probability distribution are almost unthinkable.

The PSM can be calculated by means of Monte Carlo methods. Random values of V are obtained by randomly sampling the inputs to the model M and performing calculations for the accident A. The same procedure may yield random values for the limit L. Then, the PSM can be estimated by means of statistical methods. For instance, the same methods used in Reliability for the estimation of component failure-on-demand probabilities can be applied to the PSM; a survey of such methods can be found in (Atwood 2003). For an exposition of the estimation of PSM we refer to (Mendizábal et al. 2007, 2008). Strategies
of variance reduction (e.g. importance sampling) can be implemented in the Monte Carlo method.

6 PROBABILISTIC SAFETY MARGINS AND DETERMINISTIC SAFETY ASSESSMENT

$\mathrm{PR}\{V < L/IE\} = \int_{-\infty}^{V_b} f_L(s)\, F_V(s;IE)\, ds + \int_{V_b}^{+\infty} f_L(s)\, F_V(s;IE)\, ds$ (16)

$F_V$ is an increasing function, and hence

$\int_{V_b}^{+\infty} f_L(s)\, F_V(s;IE)\, ds > F_V(V_b;IE) \int_{V_b}^{+\infty} f_L(s)\, ds = F_V(V_b;IE)\,[1 - F_L(V_b)]$ (17)

Figure 3. Lower limit to the probabilistic safety margin.
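As an added worked example (not the paper's code, nor anything from the SMAP group), the following Python puts the definitions of sections 4 and 5 and the bound (16)–(17) into runnable form: the exact PSM for normally distributed V and L, its Monte Carlo estimate with an exact binomial lower confidence bound of the failure-on-demand kind section 5 refers to, the barrier factorization (13), the exceedance frequency (14), and the lower bound PR(V ≤ V_b)·PR(V_b < L) on the PSM of an initiator. All distributions, parameter values, initiator frequencies and function names are constructed assumptions of this example.

```python
"""Probabilistic safety margin (PSM) arithmetic following the paper's definitions.

Constructed illustrative example, not the paper's code. V is a scalar safety
output (think of a peak cladding temperature in degrees C) and L its safety
limit; both are modelled as independent normal random variables with made-up
parameters. Every number below is an assumption chosen for illustration.
"""
import math
import random


def normal_cdf(x, mu, sigma):
    """CDF of N(mu, sigma^2) evaluated at x."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))


def psm_exact_normal(mu_v, sd_v, mu_l, sd_l):
    """Eqs. (4)/(5): PSM = PR{V < L} = PR{D > 0} with D = L - V.

    For independent normal V and L, D is normal with mean mu_l - mu_v and
    standard deviation sqrt(sd_v^2 + sd_l^2), so the convolution integral of
    section 5 has a closed form: PR{D > 0} = 1 - F_D(0).
    """
    return 1.0 - normal_cdf(0.0, mu_l - mu_v, math.hypot(sd_v, sd_l))


def psm_monte_carlo(mu_v, sd_v, mu_l, sd_l, n, seed=12345):
    """Section 5: estimate the PSM by sampling V and L and counting V < L.

    Returns (hits, n); hits / n is the point estimate. The normal sampler
    stands in for the expensive accident calculation with the model M.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        v = rng.gauss(mu_v, sd_v)     # one model run for the accident A
        lim = rng.gauss(mu_l, sd_l)   # the limit L may be uncertain as well
        if v < lim:
            hits += 1
    return hits, n


def psm_lower_confidence_bound(hits, n, alpha=0.05):
    """Exact (Clopper-Pearson) lower 1 - alpha confidence bound on the PSM.

    This is the same statistics as bounding a failure-on-demand probability
    from n demands: the bound p_L solves PR{X >= hits | n, p_L} = alpha for
    X ~ Binomial(n, p_L). Solved by bisection, no third-party library needed.
    """
    if hits == 0:
        return 0.0

    def upper_tail(p):
        return sum(math.comb(n, k) * p ** k * (1.0 - p) ** (n - k)
                   for k in range(hits, n + 1))

    lo, hi = 0.0, 1.0
    for _ in range(60):      # interval halves 60 times: far below 1e-15 width
        mid = 0.5 * (lo + hi)
        if upper_tail(mid) < alpha:
            lo = mid
        else:
            hi = mid
    return lo


def psm_barrier(psms):
    """Eq. (13): PSM of a barrier whose F safety outputs are independent."""
    out = 1.0
    for p in psms:
        out *= p
    return out


def exceedance_frequency(freqs, psms):
    """Eq. (14): nu(V > L) = sum_i nu_i * (1 - PSM(V; IE_i))."""
    return sum(f * (1.0 - p) for f, p in zip(freqs, psms))


def psm_lower_bound_from_dbt(mu_v, sd_v, mu_l, sd_l, v_b):
    """Eqs. (16)-(17): PSM >= PR(V <= V_b) * PR(V_b < L).

    V_b is the value of V in the enveloping design basis transient. The bound
    needs only two marginal probabilities instead of the full convolution.
    """
    return normal_cdf(v_b, mu_v, sd_v) * (1.0 - normal_cdf(v_b, mu_l, sd_l))


def exceedance_frequency_bound(freqs, bounds):
    """Upper bound on nu(V > L) obtained by putting the lower bounds on the
    per-initiator PSMs into (14), one term per initiating event."""
    return sum(f * (1.0 - b) for f, b in zip(freqs, bounds))


if __name__ == "__main__":
    # Constructed: V ~ N(1100, 50), limit L ~ N(1204, 10), all in degrees C.
    params = (1100.0, 50.0, 1204.0, 10.0)
    exact = psm_exact_normal(*params)
    hits, n = psm_monte_carlo(*params, n=2000)
    print(f"exact PSM {exact:.4f}, Monte Carlo {hits}/{n} = {hits / n:.4f}, "
          f"95% lower bound {psm_lower_confidence_bound(hits, n):.4f}")
    # Two constructed initiators challenging V; frequencies per reactor-year.
    freqs = [1e-2, 1e-3]
    psms = [exact, psm_exact_normal(1150.0, 60.0, 1204.0, 10.0)]
    bounds = [psm_lower_bound_from_dbt(*params, v_b=1180.0),
              psm_lower_bound_from_dbt(1150.0, 60.0, 1204.0, 10.0, v_b=1190.0)]
    print("nu(V > L) =", exceedance_frequency(freqs, psms),
          "<=", exceedance_frequency_bound(freqs, bounds))
    print("barrier PSM, three independent outputs:",
          psm_barrier([0.99, 0.98, 0.995]))
```

With 59 successful runs out of 59 the confidence bound reproduces the familiar result that the PSM exceeds 0.95 at 95% confidence; the bound from the DBT value is always below the exact PSM, so the derived exceedance frequency is an upper bound.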
event, the inequality (18) can be introduced in (14) to yield:

$$
\nu(V > L) < \sum_{k=1}^{M} \nu_k \left[1 - \mathrm{PR}(V \le V_{bk})\,\mathrm{PR}(V_{bk} < L)\right] \qquad (20)
$$

where $V_{bk}$ is the value of $V$ calculated for the k-th design basis transient. (20) trivially transforms into

$$
\nu(V > L) < \sum_{k=1}^{M} \nu_k\, \mathrm{PR}(V \le V_{bk})\, \mathrm{PR}(V_{bk} \ge L) + \sum_{k=1}^{M} \nu_k\, \mathrm{PR}(V > V_{bk}) \qquad (21)
$$

(21) provides an upper bound to the exceedance frequency of the limit L. The first addend on the right hand side represents the contribution of the transients enveloped by the DBTs (those within the design basis) and the second one is the residual contribution stemming from the fraction that is not enveloped (beyond design basis sequences). The right hand side of (21) gives the exceedance frequency of L supposing that the not enveloped fraction gives rise to a limit violation (i.e. progress beyond design basis assumptions) and assigning the probabilistic margin of the DBTs to the enveloped fraction of transients. If the DBT is adequately chosen, the residual term can be neglected against the main one, and the maintenance of the safety margin is assured through the enveloping character and the safety margin of the DBTs. This is the basis of the deterministic design approach.

6.2 Realistic methodologies

In the realistic methodologies of DSA, the value $V_b$ of the output V in the enveloping transient is no longer a constant value but an uncertain variable, its uncertainty coming from the calculation process. But the cornerstone of the method is still valid: the high safety margin is assured through the definition of an enveloping transient with a safety margin high enough. The DBT in realistic methodologies produces less conservative values of the safety outputs than those found in the conservative methodologies, because realistic models and hypotheses are used throughout and few pessimistic assumptions (e.g. the single failure criterion) are maintained. The uncertainties of the outputs are estimated instead.

The probabilistic definition of safety margins is implicit in the nuclear regulation which refers to realistic methodologies applied to DSA. In 1989, the USNRC issued the Regulatory Guide 1.157 in order to give guidance to loss-of-coolant accident (LOCA) analyses performed with best-estimate models. This guide was the realistic counterpart to the overconservative guidance provided in 10 CFR 50.46 and Appendix K to 10 CFR 50, where the acceptance criteria for a LOCA analysis were spelled out in terms of several safety outputs (peak cladding temperature, local maximum oxidation of the cladding, core-wide oxidation) and the limit that they could not surpass. In RG 1.157, the requirement was that during a LOCA the limits are not to be violated with a high probability. The ordinary deterministic criteria were transformed into probabilistic criteria, the probability being related to the uncertainty of the calculated safety outputs.

The BEPU methodologies, supplemented by statistical procedures such as those hinted at in section 5, can be used to estimate the PSM for DBTs. It is important to point out that the estimated PSM has statistical uncertainty, stemming from the finite size of the random samples. Therefore, an acceptance criterion for the PSM of the enveloping transient should read:

$$
\mathrm{PR}\{\mathrm{PSM}(V; DBT) > M_0\} \ge 1 - \alpha \qquad (22)
$$

that is, the margin must be higher than $M_0$, a value close to 1, with a high statistical confidence ($\alpha$ is a low value, say 0.05). When the statistical sample is large enough (a possibility if the calculations with M are not time-consuming), (22) simplifies to:

$$
\mathrm{PSM}(V; DBT) > M_0 \qquad (23)
$$

7 THE ROLE OF PSM: PLANT MODIFICATIONS AND PSM AFFECTATION

So far we have defined probabilistic safety margins as building blocks of the NPP risk. It is on the regulatory side to decide the magnitude of the tolerable damage exceedance frequency as a function of the damage, making up the risk curve against which the design should be checked and a safety margin preserved. It should be noted, see (14), that the exceedance frequency of a safety limit is not conditional on any particular event or sequence but cumulative over all of them. The design involves the characterisation of the initiating events covering all plant conditions and modes of operation (ANS 1983, IAEA 2001) and the delineation of the bounding cases, not necessarily only one case per IE. Building the bounding case, and the methodology used to obtain the exceedance probability of the safety limit, is the core of the designers' job, and its description exceeds the scope of this paper. The classification of the postulated events (within the design basis) is made according to the expected frequency of the initiating event or of the accident sequence. This classification approach should be
made consistent with the above mentioned assertion regarding the cumulative nature of the exceedance frequency criterion. No such classification is made within the realm of PSA, where design basis postulates break down.

In this section we will tackle the role of safety margins when modifications in a plant are being assessed. It is common practice to evaluate the impact of plant modifications on safety from a double perspective: i) deterministic (preservation of the design bases) and ii) probabilistic, estimating the impact of the change on exceedance frequencies of some safety limits.

Concerning i), the impact is customarily assessed against DBTs, verifying that specific limits are not violated. Current regulation requires that, for a plant modification to be acceptable, it should be verified that the frequency of initiating events is not affected and that enough safety margin is preserved for the DBTs. Both elements appear on the right hand side of (21). A thorough evaluation of the new plant conditions is required to confirm that the new plant operating conditions do not increase the expected frequency of initiating events or create new ones, that equipment needed to cope with events will do so according to design and that the magnitude of the damage is kept low. Due to the limited number of events and the bounding approach used in the delineation of sequences, PSM estimation is straightforward, although not an easy task, by means of the BEPU methodologies (Boyack 1989). The frequencies of accident sequences should be calculated by means of probabilistic techniques, including operational experience and precursor analyses. It is important to note that, in standard conservative methodologies, where the safety limits are given without uncertainty, the main term in (21) has contributions only from the DBTs producing limit violations.

As an example, following a plant power increase, it has been observed that the operating conditions of plant equipment will become more demanding in terms of current intensity on the main plant transformers, implying that the frequency of load rejection events may notably increase. Similarly, the new enveloping case assuming a new power rate will result in a decrease of the PSM. Both effects tend to augment the upper bound in (21). As a result, a plant modification will require design changes so as to preserve the frequency of initiating events (modifications on the main transformer) and the safety margin (limiting fuel peaking factors, new fuel designs, . . .). These results can also be achieved by reducing the epistemic uncertainty and the conservative bias of the simulation models used in the calculation of the safety outputs (hidden safety margins).

The evaluation of PSM affectation from the probabilistic perspective is nowadays subject to intense research (SMAP 2007). Several approaches are being explored. Following the standard PSA formalism, the possibility of making use of a limited number of bounding cases like those presented before breaks down, because sequence delineation becomes more complex as the number of headers of the associated event tree increases. On the contrary, thermalhydraulic calculations within PSA do not make use of the BEPU methods, and uncertainty only stems from considerations linked to the failure rates of event tree headers (uncertainty on the frequency of the sequence). Within Consejo de Seguridad Nuclear two convergent approaches are being studied. One of them rests on the concept of dynamic event trees, where sequence delineation is stochastic but conditioned by the past history being generated (Izquierdo & Cañamón 2008). An alternative short term approach makes use of the BEPU methodologies and of current PSA results (Martorell et al. 2005). Such a method focuses on the analysis of standard ‘‘success sequences’’, for which an aggregated PSM and frequency of exceedance are generated. Event tree failed sequences are assumed to have PSM = 0, and a contribution to the frequency of exceedance comes from the ‘‘success sequences’’ once BEPU methods are applied to the most relevant sequences. In both cases the incorporation of uncertainty stemming from the simulation (mainly thermohydraulic) has profound implications. For instance, the concept of cut set should be revised in the presence of such TH uncertainty, and interpreted as a collection of basic events whose simultaneous occurrence implies the violation of the safety limit with a high probability.

8 CONCLUSIONS

The role of safety margins in the safety analysis of nuclear plants is examined in the present paper. The need for a general definition of safety margin is pointed out, and a probabilistic definition of safety margin is proposed. Probabilistic margins can combine with other probabilities and frequencies to make up the exceedance frequencies of safety limits. Both the deterministic and probabilistic approaches to safety analysis find an easy explanation in terms of probabilistic safety margins, as does the safety assessment of plant modifications.

REFERENCES

ANS (American Nuclear Society) 1983. Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants. ANSI/ANS-51.1–1983.
Atwood, C.L. et al. 2003. Handbook of Parameter Estimation for Probabilistic Risk Assessment. Sandia National Laboratories—U.S. Nuclear Regulatory Commission. NUREG/CR-6823.
Boyack, B. et al. 1989. Quantifying Reactor Safety Margins. Prepared for U.S. Nuclear Regulatory Commission. NUREG/CR-5249.
IAEA. 2001. Safety Assessment and Verification for Nuclear Power Plants. Safety Guide. Safety Standard Series No. NS-G-1.2, 2001.
Izquierdo, J.M. & Cañamón, I. 2008. TSD, a SCAIS suitable variant of the SDTDP. Presented to ESREL 2008.
Martorell, S. et al. 2005. Estimating safety margins considering probabilistic and thermal-hydraulic uncertainties. IAEA Technical Meeting on the Use of Best Estimate Approach in Licensing with Evaluation of Uncertainties. Pisa (Italy), September 12–16, 2005.
Mendizábal, R. et al. 2007. Calculating safety margins for PSA sequences. IAEA Topical Meeting on Advanced Safety Assessment Methods for Nuclear Reactors. Korea Institute of Nuclear Safety, Daejon, October 30th to November 2nd 2007.
Mendizábal, R. et al. 2008. Probabilistic safety margins: definition and calculation. Presented to ESREL 2008.
Pelayo, F. & Mendizábal, R. 2005. El carácter determinista del análisis de accidentes en centrales nucleares. Seguridad Nuclear 35: 20–29.
SMAP (Task Group on Safety Margins Action Plan). 2007. Safety Margins Action Plan—Final Report. Nuclear Energy Agency. Committee on the Safety of Nuclear Installations, NEA/CSNI/R(2007)9.
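The upper bound (21) on the exceedance frequency and the acceptance criterion (22)/(23) from sections 6 and 7 above, computed from BEPU-style samples, as an added example that is not code from the paper. It assumes that PSM(V; DBT) is estimated as PR(V_bk < L) for a fixed limit L, that the enveloping probability PR(V ≤ V_bk) is supplied per DBT, and that (22) is checked with a one-sided Clopper-Pearson lower confidence bound; the transients, frequencies, limit and samples are constructed.

```python
"""Upper bound (21) on the exceedance frequency and acceptance criterion (22)/(23).

Added example, not code from the paper. Assumptions (not stated on the page):
  * PSM(V; DBT) is estimated as PR(V_bk < L) from a random sample of the bounding
    value V_bk obtained with a BEPU calculation, for a fixed (non-uncertain) limit L;
  * PR(V <= V_bk), the enveloped fraction of transients, is supplied per DBT;
  * criterion (22) is checked with a one-sided Clopper-Pearson lower confidence bound.
All transients, frequencies, the limit and the samples below are constructed.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DesignBasisTransient:
    name: str
    nu: float                # nu_k: frequency (per year) of the initiating events enveloped by the DBT
    envelop_prob: float      # PR(V <= V_bk): enveloped fraction of those transients
    vb_samples: List[float]  # BEPU sample of the bounding value V_bk (here a temperature, degrees C)


def psm_estimate(vb_samples: List[float], limit: float) -> float:
    """Point estimate of PSM(V; DBT) = PR(V_bk < L) from the sample."""
    return sum(1 for v in vb_samples if v < limit) / len(vb_samples)


def exceedance_upper_bound(dbts: List[DesignBasisTransient], limit: float) -> Tuple[float, float, float]:
    """Right hand side of (21): (enveloped term, residual term, their sum).

    enveloped = sum_k nu_k PR(V <= V_bk) PR(V_bk >= L)   within the design basis
    residual  = sum_k nu_k PR(V > V_bk)                  beyond design basis, counted as a violation
    """
    enveloped = 0.0
    residual = 0.0
    for d in dbts:
        p_limit_exceeded = 1.0 - psm_estimate(d.vb_samples, limit)  # PR(V_bk >= L)
        enveloped += d.nu * d.envelop_prob * p_limit_exceeded
        residual += d.nu * (1.0 - d.envelop_prob)                    # PR(V > V_bk)
    return enveloped, residual, enveloped + residual


def binomial_upper_tail(n: int, x: int, p: float) -> float:
    """P(X >= x) for X ~ Binomial(n, p); exact, standard library only."""
    return sum(math.comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(x, n + 1))


def psm_lower_bound(n_below: int, n_total: int, alpha: float = 0.05) -> float:
    """One-sided (1 - alpha) lower confidence bound on PSM from n_below of n_total samples below L.

    Clopper-Pearson: the smallest p for which observing at least n_below samples below L
    still has probability >= alpha. Found by bisection, since the upper tail grows with p.
    With every sample below L this reduces to alpha ** (1 / n_total) (Wilks' formula).
    """
    if n_below == 0:
        return 0.0
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if binomial_upper_tail(n_total, n_below, mid) < alpha:
            lo = mid   # a PSM this small could hardly produce so many samples below L
        else:
            hi = mid
    return lo


def accept_dbt(vb_samples: List[float], limit: float, m0: float = 0.95, alpha: float = 0.05) -> bool:
    """Criterion (22): PR{PSM(V; DBT) > M0} >= 1 - alpha, i.e. the lower confidence bound exceeds M0.

    With a large sample the bound approaches the point estimate and the check becomes (23).
    """
    n_below = sum(1 for v in vb_samples if v < limit)
    return psm_lower_bound(n_below, len(vb_samples), alpha) > m0


# Constructed inputs: two DBTs with 59 samples each (59 is the classic Wilks 95/95 sample size),
# a fixed limit L, and per-DBT frequencies and enveloping probabilities chosen for illustration.
LIMIT = 1204.0  # constructed limit on the bounding safety output
EXAMPLE_DBTS = [
    DesignBasisTransient("load rejection (constructed)", nu=1.0, envelop_prob=0.9999,
                         vb_samples=[1000.0 + 3.0 * i for i in range(59)]),   # all 59 below L
    DesignBasisTransient("small break (constructed)", nu=1e-3, envelop_prob=0.95,
                         vb_samples=[1150.0 + 2.0 * i for i in range(59)]),   # 27 of 59 below L
]


def main() -> None:
    env, res, total = exceedance_upper_bound(EXAMPLE_DBTS, LIMIT)
    print(f"enveloped term {env:.3e}/yr, residual term {res:.3e}/yr, bound (21) {total:.3e}/yr")
    for d in EXAMPLE_DBTS:
        n_below = sum(1 for v in d.vb_samples if v < LIMIT)
        print(f"{d.name}: PSM estimate {psm_estimate(d.vb_samples, LIMIT):.3f}, "
              f"95% lower bound {psm_lower_bound(n_below, len(d.vb_samples)):.4f}, "
              f"accepted with M0 = 0.95: {accept_dbt(d.vb_samples, LIMIT)}")


if __name__ == "__main__":
    main()
```

The second constructed DBT fails (22) because half its sample lies above L, while the first passes only marginally: 59 samples all below L give a 95% lower bound of about 0.9505, just above M0 = 0.95, which is the finite-sample effect the paper's criterion (22) is meant to capture.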
Legislative dimensions of risk management
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
O. Harrami
Swedish Rescue Services Agency, Karlstad, Sweden
Department of Fire Safety Engineering and Systems Safety, Lund University, Lund, Sweden
M. Strömgren
Swedish Rescue Services Agency, Karlstad, Sweden
Division of Public Health Sciences, Karlstad University, Karlstad, Sweden
ABSTRACT: This study gives an overview of approaches for risk management used within the Swedish
Rescue Services Agency (SRSA). The authority’s commission covers a broad spectrum of safety issues. Group
interviews were performed within different sectors of the organisation. The results show that several perspectives
on accidents and different understandings of safety terms exist within the SRSA. How the organisation uses risk
analyses and carries out risk evaluations differs among the sectors. The safety work includes various types
of accidents, injuries and incidents. The SRSA also use a variety of strategies for safety based on tradition,
legislation and political direction. In such an extensive safety authority, it is not unproblematic to coordinate,
govern and regulate safety issues. Different safety paradigms and risk framings have created problems. But these
differences can also give opportunities to form new progressive strategies and methods for safety management.
of risk analysis, a development of competences and methodologies regarding risk management, an extension of the authority's commission to new risk areas and a recent reorganisation.

The commission was the start of work that in time expanded to a more comprehensive study, which also included subjects such as: the use of safety management terms, perspectives on accidents, strategies and processes for risk management, actors, tools for analysis of accident risks (e.g. risk analysis), risk evaluation and safety regulations. The study is described in depth and published in a Swedish report (All et al. 2006).

The objective of this paper is to describe and discuss some themes and underlying principles for risk management in a multifaceted national safety authority.

2 METHOD

The aspects that this paper studies are how the Swedish Rescue Services Agency works with safety, risk analysis, risk assessment and risk evaluation. Structured group interviews were performed with 12 different sectors within the organisation. Interviews were preferred to questionnaires because many of the questions were difficult to express as clear and simple questions. More correct interpretations were also facilitated, since different parts of the organisation use terms and definitions in different ways.

In order to structure the application sectors, several logics and methods of dividing the organisation were considered. The final division was based on a combination of the legislation used, traditions, branches and contexts. The studied sectors are those working with:

1. Fire protection in buildings
2. Transportation of dangerous goods
3. Flammables
4. Explosives
5. Land use planning
6. Natural disasters
7. Environmental and risk appraisal for industry, including Seveso establishments
8. Emergency response support
9. Safety management in municipalities
10. National injury prevention program
11. Emergency preparedness for chemical, biological, radiological and nuclear (CBRN) incidents
12. Supervision, in four different jurisdictions

From each sector two or three key persons were selected for the group interview. The selection of key persons was made in cooperation between the analysis group and the department director of each sector. The key persons should have had long experience of working within that sector, and be aware of the traditions and views prevalent within the sector.

The interviews were performed from October 2004 through March 2005. Each group interview took approximately three hours to perform. The same structured question guide was used for all group interviews. The question guide consisted of open questions and was structured around different themes such as: the phenomenon of accident and injury, actors, safety management, common terms, safety legislation and the use of risk analysis.

After the interviews the preliminary results were presented to the studied sectors both as a report and at a workshop. The feedback received was included in the final results.

In the analyses, comparisons were made of terms, strategies, and how risk analysis and risk evaluation were performed.

3 RESULTS AND ANALYSIS

3.1 Safety related terms

How central safety terms are used and understood within the different sectors has been studied.

Many sectors explain accidents with words like ‘‘suddenly’’, ‘‘undesired’’, ‘‘unintentional’’, ‘‘negative event’’, ‘‘event leading to injuries and damages’’ etc. Several sectors express that an accident is an event that will initiate a rescue operation. Some sectors only include unintentional events in the term accident, while others also regard intentional events, like arson, as accidents. For some sectors injuries are emphasised, while others focus on damage to property or the environment. There are also examples of sectors where definitions of the term accident are influenced by, or stated in, different legislation.

Risk and safety are very central terms for the SRSA, but still they seem to be hard to explain and define. These terms are often used as technical terms but also in a more general sense, as in ‘‘we have to reduce the risks’’ and ‘‘for a safer society’’. The sector Environmental and risk appraisal for industry refers to official documents, e.g. the Seveso II directive and national guidelines, when explaining the term risk. These are examples of technical definitions of risk. Almost all the studied sectors described that risk, in one way or another, consists of two parameters: probability and consequences. There are, however, variations in how the sectors emphasise these two parameters. Three divergent groups of explanation of the term risk were found:

1. Probability (P)
2. Consequence (C)
3. A combination of probability and consequence
In addition there was a difference in group 3 concerning the way in which the two parameters should be combined. Three types of mathematical functions were proposed: a sum of P and C, a product of P and C, and finally other relations between P and C. Another interesting finding is that many of the interviewed sectors did not feel comfortable when using the term risk.

If risk is a difficult word to explain, the term safety seems even more challenging to grasp. Many of the answers were quite vague and general. Only one sector, the National injury prevention program, gave a more academic and detailed explanation of the term safety by defining it as: ‘‘. . . a circumstance characterised by an adequate control of physical, material and moral threats, which contribute to the perception of being protected from hazards. Safety thus cannot be defined in an absolute meaning. Safety is a dynamic status. Safety is not only lack of injuries and hazards. Safety cannot be restricted to injury prevention.’’ Many of the other sectors gave explanations like ‘‘safety is the opposite of risks, accidents or injuries’’. From the broad spectrum of received explanations of the term safety, four types of meanings were identified:

1. Control of risk
   a. Systems and organisation to prevent accidents
   b. Measures that are taken to prevent accidents
2. Absence or low levels of
   a. Accidents
   b. Injuries and damage
3. Risk-free or without any risk
4. Feeling of safety and security

Meanings 1 and 2 are in some respects related to objective measures, quantifications and observations. Meanings 3 and 4 are more abstract and subjective than the first two.

The concepts of risk management and safety management (safety work) are both quite common in Sweden. The concepts have similar meanings both in a practical and a theoretical sense. How the sectors apprehend these two concepts has been studied. The answers show that most of the sectors use either the term risk management or the term safety management in everyday work. Although all sectors work thoroughly with risk and safety issues, many of them had difficulties giving a comprehensive explanation of these two concepts. Common explanations of the two concepts are: a process, steps, systematic activities and measures taken in order to improve safety. Risk management is sometimes perceived to be more systematic and more scientific than safety management. A more in-depth analysis of the answers and actual practices reveals that only a minority of the sectors sees any real differences between the two concepts. A couple of sectors indicate in their answers that they saw the two concepts as dissimilar.

3.2 Structure and coordination of the work with public safety

This section starts out with an analysis of the accidents that the sectors work with. It continues with a presentation of analyses made from four theories and models, in order to illustrate different views on and structures of operations at the SRSA. The analyses deal with questions about the constitution and definition of an accident, strategies to control safety and strategies for countermeasures.

An analysis was made of some accidents and types of events that the sectors work with (Tab. 1). The analysis illustrates the complexity of operations within the SRSA. Two sectors, Emergency response support and Safety management in municipalities, work with almost all of the listed events. On the other hand there are some sectors that only handle a few types of events. Some types of events are handled only by a few of the sectors, while other events, e.g. fire and contact with hazardous substances, are handled by almost all studied sectors. When several sectors work with the same type of event, they deal with different aspects of the event. These aspects could for example depend on: where the event takes place, whether certain substances are involved in the event, which legislation governs the event, the event's origin etc. To exemplify this, the event type fire, which is handled by several sectors from different aspects, is analysed. The sector Fire protection in buildings is concerned with this event if it takes place in buildings. The sectors Dangerous goods, Flammables, Explosives, Environmental and risk appraisal for industry and Emergency preparedness for CBRN incidents are concerned with the event if the fire includes or affects hazardous materials. The sector Dangerous goods is also concerned with fires from a transportation point of view. The sector Land use planning is concerned with this event both from a ‘‘hazardous materials’’ and a ‘‘fires in buildings’’ point of view. The sector Natural disasters is interested in fire if it takes place in forests or other vegetation. The sector Emergency response support is concerned with the event from a fire extinguishing point of view. The sector Safety management in municipalities has a more comprehensive approach to the event type fire.

An analysis was made of what constitutes and defines accidents. There is a varied literature on the nature of accidents (Andersson 1991, Campbell 1997, Hollnagel 2004, Kjellén 2000). Despite all the complex accident models, the results in this study have been analysed against a simplistic accident model, which states that an accident is constituted by a combination of an event and an injury/damage. It was found that the interviewed sectors focused on the two parts to a
Table 1. The table shows which types of event the different sectors work with. Note that sector 12 (Supervision) has been excluded in this table. (Rows: sectors. Columns, types of events: Suffocation, Trapped in, Explosion, Drowning, Lightning, Landslide, Flooding, Storm, Cuts, Fire, Fall.)
varying extent, and hence a supplement to the model was made. The supplement displays the sectors' views on accidents based on the main focus, which could be either:

– Event-based
– Damage-based
– Event- and damage-based

Accidents that are event-based will be regarded as accidents independent of the magnitude and extent of the damage. A typical event-based accident is an unintentional explosion. Damage-based accidents, on the other hand, have the magnitude and extent of the damage as a starting point for defining an accident. A typical damage-based accident is a natural disaster. Regarding natural disasters, Carr argued that a (natural) disaster is defined by human beings and not by nature, i.e. it should be defined and understood by its damage. The event itself is not an accident or a disaster: ‘‘not every windstorm, earth-tremor, or rush of water is a catastrophe’’ (Carr 1932 in Furedi 2007). For the last group (event- and damage-based), no clear emphasis is seen on the event or the damage. Both are required for defining it as an accident. Most of the sectors have an event-based view on accidents, i.e. Fire protection in buildings, Dangerous goods, Flammables, Explosives and Emergency response support. The sectors Natural disasters and National injury prevention program have a damage-based view on accidents. The sectors Environmental and risk appraisal for industry and Safety management in municipalities have an event- and damage-based view. The remaining sectors used more than one of the views on accidents.

Next, the operations of the selected sectors were analysed and categorised in relation to Rasmussen's three types of control strategies: empirical safety control, evolutionary safety control and analytical safety control (Rasmussen 1994). These strategies describe the control of safety from the perspective of available information and suitable analysis method. The findings show that the sectors Emergency response support, National injury prevention program and Safety management in municipalities have their focal point in the empirical control strategy. Dangerous goods, Explosives and Flammables have their focal point in the evolutionary control strategy. The sectors Land use planning, Natural disasters and Emergency preparedness for CBRN incidents primarily utilise the analytical control strategy. Two of the sectors utilise two strategies. Fire protection in buildings uses both empirical and evolutionary safety control, and
Environmental and risk appraisal for industry uses both evolutionary and analytical safety control.

The sectors' operations were also analysed using a model that is commonly used at the SRSA, describing the safety management process in five stages: 1) Prevent accidents, 2) Take mitigation actions before accidents occur, 3) Prepare rescue operations, 4) Carry out rescue operations, and 5) Take actions after rescue operations. These five strategies to control risk, described in the model, are divided up both from the perspective of time and of type of countermeasure. The first three stages are measures that are taken before an accident, while stages 4 and 5 are measures taken during an accident and after an accident, respectively. Note that the model has some resemblance to the generic model the Federal Emergency Management Agency (FEMA) uses for disaster and emergency management, which has four stages: Mitigation, Preparedness, Response, and Recovery (FEMA 1996). The five-stage model above has been used to determine where in the process the different sectors focus their work. Most of the interviewed sectors work with all of these five stages. Nine of the twelve selected sectors have their main focus in stages 1 and 2. The sectors Emergency response support and Emergency preparedness for CBRN incidents have their primary focus on stages 3, 4, and 5. Only the sector Safety management in municipalities has the same focus on all stages.

Finally, an analysis was done of the different sectors' utilisation of Haddon's ten strategies for countermeasures. A revised version of the ten strategies based on Folkhälsoinstitutet (1996), Gunnarsson (1978) and Haddon (1970) has been used in this analysis:

1. Eliminate the risk
2. Separate from the risk
3. Insulate the risk
4. Modify the risk
5. Equip to handle the risk
6. Train and instruct to handle the risk
7. Warn about the risk
8. Supervise the risk
9. Rescue if accident happens
10. Mitigate and restore

The twelve sectors utilised in some way most of the strategies for countermeasures presented above. The dominant strategies for countermeasures are numbers 3, 4, 5 and 6. Strategies 3 and 4 are focused on actions that reform and reduce the hazard (risk source), while strategies 5 and 6 focus on preparing actions that can avoid and manage incidents.

3.3 Risk analysis and other similar tools

In this section the term risk analysis is used as a generic term for all types of investigations, examinations and analyses that are concerned with risk and safety issues. These could be e.g. regulation impact assessments, cost-effect analyses, risk inventories, risk evaluations, risk assessments, incident and accident outcomes, environmental impact assessments, quantitative risk analysis (QRA), flood inundation mapping and fire spreading analysis.

A description has been made of how risk analyses are used in different sectors of the authority. The results show that risk analyses focus on very different parts of the socio-technical system (Rasmussen 1997). The main part of the work with risk analyses that the SRSA does, that is, reviews of conducted risk analyses and issuing directions on how to perform risk analyses, is primarily focused on a narrow part of the socio-technical system. These analyses are delimited to an operation (site specific), organisation or geographic sector (often local). The SRSA (i.e. the interviewed sectors) also conducts its own safety investigations and risk analyses. Many of these analyses focus on a comprehensive part of the socio-technical system, e.g. from a national or regional point of view. Some analyses were also made from a narrow socio-technical system point of view, e.g. in connection with authorisations for an operation. An example of a risk analysis that has been made from a comprehensive socio-technical point of view is the risk analysis of the ‘‘system’’ transportation of dangerous goods in Sweden or Europe. Other similar examples are the analysis of expected effects on fire safety and societal costs, conducted in connection with introducing guidelines on compulsory smoke detectors in residences (Sweden), and the ongoing investigations about possible requirements on self-extinguishing cigarettes (Sweden and Europe).

The purpose and aim of the risk analysis were discussed with the sectors. The results show that they differ between sectors and are unclear in some cases. The results also show that there is on the one hand an official purpose of a risk analysis and on the other hand a more pragmatic (non-stated) purpose. While the purpose and aim of risk analysis are only briefly and often vaguely described in Swedish regulation, the regulations and guidelines often state that the purpose and aim of a risk analysis have to be made clear early in the process. This transfer of the issue from a central to a local and operation-specific context makes it possible to direct the shaping of the risk analysis in the assignment or in the actual risk analysis. This is unfortunately not done to any great extent. The vague specification of the purpose in the regulation also creates insecurity among the stakeholders and supervising authorities about how the risk analyses should be conducted and reviewed. The most common purposes or aims found in actual risk analyses usually quote what is stated in the regulation, or establish that the purpose is to fulfil the requirement in
certain regulation. Fulfilling requirements from insurance companies or from the organisation itself has also been stated. Another common category of purpose is that the risk analysis shall constitute some kind of basis for decisions for different stakeholders and public authorities. Yet another common category is the purpose to verify or show something. Examples of this are to verify that the regulation is fulfilled, the safety level is adequate or that the risk level is acceptable. Other examples are to show that it is safe, that further actions do not have to be taken, that the risk is assessed in a proper manner or that a certain capacity or skill is obtained. A less common category of purpose is to display a risk overview or a comprehensive risk picture. An outline for a generic structuring of the different purposes of a risk analysis based on the received answers could hence be:

1. Formal requirements
   a. Legal based
   b. Non-legal based
2. Basis for decision-making
   a. Public decisions
   b. Non-public decisions
3. Verification
   a. Design of a detail, part of a system or a system
   b. Risk level
4. Risk overview/comprehensive risk picture

thought that adequate safety was not primarily a question of achieving a certain safety level or safety goal; instead the focus should be on the characteristics of the safety work.

The principles and directions used for evaluation of risk in the authority's operation were surveyed. Fifteen types of principles and directions were referred to by the sectors as starting points when doing risk evaluation. Some examples are: risk comparison, economic considerations, zero risk target (vision zero), experience and tradition (practice), lowest acceptable or tolerable risk level, national goals, the principle of avoiding catastrophes, the principle that a third party should not be affected by the accidents of others, and balanced consideration and compromises between competing interests. Some of the sectors did not have a clear picture of how the principles were utilised in real cases or situations. Also, in a couple of cases the sectors did not know which principles governed the evaluation of risk within their domain.

Based on some of the results presented above, an outline for the classification of risk criteria was made. The intention of the outline is to display some different aspects that the criteria, and hence also the evaluations, focus on. The outline has five main classes of criteria: 1) Safety actions and system design, 2) Rights-based criteria, 3) Utility-based criteria, 4) Comparisons, 5) Comprehensive assessments. More about the outline for the classification of risk criteria, and other results on how the SRSA conceives of and performs evaluation, is found in Harrami et al. (in press).
the understanding about different theories, models and strategies, and the implications that these might have on the authority’s work. If used correctly, the diversity of different theories, models and strategies for safety work could strengthen the authority and contribute to developing new ways to work with risk management.

The uses of and knowledge about risk analyses have always been considered to be crucial for the SRSA. Even so, most sectors had difficulties in describing and specifying in what way risk analyses affect safety and the significance of risk analysis in safety work. The authors had expected more comprehensive and profound discussions on the relevance, use, utilization and content of the risk analyses and on how the reviewing and evaluation of the results was done. If risk analyses shall continue to be regarded as an important and strategic subject for the organisation in future, there is a need to specify what function and importance risk analyses should have in risk management regulated by SRSA. There is also a need for the sectors to increase their competence as well as the focus on these issues.

The different sectors had difficulties in expressing and describing how they assess adequate, sufficient, acceptable or tolerable safety. They were also uncertain about which values, directions and principles governed their operation and how these should be used. These insufficiencies regarding knowledge of a general and non-technical nature may be an obstacle for good transparency, the understanding of decisions, communication of decisions and standpoints, and support to decision-makers. These findings are most probably the result of deficient reflections and discussions about risk evaluation issues within the authority. In order to develop a more robust assessment there is a need for SRSA to develop a more substantial foundation for the evaluation of risk and safety issues.

Harms-Ringdahl & Ohlsson (1995) carried out a study among eleven Swedish safety authorities. They found that there were major differences between the authorities according to their areas of responsibilities, traditions and operating conditions, manifested by differences in terminology, views on accidents and how they should be prevented. The results in this paper show that major differences also exist within a single authority.

The SRSA is the result of the merging of several operations of a handful of authorities and fields of activities. This has resulted in a governmental authority with a widespread operation that holds very different approaches, theories, strategies and practices. The width and diversity of the operation can be explained to a large extent by different safety paradigms based on tradition, legislation, sector boundaries and political directions. The diverse approaches, theories and models focus on different aspects of safety and risk, and will result in different analyses and explanations of causes, effects, relations, correlations and solutions. Hence, which theory and model is used probably affects both the organisation (the structuring of the sectors) and the operation at the authority. The coordination of the work, e.g. the delimitation of which aspects of an accident/event different sectors shall handle, also depends on which fundamental model and theory is applied. Therefore the choice and use of approaches, theories, strategies and practices must be conscious and deliberate. According to Hovden (2004), for over 100 years there have been ‘‘muddling through’’ processes to form the safety and rescue institutions and regulatory regimes, and this has resulted in an over-complex ‘‘jungle’’ of safety institutions. This is in some respects the case for the SRSA. The ‘‘muddling through’’ process within the SRSA has been ongoing for over two decades and has resulted in an authority with a very scattered commission and operation. On the other hand there are also advantages with an integrated management of issues concerning safety, risk, accidents, disasters, injuries, damage and rescue operations. An authority that handles accidents in a more comprehensive way can co-ordinate the work better.

Finally, the authors also believe that many of the issues discussed above will become even more significant in the future, especially since a new national authority for safety, security and crisis will be established in January 2009. This authority will take over the tasks of the SRSA, the Swedish Emergency Management Agency and The National Board of Psychological Defence.

5 CONCLUSIONS

The divergence in theories, practice and use of terms within the SRSA, together with a lack of understanding, complicates the co-operation and coordination within the SRSA and with other actors within the field of safety. These differences can also give opportunities for advancements in safety management. To achieve this it is necessary to have more profound discussions and reflections on how to perform safety management in such a diversified safety agency. Subjects that ought to be discussed are for example:

– The basis on which events, accidents, injuries, crises and catastrophes should be included in the work at the authority
– Which risk management strategies should be used
– The importance of risk analysis and how it should be utilised in the safety work
– Standpoints on fundamental ethics, values and principles for evaluating risk.

Several of the issues that the authority handles are complex and do not have any simple and obvious
answers. Therefore these issues need to be handled with humility and caution. It is also important that the employers have understanding and respect for how other sectors work in the authority, and that they question and critically examine their own work with safety.

The co-operation within the organisation and with other authorities would be facilitated if the authority develops a strategy or a policy on how to handle central terms.

6 FUTURE WORK

The SRSA has initiated several activities based on the study, e.g. a project that aims to develop methods and strategies for municipal risk assessment and a development study regarding risk evaluation. It has also initiated a project group that co-ordinates risk communication and central terms and definitions.

ACKNOWLEDGEMENTS

We would like to thank the officials participating in the interviews for their openness and the Swedish Rescue Service Agency for making it possible to conduct this study. We also would like to thank Prof. Lars Harms-Ringdahl and an anonymous referee for constructive comments on the conference paper.

REFERENCES

Abrahamsson, M. & Magnusson, S.-E. 2004. Användning av risk- och sårbarhetsanalyser i samhällets krishantering—delar av en bakgrundsstudie (in Swedish). LUCRAM report 1007. Lund: Lund University Centre for Risk Analysis and Management.
All, R., Harrami, O., Postgård, U. & Strömgren, M. 2006. Olyckor, riskanalyser och säkerhetsarbete—några olika perspektiv inom Räddningsverket (in Swedish). Report P21-480/07. Karlstad: The Swedish Rescue Service Agency.
Andersson, R. 1991. The Role of Accidentology in Occupational Injury Research. Ph.D. thesis. Arbete och hälsa, vetenskaplig skriftserie 1991:17. Stockholm: Karolinska Institutet.
Campbell, R. 1997. Philosophy and the accident. In R. Cooter & B. Luckin (eds), Accidents in History: Injuries, Fatalities and Social Relations. Amsterdam: Rodopi.
Carr, L.J. 1932. Disaster and the Sequence-Pattern Concept of Social Change. American Journal of Sociology 38(2): 207–218.
FEMA 1996. Guide for All-Hazard Emergency Operations Planning. State and Local Guide (SLG) 101. Washington: Federal Emergency Management Agency.
Folkhälsoinstitutet 1996. På väg mot ett skadefritt Sverige (in Swedish). Report 1996:117. Stockholm: Swedish National Institute of Public Health.
Furedi, F. 2007. The changing meaning of disaster. Area 39(4): 482–489.
Gunnarsson, S.O. 1978. Strategies for accident prevention. In R. Berfenstam, L.H. Gustavsson & O. Petersson (eds), Prevention of accidents in childhood; A symposium in the series of congresses and conferences celebrating the 500th anniversary of Uppsala University, held at the Department of Social Medicine, University hospital, October 5–7, 1977, Uppsala. Uppsala: Uppsala University Hospital.
Haddon, W.J. 1970. On the escape of tigers: an ecologic note. American Journal of Public Health (December): 2229–2234.
Harms-Ringdahl, L. & Ohlsson, K. 1995. Approaches to accident prevention: A comparative study of eleven Swedish authorities. Safety Science 21(1): 51–63.
Harrami, O., Postgård, U. & Strömgren, M. (in press). Evaluation of risk and safety issues at the Swedish Rescue Services Agency. In Proceedings of ESREL 2008 AND 17th SRA EUROPE CONFERENCE—Annual Risk, Safety and Reliability Conference, Valencia Spain, 22–25 September 2008. Rotterdam: Balkema.
Hollnagel, E. 2004. Barriers and accident prevention—or how to improve safety by understanding the nature of accidents rather than finding their causes. Burlington: Ashgate.
Hovden, J. 2004. Public policy and administration in vulnerable society: regulatory reforms initiated by a Norwegian commission. Journal of Risk Research 7(6): 629–641.
Kjellén, U. 2000. Prevention of Accidents Through Experience Feedback. London: Taylor & Francis.
Lundgren, L.J. & Sundqvist, G. 1996. Varifrån får miljövårdsbyråkraterna sin kunskap? In Lars J. Lundgren (ed.), Att veta och att göra—Om kunskap och handling inom miljövården (in Swedish): 129–171. Lund: Naturvårdsverket Förlag.
Rasmussen, J. 1994. Risk management, adaptation, and design for safety. In B. Brehmer & N.-E. Sahlin (eds), Future risks and risk management. Dordrecht: Kluwer Academic Publishers.
Rasmussen, J. 1997. Risk management in a dynamic society: A modelling problem. Safety Science 27(2–3): 183–213.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
Evaluation of risk and safety issues at the Swedish Rescue Services Agency
O. Harrami
Swedish Rescue Services Agency, Karlstad, Sweden
Department of Fire Safety Engineering and Systems Safety, Lund University, Lund, Sweden
U. Postgård
Swedish Rescue Services Agency, Karlstad, Sweden
M. Strömgren
Swedish Rescue Services Agency, Karlstad, Sweden
Division of Public Health Sciences, Karlstad University, Karlstad, Sweden
ABSTRACT: This study investigates how evaluation of risk and safety is conceived and managed in different parts of the Swedish Rescue Services Agency (SRSA). Group interviews were performed within twelve different sectors of the organisation. The results show that some of the representatives do not consider themselves to be doing evaluations of risk, even though they take daily decisions and standpoints that incorporate evaluation of risk. In most sectors profound reflection and discussion about these issues had only been carried out to a very limited extent. The different sectors had great difficulties in expressing or describing how to assess adequate, sufficient, acceptable or tolerable safety. There is a need for SRSA to develop a more substantiated foundation for evaluation of risk and safety issues in order to receive better internal and external understanding of the decisions, a more transparent process, easier and clearer communication of decisions and standpoints, and better support to decision-makers.
stakeholders agree on the ‘‘risk picture’’, but disagree on how to evaluate and assess the risk are even more common.

The following study on how evaluations of risk and safety issues are done within the authority was made as a part of a larger investigation of how the SRSA works with accidents, risk analysis and safety assessment. More findings from the study and a more comprehensive description of how the study was initiated are found in All et al. (2006) and Harrami et al. (in press).

The SRSA is a governmental organisation working with miscellaneous types of accidents, safety work and risk management in many arenas. The authority has around 800 employees and is active in many areas of expertise, and its legal competence covers four main legislations: the Civil Protection Act; the Transport of Dangerous Goods Act; the Law on Measures to Prevent and Limit the Consequences of Serious Chemical Accidents (Seveso Directive); and the Flammable and Explosive Goods Act. The authority also has commissions in education and international humanitarian relief and disaster operations.

The objective of this paper is to describe and discuss how evaluation of risk and safety issues is carried out at the SRSA, and what the basis is for the evaluation.

2 METHOD

This paper studies how the Swedish Rescue Service Agency works with risk evaluation in its operation. Structured group interviews were performed with 12 different sectors within the organization. The reason why interviews were preferred to questionnaires was that many of the questions were difficult to describe with clear and simple questions. More correct interpretations were also facilitated, since different parts of the organization use terms and definitions in different ways.

In order to structure the application sectors, several logics and methods to divide the organisation were considered. The final division was based on a combination of legislations used, traditions, branches and contexts. The studied sectors are those working with:

1. Fire protection in buildings
2. Transportation of dangerous goods
3. Flammables
4. Explosives (including LPG)
5. Land use planning
6. Natural disasters
7. Environmental and risk appraisal for industry, including Seveso-establishments
8. Emergency response support
9. Safety management in municipalities
10. National injury prevention program
11. Emergency preparedness for chemical, biological, radiological and nuclear (CBRN) incidents
12. Supervision in four different jurisdictions

From each sector two or three key persons were selected for the group interview. The selections of key persons were made in cooperation between the analysis group and the department director of each sector. The key person should have had long experience in working within that sector, and be aware of the traditions and views prevalent within the sector.

The interviews were performed from October 2004 through March 2005. Each group interview took approximately three hours to perform. One structured question guide was used for all group interviews. The question guide consisted of open questions and was structured around different themes such as: the phenomenon of accident and injury, actors, safety management, common terms, safety legislation and the use of risk analysis.

This paper focused on risk evaluation and the questions used were:

– When does the SRSA know that ‘‘adequate’’ safety is achieved in the work with decisions, regulations, directions, handbooks, information, guidance, education etc.? How have you decided on these actions?
– Which principles and directions govern the decisions in your sector? Describe the principles.
– Are any legal or recommended risk or safety levels used? How are these levels described? Is it possible to assess if the levels are achieved?

After the interviews the preliminary results were presented to the studied sectors both as a report and at a workshop. Received feedback was included in the final results.

3 THE DIFFERENT SECTORS’ VIEW ON EVALUATION OF RISK AND SAFETY ISSUES

Below is a summary of the answers, for each one of the twelve sectors, on the questions described in the method section above. The summaries are presented in the same order and have the same numbering as the presentation of the sectors in the previous method section.

The extent and depth of the answers varied a lot, which is apparent from the summaries. One has to bear in mind that the scope and focus of the commission vary between the studied sectors. There are also variations in other contextual conditions such as the characteristics of the risk, who the stakeholders are and how adjacent legislation is formulated.
3.1 Fire protection in buildings

The work of this sector is made within the framework of the Civil Protection Act, which is applicable when assessing fire protection in existing buildings. The Building Code regulates the construction period up to the approval of the building. The legal requirements on safety actions shall express the lowest level accepted by society. The requirements shall also be economically reasonable, i.e. the action must give a protection that is proportional to the cost. It is possible to require new actions to a certain extent, but consideration has to be taken of the regulation that existed when the building was built. These circumstances make each case unique, which requires profound knowledge about different parts of the system as well as flexibility when assessing the buildings’ safety and risk level. The principles used in the assessment are focused on saving lives and preventing injuries. A key principle is that people have to be able to evacuate the building before critical conditions arise. Another important principle is to protect a third party from injuries and damages. The interpretation of the regulation and the assessment of safety levels are to a certain degree also dependent on the political climate and on to what degree recent fires have become a media event.

3.2 Dangerous goods

The objective of the regulatory work for the transport of dangerous goods is to ensure safe transport. The regulatory work is done within the framework of the UN Economic & Social Council (ECOSOC) and is based on negotiations between the member states. 39 countries are involved in the work with the rules for road transport, and 42 countries work with the rules for rail transport. There is no set safety target level, but a general principle that is used in the assessment is that the more dangerous the substance is, the higher the safety level required. The rules are a balance between enabling transportation and ensuring safety. This means that the diverse conditions in the member states (weather, density of population, road quality, economy etc.) may play an important role in the negotiations. Since the regulatory work is based on negotiation, the political aspects are dominant and this may also be reflected in the outcome. Cost-effect analyses are utilized to some extent. The rules mainly address the design of the technical system and to some extent organisational issues. It is difficult to assess if ‘‘adequate safety’’ is achieved.

3.3 Flammables

‘‘Adequate safety’’ is assessed in official inspections at the site before permissions are issued. Aspects that are assessed are the design and performance of details, subsystems and systems. The assessment is performed based on experience from normal operations and incidents, as well as continuous dialog and discussions with companies and the industry. Fulfilment of requirements is primarily done by living up to accepted practice, and only to a minor extent by satisfying a certain safety criterion. If the practice is not satisfied, the risk owner has to be credible when asserting that the activity still fulfils the requirements. There are three main principles that are used in the assessment: First, as few as possible should be exposed to risk. Second, the control room shall be safe in order to handle control emergencies. Third, people outside the plant shall not be affected. The assessment of damages and injuries is based on a design scenario that is ‘‘more reasonable’’ than a worst-case scenario. The design scenario is based on experience within the industry, such as information about incidents and similar systems. The rupture of a tank/cistern is for example not considered to be a reasonably empirical damage scenario, while a broken coupling is. Effects of organisational changes are very difficult to assess compared to changes in the technological system. The cost for an action shall be (economically) reasonable. There are no legal or recommended levels for safety, but the regulation states that as few as possible should be injured. The industry calculates probabilistic risk, e.g. individual risk (IR) and societal risk (SR), in their risk analyses and wants the SRSA to use probabilistic risk criteria. The risk analyses that calculate IR and SR are difficult to assess, primarily since the analyses are very uncertain but also because no probabilistic risk criteria have been set. The sector thinks that the focus should be on actions and measures for improving safety instead of focusing on the figures and results in risk analysis.

3.4 Explosives

A standard model, e.g. safety distances, is used when applicable; otherwise a risk analysis should show that the (process) method doesn’t cause larger risk than similar alternative standard methods. The criteria for liquefied petroleum gas (LPG) pipes are based on long traditions of manufacturing steel and on experience from incidents. The principles used for LPG constructions are: Firstly, the gas has to remain in the containment. Secondly, in case of leakage the gas has to be ventilated. Thirdly, ignition has to be prevented. Finally, a single mistake or error should not in itself result in a dangerous situation. The safety criteria for explosion protection are based on international figures and information (e.g. from NATO) and adapted for domestic conditions. Three principles are used for assessing the safety of explosives: An initiation of explosion should be avoided. The explosives
should be protected from the surroundings. The surroundings should be protected from the explosives. It is very difficult for the sector to assess if the desired safety level is achieved. The absence of accidents is interpreted as an indication that the safety level probably is good. The applied criteria are absolute, but some consideration of the cost of actions may be taken.

3.5 Land use planning

Most cases are unique. It is therefore important to collect all possible documents, information and analysis. Usually a comprehensive assessment made within the frame of the Planning and Building Act balances different values and makes an assessment of the reasonableness. To a certain extent this assessment also has to take the Environmental Code into account, which assumes that certain codes of consideration have been followed, e.g. that sufficient knowledge and best-available-technology have been used, chemicals have been replaced with less hazardous ones and that the location of the activity in question is the most appropriate. In local regulations safety distances are utilized, as well as prohibition to establish new hazardous operations. It is not possible to assess if adequate safety is achieved. One way to approach this issue is to put safety issues on the agenda. The more safety issues that are discussed and managed in the planning process the better, and in some sense the closer you get to ‘‘adequate safety’’. Some principles that are used in the application of risk criteria (Davidsson 1997) are: (1) the principle of reasonableness, i.e. the activity in question should not imply risks that might reasonably be avoided or reduced, (2) the principle of proportionality, i.e. the risks that an activity gives rise to may not be disproportionate in relation to the benefits, (3) the principle of distribution, i.e. no individuals or groups should be put at a risk that far exceeds the benefits they derive from the activity and (4) the principle of avoiding catastrophes, i.e. manageable accidents with limited consequences are preferred to ones with consequences of catastrophic magnitude.

3.6 Natural disasters

When assessing adequate safety with respect to flooding, the effects of calculated or estimated flows are compared to buildings, public functions and other properties and values that have to be protected. There are no general recommendations for how the municipalities should assess flooding risks. The municipalities decide permissible water levels for new settlements. Landslides are mainly assessed through safety factor calculations, and nationally recommended safety factors are utilised. Much of the safety work performed in this sector is based on guidelines from the Commission on Slope Stability (1995) and the Swedish Committee for Design Flood Determination (Flödeskommittén 1990). The latter have recently been updated and replaced by new guidelines (Svensk Energi, Svenska Kraftnät & SveMin 2007).

3.7 Environmental and risk appraisal for industry

Most authorizations are new and unique cases. The work in this sector is therefore similar to the one described for land use planning (section 3.5). The authorization decision is based on risk analysis and on the operators’ answers to complementary questions by SRSA. It is very difficult to know if the safety level is adequate. Lately the regulation has been evolving towards more functional regulation. A couple of precedents exist that contain interpretations of how safety and risk evaluations within the jurisdiction of the Civil Protection Act and the Law on Measures to Prevent and Limit the Consequences of Serious Chemical Accidents (Seveso Directive) should be assessed. These precedents constitute directions for future assessments. The sector also refers to the same principles used in the application of risk criteria presented earlier in section 3.5 (Land use planning).

3.8 Emergency response support

This sector is both comprehensive and situation-dependent, and focuses on two aspects of risk evaluation: general planning of the fire and rescue work in the municipalities (task, size, location, equipment etc.) and safety for the personnel during a rescue operation. The evaluations done in connection with the general planning vary between different municipalities and are based on different information and statistics. Statistics on incidents, injuries and accidents are common information sources. During the last years SRSA has been developing and promoting other methods which some municipalities have adopted, e.g. cost-effect methods as well as different measures, indicators and key ratios. Evaluations done during a rescue operation are to a certain degree directed by regulation, e.g. prerequisites for conducting a rescue operation and directions for certain activities (e.g. fire fighting with breathing apparatus and diving). The rescue commander has to make fast and sometimes difficult assessments and evaluations based on limited information.

3.9 Safety management in municipalities

The work of this sector is largely done in the municipalities, and is based on political decisions that give directions for the safety work. The priority given to safety issues differs between municipalities. A common guiding principle is that saving life is prioritised compared to saving property, and saving property is
prioritised compared to saving the environment. There are also continuous discussions about how resources should be allocated between small and large accidents. Usually the assessment is done by comparing safety levels and accident statistics with similar municipalities as well as with the nation as a whole. Target levels for the citizens’ protection are in some cases expressed. Cost-effect methods are used to a certain extent.

3.10 National injury prevention program

The Safe Community concept (Welander et al. 2004) promotes systematic safety work at the municipal level. The vision is zero injuries, but in reality technological and other changes cause new types of accidents and injuries, and this impedes the achievement of safety goals set within the frame of a vision. The Swedish Public Health Policy gives general directions that guide the assessments (Folkhälsoinstitutet 2003). Each municipality sets its own levels based on the guidelines for public health. A common way to direct safety work is to identify the most cost-effective actions. Priority is given to saving lives. Children’s safety is often prioritised when establishing new housing estates.

3.11 Emergency preparedness for CBRN incidents

Adequate safety is generally very difficult to assess for CBRN incidents since the uncertainties are large. The response time for the national oil protection supplies is considered to be sufficient. The emergency protection and preparedness for nuclear incidents are also considered to be sufficient, even though the prerequisites for these incidents are continually updated. The assessments of the safety levels for these incidents are based on relevant scenarios. The preparedness has to be flexible in order to adapt to different situations.

3.12 Supervision

Supervision is made within the framework of four legislations, and is based on general information about the operation, risk analysis and other documents. It is not possible to process and consider everything in an operation. Strategic choices are made on what to study. With improved experience the supervisors learn how to get a good picture of the status of different operations and how to assess the ‘‘safety level’’. Supervision is made up of two main parts: the administrative organisation and the hands-on operation. The main starting-point for the assessments is the intentions of the legislation. Hence the interpretations of the legislation become crucial for the safety assessment.

4 ANALYSIS AND DISCUSSION

4.1 The view of sectors on risk evaluation issues

At first during the interviews some of the sectors did not consider themselves to be doing evaluations of risk, even though they take daily decisions and standpoints that in one way or another incorporate the evaluation of risk. These tasks include issuing permits and authorisations, issuing regulation and other guidelines, developing and providing methods and tools for safety work, promoting safety in certain lines of business or arenas, giving comments on submitted proposals etc. Evaluation seems to be a very integrated, natural and unconscious part of the everyday work done by the different sectors.

The reasons for the sectors’ view that they are not doing evaluation have not been analysed thoroughly. However, two possible explanations have been seen, and they are both connected to the background and the role of the officials. Most officials have a technical or natural science background, even though this is gradually changing. This means that they are used to working with proposals and solutions that are expressed in figures and charts, and based on calculations and statistical methods. Inspired by the work of Lupton (1999), Summerton & Berner (2003) and Renn (1992), Hultman (2004) describes seven perspectives on risk within socio-technical systems. Most SRSA officials have, and work within, what Hultman describes as an ‘‘engineering perspective’’ on risk. One explanation could be that the term ‘‘evaluation’’ has been interpreted as using a certain systematic, scientific or quantitative method. Their background may have led their thoughts to associations about scientific evaluation, which they do not consider themselves doing. Another explanation could be the indistinct role of the officials. Most of them are scientific experts by profession. They also form a link between the legal world and other experts. If ‘‘evaluation’’ was interpreted as a legal issue they probably did not consider themselves doing that either.

4.2 Assessment of adequate or satisfactory safety

Most of the respondents thought that the question of how they determine if adequate safety is achieved was relevant. At the same time many of the sectors had difficulties describing how they did the assessment. Below is a summary of different views on how adequate or satisfactory safety is assessed. Adequate, satisfactory, sufficient, acceptable or tolerable safety is attained when:

– no accidents, injuries or deaths occur
– tests and examinations show that characteristics for a product or an activity meet predetermined thresholds
– it can be shown that a product or an activity/operation does not have a higher risk level than other similar products or activities/operations
– all experience acquired by the involved parties is used as far as possible
– it has been shown that the quantitative safety/risk level is lower than established criteria
– it has been shown that certain required equipment or functions exist
– a process involving certain parties and including certain stages has preceded a safety decision
– a decision becomes a legal case, goes to trial and becomes a precedent
– a decision on safety is determined in relation to other factors (adequate safety is relative)
– all the parties are content and nobody complains about the safety level or the actions taken.

Some of the sectors answered that it is not possible to know or determine if adequate safety is achieved. One sector thought that adequate safety was not primarily a question of achieving a certain safety level or safety goal. Instead the focus should be on the characteristics of the safety work: an operation or activity that works systematically and strives for continuous safety improvements should be considered to have adequate safety.

The results show that the sectors have interpreted the question in several different ways. The sectors have either answered how requirements in regulation are satisfied (legal view) or how adequate safety is assessed from a scientific or a philosophical point of view. The answers given to this question could also be summarised in three types of main discussions (discourses), of which types 1 and 2 were the most common (Fig. 1).

Type 1: Quantitative risk measures (outcomes and expectation values) were discussed and contrasted with each other. In most cases the discussion also included some questions or criticisms of these risk measures (referred to by some as "the reality"). Type 2: Different safety actions, necessary functions and ways of managing safety were discussed and contrasted. In most cases the discussion also included issues on how to assess the reasonableness of required safety actions. Type 3: In a couple of cases the two earlier types of discussions (types 1 and 2) were contrasted with each other.

Figure 1 (diagram; labels: 1, 2, 3; "Outcomes & Expectation values"; "Actions & Functions & Way of work"; "The reality"; "Reasonableness"). Three types of discourses on adequate safety were identified during the interviews. Most common were the type 1 and 2 discourses.

4.3 Principles used for evaluation of risk and safety issues

All sectors gave examples of directions and principles that were used as starting points in the evaluation of risk and safety issues. Below is a summary:

– Risk comparison
– Ethics and values
– Economic considerations
– The precautionary principle
– Zero risk target (Vision Zero)
– Political decisions and directives
– Experience and tradition (established practice)
– Lowest acceptable or tolerable risk level
– National goals (e.g. Public Health Policy)
– The principle of avoiding catastrophes
– Limitation and mitigation of consequences
– The evaluation is transferred to others
– A third party should not be affected by the accidents of others
– Balanced consideration and compromises between competing interests
– Saving human lives is prioritised over saving property and the environment

As seen from the results, many sectors refer to more than one principle. There is sometimes no clear boundary between two principles, and some principles may include (parts of) other principles. It was often unclear to what extent the principles were used and what importance the different principles had. For some of the sectors it was not clear how the principles were utilised in real cases or situations. In a few cases the sectors did not have a clear picture of which principles governed the evaluation of risk within their domain. The uncertainty about the principles, their importance and how they are utilised may be due to the fact that almost no sector had carried out any profound reflection and discussion on these issues.

4.4 An outline for classification of risk criteria

An outline for classification of risk criteria has been made based on how the sectors assess adequate safety and what principles they use in the evaluation process. The outline is based on the classifications presented by
Mattsson (2000) and Morgan & Henrion (1990). These classifications have been expanded and modified to better fit the results found in this study, which has resulted in five groups of criteria:

1. Safety actions and system design criteria
2. Rights-based criteria
3. Utility-based criteria
4. Comparison criteria
5. Comprehensive assessments

Group 1 consists of four types of criteria: (a) detail regulation, which commonly regulates actions that target technology, operation and to some extent organisation; (b) functional regulation, expressed as a certain function that has to be fulfilled in a given situation; (c) measures, indicators and key ratios, which could be a safety distance, an index or a ratio; (d) technology-based criteria, which state that the best available technology should be used.

Group 2 includes criteria that are rights-based, quantitative and express the highest permitted risk level: (a) zero-risk and similar goals for outcomes, expressed as the accepted level of deaths or injuries; (b) individual risk criteria; (c) societal risk criteria. Criteria (b) and (c) express the highest accepted level for expected values of deaths.

Group 3 consists of three types of criteria that all come from utility theory and are variants of utility-based criteria (Mattsson 2000): (a) cost-benefit: assess whether the sum of all benefits of an action exceeds its costs; (b) cost-effectiveness: assess which action meets the safety goal at the lowest cost; (c) multi-attribute utility criteria: assess different alternatives based on a combination of several types of preferences with different weights.

Group 4 consists of criteria with three types of comparisons: (a) between the risk/activity in question and similar risks/activities; (b) between the risk in question and dissimilar types of risks, e.g. smoking, driving and climbing; (c) between different design alternatives, which is common in environmental impact assessment.

Group 5: The assessment of safety is done together with many other factors, and the assessment does not have to be quantitative. The assessment process does not have to be as systematic as a multi-attribute analysis. The outcome of such an assessment may be difficult to predict, since these assessments are unique for each case.

In some cases "hybrid criteria" are used (Mattsson 2000). These combine different criteria: e.g. first societal or individual risk is assessed, followed by a cost-benefit analysis. Also, many of the presented criteria may be expressed as guideline values/levels and not as absolute values/levels. The difference is that guideline values are not unconditional and can be seen as something to strive for.

4.5 Assessment of reasonableness and the use of quantified risk criteria

The issue of reasonableness was common in the sectors' discussion of risk evaluation. The sectors discussed reasonableness both regarding the evaluation process and regarding the requirements on safety actions. Most probably this is because the applicable legislation states that requirements on safety actions shall be "reasonable". This legislation may have been influenced by utility theory, but the assessments of reasonableness made by the courts have an even more comprehensive scope. The few existing precedents (stated by the courts) have interpreted the meaning of "reasonable" as: the cost of an action shall be proportional to the safety outcome of the required action. Also, practical feasibility, as well as the question of existing versus new objects/activities, is taken into consideration when assessing whether an action is reasonable.

In some of the interviewed sectors it is common that the industry uses quantitative risk analyses (QRA) that present the result as individual and societal risk (i.e. rights-based criteria). In some European countries, such as the Netherlands and Great Britain, quantitative risk criteria are used to assess such risk analyses (Ale 2005). There are no set quantitative risk criteria in Sweden that can be applied when assessing a quantitative risk analysis. Therefore the industry (or a single risk owner) either sets its own criteria or refers to levels used in other countries.

This situation is perceived as problematic by some sectors, since Swedish legislation generally promotes risk decisions based on overall assessments of different aspects, standpoints and interests. Also, most of the sectors made a distinction between calculated risk (expectation values) and actions to manage risk, which is also exemplified by the two most common types of discussions displayed in Figure 1. Some sectors also interpreted the legislation as being more focused on risk-reducing actions than on risk as a level or a condition. The divergent views between the industry and some of the sectors on how to use and assess quantitative risk analysis raise several questions:

– Why does the industry calculate individual and societal risk, even though no quantitative criteria exist?
– Does the industry focus more on risk levels than on safety actions?
– Is it possible for authorities to evaluate the results of a QRA, even though no quantitative criteria exist?

5 CONCLUSIONS

In this study we have striven to give a picture of how the assessment of risk evaluation has been carried out within the SRSA and, to a certain extent, also why.
The findings in this study show that evaluations of risk and safety issues are done in many different ways, due to several context-dependent factors that influence the assessment. A study that investigates whether it is possible to find more universal foundations for evaluations of and decisions on risk within the authority is desired. Such foundations could perhaps supplement or replace some of the existing principles.

The evaluation component in the authority's processes that include decisions about risk has to be elucidated. The benefits of such elucidation could be, among other things, better internal and external understanding of the decisions, a more transparent process, easier and clearer communication of decisions and standpoints, better support to decision-makers such as other officials and politicians, and a reduction of the influence of individual preferences linked to certain officials.

A more systematic exploration and discussion of these questions is needed within the SRSA if we are to develop these issues and get a better general view and co-ordination of risk evaluation.

6 FUTURE STUDIES

Based on the study, the SRSA has concluded that improvements are needed and has initiated a development study regarding risk evaluation at the authority. The first, ongoing step in the three-year project is to carry out a review of research done on the subject. The review will combine four knowledge compilations done by researchers from the fields of sociology, economics, philosophy and technology.

The results from the ongoing review, together with the findings from the study presented in this paper, could constitute a starting point for a more substantial foundation for the evaluation of risk and safety issues at the authority.

ACKNOWLEDGMENTS

We would like to thank the officials participating in the interviews for their openness and the Swedish Rescue Services Agency for making it possible to conduct this study. We would also like to thank Prof. Lars Harms-Ringdahl and an anonymous referee for constructive comments on the conference paper.

REFERENCES

Ale, B.J.M. 2005. Tolerable or acceptable: A comparison of risk regulation in the United Kingdom and in the Netherlands. Risk Analysis 25(2): 231–241.
All, R., Harrami, O., Postgård, U. & Strömgren, M. 2006. Olyckor, riskanalyser och säkerhetsarbete—några olika perspektiv inom Räddningsverket (in Swedish). Report P21-480/07. Karlstad: Swedish Rescue Services Agency.
Boverket 2005. Riskvärdering—delprojekt 2.1, bilaga till regeringsuppdrag Personsäkerhet i tunnlar (in Swedish). Karlskrona: The National Board of Housing, Building and Planning.
Commission on Slope Stability 1995. Anvisningar för Släntstabilitetsutredningar (in Swedish). Linköping: Royal Swedish Academy of Engineering Sciences.
Davidsson, G., Lindgren, M. & Mett, L. 1997. Värdering av risk (in Swedish). Report P21-182/97. Karlstad: Swedish Rescue Services Agency.
Flödeskommittén 1990. Riktlinjer för bestämning av dimensionerande flöden för dammanläggningar. Slutrapport från Flödeskommittén (in Swedish). Statens Vattenfallsverk, Svenska Kraftverksföreningen and Sveriges Meteorologiska och Hydrologiska Institut.
Folkhälsoinstitutet 2003. Sweden's new public health policy. National public health objectives for Sweden. Report 2003:58. Stockholm: Swedish National Institute of Public Health.
Harrami, O., Strömgren, M., Postgård, U. & All, R. (in press). Accidents, risk analysis and safety management—different perspectives at a Swedish safety authority. In Proceedings of ESREL 2008 and 17th SRA Europe Conference—Annual Risk, Safety and Reliability Conference, Valencia, Spain, 22–25 September 2008. Rotterdam: Balkema.
Hultman, M. 2005. Att förstå risker—en kunskapsöversikt av olika kunskapsperspektiv. KBM:s Forskningsserie Report nr. 8. Stockholm: Swedish Emergency Management Agency.
Lundgren, L.J. & Sundqvist, G. 1996. Varifrån får miljövårdsbyråkraterna sin kunskap? In L.J. Lundgren (ed.), Att veta och att göra—Om kunskap och handling inom miljövården (in Swedish): 129–171. Lund: Naturvårdsverket Förlag.
Lupton, D. 1999. Risk. Milton Park: Routledge.
Mattsson, B. 2000. Riskhantering vid skydd mot olyckor—problemlösning och beslutsfattande (in Swedish). Karlstad: Swedish Rescue Services Agency.
Morgan, M.G. & Henrion, M. 1990. Uncertainty—A guide to dealing with uncertainty in quantitative risk and policy analysis. Cambridge: Cambridge University Press.
Reid, S.G. 1999. Perception and communication of risk, and the importance of dependability. Structural Safety 21(4): 373–384.
Renn, O. 1992. Social theories of risk. In S. Krimsky & D. Golding (eds), Social theories of risk. Westport: Praeger.
Summerton, J. & Berner, B. (eds) 2003. Constructing risk and safety in technological practice. London: Routledge.
Svensk Energi, Svenska Kraftnät & SveMin 2007. Riktlinjer för bestämning av dimensionerande flöden för dammanläggningar (in Swedish). Stockholm: Swedenergy, Svenska Kraftnät and SveMin.
Welander, G., Svanström, L. & Ekman, R. 2004. Safety Promotion: An Introduction. Stockholm: Karolinska Institutet.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

J.M. Hagen
Gjøvik University College

E. Albrechtsen
SINTEF Technology and Society/Norwegian University of Science and Technology, Trondheim, Norway

ABSTRACT: The paper compares how information security in critical infrastructures is regulated in two different sectors and how the regulations can influence organizational awareness. It also compares how organizational information security measures are applied in the sectors, and discusses how the sectors can learn from each other. The findings document considerable differences in the legal framework and supervision practices, in the use of organizational information security measures and in top management engagement. Enterprises belonging to the finance sector make more widespread use of organizational security measures, and the respondents are also more satisfied with the management engagement and with the organization's performance against the legal requirements. The paper argues that information security audits by authorities can be one important contribution to information security awareness and to top management commitment to security, and that the sectors can learn from each other by sharing information on how they deal with information security.
state of the art regarding the management's role in information security. Section 3 presents the applied research method. Section 4 provides an overview of the electric power supply and finance industries in Norway and the applied supervision methodologies. In Section 5 we compare the two sectors, studying the security attitudes and the applied organizational security measures. Discussion of the findings is given in Section 6. Section 7 provides the answers to the research questions, and Section 8 shows the way ahead and concludes that it will be useful to study security cultures within organizations.

2 THE MANAGEMENT'S ROLE

Information security has developed from a strictly technological discipline to become a multidisciplinary responsibility for top management (Lobree 2002, Sundt 2006). Williams (2007) claims that even the board needs to be assured of effective risk management and of the sharing of responsibility for information security by a number of individuals within the organization.

Information security law places responsibility for information security on the management and the board. Dealing with authorities is a typical management task. Thus, supervision from authorities may be one way to raise top management's awareness. We expect that an engaged top management is important for how the organization adopts information security measures and complies with the law. Studies of safety have documented that management involvement is important for the safety work within companies (Simonds 1973, Simonds & Shafai-Sharai 1977). It is reasonable to believe that this experience could be transferred to the information security field.

3 METHOD

We have carried out two exploratory case studies: one on financial law and supervision, and one on energy law and supervision within the hydroelectric power supply sector. Data on supervision practices was collected during the summer of 2006 from textual materials and personal interviews with representatives of the Norwegian supervisory authorities and four companies. Authorities in Sweden, Finland, Denmark and the UK were also contacted by mail (Hagen et al. 2006). In the spring of 2007, a web-based survey was carried out among IT officers in different sectors (Hagen et al. unpubl.). This survey addressed organizational security measures such as user education, procedures and controls, and tools; compliance with the law; and the effectiveness of supervision. Out of a total of 87 answers, only 34 were related to the electric power supply and finance sectors. This is a moderate sample, and it limits our ability to conduct statistical analysis to reveal associations. Therefore, we have chosen to present the results as descriptive statistics. A few hypotheses have also been formulated and tested by independent-samples t-tests. The independent-samples t-test procedure compares means for two groups of cases. Ideally, for this test, the subjects should be randomly assigned to the two groups, but this is not the case when we study enterprises within the energy and finance sectors. Therefore, we discuss how differences in other factors, e.g. respondents, could be masking or enhancing a significant difference in means. In addition, the paper has been through several rounds of validation by the informants.

4 THE ELECTRIC POWER SUPPLY AND FINANCE INDUSTRY IN NORWAY

4.1 The legal framework

In Norway, the Ministry of Oil and Energy holds the administrative responsibility for the energy sector. The Norwegian Water Resources and Energy Directorate (NVE) oversees the administration of the energy and water resources. The Norwegian electricity industry finds itself in a unique position internationally, as almost 100% of the country's electricity production comes from hydroelectric power. Norwegian enterprises need to be licensed in order to supply and trade electrical energy. Enterprises act in accordance with many laws and regulations; however, the most important ones dealing with contingency and information security are the Energy Act, the Energy Direction and §§ 4 and 6 of the Contingency Direction. The regulations deal with the planning, building and conduct of different electrical enterprises, including emergency preparedness. They place certain requirements on electrical enterprises' protection of critical information systems and of sensitive and classified information, and demand that enterprises provide Assurance Reports.

The Ministry of Finance holds the superior administrative responsibility for the country's financial sector. The Financial Supervisory Authority of Norway oversees Norway's financial markets and regulates the financial sector. Like the hydroelectric power enterprises, financial enterprises act in accordance with many laws and regulations. The most important legal acts are the Financial Supervisory Act and the related Information and Communication Technology (ICT) Direction. The ICT Direction deals with information security. Thus, one major difference between the sectors is that the financial sector has a dedicated information security direction, whereas information security within the hydroelectric power supply industry is regulated according to §§ 4 and 6 of the Contingency Direction.
4.2 The supervision methodology

The two Norwegian regulatory authorities chosen for this study conduct their supervisory controls in different manners; still, there are some similarities. In both sectors, supervision is conducted in the following way. The enterprises go through a pre-evaluation, which aims to evaluate the risks, importance and status of the enterprises. Then the authority notifies the enterprises which are selected to undergo supervision. The authority requests information, arranges meetings, collects more information, analyses it and documents deviations. In this process the dialogue is important. Then the enterprises are given a deadline to close the deviations.

Both the Norwegian Water Resources and Energy Directorate and the Financial Supervisory Authority have developed guidelines to assist the enterprises in their efforts to comply with information security law. In addition, they both offer training and give advice.

But there are also certain differences. The supervision methodology of the Norwegian Water Resources and Energy Directorate is based on NS-EN ISO 19011, which describes an audit methodology and specifies requirements for auditors. It has developed a handful of "yes/no" questions based on the text of the law. The Financial Supervisory Authority has developed a comprehensive questionnaire based on the ICT Direction and COBIT, and uses this to audit the IT processes. This is a far more comprehensive tool than the handful of questions posed by the Norwegian Water Resources and Energy Directorate. Within the hydroelectric power industry, information security supervision is just a part of a more comprehensive security supervision, while the finance sector supervision is characterized by a sole focus on information security and is deeply rooted in the ICT Direction. In addition, more human resources are dedicated to the information security supervisory process within the financial sector than in the electric power industry.

When requirements to close deviations are not met, both authorities can withdraw the licences. Yet punishment practices may vary: the Financial Supervisory Authority of Norway publishes any deviations that are not closed within the deadline. This may affect the market's trust in the financial enterprise and its management. The Norwegian Water Resources and Energy Directorate requires the deviation to be closed, and any enterprise not closing the deviation risks fines. Also, the addressee of the supervision report varies: within the financial sector the report is addressed to the board, placing responsibility on the board; within the hydroelectric power supply industry, the supervisory report is addressed to the company (Hagen, Nordøen and Halvorsen 2007).

5 COMPARATIVE ANALYSES

5.1 The answers

Of the 87 received answers, 21 were from hydroelectric enterprises and 13 from savings banks. Table 1 shows the distribution of the answers and the respondents of the questionnaire.

Table 1. Respondents (N = 34).

                 Electric power   Finance
Manager                1             4
IT                    17             1
Economy                0             2
Security               2             3
Advisor                1             2
Total counts          21            12

The data shows that within the finance sector more managers answered the questionnaire compared with the hydroelectric power industry, in which responses from IT personnel dominated.

About half of the respondents report that they outsource some or all IT operations. This corresponds with the findings in other surveys (Hagen 2007).

5.2 Top management commitment and quality of security work

The questionnaire included questions about the respondents' judgements of top management engagement and of compliance with information security law.

Table 2. Security attitudes towards information security (N = 34). Mean ranging from 1 = strongly disagree to 5 = strongly agree.

                                                    Mean
                                        Electric power   Finance   Sig.
Engaged top management                       3.33          4.62    0.001
Info.sec. is frequently on the agenda        2.29          3.08    0.057
Legal requirements are satisfied             4.14          4.69    0.035
Supervision increases the top
  management's engagement                    3.95          4.25    0.399

Table 2 summarises the results of the independent-samples t-tests (see Section 3). A Likert scale was used, ranging from 1 =
strongly disagree to 5 = strongly agree. The results show mostly high mean values, which means that the respondents agree with most statements. Tests of differences in attitudes reveal that the respondents within the finance sector view top management engagement as higher than do the respondents from the electric power supply sector. Within the finance sector, information security is also more often on the management's agenda, and there is also a stronger focus on meeting legal requirements. There are, however, no significant differences regarding the respondents' view on the effect of supervision, but a high mean value indicates that the respondents agree that supervision has some effect.

Table 3 shows that most organizational security measures are widely adopted in the finance sector. Security classification of systems and personnel is, however, mostly applied by electric power supply organizations. One possible explanation might be the security regime that developed after the Second World War, with a focus on protection of power plants and critical infrastructures in case of war.

The survey also inquired about the frequency with which risk analyses and internal and external audits were conducted (Table 4). Independent-samples t-tests show significant differences between the sectors; the financial sector performs risk analyses and audits more frequently than the electric power industry.

Table 4. Risk analysis and audits (N = 34). Scale used: 1 = never, 2 = less often than every third year, 3 = less often than yearly, 4 = yearly.

                                Mean
                    Electric power   Finance   Sig. level
Risk analysis            3.05          3.77      0.003
Internal audit           3.10          3.85      0.002
External audit           2.62          3.46      0.016

Summing up the findings so far, it seems reasonable to conclude that information security awareness is higher in the finance sector than in the electric power industry. This is documented by the respondents' judgement of top management engagement and by a more widespread use of organizational information security measures.

The data also shows that the overall majority of both the financial and the electric power supply organisations have routines for the reporting of incidents, and that the employees in both sectors often act according to the routines and report security incidents. Looking at the share of enterprises experiencing security incidents (Table 5), we see that a larger number of electric power supply enterprises report incidents typically caused by insiders, compared with financial enterprises. A subsequent hypothesis may be that there is a relationship between high organizational security awareness and a low probability of security breaches by own employees. The data set is unfortunately too small to conduct a chi-square test of this hypothesis.

5.3 How could the sectors learn from each other?

Within the Norwegian electricity industry, the focus placed upon information security has increased during the last years, both through national information security strategy initiatives and through research on protection of critical infrastructure (Nystuen & Hagen 2003). The traditional security focus in the sector has been on national security, physical security and emergency preparedness in case of natural disasters and war. Information security has become important in particular during the last 10–15 years, and is now a critical input in process operation and trade.

In the finance sector, however, information security has been close to the core business ever since money became electronic signals. If the IT systems are down or the IT services are not secure, this would not
only prohibit money transfers, but also disrupt the reputation of the financial enterprise.
Compared with the electrical power supply sector, the respondents within the finance sector report more far-reaching security measures, higher management engagement in information security and more satisfaction with compliance with legal requirements. The financial sector is also supervised according to a dedicated information security direction and by a far more comprehensive method.
The electrical power supply sector could learn from the financial sector how to improve organizational awareness and adopt organizational information security measures. The financial sector could in turn learn from the electric power supply sector how to classify information, personnel and systems into different security classes, and how emergency exercises can prepare the organizations for different threat scenarios.
To learn and share knowledge about information security practices and their effects, mutual trust and secure meeting places are needed. The survey data show that the organizations participate in a wide range of different security forums, but we do not see many of them participating in the same forum. The authorities could facilitate meetings to establish connections among enterprises in the different sectors. Another possibility is that the National Security Agency facilitates such meetings through NorCERT's forums. This could be a good starting point.
We expect that security systems within both sectors would benefit from information sharing and mutual learning. The electric power supply is the most critical infrastructure in modern society. In case of a power outage, most services stop, including financial services. On the other hand, the electric power supply sector depends on the finance sector to transfer money when electricity is traded, and the whole of society depends on both the electric power supply and the services and infrastructures for money transfers. If any of these critical services stops, then production and delivery of all kinds of services and goods stop, too. Moreover, in modern society there is a new, evolving interdependency: the ICT systems that affect sectors and domains beyond their own boundaries. Both sectors depend critically on the ability to communicate, and on ICT providers and infrastructures that might be located in other countries (Nystuen and Fridheim, 2007).
6 DISCUSSIONS
6.1 The differences in legal framework and supervision practice
The question we raised in this paper asks whether the laws and the accompanying supervision process of the authorities have any effect on the organizational security awareness of the enterprises under supervision. We know from this study that both electric power industry and finance sector authorities have developed guidelines and in addition provide their supervisory objects with advice and assistance. The differences in legal framework, in the amount of human resources spent on supervision of information security and in the applied supervision methodologies mirror the organizational security awareness in the two critical infrastructures. High organizational security awareness corresponds with less exposure to insider threats. The finance sector has adopted the most comprehensive approach, which is mirrored in wider use of security measures, a more engaged top management and less reporting of insider incidents. Our findings confirm the theories that a legal framework affects how information security measures are adopted by organizations (Sundt 2006, Lobre 2002).
It is reasonable to believe that the differences in laws and regulations, and in how compliance with the laws is supervised, can have an impact on organizational awareness, including top management engagement in information security. When supervising, the authorities place responsibility on the management. The quality of the supervision methods and the kind of sanctions applied might affect the engagement of the top management. If the management is engaged, it will be aware of the need for information security measures to comply with the laws, and will assure that security measures are implemented. In this survey we found that high management engagement corresponds with a high degree of adopted security measures and a lower degree of insider incidents. The findings correspond with the experiences from safety management (Simonds 1973, Simonds & Shafai-Sharai 1977) and with research on information security law (Sundt 2006, Lobre 2002).
We must, however, be aware of alternative explanations of the findings. Organizational information security awareness could be related to the maturity of information security work within the sectors, or to the closeness of information security to the core business. Unfortunately, the data set is neither designed for it, nor large enough, to conduct a statistical analysis to test this hypothesis.
6.2 Information security supervision in other countries and the possibility to generalize the findings
Supervision from a public authority requires a legal framework. Without laws and directions, there will be no public supervisory activities. The supervisory practices and the related legal framework in Norway, Sweden, Denmark, Finland and the UK are documented in Hagen et al. (2007). Norway has close relations to all these countries, both within the electric power supply sector and within the finance sector. The Norwegian
authorities use information security supervision to a larger extent than the other countries. The Norwegian financial sector is in an exceptional position because of the ICT Direction. The usual practice is to include information security requirements as a minor part of other laws and directions. In Denmark, however, there are regulations within the financial industry similar to the ICT Direction in Norway, and the supervisory process is almost equal to the Norwegian one. Supervision of information security within the hydroelectric power supply is, however, at an early phase compared to Norway, because information security is not regarded as critical to the same extent. Sweden does not have information security laws for finance or hydroelectric power supply, but its Security Act can be applied to critical infrastructures. Finland has the Data Security Act, which is relevant for all sectors, yet there are differences regarding the practical organisation of emergency preparedness. The most significant differences are, however, related to UK practices. The UK does not have information security regulation similar to the Nordic countries, but the Centre for the Protection of National Infrastructure (previously the National Infrastructure Security Coordination Centre, NISCC) contributes knowledge and advice regarding cyber attacks against critical infrastructures. None of the countries, including Norway, use indicators or metrics to measure information security and compliance with the law.
The differences in the national regimes make it difficult to generalize the findings in this study and to conduct meaningful comparisons. It could, however, be interesting to study the information security practices within other countries in more detail, to learn more about the effects of different supervision approaches and also about the effect of laws in more market-driven regimes.
6.3 Validity and reliability of the data
The paper is based on both in-depth case studies, as documented by Hagen et al. (unpubl.), and a survey. The report has been through several rounds of validation by the informants. These findings, describing the differences in laws and supervision practices, are therefore considered both valid and reliable. Turning to the survey, the major problem is the low response rate and the few responses. However, the answers are well distributed among the sectors, enabling some discussion of variations among the sectors. Besides, personal interviews with representatives from the sectors confirm the findings. Studying the identity of the respondents to the questionnaires, there were significant differences between the sectors. In the finance sector, mostly management answered, while in the electric power industry, mostly IT personnel answered. Both IT personnel and management should be aware of the use of the organizational information security measures examined in the survey, as the measures would influence their work in some way. It is our view that the study produces valid and reliable results, despite the few answers and the variation in the identity of the respondents to the questionnaire.
7 CONCLUSIONS
In this paper we raised three questions:
– Do the laws and the accompanying supervision process of the authorities have any effect on the organizational security awareness and top management engagement of the enterprises under supervision?
– Are there any differences in security practices between the sectors?
– If there are differences, how could the sectors learn from each other to strengthen information security?
Our findings support the theory that laws have an effect on how organizations adopt information security measures. The findings indicate that both the laws and the quality of the supervisory processes could have an effect on how organizations adopt organizational information security measures.
There are differences between the sectors in legal framework, supervision methods and type of sanctions if the requirements are not met. These differences mirror the security practices, the attitudes of top management towards engagement in information security and the exposure to insider incidents.
Cross-sector learning and knowledge sharing will strengthen the overall security culture and can be motivated by the mutual dependency between the sectors. Existing security forums can be used, or the authorities could facilitate meetings. In this way, security systems within both sectors can benefit from knowledge sharing.
8 THE WAY AHEAD
We will continue to study the effects of organizational information security measures. Further research will be conducted on the effect of implemented security policy and IT-user training on security culture.
ACKNOWLEDGEMENT
The authors would like to acknowledge Jan Hovden, Pål Spilling, Håvard Fridheim, Kjetil Sørlie, Åshild Johnsen and Hanne Rogan for their contribution to the work reported in this paper.
REFERENCES
COBIT, 2008. Available at www.isaca.org/cobit
Hagen, J.M. 2003. Securing Energy Supply in Norway—Vulnerabilities and Measures. Presented at the conference: NATO-Membership and the Challenges from Vulnerabilities of Modern Societies, The Norwegian Atlantic Committee and the Lithuanian Atlantic Treaty Association, Vilnius, 4th–5th December, 2003.
Hagen, J.M., Albrechtsen, E. & Hovden, J. Unpubl. Implementation and effectiveness of organizational information security measures. Information Management & Computer Security, accepted with revision.
Hagen, J.M., Nordøen, L.M. & Halvorsen, E.E. 2007. Tilsynsmetodikk og måling av informasjonssikkerhet i finans og kraftsektoren. In Norwegian. [Audit tool and measurement of information security in the finance and power sector]. FFI/Rapport-2007/00880.
Hagen, J.M. 2007. Evaluating applied information security measures. An analysis of the data from the Norwegian Computer Crime survey 2006. FFI-report-2007/02558.
Hole, K.J., Moen, V. & Tjøstheim, T. 2006. Case study: Online Banking Security. IEEE Privacy and Security, March/April 2006.
Kredittilsynet (The Financial Supervisory Authority of Norway). Risiko- og sårbarhetsanalyse (ROS) 2004. In Norwegian. [Risk and vulnerability analysis 2004].
Lobree, B.A. 2002. Impact of legislation on Information Security Management. Security Magazine Practices, November/December 2002: 41–48.
NS-EN ISO 19011. Retningslinjer for revisjon av systemer for kvalitet og/eller miljøstyring. [Guidelines for auditing systems for quality management and environmental management].
Nystuen, K.O. & Fridheim, H. 2007. Sikkerhet og sårbarhet i elektroniske samfunnsinfrastrukturer—refleksjoner rundt regulering av tiltak. [Secure and vulnerable electronic infrastructures—reflections about regulations and security measures]. FFI-Report 2007/00941.
Nystuen, K.O. & Hagen, J.M. 2003. Critical Information Infrastructure Protection in Norway. CIP Workshop, Informatik, Frankfurt a.M., 29.09–02.10.2003.
Simonds, R.H. & Shafai-Sharai, Y. 1977. Factors Apparently Affecting Injury Frequency in Eleven Matched Pairs of Companies. Journal of Safety Research 9(3): 120–127.
Simonds, R.H. 1973. OSHA Compliance ‘‘Safety is good business’’. Personnel, July-August 1973: 30–38.
Sundt, C. 2006. Information Security and the Law. Information Security Technical Report, 11(1): 2–9.
Williams, P. 2007. Executive and board roles in information security. Network Security, August 2007: 11–14.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: Countervailing risks have important implications for risk regulation, as they suggest that gains in
environmental and human health may be coming at a significant cost elsewhere, or even that in some situations,
our cures may be doing more harm than good. This paper expands the prevailing explanation of why risk
reducing measures frequently lead to harmful side-effects which render them uneconomic or even perverse.
Our expansion is three-fold: we highlight how confirmation bias and various pathologies of complex problem
solving may constrain regulators from foreseeing or even considering the harmful side-effects of proposed risk
reduction measures; argue that limited incentives and capacities for regulatory learning constrain the detection
and correction of harmful side-effects of interventions; and contend that the adversarial nature characterising
many risk conflicts systematically gives rise to perverse trade-offs. We conclude that adaptive, stakeholder-based
forms of regulation are best positioned to reform these pathologies of the regulatory state, and to produce a form
of governance best suited for recognising and addressing the need to make risk trade-offs in what are often highly
charged, contested situations.
1 A BRIEF HISTORY OF UNINTENDED CONSEQUENCES
In prehistoric societies, man’s tasks were largely ephemeral problems having no significance beyond themselves. He collected firewood, hunted prey, forged tools, and sought mates. The low complexity of both the tasks and the social structures within which they lay meant that they could be pursued on an ad hoc basis, and only rarely did the need to view problems as being embedded within other problems arise (Dörner, 1996). Passing through early human history, man became more dependent on others and aware of his influence on the environment, and developed rudimentary economic and political systems to manage these interdependences. Initially, small-scale sufficiency economies and councils of elders were sufficient to coordinate the limited division of labour and facilitate an understanding of causal relationships between human activities and the natural environment (Hofstetter et al., 2002). However, as specialisation and differentiation grew, technology and industrialisation advanced, population burgeoned, and economic and social systems became increasingly intertwined, complexity has come to characterise the modern world. We now must deal with a series of closely, and often subtly, related problems, with the consequence that our approach to problem solving increasingly requires attention to the interdependencies of social and natural systems, and an awareness of the often latent second- and third-order effects of decisions and actions (Dörner, 1996). For various reasons, we seem ill-suited to this task.
This incongruity has led some of our most prominent social theorists and philosophers to focus on the unforeseen and unintended consequences of human actions, in contexts ranging from economics, to politics, to social policy (e.g. Popper, 1961; Merton, 1936; Hayek, 1973). The driving impetus was the idea that unintended consequences should be a central concern of the social sciences, as they constrain the ability to predict and therefore control the consequences of social interventions. In the past generation, the baton has been passed to scholars of risk regulation, a small but influential group of whom have focussed on the harmful, unintended consequences of risk reducing measures in the public and environmental health arenas (e.g. Graham and Wiener, 1996; Sunstein, 1990; Viscusi, 1996). For example, airbags may protect adults but kill children; gas mileage standards may protect the environment at the cost of thousands of lives annually, as they encourage manufacturers to sacrifice sturdiness for fuel-efficiency; drug-lags stemming from stringent testing requirements may protect the public from potentially adverse effects of un-tested pharmaceuticals, whilst at the same time diminishing the health of those who urgently need them; bans on carcinogens in food-additives may lead consumers to use non-carcinogenic products which nevertheless carry even greater health risks, and so on.
These countervailing risks have important implications for risk regulation, as they suggest that recent gains in environmental and human health may be coming at a significant cost elsewhere, or even that in some situations, our cures may be doing more harm than good. This paper expands the prevailing explanation of why risk reducing measures frequently lead to harmful side-effects (e.g. Graham and Wiener, 1995; Wiener, 1998), and argues that stakeholder-based forms of adaptive management are the most effective regulatory arrangements for making optimal risk trade-offs in what are often highly charged, contested situations requiring tragic choices to be made under conditions of ignorance.
2 PERVERSE RISK TRADE-OFFS: THE PREVAILING EXPLANATION
We shall briefly summarise the dominant explanation of why externalities arise from risk reducing measures, most prominently associated with Professors Wiener and Graham (see, e.g. Graham and Wiener, 1995; Wiener, 1998). In short, their argument is that the fundamental reason that risk reduction measures sometimes create countervailing risks is the interconnectedness of multiple risks, derived in turn from the interconnectedness of social and environmental systems. Of course, countervailing risks are not problematic for risk regulation per se; difficulties arise when, on balance, the trade-off between target and countervailing risks renders a regulation an inefficient allocation of resources, or, more dramatically, perverse in the sense that we are left with a net diminution of environmental or public health. And so, their argument goes, we must think systematically when considering risk reduction measures. Based on a series of detailed case studies, these scholars show that such systematic thinking is far from the norm in risk regulation, and argue that perverse or uneconomic trade-offs routinely arise due to the systematic failure of regulatory bodies to account for the full consequences of their interventions in a rational manner. This failure is explained in terms of psychology and with reference to some perverse aspects of regulatory law and politics.
Graham and Wiener’s psychological angle posits that the use of heuristics, chiefly availability, to make probabilistic judgements leads to systemic error in risk perception and by extension erroneous regulatory responses to risk. Similarly, cognitive biases, such as loss aversion, are held to explain conservative tendencies in both risk assessment (e.g. default conservative assumptions) and risk management (e.g. the precautionary principle; over-regulation of risks from new sources vs. old sources), which are argued to further skew the balancing of target and countervailing risks away from normative ideals. They also draw attention to risk compensation, wherein the reductions in risk sought by regulatory interventions are partly offset by behavioural changes which may even shift the nature of the risk or the group who bears its burden. For example, safer car designs may encourage faster or more reckless driving, thus leading to a lower than expected decrease in risk to the driving public, and a net increase of risk to pedestrians. The scholars argue that these compensations are frequently unaccounted for in regulatory decision making.
From the perspective of regulatory law and politics, Graham and Wiener invoke public choice theory to explain why regulatory decision-making often departs from the norm of a balanced, deliberative consideration of the public good towards satisfying the vested interests of the more vocal interest groups, often with the effect of offloading countervailing harms on those whose voices were omitted from the regulatory process. Similarly, the scholars hold that jurisdictional specialisation and fragmentation of the regulatory state leave little incentive for regulatory agencies to monitor or even consider the harmful effects of their regulations on other domains (e.g. across geographical boundaries, hazard types, media, etc.).
To summarise Graham and Wiener’s view, then, externalities may arise from risk reduction measures because environmental and public health problems are not hermetically sealed, and so unintended, undesirable side-effects of interventions often arise. The trade-offs between countervailing and target risks are often uneconomic or perverse because of legal, political and psychological factors which prevent regulators from thinking rationally and synoptically about their interventions. Broadly speaking, we find much truth in this explanation. However, we suggest that the distorting effect of the availability heuristic is likely overstated, given that subjective judgements of probability are relatively minor components of overall risk perceptions (see, e.g. Sjöberg, 2000). But this is a minor quibble. Our broader argument is that there are additional factors at work in distorting risk trade-offs, which we expand on in the following section.
3 EXTENDING THE EXPLANATION
3.1 The psychological perspective
In addition to the errors which arise from heuristic judgements, and other, unrelated, cognitive biases, we can finger various pathologies of complex problem solving as being plausible suspects in the generation of perverse risk trade-offs. In doing so, we draw upon the dynamic decision making research programme (e.g. Dörner, 1996; Brehmer, 1992) which
explores individual and group decision making in simulated environments defined by the characteristics of complexity, opaqueness, and dynamism (e.g. natural resource management). Given these characteristics, such simulations are largely analogous to the dilemmas facing regulators tasked with protecting public and environmental health.
Unsurprisingly, this programme has revealed that people generally struggle to deal with complex problems; however, the errors committed by the participants were far from random, instead being indicative of general weaknesses or pathologies in reasoning and perception when dealing with complex, opaque, dynamic systems. Those of greatest relevance to us are (Dörner, 1996; Brehmer, 1992): the common failure to anticipate the side-effects and long-term repercussions of decisions taken; the tendency to assume that an absence of immediate negative effects following system interventions serves as validation of the action taken; and the habit of paying little heed to emerging needs and changes in a situation, arising from over-involvement in subsets of problems. Rather than appreciating that they were dealing with systems composed of many interrelated elements, participants all too often viewed their task as dealing with a sequence of independent problems (Dörner, 1996; Brehmer, 1992).
One conclusion that can be drawn from this is that people’s mental models often fail to incorporate all aspects of complex tasks, and so making inferences about side-effects and latent consequences of actions is often a bridge too far (Brehmer, 1992). Although we are to some extent stuck with the limitations of our cognitive capacities, it is worth bearing in mind that mental models are not solely internal psychological constructs, but are to an extent socially constructed. It thus seems reasonable to assume that, in the context of risk regulation, the incorporation of a broad range of values, interests, and perspectives within the decision making process would help to counteract the tendency to frame the pros and cons of proposed risk reduction measures in an unduly narrow, isolated manner (i.e. expand regulators’ mental models). Moreover, enhancing the mechanisms and incentives for regulatory agencies to monitor and evaluate the impacts of their interventions could ameliorate the tendency to neglect latent outcomes of decisions (i.e. lengthen regulators’ mental models). We return to this later.
We hypothesise that a further contributory factor to the phenomenon of perverse risk trade-offs is the well established phenomenon of confirmation bias. This refers to the tendency to seek out and interpret new information in a manner which confirms one’s preconceived views, and to avoid information and interpretations which question one’s prior convictions. The reader may, quite rightly, point out that there is a veritable litany of psychological biases that have been identified, and then ask why we consider this one to be particularly central to the problem of perverse risk trade-offs. The reason is that disputes over proposed public and environmental health measures are often highly charged, emotive issues, given that they concern the protection or sacrifice of the most fundamental values: human life, inter-generational equity, ecological health, and so forth. In such situations, where people commonly perceive moral absolutes as being at stake, said people can raise confirmation bias to an art form. Thus, those drawing attention to the potentially harmful consequences of proposed risk reduction measures may be viewed as mere reactionaries or industry stooges, and the information or data which they use to support their position treated with scepticism or simply ignored. In essence, we propose that confirmation bias leads to the systematic discounting or even neglect of the likelihood and extent of potentially harmful side-effects of proposed risk reduction measures, a clear formula for the generation of perverse risk trade-offs.
3.2 The perspective of regulatory law and politics
Much ink has been spent highlighting the legal and political constraints to optimising those trade-offs inherent to risk reduction measures (e.g. the use of absolute standards; the narrow and oft conflicting mandates and missions of regulatory agencies; laws forbidding the use of cost-benefit and health-health analysis in evaluating certain proposed interventions; the traditional legal framing of environmental conflicts as short-term, zero sum questions of authority, jurisdiction, prohibition and entitlement, etc. See, e.g. Viscusi, 1996; Sunstein, 1990; Graham and Wiener, 1996). Suffice it to say that we question the wisdom of these tendencies towards absolutism and the fragmentation of the regulatory state, problems which we address in our proposals for reform.
However, the debate on the unintended consequences of risk regulation has focussed on how such legal and political factors constrain regulatory agencies from accounting for the potentially harmful side-effects of their interventions before they are enacted; little thought has been given to the detection and correction of these side-effects post implementation. This is curious, as the limited incentives and capacities of regulatory agencies to collect feedback and use this for error correction have been bemoaned by numerous scholars (e.g. Dryzek, 1987a; Weale, 1992). These limitations seem particularly problematic when one considers the radical uncertainty characterising much of the scientific and technical information underpinning regulatory decisions, as well as the inherent dynamism and stochastic nature of social and natural environments. And so proposals for regulatory reform
that seek to address the problem of perverse risk trade-offs should look with one eye towards error prevention, whilst casting the other towards error detection and correction.
3.3 The sociological perspective
We now turn to consider what a sociological perspective can tell us about the phenomenon of perverse risk trade-offs. Our central point is that the polarised nature of debates over proposed regulations, both in the public arena and within the lobbying process, is a key precondition for the generation of perverse trade-offs. For simplicity, consider the case where a regulatory measure for restricting the use of brominated flame retardants is proposed. Paradigmatically, we would see various groups lobbying the architects of the regulatory process (i.e. administrators, bureaucrats, legislators): NGOs, industry groups, think tanks, and so forth. Those favouring the proposed measure would of course highlight the forecast gains in environmental and human health arising from a ban, whilst those in opposition will draw attention to the economic costs and potential countervailing risks which it may give rise to (e.g. through reducing the level of protection from fires, through promoting a shift to potentially hazardous chemical substitutes about which little is known, etc.).
At a fundamental level, these contrasting policy preferences arise from what are often sharply contrasting beliefs, values, norms and interests of the disputants. Of course, that people disagree is hardly revelatory. The problem which arises is that the current regulatory state systematically encourages adversarial relations between these groups, through, for example: the legal framing of many environmental conflicts as zero-sum questions of prohibition, authority and jurisdiction (Freeman and Farber, 2005); often relying on lobbying as a proxy for stakeholder consultations (when the latter occur, they tend to be infrequent and superficial); and in their occasional resort to the court for final resolution of disputes. This promotion of competitive rather than co-operative behaviour encourages disputants to exaggerate differences between one another, to ascribe malign intentions to the positions of others, and to simplify conflicts through the formation of crude stereotypes (Fine, 2006; Yaffee, 1997). Thus, in many situations, disputes over risk trade-offs can resemble prisoners’ dilemmas, where co-operation could lead to a mutually acceptable solution which balances harm against harm, but a fundamental lack of trust leaves the participants caught in a zero-sum struggle as they fear that any compromise would not be reciprocated.
Moreover, in such adversarial settings the underlying scientific, technical and economic data on which risk trade-offs are ostensibly based is often (mis)used by the various parties to entrench existing positions and to discredit opponents. This is particularly problematic given the objective dearth of our knowledge of many risks to public and environmental health, and the value-laden assumptions underlying any comparison of risk against risk (e.g. what price to put on human life, how to deal with issues such as equity, how to value ecological status, etc.). This relative indeterminacy leaves broad scope for the various disputants to interpret risk analysis outcomes in radically different ways, and, when they have access to power or resources, to shape the very outcomes themselves through adopting different assumptions and data gathering procedures, often within the framework of a defensible scientific methodology. And so even where regulatory agencies are able to formulate a policy which ostensibly balances between the diametrically opposed positions of those disputants (i.e. is able to escape the zero sum trap), it is often based on highly politicised and value-laden data, meaning that the balancing of harm against harm is illusory.
4 A BRIEF PROPOSAL FOR REFORMING THE REGULATORY STATE
In this final section, we briefly argue that adaptive, stakeholder-based forms of regulation are best positioned to reform these pathologies of the regulatory state, and to produce a form of governance best suited for recognising and addressing the need to make risk trade-offs in what are often highly charged, contested situations. Our discussion is at a general, abstract level, leaving any debate over the finer points of such reforms to scholars of administrative law and regulatory policy.
Stakeholder-based governance refers to an array of practices where a broad cross-section of stakeholders, selected to represent different interests, come together, in person, for long-term dialogue to address policy issues of common concern, overseen by a neutral party which initiates, lubricates and oversees discussions, ensuring that they are governed by rules of reasoned discourse (e.g. ruling out threat, concealment of information, etc.), and in which decisions are made by consensus rather than diktat or majority rule (e.g. Dryzek, 1987b; Innes and Booher, 1999; McDaniels et al., 1999). A growing body of research suggests that stakeholder-based approaches help build trust and render participants less hostile to the views of others, providing the grounds for mutual understandings of stakeholder assumptions, interests, values, norms and perspectives (e.g. Dryzek, 1987b; Innes and Booher, 1999; McDaniels et al., 1999). In short, they create an environment which enables participants to find solutions which accommodate each other’s interests without harming their own, or to learn to view all
418
interests as interconnected and thus conceive of dis- REFERENCES
putes as joint problems in which each has a stake
(Innes and Booher, 1999). Here, the malign influ- Brehmer, B. 1992. Dynamic decision making: human control
ences of narrow mental models, of confirmation bias, of complex systems. Acta Psychologica. 81(3):211–241.
of absolutism, of adversarial relationships, and of the Dörner, D. 1996. Recognizing and avoiding error in complex
omitted voice (all, in some way, related to absolutism), situations. New York: Metropolitan Books.
Dryzek, J. 1987a. Ecological rationality. Oxford: Blackwell.
may be expected to be in large part ameliorated. Dryzek, J. 1987b. Complexity and rationality in public life.
Of course, this is not a full-proof solution, and Political Studies. 35(3):424–442.
harmful, unintended consequences will still arise from Fine, G.A. 2006. The chaining of social problems: solutions
regulatory measures derived from even the most holis- and unintended consequences in the age of betrayal. Social
tic process, in part due to the profound uncertainties Problems. 53(1):3–17.
characterising many public and environmental health Freeman, J. and Farmer, D.A. 2005. Modular Environmental
risk dilemmas, and the temporal nature of social val- Regulation. Duke Law Journal. 54:795.
ues, interests, and perspectives. It is not uncommon Graham, J.D. and Wiener, J.B. 1995. Risk versus risk: trade-
for public, governmental or scientific perceptions of offs in protecting health and the environment. Harvard
University Press.
the rationality of past risk trade-offs to migrate over Hayek, F.A. 1973. Law, legislation and liberty. London:
time, leading to calls for corrective measures or even Routledge and Kegan Hall.
a sharp reversal of the path already taken, such that Hoffstetter, P., Bare, J.C., Hammitt, J.K., Murphy, P.A. and
as observers of the decision process we are left with Rice, G.E. 2002. Tools for comparative analysis of alter-
a sense of déjà vu, and a feeling that the governance natives: competing or complimentary perspectives? Risk
of risk resembles a Sisyphean challenge. Thus, it is Analysis. 22(5): 833–851.
crucial that the regulatory state adopt a more adaptive Innes, J.E. and Booher, D.E. 1999. Consensus building and
approach (e.g. McDaniels et al., 1999), in the sense complex adaptive systems: a framework for evaluating
of viewing decision making iteratively, of placing a collaborative planning. Journal of the American Planning
Association. 65(4):412–423.
strong emphasis on the role of feedback to verify the Merton, R.K. 1936. The unanticipated consequences of
efficacy and efficiency of the policies enacted, and of purposive social action. American Sociological Review.
appreciating the wisdom of learning from successive 1(6):894–904.
choices. McDaniels, T.L., Gregory, R.S. and Fields, D. 1999. Democ-
ratizing risk management: successful public involvement
in local water management decisions. Risk Analysis.
5 CONCLUSIONS 19(3): 497–510.
Popper, K.R. 1961. The poverty of historicism. London:
To conclude, we have argued that stakeholder- Routledge and Kegan Hall.
Sjöberg, L. 2000. Factors in risk perception. Risk Analysis.
based, adaptive approaches to regulatory governance 20(1):1–12.
should reduce the incidence of perverse risk trade- Sunstein, C.R. 1990. Paradoxes of the regulatory state.
offs through a) integrating a broader range of val- University of Chicago Law Review. 57(2): 407–441.
ues, perspectives, interests, and scientific and tech- Viscusi, W.K. 1996. Regulating the regulators. University of
nical information into regulatory decision making; Chicago Law Review. 63(4):1423–1461.
b) transforming what were previously framed as zero- Weale, A. 1992. The new politics of pollution. Manchester:
sum disputes into co-operative searches for mutually University of Manchester Press.
acceptable solutions; and c) promoting the early detec- Wiener, J.B. 1998. Managing the iatrogenic risks of risk
tion and correction of undesirable side-effects of reg- management. Risk: health, safety and environment. 9(1):
39–82.
ulatory measures through providing mechanisms and Yaffee, S.L. 1997. Why environmental policy nightmares
incentives for learning. recur. Conservation biology. 11(2): 328–337.
ACKNOWLEDGEMENTS
419
Maintenance modelling and optimisation
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
P.A. Scarf
Centre for OR and Applied Statistics, University of Salford, UK
C.A.V. Cavalcante
Federal University of Pernambuco, Brazil
R.W. Dwight
Faculty of Engineering, University of Wollongong, Australia
P. Gordon
Faculty of Engineering, University of Wollongong, Australia
ABSTRACT: This paper considers a hybrid maintenance policy for items from a heterogeneous population.
This class of items consists of several sub-populations that possess different failure modes. There are a substantial
number of papers that deal with appropriate mixed failure distributions for such a population. However, suitable
maintenance policies for these types of items are limited. By supposing that items may be in a defective but
operating state, we consider a policy that is a hybrid of inspection and replacement policies. There are similarities
in this approach with the concept of ‘‘burn-in’’ maintenance. The policy is investigated in the context of traction
motor bearing failures.
maintenance. Finkelstein and Esaulova (2001b) argue that periodic policies do not take account of systematic changes that occur in the pattern of ageing of items from a mixed population. In this paper, we propose a maintenance policy that is a hybrid of inspection maintenance and age-based replacement. The inspection phase of the policy deals with early failures. The age-based replacement phase deals with normal wear-out. We will consider items for which failure implies immediate cost-consequences. In this context, for inspection to be viable, we suppose that a defect may arise prior to failure, and that these defects are detectable at inspection. Before developing this model in section 4, we discuss mixtures of failure distributions in general. Section 5 presents a numerical example based on traction motor bearing failure.

Note that the model we propose is related to burn-in maintenance. In this policy, items are subjected to a burn-in test. According to Cha et al. (2004), burn-in is a widely used method to improve the quality of products or systems after they have been produced. The implication is that the population of items produced is heterogeneous, and poor quality items (with short operational lives) will be screened out during burn-in. This early-life screening is analogous to the inspection phase of the hybrid maintenance model that we propose. Burn-in maintenance modelling is concerned with determining, in combination, optima for the burn-in time and the subsequent preventive maintenance policy for the operational phase (Drapella and Kosznik, 2002; Jiang and Jardine, 2007). Our model is different in that both inspection and preventive replacement will be carried out during the operational phase of the item.

2 MIXED FAILURE DISTRIBUTIONS

For a mixture of two sub-populations with densities $f_1, f_2$, distribution functions $F_1, F_2$, hazard rates $h_1, h_2$ and mixing parameter p, the density and the failure (hazard) rate of the mixed distribution are

$$f_{\mathrm{Mixed}}(t) = p\, f_1(t) + (1 - p)\, f_2(t),$$

$$h_{\mathrm{Mixed}}(t) = w(t)\, h_1(t) + \bigl[1 - w(t)\bigr]\, h_2(t),$$

where

$$w(t) = \frac{p\,\bigl(1 - F_1(t)\bigr)}{1 - F_{\mathrm{Mixed}}(t)}.$$

The lifetime distribution for a mixture of items from two sub-populations is illustrated in Figure 1. Mixtures of this kind do not necessarily have an increasing failure (hazard) rate function. Some examples that support the last conclusion have been given by several authors (Glaser, 1980; Gupta and Gupta, 1996; Finkelstein and Esaulova, 2001a; Block et al., 2003). Jiang and Murthy (1998) discuss mixtures involving two Weibull distributions. Eight different behaviours for the failure (hazard) rate function of the mixed distribution are evident, depending on the parameter values of the underlying Weibull distributions. For the general case, there are five parameters; the shape of the failure (hazard) rate is dependent on the values of the two shape parameters, β1 and β2, the ratio η2/η1 of the two scale parameters (and not their individual values) and, finally, the mixing parameter p.

Other authors have explored mixed failure distributions through their mean residual life function (Abraham and Nair, 2000; Finkelstein, 2002).

The fitting of Weibull distributions to failure data requires care. It is often the case that the data possess underlying structure that is not immediately apparent due to, for example, inspections, left and right censoring, or heterogeneity. It would be unfortunate to fit a two-parameter Weibull distribution to failures that arise from a mixture, and then adopt an age-based replacement policy for the items based on the fitted two-parameter Weibull, since the implied critical replacement age would be inappropriate for both sub-populations of items (Murthy and Maxwell, 1981). A full discussion of the fitting of Weibull distributions to data is given in Jiang and Murthy (1995). In particular, they discuss the appearance of Weibull plots when the underlying distribution is a three-parameter or a mixed Weibull distribution.

Figure 1. Mixed distribution (solid line). Underlying Weibull distributions We(η1 = 3, β1 = 2.5) (dotted) and We(η2 = 18, β2 = 5) (dashed), mixing parameter p = 0.1.
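The formulas of section 2 carried through numerically for the Figure 1 parameters (p = 0.1, η1 = 3, β1 = 2.5, η2 = 18, β2 = 5). This is an added Python example, not code from the paper: it evaluates w(t) (the share of survivors at age t that come from sub-population 1), forms h_Mixed = w h1 + (1 − w) h2, checks it against f_Mixed/(1 − F_Mixed), and scans a grid for the turning points of the hazard. The grid scan and its step size are this example's own device; they are used only to read off the shape of the hazard, which for these parameters rises, falls as the weak items die out, and rises again with the wear-out of the strong items, one of the non-increasing shapes the text refers to.

```python
"""Mixed Weibull failure distribution: density, survivor weight w(t) and hazard.

Added example (not from the paper). Evaluates f_Mixed, 1 - F_Mixed, w(t) and
h_Mixed = w h_1 + (1 - w) h_2 for the Figure 1 parameters and checks the
hazard against f_Mixed / (1 - F_Mixed). The turning-point scan is this
example's own device for reading off the shape of the hazard.
"""
import math


def weibull_sf(t, eta, beta):
    """Survivor function 1 - F(t) of We(eta, beta)."""
    return 1.0 if t <= 0 else math.exp(-(t / eta) ** beta)


def weibull_hazard(t, eta, beta):
    """Hazard h(t) = (beta / eta) (t / eta)^(beta - 1) of We(eta, beta)."""
    return 0.0 if t <= 0 else (beta / eta) * (t / eta) ** (beta - 1)


class WeibullMixture:
    def __init__(self, p, eta1, beta1, eta2, beta2):
        self.p, self.w1, self.w2 = p, (eta1, beta1), (eta2, beta2)

    def sf(self, t):
        """1 - F_Mixed(t) = p (1 - F_1(t)) + (1 - p) (1 - F_2(t))."""
        return self.p * weibull_sf(t, *self.w1) + (1 - self.p) * weibull_sf(t, *self.w2)

    def pdf(self, t):
        """f_Mixed(t) = p f_1(t) + (1 - p) f_2(t), using f_i = h_i (1 - F_i)."""
        return (self.p * weibull_hazard(t, *self.w1) * weibull_sf(t, *self.w1)
                + (1 - self.p) * weibull_hazard(t, *self.w2) * weibull_sf(t, *self.w2))

    def weight(self, t):
        """w(t) = p (1 - F_1(t)) / (1 - F_Mixed(t)): share of age-t survivors from sub-population 1."""
        return self.p * weibull_sf(t, *self.w1) / self.sf(t)

    def hazard(self, t):
        """h_Mixed(t) = w(t) h_1(t) + [1 - w(t)] h_2(t)."""
        w = self.weight(t)
        return w * weibull_hazard(t, *self.w1) + (1 - w) * weibull_hazard(t, *self.w2)

    def hazard_direct(self, t):
        """Cross-check: the hazard computed as f_Mixed / (1 - F_Mixed)."""
        return self.pdf(t) / self.sf(t)


def turning_points(mix, t_max=12.0, step=0.25):
    """Scan h_Mixed on a grid; return [(t, 'max' | 'min'), ...] where its slope changes sign."""
    ts = [k * step for k in range(int(round(t_max / step)) + 1)]
    hs = [mix.hazard(t) for t in ts]
    points = []
    for k in range(1, len(ts) - 1):
        before, after = hs[k] - hs[k - 1], hs[k + 1] - hs[k]
        if before > 0 > after:
            points.append((ts[k], "max"))
        elif before < 0 < after:
            points.append((ts[k], "min"))
    return points


if __name__ == "__main__":
    fig1 = WeibullMixture(p=0.1, eta1=3.0, beta1=2.5, eta2=18.0, beta2=5.0)
    for t in (1.0, 3.0, 6.0, 12.0):
        print(f"t = {t:5.1f}   w(t) = {fig1.weight(t):.4f}   h_Mixed(t) = {fig1.hazard(t):.5f}")
    print("turning points of h_Mixed:", turning_points(fig1))
```

The first turning point sits near the mode of the weak sub-population's defect-arrival distribution, the second where the strong sub-population's wear-out hazard overtakes the vanishing contribution of the weak items; a single two-parameter Weibull fitted to such data could reproduce neither.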
3 MAINTENANCE MODELS WITH MIXED DISTRIBUTIONS

As indicated above, there have been many contributions on the theme of mixed distributions. However, there has been less discussion of maintenance policies for items with mixed failure distributions. Here we review the main contributions in this area.

Murthy and Maxwell (1981) proposed two types of age-replacement policy for a mixture of items from two sub-populations, 1 and 2. In policy I, it is assumed that the lifetime distribution of items for each sub-population is known, but it is not known whether an operating item is of type 1 or 2. In policy II, it is assumed that the decision maker can, by some test that costs α per item, determine whether an item is of type 1 or 2, and then subsequently replace items from sub-population 1 at age $T_1^*$ or at failure, and replace items from sub-population 2 at age $T_2^*$ or at failure, whichever occurs first. Finkelstein (2004) proposed a minimal repair model generalized to the case when the lifetime distribution function is a continuous or a discrete mixture of distributions. As was stated in the introduction, some adaptations of burn-in models have been proposed by Drapella and Kosznik (2002) and Jiang and Jardine (2007). The objective of these models is to find optimum solutions for a combined burn-in-replacement policy, in order to take into consideration the change in ageing behaviour of items from a heterogeneous population, represented by a mixed distribution. The cost advantage of the combined policy over the separate policies of burn-in and replacement is quite small. The combined policy is also much more complex, and therefore it is difficult to decide whether the combined policy is superior (Drapella and Kosznik, 2002). Jiang and Jardine (2007) argue that preventive replacement is more effective in the combined policy.

The burn-in process is not always suitable, since a long burn-in period may be impractical. Then the early operational failure of short-lived items becomes a possibility. For this reason, in the next section, we propose a model that is similar to a combined burn-in-replacement policy, but instead of a burn-in phase we propose a phase of inspection to detect the weak items. This can then accommodate, during operation, the evolution of the ageing behaviour of items from a heterogeneous population.

4 THE MODEL

We use the following notation. For an item,

• X is the age at defect arrival, with probability density function $f_X$;
• H is the delay time from defect arrival to failure, with probability density function $f_H$, independent of X;
• Δ is the interval between inspections;
• K is the number of inspections that will take place during the inspection phase, which has length KΔ;
• Y is the age at failure, so that Y = X + H;
• T is the age at preventive replacement (T ≥ KΔ).

We assume that:

• $f_X(x) = p\,f_1(x) + (1 - p)\,f_2(x)$, where p is the mixing parameter and $f_1(x)$ and $f_2(x)$ follow Weibull distributions with characteristic lives η1, η2 and shape parameters β1, β2;
• inspections are perfect, in that defects present will be identified;
• defective items are replaced at inspection instantaneously, and the average cost of replacement of a defective item is $C_R$;
• failed items are immediately apparent, cause operational failure of the system, and are replaced instantaneously with average cost $C_F$;
• at the critical replacement age T, preventive replacement of an item is instantaneous and again costs $C_R < C_F$;
• the cost of inspection is $C_I < C_R$;
• on replacement of items (whatever the state of the replaced item), the system is restored to the as-new state.

In this way, we assume that the population of items consists of two sub-populations, one weak with a shorter lifetime and one strong with a longer lifetime, and that failures are anticipated by a defective state. In order to reduce early failures, all items are inspected with frequency 1/Δ during the inspection phase, up to age KΔ. An item will be replaced at the time of the ith inspection if it is defective; it will be replaced on failure; it will be replaced preventively at T if it survives to this age. The objective of inspection is to prevent early-life failures of weaker items. Inspections act as a natural, operational burn-in process, since the weak items will fail much earlier than strong items. The objective of preventive replacement, which takes place over a much longer time-scale, is to reduce wear-out failures in later life.

The failure model has three states: good, defective, failed. In the good and defective states, the system is operational. The notion of a defective state allows us to model inspections: if the delay-time is zero (two-state failure model), then, given our assumption that item failures lead to immediate operational failure, inspection is futile. Note that the model might be extended to consider a mixed population of delay-times, a proportion of which are zero (Christer and Wang, 1995). This effectively relaxes the perfect inspection assumption, because it implies that a proportion of failures cannot be prevented by inspection. We do not consider this model here, however.

The decision variables in the model are K, T and Δ. K and T are age-related, so that on replacement the inspection phase begins again. Thus, the maintenance model is analogous to age-based replacement. The as-new replacement assumption implies that we can use the renewal-reward theorem, and hence the long-run cost per unit time as objective function.

Within this framework, the length of a renewal cycle (time between renewals), V, can take different values:

$$V = i\Delta \quad \text{if } (i-1)\Delta < X < i\Delta \ \cap\ X + H > i\Delta, \quad i = 1, \dots, K. \tag{2a}$$

Thus, for example, V = Δ, and the item is replaced at the first inspection, if X < Δ ∩ X + H > Δ. Also,

$$V = Y, \ (i-1)\Delta < Y < i\Delta \quad \text{if } X > (i-1)\Delta \ \cap\ X + H < i\Delta, \quad i = 1, \dots, K; \tag{2b}$$

$$V = Y, \ K\Delta < Y < T \quad \text{if } X > K\Delta \ \cap\ X + H < T; \tag{2c}$$

$$V = T \quad \text{if } X > K\Delta \ \cap\ X + H > T. \tag{2d}$$

The cost incurred per cycle, U, is given by

$$U = \begin{cases} iC_I + C_R & \text{if } V = i\Delta, \ i = 1, \dots, K, \\ (i-1)C_I + C_F & \text{if } (i-1)\Delta < V < i\Delta, \ i = 1, \dots, K, \\ KC_I + C_F & \text{if } K\Delta < V < T, \\ KC_I + C_R & \text{if } V = T. \end{cases} \tag{3}$$

Taking expectations over the cases (2a) to (2d), when K > 0 the expected length of a cycle is

$$
\begin{aligned}
E(V) ={}& \sum_{i=1}^{K} i\Delta \int_{(i-1)\Delta}^{i\Delta} \bigl(1 - F_H(i\Delta - x)\bigr) f_X(x)\,dx
 + \sum_{i=1}^{K} \int_{(i-1)\Delta}^{i\Delta} \int_{0}^{i\Delta - x} (x + h)\, f_H(h)\, f_X(x)\,dh\,dx \\
 &+ \int_{K\Delta}^{T} \int_{0}^{T - x} (x + h)\, f_H(h)\, f_X(x)\,dh\,dx
 + T\Bigl[\int_{K\Delta}^{T} \bigl(1 - F_H(T - x)\bigr) f_X(x)\,dx + \int_{T}^{\infty} f_X(x)\,dx\Bigr].
\end{aligned}
$$

In the same way, developing equation (3), we have that when K > 0 the expected cost per cycle is

$$
\begin{aligned}
E(U) ={}& \sum_{i=1}^{K} (iC_I + C_R) \int_{(i-1)\Delta}^{i\Delta} \bigl(1 - F_H(i\Delta - x)\bigr) f_X(x)\,dx
 + \sum_{i=1}^{K} \bigl[(i-1)C_I + C_F\bigr] \int_{(i-1)\Delta}^{i\Delta} F_H(i\Delta - x)\, f_X(x)\,dx \\
 &+ (KC_I + C_F) \int_{K\Delta}^{T} F_H(T - x)\, f_X(x)\,dx
 + (KC_I + C_R) \Bigl[\int_{K\Delta}^{T} \bigl(1 - F_H(T - x)\bigr) f_X(x)\,dx + \int_{T}^{\infty} f_X(x)\,dx\Bigr].
\end{aligned}
$$

These expressions simplify when K = 0 to

$$E(V) = \int_{0}^{T} \int_{0}^{T - x} (x + h)\, f_H(h)\, f_X(x)\,dh\,dx + T\Bigl[\int_{0}^{T} \bigl(1 - F_H(T - x)\bigr) f_X(x)\,dx + \int_{T}^{\infty} f_X(x)\,dx\Bigr],$$

$$E(U) = C_F \int_{0}^{T} F_H(T - x)\, f_X(x)\,dx + C_R \Bigl[\int_{0}^{T} \bigl(1 - F_H(T - x)\bigr) f_X(x)\,dx + \int_{T}^{\infty} f_X(x)\,dx\Bigr].$$
Expressions for E(U) and E(V) in the case K = 0 could also be derived by noting that the hybrid policy reduces to age-based replacement with critical age T. Then we have that

$$E(V) = \int_{0}^{T} \bigl(1 - F_Y(y)\bigr)\,dy, \qquad E(U) = C_F\, F_Y(T) + C_R\, \bigl(1 - F_Y(T)\bigr),$$

where Y = X + H, and so

$$F_Y(y) = \int_{0}^{y} F_H(y - x)\, f_X(x)\,dx.$$

Using the above expressions for E(U) and E(V), the optimal hybrid policy of inspection up to age KΔ and replacement at age T for items from a heterogeneous population can be determined by minimizing the long-run cost per unit time

$$C_\infty(T, \Delta, K) = \frac{E(U)}{E(V)}$$

with respect to K, Δ and T.

[Figure 3: histogram, frequency (0 to 10) against time to failure in years (1 to 6).]
Figure 3. Histogram of bearing failure times for 39 traction motors.
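The renewal-reward expressions of section 4 evaluated numerically, as an added Python example that is not code from the paper. It implements E(V), E(U) and C∞(T, Δ, K) = E(U)/E(V) for the four cycle outcomes (2a) to (2d) with plain Simpson quadrature, checks the K = 0 case against the age-based replacement expressions above, and runs a coarse grid search over (T, Δ, K). The mixture and delay-time parameters follow the numerical example of section 5 (p = 0.1, η1 = 3, β1 = 2.5, η2 = 18, β2 = 5, exponential delay with mean 1/2 year, C_R = 1); the inspection and failure costs C_I = 0.1 and C_F = 10 are assumed values, since the page does not give them.

```python
"""Hybrid inspection / age-replacement policy: C_inf(T, Delta, K) = E(U) / E(V).

Added example, not code from the paper. It evaluates the renewal-cycle
expressions of section 4 with plain-Python Simpson quadrature. The mixture
and delay-time parameters used in __main__ follow the numerical example;
the inspection and failure costs C_I and C_F are assumed values.
"""
import math


def simpson(f, a, b, n=80):
    """Composite Simpson rule on [a, b]; returns 0 for an empty interval."""
    if b <= a:
        return 0.0
    h = (b - a) / n
    return h / 3 * sum((1 if k in (0, n) else 4 if k % 2 else 2) * f(a + k * h) for k in range(n + 1))


def weibull_pdf(t, eta, beta):
    return 0.0 if t <= 0 else (beta / eta) * (t / eta) ** (beta - 1) * math.exp(-(t / eta) ** beta)


def weibull_cdf(t, eta, beta):
    return 0.0 if t <= 0 else 1.0 - math.exp(-(t / eta) ** beta)


class HybridPolicy:
    def __init__(self, p, eta1, beta1, eta2, beta2, mean_delay, c_i, c_r, c_f):
        self.p, self.w1, self.w2 = p, (eta1, beta1), (eta2, beta2)
        self.m = mean_delay  # exponential delay time H with this mean (the paper's lambda)
        self.c_i, self.c_r, self.c_f = c_i, c_r, c_f

    def f_x(self, x):  # mixed Weibull density of the defect-arrival age X
        return self.p * weibull_pdf(x, *self.w1) + (1 - self.p) * weibull_pdf(x, *self.w2)

    def F_x(self, x):
        return self.p * weibull_cdf(x, *self.w1) + (1 - self.p) * weibull_cdf(x, *self.w2)

    def f_h(self, h):  # delay-time density
        return 0.0 if h < 0 else math.exp(-h / self.m) / self.m

    def F_h(self, h):
        return 0.0 if h < 0 else 1.0 - math.exp(-h / self.m)

    def cycle_expectations(self, T, delta, K):
        """Return (E(V), E(U), total probability) summed over the renewal cases (2a)-(2d)."""
        if K * delta > T:
            raise ValueError("T must be at least K * Delta")
        ev = eu = prob = 0.0
        # K inspection intervals ((i-1)Delta, iDelta], then (KDelta, T]; each carries the number
        # of inspections paid for if the item fails inside it, and if it reaches the end of it
        segs = [((i - 1) * delta, i * delta, i - 1, i) for i in range(1, K + 1)]
        segs.append((K * delta, T, K, K))
        for j, (a, b, n_fail, n_end) in enumerate(segs):
            # defect arrives in (a, b) and has not failed by b: replaced at b (inspection, or PM at T)
            p_end = simpson(lambda x: (1 - self.F_h(b - x)) * self.f_x(x), a, b)
            if j == K:  # last segment: items with no defect before T are also replaced at T
                p_end += 1 - self.F_x(T)
            # defect arrives in (a, b) and fails before b: replaced at the failure age X + H
            p_fail = simpson(lambda x: self.F_h(b - x) * self.f_x(x), a, b)
            t_fail = simpson(lambda x: simpson(lambda h: (x + h) * self.f_h(h), 0, b - x) * self.f_x(x), a, b)
            ev += b * p_end + t_fail
            eu += (n_end * self.c_i + self.c_r) * p_end + (n_fail * self.c_i + self.c_f) * p_fail
            prob += p_end + p_fail
        return ev, eu, prob

    def long_run_cost(self, T, delta, K):
        ev, eu, _ = self.cycle_expectations(T, delta, K)
        return eu / ev

    def F_y(self, y):  # age-at-failure distribution F_Y(y) = int_0^y F_H(y - x) f_X(x) dx
        return simpson(lambda x: self.F_h(y - x) * self.f_x(x), 0, y)

    def age_replacement_cost(self, T):
        """K = 0 cross-check: E(V) = int_0^T (1 - F_Y), E(U) = C_F F_Y(T) + C_R (1 - F_Y(T))."""
        ev = simpson(lambda y: 1 - self.F_y(y), 0, T)
        fy = self.F_y(T)
        return (self.c_f * fy + self.c_r * (1 - fy)) / ev

    def best_policy(self, Ts, deltas, Ks):
        """Coarse grid search of C_inf; returns (cost, T, Delta, K)."""
        return min((self.long_run_cost(T, d, K), T, d, K)
                   for T in Ts for d in deltas for K in Ks if K * d <= T)


if __name__ == "__main__":
    bearings = HybridPolicy(p=0.1, eta1=3.0, beta1=2.5, eta2=18.0, beta2=5.0,
                            mean_delay=0.5, c_i=0.1, c_r=1.0, c_f=10.0)  # C_I, C_F assumed
    print("age-based replacement only, T = 8:", round(bearings.age_replacement_cost(8.0), 4))
    print("best policy on a coarse grid:", bearings.best_policy((6.0, 8.0), (0.5, 1.0), (0, 3, 6)))
```

The K = 0 identity is the useful self-test when adapting the code to other delay-time or mixture distributions: the double-integral form and the F_Y form must agree to quadrature accuracy, and the case probabilities returned as the third value must sum to one.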
It is interesting to note that the hybrid inspection and replacement policies that have been developed to date (e.g. Wang and Christer, 2003) are based on the notion of an increasing defect arrival rate and minimal repair. For these policies, inspections will tend to be carried out with increasing frequency as the item approaches the critical age for replacement. This is in direct contrast to the policy developed in this paper.

5 NUMERICAL EXAMPLE

Scarf et al. (2005) considered the lifetimes of bearings in 375 V d.c. traction motors used by a commuter railway, and investigated preventive replacement policies for these bearings. The railway company uses 2296 traction motors (typically 32 per train), and over the period of study observed 39 bearing failures. These are shown in a Weibull plot (Fig. 2).

[Figure 2: Weibull plot of the 39 bearing failure times; vertical axis loglog{1/(1 − i/N)}.]

A histogram of bearing failure times is shown in Figure 3. It is plausible that these failures are early-life failures of items (here bearings) that arise from a mixed population. Furthermore, inspections and replacement may account for the reduced number of failures at ages 1, 2, 3 and 4, so that the mixing parameter is somewhat more than 39/2296. Plausible values may be in the range p = 0.04 to p = 0.10. We will assume a mixture with two sub-populations of bearings: the weak items with a Weibull distribution of time to defect (time in the good state) with characteristic life η1 = 3 (years) and shape parameter β1 = 2.5, and the strong items with a Weibull distribution of time to defect (time in the good state) with characteristic life η2 = 18 and shape parameter β2 = 5. Note that the parameters of the distribution of defect arrival time for the strong items are not based on the data here. As motors were preventively replaced at 7 years, we would expect to see only very few failures of long-lived (strong) items. An exponential distribution was arbitrarily chosen for the delay times, with mean λ = 1/2 (year). As the time to failure is the sum of the time to the defective state and
Table 1. Optimum hybrid policy for various values of the cost parameters and failure model parameters. The long-run cost per unit time of the optimum policy is $C_\infty^*$. Unit cost equal to the cost of preventive replacement ($C_R = 1$). The time unit is taken here to be one year, although this is arbitrary.
Columns: β1, η1, β2, η2, p, λ, $C_I$, $C_F$, $C_\infty^*$, $T^*$, $\Delta^*$, $K^*$.

wear-out phase. As β2 becomes smaller and the sub-populations are less distinct, then $K^*\Delta^* \approx T^*$, and it is optimum to inspect over the entire life. When the cost of inspection is varied, the optimum policy behaves as expected: lower inspection costs lead to more inspections. Also, a longer mean delay time leads to more inspections and vice versa, implying that inspections are only effective if there is sufficient delay between defect arrival and consequent failure. The effect of varying the mixing parameter can also be observed in this table.

6 CONCLUSION

In this paper, a hybrid maintenance policy for items from a heterogeneous population is proposed. A limited number of maintenance models for these kinds of items have been developed to date. In particular, we consider items that arise from a mixture of two sub-populations. The first sub-population represents weak or low-quality items (or possibly poor installation of items), the second stronger, more long-lived items. The concepts of delay-time in inspection maintenance and age-based replacement in preventive maintenance are combined in a hybrid policy that mitigates early failures of weak items and extends the age at preventive replacement of strong items. The behaviour of the policy is investigated for various values of the parameters of the underlying mixture and the costs of inspection, preventive replacement, and failure replacement. This behaviour is as might be anticipated: where the cost of failure is large or the proportion of weak items in the mixed population is large, regular inspection in early life is recommended.

The similarity of the model to combined burn-in-replacement policies is discussed. The hybrid maintenance policy can be generalized and extended. Hybrid inspection and block replacement policies may be developed in a similar manner, although the calculation of the long-run cost per unit time will be more difficult. Extensions to repairable systems could also be considered.

ACKNOWLEDGEMENTS

The work presented here was carried out during the visit of the second author to the University of Salford. This visit was supported by CAPES (the Brazilian National Mobility Programme), grant number 1045/07-5.

REFERENCES

Abraham, B. & Nair, N.U. 2000. On characterizing mixtures of some life distributions. Statistical Papers 42(3), 387–393.
Ascher, H. & Feingold, H. 1984. Repairable Systems Reliability. New York: Marcel Dekker.
Barlow, R.E. & Proschan, F. 1965. Mathematical Theory of Reliability. New York: Wiley.
Block, H.W., Savits, T.H. & Wondmagegnehu, E.T. 2003. Mixtures of distributions with increasing linear failure rate. Journal of Applied Probability 40(2), 485–504.
Cha, J.H., Lee, S. & Mi, J. 2004. Bounding the optimal burn-in time for a system with two types of failure. Naval Research Logistics 51(8), 1090–1101.
Christer, A.H. 1999. Developments in delay time analysis for modelling plant maintenance. Journal of the Operational Research Society 50(11), 1120–1137.
Christer, A.H. & Wang, W. 1995. A delay-time based maintenance model for a multi-component system. IMA Journal of Management Mathematics 6(2), 205–222.
Drapella, A. & Kosznik, S. 2002. A short communication combining preventive replacement and burn-in procedures. Quality and Reliability Engineering International 18(5), 423–427.
Finkelstein, M.S. 2002. On the shape of the mean residual lifetime function. Applied Stochastic Models in Business and Industry 18(2), 135–146.
Finkelstein, M.S. 2004. Minimal repair in heterogeneous populations. Journal of Applied Probability 41(1), 281–286.
Finkelstein, M.S. & Esaulova, V. 2001a. On an inverse problem in mixture failure rates modelling. Applied Stochastic Models in Business and Industry 17(2), 221–229.
Finkelstein, M.S. & Esaulova, V. 2001b. Why the mixture failure rate decreases. Reliability Engineering and System Safety 71(2), 173–177.
Glaser, R.E. 1980. Bathtub and related failure rate characterizations. Journal of the American Statistical Association 75(371), 667–672.
Gupta, P.L. & Gupta, R.C. 1996. Ageing characteristics of the Weibull mixtures. Probability in the Engineering and Informational Sciences 10(4), 591–600.
Jiang, R. & Murthy, D.N.P. 1995. Modeling failure-data by mixture of 2 Weibull distributions: a graphical approach. IEEE Transactions on Reliability 44(3), 477–488.
Jiang, R. & Murthy, D.N.P. 1998. Mixtures of Weibull distributions: parametric characterization of failure rate function. Applied Stochastic Models and Data Analysis 14(1), 47–65.
Jiang, R. & Jardine, A.K.S. 2007. An optimal burn-in preventive-replacement model associated with a mixture distribution. Quality and Reliability Engineering International 23(1), 83–93.
Murthy, D.N.P. & Maxwell, M.R. 1981. Optimal age replacement policies for items from a mixture. IEEE Transactions on Reliability 30(2), 169–170.
Nakagawa, T. 2005. Maintenance Theory of Reliability. London: Springer.
Scarf, P.A., Dwight, R. & Al-Musrati, A. 2005. On reliability criteria and the implied cost of failure for a maintained component. Reliability Engineering and System Safety 89(2), 199–207.
Valdez-Flores, C. & Feldman, R.M. 1989. A survey of preventive maintenance models for stochastically deteriorating single-unit systems. Naval Research Logistics 36(4), 419–446.
Wang, W. & Christer, A.H. 2003. Solution algorithms for a nonhomogeneous multi-component inspection model. Computers & Operations Research 30(1), 19–34.
M.D. Pandey
Department of Civil Engineering, University of Waterloo, Waterloo, Canada
ABSTRACT: This paper investigates the reliability of a structure that suffers damage due to shocks arriving randomly in time. The damage process is cumulative: a sum of random damage increments due to shocks. In structural engineering, failure is typically defined as the event in which the structure's resistance, reduced by deterioration, drops below the threshold resistance that is necessary for the functioning of the structure. The paper models the degradation as a compound point process and formulates a probabilistic approach to compute the time-dependent reliability of the structure. Analytical expressions are derived for the costs associated with various condition- and age-based maintenance policies. Examples are presented to illustrate the computation of the discounted life-cycle cost associated with different maintenance policies.
structure. This paper investigates the reliability of a structure that suffers damage due to shocks arriving randomly in time. The degradation is assumed to be the cumulative sum of random damage increments due to shocks. In fact we consider a more general version of the shock model considered in Ito et al. (2005). The paper models degradation as a compound point process and formulates a probabilistic approach to compute the time-dependent reliability of the structure. Analytical expressions are derived for the costs associated with various condition- and age-based maintenance policies. Simpler expressions are obtained in the case of the shock process being a Poisson process. Examples are presented to illustrate the computation of the life-cycle cost associated with different maintenance policies.

This paper is organized as follows. In section 2, we present a general model of the stochastic degradation process. Section 3 describes a mathematical framework to evaluate the total maintenance cost of a system over a defined planning period. Three types of maintenance policies are given in section 4, and specific results are derived for the non-homogeneous Poisson process and illustrative examples are included. Conclusions are presented in section 5.

The probability that exactly j shocks have arrived by time t is denoted

$$H_j(t) = P(N(t) = j), \tag{1}$$

and the expected number of shocks as

$$R(t) = E(N(t)). \tag{2}$$

The probability that the jth shock occurs at a time $S_j$ during (0, t] is given as

$$F_j(t) = P(S_j \le t) = P(N(t) \ge j) = \sum_{i=j}^{\infty} H_i(t). \tag{3}$$

Consider that the jth shock causes damage of a random amount $Y_j$, and it is assumed that the damage increments $Y_1, Y_2, \dots$ are iid with the distribution function given as

$$G(x) = P(Y_1 \le x). \tag{4}$$

It is also assumed that the damage increments $Y_j$ and the shock process N are independent. Since damage is additive, the total damage Z(t) at time t is given as

$$Z(t) = \sum_{j=1}^{N(t)} Y_j. \tag{5}$$

Using the total probability theorem and the independence of the sequence $Y_1, Y_2, \dots$ and N(t), we can write the distribution of the cumulative damage as

$$P(Z(t) \le x) = \sum_{j=0}^{\infty} P\Bigl(\sum_{i=1}^{j} Y_i \le x,\ N(t) = j\Bigr). \tag{6}$$

The distribution of the sum of j damage increments is obtained by convolution of G(x), given as

$$G^{(j)}(x) = P(Y_1 + \cdots + Y_j \le x), \tag{7}$$

$$P(Z(t) \le x) = \sum_{j=0}^{\infty} H_j(t)\, G^{(j)}(x). \tag{9}$$

Substituting $H_0(t) = 1 - F_1(t)$ and $H_j(t) = F_j(t) - F_{j+1}(t)$, j ≥ 1, it can be written as

$$P(Z(t) \le x) = 1 + \sum_{j=1}^{\infty} \bigl[G^{(j)}(x) - G^{(j-1)}(x)\bigr] F_j(t). \tag{10}$$

Suppose that damage exceeding a limit $x_{cr}$ causes a structural failure; this equation can then be used to compute the reliability as $P(Z(t) \le x_{cr})$. This is a fundamental expression in the theory of the compound point process, which can be used to derive the probabilities of other events associated with a maintenance policy.
2.2 Condition-based maintenance

When the total damage Z(t) exceeds an unacceptable level K, it is referred to as the degradation failure of the structure. The failure prompts a corrective maintenance action (CM) involving the replacement or complete overhaul of the component (as-good-as-new repair). On the other hand, a preventive maintenance action (PM) is triggered when the total damage exceeds a maintenance threshold level k, k < K. For the sake of generality, it is also assumed that the component will be replaced after a certain age $T_0$, whichever

Denote the probabilities of these events by $\alpha_j = P(A_j)$, $\beta_j = P(A_j^{PM})$, $\gamma_j = P(A_j^{CM})$ and $\pi_j = P(B_j)$. We can express these probabilities in the distribution G as follows

$$\gamma_j = \alpha_j - \beta_j, \qquad \pi_j = 1 - \sum_{i=1}^{j} \alpha_i = G^{(j)}(k).$$

For any n ≥ 1, the collections $\{A_1, \dots, A_n, B_n\}$ and $\{A_1^{PM}, A_1^{CM}, \dots, A_n^{PM}, A_n^{CM}, B_n\}$ are both finite partitions of the sample space, so

$$N(t) = n \iff S_n \le t < S_{n+1}. \tag{13}$$

The total cost K(t) up to time t associated with this maintenance strategy is
A well-known result is that the long-term expected average cost C(T) per time unit is (Tijms 2003)

$$C(T) = \lim_{t \to \infty} \frac{1}{t} K(t) = \frac{E(C)}{E(T)}. \tag{15}$$

Consider exponential discounting with discount factor

$$D(t) = e^{-rt}, \tag{16}$$

where r > 0 is a given discount rate. Let K(t, r) denote the discounted cost over [0, t] of the given maintenance policy, which is given as

$$K(t, r) = \sum_{j=1}^{N(t)} e^{-rS_j}\, C_j\, \mathbf{1}_{\{S_j \le t\}}. \tag{17}$$

The long-term expected equivalent average cost per time unit is

$$C(T, r) = \lim_{t \to \infty} r\, E\bigl(K(t, r)\bigr) = \frac{r\, E(C e^{-rT})}{1 - E(e^{-rT})}, \tag{18}$$

see Weide et al. (2008).

3.2 Key results

In order to derive the cost rate using Eq. (15) or (18), a number of probability terms and expectations have to be evaluated. This section summarizes such expressions, whereas their derivations are presented in the Appendix.

There are three possible ways for the renewal of the structure at time T: preventive replacement when Z(T) = k, replacement when the age exceeds $T_0$, or complete failure. The time interval between renewals, also referred to as the renewal cycle, is a random variable and its expected value is given as

$$E(T) = \sum_{j=0}^{\infty} \pi_j \int_{0}^{T_0} H_j(x)\,dx. \tag{19}$$

It follows immediately from Eq. (11) that the probability that a maintenance action is necessary before time $T_0$ equals

$$P_k = P(T < T_0) = 1 - \sum_{n=0}^{\infty} \pi_n H_n(T_0). \tag{20}$$

Let $P_K$ be the probability that we have to perform a corrective maintenance (CM) at time T:

$$P_K = \sum_{n=1}^{\infty} P\bigl(C = c_K;\ N(T_0) = n\bigr) = \sum_{n=1}^{\infty} \sum_{j=1}^{n} \gamma_j H_n(T_0) = \sum_{j=1}^{\infty} \gamma_j F_j(T_0). \tag{21}$$

The probability that at time $T_0$ the total damage is still below the managerial level k, so that the cost of the maintenance action is $c_{0T}$, is equal to

$$P(C = c_{0T}) = P(T = T_0) = 1 - P_k = 1 - \sum_{j=1}^{\infty} \alpha_j F_j(T_0). \tag{22}$$

It follows that

$$P(C = c_{0k}) = 1 - \bigl(P(C = c_K) + P(C = c_{0T})\bigr) = \sum_{j=1}^{\infty} \beta_j F_j(T_0). \tag{23}$$

For the expected cost of the first maintenance we get

$$E(C) = c_{0T}(1 - P_k) + c_{0k}(P_k - P_K) + c_K P_K = c_{0T} + \sum_{j=1}^{\infty} \bigl(c_K \gamma_j + c_{0k} \beta_j - c_{0T} \alpha_j\bigr) F_j(T_0). \tag{24}$$

If we assume $c_0 = c_{0k} = c_{0T}$ and $c_K = c_0 + \delta_K$, we obtain the simple expression

$$E(C) = c_0 + \delta_K P_K. \tag{25}$$

A general expression for the expected discounted cost in an interval T is derived, as shown in the Appendix, as

$$E(C e^{-rT}) = e^{-rT_0} \sum_{n=0}^{\infty} \bigl[c_0 + \delta_K C_n\bigr] H_n(T_0) + \sum_{n=1}^{\infty} \int_{0}^{T_0} \bigl(c_0 B_n + c_K C_n\bigr) H_n(x)\, r e^{-rx}\,dx, \tag{26}$$
where $B_n = \sum_{j=1}^{n} \beta_j$ and $C_n = \sum_{j=1}^{n} \gamma_j$. It follows that

$$E(C e^{-rT}) = e^{-rT_0} E(C) + r \sum_{n=1}^{\infty} \int_{0}^{T_0} \bigl(c_0 B_n + c_K C_n\bigr) H_n(x)\, e^{-rx}\,dx.$$

Taking C ≡ 1, the expected (discounted) length of the renewal cycle can be obtained as

$$E(e^{-rT}) = 1 - \sum_{n=0}^{\infty} \pi_n \int_{0}^{T_0} H_n(x)\, r e^{-rx}\,dx. \tag{27}$$

All the expressions derived above are completely general, without any specific assumptions about the form of the point process N that describes the random arrival of shocks in time, see section 2. Note that

$$\lim_{r \downarrow 0} C(T, r) = \lim_{r \downarrow 0} \frac{r\, E(C e^{-rT})}{1 - E(e^{-rT})} = \frac{E(C)}{E(T)} = C(T).$$

Since $A_1^{CM} = \{Y_1 > K\}$, $A_1^{PM} = \{Y_1 \le K\}$ and $A_n = \emptyset$ for all n ≥ 2, we get

$$E(C e^{-rT}) = c_0 \bigl(1 - I(T_0)\bigr) + \delta_K\, \bar{G}(K) \bigl[1 - e^{-rT_0} H_0(T_0) - I(T_0)\bigr],$$

where as usual $\bar{G}(K) = 1 - G(K)$. It follows that the long-term discounted value of the expected equivalent average cost rate is given by Eq. (18) as

$$C(T, r) = \frac{r c_0 \bigl(1 - I(T_0)\bigr)}{I(T_0)} + \frac{r\, \delta_K\, \bar{G}(K) \bigl[1 - e^{-rT_0} H_0(T_0) - I(T_0)\bigr]}{I(T_0)}.$$

4.2 Model 2

In this case k = K and $A_j^{PM} = \emptyset$, j ≥ 1, which leads to

$$E(e^{-rT}) = 1 - \sum_{j=0}^{\infty} G^{(j)}(K) \int_{0}^{T_0} H_j(x)\, r e^{-rx}\,dx,$$
5 POISSON SHOCK PROCESS

In this section we analyze the case in which the shock process N(t) is a non-homogeneous Poisson process (NHPP) with a continuous intensity function λ(t). If the intensity λ(t) ≡ λ is constant, then the Poisson

where Γ(a, x) denotes the upper incomplete gamma function

$$\Gamma(a, x) = \int_x^{\infty} t^{a-1} e^{-t}\,dt.$$
Figure 1. Plot of C(T0) and the asymptotic value for the case a = 2 and b = 2, c0 = 20, δK = 180, Ḡ(K) = 0.40. [Plot of C(T0) against T0 over 0 to 4, with the asymptotic value marked.]

Figure 2. Plot of C(T0, r) and the asymptotic value for the case a = 2 and b = 2, c0 = 20, δK = 180, Ḡ(K) = 0.40, r = 0.04. [Plot of C(T0, r) against T0 over 0 to 4, with the asymptotic value marked.]

$$\frac{E(C)}{E(T)} = \frac{c_0 + \delta_K\bar G(K)\big(1 - e^{-T_0^2}\big)}{\tfrac{\sqrt{\pi}}{2}\,\mathrm{erf}(T_0)} \;\to\; \frac{c_0 + \delta_K\bar G(K)}{\sqrt{\pi}/2},$$

Figure 1 contains a plot of the long-term expected average cost C(T0) per unit time as a function of T0.

It is interesting to see what happens if we consider discounting. Taking again a = b = 2, we get

$$I(T_0) = \frac{r\sqrt{\pi}}{2}\, e^{r^2/4}\Big(\mathrm{erf}\big(T_0 + r/2\big) - \mathrm{erf}\big(r/2\big)\Big),$$

and the long-term expected equivalent average cost per unit time is obtained by substituting I(T0) into the expression derived in Subsection 4.1. The limiting value as T0 → ∞ is

$$\int_0^{K}\big[1 - G(K - x)\big]\,dG^{(j-1)}(x)$$

can be simplified to $G^{(j-1)}(K) - G^{(j)}(K)$. So

$$\sum_{j=1}^{\infty}\frac{\Gamma(j) - \Gamma\!\big(j, \tfrac{a}{b}T_0^{\,b}\big)}{(j-1)!}\int_0^{K}\big[1 - G(K - x)\big]\,dG^{(j-1)}(x) = \sum_{j=1}^{\infty}\frac{\Gamma(j) - \Gamma\!\big(j, \tfrac{a}{b}T_0^{\,b}\big)}{(j-1)!}\Big(G^{(j-1)}(K) - G^{(j)}(K)\Big)$$

$$= \sum_{j=0}^{\infty}\Big[1 - \Big(\tfrac{a}{b}T_0^{\,b}\Big)^{j}\exp\!\Big(-\tfrac{a}{b}T_0^{\,b}\Big)\Big]\, G^{(j)}(K).$$

So, the long-term expected average cost C(T0, K) per unit time is
6 CONCLUSIONS

$$E\big[Ce^{-rT}; N(T_0) = n\big] = \sum_{j=1}^{n} c_{0k}\beta_j\, E\big[e^{-rS_j}; N(T_0) = n\big] + \sum_{j=1}^{n} c_K\gamma_j\, E\big[e^{-rS_j}; N(T_0) = n\big]$$

we get

$$h_n = e^{-rT_0}H_n(T_0) + \int_0^{T_0} H_n(x)\, r e^{-rx}\,dx.$$

If we substitute this last expression in (33) we get, after interchanging the order of summation,
If c0 = c0T = c0k and cK = c0 + δK, this formula simplifies to

$$E[Ce^{-rT}] = e^{-rT_0}\sum_{n=0}^{\infty}(c_0 + \delta_K C_n)\,H_n(T_0) + \sum_{n=1}^{\infty}\int_0^{T_0}(c_{0k}B_n + c_K C_n)\,H_n(x)\, r e^{-rx}\,dx, \tag{35}$$

which is the same as formula (26). Substituting C ≡ 1 in (34) and noting that

$$\sum_{n=1}^{\infty}\int_0^{T_0} H_n(x)\, r e^{-rx}\,dx = \int_0^{T_0}\big(1 - H_0(x)\big)\, r e^{-rx}\,dx = 1 - e^{-rT_0} - \int_0^{T_0} H_0(x)\, r e^{-rx}\,dx,$$

we get formula (27)

$$E[e^{-rT}] = e^{-rT_0} + \sum_{n=1}^{\infty}(1 - \pi_n)\int_0^{T_0} H_n(x)\, r e^{-rx}\,dx = 1 - \sum_{n=0}^{\infty}\pi_n\int_0^{T_0} H_n(x)\, r e^{-rx}\,dx. \tag{36}$$

Differentiating with respect to r followed by substitution of r = 0 yields

$$E[T] = \sum_{n=0}^{\infty}\pi_n\int_0^{T_0} H_n(x)\,dx,$$

REFERENCES

[1] Barlow, R.E. and Proschan, F., 1965. Mathematical Theory of Reliability. Wiley, New York.
[2] Cox, D.R., 1962. Renewal Theory. Methuen, London.
[3] Dekker, R., 1996. Applications of Maintenance Optimization Models: A Review and Analysis. Reliability Engineering and System Safety, 51: 229–240.
[4] Feller, W., 1957. An Introduction to Probability Theory and Its Applications, 3rd edn. Wiley, New York.
[5] Ito, K., Qian, C.H. and Nakagawa, T., 2005. Optimal preventive maintenance policies for a shock model with given damage level. Journal of Quality in Maintenance, 11(3): 216–227.
[6] Mercer, A. and Smith, C.S., 1959. A Random Walk in Which the Steps Occur Randomly in Time. Biometrika, 46: 30–55.
[7] Nakagawa, T., 2005. Maintenance Theory of Reliability. Springer Series in Reliability Engineering. London: Springer.
[8] Nakagawa, T. and Mizutani, S., 2007. A Summary of Maintenance Policies for a Finite Interval. Reliability Engineering and System Safety.
[9] Smith, W.L., 1958. Renewal Theory and Its Ramifications. Journal of the Royal Statistical Society, Series B (Methodological), 20(2): 243–302.
[10] Tijms, H.C., 2003. A First Course in Stochastic Models. John Wiley and Sons, New York, NY.
[11] Weide, J.A.M. van der, Suyono and Noortwijk, J.M. van, 2008. Renewal theory with exponential and hyperbolic discounting. Probability in the Engineering and Information Sciences, 22(1): 53–74.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
R. Mullor
Dpto. Estadística e Investigación Operativa, Universidad Alicante, Spain
S. Martorell
Dpto. Ingeniería Química y Nuclear, Universidad Politécnica Valencia, Spain
ABSTRACT: A large number of studies have been published in the last decade in the field of RAM+C based optimization considering uncertainties. They have demonstrated that the inclusion of uncertainties in the optimization gives the decision maker insight into how uncertain the RAM+C results are and how this uncertainty matters, as it can result in differences in the outcome of the decision-making process. In the literature several methods of uncertainty propagation have been proposed. In this context, the objective of this paper is to assess how the choice of the uncertainty distribution of the input parameters may affect the output results.
2 RELIABILITY AND COST MODELS

As established in the introduction, the objective of this paper is the maintenance optimization of safety-related equipment, based on reliability and cost criteria, and considering uncertainty in the equipment reliability characteristics and in the maintenance effectiveness.

In this context, the objective of this section is to present the expressions of the objective functions, averaged reliability and cost, as functions of the decision variables (maintenance intervals), reliability model parameters and maintenance effectiveness. Two models of failure distribution, Weibull and linear, and two imperfect maintenance models, PAS (Proportional Age Set-Back) and PAR (Proportional Age Reduction), are considered.

2.1 Reliability function

The general expressions of the reliability function associated with the linear and Weibull failure distributions, respectively, are given by:

$$R(w) = \exp\Big(-\frac{\alpha}{2}\, w^2\Big) \tag{1}$$

$$R(w) = \exp\Big(-\Big(\frac{w}{\eta}\Big)^{\beta}\Big) \tag{2}$$

where w is the age of the component, which depends on the imperfect maintenance model selected, α is the linear aging rate, and β and η are the shape factor and the characteristic time which represents the time scale, respectively.

To take imperfect maintenance into consideration, the expressions of the PAS and PAR models described in (Martorell et al., 1999) are used. These expressions are the following:

$$w = t - \sum_{k=0}^{m-1}(1-\varepsilon)^{k}\,\varepsilon\,\tau_{m-k-1} \tag{3}$$

$$w = t - \varepsilon\,\tau_{m-1} \tag{4}$$

where t is the chronological time, ε the maintenance effectiveness, which ranges in the interval [0, 1], τ the time between two maintenance activities and m the number of maintenance tasks executed in a period L. Assuming that the period between maintenance activities is constant and equal to M, Eqns (3) and (4) simplify to:

$$w = t - mM + \frac{M}{\varepsilon} \tag{5}$$

$$w = t\,(1-\varepsilon) + \frac{M\varepsilon}{2} \tag{6}$$

Now, substituting Eqns (5) and (6) into Eqns (1) and (2), the reliability functions of the PAS and PAR models are obtained as continuous functions of time. Thus, the expressions corresponding to the PAS approach considering linear and Weibull distributions are given by Eqns (7) and (8):

$$R(t) = \exp\Big(-\frac{\alpha}{2}\Big(t - mM + \frac{M}{\varepsilon}\Big)^{2}\Big) \tag{7}$$

$$R(t) = \exp\Bigg(-\Bigg(\frac{t - mM + \frac{M}{\varepsilon}}{\eta}\Bigg)^{\beta}\Bigg) \tag{8}$$

Following the same reasoning, if the PAR approach is considered the expressions corresponding to the reliability function are given by Eqns (9) and (10) for linear and Weibull distributions, respectively.

$$R(t) = \exp\Big(-\frac{\alpha}{2}\Big(t\,(1-\varepsilon) + \frac{M\varepsilon}{2}\Big)^{2}\Big) \tag{9}$$

$$R(t) = \exp\Bigg(-\Bigg(\frac{t\,(1-\varepsilon) + \frac{M\varepsilon}{2}}{\eta}\Bigg)^{\beta}\Bigg) \tag{10}$$

Using Eqns (7) to (10) the averaged reliability function can be obtained as:

$$R = \frac{1}{L}\int_0^{L} R(t)\,\partial t \tag{11}$$

where R(t) is obtained from Eqns (9) and (10).

2.2 Cost function

The relevant costs in analyzing maintenance optimization of safety-related equipment include the cost of performing preventive and corrective maintenance and the cost associated with replacing the component (Martorell et al., 2002). The following expressions are used to quantify these costs:

$$c_m = 8760\cdot\frac{c_{ma}}{M} \tag{12}$$

$$c_c = 8760\cdot\frac{1}{M}\,\big(\rho + h^{*}M\big)\,c_{ca} \tag{13}$$

$$c_o = 8760\cdot\frac{c_{oa}}{L} \tag{14}$$

where the term cm represents the yearly cost contribution from performing preventive maintenance
on the component over a one-year period, cc represents the yearly cost contribution from performing corrective maintenance and co is the overhaul cost that represents the yearly cost associated with replacing the component with periodicity L. In addition, the parameters cma and cca represent the cost associated with conducting each preventive and corrective maintenance action, respectively, coa represents the total cost of replacing the component, and ρ is the cyclic or per-demand failure probability. For the PAS model, the average hazard function h* is obtained considering the linear and Weibull distributions, which gives the following expressions:

$$h^{*} = \frac{M\alpha\,(2-\varepsilon)}{2\varepsilon} \tag{15}$$

$$h^{*} = \frac{M^{\beta-1}}{(\varepsilon\eta)^{\beta}}\Big(1 - (1-\varepsilon)^{\beta}\Big) \tag{16}$$

If the PAR model is considered, the expressions of the averaged hazard function are given by:

$$h^{*} = \frac{\alpha}{2}\big(\varepsilon M + L\,(1-\varepsilon)\big) \tag{17}$$

Finally, the global cost of the equipment C can be derived by summing up the corresponding cost contributions of the relevant components using Eqns (12) to (14).

3 MULTI-OBJECTIVE OPTIMIZATION PROCEDURE

A Multiobjective Optimization Problem (MOP) considers a set of decision variables x, a set of objective functions f(x) and a set of constraints g(x) based on decision criteria. In our problem, the MOP consists in determining the maintenance intervals, over the replacement period, on each component of the equipment, which maximize the equipment reliability, R, while minimizing its cost, C, subject to restrictions generated by an initial solution (Ci, Ri), usually determined by the values of the current maintenance intervals implemented in the plant.

Applying the so-called weighted sum strategy, the multiobjective problem of minimizing the vector of objective functions is converted into a scalar problem by constructing a weighted sum of all the objective functions. In particular, if we have two objective functions the MOP can be expressed as:

$$\min\ \ e(C) + (1 - \ )\, e(R), \qquad \text{subject to: } R \ge R_r;\ C \le C_r \tag{19}$$

that is, the minimization of convex combinations of both efficiency functions with a weighting coefficient, where e(C) and e(R) are the efficiency of each feasible solution, which can be evaluated as:

$$e(C) = \frac{C - C_r}{C_r - C_o} \tag{20}$$

$$e(R) = \frac{R_r - R}{R_o - R_r} \tag{21}$$

The point (Cr, R0) is obtained by maximizing the equipment reliability with the cost function evaluated at its initial value, Ci, acting as a restriction, and (C0, Rr) is the result of taking as objective function the equipment cost, which must be minimized while keeping the reliability function greater than its initial value, Ri.

The problem of optimization of the maintenance considering reliability and cost criteria has been solved using Sequential Quadratic Programming (SQP) (Biggs, 1975).

The problem to tackle in this section is how to bound the uncertainty present in the optimum values of the objective functions. In the uncertainty analysis, N sets of input parameters x = (x1, x2, ..., xN) containing variables are selected randomly. After N runs with fluctuating inputs, using a crude Monte Carlo sampling, we obtain N randomly varying output vectors which carry information on the fluctuating input.

The statistical evaluation of the output parameters is based on the distribution-free tolerance limits elaborated by Wilks (Wilks, 1941) and extended by Guba (Guba et al., 2003).

We assume the output comprises p dependent variables. Carrying out N runs, we get a sample matrix Y = [yij] where column j corresponds to the result obtained in the j-th sampling for the p variables. Using this matrix the appropriate intervals [Li, Ui]γ/β can be obtained, that is, the construction of p pairs of random variables Li(y1, y2, ..., yN) and Ui(y1, y2, ..., yN), i = 1, 2, ..., p, such that

$$P\Big(\int_{L_1}^{U_1}\cdots\int_{L_p}^{U_p} g(y_1, \ldots, y_p)\,\partial y_1 \ldots \partial y_p > \gamma\Big) = \beta \tag{22}$$
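As an added worked example (not code from the paper), the following Python evaluates the yearly cost contributions of Eqns (12) to (14) with the average hazard functions of Eqns (15) to (17), and the averaged reliability of Eqn (11) applied to the PAR linear model of Eqn (9). The reliability and cost data are those later given in Tables 2 and 3 of the application case (actuator: Weibull/PAS; valve: linear/PAR). The maintenance interval M and replacement period L (both in hours), the per-demand failure probability ρ and the function names are assumptions of the example.

```python
"""Yearly cost (Eqs. 12-17) and averaged reliability (Eqs. 9, 11) of the
actuator/valve equipment. Added worked example: M, L and rho are constructed
values; the reliability and cost data follow Tables 2 and 3 of the paper."""
from math import exp

HOURS_PER_YEAR = 8760  # the factor used in Eqs. (12)-(14)


def h_star_pas_linear(M: float, alpha: float, eps: float) -> float:
    """Eq. (15): average hazard, PAS model, linear failure distribution."""
    return M * alpha * (2.0 - eps) / (2.0 * eps)


def h_star_pas_weibull(M: float, beta: float, eta: float, eps: float) -> float:
    """Eq. (16): average hazard, PAS model, Weibull failure distribution."""
    return M ** (beta - 1.0) * (1.0 - (1.0 - eps) ** beta) / (eps * eta) ** beta


def h_star_par_linear(M: float, L: float, alpha: float, eps: float) -> float:
    """Eq. (17): average hazard, PAR model, linear failure distribution."""
    return 0.5 * alpha * (eps * M + L * (1.0 - eps))


def yearly_costs(M, L, rho, h_star, cma, cca, coa):
    """Eqs. (12)-(14): preventive, corrective and overhaul contributions per year."""
    cm = HOURS_PER_YEAR * cma / M
    cc = HOURS_PER_YEAR * (rho + h_star * M) * cca /M
    co = HOURS_PER_YEAR * coa / L
    return cm, cc, co


def averaged_reliability_par_linear(M, L, alpha, eps, steps=4000):
    """Eq. (11) applied to Eq. (9): mean of R(t) over one replacement period L,
    by the trapezoidal rule (R(t) has no elementary antiderivative)."""
    def R(t):
        w = t * (1.0 - eps) + M * eps / 2.0  # Eq. (6): PAR age with constant M
        return exp(-0.5 * alpha * w * w)      # Eq. (1)/(9): linear aging
    dt = L / steps
    area = 0.5 * (R(0.0) + R(L)) + sum(R(k * dt) for k in range(1, steps))
    return area * dt / L


def equipment_cost(M_a: float, M_v: float, L: float, rho: float) -> float:
    """Global yearly cost C: actuator (Weibull/PAS, Table 2) plus valve (linear/PAR)."""
    h_a = h_star_pas_weibull(M_a, beta=7.4708, eta=15400.0, eps=0.8482)
    h_v = h_star_par_linear(M_v, L, alpha=1.54e-9, eps=0.7584)
    cost_a = sum(yearly_costs(M_a, L, rho, h_a, cma=300.0, cca=3120.0, coa=1900.0))
    cost_v = sum(yearly_costs(M_v, L, rho, h_v, cma=800.0, cca=3120.0, coa=3600.0))
    return cost_a + cost_v


if __name__ == "__main__":
    # Constructed decision variables: M = 1000 h for both components,
    # L = 10 years (87600 h), rho = 1e-3 per demand.
    L_hours = 10 * HOURS_PER_YEAR
    for M in (500.0, 1000.0, 2000.0, 4000.0):
        print(M, round(equipment_cost(M, M, L_hours, 1e-3), 2),
              round(averaged_reliability_par_linear(M, L_hours, 1.54e-9, 0.7584), 4))
```

The loop shows the trade-off the MOP of Section 3 optimizes: widening M lowers the preventive contribution cm (Eq. 12) while the averaged reliability of the valve falls through the larger PAR age of Eq. (6).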
Since the probability of coverage depends on the unknown joint density function of the outputs g(y1, ..., yp), it is necessary to use a procedure such that the probability β is independent of the joint distribution function of the output variables.

The generalized version of this method, known as the truncated sample range, consists in taking L as the greatest of the r smallest values in the sample and U as the smallest of the r largest values; that is, let y(1), y(2), ..., y(N) be the sample values of y arranged in order of increasing magnitude, then the tolerance interval [L, U] is taken as [y(r), y(N − r + 1)] such that the coverage/confidence pair is achieved. Coverage (γ) measures the proportion of the distribution included in the random interval [L, U], while confidence (β) is the confidence level.

In this work we use the non-truncated version where r = 1, so the tolerance interval becomes [y(1), y(N)], the minimum and maximum values in the sample, respectively, so that the coverage/confidence levels achieved depend only on the sample size N. This version consists of arranging all the rows in the sample matrix in order of increasing magnitude of the first row and selecting y1(1) as L1 and y1(N) as U1. Then the first and last columns are removed from the arranged sample matrix, which is arranged again, now in order of increasing magnitude of the second row. From this updated sample matrix we choose y2(1) as L2 and y2(N − 2) as U2; then the first and last columns of this matrix are removed to continue selecting tolerance limits for the next variables. We continue this embedding procedure to the last row of the sample matrix and define the p-dimensional volume

$$V_p = [L_1, U_1]\cdot[L_2, U_2]\cdots[L_p, U_p] \tag{23}$$

which achieves Eq. (22) depending only on the sample size N.

Now it is necessary to find the sample size N which achieves the previously selected coverage/confidence levels, since achieving these levels depends only on the selected sample size. The relation between the coverage/confidence levels and the sample size can be evaluated as:

$$\beta = \sum_{j=0}^{N-kp}\binom{N}{j}\,\gamma^{j}\,(1-\gamma)^{N-j} \tag{24}$$

where γ and β are the coverage/confidence pair, N the sample size sought, k the number of limits for the tolerance intervals (k = 1, 2 for one- or two-sided confidence levels) and p the number of objective functions comprised in the output. Then the confidence level is the value, at N − kp, of the distribution function of a binomial random variable with sample size N and success probability γ, the coverage level.

Table 1. Number of runs to obtain tolerance intervals for k·p at γ/β levels.

γ       k·p    β = 0.90    β = 0.95    β = 0.99
0.90    1      22          29          44
0.90    2      38          46          64
0.90    3      52          61          81
0.90    4      65          76          97
0.95    1      45          59          90
0.95    2      77          93          130
0.95    3      105         124         165
0.95    4      132         153         198
0.99    1      230         299         459
0.99    2      388         473         662
0.99    3      531         628         838
0.99    4      667         773         1001

Table 1 shows the number of runs needed to determine tolerance intervals for some usual coverage/confidence pairs.

5 APPLICATION CASE

The application case is focused on the optimization process of the preventive maintenance associated with motor-operated safety valves of a Nuclear Power Plant. The equipment consists of two main components (actuator (A) and valve (V)) in serial configuration. Reliability (α, β and η) and maintenance effectiveness (ε) parameters have been previously estimated using the Maximum Likelihood Estimation (MLE) method. So, the problem considers how the uncertainty associated with the reliability and maintenance effectiveness parameters affects the maintenance optimization process based on system reliability and cost (R+C) criteria.

Table 2 shows the probability distribution, the imperfect maintenance model and the reliability data for the actuator and valve necessary to quantify the equipment reliability. These values represent mean values obtained in the estimation process. In addition, the single cost data necessary to quantify the yearly equipment cost are shown in Table 3.

Additionally, maximum likelihood estimators have the property of being asymptotically distributed. Thus, it is possible to obtain the joint distribution of the parameters, which is given by:

$$(\beta, \eta, \varepsilon_A, \alpha, \varepsilon_V) \sim N(\mu, \mathbf{C}) \tag{25}$$

where μ is the mean vector and C the variance-covariance matrix. By using the MLE method the following values are obtained:
Table 2. Reliability data.

                 Actuator    Valve
Distribution     Weibull     Linear
IM* model        PAS         PAR
ε                0.8482      0.7584
α                –           1.54E-9
β                7.4708      –
η                15400       –

Table 3. Single cost data for actuator and valve.

Component    cca [€]    cma [€]    coa [€]
Actuator     3120       300        1900
Valve        3120       800        3600

$$\mu = \begin{pmatrix} 7.4707 \\ 15397 \\ 0.8482 \\ 1.73\times 10^{-9} \\ 0.7584 \end{pmatrix} \tag{26}$$

and

$$\mathbf{C} = \begin{pmatrix}
0.1572 & -5.5646 & -1.6944\times 10^{-3} & 0 & 0 \\
-5.5646 & 4.0808\times 10^{4} & -2.3730 & 0 & 0 \\
-1.6944\times 10^{-3} & -2.3730 & 2.2587\times 10^{-4} & 0 & 0 \\
0 & 0 & 0 & 2.7619\times 10^{-20} & 2.9647\times 10^{-12} \\
0 & 0 & 0 & 2.9647\times 10^{-12} & 8.4261\times 10^{-4}
\end{pmatrix} \tag{27}$$

The optimization process is performed under reliability and cost criteria y = {R, C}, and the maintenance intervals for each component act as decision variables. The equipment reliability and associated cost have been quantified using the analytical models previously introduced. A Sequential Quadratic Programming (SQP) method is used as the optimization algorithm (Biggs, 1975).

Both the equipment reliability and cost functions are considered deterministic in the sense that when all necessary input data for the model are specified they provide only one value for every output. However, as the inputs of the equipment reliability and cost models fluctuate according to a distribution law reflecting the uncertainty in the parameters, the equipment reliability and cost will fluctuate in repeated runs. In this case a multivariate normal distribution whose parameters are given by Eqns (25) and (27) is used to characterize the uncertainty.

Following the distribution-free tolerance intervals approach discussed in Section 4 to address uncertainty, Wilks' equation results in 153 runs to achieve levels of 0.95/0.95 for coverage/confidence in two-sided intervals for two outputs. After arranging the rows of the sample matrix of runs, the first and the last value of each output is selected as its lower and upper tolerance limit, after the removal of columns explained above, obtaining in this way 0.95/0.95 coverage/confidence limits for all solutions obtained in the optimization process, which constitute upper and lower tolerance limits to the Pareto front. Figures 1 and 2 show the tolerance limits obtained for reliability and cost values, respectively.

Now we analyze the influence on the tolerance limits of considering that the reliability and maintenance effectiveness parameters are normally distributed but assuming they are not dependent, that is:

$$\beta \sim N(7.4707,\ 0.1572)$$

$$\eta \sim N(15397,\ 40808)$$

$$\varepsilon_A \sim N(0.8482,\ 2.2587\times 10^{-4})$$

$$\alpha \sim N(1.7343\times 10^{-9},\ 2.7619\times 10^{-20})$$

$$\varepsilon_V \sim N(0.7584,\ 8.4261\times 10^{-4})$$

The values associated with the mean and the standard deviation of the normal distributions are obtained from the mean vector and variance-covariance matrix given by Eqs. (25) and (27). Figures 3 and 4 show the results obtained in the optimization process for reliability and cost functions, respectively.

Figure 1. R-C plot of uncertain results considering dependency and parameters normally distributed (tolerance limits for cost function). [Plot of reliability R, 0.858 to 0.861, against cost C, 3000 to 3600.]
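As an added worked example (not code from the paper), the following Python reproduces Eq. (24) and the non-truncated (r = 1) embedded procedure of Section 4: `wilks_sample_size` finds the smallest N for a given γ/β pair and k·p, and so regenerates the entries of Table 1 and the 153 runs quoted above (k = 2, p = 2); `embedded_tolerance_limits` applies the column-removal procedure to a sample matrix with one row per output and one column per run. The function names and the constructed p × N sample are assumptions of the example; the paper does not publish its run matrix.

```python
"""Wilks sample size (Eq. 24) and the non-truncated embedded tolerance-interval
procedure of Section 4. Added worked example; function names are assumed here."""
from math import comb
from typing import List, Sequence, Tuple


def wilks_confidence(n: int, gamma: float, kp: int) -> float:
    """Confidence beta reached by N = n runs for coverage gamma and k*p limits.

    Eq. (24) sums the binomial(N, gamma) mass for j = 0 .. N-kp.  The same value
    is 1 minus the upper tail j = N-kp+1 .. N, which has only kp terms, so it is
    cheaper and numerically cleaner; i = N - j counts the runs outside coverage.
    """
    if n < kp:
        return 0.0
    tail = sum(comb(n, i) * (1.0 - gamma) ** i * gamma ** (n - i) for i in range(kp))
    return 1.0 - tail


def wilks_sample_size(gamma: float, beta: float, kp: int) -> int:
    """Smallest N such that the confidence of Eq. (24) is at least beta."""
    n = kp
    while wilks_confidence(n, gamma, kp) < beta:
        n += 1
    return n


def table1_row(gamma: float, kp: int) -> Tuple[int, int, int]:
    """Number of runs for beta = 0.90, 0.95, 0.99, as tabulated in Table 1."""
    return tuple(wilks_sample_size(gamma, b, kp) for b in (0.90, 0.95, 0.99))


def embedded_tolerance_limits(
    sample: Sequence[Sequence[float]],
) -> List[Tuple[float, float]]:
    """Non-truncated (r = 1) embedded procedure from Section 4.

    `sample` has one row per output variable (p rows) and one column per run
    (N columns).  For output i the remaining runs are ordered by row i, the
    smallest and largest values become (L_i, U_i), and those two runs are then
    dropped before the next row is processed.  Requires N >= 2 * p.
    """
    p = len(sample)
    n = len(sample[0])
    if any(len(row) != n for row in sample):
        raise ValueError("all rows of the sample matrix must have N entries")
    # One tuple per run (column) so that the rows stay aligned while re-sorting.
    runs = [tuple(sample[i][j] for i in range(p)) for j in range(n)]
    limits: List[Tuple[float, float]] = []
    for i in range(p):
        if len(runs) < 2:
            raise ValueError("fewer than two runs left for output %d" % (i + 1))
        runs.sort(key=lambda run: run[i])
        limits.append((runs[0][i], runs[-1][i]))
        runs = runs[1:-1]  # remove the first and last columns of the arranged matrix
    return limits


if __name__ == "__main__":
    for gamma in (0.90, 0.95, 0.99):
        for kp in (1, 2, 3, 4):
            print(gamma, kp, table1_row(gamma, kp))
    # Constructed sample: p = 2 outputs (R, C) over N = 6 runs.
    sample_rc = [
        [0.859, 0.861, 0.858, 0.860, 0.8595, 0.8605],
        [3200.0, 3400.0, 3100.0, 3300.0, 3250.0, 3350.0],
    ]
    print(embedded_tolerance_limits(sample_rc))
```

In the constructed sample the run with the largest cost (3400) is the same run that carries the largest reliability, so it is removed when the first row is processed and the cost limit U2 becomes 3350 rather than the global maximum; this is the effect of the embedding that makes Eq. (23) hold with the sample size of Eq. (24).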
Figure 2. R-C plot of uncertain results considering dependency and parameters normally distributed (tolerance limits for reliability function).

Figure 5. R-C plot of uncertain results considering independency and parameters uniformly distributed (tolerance limits for cost function).
6 CONCLUDING REMARKS

This paper presents an analysis of the results obtained in the preventive maintenance interval optimization of safety-related equipment based on reliability and cost criteria, considering that the reliability and maintenance effectiveness parameters are random variables which introduce uncertainty into the decision-making process.

So, how the input parameter distributions affect the output results is analyzed. Thus, different input parameter distributions and independence or dependence among parameters were considered. The application case shows that the effect on the tolerance intervals of the type of distribution of the parameters is not significant. However, significant differences are observed when dependence or independence among the parameters is considered.

ACKNOWLEDGMENTS

The authors are grateful to the Spanish Ministry of Education and Science for the financial support of this work in the framework of the Research Project Ref. ENE2006-15464-C02-01, which has partial financial support from the FEDER funds of the European Union.

REFERENCES

Biggs MC. Constrained minimization using recursive quadratic programming. Towards Global Optimization, North-Holland 1975: 341–349.
Bunea C, Bedford T. The effect of model uncertainty on maintenance optimization. IEEE Transactions on Reliability 2002; 51(4): 486–493.
Gill PE, Murray W, Wright MH. Practical Optimization. London: Academic Press 1981.
Guba A, Makai M, Pal L. Statistical aspects of best estimation method-I. Reliability Engineering & System Safety 2003; 80: 217–232.
Malik MAK. Reliable preventive maintenance scheduling. AIIE Transactions 1979; 11: 221–228.
Marseguerra M, Zio E, Podofillini L. Optimal reliability/availability of uncertain systems via multi-objective genetic algorithms. IEEE Transactions on Reliability 2004; 53(3): 424–434.
Martorell S, Sanchez A, Carlos S, Serradell V. A tolerance interval based approach to address uncertainty for RAMS+C optimization. Reliability Engineering & System Safety 2007; 92: 408–422.
Martorell S, Sanchez A, Carlos S, Serradell V. Age-dependent reliability model considering effects of maintenance and working conditions. Reliability Engineering & System Safety 1999; 64: 19–31.
Martorell S, Sanchez A, Carlos S, Serradell V. Simultaneous and multi-criteria optimization of TS requirements and maintenance at NPPs. Annals of Nuclear Energy 2002; 29(2): 147–168.
Nutt WT, Wallis GB. Evaluation of nuclear safety from the outputs of computer codes in the presence of uncertainties. Reliability Engineering & System Safety 2004; 83: 57–77.
Rocco CM, Miller AJ, Moreno JA, Carrasquero N, Medina M. Sensitivity and uncertainty analysis in optimization programs using an evolutionary approach: a maintenance application. Reliability Engineering & System Safety 2000; 67(3): 249–256.
Sanchez A, Martinez-Alzamora N, Mullor R, Martorell S. Motor-operated valve maintenance optimization considering multiple failure modes and imperfect maintenance models. Proceedings of ESREL 2007.
Wald A. Setting of tolerance limits when the sample is large. Annals of Mathematical Statistics 1942; 13: 389–399.
Wilks SS. Determination of the sample size for setting tolerance limits. Annals of Mathematical Statistics 1941; 12: 91–96.
T. Niezgoda
Military University of Technology
ABSTRACT: Forecasting the reliability and life of aeronautical hardware requires recognition of the many and various destructive processes that deteriorate its health/maintenance status. The aging of the technical components of an aircraft as an armament system is of outstanding significance to the reliability and safety of the whole system. The aging process is usually induced by many and various factors, mechanical, biological, climatic or chemical, to mention a few. Aging is an irreversible process and considerably affects (i.e. reduces) the reliability and life of aeronautical equipment.

For the items representing the first group one can predict the instant of time when the diagnostic parameter's boundary condition occurs. One can also predict the time instant of the item's safe shut-down and then plan appropriate maintenance actions to be carried out.

where: ΔXi = absolute value of the deviation of the diagnostic parameter from the nominal value; Xi = current value of the i-th parameter; Xinom = nominal value of the i-th parameter.

3. Any item of the aeronautical equipment is serviceable (fit for use) if the following dependence occurs:
To be clearer, the following terms (notations) have been introduced:

where: zi = absolute value of the deviation of the diagnostic parameter from the nominal value; zi^g = absolute value of the boundary deviation of the diagnostic parameter from the nominal value.

Equation (3) can therefore be written in the following form:

$$z_i \le z_i^{g} \tag{6}$$

4. Values of changes in diagnostic parameters grow randomly.

5. Changes in diagnostic parameters accepted for the assessment of the health/maintenance status of individual items of aeronautical equipment are independent random variables, i.e. a change in any of these parameters does not result in any change in the values of the other parameters.

6. The method has been dedicated to some selected items of aeronautical equipment, namely those for which the rate of change of the diagnostic parameters can be described by the following dependence:

$$\frac{dz_i}{dt} = C \tag{7}$$

where: C = operating-conditions dependent random variable; t = calendar time.

The dynamics of changes in the values of deviations of the assumed diagnostic parameters, if approached randomly, is described by a difference equation. One arbitrarily chosen parameter zi has been accepted for analysis. The difference equation for the assumptions made takes the form (Tomaszek 2001):

$$U_{z_i,\, t+\Delta t} = P\, U_{z_i - \Delta z_i,\, t} \tag{8}$$

where: U_{zi,t} = probability that at the instant of time t the deviation of a diagnostic parameter takes the value zi; P = probability that the value of the deviation increases by Δzi within the time interval Δt.

Equation (8) takes the following form if function notation is used:

$$u(z_i, t + \Delta t) = u(z_i - \Delta z_i, t) \tag{9}$$

where: u(zi, t) = time-dependent density function of changes in the diagnostic parameter.

Equation (9) is now rearranged to take the form of a partial differential equation of the Fokker-Planck type:

Since C is a random variable, an average value of this variable is introduced. It has the form:

$$E[C] = \int_{C_d}^{C_g} C\, f(c)\,dc \tag{11}$$

where: f(c) = density function of the random variable C; Cg, Cd = upper and lower values of the random variable C.

Taking account of equation (11) while considering formula (10), the following dependence is arrived at:

$$\frac{\partial u(z_i, t)}{\partial t} = -b\,\frac{\partial u(z_i, t)}{\partial z_i} + \frac{1}{2}\, a\,\frac{\partial^2 u(z_i, t)}{\partial z_i^{2}} \tag{12}$$

where: b = E[C], the average increment of the value of the deviation of the diagnostic parameter per time unit; a = E[C²], the mean square increment of the value of the deviation of the diagnostic parameter per time unit.

We need to find a partial solution of equation (12), one that at t → 0 converges to the so-called Dirac function: u(zi, t) → 0 for zi ≠ 0, but in such a way that the integral of the function u(zi, t) equals unity for all t > 0. This solution takes the form:

$$u(z_i, t) = \frac{1}{\sqrt{2\pi A(t)}}\; e^{-\frac{(z_i - B(t))^{2}}{2A(t)}} \tag{13}$$

where:

$$A(t) = \int_0^{t} a\,dt = at, \qquad B(t) = \int_0^{t} b\,dt = bt$$

Function (13) is a probabilistic characteristic of the changes of the diagnostic parameter due to the effects of aging processes, the rate of which can be determined with equation (7). The density function of changes in the value of the diagnostic parameter can be used directly to estimate the reliability and life of an aeronautical device whose health/maintenance status is estimated with this parameter. Applying the density function of changes in the values of the diagnostic parameter to determine the distribution of the time of exceeding the boundary condition is a good example of such a solution. The probability of exceeding the boundary value by
the diagnostic parameter can be presented using the density function of changes in the diagnostic parameter (Tomaszek 2001):

$$Q(t, z_i^{g}) = \int_{z_i^{g}}^{\infty}\frac{1}{\sqrt{2\pi a t}}\; e^{-\frac{(z_i - bt)^{2}}{2at}}\,dz \tag{14}$$

To determine the density function of the time of exceeding the admissible value of the deviation zi^g for the first time one should use the following dependence:

$$f(t) = \frac{\partial}{\partial t}\, Q(t, z_i^{g}) \tag{15}$$

Substituting equation (14) into equation (15) gives:

$$f(t) = \frac{\partial}{\partial t}\int_{z_i^{g}}^{\infty}\frac{1}{\sqrt{2\pi a t}}\; e^{-\frac{(z_i - bt)^{2}}{2at}}\,dz \tag{16}$$

dependence (20):

$$\sigma^{2} = \int_0^{\infty} t^{2} f(t)_{z_i^{g}}\,dt - \big(E[T]\big)^{2} \tag{20}$$

Hence

$$\sigma^{2} = \frac{a z_i^{g} + b\,(z_i^{g})^{2}}{b^{3}} + \frac{5a^{2}}{4b^{4}} - \frac{(z_i^{g})^{2}}{2b^{2}} \tag{21}$$

The presented method of determining the distribution of the time of exceeding the boundary condition by the diagnostic parameter allows finding the density function of the time of reaching the boundary state. On the basis thereof one can determine the reliability of a given item of aeronautical equipment, the health/maintenance status of which is estimated by means of the diagnostic parameter under consideration:

$$R(t) = 1 - \int_0^{t} f(t)_{z_i^{g}}\,dt \tag{22}$$
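As an added worked example (not the paper's code), the following Python carries the chain of equations (14), (15) and (22) through numerically: Q(t, zi^g) is the upper tail of the normal density (13) with mean bt and variance at, evaluated in closed form with the complementary error function; f(t) is its time derivative by finite difference; and R(t) integrates f by the trapezoidal rule. The values of a, b and zi^g used below and the function names are assumptions of the example.

```python
"""Time-to-boundary reliability of a drifting diagnostic parameter, Eqs. (14)-(16)
and (22). Added worked example; parameter values and names are assumed here."""
from math import erfc, sqrt


def exceedance_probability(t: float, z_g: float, a: float, b: float) -> float:
    """Eq. (14): Q(t, z_g) = P(z_i(t) > z_g) where z_i(t) ~ N(b t, a t), Eq. (13).

    The upper tail of a normal density is (1/2) erfc((z_g - bt) / sqrt(2 a t)),
    so the integral over [z_g, inf) needs no numerical quadrature.
    """
    if t <= 0.0:
        return 0.0  # at t = 0 the deviation is 0 < z_g: boundary not exceeded
    return 0.5 * erfc((z_g - b * t) / sqrt(2.0 * a * t))


def exceedance_density(t: float, z_g: float, a: float, b: float,
                       h: float = 1e-5) -> float:
    """Eq. (15)/(16): f(t) = dQ/dt, by a central difference (one-sided at t = 0)."""
    lo = max(t - h, 0.0)
    q_hi = exceedance_probability(t + h, z_g, a, b)
    q_lo = exceedance_probability(lo, z_g, a, b)
    return (q_hi - q_lo) / (t + h - lo)


def reliability(t: float, z_g: float, a: float, b: float,
                steps: int = 2000) -> float:
    """Eq. (22): R(t) = 1 - integral_0^t f(s) ds, by the trapezoidal rule."""
    if t <= 0.0:
        return 1.0
    dt = t / steps
    prev = exceedance_density(0.0, z_g, a, b)
    area = 0.0
    for k in range(1, steps + 1):
        cur = exceedance_density(k * dt, z_g, a, b)
        area += 0.5 * (prev + cur) * dt
        prev = cur
    return 1.0 - area


if __name__ == "__main__":
    # Constructed values: drift b = 1 unit/month, diffusion a = 1 unit^2/month,
    # boundary deviation z_g = 5 units. At t = z_g / b the parameter sits on the
    # boundary on average, so Q = 0.5 and R = 0.5.
    for month in (2, 5, 8, 12):
        print(month,
              round(exceedance_probability(month, 5.0, 1.0, 1.0), 4),
              round(reliability(month, 5.0, 1.0, 1.0), 4))
```

Because Q(0) = 0, integrating f from 0 to t returns Q(t), so Eq. (22) reduces to R(t) = 1 − Q(t, zi^g); the numerical integration reproduces this to within the discretisation error, which is the check a practitioner would run before fitting a and b to recorded parameter histories as in the application below.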
in the course of operating them. A maximum likelihood method was used in order to estimate the parameters a and b in equation (17). Gained with the hitherto

condition by values of the diagnostic parameter f(t)

and the reliability function R(t). They are shown in

Figure 1. Characteristic curves of the changes in capacitance values for storage batteries 12-SAM-28. [Plot of capacitance Q [Ah], 18 to 28, against service life t [months], 0 to 25, with curves labelled 596, 525, 112, 180, 574, 170, 159, 330, 280 and 109.]

[Table fragment, rows 4 to 10; column headings not recovered:]
4     112    41.19    23.47
5     525    50.71    32.17
6     170    47.8     30.38
7     159    26.13    10.61
8     330    23.73    6.98
9     280    29.12    12.32
10    596    20.85    5.7

[Figure: density f(t), 0 to 0.06, against service life t [months], 0 to 100, for storage batteries 12-SAM-28, with curves labelled 596, 280, 330, 159, 170, 525, 112, 180, 574 and 109.]

throughout the operational phase thereof. Determination of how the values of diagnostic parameters and deviations thereof increase enables determination of the time interval within which a given item remains fit for use (serviceable).

The dependence for the rate of change of the value of the diagnostic parameter, i.e. equation (7), is of primary significance in this method. The method will not change substantially if other forms of this dependence (i.e. equation (7)) are used. These different forms may result in changes of the coefficients in the Fokker-Planck equation (10), which in turn will result in changes of the dependences for both the average value and the variance of the density function of changes of the diagnostic parameter. The method also offers a capability of describing aging and wear-and-tear processes within a multi-dimensional system. The above-presented method allows:
• estimation of reliability and life of some selected REFERENCES
items of aeronautical equipment on the grounds of
diagnostic parameters recorded in the process of Jaźwiński, J. & Żurek J. 2007. Wybrane problemy sterowania
operating them, zapasami. Radom.
• verification of the process of operating some Tomaszek, H. & Wróblewski, M. 2001. Podstawy oceny
selected items of aeronautical equipment to main- efektywnosci eksploatacji systemów uzbrojenia lot-
niczego. Warszawa.
tain the required level of reliability between partic- Żurek, J. 2006. Żywotność śmiglowców. Warszawa.
ular checks. Żurek, J. & Tomaszek, H. 2005. Zarys metody oceny
The way of proceeding suggested in the method niezawodności statku powietrznego z uwzglednieniem
under examination can be adopted for specific char- uszkodzeń sygnalizowanych i katastroficznych (naglych).
Warszawa.
acteristics of aging and wear-and-tear processes
that affect various items of aeronautical equipment
throughout operational phase thereof.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
J. Clavareau
Université Libre de Bruxelles (U.L.B), Service de métrologie Nucléaire, Belgium
Grant F.R.I.A, Belgium
P.E. Labeau
Université Libre de Bruxelles (U.L.B), Service de métrologie Nucléaire, Belgium
ABSTRACT: All systems are subject to aging. When a component is aging, its overall performance decreases. In order to reduce the effect of aging on a system, preventive maintenance actions can be performed. Yet the rejuvenation of a unit that can be achieved thanks to these interventions is most of the time not total, and does not correspond to the classical as-good-as-new assumption. Imperfect maintenance models have been proposed in the literature in order to embody the partial efficiency of preventive actions. This paper reviews the approaches that are available in the literature to model imperfect maintenance. It also proposes to extend and modify some of them, in order to obtain a simple and mathematically exploitable model, associated with a more realistic time-dependent behavior of the component than that corresponding to the application of previous imperfect maintenance models.
Brown & Proschan 1983 envisaged a repair model in which a repair is minimal (As Bad As Old, ABAO) with a probability p and degraded with a probability 1 − p. Minimal repair means that the failure rate after repair is the same as before the failure. The degradation of the component considered is an increase of the failure rate. With a constant failure rate between failures, this model leads to a piecewise increasing failure rate in time. A variant of this model for preventive maintenance can be deduced from there: in this preventive maintenance model, the preventive intervention is AGAN (As Good As New) with a probability p and ABAO with a probability 1 − p.

Generally, imperfect preventive maintenance models can be divided into two classes (Doyen & Gaudoin 2004) depending on whether the maintenance actions affect the failure rate (Nakagawa 1986, Nakagawa 1988, Zequeira & Bérenguer 2006) or the effective age (Canfield 1986, Kijima 1988, Malik 1979, Martorell et al., 1999) of the component. We can also cite a hybrid model (Lin et al., 2000) in which the maintenance actions reduce the value of both the failure rate and the effective age. Obviously the value of the failure rate is determined by the value of the effective age, so there is a direct link between the two classes. Yet we will see below that the maintenance effect modeled with one of the two classes is not straightforwardly obtained with the other one.

These works discuss ways of modeling the maintenance effects either in case of preventive maintenance (PM) or in case of corrective maintenance (CM). Here we will summarize the main formulations in the case of preventive maintenance with minimal repair (the component's state just after repair is the same as just before failure), which is equivalent to computing the distribution of the first failure. If repairs are not minimal, the intervention effect can be modeled exactly in the same way as the intervention effect of an imperfect preventive maintenance. In this work we will thus focus on the formulation where CM is minimal.

The distribution of the failure time is completely characterized by the conditional failure intensity defined by:

\forall t \ge 0,\quad \lambda_t = \lim_{dt \to 0} \frac{1}{dt}\, P(N_{t+dt} - N_t = 1 \mid H_t) \quad (1)

where H_t is the past history of the component, i.e. the set of all events having occurred before t, and N_t the number of failures observed up to time t. For the sake of simplicity, we will use the expression ‘‘failure rate’’ instead of ‘‘conditional failure rate’’ in the sequel of the text.

All the above cited references assume that the initial failure rate (i.e. the failure rate before any maintenance action) is strictly increasing. The initial failure rate is then most of the time given by a Weibull-like behavior:

\lambda(t) = \frac{\beta}{\alpha}\left(\frac{t}{\alpha}\right)^{\beta-1}. \quad (2)

where α is the scale parameter (in time units) and β is the shape parameter of the distribution.

2.1 Review of failure rate impact models

2.1.1 Arithmetic Reduction of Intensity (ARI) model

Following Doyen & Gaudoin 2004, we will define the Arithmetic Reduction of Intensity (ARI) as follows: the failure rate after maintenance is taken equal to the failure rate before maintenance, minus a given quantity. We can distinguish three particular cases:

– The reduction is a fraction of the augmentation of the failure rate since the last maintenance. We have, immediately after the M-th PM intervention:

\lambda^+_{T_M} = \lambda^-_{T_M} - \rho\left(\lambda^-_{T_M} - \lambda^+_{T_{M-1}}\right). \quad (3)

where ρ is the efficiency of the maintenance, between 0 and 1, T_M is the time of the M-th PM action, λ^-_{T_M} the value of the failure rate just before the maintenance and λ^+_{T_M} the value of the failure rate just after the maintenance.

This model is called ARI_1 and gives the following failure rate at time t:

\lambda_t = \lambda(t) - \rho\,\lambda(T_{M_t}) \quad (4)

where M_t is the number of maintenance actions up to time t. We can see that the failure rate at time t is thus given by only one subtraction.

– The reduction is proportional to the global wear out before the maintenance. This model is called ARI_∞ and we have:

\lambda^+_{T_M} = \lambda^-_{T_M} - \rho\,\lambda^-_{T_M}. \quad (5)

Considering a constant time interval T_PM between two consecutive preventive maintenance actions and minimal repair in case of failure, the ARI_∞ model gives the following expression of the failure rate at time t:

\lambda_t = \lambda(t) - \rho \sum_{j=0}^{M_t-1} (1-\rho)^j\, \lambda\big((M_t - j)\,T_{PM}\big) \quad (6)

where M_t is the number of maintenance actions performed up to time t. The reduction is thus proportional to a potentially infinite sum, hence the name of the model.
– An intermediate case between the two previous ones can be considered. If we keep only the first m terms in the sum in (6), we have the ARI_m model:

\lambda_t = \lambda(t) - \rho \sum_{j=0}^{\min(m-1,\,M_t-1)} (1-\rho)^j\, \lambda\big((M_t - j)\,T_{PM}\big) \quad (7)

The ARI_1 and ARI_∞ models are then particular cases of the ARI_m model. In the ARI family of models, the value ρ = 0 means that the intervention is ABAO but, when ρ = 1, the intervention is not AGAN because the failure rate evolution with time is different from the evolution of the initial failure rate of the component. This behavior is at the same time an advantage and a drawback of the model: there is a part of the aging, related to the working time, that is unavoidable, but the replacement of a component is not included in the model of impact. Figure 1 below illustrates the behavior of different models including ARI_1 and ARI_∞ for a given initial failure rate. We can see that the ARI models result in a piecewise vertical translation of the failure rate value and hence keep the wear out trend.

Figure 1, below, gives an example of the resulting failure rate for different maintenance efficiency models, including the ARI_1 and ARI_∞ models.

2.1.2 Nakagawa model

Nakagawa 1986, 1988 gives a model where each PM resets the value of the failure rate to 0. But after a PM, the failure rate evolution is increased by an adjustment factor θ bigger than 1. We have:

\lambda^+_{T_M} = \theta^{M_t}\, \lambda(t - M_t\,T_{PM}) \quad (8)

This Nakagawa model assumes that the failure rate of a component after a PM action is a product of the adjustment factor and the failure rate before the action. The value of the adjustment factor is a measure of the PM quality. Indeed, if θ is equal to 1, the maintenance is AGAN. This model seems non-intuitive because, in a certain way, the PM action increases the failure rate. If the factor θ is intended to emphasize the fact that there is an irreversible part in the aging, it seems that θ must then depend on the working time. Indeed, in this situation, the higher the frequency of the PM, the higher the increase of the failure rate evolution, which is unexpected. Also, there is no ABAO possibility because the model always resets the failure rate to 0.

2.1.3 Maintainable and non-maintainable failure mode model

In Zequeira and Bérenguer 2006, the failure process is separated into two failure modes: the maintainable failure mode, with the failure rate λ(t), and the non-maintainable failure mode, with the failure rate h(t). They propose to take into account dependence between these two competing failure modes. The failure rate of the maintainable failure mode is the sum of the initial failure rate λ(t) plus a positive value p(t)h(t). They suppose that without imperfect PM the maintainable failure mode is AGAN and the non-maintainable failure mode remains unchanged. Under this model the failure rate of the component at time t is given by:

\lambda_t = h(t) + \lambda(t - M_t\,T_{PM}) + p(t - M_t\,T_{PM})\,h(t) \quad (9)

With this model, the efficiency of maintenance is decreasing with time.

In this model, there is no flexibility in the maintenance impact to adapt it to a specific type of maintenance action. The maintenance efficiency does not depend on the actions undertaken on the component, but only on the internal parameters, which are the maintainable and the non-maintainable failure rates, as well as the model of dependence between these two failure modes. It also seems difficult to determine the dependence function p(t) for practical cases.

2.2 Review of effective age impact models

In these models, the actual working time is replaced by an effective age, denoted τ_t, in the estimation of the failure rate at time t. The value of this effective age should represent the state of wear out of the component. The concept of effective age is sometimes also referred to as virtual age in the literature.

As for the failure rate model, following Doyen & Gaudoin 2004, we will define the Arithmetic Reduction of Age (ARA). In the ARA model, the effective age after maintenance results from a decrease of the effective age before the maintenance. We can also distinguish between an ARA_1 model, an ARA_∞ model and the general ARA_m model:

– ARA_1: the reduction of the effective age due to the intervention is proportional to the increase of age between two maintenance actions:

\tau^+_{T_M} = \tau^-_{T_M} - \rho\left(\tau^-_{T_M} - \tau^+_{T_{M-1}}\right), \quad (10)

with the efficiency ρ such that 0 ≤ ρ ≤ 1 and λ_t = λ(τ_t).

– ARA_∞: the reduction of the effective age due to the intervention is proportional to the age before maintenance:

\tau^+_{T_M} = \tau^-_{T_M} - \rho\,\tau^-_{T_M}, \quad (11)

with 0 ≤ ρ ≤ 1 and λ_t = λ(τ_t).
– ARA_m: by analogy with the ARI_m, with a constant maintenance time interval and a constant efficiency, we can define:

\tau_t = t - \rho \sum_{j=0}^{\min(m-1,\,M_t-1)} (1-\rho)^j\,(M_t - j)\,T_{PM} \quad (12)
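As an added illustration (not code from the paper), the following Python evaluates the ARI_m failure rate of eq. (7) and the ARA_m effective age of eq. (12) for the Weibull initial rate of eq. (2), with PMs at every multiple of T_PM, and also applies the recursive definitions (10) and (11) PM by PM to check that they reproduce the closed form (12). The function names and the convention M_t = ⌊t/T_PM⌋ are assumptions of this example.

```python
import math


def weibull_rate(t, alpha, beta):
    """Initial failure rate of eq. (2): (beta/alpha) * (t/alpha)**(beta-1); beta > 1 assumed."""
    if t <= 0.0:
        return 0.0
    return (beta / alpha) * (t / alpha) ** (beta - 1)


def pm_count(t, t_pm):
    """M_t: number of PM actions performed up to time t, with PMs at k*T_PM, k = 1, 2, ...
    (assumed convention: a PM at exactly t counts as already performed)."""
    return int(math.floor(t / t_pm + 1e-12))


def ari_rate(t, rho, m, t_pm, alpha, beta):
    """ARI_m failure rate of eq. (7). m=None gives ARI_inf (eq. 6); m=1 gives ARI_1 (eq. 4)."""
    M = pm_count(t, t_pm)
    n_terms = M if m is None else min(m, M)          # j = 0 .. min(m-1, M_t-1)
    reduction = sum((1.0 - rho) ** j * weibull_rate((M - j) * t_pm, alpha, beta)
                    for j in range(n_terms))
    return weibull_rate(t, alpha, beta) - rho * reduction


def ara_effective_age(t, rho, m, t_pm):
    """ARA_m effective age of eq. (12); m=None gives ARA_inf, m=1 gives ARA_1."""
    M = pm_count(t, t_pm)
    n_terms = M if m is None else min(m, M)
    return t - rho * t_pm * sum((1.0 - rho) ** j * (M - j) for j in range(n_terms))


def ara_rate(t, rho, m, t_pm, alpha, beta):
    """Failure rate under ARA: the initial rate evaluated at the effective age, lambda_t = lambda(tau_t)."""
    return weibull_rate(ara_effective_age(t, rho, m, t_pm), alpha, beta)


def ara_age_recursive(t, rho, m, t_pm):
    """Effective age obtained by applying eq. (10) (m=1) or eq. (11) (m=None) at every PM,
    letting the age grow 1:1 with working time in between; used to cross-check eq. (12)."""
    if m not in (1, None):
        raise ValueError("recursive form implemented for ARA_1 (m=1) and ARA_inf (m=None) only")
    tau_after = 0.0                        # tau^+ after the previous PM; 0 for a new component
    M = pm_count(t, t_pm)
    for _ in range(M):
        tau_before = tau_after + t_pm      # tau^-_{T_M} = tau^+_{T_{M-1}} + T_PM
        if m == 1:                         # eq. (10): remove a fraction of the age gained since the last PM
            tau_after = tau_before - rho * (tau_before - tau_after)
        else:                              # eq. (11): remove a fraction of the whole age
            tau_after = tau_before - rho * tau_before
    return tau_after + (t - M * t_pm)


if __name__ == "__main__":
    alpha, beta, t_pm, rho = 10.0, 2.5, 2.0, 0.5   # constructed parameters
    for t in (1.0, 3.0, 5.0, 7.0):
        print(f"t={t:4.1f}  initial={weibull_rate(t, alpha, beta):.4f}  "
              f"ARI1={ari_rate(t, rho, 1, t_pm, alpha, beta):.4f}  "
              f"ARIinf={ari_rate(t, rho, None, t_pm, alpha, beta):.4f}  "
              f"ARA1={ara_rate(t, rho, 1, t_pm, alpha, beta):.4f}  "
              f"ARAinf={ara_rate(t, rho, None, t_pm, alpha, beta):.4f}")
```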
In Samrout et al., 2008, the authors propose that a PM action reduces the effective age of the component by a reduction factor (such as in an ARA_∞ model) depending on the costs of the intervention. Percy and Kobbacy 2000 propose that the intensity function is given by κ(t) = κ_0(t) e^{γ^T x} for hazards following a PM and by λ(t) = λ_0(t) e^{ω^T y} for hazards following a CM, where t measures time since the most recent event and x is the vector of working state variables, which can possibly be modified by the maintenance actions.

3 MODEL EXTENSION

3.1 Bi-Weibull failure rate

The previously cited papers always consider strictly increasing failure rates in their applications. The latter follow a power law according to equation (2). This form is quite different from the bathtub curve usually agreed upon as the most realistic time-dependent evolution of the failure rates. After the ‘‘infant mortality’’ region, there is a possibly long period of life where the component's aging is limited, or even negligible, as long as the physical characteristics of the system under study are, or are maintained, within an acceptable range. Nonetheless the component is aging and at some point the aging process accelerates, and it is preferable to replace the component than to maintain it. To approach this behavior, we can use an initial failure rate that is constant in a first period of time, before being increased by an additional contribution following the power law:

\lambda(t) = \begin{cases} \lambda_0 & \text{if } t \le \nu \\ \lambda_0 + \frac{\beta}{\alpha}\left(\frac{t - \nu}{\alpha}\right)^{\beta-1} & \text{if } t > \nu \end{cases} \quad (17)

The corresponding cumulative distribution is given by the following bi-Weibull law:

F(t) = \begin{cases} 1 - e^{-\lambda_0 t} & \text{if } t \le \nu \\ 1 - e^{-\lambda_0 t - \left(\frac{t - \nu}{\alpha}\right)^{\beta}} & \text{if } t > \nu \end{cases} \quad (18)

Later, we will call λ_0 the constant failure rate and ν the location parameter.

3.2 Maintenance model

With this assumption of a constant failure rate on an initial period, the previous models of imperfect intervention are partly irrelevant, as they assume the aging has already started from the beginning of the component operation. Indeed, it would be meaningless to reduce this constant failure rate if no major change is made on the component. In the same way, in the Barlow and Proschan model of imperfect repair, there is no difference between the ABAO and the AGAN interventions before aging has started.

3.2.1 Location parameter impact model

Because the aim of the PM is to maintain the unit performance in an acceptable range, one can imagine that, before aging has started, the effect of a PM is to delay the wear-out onset of the component. We can model this delay by using, instead of an effective age, an effective location parameter in equations (17) and (18). The effect of a PM will then be to increase this effective location parameter. Two models can be proposed. In the first one the location parameter is incremented by an amount proportional to the maintenance period T_PM:

\nu^+_{T_M} = \nu^-_{T_M} + \rho\,T_{PM} \quad (19)

where the maintenance efficiency ρ is between 0 and 1. When ρ is equal to 0, the intervention is ABAO and when ρ is equal to 1, the intervention is AGAN. Equation (17) gives:

\nu^+_{T_M} = \nu_0 + \sum_{i=1}^{M} \rho\,T_{PM} = \nu_0 + M\rho\,T_{PM} \quad (20)

where ν_0 denotes the initial value of the location parameter.

In the second model, the location parameter is equal to the initial location parameter incremented by an amount proportional to the age of the component:

\nu^+_{T_M} = \nu_0 + \rho\,\tau^-_{T_M}. \quad (21)

If we suppose that repairs are minimal, we have τ^-_{T_M} = M T_PM and thus equation (21) is equivalent to equation (20).

We can also see that the model of equation (21) is equivalent in terms of failure probability to the ARA_∞ model. Indeed, if we compute the value τ^+_{T_M} − ν^+_{T_M}, because, in the model from equation (21), the age after maintenance, τ^+_{T_M}, is the same as the age before maintenance, τ^-_{T_M}, we have:

\tau^+_{T_M} - \nu^+_{T_M} = \tau^-_{T_M} - \rho\,\tau^-_{T_M} - \nu_0 \quad (22)

And the quantity τ^-_{T_M} − ρτ^-_{T_M} is equal to the effective age after intervention in the ARA_∞ model (equation (11)). Thus, when the effective age at time t, τ_t, is lower than the location parameter, the delay of the aging onset due to the imperfect PM can be symmetrically obtained by reducing the value of the effective age or by increasing the value of the location parameter.
3.2.2 Extended effective age model

We thus propose to use the effective age as a degradation criterion. Depending on the previous interventions, the effective age will give the global performance state of the component. With this assumption we only have one parameter describing the entire aging process of the component. Before any intervention on the component, its effective age is equal to its working time. The interventions can modify the value of the effective age and, between two consecutive interventions, in normal working conditions, it is assumed that the increase of the effective age is equal to the time between the two interventions.

In most of the works cited in the review of section 2, except Zequeira & Bérenguer 2006, Fouathia et al., 2005 and Clavareau and Labeau 2006, the maintenance action is characterized by a constant efficiency and a constant cost at each intervention, no matter what maintenance period is considered. With an effective age model, this leads to considering that the absolute effect of the maintenance is always higher when the maintenance time interval increases, but with no impact on the intervention cost. When we are trying to optimize the interval of maintenance, it seems illogical that the same intervention, with the same costs, can better restore the component only because the component is more aged.

The amount of effective age decrease after a PM intervention will obviously depend on the action undertaken during this intervention. We propose not to fix a priori the efficiency of the maintenance but to relax this assumption and let the maintenance effect vary as a function of the action undertaken in the maintenance interventions. We will have:

\tau^+_{T_M} = \tau^-_{T_M} - \delta_M \quad (23)

The amount of the decrease, δ_M, will characterize the effect of the M-th maintenance. The value of δ_M can be interpreted directly as the augmentation of the expected residual lifetime of the component due to the intervention. With this formalism, if δ_M is equal to 0, the intervention is ABAO; if δ_M is equal to τ^-_{T_M}, the maintenance is AGAN; if δ_M is lower than τ^-_{T_M}, it corresponds to an imperfect intervention; and possibly, if δ_M is greater than τ^-_{T_M}, the intervention is more than perfect.

Note that the ARA_1 and ARA_∞ models are particular cases of this more general model. In ARA_1, the maintenance effect δ_M is equal to ρT_PM, and, in ARA_∞, we have δ_M = ρτ^-_{T_M}.

In the case of the initial failure rate (15) we have a resulting conditional failure rate given by:

\lambda_t = \begin{cases} \lambda_0 & \text{if } \tau_t \le \nu \\ \lambda_0 + \frac{\beta}{\alpha}\left(\frac{\tau_t - \nu}{\alpha}\right)^{\beta-1} & \text{if } \tau_t > \nu \end{cases} \quad (24)

When the effective age at time t, τ_t, is lower than the location parameter, the failure rate of the component is constant and the maintenance can delay the start of the aging process. When the age is greater than the location parameter, relation (23) is mathematically still applicable, but its meaning is different. We have two different cases: if δ_M is greater than τ^-_{T_M} − ν, the aging of the component is stopped and the failure rate is again constant, decreased down to the value λ_0; if δ_M is lower than τ^-_{T_M} − ν, the aging of the component is not stopped and the failure rate is still increasing, but with a translation in time corresponding to δ_M.

With this model, the corresponding cumulative distribution at time t, after an intervention at time t_s, is:

F(\tau_t) = \begin{cases} 1 - e^{-\lambda_0 (t - t_s)} & \text{if } \tau_t \le \nu \\ 1 - e^{-\lambda_0 (t - t_s) - \left(\frac{\tau_t - \nu}{\alpha}\right)^{\beta}} & \text{if } \tau_t > \nu \text{ and } \tau_s^+ \le \nu \\ 1 - \dfrac{e^{-\lambda_0 (t - t_s) - \left(\frac{\tau_t - \nu}{\alpha}\right)^{\beta}}}{e^{-\left(\frac{\tau_s^+ - \nu}{\alpha}\right)^{\beta}}} & \text{if } \tau_s^+ > \nu \end{cases} \quad (25)

where τ_t = τ_s^+ + (t − t_s) is the effective age of the component at time t and τ_s^+ is the effective age just after the intervention.

3.2.3 Intervention Impact model

When a component ages, part of this aging cannot be rejuvenated unless a bigger cost is incurred. In practice, this model allows us to envisage that each maintenance operation may have a different impact. This impact should not be taken as constant. Moreover, we can assume, as Wu and Clements-Croome 2005, that δ_M is a random variable embodying the variability in the resulting state of the component. The value or the distribution of δ_M must also depend on the age of the component if the expected effect of a preventive maintenance is less and less efficient as the number of maintenance actions undergone by a component gets higher.

The model also allows considering a limited PM in order to maintain the initial working conditions and performances, and a more important PM with a better efficiency to recover the loss of performances due to degradation. The latter type of PM should be performed with a lower periodicity and it entails higher costs than the limited, usual one. With this point of view, the decision to replace a component is in competition with the decision to make or not a more important and costly maintenance with a large effect on the component state but with a higher risk of failure than the replacement.

Figures 2 and 3 illustrate the impact of this kind of mixed maintenance, for a component with an initial failure rate following (24) with λ_0 = 1/10 u.t.^{−1}, α = 10 u.t., β = 2.5, ν = 5 u.t.
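Added example, not code from the paper: Python implementing the extended effective age model of eqs. (23)–(25) with the parameter values of Figures 2 and 3 (λ_0 = 0.1, α = 10, β = 2.5, ν = 5). It classifies an intervention by its δ_M, reports whether aging is stopped or only translated in time, follows the effective age along a constructed schedule of interventions, and evaluates the conditional distribution (25) after an intervention.

```python
import math

# Parameter values of the paper's Figures 2 and 3 for eq. (24): lambda0 = 1/10, alpha = 10, beta = 2.5, nu = 5.
LAMBDA0, ALPHA, BETA, NU = 0.1, 10.0, 2.5, 5.0


def failure_rate(tau):
    """Eq. (24): constant lambda0 while the effective age is below the location parameter nu,
    then lambda0 plus the power-law contribution of the bi-Weibull law."""
    if tau <= NU:
        return LAMBDA0
    return LAMBDA0 + (BETA / ALPHA) * ((tau - NU) / ALPHA) ** (BETA - 1)


def apply_pm(tau_before, delta):
    """Eq. (23): tau^+ = tau^- - delta_M. Returns the effective age after the PM, the kind of
    intervention (ABAO / AGAN / imperfect / more than perfect) and whether aging is stopped,
    i.e. whether the rate is brought back to lambda0 (delta_M > tau^- - nu)."""
    tau_after = tau_before - delta
    if delta == 0.0:
        kind = "ABAO"
    elif math.isclose(delta, tau_before):
        kind = "AGAN"
    elif delta < tau_before:
        kind = "imperfect"
    else:
        kind = "more than perfect"
    aging_stopped = tau_before > NU and delta > tau_before - NU
    return tau_after, kind, aging_stopped


def effective_age(t, interventions):
    """Effective age at time t for a constructed schedule [(T_M, delta_M), ...] sorted by time:
    the age grows 1:1 with working time between interventions and drops by delta_M at each one."""
    tau, last = 0.0, 0.0
    for t_m, delta in interventions:
        if t_m > t:
            break
        tau += t_m - last
        tau, _, _ = apply_pm(tau, delta)
        last = t_m
    return tau + (t - last)


def conditional_cdf(t, t_s, tau_s_plus):
    """Eq. (25): distribution of the time to failure at time t >= t_s, given an intervention at t_s
    that left the component with effective age tau_s^+; tau_t = tau_s^+ + (t - t_s)."""
    tau_t = tau_s_plus + (t - t_s)
    exponent = -LAMBDA0 * (t - t_s)
    if tau_t > NU:
        exponent -= ((tau_t - NU) / ALPHA) ** BETA
        if tau_s_plus > NU:
            # third case of (25): the wear-out survival already consumed before t_s is divided out
            exponent += ((tau_s_plus - NU) / ALPHA) ** BETA
    return 1.0 - math.exp(exponent)


if __name__ == "__main__":
    # Constructed schedule: a limited PM at t=8 (delta=1, aging only translated) and a more
    # important PM at t=16 (delta=12, aging stopped and the rate back to lambda0).
    schedule = [(8.0, 1.0), (16.0, 12.0)]
    for t in (4.0, 8.0, 12.0, 16.0, 20.0):
        tau = effective_age(t, schedule)
        print(f"t={t:5.1f}  tau_t={tau:5.2f}  lambda_t={failure_rate(tau):.4f}")
    print(apply_pm(8.0, 1.0), apply_pm(16.0, 12.0))
    print(f"F(10 | PM at 8, tau_s+=4) = {conditional_cdf(10.0, 8.0, 4.0):.4f}")
```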
the action undertaken from one intervention to another
one. This variation seems natural when the working
time grows in order to keep the performances of the
system in an acceptable range.
The model is also suitable in the case where the
repairs are not minimal. In this case, each intervention,
including repairs, will affect the effective age.
costly maintenance resources. In order to model such a maintenance impact, we have to consider a bi-Weibull distribution for the failure times with a constant failure rate and an increasing part, starting after a certain useful life, which is lengthened via maintenance.

We also think that the maintenance intervention should not have a constant efficiency, but that these interventions act differently depending on which type of intervention is actually undertaken on the component. Consequently we propose to relax the common hypothesis of a maintenance effect proportional to a given quantity (the maintenance interval or the effective age before intervention in the most common cases). We think that this formulation allows us to investigate more realistic issues, such as the compromise between different interventions (possibly including a replacement) leading to different rejuvenation levels of the component's effective age but with different costs and constraints.

In conclusion, the proposed model is thought to be closer to the reality of the maintenance field. It allows more flexibility in the modeling, but it always keeps the assumption that the law parameters describing the failure rate are constant in time. Further work will investigate the possibility that the aging process is stopped but that it has degraded the component, resulting now in a higher constant failure rate λ_M.

Also, events in the environment of the component can affect its performances, hence the aging of the component. For example, the failure of another component in the production process can increase the failure probability of the component without causing an instantaneous failure. Other events, for example an overvoltage or a difference in the working temperature, can cause such a behavior. As we use the effective age as a global indicator of the component's state, one could think of modeling the effect of these events by an increase in the component's effective age.

REFERENCES

Canfield R.V., 1986, ‘‘Cost optimization of periodic preventive maintenance’’, IEEE Trans Reliab; 35:78–81.
Clavareau J. and Labeau P.E., 2006, ‘‘Maintenance and replacement policies under technological obsolescence’’, Proc. of ESREL’06. Estoril (Portugal); 499–506.
Doyen L., Gaudoin O., 2004, ‘‘Classes of imperfect repair models based on reduction of failure intensity or effective age’’, Rel. Engng. Syst. Safety; 84:45–56.
Fouathia O., Maun J.C., Labeau P.E., and Wiot D., 2005, ‘‘Cost-optimization model for the planning of the renewal, inspection, and maintenance of substation facilities in Belgian power transmission system’’, Proc. of ESREL 2005. Gdansk (Poland); 631–637.
Kijima M., Morimura H., Suzuki Y., 1988, ‘‘Periodical replacement problem without assuming minimal repair’’, Eur. J. Oper. Res; 37:194–203.
Kumar D. and Klefsjö B., 1994, ‘‘Proportional hazard model: a review’’, Rel. Engng. Syst. Safety; 44:177–88.
Lin D., Zuo M.J., Yam R.C.M., 2000, ‘‘General sequential imperfect preventive maintenance models’’, Int J Reliab Qual Saf Eng; 7:253–66.
Malik M.A.K., 1979, ‘‘Reliable preventive maintenance scheduling’’, AIEE Trans; 11:221–8.
Martorell S., Sanchez A., Serradell V., 1999, ‘‘Age-dependent reliability model considering effects of maintenance and working conditions’’, Rel. Engng. Syst. Safety; 64:19–31.
Nakagawa T., 1986, ‘‘Periodic and sequential preventive maintenance policies’’, J. Appl. Probab; 23:536–42.
Nakagawa T., 1988, ‘‘Sequential imperfect preventive maintenance policies’’, IEEE Trans Reliab; 37:295–8.
Percy D.F. and Kobbacy K.A.H., 2000, ‘‘Determining economical maintenance intervals’’, Int. J. Production Economics; 67:87–94.
Samrout M., Châtelet E., Kouta R., and Chebbo N., 2008, ‘‘Optimization of maintenance policy using the proportional hazard model’’, Rel. Engng. Syst. Safety; doi:10.1016/j.ress.2007.12.006.
Wu S., Clements-Croome D., 2005, ‘‘Preventive maintenance models with random maintenance quality’’, Rel. Engng. Syst. Safety; 90:99–105.
Zequeira R.I., Bérenguer C., 2006, ‘‘Periodic imperfect preventive maintenance with two categories of competing failure modes’’, Rel. Engng. Syst. Safety; 91:460–468.
I.T. Castro
University of Extremadura, Badajoz, Spain
ABSTRACT: Consider a system subject to two modes of failures: maintainable and non-maintainable. When-
ever the system fails, a minimal repair is performed. Preventive maintenances are performed at integer multiples
of a fixed period. The system is replaced when a fixed number of preventive maintenances have been completed.
The preventive maintenance is imperfect and the two failure modes are dependent. The problem is to determine
an optimal length between successive preventive maintenances and the optimal number of preventive mainte-
nances before the system replacement that minimize the expected cost rate. Optimal preventive maintenance
schedules are obtained for non-decreasing failure rates and numerical examples for power law models are given.
the effect of the wear-out of the system (due to the non-maintainable failures) on the occurrence of the maintainable failures. Practical applications of this model are shown in (Zequeira and Bérenguer 2006), where some examples of dependence between maintainable and non-maintainable failures are explained.

In this work, the preventive maintenance actions are performed at times kT, k = 1, 2, . . ., and the system is replaced whenever it reaches an age of NT after the last renewal. When the system fails, a minimal repair is performed. Costs are associated with the preventive maintenance actions, with the repairs and with the replacements. The objective is to determine an optimal length between preventive maintenances and the optimal number of preventive maintenances between replacements of the system.

2 FORMULATION

We consider a maintenance model where corrective and preventive maintenances take place according to the following scheme.

1. Before the first preventive maintenance, the maintainable failures arrive according to a non-homogeneous Poisson process (NHPP) {N_1(t), t ≥ 0} with intensity function r_{1,0}(t) and cumulative failure intensity function

H_1(t) = \int_0^t r_{1,0}(u)\,du, \quad t \ge 0.

A maintainable failure is corrected by a minimal repair with negligible repair time. We assume that r_{1,0}(t) is continuous, non-decreasing in t and zero for a new system, that is, r_{1,0}(0) = 0.

2. The non-maintainable failures arrive according to an NHPP {N_2(t), t ≥ 0} with intensity function r_2(t) and cumulative failure intensity function

H_2(t) = \int_0^t r_2(u)\,du, \quad t \ge 0.

A non-maintainable failure is corrected by a minimal repair and the repair time is negligible. We assume that r_2(t) is continuous and non-decreasing in t.

3. The system is preventively maintained at times kT, where k = 1, 2, . . . and T > 0. The preventive maintenance actions only reduce the failure rate of the maintainable failures; the failure rate of the non-maintainable failures remains undisturbed by the successive preventive maintenances.

4. The non-maintainable failures affect the failure rate of the maintainable failures in the following way. Denoting by r_{1,k}, k = 0, 1, 2, . . ., the failure rate of the maintainable failures in the interval [kT, (k + 1)T), r_{1,k} is given by

r_{1,k}(t) = r_{1,0}(t - kT)\,a^{N_2(kT)},

where a > 1.

5. The system is replaced at the N-th preventive maintenance after its installation. After a replacement, the system is ‘‘as good as new’’ and the replacement time is negligible.

6. The costs associated with the minimal repairs for maintainable and non-maintainable failures are C_1 and C_2 respectively. The cost of each preventive maintenance is C_m and the replacement cost is C_r (C_m < C_r). All costs are positive numbers.

The problem is to determine the optimal length between preventive maintenances and the total number of preventive maintenances before the system replacement. The optimization problem is formulated in terms of the expected cost rate.

From Assumptions 3 and 4, the preventive maintenance tasks are imperfect in a double sense. First, the preventive maintenance does not affect the failure rate of the non-maintainable failures. Second, the accumulated wear-out due to the non-maintainable failures affects the failure rate of the maintainable failures. This accumulated wear is not eliminated by preventive maintenance actions, and it is expressed through the constant a. If a = 1, non-maintainable failures and maintainable failures are independent.

From (2), after the successive preventive maintenances, the failure rate of the maintainable failures is stochastic and we shall use some results of the theory of doubly stochastic Poisson processes (DSPP). In a DSPP, the intensity of the occurrence of the events is influenced by an external process, called the information process, such that the intensity becomes a random process. An important property of the DSPP is the following. If {N(t), t ≥ 0} is a DSPP controlled by the process Λ(t), one obtains that

P[N(t) = n] = E\left[\frac{1}{n!}\,\Lambda(t)^n e^{-\Lambda(t)}\right], \quad n = 0, 1, 2, \dots \quad (3)

From (2), the random measure in t, where kT ≤ t < (k + 1)T and k = 0, 1, 2, . . ., is given by

\Lambda_k(t) = \int_{kT}^{t} r_{1,0}(u - kT)\,a^{N_2(kT)}\,du = a^{N_2(kT)}\,H_1(t - kT), \quad (4)

where H_1(t) denotes the cumulative failure intensity function of r_{1,0}(t).
Denoting by N_1(t) the number of maintainable failures in [0, t] and using (3) and (4), one obtains that

P[N_1((k+1)T) - N_1(kT) = n] = E\left[\frac{1}{n!}\left(a^{N_2(kT)} H_1(T)\right)^n \exp\left(-a^{N_2(kT)} H_1(T)\right)\right],

E[N_1(kT, (k+1)T)] = H_1(T)\,\exp\big((a-1)H_2(kT)\big). \quad (5)

We denote by C(T, N) the expected cost rate. From Assumption 6 and using Eq. (5), one obtains that

C(T, N) = \frac{C_1 H_1(T) \sum_{k=0}^{N-1} \exp\big((a-1)H_2(kT)\big)}{NT} + \frac{C_2 H_2(NT) + C_r + (N-1)C_m}{NT}, \quad (6)

where the numerator represents the expected cost between replacements of the system and the denominator the time between successive replacements of the system.

The problem is to find the values T and N that minimize the function C(T, N) given in (6). In other words, to find the values T_opt and N_opt such that

C(T_{opt}, N_{opt}) = \inf\{C(T, N),\ T > 0,\ N = 1, 2, 3, \dots\}. \quad (7)

Theorems 1 and 2 show the optimization problem in each variable. The proof of these results can be found in (Castro 2008).

Theorem 1.1 Let C(T, N) be the function given by (6). For fixed T > 0, the finite value of N that minimizes C(T, N) is obtained for N = N^T_{opt} given by

N^T_{opt} = \min_{N \ge 0}\{A(T, N) > C_r - C_m\}, \quad (8)

where A(T, N) is given by

A(T, N) = C_1 H_1(T)\left[N g_N(T) - \sum_{k=0}^{N-1} g_k(T)\right]

Theorem 1.2 Let C(T, N) be the function given by (6). When N is fixed, the value of T that minimizes C(T, N) is obtained for T = T^N_{opt}, where T^N_{opt} is the value that verifies

B(T^N_{opt}, N) = C_r + (N-1)C_m, \quad (10)

where B(T, N) is the function given by

B(T, N) = C_1 \sum_{k=0}^{N-1} g_k(T)\left[r_{1,0}(T)\,T - H_1(T)\right] + C_1 \sum_{k=0}^{N-1} g_k(T)\left\{H_1(T)(a-1)kT\,r_2(kT)\right\} + C_2\left(NT\,r_2(NT) - H_2(NT)\right). \quad (11)

If \lim_{t \to \infty} r_{1,0}(t) = \infty and \lim_{t \to \infty} r_2(t) = \infty, then T^N_{opt} < \infty.

In the optimization problem given in (7), the values T_opt and N_opt must satisfy the expressions (8) and (10). In general, one cannot obtain an explicit analytical solution for these equations and they have to be computed numerically. But one can reduce the search for the values N_opt and T_opt to a finite set of values of the variable N. For that, we use a result similar to Theorem 11 given in (Zhang and Jardine 1998), p. 1118. The result is the following.
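Added example, not the paper's code: Python evaluating the expected cost rate C(T, N) of eq. (6) for power-law intensities and finding T^N_opt by a bisection root search on B(T, N) − C_r − (N − 1)C_m (eqs. (10)–(11)), as the numerical section describes, then taking the minimum over a finite range of N. It takes g_k(T) = exp((a − 1)H_2(kT)) by identification with the sum in (6), which is an assumption since the page does not define g_k; the dependence constant a and the costs are constructed values (only C_m < C_r is required), while λ_1, β_1, λ_2, β_2 are the values of the numerical example.

```python
import math

# Power-law intensities r_i(t) = lambda_i*beta_i*(lambda_i t)^(beta_i-1), so H_i(t) = (lambda_i t)^beta_i,
# with the parameter values of the numerical section (lambda1=4, beta1=1.2, lambda2=0.2, beta2=1.2).
LAM1, BETA1 = 4.0, 1.2
LAM2, BETA2 = 0.2, 1.2
A = 1.05                                  # constructed dependence constant a > 1 (not stated on the page)
C1, C2, CM, CR = 1.0, 2.0, 25.0, 200.0    # constructed costs, respecting C_m < C_r


def r(t, lam, beta):
    return lam * beta * (lam * t) ** (beta - 1)


def H(t, lam, beta):
    return (lam * t) ** beta


def g(k, T):
    """Assumed g_k(T) = exp((a-1) H_2(kT)), identified with the k-th term of the sum in eq. (6)."""
    return math.exp((A - 1.0) * H(k * T, LAM2, BETA2))


def cost_rate(T, N):
    """Expected cost rate C(T, N) of eq. (6)."""
    s = sum(g(k, T) for k in range(N))
    numerator = C1 * H(T, LAM1, BETA1) * s + C2 * H(N * T, LAM2, BETA2) + CR + (N - 1) * CM
    return numerator / (N * T)


def B(T, N):
    """Function B(T, N) of eq. (11); T^N_opt solves B(T, N) = C_r + (N-1) C_m (eq. (10))."""
    h1 = H(T, LAM1, BETA1)
    s1 = sum(g(k, T) * (r(T, LAM1, BETA1) * T - h1) for k in range(N))
    s2 = sum(g(k, T) * h1 * (A - 1.0) * k * T * r(k * T, LAM2, BETA2) for k in range(N))
    return C1 * s1 + C1 * s2 + C2 * (N * T * r(N * T, LAM2, BETA2) - H(N * T, LAM2, BETA2))


def t_opt(N, lo=1e-3, tol=1e-10):
    """Root search for T^N_opt: bisection on f(T) = B(T, N) - C_r - (N-1) C_m. The sign of f is the
    sign of dC/dT, so the bracketed root is the minimiser of T -> C(T, N); B is increasing in T
    for beta_i > 1, so the root is unique."""
    target = CR + (N - 1) * CM
    f = lambda T: B(T, N) - target
    if f(lo) >= 0.0:
        raise ValueError("lower bracket is not below the root")
    hi = 1.0
    while f(hi) < 0.0:                    # expand the bracket geometrically (Theorem 1.2: the root is finite)
        hi *= 2.0
        if hi > 1e4:
            raise ValueError("no sign change found")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if f(mid) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def optimise(max_n):
    """Inner minimisation over T for each N = 1..max_n (eq. (7) restricted to a finite range of N).
    Returns (C(T_opt, N_opt), T_opt, N_opt)."""
    return min((cost_rate(t_opt(N), N), t_opt(N), N) for N in range(1, max_n + 1))


if __name__ == "__main__":
    for N in (1, 5, 10, 20):
        T = t_opt(N)
        print(f"N={N:2d}  T_opt^N={T:8.4f}  C(T_opt^N, N)={cost_rate(T, N):8.4f}")
    print("best:", optimise(30))
```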
Lemma 1.1 We denote by T ∗ the following the first preventive maintenance are given by
expression
4 NUMERICAL EXAMPLES To analyze the values Topt and Nopt that verify (7),
Figure 2 shows an enlargement of Figure 1 to clarify
We assume that the intensity functions of the processes the procedure of finding the values Topt and Nopt .
{N1 (t), t ≥ 0} and {N2 (t), t ≥ 0} follow a power law By inspection over these values, one obtains that
model with non-decreasing failure rates, that is, the optimal values for this range of values are Topt =
3.575 and Nopt = 10 with an expected cost rate of
ri (t) = λi βi (λi t)βi −1 , t ≥ 0, i = 1, 2, C(3.575, 10) = 51.281.
Using Lemma 1, one can reduce the search of the
where βi > 1. Let λ1 = 4, β1 = 1.2, λ2 = 0.2, optimal values T and N verifying (7) in a limited range
β2 = 1.2 be the parameters of the failure rates. Con- of values of N . We shall follow the following steps
sequently the failure intensities of the processes before
[Figure 1. Expected cost $C(T,N)$ versus $T$ for different values of $N$ ($N = 1, \ldots, 30$; $T$ from 0 to 40).]

[Figure 2. Expected cost $C(T,N)$ versus $T$ for different values of $N$ ($N = 4, \ldots, 16$; $T$ from 2 to 6; enlargement of Figure 1).]
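The cost rate (6) and the two-level search of (7) can be checked numerically with the power-law intensities just given. The following Python block is an added example, not the paper's code: it uses $H_i(t) = (\lambda_i t)^{\beta_i}$, the cumulative intensity of $r_i(t)$ above, and replaces the paper's root search on $B(T,N)$ by a golden-section minimisation of $C(T,N)$ in $T$ for each $N$. The cost constants $C_1$, $C_2$, $C_r$, $C_m$ and the dependence parameter $a$ are not given on this page and are assumed values.

```python
"""Expected cost rate C(T, N) of eq. (6) and the two-level search of (7).

Added example, not the paper's code. H_i(t) = (lambda_i t)^beta_i is the
cumulative intensity of the power-law r_i(t). The cost constants and the
dependence parameter a are assumed (not given on the page); the paper solves
B(T, N) = Cr + (N-1)Cm by root finding, replaced here by a golden-section
minimisation of C(T, N) in T."""
import math

PAPER = dict(lam1=4.0, beta1=1.2, lam2=0.2, beta2=1.2,
             c1=1.0, c2=5.0, cr=100.0, cm=25.0, a=1.5)   # costs and a: assumed


def cum_intensity(t, lam, beta):
    """H(t) = (lambda t)^beta, the integral of r(t) = lambda beta (lambda t)^(beta-1)."""
    return (lam * t) ** beta


def cost_rate(T, N, p):
    """Eq. (6): expected cost between replacements divided by the period N*T."""
    h1 = cum_intensity(T, p["lam1"], p["beta1"])
    # eq. (5) summed over the N intervals between preventive maintenances
    expected_type1 = sum(h1 * math.exp((p["a"] - 1.0) * cum_intensity(k * T, p["lam2"], p["beta2"]))
                         for k in range(N))
    numerator = (p["c1"] * expected_type1
                 + p["c2"] * cum_intensity(N * T, p["lam2"], p["beta2"])
                 + p["cr"] + (N - 1) * p["cm"])
    return numerator / (N * T)


def golden_min(f, lo, hi, tol=1e-7):
    """Golden-section search for the minimiser of a unimodal f on [lo, hi]."""
    phi = (math.sqrt(5.0) - 1.0) / 2.0
    x1, x2 = hi - phi * (hi - lo), lo + phi * (hi - lo)
    f1, f2 = f(x1), f(x2)
    while hi - lo > tol:
        if f1 < f2:
            hi, x2, f2 = x2, x1, f1
            x1 = hi - phi * (hi - lo)
            f1 = f(x1)
        else:
            lo, x1, f1 = x1, x2, f2
            x2 = lo + phi * (hi - lo)
            f2 = f(x2)
    return 0.5 * (lo + hi)


def best_T_for_N(N, p, t_max=40.0):
    """T_opt^N of Theorem 1.2 for fixed N (numerical stand-in for solving (10))."""
    return golden_min(lambda T: cost_rate(T, N, p), 1e-3, t_max)


def optimise(n_max, p):
    """Step 4 of the paper: min over 1 <= N <= n_max of min_T C(T, N); returns (T, N, cost)."""
    best = None
    for N in range(1, n_max + 1):
        T = best_T_for_N(N, p)
        c = cost_rate(T, N, p)
        if best is None or c < best[2]:
            best = (T, N, c)
    return best


if __name__ == "__main__":
    T, N, c = optimise(30, PAPER)
    print(f"T_opt = {T:.3f}, N_opt = {N}, C = {c:.3f}")
```

The golden-section step assumes $C(T,N)$ is unimodal in $T$ for each $N$, which holds when the cost grows without bound both as $T\to 0$ (the replacement cost $C_r$ is spread over a vanishing period) and as $T\to\infty$ (the exponential dependence term dominates); for other parameter sets a coarse grid over $T$ before the refinement is the safer choice.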
1. To find the value $T_{opt}^{12}$ that verifies (10). From (11), $T_{opt}^{12}$ verifies the equation
$$B(T_{opt}^{12}, 12) - C_r - 11C_m = 0.$$

2. To compute $T^*$:
$$T^* = \frac{C_m}{C(T_{opt}^{12}, 12)} = \frac{25}{51.3431} = 0.4869.$$

3. To find the value $N_{opt}^{0.4869}$ that verifies (8). For that, from Theorem 1.1 and Figure 3, we obtain by inspection that $N_{opt}^{0.4869} = 86$.

4. Finally, we have to find $T_{opt}$ and $N_{opt}$ that verify
$$\min_{1\le N\le 86}\Big\{\min_{T>0} C(T,N)\Big\} = C(T_{opt}, N_{opt}).$$
Figure 4 shows the values of $C(T_{opt}^N, N)$ for different values of $N$. The values $T_{opt}^N$ are obtained using a root search algorithm for the function $B(T,N)$ given by (11) and for the different values of $N$. By inspection, one obtains that the optimal values for the optimization problem are $T_{opt} = 3.575$ and $N_{opt} = 10$, with an expected cost rate of $C(3.575, 10) = 51.281$.

[Figure 3. Function $A(0.4869, N) - C_r + C_m$ versus $N$ ($N$ from 0 to 90).]

[Figure 4. $C(T_{opt}^N, N)$ versus $N$ ($N$ from 10 to 100).]

5 CONCLUSIONS

In a system with two modes of failures and successive preventive maintenance actions, we have studied the problem of finding the optimal length $T$ between successive preventive maintenances and the optimal number of preventive maintenances $N-1$ before the total replacement of the system. The two modes of failures are dependent and their classification depends on the reduction in the failure rate after the preventive maintenance actions. For fixed $T$, an optimal finite number of preventive maintenances before the total replacement of the system

ACKNOWLEDGEMENTS

This research was supported by the Ministerio de Educación y Ciencia, Spain, under grant MTM2006-01973.
REFERENCES

Ben-Daya, M., S. Duffuaa, and A. Raouf (2000). Maintenance, Modeling and Optimization. Kluwer Academic Publishers.
Castro, I.T. (2008). A model of imperfect preventive maintenance with dependent failure modes. European Journal of Operational Research, to appear.
Lin, D., J. Ming, and R. Yam (2001). Sequential imperfect preventive maintenance models with two categories of failure modes. Naval Research Logistics 48, 173–178.
Nakagawa, T. (2005). Maintenance Theory of Reliability. Springer-Verlag, London.
Osaki, S. (2002). Stochastic Models in Reliability and Maintenance. Springer-Verlag, Berlin.
Pham, H. (2003). Handbook of Reliability Engineering. Springer-Verlag, London.
Zequeira, R. and C. Bérenguer (2006). Periodic imperfect preventive maintenance with two categories of competing failure modes. Reliability Engineering and System Safety 91, 460–468.
Zhang, F. and A. Jardine (1998). Optimal maintenance models with minimal repair, periodic overhaul and complete renewal. IIE Transactions 30, 1109–1119.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

C. Bérenguer
Université de Technologie de Troyes/CNRS, Troyes, France

ABSTRACT: The paper deals with the maintenance optimization of a system subject to a stressful environment. The behavior of system deterioration can be modified by the environment. Maintenance strategies, based not only on the stationary deterioration mode but also on the stress state, are proposed to inspect and replace the system in order to minimize the long-run maintenance cost per unit of time. Numerical experiments are conducted to compare their performance with classical approaches and thus highlight the economical benefits of our strategies.

which integrate the deterioration level but also the stress information are presented. Finally, numerical results based on generic data are conducted to compare these different approaches with a classical approach and thus will highlight the economical and safety benefits of our approach.

developments. The gamma process is parameterized by two parameters $\alpha$ and $\beta$ which can be estimated from the deterioration data. Gamma processes have recently received a tremendous amount of attention in the reliability and maintainability literature as a means to model the degradation of many civil engineering structures under uncertainty (van Noortwijk 2007).

$$f_{\alpha\delta t,\beta}(x) = \frac{\beta^{\alpha\delta t}}{\Gamma(\alpha\delta t)}\,x^{\alpha\delta t-1}e^{-\beta x}\,\mathbb{I}_{x\ge 0} \qquad (1)$$
impacted by this environment. The covariate influence can be reduced to a log-linear regression model: if $Y_t = y$, then $X_y(\delta t)\sim\Gamma(\alpha_0 e^{\gamma y}\delta t,\beta)$ (Bagdonavicius and Nikulin 2000; Lehmann 2006), where $\gamma$ measures the influence of the covariate on the degradation process. Thus, it is assumed that the system is subject to an increase in the deterioration speed while it is under stress (i.e. while $Y_t = 1$), and the system deteriorates according to its nominal mode while it is not stressed (while $Y_t = 0$). The parameters of the degradation process when the system is non-stressed are $\alpha_0\delta t$ ($\alpha_0 = \alpha$) and $\beta$, and when the system is under stress $\alpha_1\delta t$ and $\beta$ with $\alpha_1 = \alpha_0 e^{\gamma}$. On average the shape parameter $\bar\alpha$ is $\alpha_0(1 + \bar r(e^{\gamma} - 1))$. $\alpha_0$ and $\beta$ can be obtained by maximum likelihood estimation. $\gamma$ can be assimilated to a classical acceleration factor and can be obtained with accelerated life testing methods.

Figure 1 sketches the evolution of the stress process and its influence on the system deterioration.

3 DEFINITION AND EVALUATION OF THE MAINTENANCE POLICY

This section presents the maintenance decision framework. First, the structure of the maintenance policy is presented to define when an inspection or a replacement should be implemented. The mathematical expressions of the associated long-run maintenance cost per unit of time are then developed to optimize the maintenance decision with respect to the system state behavior.

3.1 Structure of the maintenance policy

The cumulative deterioration level $X_t$ can be observed only through costly inspections. Let $c_{ix}$ be the unitary inspection cost. Even if non-periodic inspection strategies are optimal (Castanier et al., 2003), a periodic strategy is first proposed. The benefit of such a choice is a reduced number of decision parameters, only the inspection period $\tau$, and an easier implementation of the approach in an industrial context. This inspection is assumed to be perfect in the sense that it reveals the exact deterioration level $X_t$.

A replacement can take place to renew the system when it is failed (corrective replacement) or to prevent the failure (preventive replacement). A corrective replacement is performed when the system is observed in the failed state during an inspection of $X_t$. We assume that the unitary cost of a corrective replacement $c_c$ is composed of all the direct and indirect costs incurred by this maintenance action. Only the unavailability cost $c_u$ per unit of time the system is failed has to be added to $c_c$. The decision rule for a preventive replacement is the classical control limit rule: if $\xi$ is the preventive replacement threshold, a preventive replacement is performed during the inspection of $X_t$ if the deterioration level belongs to the interval $(\xi, L)$. Let $c_p$ be the preventive replacement cost ($c_p < c_c$). This maintenance policy is denoted Policy 0 hereafter.

3.2 Cost-based criterion for maintenance performance evaluation

The maintenance decision parameters which should be optimized in order to minimize the long-run maintenance cost are:
• the inspection period $\tau$, which balances the cumulative inspection cost against earlier detection and prevention of a failure;
• the preventive maintenance threshold $\xi$, which reduces cost by the prevention of a failure.

An illustration of the maintenance decision is presented in Figure 2.

The degradation of the unmaintained system state is described by the stochastic process $(X_t)_{t\ge 0}$. Let in the sequel the process $(\tilde X_t)_{t\ge 0}$ describe the evolution of the maintained system state. It can be analyzed through its regenerative characteristics: after a complete replacement of the system (all the system components are simultaneously replaced), it is in the "as good as new" initial state and its future evolution does not depend any more on the past. These complete system replacement times are regeneration points for the process describing the evolution of the global maintained system state. Thanks to the renewal property, we can limit the study of the process to a renewal cycle, which significantly reduces the complexity of the analysis. The renewal-reward theorem (Asmussen 1987) implies that the cost function equals the expected cost per cycle divided by the expected length of a cycle:

$$C_\infty(\tau,\xi) = \lim_{t\to\infty}\frac{C(t)}{t} = \frac{E(C(S))}{E(S)} \qquad (4)$$

[Figure 2. Evolution of the deterioration process and the stress process when the system is maintained: $X(t)$ against time, with the corrective replacement area above the failure level $L$ (failure due to an excessive deterioration) and the preventive replacement area between $\xi$ and $L$.]
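Policy 0 and the renewal-reward ratio (4) can be reproduced by simulation, which is also the route the paper takes for its non-periodic policies. The following Python block is an added example, not the paper's R code (which evaluates the expectations in closed form): it draws gamma increments with the density (1), switches the shape parameter between $\alpha_0\delta t$ and $\alpha_0 e^{\gamma}\delta t$ with the stress state, inspects every $\tau$, applies the control-limit rule with threshold $\xi$ and failure level $L$, and averages the cost and length of many regenerative cycles. The stress process is assumed here to be a two-state Markov chain with switching rates `l01` and `l10`; those rates, the step `dt` and all numeric values in `PARAMS` are assumptions, not values from the page.

```python
"""Monte Carlo estimate of the long-run cost rate C_inf(tau, xi) of Policy 0
under the stress-dependent gamma degradation of Section 2.

Added example, not the paper's R code (which evaluates the expectations in
closed form). Assumed, and not on the page: the stress Y_t is a two-state
Markov chain with switching rates l01 (0 -> 1) and l10 (1 -> 0), the
simulation step dt, and every numeric value in PARAMS."""
import math
import random

PARAMS = dict(
    alpha0=1.0, beta=1.0,   # nominal gamma shape rate alpha_0 and scale parameter beta
    gamma=0.7,              # under stress the shape rate becomes alpha_0 * e^gamma
    l01=0.2, l10=0.3,       # assumed stress switching rates
    L=10.0,                 # failure level
    cix=1.0, cp=10.0, cc=50.0, cu=5.0,   # inspection, preventive, corrective, unavailability
    dt=0.1,                 # simulation step delta_t
)


def gamma_increment(rng, alpha_dt, beta):
    """Increment X_{t+dt} - X_t ~ Gamma(shape alpha*dt, rate beta), the density (1)."""
    return rng.gammavariate(alpha_dt, 1.0 / beta)


def simulate_cycle(rng, tau, xi, p=PARAMS):
    """One renewal cycle of Policy 0: inspect every tau; replace correctively if
    X >= L, preventively if xi <= X < L. Returns (cost, length, downtime, corrective)."""
    dt = p["dt"]
    steps = max(1, int(round(tau / dt)))
    x, y, t, down, cost = 0.0, 0, 0.0, 0.0, 0.0
    while True:
        for _ in range(steps):
            # Stress state switches with probability rate*dt per step (assumed Markov chain).
            if y == 0 and rng.random() < p["l01"] * dt:
                y = 1
            elif y == 1 and rng.random() < p["l10"] * dt:
                y = 0
            alpha = p["alpha0"] * (math.exp(p["gamma"]) if y == 1 else 1.0)
            x += gamma_increment(rng, alpha * dt, p["beta"])
            t += dt
            if x >= p["L"]:
                down += dt          # failed, but unnoticed until the next inspection
        cost += p["cix"]            # every inspection is paid
        if x >= p["L"]:
            return cost + p["cc"] + p["cu"] * down, t, down, True
        if x >= xi:
            return cost + p["cp"], t, down, False


def long_run_cost(tau, xi, p=PARAMS, n_cycles=2000, seed=1):
    """Renewal-reward estimate of (4): E(C(S)) / E(S) over n_cycles simulated cycles."""
    rng = random.Random(seed)
    total_cost = total_len = 0.0
    for _ in range(n_cycles):
        c, s, _down, _corrective = simulate_cycle(rng, tau, xi, p)
        total_cost += c
        total_len += s
    return total_cost / total_len


def optimise_policy0(tau_grid, xi_grid, p=PARAMS, n_cycles=500):
    """Grid search over (tau, xi), a simulation stand-in for the paper's gradient optimiser."""
    best = None
    for tau in tau_grid:
        for xi in xi_grid:
            c = long_run_cost(tau, xi, p, n_cycles)
            if best is None or c < best[2]:
                best = (tau, xi, c)
    return best


if __name__ == "__main__":
    print(optimise_policy0([0.5, 1.0, 2.0, 3.0], [4.0, 6.0, 8.0]))
```

The unavailability term of the criterion is accumulated per step between the failure instant and the inspection that detects it, which is exactly what the periodic policy pays for: a failure is only discovered at the next inspection, so a long $\tau$ trades fewer inspection costs for more downtime at rate $c_u$.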
where $E(W)$ is the expected value of the random variable $W$ and $S$ is the length of a regenerative cycle. The cost $C(S)$ is composed of the inspection, replacement and unavailability costs and can be written:

$$C_\infty(\tau,\xi) = \frac{\cdots}{E(S)} + \frac{c_u\,E(D_u(S))}{E(S)} \qquad (5)$$

where $D_u(t)$ represents the unavailability time before $t$. The computation of the long-run maintenance cost per unit of time is presented in Appendix A; it requires the evaluation of the reliability function of the main-

[Figure: curve plotted against an axis from 0.0 to 1.0 (vertical axis from 10 to 35).]

The objective of Policy 2 is to optimize the number of thresholds in order to balance the number of decision parameter changes against the optimal cost given by Policy 1. In this paper, the number of thresholds is not optimized; we present only the performance of this policy as a function of the number of thresholds. The following iteration algorithm is used for optimizing Policy 2:

• Step 0: initialization of the maintenance policy:
  – choice of the number of thresholds: $n$;
  – determination of the $n$ policies $(\tau_n, \xi_n)$ optimized with Policy 0;
For $i = 1:N_h$ (1000)
• Step 1: estimation of the maintenance cost in one cycle:
  – Step 1.1: initialization of the stress state $Y_0$ and the deterioration level $X_0 = 0$;
  – Step 1.2: simulation of all the dates of stress state

estimate in order to know the time elapsed in the failed state $D_u$. In this case the cost is $c_{ix} + c_c + c_u D_u$;
    * if the cumulative deterioration is lower than the failure threshold but higher than the corresponding preventive threshold, a preventive replacement is implemented with the following cost: $c_{ix} + c_p$.
• Step 2: estimation of the cost criterion: the long-run maintenance cost corresponds to the mean of the $N_h$ costs.

[Figure 4. Evolution of the inspection time depending on the state of the stress with Policy 2: stress state $Y(t)\in\{0,1\}$ and inspection dates $T_1, T_2, T_3$; upper panel, proportion of time elapsed in the stress state $r(t)$.]

4 NUMERICAL RESULTS

This section is devoted to comparing the economic performance of the three proposed policies. The numerical results are provided here by the use of the R software (www.r-project.org): specific programs are developed to numerically evaluate each expectation in Equation 5 in the case of Policy 0, and the classical numerical gradient procedure provided by R is used to determine the optimal cost and thus the optimized maintenance decision parameters. A Monte Carlo approach is used in the case of the non-periodic inspection strategies described in Section 3.2.

4.1 Economic performance of Policy 1 compared to Policy 0

The curves in Figure 5 are the respective representations of the optimized cost criterion for Policies 0 and 1. They are obtained when the mean proportion of time elapsed in the non-stressed state, $\bar r$, varies from 0 to 1.

[Figure: optimized cost for Policy 0, Policy 1 and Policy 2 (cost axis from 0.60 to 0.65).]

Policy 2 would have better results than Policy 1 if we introduced a cost for each change of decision parameters. Moreover, Policy 2 is easier to implement than Policy 1 in an industrial context.

5 CONCLUSION
• Case 2: at least one inspection has been performed at $t$ ($t\ge\tau$). The probability density function for the system to have never been replaced is a function of the observed deterioration level $x\in(0,\xi)$ during the last inspection at time $[t/\tau]\tau$ (where $[\cdot]$ is the integer part function) and of the deterioration level reached since the last inspection, $y\in(x,L)$. Hence for $t\ge\tau$ we have:

$$R_m(t) = P\big(X(t) < L \,\big|\, X([t/\tau]\tau) < \xi\big) = \int_0^{\xi}\int_0^{L-x} f(x,[t/\tau]\tau)\,f(y,t)\,dy\,dx \qquad (8)$$

$E(S)$, the expected length of a regenerative cycle, can be expressed by the two following scenarios:
• the cycle ends by a corrective replacement;
• the cycle ends by a preventive replacement;
and is given by:

$$E(S) = \underbrace{\int_0^{\infty} x\tau\big(R_m((x-1)\tau) - R_m(x\tau)\big)\,dx}_{\text{Scenario 1}} + \underbrace{\int_0^{\infty} x\tau\Big(R_m((x-1)\tau) - P\big(X(x\tau)<\xi \,\big|\, X((x-1)\tau)<\xi\big)\Big)\,dx}_{\text{Scenario 2}} \qquad (9)$$

with

$$P\big(X(x\tau)<\xi \,\big|\, X((x-1)\tau)<\xi\big) = \int_0^{\xi}\int_0^{\xi-y} f(y,(x-1)\tau)\,f(z,x\tau)\,dz\,dy \qquad (10)$$

$P(X_S > L)$, the probability of a corrective replacement on a cycle $S$, is given by:

$$P(X_S > L) = \int_0^{\infty} x\tau\big(R_m((x-1)\tau) - R_m(x\tau)\big)\,dx \qquad (11)$$

REFERENCES

Asmussen, S. (1987). Applied Probability and Queues. Wiley Series in Probability and Mathematical Statistics. Wiley.
Bagdonavicius, V. and M. Nikulin (2000). Estimation in Degradation Models with Explanatory Variables. Lifetime Data Analysis 7, 85–103.
Castanier, B., C. Bérenguer, and A. Grall (2003). A sequential condition-based repair/replacement policy with non-periodic inspections for a system subject to continuous wear. Applied Stochastic Models in Business and Industry 19(4), 327–347.
Cox, D. (1972). Regression models and life tables. Journal of the Royal Statistical Society B 34, 187–202.
Deloux, E., B. Castanier, and B. C. (2008). Maintenance policy for a non-stationary deteriorating system. In Annual Reliability and Maintainability Symposium Proceedings 2008 (RAMS 2008), Las Vegas, USA, January 28–31.
Gertsbakh, I. (2000). Reliability Theory With Applications to Preventive Maintenance. Springer.
Grall, A., L. Dieulle, C. Bérenguer, and M. Roussignol (2002). Continuous-Time Predictive-Maintenance Scheduling for a Deteriorating System. IEEE Transactions on Reliability 51(2), 141–150.
Grall, A., L. Dieulle, C. Bérenguer, and M. Roussignol (2006). Asymptotic failure rate of a continuously monitored system. Reliability Engineering and System Safety 91(2), 126–130.
Lehmann, A. (2006). Joint modeling of degradation and failure time data. In Degradation, Damage, Fatigue and Accelerated Life Models in Reliability Testing, ALT2006, Angers, France, pp. 26–32.
Rausand, M. and A. Hoyland (2004). System Reliability Theory: Models, Statistical Methods, and Applications (Second ed.). Wiley.
Singpurwalla, N. (1995). Survival in Dynamic Environments. Statistical Science 10(1), 86–103.
Singpurwalla, N. (2006). Reliability and Risk: A Bayesian Perspective. Wiley.
van Noortwijk, J. (2007). A survey of the application of gamma processes in maintenance. Reliability Engineering and System Safety, doi:10.1016/j.ress.2007.03.019.
Wang, H. (2002). A Survey of Maintenance Policies of Deteriorating Systems. European Journal of Operational Research 139, 469–489.
ABSTRACT: This paper presents the application of the particle filtering method, a model-based Monte Carlo method, for estimating the failure probability of a component subject to degradation based on a set of observations. The estimation is embedded within a scheme of condition-based maintenance of a component subject to fatigue crack growth.

A sequence of measurements $\{z_k, k\in\mathbb{N}\}$ is assumed to be collected at the successive time steps $t_k$. The sequence of measurement values is described by the measurement (observation) equation:

$$z_k = h_k(x_k, \upsilon_k) \qquad (2)$$

where $h_k:\mathbb{R}^{n_x}\times\mathbb{R}^{n_\upsilon}\to\mathbb{R}^{n_z}$ is possibly non-linear and $\{\upsilon_k, k\in\mathbb{N}\}$ is an i.i.d. measurement noise vector sequence of known distribution. The measurements $\{z_k, k\in\mathbb{N}\}$ are thus assumed to be conditionally independent given the state process $\{x_k, k\in\mathbb{N}\}$.

Within a Bayesian framework, the filtered posterior distribution $p(x_k\,|\,z_{0:k})$ can be recursively computed in two stages: prediction and update.

Given the probability distribution $p(x_{k-1}\,|\,z_{0:k-1})$ at time $k-1$, the prediction stage involves using the system model (1) to obtain the prior probability distribution of the system state $x_k$ at time $k$ via the Chapman-Kolmogorov equation:

$$p(x_k\,|\,z_{0:k-1}) = \int p(x_k\,|\,x_{k-1}, z_{0:k-1})\,p(x_{k-1}\,|\,z_{0:k-1})\,dx_{k-1} = \int p(x_k\,|\,x_{k-1})\,p(x_{k-1}\,|\,z_{0:k-1})\,dx_{k-1} \qquad (3)$$

where the Markovian assumption underpinning the system model (1) has been used.

At time $k$, a new measurement $z_k$ is collected and used to update the prior distribution via Bayes' rule, so as to obtain the required posterior distribution of the current state $x_k$ (Arulampalam 2002):

$$p(x_k\,|\,z_{0:k}) = \frac{p(x_k\,|\,z_{0:k-1})\,p(z_k\,|\,x_k)}{p(z_k\,|\,z_{0:k-1})} \qquad (4)$$

where the normalizing constant is

$$p(z_k\,|\,z_{0:k-1}) = \int p(x_k\,|\,z_{0:k-1})\,p(z_k\,|\,x_k)\,dx_k \qquad (5)$$

the entire state sequence $x_{0:k}$ given the measurement vector $z_{0:k}$ as:

$$p(x_{0:k}\,|\,z_{0:k}) = \int p(\xi_{0:k}\,|\,z_{0:k})\,\delta(\xi_{0:k} - x_{0:k})\,d\xi_{0:k} \qquad (6)$$

and assuming that the true posterior probability $p(x_{0:k}\,|\,z_{0:k})$ is known and can be sampled, an estimate of (6) is given by (Kalos and Whitlock 1986):

$$\hat p(x_{0:k}\,|\,z_{0:k}) = \frac{1}{N_s}\sum_{i=1}^{N_s}\delta(x_{0:k} - x_{0:k}^i) \qquad (7)$$

where $x_{0:k}^i$, $i = 1, 2, \ldots, N_s$, is a set of independent random samples drawn from $p(x_{0:k}\,|\,z_{0:k})$.

Since, in practice, it is usually not possible to sample efficiently from the true posterior distribution $p(x_{0:k}\,|\,z_{0:k})$, importance sampling is used, i.e. the state sequences $x_{0:k}^i$ are drawn from an arbitrarily chosen distribution $\pi(x_{0:k}\,|\,z_{0:k})$, called the importance function (Kalos and Whitlock 1986). The probability $p(x_{0:k}\,|\,z_{0:k})$ is written as:

$$p(x_{0:k}\,|\,z_{0:k}) = \int \frac{p(\xi_{0:k}\,|\,z_{0:k})}{\pi(\xi_{0:k}\,|\,z_{0:k})}\,\pi(\xi_{0:k}\,|\,z_{0:k})\,\delta(\xi_{0:k} - x_{0:k})\,d\xi_{0:k} \qquad (8)$$

and an unbiased estimate is obtained by (Doucet et al., 2001 and Arulampalam 2002):

$$\hat p^*(x_{0:k}\,|\,z_{0:k}) = \frac{1}{N_s}\sum_{i=1}^{N_s} w_k^{*i}\,\delta(x_{0:k} - x_{0:k}^i) \qquad (9)$$

where:

$$w_k^{*i} = \frac{p(z_{0:k}\,|\,x_{0:k}^i)\,p(x_{0:k}^i)}{p(z_{0:k})\,\pi(x_{0:k}^i\,|\,z_{0:k})} \qquad (10)$$

$$\hat p(x_{0:k}\,|\,z_{0:k}) = \sum_{i=1}^{N_s}\tilde w_k^i\,\delta(x_{0:k} - x_{0:k}^i) \qquad (11)$$
where the "Bayesian" importance weights $\tilde w_k^i$ are given by:

$$\tilde w_k^i = \frac{w_k^i}{\sum_{j=1}^{N_s} w_k^j} \qquad (12)$$

$$w_k^i = \frac{p(z_{0:k}\,|\,x_{0:k}^i)\,p(x_{0:k}^i)}{\pi(x_{0:k}^i\,|\,z_{0:k})} = w_k^{*i}\,p(z_{0:k}) \qquad (13)$$

For on-line applications, the estimate of the distribution $p(x_{0:k}\,|\,z_{0:k})$ at the $k$-th time step can be obtained from the distribution $p(x_{0:k-1}\,|\,z_{0:k-1})$ at the previous time step by the following recursive formula, obtained by extension of equation (4) for the Bayesian filter $p(x_k\,|\,z_{0:k})$ (Doucet et al., 2001 and Arulampalam 2002):

The choice of the importance function is obviously crucial for the efficiency of the estimation. In this work, the prior distribution of the hidden Markov model is taken as importance function, i.e. $\pi(x_k\,|\,x_{0:k-1}^i, z_{0:k}) = p(x_k\,|\,x_{k-1}^i)$, and the non-normalized weights (16) become (Tanizaki 1997 and Tanizaki & Mariano 1998):

$$w_k^i = w_{k-1}^i\,p(z_k\,|\,x_k^i) \qquad (17)$$

Actually, in many engineering applications, the measurements are not available at each time step, but rather at regularly scheduled or even opportunistically staggered time instants $k_1, k_2, \ldots$. Denoting the observation sequence up to the current time $k$ as the set $\{z\}_k = \{z_j : j = k_1, \ldots, k_f \le k\}$, the Monte Carlo estimation formalism described above remains valid, provided that the weight updating formulas (16) and (17) are applied only at the observation times $k_1, \ldots, k_f$, whereas the weights $w_k^i$ remain constant at all other time instants $k \ne k_1, \ldots, k_f$.

$$x_k = x_{k-1} + e^{\omega_k}\,C\,(\Delta K)^n\,\Delta t \qquad (20)$$

which represents a non-linear Markov process with independent, non-stationary degradation increments.
For the observation $z_k$, a logit model can be introduced (Simola & Pulkkinen 1998):

$$\ln\frac{z_k}{d - z_k} = \beta_0 + \beta_1\ln\frac{x_k}{d - x_k} + \upsilon_k \qquad (21)$$

where $d$ is the component material thickness, $\beta_0\in(-\infty,\infty)$ and $\beta_1 > 0$ are parameters to be estimated from experimental data, and $\upsilon$ is a white Gaussian noise such that $\upsilon\sim N(0,\sigma_\upsilon^2)$.

Introducing the following standard transformations,

$$y_k = \ln\frac{z_k}{d - z_k} \qquad (22)$$

$$\mu_k = \beta_0 + \beta_1\ln\frac{x_k}{d - x_k} \qquad (23)$$

then $Y_k\sim N(\mu_k,\sigma_\upsilon^2)$ is a Gaussian random variable with conditional cumulative distribution function (cdf):

$$F_{Y_k}(y_k\,|\,x_k) = P(Y_k < y_k\,|\,x_k) = \Phi\!\left(\frac{y_k - \mu_k}{\sigma_\upsilon}\right) \qquad (24)$$

where $\Phi(u)$ is the cdf of the standard normal distribution $N(0,1)$.

The conditional cdf of the measurement $z_k$ related to the degradation state $x_k$ is then:

$$F_{Z_k}(z_k\,|\,x_k) = F_{Y_k}\!\left(\ln\frac{z_k}{d - z_k}\,\Big|\,x_k\right) = \Phi\!\left(\frac{1}{\sigma_\upsilon}\left(\ln\frac{z_k}{d - z_k} - \mu_k\right)\right) \qquad (25)$$

with corresponding probability density function:

$$f_{Z_k}(z_k\,|\,x_k) = \frac{1}{\sqrt{2\pi}\,\sigma_\upsilon}\,\frac{d}{z_k(d - z_k)}\,\exp\!\left[-\frac{1}{2}\left(\frac{\ln\frac{z_k}{d - z_k} - \mu_k}{\sigma_\upsilon}\right)^2\right] \qquad (26)$$

The maintenance actions considered for the component are replacement upon failure and preventive replacement. For a wide variety of industrial components, preventive replacement costs are lower than failure replacement ones, since unscheduled shutdown losses must be included in the latter.

At a generic time step $k$ of the component's life, a decision can be made on whether to replace the component or to further extend its life, albeit assuming the risk of a possible failure. This decision can be informed by the knowledge of the crack propagation stochastic process and a set of available measurements $\{z\}_k$ related to it, taken at selected times prior to $k$. The best time to replacement $l_{min}$ is the one which minimizes the expression (Christer et al., 1997):

$$\text{expected cost per unit time}(k,l) = \frac{\text{expected cost over the current life cycle}(k,l)}{\text{expected current life cycle}(k,l)} \qquad (27)$$

where:
• $l$ denotes the remaining life duration until replacement (either preventive or upon failure),
• $k+l$ denotes the preventive replacement time instant scheduled on the basis of the set of observations $\{z\}_k$ collected up to time $k$,
• $d^*$ denotes the critical crack threshold above which failure is assumed to occur ($d^* < d$),
• $c_p$ denotes the cost of preventive replacement,
• $c_f$ denotes the cost of replacement upon failure,
• $p(k+i) = P(x_{k+i} > d^*\,|\,x_{0:k+i-1} < d^*, \{z\}_k)$ denotes the conditional posterior probability of the crack depth first exceeding $d^*$ in the interval $(k+i-1, k+i)$, knowing the component had not failed up to time $k+i-1$ and given the sequence of observations $\{z\}_k$ available up to time $k$,
• $P(k+l)$ denotes the probability of the crack depth exceeding $d^*$ in the interval $(k, k+l)$.

Neglecting the monitoring costs:

$$\text{expected cost over the current life cycle}(k,l) = c_p\,\big(1 - P(k+l)\big) + c_f\,P(k+l) \qquad (28)$$

where:

$$P(k+l) = p(k+1) + \big(1 - p(k+1)\big)\,p(k+2) + \cdots = \begin{cases} p(k+1) & l = 1 \\[4pt] p(k+1) + \sum_{i=2}^{l}\prod_{j=1}^{i-1}\big(1 - p(k+j)\big)\,p(k+i) & l > 1\end{cases} \qquad (29)$$

and

$$\text{expected current life cycle}(k,l) = \begin{cases} k+1 & l = 1 \\[4pt] (k+l)\big(1 - P(k+l)\big) + (k+1)\,p(k+1) + \sum_{i=2}^{l}(k+i)\prod_{j=1}^{i-1}\big(1 - p(k+j)\big)\,p(k+i) & l > 1\end{cases} \qquad (30)$$

Within the Monte Carlo sampling framework of Section 2, an estimate of the unknown conditional posterior probability $p(k+i)$ may be obtained as the weighted fraction of the particles still below $d^*$ at $k+i-1$ that cross $d^*$ during step $i$:

$$\hat p(k+i) = \frac{\sum_{m:\ x_{k+i-1}^m < d^* < x_{k+i}^m} w_k^m}{\sum_{n:\ x_{k+i-1}^n < d^*} w_k^n} \qquad (31)$$
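The whole chain, from the crack-growth model (20) and the logit likelihood (26) through the weight recursion (17) at irregular observation times to the hazard estimate (31) and the replacement rule (27)-(30), can be put together in a short Python script. The following block is an added example, not the paper's code. It assumes, beyond what the page states, a Paris-law stress intensity range $\Delta K = \Delta\sigma\sqrt{\pi x}$, a Gaussian $\omega_k$, illustrative numeric values, and a constructed set of three measurements; the names `propagate`, `run_filter`, `hazard_sequence` and `best_replacement_time` are this example's own.

```python
"""Particle-filter prognosis of a fatigue crack, following eqs. (17), (20), (26)
and (27)-(31). Added example, not the paper's code. Assumed, and not on the
page: the stress-intensity range dK = DSIGMA*sqrt(pi*x) (Paris-law form), the
process noise omega_k ~ N(0, SIGMA_W^2), every numeric value below, and the
constructed measurement series used in the demo at the bottom."""
import math
import random

D, D_STAR = 10.0, 6.0              # thickness d and critical depth d* (< d), assumed
C_PARIS, N_PARIS, DSIGMA, DELTA_T = 0.05, 1.5, 1.0, 1.0
SIGMA_W = 0.2                      # spread of omega_k in (20)
BETA0, BETA1, SIGMA_U = 0.0, 1.0, 0.3   # logit measurement model (21)
CP, CF = 1.0, 5.0                  # preventive / failure replacement costs


def propagate(rng, x):
    """One step of (20): x_k = x_{k-1} + e^{omega_k} C (dK)^n dt, kept below d."""
    dk = DSIGMA * math.sqrt(math.pi * x)
    grown = x + math.exp(rng.gauss(0.0, SIGMA_W)) * C_PARIS * dk ** N_PARIS * DELTA_T
    return min(grown, D - 1e-9)


def logit(v):
    return math.log(v / (D - v))


def likelihood(z, x):
    """Density (26) of a measurement z given crack depth x (both in (0, d))."""
    u = (logit(z) - (BETA0 + BETA1 * logit(x))) / SIGMA_U
    return D / (z * (D - z)) * math.exp(-0.5 * u * u) / (math.sqrt(2.0 * math.pi) * SIGMA_U)


def normalise(w):
    s = sum(w)
    return [wi / s for wi in w]


def run_filter(measurements, n_particles=2000, x0=0.5, seed=7):
    """SIS filter with the prior as importance function: particles move with (20)
    every step; the weights are updated with (17) only at the observation times,
    given as a dict {step: z}, and stay constant in between."""
    rng = random.Random(seed)
    xs = [x0] * n_particles
    ws = [1.0 / n_particles] * n_particles
    for k in range(1, max(measurements) + 1):
        xs = [propagate(rng, x) for x in xs]
        if k in measurements:
            ws = normalise([w * likelihood(measurements[k], x) for w, x in zip(ws, xs)])
    return xs, ws


def hazard_sequence(xs, ws, horizon, seed=11):
    """p_hat(k+i), i = 1..horizon, by (31): among particles still below d* at
    k+i-1, the weighted share that crosses d* during step i (no new data)."""
    rng = random.Random(seed)
    alive = [x < D_STAR for x in xs]
    out = []
    for _ in range(horizon):
        xs = [propagate(rng, x) for x in xs]
        denom = sum(w for w, a in zip(ws, alive) if a)
        num = sum(w for w, a, x in zip(ws, alive, xs) if a and x > D_STAR)
        out.append(num / denom if denom > 0.0 else 1.0)
        alive = [a and x <= D_STAR for a, x in zip(alive, xs)]
    return out


def cumulative_failure(p):
    """P(k+l), l = 1..len(p), from (29)."""
    out, survive = [], 1.0
    for pi in p:
        out.append((out[-1] if out else 0.0) + survive * pi)
        survive *= 1.0 - pi
    return out


def best_replacement_time(p, k):
    """l_min of (27): the l minimising (28) divided by (30). Returns (l_min, rate)."""
    big_p = cumulative_failure(p)
    best = None
    for l in range(1, len(p) + 1):
        cost = CP * (1.0 - big_p[l - 1]) + CF * big_p[l - 1]
        length, survive = (k + l) * (1.0 - big_p[l - 1]), 1.0
        for i in range(1, l + 1):
            length += (k + i) * survive * p[i - 1]
            survive *= 1.0 - p[i - 1]
        if best is None or cost / length < best[1]:
            best = (l, cost / length)
    return best


if __name__ == "__main__":
    # Constructed observations (not measured data): noisy depths at steps 5, 10, 15.
    obs = {5: 0.9, 10: 1.6, 15: 2.4}
    xs, ws = run_filter(obs)
    p = hazard_sequence(xs, ws, horizon=40)
    print("l_min, cost rate:", best_replacement_time(p, k=15))
```

Two caveats a practitioner should keep in mind. The filter above is plain sequential importance sampling, as in the text: without a resampling step the weights concentrate on a few particles after several observations, so the effective sample size should be monitored on long runs. And the hazard estimate (31) is only as good as the surviving weighted mass in its denominator; when that mass becomes small the estimate is noisy, which is why the code returns 1.0 rather than dividing by zero once no particle remains below $d^*$.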
4 CONCLUSIONS
estimation of failure probabilities from noisy measurements related to the degradation state.

An example of application of the method has been illustrated with respect to the crack propagation dynamics of a component subject to fatigue cycles and which may be replaced preventively or at failure, with different costs.

The proposed method is shown to represent a valuable prognostic tool which can be used to drive effective condition-based maintenance strategies for improving the availability, safety and cost effectiveness of complex safety-critical systems, structures and components, such as those employed in the nuclear industry.

REFERENCES

Anderson, B.D. & Moore, J.B. 1979. Optimal Filtering. Englewood Cliffs, NJ: Prentice Hall.
Arulampalam, M.S., Maskell, S., Gordon, N. & Clapp, T. 2002. A Tutorial on Particle Filters for Online Nonlinear/Non-Gaussian Bayesian Tracking. IEEE Trans. on Signal Processing 50(2): 174–188.
Bigerelle, M. & Iost, A. 1999. Bootstrap Analysis of FCGR, Application to the Paris Relationship and to Lifetime Prediction. International Journal of Fatigue 21: 299–307.
Christer, A.H., Wang, W. & Sharp, J.M. 1997. A state space condition monitoring model for furnace erosion prediction and replacement. European Journal of Operational Research 101: 1–14.
Djuric, P.M., Kotecha, J.H., Zhang, J., Huang, Y., Ghirmai, T., Bugallo, M.F. & Miguez, J. 2003. Particle Filtering. IEEE Signal Processing Magazine: 19–37.
Doucet, A. 1998. On Sequential Simulation-Based Methods for Bayesian Filtering. Technical Report CUED-F-ENG-TR310, University of Cambridge, Dept. of Engineering.
Doucet, A., de Freitas, J.F.G. & Gordon, N.J. 2001. An Introduction to Sequential Monte Carlo Methods. In A. Doucet, J.F.G. de Freitas & N.J. Gordon (eds), Sequential Monte Carlo in Practice. New York: Springer-Verlag.
Doucet, A., Godsill, S. & Andrieu, C. 2000. On Sequential Monte Carlo Sampling Methods for Bayesian Filtering. Statistics and Computing 10: 197–208.
Kalos, M.H. & Whitlock, P.A. 1986. Monte Carlo Methods. Volume I: Basics. Wiley.
Kitagawa, G. 1987. Non-Gaussian State-Space Modeling of Nonstationary Time Series. Journal of the American Statistical Association 82: 1032–1063.
Kozin, F. & Bogdanoff, J.L. 1989. Probabilistic Models of Fatigue Crack Growth: Results and Speculations. Nuclear Engineering and Design 115: 143–171.
Marseguerra, M., Zio, E. & Podofillini, L. 2002. Condition-Based Maintenance Optimization by Means of Genetic Algorithms and Monte Carlo Simulation. Reliability Engineering and System Safety 77: 151–165.
Myotyri, E., Pulkkinen, U. & Simola, K. 2006. Application of stochastic filtering for lifetime prediction. Reliability Engineering and System Safety 91: 200–208.
Provan, J.W. (ed.) 1987. Probabilistic Fracture Mechanics and Reliability. Martinus Nijhoff Publishers.
Pulkkinen, U. 1991. A Stochastic Model for Wear Prediction through Condition Monitoring. In K. Holmberg and A. Folkeson (eds), Operational Reliability and Systematic Maintenance. London/New York: Elsevier, 223–243.
Rocha, M.M. & Schueller, G.I. 1996. A Probabilistic Criterion for Evaluating the Goodness of Fatigue Crack Growth Models. Engineering Fracture Mechanics 53: 707–731.
Seong, S.-H., Park, H.-Y., Kim, D.-H., Suh, Y.-S., Hur, S., Koo, I.-S., Lee, U.-C., Jang, J.-W. & Shin, Y.-C. 2002. Development of Fast Running Simulation Methodology Using Neural Networks for Load Follow Operation. Nuclear Science and Engineering 141: 66–77.
Simola, K. & Pulkkinen, U. 1998. Models for non-destructive inspection data. Reliability Engineering and System Safety 60: 1–12.
Tanizaki, H. 1997. Nonlinear and nonnormal filters using Monte Carlo methods. Computational Statistics & Data Analysis 25: 417–439.
Tanizaki, H. & Mariano, R.S. 1998. Nonlinear and Non-Gaussian State-Space Modeling with Monte Carlo Simulations. Journal of Econometrics 83: 263–290.
Anatoly Lisnianski
The Israel Electric Corporation Ltd., Haifa, Israel

ABSTRACT: This paper considers corrective maintenance contracts for aging air conditioning systems operating under varying weather conditions. Aging is treated as an increasing failure rate. The system can fall into unacceptable states for two reasons: through performance degradation because of failures or through an increase in the demand for cold. Each residence in an acceptable state, each repair and each entrance to an unacceptable state are associated with a corresponding cost. A procedure for computing this reliability-associated cost is suggested, based on the Markov reward model for a non-homogeneous Poisson process. By using this model an optimal maintenance contract that minimizes the total expected cost may be found. A numerical example for a real-world air conditioning system is presented to illustrate the approach.
– RC is the repair cost incurred by the user in t = 0 from state j. According to Howard (1960),
operating and maintaining the system during its the following system of differential equations must be
lifetime; solved in order to find this reward:
– PC is a penalty cost, accumulated during system life
time, which was paid when the system failed. dVj (t) K K
= rjj + aij rij + aij Vi (t),
Let T be the system lifetime. During this time the dt i=1 i=1
system may be in acceptable states (system function- i =j
ing) or in unacceptable ones (system failure). After j = 1, 2, . . . , K (2)
any failure, a corresponding repair action is performed
and the system returns to one of the previously accept-
able states. Every entrance of the system into a set of The system (2) should be solved under specified
unacceptable states (system failure) incurs a penalty. initial conditions:
A Maintenance Contract is an agreement between
the repair team and the system's owner that guarantees a specific level of services being delivered.
The Maintenance Contract defines important parameters that determine a service level and the corresponding costs. The main parameter is the mean repair time $T_{rm}$, where $m$ ($m = 1, 2, \ldots, M$) is a possible Maintenance Contract level and $M$ is the number of such levels. The repair cost $c_{rm}$ for an individual repair action depends on the repair time and so corresponds to a maintenance contract level $m$. It usually ranges between the highest and lowest repair costs. Thus $T_{r\min} \le T_{rm} \le T_{r\max}$.
The problem is to find the expected reliability associated cost corresponding to each maintenance contract and to choose the corrective maintenance contract minimizing this cost. According to the suggested approach, this cost is represented by the total expected reward, calculated via a specially developed Markov reward model.

2.2 Markov reward model for aging system

A Markov reward model was first introduced by Howard (1960), and applied to multi-state system (MSS) reliability analysis by Lisnianski & Levitin (2003) and others (Lisnianski (2007), Lisnianski et al. (2008)).
We suppose that the Markov model for the system has $K$ states that may be represented by a state space diagram together with the transitions between states. The intensities $a_{ij}$, $i, j = 1, \ldots, K$ of transitions from state $i$ to state $j$ are defined by the corresponding failure and repair rates.
It is assumed that while the system is in any state $i$ during any time unit, some money $r_{ii}$ will be paid. It is also assumed that if there is a transition from state $i$ to state $j$ the amount $r_{ij}$ will be paid for each transition. The amounts $r_{ii}$ and $r_{ij}$ are called rewards. The objective is to compute the total expected reward accumulated from $t = 0$, when the system begins its evolution in the state space, up to the time $t = T$ under specified initial conditions.
Let $V_j(t)$ be the total expected reward accumulated up to time $t$, if the system begins its evolution at time

$$ V_j(0) = 0, \quad j = 1, 2, \ldots, K. $$

For an aging system, its failure rate $\lambda(t)$ increases with age. In the case of minimal repair, the intensities $a_{ij}$, $i, j = 1, \ldots, K$ of transitions from state $i$ to state $j$ corresponding to failures depend on time. The total expected reward can be found from the differential equations (2) by substituting the formula for $\lambda(t)$ for the corresponding $a_{ij}$ values.

3 NUMERICAL EXAMPLE

3.1 The system description

Consider an air conditioning system, placed in a computer center and used around the clock in varying temperature conditions. The system consists of five identical air conditioners. The work schedule of the system is as follows. For regular temperature conditions two air-conditioners must be on-line and the three others are in hot reserve. For peak temperature conditions four air-conditioners have to be on-line and one is in hot reserve. The number of air conditioners that have to be on-line defines the demand level.
We denote:
$c$ – the system operations cost per time unit;
$c_r$ – the repair cost paid for every order of the maintenance team;
$c_{ps}$ – a penalty cost, which is paid when the system fails.
The aging process in the air-conditioners is described via the Weibull distribution with parameters $\alpha = 1.5849$ and $\beta = 1.5021$. Therefore $\lambda(t) = 3t^{0.5021}$.
Service agents can suggest 10 different Corrective Maintenance Contracts, available in the market. Each contract $m$ is characterized by a repair rate and a corresponding repair cost (per repair) as presented in Table 1.
The operation cost $c_{op}$ is equal to $72 per year. The penalty cost $c_p$, which is paid when the system fails, is equal to $500 per failure.
Table 1. Maintenance contract characteristics.

Maintenance contract m   MTTR (days)   Repair cost c_rm ($ per repair)
 1                        3.36           36
 2                        1.83           40
 3                        1.22           46
 4                        0.91           52
 5                        0.73           58
 6                        0.61           66
 7                        0.52           74
 8                        0.46           84
 9                        0.41           94
10                        0.37          106

The transition intensity matrix for the system is as shown in (3).

$$
a = \begin{pmatrix}
a_{11} & 2\lambda(t) & 0 & 0 & 0 & 0 & \lambda_d & 0 & 0 & 0 & 0 & 0 \\
\mu & a_{22} & 2\lambda(t) & 0 & 0 & 0 & 0 & \lambda_d & 0 & 0 & 0 & 0 \\
0 & 2\mu & a_{33} & 2\lambda(t) & 0 & 0 & 0 & 0 & \lambda_d & 0 & 0 & 0 \\
0 & 0 & 3\mu & a_{44} & 2\lambda(t) & 0 & 0 & 0 & 0 & \lambda_d & 0 & 0 \\
0 & 0 & 0 & 4\mu & a_{55} & \lambda(t) & 0 & 0 & 0 & 0 & \lambda_d & 0 \\
0 & 0 & 0 & 0 & 5\mu & a_{66} & 0 & 0 & 0 & 0 & 0 & \lambda_d \\
\lambda_N & 0 & 0 & 0 & 0 & 0 & a_{77} & 4\lambda(t) & 0 & 0 & 0 & 0 \\
0 & \lambda_N & 0 & 0 & 0 & 0 & \mu & a_{88} & 4\lambda(t) & 0 & 0 & 0 \\
0 & 0 & \lambda_N & 0 & 0 & 0 & 0 & 2\mu & a_{99} & 3\lambda(t) & 0 & 0 \\
0 & 0 & 0 & \lambda_N & 0 & 0 & 0 & 0 & 3\mu & a_{10,10} & 2\lambda(t) & 0 \\
0 & 0 & 0 & 0 & \lambda_N & 0 & 0 & 0 & 0 & 4\mu & a_{11,11} & \lambda(t) \\
0 & 0 & 0 & 0 & 0 & \lambda_N & 0 & 0 & 0 & 0 & 5\mu & a_{12,12}
\end{pmatrix} \qquad (3)
$$

Following Lisnianski (2007), the variable demand, representing variable weather conditions, may be described as a continuous time Markov chain with 2 levels. The first level represents a minimal cold demand during the night and the second level represents peak cold demand during the day. The cycle time is $T_c = 24$ hours and the mean duration of the peak is $t_d = 9$ hours. The transition intensities of the model can be obtained as

$$ \lambda_d = \frac{1}{T_c - t_d} = \frac{1}{24 - 9} = 0.066\ \text{hours}^{-1} = 584\ \text{year}^{-1}, $$

where
[State-space diagram of the air-conditioning system (figure residue): states labelled Main, Reserved and On-line; repair transitions μ, 2μ, 3μ, 4μ, 5μ; demand transitions λ_d and λ_N; performance/demand levels (g=2) = (w=2) and (g=2) < (w=4).]
associated with the repair of the air conditioner, and the reward associated with this transition is the mean cost of repair. The reward matrix for the system of air conditioners is as follows:

$$
r = \begin{pmatrix}
2c_{op} & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
c_{rm} & 2c_{op} & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & c_{rm} & 2c_{op} & 0 & 0 & 0 & 0 & 0 & c_p & 0 & 0 & 0 \\
0 & 0 & c_{rm} & 2c_{op} & c_p & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & c_{rm} & c_{op} & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & c_{rm} & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 4c_{op} & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & c_{rm} & 4c_{op} & c_p & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & c_{rm} & 3c_{op} & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & c_{rm} & 2c_{op} & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & c_{rm} & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & c_{rm} & 0
\end{pmatrix}
$$

Taking into consideration the transition intensity matrix (3), the system of differential equations that defines the Markov reward model for the air conditioning system for the calculation of the total expected reward may be written as shown in (4).
$$
\begin{aligned}
\frac{dV_1(t)}{dt} &= 2c_{op} - (2\lambda(t) + \lambda_d)\,V_1(t) + 2\lambda(t)\,V_2(t) + \lambda_d V_7(t) \\
\frac{dV_2(t)}{dt} &= 2c_{op} + c_{rm}\mu + \mu V_1(t) - (2\lambda(t) + \mu + \lambda_d)\,V_2(t) + 2\lambda(t)\,V_3(t) + \lambda_d V_8(t) \\
\frac{dV_3(t)}{dt} &= 2c_{op} + 2c_{rm}\mu + c_p\lambda_d + 2\mu V_2(t) - (2\lambda(t) + 2\mu + \lambda_d)\,V_3(t) + 2\lambda(t)\,V_4(t) + \lambda_d V_9(t) \\
\frac{dV_4(t)}{dt} &= 2c_{op} + 3c_{rm}\mu + 2c_p\lambda(t) + 3\mu V_3(t) - (2\lambda(t) + 3\mu + \lambda_d)\,V_4(t) + 2\lambda(t)\,V_5(t) + \lambda_d V_{10}(t) \\
\frac{dV_5(t)}{dt} &= c_{op} + 4c_{rm}\mu + 4\mu V_4(t) - (\lambda(t) + 4\mu + \lambda_d)\,V_5(t) + \lambda(t)\,V_6(t) + \lambda_d V_{11}(t) \\
\frac{dV_6(t)}{dt} &= 5c_{rm}\mu + 5\mu V_5(t) - (5\mu + \lambda_d)\,V_6(t) + \lambda_d V_{12}(t) \\
\frac{dV_7(t)}{dt} &= 4c_{op} + \lambda_N V_1(t) - (4\lambda(t) + \lambda_N)\,V_7(t) + 4\lambda(t)\,V_8(t) \\
\frac{dV_8(t)}{dt} &= 4c_{op} + c_{rm}\mu + 4c_p\lambda(t) + \lambda_N V_2(t) + \mu V_7(t) - (4\lambda(t) + \mu + \lambda_N)\,V_8(t) + 4\lambda(t)\,V_9(t) \\
\frac{dV_9(t)}{dt} &= 3c_{op} + 2c_{rm}\mu + \lambda_N V_3(t) + 2\mu V_8(t) - (3\lambda(t) + 2\mu + \lambda_N)\,V_9(t) + 3\lambda(t)\,V_{10}(t) \\
\frac{dV_{10}(t)}{dt} &= 2c_{op} + 3c_{rm}\mu + \lambda_N V_4(t) + 3\mu V_9(t) - (2\lambda(t) + 3\mu + \lambda_N)\,V_{10}(t) + 2\lambda(t)\,V_{11}(t) \\
\frac{dV_{11}(t)}{dt} &= 4c_{rm}\mu + \lambda_N V_5(t) + 4\mu V_{10}(t) - (\lambda(t) + 4\mu + \lambda_N)\,V_{11}(t) + \lambda(t)\,V_{12}(t) \\
\frac{dV_{12}(t)}{dt} &= 5c_{rm}\mu + \lambda_N V_6(t) + 5\mu V_{11}(t) - (5\mu + \lambda_N)\,V_{12}(t)
\end{aligned} \qquad (4)
$$

4 CALCULATION RESULTS

Figure 2 shows the expected Reliability Associated Cost for $T = 10$ years as a function of the Maintenance Contract Level.

[Figure 2. The expected Reliability Associated Cost vs Maintenance Contract Level. (x-axis: Maintenance Contract Level, 2 to 10; y-axis: Reliability Associated Cost ($), ×10^4)]

The system is solved under the initial conditions $V_i(0) = 0$, $i = 1, 2, \ldots, 12$ using MATLAB®, the language of technical computing.

5 CONCLUSIONS

The case study for the estimation of the expected reliability associated cost accumulated during the system lifetime is considered for an aging system under minimal repair. The approach is based on the application of a special Markov reward model, well formalized and suitable for practical application in reliability engineering. The optimal corrective maintenance contract ($m = 7$), which provides the minimal expected reliability associated cost ($14574), was found.

REFERENCES

Almeida de, A.T. 2001. Multicriteria Decision Making on Maintenance: Spares and Contract Planning. European Journal of Operational Research 129: 235–241.
Barlow, R.E. & Proshan, F. 1975. Statistical Theory of Reliability and Life Testing. Holt, Rinehart and Winston: New York.
Finkelstein, M.S. 2002. On the shape of the mean residual lifetime function. Applied Stochastic Models in Business and Industry 18: 135–146.
Gertsbakh, I. 2000. Reliability Theory with Applications to Preventive Maintenance. Springer-Verlag: Berlin.
Howard, R. 1960. Dynamic Programming and Markov Processes. MIT Press: Cambridge, Massachusetts.
Lisnianski, A. 2007. The Markov Reward Model for a Multi-State System Reliability Assessment with Variable Demand. Quality Technology & Quantitative Management 4(2): 265–278.
Lisnianski, A., Frenkel, I., Khvatskin, L. & Ding Yi. 2007. Markov Reward Model for Multi-State System Reliability Assessment. In F. Vonta, M. Nikulin, N. Limnios, C. Huber-Carol (eds), Statistical Models and Methods for Biomedical and Technical Systems. Birkhaüser: Boston, 153–168.
Lisnianski, A., Frenkel, I., Khvatskin, L. & Ding Yi. 2008. Maintenance contract assessment for aging system. Quality and Reliability Engineering International, in press.
Lisnianski, A. & Levitin, G. 2003. Multi-state System Reliability. Assessment, Optimization and Applications. World Scientific: NJ, London, Singapore.
Meeker, W. & Escobar, L. 1998. Statistical Methods for Reliability Data. Wiley: New York.
Murthy, D.N.P. & Asgharizadeh, E. 1999. Optimal Decision Making in a Maintenance Service Operation. European Journal of Operational Research 116: 259–273.
Wang, H. 2002. A survey of Maintenance Policies of Deteriorating Systems. European Journal of Operational Research 139: 469–489.
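The Markov reward model of sections 2.2 and 3 can be reproduced without MATLAB. The following Python program is an added example, not the authors' code: it builds the transition intensity matrix (3) and the reward matrix from the paper's numbers and integrates system (4) with the backward Euler method, which remains stable for the stiff repair and demand-switching rates (hundreds to thousands of events per year). The page does not give λ_N (the peak-to-regular demand rate), so the example assumes λ_N = 1/t_d with t_d = 9 hours, and it takes the time unit to be years; the contract it reports as cheapest is therefore only illustrative and is not the paper's $14574 result.

```python
"""Markov reward model of the aging air-conditioning system (added example,
not the authors' MATLAB code).  lambda_N and the time unit (years) are
assumptions; everything else is taken from Table 1 and equations (3)-(4)."""
import math

C_OP = 72.0                      # operating cost per on-line unit, $/year
C_P = 500.0                      # penalty per system failure, $
LAMBDA_D = 584.0                 # regular -> peak demand rate, 1/year
LAMBDA_N_ASSUMED = 24.0 * 365.0 / 9.0   # ASSUMPTION: 1/t_d, t_d = 9 h, in 1/year

# Table 1: contract level m -> (MTTR in days, repair cost c_rm in $ per repair)
CONTRACTS = {1: (3.36, 36), 2: (1.83, 40), 3: (1.22, 46), 4: (0.91, 52),
             5: (0.73, 58), 6: (0.61, 66), 7: (0.52, 74), 8: (0.46, 84),
             9: (0.41, 94), 10: (0.37, 106)}


def failure_rate(t):
    """Aging failure rate lambda(t) = 3 t^0.5021 of one unit (t in years)."""
    return 3.0 * t ** 0.5021


def generator(t, mu, lam_n=LAMBDA_N_ASSUMED, lam_d=LAMBDA_D, lam=failure_rate):
    """Transition-intensity matrix (3).  Index k (0..5) = k failed units under
    regular demand (states 1-6); index 6+k = the same under peak demand."""
    l = lam(t)
    a = [[0.0] * 12 for _ in range(12)]
    for k, rate in enumerate([2 * l, 2 * l, 2 * l, 2 * l, l]):
        a[k][k + 1] = rate                    # failure, regular demand block
    for k, rate in enumerate([4 * l, 4 * l, 3 * l, 2 * l, l]):
        a[6 + k][7 + k] = rate                # failure, peak demand block
    for k in range(1, 6):                     # minimal repair of k failed units
        a[k][k - 1] = k * mu
        a[6 + k][5 + k] = k * mu
    for k in range(6):                        # demand level switching
        a[k][6 + k] = lam_d
        a[6 + k][k] = lam_n
    for i in range(12):                       # diagonal: each row sums to zero
        a[i][i] = -sum(a[i][j] for j in range(12) if j != i)
    return a


def rewards(crm, c_op=C_OP, c_p=C_P):
    """Reward matrix: r_ii = operating cost rate, r_{i,i-1} = repair cost,
    and the penalty c_p on the three transitions that fail the system."""
    r = [[0.0] * 12 for _ in range(12)]
    for i, units in enumerate([2, 2, 2, 2, 1, 0, 4, 4, 3, 2, 0, 0]):
        r[i][i] = units * c_op
    for k in range(1, 6):
        r[k][k - 1] = crm
        r[6 + k][5 + k] = crm
    r[2][8] = c_p     # state 3 -> 9: demand rises to 4 with only 3 units left
    r[3][4] = c_p     # state 4 -> 5: third failure under regular demand
    r[7][8] = c_p     # state 8 -> 9: second failure under peak demand
    return r


def solve(m, b):
    """Gaussian elimination with partial pivoting (dense 12x12 system)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(m)]
    for c in range(n):
        p = max(range(c, n), key=lambda i: abs(m[i][c]))
        m[c], m[p] = m[p], m[c]
        for i in range(c + 1, n):
            f = m[i][c] / m[c][c]
            for j in range(c, n + 1):
                m[i][j] -= f * m[c][j]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def expected_reward(T, mttr_days, crm, steps=1000, **rates):
    """V_i(T) for every initial state i, from V_i(0) = 0, by backward Euler on
    dV/dt = b(t) + a(t) V,  b_i = r_ii + sum_{j != i} a_ij r_ij  (system (4))."""
    mu = 365.0 / mttr_days                    # repair rate, 1/year
    r = rewards(crm)
    v = [0.0] * 12
    dt = T / steps
    for s in range(1, steps + 1):
        a = generator(s * dt, mu, **rates)
        b = [r[i][i] + sum(a[i][j] * r[i][j] for j in range(12) if j != i)
             for i in range(12)]
        lhs = [[(1.0 if i == j else 0.0) - dt * a[i][j] for j in range(12)]
               for i in range(12)]
        v = solve(lhs, [v[i] + dt * b[i] for i in range(12)])
    return v


def cheapest_contract(T=10.0):
    """Contract level with the smallest expected cost over T years from state 1."""
    costs = {m: expected_reward(T, *CONTRACTS[m])[0] for m in CONTRACTS}
    return min(costs, key=costs.get), costs


if __name__ == "__main__":
    best, costs = cheapest_contract()
    for level in sorted(costs):
        print(f"contract {level:2d}: expected cost ${costs[level]:,.0f}")
    print("cheapest contract under the assumed lambda_N:", best)
```

The expected reward from state 1, `expected_reward(T, mttr, crm)[0]`, is the reliability associated cost of one contract; `cheapest_contract` scans Table 1. With all rates set to zero the solver can be checked against hand arithmetic: state 1 then accumulates exactly 2c_op per year, and the difference between states 2 and 1 converges to one repair cost c_rm.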
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
R. Briš
Technical University of Ostrava, Czech Republic
ABSTRACT: The paper presents a new analytical algorithm which is able to carry out exact reliability quantification of highly reliable systems with maintenance (both preventive and corrective). A directed acyclic graph is used as the system representation. The algorithm allows taking into account highly reliable and maintained input components. A new model of a repairable component subject to hidden failures, i.e. a model where a failure is identified only at special deterministically assigned times, is analytically deduced within the paper. All considered models are implemented in the new algorithm. The algorithm is based on a special new procedure which permits only summation of two or more non-negative numbers that can be very different in magnitude. If the summation of very small positive numbers transformed into the machine representation is performed effectively, no error is committed in the operation. Reliability quantification is demonstrated on a real system from practice.
2.2 Input component models

In the first phase of development we will suppose an exponential distribution for the time to failure, possibly also for the time to restoration. Under this condition we can describe all frequently used models with both preventive and corrective maintenance by the three following models:
• Model with elements (terminal nodes in AG) that cannot be repaired
• Model with repairable elements (CM, Corrective Maintenance) for apparent failures, i.e. a model where a possible failure is identified at its occurrence and immediately afterwards a process leading to its restoration starts.
• Model with repairable elements with hidden failures, i.e. a model where a failure is identified only at special deterministically assigned times, appearing with a given period (moments of periodical inspections). If a failure is found at these times, an analogous restoration process starts, as in the previous case.

An analytically accurate computation of the time dependence of the (un)availability coefficient was sufficiently explained and derived for the first two situations in Bris & Drabek (2007). Recall that in the first case, the element that cannot be repaired, the final course of the unavailability coefficient is given by the distribution function of the time to failure of the element:

$$ P(t) = 1 - e^{-\lambda t}, $$

where $\lambda$ is the failure rate.
In the second case a relation can be derived on the basis of the Laplace transform for a similar coefficient

2.3 Derivation of an unavailability coefficient for a model with repairable elements and occurrence of hidden failures

With the same notation of failure and repair rates as given above, the unavailability coefficient can be described by the following function:

$$ P(\tau) = (1 - P_C)\,(1 - e^{-\lambda\tau}) + P_C\left[1 + \frac{\mu}{\mu - \lambda}\left(e^{-\mu\tau} - e^{-\lambda\tau}\right)\right], \quad \tau > 0, \qquad (2) $$

where $\tau$ is the time which has passed since the last planned inspection, and $P_C$ is the probability of a non-functional state of an element at the moment of inspection at the beginning of the interval to the next inspection.

Proof. Let $T_P$ be the assigned period of inspections or examinations of the functional state of an element. Let us further denote
$P_A(t)$ ... the probability that an element is at time $t$ in the correct functional state,
$P_B(t)$ ... the probability that an element is at time $t$ in a failure state,
$P_C(t)$ ... the probability that an element is at time $t$ in a repair state.
In the first interval, when $t \in \langle 0, T_P)$, the situation is qualitatively equivalent to an element that cannot be repaired. In the interval between two inspections the situation is however different. As soon as the given element is found failed, it converts into the state of repair. If we set a time variable $\tau$ as the time which has passed since the moment of the last inspection, this situation can be written as

$$ P_B(\tau = 0) = 0 $$
In the course of time between two consecutive inspections it holds:

$$
\begin{aligned}
P_A(\tau) - P_A(\tau)\,\lambda\,d\tau + P_C(\tau)\,\mu\,d\tau &= P_A(\tau + d\tau) \\
P_B(\tau) + P_A(\tau)\,\lambda\,d\tau &= P_B(\tau + d\tau) \\
P_C(\tau) - P_C(\tau)\,\mu\,d\tau &= P_C(\tau + d\tau)
\end{aligned}
$$

After elementary modification the following set of differential equations is obtained, with the known initial conditions as above:

$$
\begin{aligned}
P_A'(\tau) + \lambda\,P_A(\tau) - \mu\,P_C(\tau) &= 0 \\
P_B'(\tau) - \lambda\,P_A(\tau) &= 0 \\
P_C'(\tau) + \mu\,P_C(\tau) &= 0
\end{aligned}
$$

The solution of this set is:

$$
\begin{aligned}
P_A(\tau) &= \left(P_A + \frac{P_C\,\mu}{\mu - \lambda}\right) e^{-\lambda\tau} - \frac{P_C\,\mu}{\mu - \lambda}\, e^{-\mu\tau} \\
P_B(\tau) &= \frac{P_C\,\lambda}{\mu - \lambda}\, e^{-\mu\tau} - \left(P_A + \frac{P_C\,\mu}{\mu - \lambda}\right) e^{-\lambda\tau} + P_A + P_C \\
P_C(\tau) &= P_C\, e^{-\mu\tau}
\end{aligned}
$$

Then the probability that an element is not in the state of correct function inside the interval at the time $\tau$ will be:

$$
\begin{aligned}
P(\tau) &= P_B(\tau) + P_C(\tau) \\
&= P_A + P_C + \frac{P_C\,\lambda}{\mu - \lambda}\, e^{-\mu\tau} - \left(P_A + \frac{P_C\,\mu}{\mu - \lambda}\right) e^{-\lambda\tau} + P_C\, e^{-\mu\tau} \\
&= (1 - P_C)\,(1 - e^{-\lambda\tau}) + P_C\left[1 + \frac{\mu}{\mu - \lambda}\left(e^{-\mu\tau} - e^{-\lambda\tau}\right)\right]
\end{aligned}
$$

Thus the relationship (2) is proved.

Note:
1. For the purposes of an effective computer numerical expression (see further) the expression in the brackets can be converted into the form:

$$ 1 + \frac{\mu}{\mu - \lambda}\left(e^{-\mu\tau} - e^{-\lambda\tau}\right) = 1 - \frac{\mu}{\mu - \lambda}\, e^{-\lambda\tau}\left(1 - e^{-(\mu - \lambda)\tau}\right), \quad \tau > 0 $$

2. In other hypotheses we will need this expression to be always positive, which is also easy to prove.

3 THE NEW ALGORITHM

3.1 Probabilities of functional and non-functional state

It is evident that the probabilities of a functional state $p$ and a non-functional state $q$ comply with the relation

$$ p + q = 1. $$

Taking into consideration the finite accuracy of real numbers in a computer, it matters which one of $p$ or $q$ we compute. If we want to fully use the machine accuracy, we have to compute the smaller one of the two probabilities.
Example 1.1 If we computed hypothetically on a computer with three-digit decimal numbers, then for the value $q = 0.00143$ we would have, instead of the correct value $p = 0.99857$, only $p = 0.999$. In return, for $q = 1 - p$ we would get $q = 1 - p = 0.00100$. It is apparent that a great loss of accuracy occurs if we compute $p$ instead of $q$.
Seeing that the probability of a non-functional state of a highly reliable system is very small, we have to concentrate on the numerical expression of these probabilities. For these purposes it is necessary to reorganize the computer calculation and set certain rules which do not influence the accuracy of the computation during the numerical process.

3.2 Problems with computer subtraction of two near real numbers

The probability of non-functioning of the simplest possible element (a model with elements that cannot be repaired) is given by the relation

$$ P(t) = 1 - e^{-\lambda t}, $$

which was introduced as the unavailability coefficient; $\lambda$ is the failure rate. Similarly, for other models of system elements the computation of the expression

$$ 1 - e^{-x}, \quad x \ge 0 \qquad (3) $$

is the crucial moment in the numerical expression of the probability of a non-function (unavailability coefficient). For values $x \ll 1$, i.e. near 0, direct numerical evaluation of the formula as written would lead to great errors! Subtraction of two near numbers brings a considerable loss of accuracy. On a personal computer
the smallest number $\varepsilon$ for which it is numerically evident that

$$ 1 + \varepsilon = 1 $$

is approximately $10^{-18}$. If $x \approx 10^{-25}$, the real value of expression (3) will be near $10^{-25}$. A direct numerical calculation of the expression gives zero! As the algorithm was created in the Matlab programming environment, the Matlab function "expm1", which evaluates expression (3) accurately, was used for the needs of this paper.

3.3 The numerical substance of the probability of a non-functional state of a node

The probability of a non-functional state of a node of an AG, for which the individual input edges are independent, is in fact given by going over all possible combinations of probabilities of the input edges. For 20 input edges we have regularly a million combinations. One partial contribution to the probability of a non-functional state of the node in Figure 1 has the form:

$$ q_1 \cdot q_2 \cdots q_{i-1} \cdot p_i \cdot q_{i+1} \cdots q_{j-1} \cdot p_j \cdot q_{j+1} \cdots q_{20}, $$

where the number of occurring probabilities $p$ (here the number equals 2) cannot reach "m". The probability of a non-functional state of the node is generally given by a sum of a large quantity of very small numbers. These numbers are generally very different!
If the sum is carried out so that the addition runs in order from the biggest to the smallest ones, a loss certainly stems from rounding off, more than if the addition runs in order from the smallest ones to the biggest values. And even in this second case it is not possible to determine effectively how much accuracy "has been lost".
Note: In the case of dependence of the input edges (terminal nodes) we cannot express the behaviour of an individual node numerically. It is necessary to work with the whole relevant sub-graph. The combinatorial character of the quantification will nevertheless stay unchanged.

3.4 The error-free sum of different non-negative numbers

The first step to the solution of this problem is to find a method for the "accurate" sum of many non-negative numbers.
The arithmetic unit of a computer (PC) works in binary. A positive real number of today's PC contains 53 valid binary digits, see Figure 2. The possible order ranges from approximately −1000 to 1000. The line indicated as "order" means the order of a binary digit.
The algorithm for the "accurate" quantification of sums of many non-negative numbers consists of a few steps:
1. The whole possible machine range of binary positions (bits) is partitioned into segments of 32 positions of orders, according to the scheme in Figure 3. The number of these segments will be approximately $2000 / 32 \cong 63$.
2. The total sum is stored as one real number composed of 32-bit segments. Each of these segments has an additional 21 bits used as carry.
3. First, a given non-zero number of the sum to be added is decomposed according to the fixed borders assigned before (step 1) into at most three parts, each containing at most 32 binary digits of the number, according to the scheme in Figure 4. The individual segments are indexed by the numbers 1–63.
4. Then the individual parts of this decomposed number are added to the corresponding members of the sum number, as in Figure 5.
5. Always after the processing of $2^{20}$ numbers (the limit is chosen so that it cannot lead to overflow of the sum number under any circumstances)

[Figure 2. A double-precision number: 53 binary places, orders from 1000 down to −1000 (figure residue; caption not recovered).]
[Figure 1. One node of an acyclic graph with 20 edges.]
[Figure 3. Segments composed from 32 binary positions (orders 32, 31, ..., 1, 0, −1, −2, ..., −32, −33, −34).]
[Figure 4. Decomposition of a given non-zero number (residue: one 32-bit segment, end of the first non-zero segment).]

3.5 Permissible context of the usage not leading to the loss of accuracy

The probability of a non-functional state of a repairable element (see section 2.3, the model with repairable elements and occurrence of hidden failures) is given by formula (2), which can be adapted to

having the value of $2^{-75}$ we obtain the value of $2^{-20}$. If we apply the new algorithm, we obtain an error-free sum which equals:

[Figure 10. Dependence of unavailability on time (in hours) for the Component 1.]
The process has been numerically realized within the Matlab programming environment.
Numerical expression of the probabilities of a non-functional state of one node of an AG has a combinatorial character. We have to go over all combinations of input edge behaviour leading to a non-functional state of the node. The astronomic increase of combinations with the increasing number of elements means that the program is usable only up to a certain size of system. Already at moderate exceeding of the critical system size the machine time increases enormously. All computations above run below 1 s, on a Pentium(R) 4 CPU 3.40 GHz, 2.00 GB RAM.
The model with repairable elements with hidden failures, i.e. a model where a failure is identified only at special deterministically assigned times, has been analytically derived within the paper. The final formula meets the requirement of permissible context which is required in the presented algorithm.
The algorithm enables exact unavailability analysis of real maintained systems with both preventive and corrective maintenance.

6 ACKNOWLEDGEMENT

This work is supported partly by The Ministry of Education, Youth and Sports of the Czech Republic, project CEZ MSM6198910007, and partly by The Ministry of Industry and Trade of the Czech Republic, project FT-TA4/036.

REFERENCES

Marseguerra, M. & Zio, E. 2001. Principles of Monte Carlo simulation for application to reliability and availability analysis. In: Zio E, Demichela M, Piccinini N, editors. Safety and reliability towards a safer world, Torino, Italy, September 16–20, 2001. Tutorial notes. pp. 37–62.
Tanaka, T., Kumamoto, H. & Inoue, K. 1989. Evaluation of a dynamic reliability problem based on order of component failure. IEEE Trans Reliab 1989;38:573–6.
Baca, A. 1993. Examples of Monte Carlo methods in reliability estimation based on reduction of prior information. IEEE Trans Reliab 1993;42(4):645–9.
Briš, R. 2008. Parallel simulation algorithm for maintenance optimization based on directed Acyclic Graph. Reliab Eng Syst Saf 2008;93:852–62.
Choi, J.S. & Cho, N.Z. 2007. A practical method for accurate quantification of large fault trees. Reliab Eng Syst Saf 2007;92:971–82.
Briš, R. 2007. Stochastic Ageing Models—Extensions of the Classic Renewal Theory. In Proc. of First Summer Safety and Reliability Seminars 2007, 22–29 July, Sopot: 29–38, ISBN 978-83-925436-0-2.
Briš, R. & Drábek, V. 2007. Mathematical Modeling of both Monitored and Dormant Failures. In Lisa Bartlett (ed.), Proc. of the 17th Advances in Risk and Reliability Technology Symposium AR2TS, Loughborough University: 376–393.
Dutuit, Y. & Chatelet, E. 1997. TEST CASE No. 1, Periodically tested parallel system. Test-case activity of European Safety and Reliability Association. ISdF-ESRA 1997. In: Workshop within the European conference on safety and reliability, ESREL 1997, Lisbon, 1997.
P.A.A. Garcia
Universidade Federal Fluminense—Departamento de Administração, Volta Redonda—RJ, Brasil
Fundação Gorceix—Petrobras (CENPES), Rio de Janeiro, Brasil
M.C. Sant’Ana
Agência Nacional de Saúde, Rio de Janeiro, Brasil
V.C. Damaso
Centro Tecnológico do Exército, Rio de Janeiro, Brasil
ABSTRACT: Reliability analyses of repairable systems are currently modelled through point stochastic processes, which intend to establish survivor measures in a failure x repair scenario. However, these approaches do not always represent the real life-cycle of repairable systems. In order to have a better and more coherent modelling of reality, one has the Generalized Renewal Process (GRP). With this approach, reliability is modelled considering the effect of a non-perfect maintenance process, which uses a better-than-old-but-worse-than-new repair assumption. Considering the GRP approach, this paper presents an availability modelling for operational systems and discusses an optimisation approach based on a simple genetic algorithm (GA). Finally, a case is presented and the obtained results demonstrate the efficacy of combining GRP and GA in this kind of problem.
negligible compared with the mean time between failures (MTBF), point processes are used as probabilistic models of the failure processes. The commonly adopted point processes in PSA are as follows: (i) homogeneous Poisson process (HPP), (ii) ordinary renewal processes (ORP) and (iii) non-homogeneous Poisson process (NHPP). However, these approaches do not represent the real life-cycle of a repairable system (Modarres, 2006). Rather, they have some assumptions that conflict with reality. In HPP and ORP, the device, after a repair, returns to an as-good-as-new condition, and in a NHPP the device, after a repair, returns to an as-bad-as-old condition.
Kijima & Sumita (1986) introduced the concept of the generalized renewal process (GRP) to generalize the three point processes previously mentioned. With this approach, reliability is modeled considering the effect of a non-perfect maintenance process, which uses a better-than-old-but-worse-than-new repair assumption. Basically, GRP addresses the repair assumption by introducing the concept of virtual age, which defines a parameter $q$ that represents the effectiveness of repair.

[Figure 1. Visualization of virtual age (Adapted from Jakopino, 2005). Axes: Real Age ($t_1, t_2, \ldots, t_n$) against Virtual Age ($V_1, V_2, \ldots, V_n$).]

2.1 Generalized renewal process

As mentioned, the probabilistic modeling to be considered in this work to approach repair actions, especially imperfect repairs, is the generalized renewal process (GRP). Nevertheless, for a complete understanding of GRP, it is necessary to define the concept of virtual age ($V_n$).
The $V_n$ corresponds to the calculated age of a particular piece of equipment after the $n$-th repair action. Kijima & Sumita (1986) proposed two ways of modeling this virtual age. The first one, commonly named type I, consists basically of the assumption that a repair action acts just on the time step just before. With this assumption, the virtual age of a component increases proportionally to the time between failures:

$$ V_i = V_{i-1} + q\,Y_i \qquad (1) $$

where $V_i$ is the virtual age immediately after the $i$-th repair action, and $Y_i$ is the time between the $(i-1)$-th and $i$-th failures.
The type II model considers that the repair can restore the system considering the elapsed time since the beginning of its life. In this model, the virtual age increases proportionally to the total time:

$$ V_i = q\,(Y_i + V_{i-1}) \qquad (2) $$

$q$ can be defined as a rejuvenation parameter in both models. According to this modeling, assuming a value of $q = 0$ leads to an RP (as good as new), whereas the assumption of $q = 1$ leads to an NHPP (as bad as old). The values of $q$ that fall in the interval $0 < q < 1$ represent the after-repair state in which the condition of the system is "better than old but worse than new".
On the basis of this proposition of virtual age, Kijima et al. (1988) proposed the following approach to calculate the conditional probability of failure:

$$ F(T \mid V_n = y) = \frac{F(T + y) - F(y)}{1 - F(y)} \qquad (3) $$

where $F$ is the cumulative distribution function. Considering (without loss of generality) that the time between failures is modeled by a Weibull distribution, it follows that

$$ F(t_i, \alpha, \beta, q) = 1 - \exp\left[\left(\frac{q \sum_{j=1}^{i-1} t_j}{\alpha}\right)^{\beta} - \left(\frac{t_i + q \sum_{j=1}^{i-1} t_j}{\alpha}\right)^{\beta}\right] \qquad (4) $$

3 AVAILABILITY MODELING OF REPAIRABLE SYSTEMS

A preventive maintenance policy has an important role in enhancing the system availability of any power plant. Nevertheless, scheduling planning for preventive maintenance actions must consider aging characteristics.
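Equations (1) to (4) as an added Python example (not the authors' code): both Kijima virtual-age updates, the general conditional probability (3) and its Weibull closed form (4). The failure history and the Weibull and GRP parameters in it are constructed values.

```python
"""Kijima virtual age and the conditional failure probability (added example,
not the authors' code).  History and parameters below are constructed."""
import math


def virtual_ages(inter_failure_times, q, kind="I", v0=0.0):
    """Virtual age after each repair for Kijima type I (eq. 1) or type II
    (eq. 2), starting from an initial virtual age v0."""
    ages, v = [], v0
    for y in inter_failure_times:
        if kind == "I":
            v = v + q * y          # repair undoes a share of the last cycle only
        elif kind == "II":
            v = q * (y + v)        # repair undoes a share of the whole age
        else:
            raise ValueError("kind must be 'I' or 'II'")
        ages.append(v)
    return ages


def weibull_cdf(t, alpha, beta):
    """Two-parameter Weibull CDF with scale alpha and shape beta."""
    return 1.0 - math.exp(-((t / alpha) ** beta))


def conditional_failure_prob(T, y, alpha, beta):
    """Eq. (3): P(next failure within T | virtual age y), for the Weibull CDF."""
    f_y = weibull_cdf(y, alpha, beta)
    return (weibull_cdf(T + y, alpha, beta) - f_y) / (1.0 - f_y)


def weibull_grp_cdf(i, inter_failure_times, alpha, beta, q):
    """Eq. (4): closed form of (3) for Weibull with the type-I virtual age
    y = q * (sum of the previous i-1 inter-failure times)."""
    t_i = inter_failure_times[i - 1]
    y = q * sum(inter_failure_times[: i - 1])
    return 1.0 - math.exp((y / alpha) ** beta - ((t_i + y) / alpha) ** beta)


if __name__ == "__main__":
    history = [120.0, 95.0, 80.0, 60.0]    # constructed inter-failure times (days)
    alpha, beta, q = 150.0, 1.8, 0.4       # constructed Weibull and GRP parameters
    print("type I  virtual ages:", virtual_ages(history, q, "I"))
    print("type II virtual ages:", virtual_ages(history, q, "II"))
    for i in range(1, len(history) + 1):
        print(f"F(t_{i}) = {weibull_grp_cdf(i, history, alpha, beta, q):.4f}")
```

With q = 0 the virtual age stays zero and (4) collapses to the plain Weibull CDF (renewal process); with q = 1 it is the NHPP conditional probability; for any q, (4) and (3) evaluated at the type-I virtual age agree.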
The higher the degradation, the shorter the time between maintenance stops. In turn, to model system availability under this condition, the following assumptions were made:
• After each maintenance task, the component will not go back to an as-good-as-new condition;
• There is a probability of failure during the time between maintenances, leading to a corrective action and influencing the device unavailability;
• When a component is selected to be maintained, all the components associated with it will be unavailable too;
• Time between maintenances is not necessarily constant.

Based on these assumptions, a modeling approach to calculate the component availability considering a maintenance policy is presented. Consider $R(t)$ as the component reliability and $A(t)$ as its availability, and consider, without loss of generality, that the failure process can be modeled by a Power Law process and the time between failures by a Weibull distribution. Thus $A_{t_1}(t)$, the availability concerning a preventive maintenance scheduling, is given by

$$
A_{t_1}(t) = \begin{cases}
R(t \mid V_0)\, e^{-\mu t}\left[\mu \int_{t_0}^{t} e^{\mu t'}\, R^{-1}(t' \mid V_0)\, dt' + 1\right], & t_0 \le t < t_1 \\
0, & t_1 \le t < t_1 + \Delta_{man}
\end{cases} \qquad (5)
$$

where $A_{t_1}(t)$ is the availability for $t_0 \le t \le t_1$, $t_0$ is the initial time and $t_1$ is the time to the first maintenance stop; $V_0$ is the virtual age of the component at the beginning of the simulation. This parameter is quite important, because in aging characterization the component is not new but has a certain level of aging.
For the other maintenance steps, the modeling is as follows:

$$
A_{t_i}(t) = R(t \mid V_{i-1})\, e^{-\mu\left(t - (t_{i-1} + \Delta_{rep})\right)}\left[\mu \int_{t_{i-1} + \Delta_{rep}}^{t} e^{\mu\left(t' - (t_{i-1} + \Delta_{rep})\right)}\, R^{-1}(t' \mid V_{i-1})\, dt' + 1\right]
$$

where $A_{t_i}(t)$ is the availability between the $(i-1)$-th and $i$-th maintenance stops, $R(t \mid V_{i-1}) = 1 - F(t \mid V_{i-1})$, and $F(t \mid V_{i-1})$ is computed as in equation 4. $\Delta_{man}$ is the maintenance time. Notice that if $t_i + \Delta_{man}$ is higher than the mission time, this figure is replaced by $T_{miss}$, which is the mission time under evaluation.
Considering this modeling approach, the mean availability is

$$ A^{*} = \frac{1}{T_{miss}} \sum_{i=0}^{n} \int_{t_{i-1} + \Delta_{man}}^{t_i} A(t)\, dt \qquad (7) $$

4 MAINTENANCE DISTRIBUTION AND GENETIC MODELING

The genetic algorithm is used to indicate the preventive maintenance scheduling for each component, in order to optimize the system availability along the mission period. The instants selected by the GA for the maintenance accomplishment on a certain component should follow a distribution pattern. For instance, it is reasonable to suppose that the interval between maintenances is reduced as the system ages.
This assumption induces the choice of a modeling that looks for solutions to the preventive maintenance planning with some ordering in that distribution (Damaso, 2006). The benefit of such an approach is to limit the universe of solutions to be considered, eliminating those that do not have practical sense. Thus the search process gains in terms of efficiency and computational time.
In this work, a proportional distribution was adopted, where the intervals between preventive maintenances follow a geometric progression (GP).
The first interval, $\Delta T_1$, starts at the operation beginning, $t = 0$, and goes until the final instant of the first intervention, $T_1$:

$$ \Delta T_1 = T_1 - 0 = T_1. \qquad (8) $$

The subsequent intervals are given as

$$ \Delta T_{i+1} = \beta \cdot \Delta T_i, \quad 0 < \beta \le 1, \qquad (9) $$

where $i = 1, 2, \ldots, n$, $\Delta T_i$ is the $i$-th time interval and $\beta$ is the proportionality factor (common ratio of the GP). A unitary value of $\beta$ means that the inter-

$$ \Delta T_{n+1} = T_f - T_n. \qquad (10) $$

Considering that $n$ interventions are foreseen during the component operation time, the expression for the
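Equations (5) and (7) to (10) put together, as an added Python example that is not the authors' code: the geometric schedule of maintenance instants, the closed-form availability on each operating interval with its integral evaluated by the trapezoid rule, and the mean availability A* with the maintenance downtime Δ_man counted as zero availability. Beyond what the page states, the example assumes a Weibull reliability conditioned on virtual age in the form of equation (4), a Kijima type-I update of the virtual age at each stop, and constructed numerical values.

```python
"""Availability under a geometric preventive-maintenance schedule (added
example, not the authors' code).  ASSUMPTIONS beyond the page: Weibull
reliability conditioned on virtual age (eq. 4 form), a type-I virtual-age
update at each stop, and the constructed numbers in __main__."""
import math


def gp_schedule(t1, beta, n):
    """Eqs. (8)-(9): the n maintenance instants T_i whose intervals
    dT_{i+1} = beta * dT_i shrink geometrically from dT_1 = t1."""
    stops, t, dt = [], 0.0, t1
    for _ in range(n):
        t += dt
        stops.append(t)
        dt *= beta
    return stops


def reliability(t, v, alpha, beta_w):
    """R(t|V): survival over t more time units given virtual age V (Weibull)."""
    return math.exp((v / alpha) ** beta_w - ((t + v) / alpha) ** beta_w)


def interval_availability(length, v, mu, alpha, beta_w, steps=2000):
    """Eq. (5) on one operating interval, time measured from its start:
    A(t) = R(t|V) e^{-mu t} [ mu * int_0^t e^{mu s} / R(s|V) ds + 1 ],
    the integral accumulated by the trapezoid rule on a grid of step h.
    Returns the availability values on the grid and h."""
    h = length / steps
    integ, prev = 0.0, 1.0 / reliability(0.0, v, alpha, beta_w)
    a = [1.0]
    for k in range(1, steps + 1):
        t = k * h
        cur = math.exp(mu * t) / reliability(t, v, alpha, beta_w)
        integ += 0.5 * h * (prev + cur)
        prev = cur
        a.append(reliability(t, v, alpha, beta_w) * math.exp(-mu * t)
                 * (mu * integ + 1.0))
    return a, h


def mean_availability(t1, beta, n, t_miss, d_man, mu, alpha, beta_w, q, v0=0.0):
    """Eq. (7): (1/T_miss) * sum over intervals of the integral of A(t);
    the component is unavailable for d_man after each stop, and the last
    interval runs to the mission end (eq. 10)."""
    stops = gp_schedule(t1, beta, n)
    starts = [0.0] + [min(s + d_man, t_miss) for s in stops]
    ends = [min(s, t_miss) for s in stops] + [t_miss]
    v, area = v0, 0.0
    for start, end in zip(starts, ends):
        if end <= start:
            continue
        a, h = interval_availability(end - start, v, mu, alpha, beta_w)
        area += h * (sum(a) - 0.5 * (a[0] + a[-1]))     # trapezoid over A(t)
        v += q * (end - start)     # ASSUMPTION: type-I virtual age update at the stop
    return area / t_miss


if __name__ == "__main__":
    # constructed case: 500-day mission, 4 stops, first one after 150 days
    for beta in (1.0, 0.8, 0.6):
        a_star = mean_availability(150.0, beta, 4, 500.0, d_man=2.0, mu=0.5,
                                   alpha=400.0, beta_w=2.0, q=0.3)
        print(f"beta = {beta:.1f}: mean availability {a_star:.4f}")
```

Two limiting cases make the implementation checkable by hand: with μ = 0 the bracket in (5) is 1 and A(t) reduces to R(t|V); with no failures and no downtime every interval has A ≡ 1 and A* = 1, while a downtime Δ_man per stop removes exactly n·Δ_man from the numerator of (7).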
[System diagram (figure residue): Heat exchanger 1, Motor 1, V-1, Pump 1.]

Table 1. Components parameters modeled by Equations (1) and (2). Columns: Comp., 1/μ (days), β, α (days), q, V_0 (days).
[Figure 3. Availability of the motor 1. (x-axis: Time (days), 0 to 500; y-axis: Availability)]
[Figure: Availability of the motor 2 (caption not recovered).]
[Figure: Availability of the motor 3 (caption not recovered).]
[Figure 6. Availability of the pump 1.]
[Figure 7. Availability of the pump 2.]
[Figure 9. Availability of the valve 1. (x-axis: Time (days), 0 to 500; y-axis: Availability)]
[Figure 10. Availability of the valve 2.]
[Figure: Availability of the valve 3 (caption not recovered).]
[Figure 13. Availability of the heat exchanger 1.]
[Figure 14. Availability of the heat exchanger 2.]

REFERENCES
surveillance requirements. Rel. Eng. Sys. Saf., Vol. 91, pp. 1027–1038.
Martorell, S., Sanchez, A. and Carlos, S. (2007). A tolerance interval based approach to address uncertainty for RAMS+C optimization. Rel. Eng. Sys. Saf., Vol. 92, pp. 408–422.
Modarres, Mohamed (2006). Risk Analysis in Engineering—Techniques, Tools, and Trends. Taylor & Francis, Boca Raton, FL.
Rigdon, S.E. and Basu, A.P. (2000). Statistical Methods for the Reliability of Repairable Systems. John Wiley and Sons, New York.
Rubéns Ruiz, García-Díaz, J. Carlos and Maroto, Conceptión (2007). Considering scheduling and preventive maintenance in flowshop sequencing problems. Computer & Operational Research, Vol. 34, 11, pp. 3314–3330.
Samrout, M., Yalaoui, F., Châtelet, E. and Chebbo, N. (2005). New methods to minimize the preventive maintenance cost of series-parallel systems using ant colony optimization. Rel. Eng. Sys. Saf., Vol. 89, 9, pp. 346–354.
Taboada, Heidi A., Baheranwala, Fatema, Coit, David W. and Wattanapongsakorn, Naruemon (2007). Practical solutions for multi-objective optimization: An application to system reliability design problems. Rel. Eng. Sys. Saf., Vol. 92, pp. 314–322.
APPENDIX I
⋅⋅⋅
00101100 01101011 00110010 10000111 00011110 10011001 00010001 00101001 10010001 00111001 00000010 00110011 00000011 10000100 00010011
Genotype: 11101100 00101100 1101011 10011101 01100100 11011101 00111110 11011100 11101101 1101001 01111110 10101100 1101110 11011101 10111110
Phenotype: n β d n β d n β d n β d n β d ⋅⋅⋅
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
S. Martorell
Dpto. Ingeniería Química y Nuclear, Universidad Politécnica Valencia, Spain
ABSTRACT: Maintenance planning is a subject of concern to many industrial sectors as plant safety and
business depend on it. Traditionally, the maintenance planning is formulated in terms of a multi-objective
optimization (MOP) problem where reliability, availability, maintainability and cost (RAM+C) act as decision
criteria and maintenance strategies (i.e. maintenance tasks intervals) act as the only decision variables. However
the appropriate development of each maintenance strategy depends not only on the maintenance intervals but also
on the resources (human and material) available to implement such strategies. Thus, the effect of the necessary
resources on RAM+C needs to be modeled and accounted for in formulating the MOP affecting the set of
objectives and constraints. In Martorell et al. (2007), new RAM+C models were proposed to address explicitly
the effect of human resources. This paper proposes the extension of the previous models, integrating explicitly
the effect of material resources (spare parts) on RAM+C criteria. This extended model allows accounting
explicitly for how the above decision criteria depend on the basic model parameters representing the type of
strategies, maintenance intervals, durations, human resources and material resources. Finally, an application
case is performed on a motor-driven pump analyzing how the consideration of human and material resources
would affect the decision-making.
[Figure residue (RCM scheme; number and caption not recovered): dominant failure causes (Cause #1, Cause #2, …, Cause #i, driven by degradation mechanisms and working conditions w) are mapped to maintenance strategies (#1, #2, …, #j) that make up the Maintenance Plan; each strategy comprises scheduled and non-scheduled tasks (Task #1, Task #2, …, Task #k) with frequencies fS, fN, durations dS, dN and man-hours HS, HN, and contributes unavailability ur, us while drawing on human resources and critical equipment (technical resources). Other labels shown: Failure, Reliability, Maintainability.]
On the other hand, testing and maintenance tasks affect the component age. In general, one can assume that each testing and maintenance activity improves the age of the component by some degree, depending on its effectiveness, what is often called ''imperfect maintenance'', which is a natural generalization of two extreme situations (Bad As Old (BAO) and Good As New (GAN) models).
There exist several models developed to simulate imperfect maintenance (Martorell et al., 1999b). In this paper, two models that introduce the improvement effect of the maintenance depending on an effectiveness parameter are considered. Both models assume that each maintenance activity reduces the age of the component in view of the rate of occurrence of failures. These models are the Proportional Age Reduction (PAR), represented by

λ = λ0 + (α / (2·f)) · [1 + (1 − ε) · (f · RP − 1)]   (1)

and the Proportional Age Setback (PAS), represented by

λ = λ0 + (α / (2·f)) · ((2 − ε) / ε)   (2)

where RP is the Replacement Period, f is the frequency associated to each testing and maintenance task, and ε its effectiveness in preventing the equipment from developing the particular degradation or failure cause.

2.2 Maintainability models

Maintenance represents all activities performed on equipment in order to assess, maintain or restore its operational capabilities. Maintenance introduces two types of positive aspects: a) corrective maintenance restores the operational capability of the failed or degraded equipment and b) preventive maintenance increases the intrinsic reliability of non-failed equipment beyond the natural reliability.
On the contrary, maintenance also introduces adverse effects, called the downtime effect, which represents the time the equipment is out of service to overcome maintenance (corrective, preventive, repair, overhaul, etc.). Thus, the adverse effect depends on the Maintainability (M) characteristics of the equipment. Maintainability represents the capability of the equipment to be maintained under specified conditions during a given period, which depends not only on the equipment physical characteristics imposing a given number of man-hours (H) to perform an individual maintenance task, but also on the human and

[Figure 3 (timeline of a maintenance task; only its labels survive extraction): Task Launched, delay TD = max{TDH, TDM} (Human Delay TDH, Material Delay TDM), Task Starts, Man-Hours H, Task Ends.]

influence the real downtime (d) for developing this task (see Figure 3).
Therefore, the downtime depends, among other factors, on the delay associated with the availability of human (TDH) and material resources (TDM). Both delay times are assumed equal to 0 (TDH = 0 and TDM = 0) for a scheduled task.
Based on Figure 3, the downtime, d, can be estimated for a maintenance task using the following relationship:

d = F(ST) · (d̄ + TDH) + (1 − F(ST)) · (d̄ + max(TDH; TDM))   (3)

where F(ST) is associated with the cumulative distribution function of a random variable x representing the probability of demand of spare parts, that is,

F(ST) = P(x ≤ ST)   (4)

being ST the inventory associated to a particular spare. Thus, eqn. (4) represents the probability that a given amount of spares x required for performing a given maintenance task are available, so the delay (if any) must be due to the human delay only, see eqn. (3).
On the other hand, in case of spares shortage, which occurs with a probability given by

1 − F(ST) = P(x > ST)   (5)

the delay is given by the maximum value between human and material delay, max(TDH, TDM). In addition, d̄ is the downtime if it is assumed that the delay time is equal to zero, TD = 0, which can be estimated as:

d̄ = H / ((ηP · NP + ηE · NE) · κ[NP + NE])   (6)

being NP and NE the number of own and external personnel involved in this task, respectively. Both own personnel and external workforce have an efficiency associated in performing such task, which is represented by ηP and ηE respectively. Function
κ[.] represents the law of decreasing effectiveness as human resources which is formulated as follows (Ricardo, 1821):

κ[N] = exp(K · (−1 + 1/N))   (7)

where K ranges in the interval [0,1].

2.3 Availability models

Each couple dominant failure cause and maintenance task is associated at least one contribution to the equipment unavailability, which corresponds to one of the following equations (Martorell et al., 2002).

ur = 1 − (1/(λ·I)) · (1 − e^(−λ·I)) ≈ ρ + (1/2)·λ·I   (8)

uS = fS · dS   (9)

2.4 Cost models

Two types of costs are considered: a) costs associated to performing surveillance and maintenance activities, and b) costs related to the management of spare parts inventory. In the following subsections these costs are developed.

2.4.1 Surveillance and maintenance costs

The relevant costs in analyzing test surveillance and maintenance (TS&M) optimization of safety-related equipment include the contributions to the cost model of standby components, which, in general, undertake surveillance testing, preventive maintenance and corrective maintenance to restore their operability after a failure has been discovered during a test (Martorell et al., 2000b, 1996c, 1999). Each couple dominant failure cause and maintenance task is associated one cost contribution to the equipment total LCC (Life-Cycle Cost), which corresponds to one of the following equations in accordance to the unavailability contributions above (Martorell et al., 2001):
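The downtime and unavailability relationships of eqns. (3) to (9) above, as an added worked example (not code from the paper or its authors). The Poisson distribution for the spare demand x, every parameter value and all function names are assumptions made here; eqn. (8) is read as ρ plus the exact between-test term, which reduces to the ρ + λ·I/2 approximation the page quotes.

```python
"""Downtime and unavailability of one maintenance task, after eqns. (3)-(9).

Added worked example: the parameter values are constructed and the Poisson
demand for spares is an assumption (the paper only uses the CDF F(S_T))."""
import math


def kappa(n_people: int, K: float) -> float:
    """Law of decreasing effectiveness of human resources, eqn. (7):
    kappa[N] = exp(K * (-1 + 1/N)); it is 1 for one worker and tends to exp(-K)."""
    if n_people < 1:
        raise ValueError("at least one worker is needed")
    if not 0.0 <= K <= 1.0:
        raise ValueError("K must lie in [0, 1]")
    return math.exp(K * (-1.0 + 1.0 / n_people))


def base_downtime(H, n_own, n_ext, eta_own, eta_ext, K):
    """Downtime with zero delay, eqn. (6):
    d_bar = H / ((eta_P*N_P + eta_E*N_E) * kappa[N_P + N_E])."""
    return H / ((eta_own * n_own + eta_ext * n_ext) * kappa(n_own + n_ext, K))


def poisson_cdf(k: int, mean: float) -> float:
    """F(S_T) = P(x <= S_T), eqn. (4), for a Poisson spare demand (assumption)."""
    return sum(math.exp(-mean) * mean ** i / math.factorial(i) for i in range(k + 1))


def real_downtime(d_bar, stock, demand_mean, t_dh, t_dm, scheduled=False):
    """Real downtime d, eqn. (3):
    d = F(S_T)*(d_bar + T_DH) + (1 - F(S_T))*(d_bar + max(T_DH, T_DM)).
    Scheduled tasks have both delays set to zero, as the text states."""
    if scheduled:
        t_dh = t_dm = 0.0
    f_st = poisson_cdf(stock, demand_mean)
    return f_st * (d_bar + t_dh) + (1.0 - f_st) * (d_bar + max(t_dh, t_dm))


def unavailability_scheduled(freq, downtime):
    """u_S = f_S * d_S, eqn. (9); freq in 1/h and downtime in h give a dimensionless u_S."""
    return freq * downtime


def unavailability_random(rate, interval, rho):
    """u_r of eqn. (8), read as rho plus the exact between-test term
    1 - (1/(lambda*I))*(1 - exp(-lambda*I)); the page quotes the approximation
    rho + lambda*I/2, which this matches within O((lambda*I)^2)."""
    x = rate * interval
    return rho + 1.0 - (1.0 - math.exp(-x)) / x


def corrective_unavailability_vs_stock(stocks, H=8.0, freq=1.0 / 8760.0,
                                       demand_mean=0.5, t_dh=2.0, t_dm=48.0):
    """Unscheduled task (corrective maintenance, one own worker): how the
    spare inventory S_T changes u = f * d through F(S_T) in eqn. (3).
    Constructed values: 8 man-hours, one demand per year, 2 h human delay,
    48 h material delay, half a spare demanded on average per task."""
    d_bar = base_downtime(H, n_own=1, n_ext=0, eta_own=1.0, eta_ext=0.8, K=0.5)
    return [(s, unavailability_scheduled(freq, real_downtime(d_bar, s, demand_mean, t_dh, t_dm)))
            for s in stocks]


if __name__ == "__main__":
    for s, u in corrective_unavailability_vs_stock([0, 1, 2, 3]):
        print(f"S_T={s}: u={u:.3e}")
```

The last function reproduces the qualitative result reported in the application example: a larger spare inventory raises F(ST) and therefore lowers the expected downtime and the unavailability of an unscheduled task, while the scheduled case is insensitive to the stock because its delays are zero by definition.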
on a number of factors as proposed in the following equation:

cHP = NP · S / (Neq · Σ_{∀A∈P} (fA · TPA))   (16)

where the unknown variables S and Neq represent the annual salary and number of similar components respectively assigned to everyone of the NP own personnel. The aggregation extends over all of the tasks, scheduled or not, affecting the equipment being performed by NP personnel.
Finally, c1D represents the unitary cost due to a plant outage.

2.4.2 Costs of spare parts

The cost related to the management of spare parts is assumed to consist of the following contributions:

Ci = ch + co + cex   (17)

inventory, depends on the number of failures and maintenance tasks in this interval L.
In order to obtain this cost contribution, it is required first to obtain the average inventory level in the period L considering the demand of spares associated to failures. Two possibilities are considered, which are shown in Figures 4 and 5 respectively.
Figure 4 shows a situation in which the demand of spare parts, xi, in the period L, is lower than the original inventory level ST.
Figure 5 represents the case in which the demand, xi, exceeds the original inventory, ST, in the period L. When the inventory level is equal to the reorder point, R, new spares are ordered. However, in this case, the ordered spares arrive after L1 and the original inventory is not enough for the period L. As observed in Figure 5, L1 is the duration in which the original spare inventories decrease from ST to 0.
Based on Figures 4 and 5, the average inventory level, Iav, in the period L can be evaluated as:

Iav = Σ_{i=0}^{∞} (ST/2 + R − λ · TDM) + Σ_{i=R}^{∞} (xi + R) · P(x = xi)   (18)

Based on the inventory average level, Iav, given by eqn. (18), the yearly cost contribution due to the inventory holding, ch, can be evaluated as:

ch = p · Iav · csp + cdp   (19)

where p is the percentage of the average total inventory cost considered, and csp and cdp represent, respectively, the cost of a spare part and the depreciation cost per spare part.

2.4.2.2 Inventory ordering costs

The yearly cost contribution due to the inventory ordering, cio, includes: a) costs for a regular order, cro, b) cost of expedited order, ceo, and c) urgency or emergency order cost, cuo, which can be formulated as follows:

co = (λ / ST) · (ceo + cro + cuo)   (20)

where ceo is a fixed ordering cost per order, cro is the cost for a regular order, which can be calculated as:

cro = csp · ST   (21)

and cuo is the emergency order cost, which is calculated (see Figure 5) as:

cuo = cu · Σ_{i=R}^{∞} (xi − R) · P(xTDM = xi)   (22)

being cu the emergency cost per spare part and xTDM the demand of spare parts during the delay associated to material resources.

2.4.2.3 Holding excess costs

Based on Figure 4, the average surplus stock cost can be evaluated if xi < (ST − R) as:

cex = (cop − cdp) · Σ_{i=0}^{ST} ((ST − R) − xi) · P(x = xi)   (23)

where cop is the opportunity cost per spare part, as a consequence of the fact that the capital invested in its purchase is not available for other uses, and cdp represents the component depreciation cost.

2.5 Aggregation of availability and cost models for a given strategy

As proposed in Martorell et al. (2007), under the RCM approach, each couple dominant failure cause and maintenance strategy is associated a global efficiency affecting partially equipment availability and associated costs, which are associated with both the probability that this failure occurs and the development of the strategy itself, which, in turn, depends on the frequency of developing scheduled and unscheduled tasks belonging to the maintenance strategy and their corresponding durations and costs. Thus, the unavailability and cost models for a given strategy can be formulated accordingly by simply aggregating the previous single task models for the k tasks involved in the j-th strategy used to cope with the i-th failure cause (i → j).

Ui→j = Σ_{∀k∈j} Ui→j,k   (24)

Ci→j = Σ_{∀k∈j} Ci→j,k   (25)

Eqns. (24) and (25) are similar to their equivalents in Martorell et al. (2007). However, notice that the sort of contributions and their formulation vary as follows.
What concerns unavailability contributions, the main difference comes from the novel formulation of the duration of a maintenance task to cope with a given dominant failure cause, see eqns. (3) to (7), which now also addresses the possibility of not having spare parts available at the time of a demand, in particular for performing an unscheduled task (e.g. corrective maintenance), which introduces a delay time in starting the task while one is waiting for a spare part that has been ordered urgently.
What concerns cost contributions, one important difference comes also from the novel formulation of the duration of the maintenance task to cope with a given dominant failure cause. Moreover, the novel formulation of the cost for a given couple (i → j) now addresses additional cost contributions, i.e. those contributions used to address the cost of managing spare parts as described in section 2.4.2, which are also formulated for a given couple (i → j). The remaining cost contributions, i.e. those associated with surveillance and maintenance costs, as described in section 2.4.1, keep almost the same as formulated in Martorell et al. (2007), except what concerns eqn. (15) in this paper, where an additional third constant term appeared in the right hand side of this equation, which was used to account for the cost of the spares used in given tasks. This additional term does not make sense now, as this contribution was included to address in a simplified
way the cost of managing spare parts, which however is well represented now with the extended modeling of section 2.4.2.

2.6 Equipment based aggregation of availability and cost models

Following the reasoning introduced above, one can realize there is a need to find out a set of maintenance strategies to prevent the component from developing all of its dominant failure causes, since more than one normally applies.
According to the study in Martorell et al. (2007) there is not a unique combination of maintenance strategies to cope with all the dominant failure causes. Each combination is associated a given equipment availability and corresponding cost given by

U = Σ_{∀i→j} ui→j   (26)

C = Σ_{∀i→j} ci→j   (27)

3 APPLICATION EXAMPLE

Table 2. Maintenance plan selected to cover dominant failure causes.

Task                          I (hrs)   c1  c2  c3  c4  c5  c6
Lub oil change (t1)           26000     Y   N   Y   N   N   N
Operational test (t2)         13000     Y   N   N   N   Y   N
Visual inspection Motor (t3)  26000     Y   Y   N   N   N   N
Visual inspection Pump (t4)   26000     N   N   N   Y   N   Y

study after performing the RCM process described in Martorell et al. (1995). In addition, Table 2 shows the maintenance plan selected in Martorell et al. (2005b), which allows covering all the dominant failure causes of the equipment. This table shows the associated surveillance and maintenance tasks belonging to a type of strategy identified to be appropriate (Y) or not (N) to control every cause and the maintenance intervals (I), originally optimized.
Tables 3 and 4 show the additional data necessary for using the models proposed in section 2. Table 3 shows the data related to human resources. Table 4 shows data related to material resources. For sake of
Figure 6. Unavailability and cost effects of using different couples [NP, NE].
[Plot residue: U-C plot for several strategies of human us stocks; unavailability (0,0465 to 0,0515) against cost (2000 to 16000); three series: without stocks, without reorder point, reorder point (R); points labelled by the triplet (Np, Ne, Stock), with a trailing R marking reorder-point policies: (1,0,0), (2,0,0), (1,2,0), (1,3,0), (1,4,0), (2,4,0), (3,4,0), (4,4,0), (1,0,1), (1,0,1)R, (1,0,2)R, (1,0,3), (1,0,3)R, (1,1,1), (1,1,2), (1,1,2)R, (1,1,3)R, (1,2,1), (1,2,2), (1,2,3)R, (1,2,4)R, (2,2,3), (2,2,4)R, (3,2,3), (3,2,4), (3,2,4)R, (4,2,3), (4,2,4), (4,2,4)R.]
simplicity, it has been considered herein that task 4, which covers dominant failure cause 4 as shown in Table 3, is the only one that requires spare parts. Data related to the equipment reliability characteristics and others not included herein are the same as proposed in Muñoz et al. (1997).
As said, the results obtained in Martorell et al. (2005b) have been adopted as a reference point. Next, a sensitivity study has been performed to analyse the effect observed on the unavailability and cost scores when the human and material resources are taken into account. Several management policies have been considered, which address own versus external personnel and spare part inventory only, for sake of simplicity.
Figure 6 shows the effect of changing the human and material resources, i.e. use of different triplets [NP, NE, ST] representing own personnel, external taskforce and spare parts inventory respectively, for performing the maintenance plan selected with the periods shown in Table 2. Three alternatives were considered: a) without stocks, b) with stocks but without reorder point and c) with stocks and reorder point. Consequently, three curves were found, each representing a non-dominated set of solutions in the space U-C for the corresponding alternative.
Figure 6 shows that the alternative with the lowest costs corresponds to the case of having no inventory. Nevertheless, this situation is the one that imposes the highest unavailability. On the contrary, when a stock of spare parts is considered it results in a decrease of the unavailability at the expense of an increase of the costs.
Comparing the two alternatives, with or without reorder point, the former provides better results in terms of both unavailability and cost, which may suggest that management of spare parts with reordering point dominates equivalent solutions without reordering.

4 CONCLUDING REMARKS

This paper proposes the extension of previous models developed by the authors to integrate explicitly the effect of material resources (spare parts) on RAM+C. This novel modeling allows accounting explicitly for how the above decision criteria depend on the basic model parameters representing the type of strategies, maintenance intervals, durations, human resources and material resources.
An application example is performed on a motor-driven pump analyzing how the consideration of human and material resources affects the decision-making. It shows how changes in managing human and material resources affect both cost and unavailability. It is also observed that unavailability can be reduced by introducing a spare inventory, although, logically, this option supposes a greater cost. Finally, management
of spare parts with reordering point provides better results than without reordering.

ACKNOWLEDGMENTS

Authors are grateful to the Spanish Ministry of Education and Science for the financial support of this work (Research Project ENE2006-15464-C02-01, which has partial financial support from the FEDER funds of the European Union).

REFERENCES

Axsäter, S. 2006. Inventory Control. Springer, United States of America.
Crespo, A. 2007. The maintenance management framework: models and methods for complex systems maintenance. Springer series in reliability engineering.
Kaufmann, A. 1981. Métodos y Modelos Investigación de Operaciones. CIA. Editorial Continental, S.A. de C.V, Mexico.
Leland T. Blank, Anthony Tarquin. 2004. Engineering Economy. McGraw-Hill Professional. United States.
Martorell, S., Muñoz, A., Serradell V. 1995. An approach to integrating surveillance and maintenance tasks to prevent the dominant failure causes of critical components. Reliability Engineering and System Safety, Vol. 50, 179–187.
Martorell S., Sanchez A., Serradell V. 1999. Age-dependent reliability model considering effects of maintenance and working conditions. Reliability Engineering & System Safety, 64(1):19–31.
Martorell, S., Carlos, S., Sanchez, A., Serradell, V. 2001. Simultaneous and multi-criteria optimization of TS requirements and maintenance at NPPs. Annals of Nuclear Energy, Vol. 29, 147–168.
Martorell, S., Sanchez, A., Carlos, S., Serradell, V. 2004. Alternatives and challenges in optimizing industrial safety using genetic algorithms. Reliability Engineering & System Safety, Vol. 86 (1) 25–38.
Martorell, S., Villanueva, J. F., Carlos, S., Nebot, Y., Sánchez, A., Pitarch J. L. and Serradell, V. 2005a. RAMS+C informed decision-making with application to multi-objective optimization of technical specifications and maintenance using genetic algorithms. Reliability Engineering & System Safety, 87(1):65–75.
Martorell, S., Carlos, S., Sanchez, A. 2005b. Use of metrics with multi-objective GA. Application to the selection of an optimal maintenance strategy in the RCM context. In Proceedings of European Safety and Reliability Conference ESREL 2005. Ed. Taylor & Francis Group, pp. 1357–1362.
Martorell, S., Carlos, S., Sanchez, A. 2006. Genetic Algorithm applications in surveillance and maintenance optimization. In Computational Intelligence in Reliability Engineering. Volume 1: Evolutionary techniques in reliability analysis and optimization. Ed. Springer.
Martorell, S., Villamizar, M., Sanchez, A., Clemente G. 2007. Maintenance modeling and optimization integrating strategies and human resources. European Safety And Reliability Conference (ESREL 2007). Stavanger, Noruega.
Muñoz, A., Martorell, S., Serradell V. 1997. Genetic algorithms in optimizing surveillance and maintenance of components. Reliability Engineering and System Safety, Vol. 57, 107–120.
Ribaya, F. 1999. Costes. Ediciones Encuentro, Madrid.
Ricardo, D. 1821. On the Principles of Political Economy and Taxation. John Murray, Albemarle Street, London.
Sarabiano, A. 1996. La Investigación Operativa. Edisorfer, S. L, Madrid.
Sherbrooke, C. 2004. Optimal Inventory Modeling of Systems, United States of America.
Starr, M. and D. Miller. 1962. Inventory Control: Theory and Practice. Prentice-Hall, Englewood Cliffs, United States of America.
ABSTRACT: We look at the use of expert judgement to parameterize a model for degradation, maintenance and repair by providing detailed information which is then calibrated at a higher level through coarse plant data. Equipment degradation provides signals by which inferences are made about the system state. These may be used informally through the use of red/yellow/green judgements, or may be based on clear criteria from monitoring. Information from these signals informs the choices made about when opportunities for inspection or repair are taken up. We propose a stochastic decision model that can be used for two purposes: a) to gain an understanding of the data censoring processes, and b) to provide a tool that could be used to assess whether maintenance opportunities should be taken or whether they should be put off to a following opportunity or scheduled maintenance. The paper discusses the competing risk and opportunistic maintenance modeling with expert judgement and the broad features of the model. Numerical examples are given to illustrate how the process works. This work is part of a larger study of power plant coal mills reliability.
production, there is a real need to avoid unplanned shutdowns. However, there are regular opportunities arising from the failure of systems elsewhere in the plant. Furthermore, there is a level of redundancy in the coal mills which may be used when required. Hence it is the case that equipment in need of repair and operating in a degraded state may continue to be used until an opportunity presents itself. The model described here is designed to capture this type of situation and to be quantifiable by expert judgements.

1.2 Competing risks

The competing risk problem arises quite naturally in coal mill reliability. An intuitive way of describing a competing risks situation with k risks is to assume that to each risk is associated a failure time Tj, j = 1, …, k. These k times are thought of as the failure times if the other risks were not present, or equivalently as the latent failure time arising from each risk. When all the risks are present, the observed time to failure of the system is the smallest of these failure times along with the actual cause of failure. For further discussion of competing risk models in general see Tsiatis (1975) and Crowder (2001). Bedford (2005) also discussed the use of competing risk models in reliability. Specific models are considered in Langseth & Lindqvist (2006), Bunea & Mazzuchi (2006), Cooke & Morales-Mapoles (2006). Yann et al. (2007) introduce a generalized competing risk model and use it to model a particular case for which the potential time to next preventive maintenance and corrective maintenance are independent conditionally on the past of maintenance processes. For more specific applications in reliability, see the survey of reliability databases in perspective in Cooke and Bedford (2002).

1.3 Opportunistic maintenance

Opportunistic maintenance can be defined as a strategy whereby preventive maintenance actions on a component can be performed at any time upon other components' failure or arrival of preventive replacement ages of designated components (separate replacement) or the joint replacement, Kececioglu & Sun (1995). Opportunistic maintenance can clearly have impacts on component and hence on system reliability. Opportunities, interrupt replacement options and many undesirable consequences of interruptions are discussed in Dagpunar (1996). Opportunities occur randomly and sometimes have restricted durations, implying that only restricted packages can be executed. The main idea is to set up a model to determine an optimal package for individual packages and to develop a cost criterion, Dekker & Smeitink (1994). Maintenance opportunities often depend on the duration and economic dependence for set up costs which may require a compromise in some circumstances.
The concept of opportunistic maintenance and competing risk modeling is important within an industrial power plant. The role of expert judgments within the maintenance area may give an insight and better understanding of the interrelationships between events which could strongly support our modeling later. Expert judgment in maintenance optimization is discussed in Noortwijk et al. (1992). Their elicited information is based on discretized lifetime distributions from different experts. That is, they performed a straightforward elicitation of failure distribution quantiles, rather than the kind of information being sought for the model we build here.

2 BASE MODEL

Here we consider the basic model discussed in Alkali & Bedford (2007). This model explicitly assumes that some kind of information about the state of the system is known to the decision-maker. The basic idea behind the model is that the decision maker's perceptions about the state of the system are driven by discrete events whose occurrence changes the underlying failure rate of the system. Such discrete events might be external shocks, or might be internal shocks as a result of internal degradation of the system. These shocks occur randomly but can be observed by the decision maker. We discuss the single failure rate and multiple failure rate case.

2.1 Single failure mode model

In this model only one category of failure mode is considered. The failure time of the model requires us to define the failure time distribution through a process rather than through the more conventional failure rate/survival functions approach, although these quantities could be calculated.
We define an increasing sequence of shock times S0 = 0, S1, S2, … and for the period between shocks (Si−1, Si], a failure rate λi(t), t ∈ (0, Si − Si−1]. The distribution of failure time T is defined conditionally: Given that T > Si−1 the probability that T > Si is equal to

exp(−∫_0^{Si − Si−1} λi(t) dt) .   (1)

and given that t ∈ (0, Si − Si−1] it has conditional failure rate λi(t − Si−1).
Clearly, given S0 = 0, S1 , S2 , . . . the failure rate for 2.3 Competing risk data
T is fixed (deterministic), but prior to knowing S0 =
The model above will generate competing risk data as
0, S1 , S2 , . . . the failure rate is stochastic.
follows. Let X be the time of the system failure, and let
This definition of a failure time, while relatively
Z be the time at which an opportunity would be taken.
unusual, has the advantage that it links fairly easily
The data that would be recorded in the plant records
to an elicitation scheme that can be used to assess a
would be min(X , Z) and the indicator of which event
simplified model using expert judgement. The sim-
had occurred. Note that as a consequence of the above
ple parametric version of this model assumes that
model, and consistent with practice, we can have that
there are a finite number of shocks that the times
P(X = Z) = 0.
between shocks are exponential (possibly with differ-
From the plant record data we can estimate only
ent parameters) and the failure rate in between shocks
the subsurvival function for X and Z, but not
is constant. Hence the parameters of this model are the
the true survival functions. Recall that the survival
number of shocks n, the mean times between shocks μ_1, …, μ_n and the failure rates between shocks λ_1, …, λ_n (where S_i is the ith shock and λ_i is the rate in the period (S_i, S_{i+1}], with S_{n+1} = ∞). The expression for the conditional distribution function given the shock times is

$$F(t \mid S_1, S_2, \ldots, S_n) = 1 - \exp\!\Big(-\Big[\sum_{i=1}^{j-1}(S_{i+1}-S_i)\,\lambda_i + (t - S_j)\,\lambda_j\Big]\Big) \qquad (2)$$

where λ_i is the failure rate after shock i, and S_j is the largest event time less than t.

2.2 Opportunistic maintenance time

In order to model the censoring process, we need to model two things:

• how opportunities arise, and
• when opportunities are taken.

In the setting we are considering, opportunities arise typically as a result of faults elsewhere in the plant, typically upstream. As there is a whole mixture of different fault types occurring, it is natural to assume that opportunities arise according to a Poisson process.

The modelling of when opportunities are taken is the area where we can capture the idea that opportunities will be taken with some knowledge of the system state, and hence that the censoring of failure data will be correlated with the actual failure times. In this model we assume that the decision maker will choose to take the first opportunity after the system has encountered a critical shock, or been assessed as in a critical state. We denote this time, the time at which the system would be maintained, by Z. Note that Z can equivalently be written as the first opportunity after the subjective failure rate has increased above a critical level. This is probably the way the decision makers will be thinking of Z. However, so as not to confuse the definition of the model parameters with steps taken in the elicitation process (where experts are asked for ratios of failure rates, rather than absolute failure rates), we define Z in terms of a critical shock rather than a critical failure rate.

The survival functions are

$$S_X(t) = P(X > t), \qquad S_Z(t) = P(Z > t), \qquad (3)$$

and the subsurvival functions are

$$S^*_X(t) = P(X > t,\, X < Z), \qquad S^*_Z(t) = P(Z > t,\, Z < X). \qquad (4)$$

A simple quantity that measures the degree of censoring is S^*_X(0) = P(X < Z). This is simply the probability that the next event will be a failure rather than a maintenance action.

2.4 Multiple failure modes

Very often there is more than one failure mode relevant to system performance. In terms of competing risk, these may be modelled as different variables that are themselves competing to fail the system. For the purposes of this paper we assume that there are just two failure modes. In many cases it seems reasonable to suggest that different failure modes develop according to statistically independent processes, but as they develop further there may be some dependence. We capture these ideas in the following model. Associated to each failure mode there is a set of shock times S_0 = 0, S_1, S_2, …. We denote the ith shock associated to the kth failure mode by S^k_i and assume that there are m(k) shocks for the kth mode. The associated failure rate given that we have just had the ith shock for Failure Mode 1 and the jth shock for Failure Mode 2 is denoted by λ_{i,j}.

Theorem 1.1 Suppose for a given system there are two modes in which the system can fail. If the two shock time processes are independent, and λ_{i,j} can be written in the form λ_{i,j} = λ_i + λ_j, then the failure times X_1 and X_2 from failure modes 1 and 2 respectively are independent.

Sketch proof: Consider the conditional joint survival probability given the shock times,
$$P\big(X_1 > t,\, X_2 > t \,\big|\, S^1_0, \ldots, S^1_{m(1)},\, S^2_0, \ldots, S^2_{m(2)}\big) \qquad (5)$$

and by splitting the terms for the shocks the resulting distribution is given as

$$P\big(X_1 > t \,\big|\, S^1_0, \ldots, S^1_{m(1)}\big)\; P\big(X_2 > t \,\big|\, S^2_0, \ldots, S^2_{m(2)}\big). \qquad (6)$$

Hence the conditional survival probability factorizes because of the additivity assumption on λ_{i,j}. Under the assumption that the two shock processes are independent, we can then say that the unconditional survival probabilities also factorize.

Hence when the two failure mode processes are considered to be truly independent, they can be modelled as two different cases of the base model, and the failure rates added together. However, when they are not considered independent we can capture this in one of two ways:

1. The shock time processes are dependent.
2. The failure intensities are not additive.

The simplest way in which the shock processes could be dependent is for there to be common shocks for both failure modes. For the purposes of this paper we shall not consider more complex forms of dependency between the shock processes. Regarding failure intensities, we would typically expect that the failure intensities are additive for early shocks, and then may become superadditive for late shocks, that is λ_{i,j} > λ_i + λ_j.

Remark 1.1 When there is more than one failure mode, there is a modelling issue relating to the meaning of the failure intensities. While in the single failure mode model we can simply consider the failure intensity to cover failures arising from any reason, when there are two or more failure modes we have to distinguish failure intensities arising from the different failure modes. This avoids double counting of any residual failure intensity not ascribable to those two failure modes, but also ends up not counting it at all. Therefore in this case, if there are significant failure intensities from residual failure causes, it is best to explicitly assess these alongside the main failure modes, so that the failure intensities can be properly added.

3 ELICITATION

The purpose of using this modelling approach is that it makes discussion with experts easier. However, there is always a problem with obtaining good expert data, and some parts of the model will be easier to assess than others. In particular, one would expect:

• Straightforward: identification of the failure modes, identification of signals (note that this is often done informally through use of green/amber/red codings, but may not be thought of as a signal in the sense that we are using it).
• Moderate difficulty: quantification of distributions for times to shocks, specification of relative risk (i.e. ratios of the λ_{i,j}).
• Very difficult: specification of absolute values for the λ_{i,j}.

The elicitation procedures and model quantification/validation steps have to be designed to use information at the least difficulty level possible. Clearly, the model does require information about the absolute values of the λ_{i,j}, but we can also use empirical data to calibrate the model. This represents something of a departure from previous competing risk models that we have considered, where the aim was usually to check identifiability of the model, i.e. whether or not the parameters could be estimated from the data.

3.1 Single model

Here we assess the set of signals, the mean times to signals, and the relative increase in risk after a signal.

3.2 Two failure modes

The model assumes that, by default, the failure intensities arising from different failure modes are additive. Hence they can be elicited in a first round according to the procedure used for the single mode situation. However, to provide a check on interactions, we check whether there is a critical signal level after which we could expect the failure mode of the other to be affected, or if there is a common signal. Then we explicitly elicit relative risk values above the critical signal levels.

4 MODEL CALIBRATION

For simplicity, from now on we just consider the single failure mode case, but the other case works similarly. Since the elicitation steps above only give the failure rates up to an unknown constant, we have to calibrate the overall model. Suppose that the relative failure rates elicited from the experts are κ_1, …, κ_n, so that the actual failure rates are of the form ακ_1, …, ακ_n. The following result allows us to consider the impact of the calibration variable α.

Theorem 1.2 The marginal distribution for X is stochastically decreasing as a function of α.

Proof. It is enough to show that the probability of failure before time t is increasing as a function of α, i.e. that the survival probability P(X > t) is decreasing in α. In turn, for this, it is enough to show that the conditional
survival probability given the shock times, P(X > t | S_1, …, S_n), is decreasing as a function of α. That is clear since it equals

$$\exp\!\Big(-\alpha\Big[\sum_{i=1}^{j-1}(S_{i+1}-S_i)\,\kappa_i + (t - S_j)\,\kappa_j\Big]\Big)$$

where j is the largest integer such that S_j < t.

In practice we can use this result to scale model outputs to the observed failure data. However, to do that we also need to take into account the censoring taking place in the observed data. What we actually see in the observed data is the effect of current opportunistic maintenance decisions.

Theorem 1.3 If the opportunistic maintenance intervention shock level is held constant, then the subdistribution function evaluated at any point t is increasing as a function of α. In particular, the probability of observing a failure, P(X < Z), is increasing as a function of α.

The proof is similar to that given above, using the fact that the opportunistic maintenance time is independent of the failure time given the shock times, for

$$\begin{aligned} P(X = t,\, t < Z \mid S_1, \ldots, S_n) &= P(X = t \mid S_1, \ldots, S_n,\, t < Z)\, P(t < Z \mid S_1, \ldots, S_n) \\ &= P(X = t \mid S_1, \ldots, S_n)\, P(t < Z \mid S_1, \ldots, S_n). \end{aligned}$$

The first term is increasing in α while the second is constant in α. The above result allows us to use the empirically observable quantity P(X < Z) as a way of calibrating the model by finding the appropriate α.

Although we have concentrated here on trying to establish a value for the scaling parameter α, it is worth also looking at other parameters. In particular, although we assumed that the experts were able to give mean times until shocks, and the rate of opportunities, it is possible to see whether a scaling adjustment of these values would improve the overall fit of the model to observed data. These are, however, secondary "tuning parameters" that should only be considered after α has been fitted. This fine tuning is then carried out using a different distance quantity, for example using the Kolmogorov-Smirnov distance on the observed and model-based subdistribution functions.

5 RESULTS

We consider a system with two shocks; the mean time to the first is 0.2 and to the second is 0.8. The distribution of time between shocks is modelled as exponential. There are three failure rates associated to the periods demarked by the two shocks. We suppose that the failure rate ratios are estimated as increasing by a factor of 10 each time, that is, the failure rate in the second period is 10 times the initial rate, and that in the third period is 10 times that in the second. We assume that the mean time between opportunities is 1.2, and that there is a major overhaul after time 10 (so that no times observed will ever be larger than 10 in any case). Finally, we assume that the current opportunistic maintenance strategy is to take the first opportunity that arises after the second shock.

Because we do not have a closed form solution to the model, we simulate it as follows:

1. Simulate the shock times.
2. Calculate the conditional distribution function for the lifetime given the shock times as in Equation 2, and simulate a lifetime.
3. Simulate a set of opportunity times and then choose the first one beyond the critical shock time as the time at which opportunistic maintenance would be carried out.

We sampled 1000 cases (in Excel) and used these to numerically estimate the quantities of interest such as the failure distributions and the probability of observing a failure.

Assuming that the scaling variable α = 1, we get the distributions for the underlying failure time, maintenance time, and their minimum shown in Figure 1. When we increase the scaling parameter to 1.5, this increases the overall failure rate, thus making it more likely that a failure will be observed. This is illustrated in Figure 2. When we reduce the scaling parameter to 0.5, this reduces the overall failure rate, making it less likely that a failure will be observed, as illustrated in Figure 3 below.

[Figure 1: failure time distribution with α = 1; probability (0 to 1) against time for the failure time, the taken opportunity and their minimum.]
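The three-step simulation above and the calibration use of Theorem 1.3, as an added worked example that is not the authors' Excel model: a Monte Carlo implementation with the values of this section (two exponential shocks with mean gaps 0.2 and 0.8, failure rate ratios 1:10:100, Poisson opportunities with mean spacing 1.2, overhaul at time 10, maintenance at the first opportunity after the second shock). The absolute base rates κ = (0.004, 0.04, 0.4) are an assumption chosen so that P(X < Z) at α = 1 is of the same order as Table 1; the page fixes only the ratios. The overhaul at time 10 is treated as a taken opportunity, also an assumption. Common random numbers are used across α, so the monotonicity of Theorem 1.3 holds sample by sample and a bisection can recover α from an observed P(X < Z).

```python
"""Monte Carlo for the shock / opportunistic-maintenance competing-risk model.

Added illustration, not the paper's own (Excel) model.  The absolute base
rates kappa are hypothetical; the page only fixes their ratios 1:10:100.
"""
import random
from dataclasses import dataclass


@dataclass
class ShockModel:
    mean_gaps: list       # mean time to shock 1, then between successive shocks (exponential)
    rel_rates: list       # kappa_0..kappa_n: relative rate before shock 1 and after each shock i
    opp_mean: float       # mean time between opportunities (Poisson process)
    critical_shock: int   # take the first opportunity after this shock (1-based)
    horizon: float        # major overhaul: nothing is observed beyond this time


def cumulative_hazard(t, shocks, rates):
    """H(t) for a piecewise-constant rate: rates[i] applies on [S_i, S_{i+1}), S_0 = 0."""
    h, prev = 0.0, 0.0
    for s, r in zip(shocks, rates):
        if t <= s:
            return h + (t - prev) * r
        h += (s - prev) * r
        prev = s
    return h + (t - prev) * rates[len(shocks)]


def invert_hazard(e, shocks, rates):
    """Return t with H(t) = e; H is continuous and strictly increasing (all rates > 0)."""
    h, prev = 0.0, 0.0
    for s, r in zip(shocks, rates):
        seg = (s - prev) * r
        if e <= h + seg:
            return prev + (e - h) / r
        h += seg
        prev = s
    return prev + (e - h) / rates[len(shocks)]


def simulate(model, alpha, n_cases, seed=1):
    """Estimate P(X < Z) by steps 1-3 of the paper's procedure with rates alpha * kappa.

    The random stream consumed per case does not depend on alpha, so a fixed
    seed gives common random numbers and X is pointwise decreasing in alpha.
    """
    rng = random.Random(seed)
    rates = [alpha * k for k in model.rel_rates]
    failures = 0
    for _ in range(n_cases):
        # 1. shock times: successive exponential gaps
        shocks, t = [], 0.0
        for mu in model.mean_gaps:
            t += rng.expovariate(1.0 / mu)
            shocks.append(t)
        # 2. lifetime: P(X > t | S) = exp(-H(t)), so X = H^{-1}(E) with E ~ Exp(1)
        x = invert_hazard(rng.expovariate(1.0), shocks, rates)
        # 3. opportunities: Poisson process; Z = first opportunity after the critical shock,
        #    capped at the overhaul time (assumption: the overhaul acts like a taken opportunity)
        s_crit = shocks[model.critical_shock - 1]
        z = 0.0
        while z <= s_crit:
            z += rng.expovariate(1.0 / model.opp_mean)
        z = min(z, model.horizon)
        if x < z:
            failures += 1
    return failures / n_cases


def calibrate(model, observed_p, n_cases, lo=0.05, hi=5.0, tol=1e-3, seed=1):
    """Bisection for alpha with simulated P(X < Z) = observed_p (Theorem 1.3: monotone in alpha)."""
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if simulate(model, mid, n_cases, seed) < observed_p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


# Parameters of the results section; the absolute kappa values are an assumption.
EXAMPLE = ShockModel(mean_gaps=[0.2, 0.8], rel_rates=[0.004, 0.04, 0.4],
                     opp_mean=1.2, critical_shock=2, horizon=10.0)

if __name__ == "__main__":
    for a in (0.4, 0.6, 0.8, 1.0, 1.2, 1.4, 1.6):
        print(f"alpha={a:.1f}  P(X<Z)={simulate(EXAMPLE, a, 20000):.3f}")
    print("alpha recovered from P(X<Z)=0.346:", round(calibrate(EXAMPLE, 0.346, 20000), 2))
```

Because the inverse-hazard step samples X exactly from equation (2), no discretisation of the lifetime is needed; the only Monte Carlo error is in the averaging, and the common random numbers make the bisection in `calibrate` well defined even though each `simulate` value is a step function of α.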
[Figure 2: failure time distribution with α = 1.5; probability (0 to 1) against time (0 to 10) for the failure time, the taken opportunity and their minimum.]

[Figure 3: failure time distribution with α = 0.5; probability (0 to 1) against time (0 to 20) for the failure time, the taken opportunity and their minimum.]

Finally we give a table showing how the probability of observing failure depends on the scaling parameter α.

Table 1. Probability of failure with varying α values.

  alpha   P(X < Z)
  0.4     0.230
  0.6     0.256
  0.8     0.313
  1       0.346
  1.2     0.402
  1.4     0.470
  1.6     0.599

This confirms empirically the theoretical result given above, and shows that the scaling parameter is a first order model parameter.

6 CONCLUSIONS

Expert judgement has an important role to play in the development of fine detail models. Such models are difficult to quantify from plant data both because of the cost of cleansing the data sufficiently to make it amenable to statistical analysis, and also because, due to identifiability problems, it may not be possible to characterize a unique model in any case.

The model discussed here is designed to bring the mathematical modelling closer into line with the way plant operators and maintainers adjust their beliefs about the reliability of the equipment. Although we have described the model in terms of shocks occurring to the system, in practice these may not be hard discrete events, but the progression of degradation past a standardized level (for example, where a vibration monitor consistently measures high vibration, or where the criteria used by the operator to move the equipment state from green to amber have been met). Such transitions are the ways in which staff assess a change in the risk of system failure, and therefore it is reasonable to build the subjective component reliability around them.

The model described here is a dependent competing risk model where maintenance times are statistically dependent on the component lifetime, and where different failure modes can also be modelled in a dependent way. In the former case the dependence arises through the use of signals to the decision maker about the component state, which both change the rate of failure and also lead to opportunities for maintenance being taken. In the latter case the dependency arises through the same signals marking failure rate changes for distinct failure modes, and through other potential interactions.

ACKNOWLEDGEMENTS

This research is part of an EPSRC funded project on dependent competing risks. We would like to thank Scottish Power for its support in this project.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
For a data set consisting of N component CM histories:

– n_j is the number of component histories for which a posterior analysis has revealed that the jth failure type occurred, and we have N = Σ_{j=1}^{r} n_j.

For the component index, k = 1, 2, …, n_j:

– b_k is the number of monitoring points,
– T̃_k is the failure time,
– t_{k b_k} is the time of the last CM point; T̃_k − t_{k b_k} > 0.

3 DEFINITIONS

where f_0(x | j, V_0) ≡ f_0(x | j). At the ith CM point, a posterior conditional pmf for the forthcoming failure type is recursively established as

$$p_i(j \mid V_i) = \frac{\Big(\int_0^{\infty} g(y_i \mid u, j)\, f_{i-1}(u + t_i - t_{i-1} \mid j, V_{i-1})\,du\Big)\, p_{i-1}(j \mid V_{i-1})}{\sum_{d=1}^{r}\Big(\int_0^{\infty} g(y_i \mid u, d)\, f_{i-1}(u + t_i - t_{i-1} \mid d, V_{i-1})\,du\Big)\, p_{i-1}(d \mid V_{i-1})} \qquad (3)$$

Here θ_j is the unknown parameter set for the jth failure type. After inserting the relevant pdfs and re-arranging, the likelihood
function can be written as

$$L(\theta_j) = \prod_{k=1}^{n_j}\left[\prod_{i=1}^{b_k}\int_0^{\infty} g(y_{ki} \mid u, j)\, f_{k,i-1}(u + t_{ki} - t_{k,i-1} \mid j, V_{k,i-1})\,du\right] f_{k b_k}(\tilde T_k - t_{k b_k} \mid j, V_{k b_k}) \qquad (7)$$

See Carr & Wang (2008) for details. Maximisation of equation (7), with respect to θ_j, is undertaken using an optimisation algorithm such as the BFGS quasi-Newton method on the log of the likelihood function. To select between different forms for f_0 and g, we use the Akaike information criterion (AIC).

The prior probabilities that each failure type will occur for a given component are estimated from the data set and described using the pmf p_0(j) ≈ n_j/N for j = 1, 2, …, r.

5 ASSESSING THE MODEL

To assess the applicability of the methodology for a given scenario, we compare the failure type RL estimation model against a single general stochastic filter for the RL with no failure type assumptions. For the general model, the posterior conditional RL pdf is

$$f^{(2)}_i(x \mid V_i) = \frac{g^{(2)}(y_i \mid x)\, f^{(2)}_{i-1}(x + t_i - t_{i-1} \mid V_{i-1})}{\int_0^{\infty} g^{(2)}(y_i \mid u)\, f^{(2)}_{i-1}(u + t_i - t_{i-1} \mid V_{i-1})\,du} \qquad (8)$$

The comparison is achieved using an average mean square error (AMSE) criterion. At the ith CM point for the kth component, the MSE is

$$\mathrm{MSE}_{ki} = \int_0^{\infty} (x + t_{ki} - \tilde T_k)^2\, f^{(a)}_i(x \mid V_i)\,dx \qquad (9)$$

for models a = 1, 2. For the failure type RL model, the AMSE is

$$\mathrm{AMSE} = \sum_{j=1}^{r}\sum_{k=1}^{n_j}\sum_{i=1}^{b_k} \mathrm{MSE}_{jki}/N \qquad (10)$$

and for the general filter, the AMSE is

$$\mathrm{AMSE} = \sum_{k=1}^{N}\sum_{i=1}^{b_k} \mathrm{MSE}_{ki}/N \qquad (11)$$

6 INITIAL CASE ANALYSIS

In preparation for a larger project, we applied the failure type RL estimation model to a test data set of component monitoring histories (with associated failure times) obtained from a certain model of aircraft engine. The objective of the analysis is to assess the applicability and performance of the failure type model when applied to multivariate oil-based CM information.

We select forms and parameterise using historical CM data sets and the model is applied to new component monitoring information for demonstration purposes. The model is also compared with a general model with no failure type assumptions to illustrate the benefits of the failure type model. More information on the analysis will be given at the conference and in an extended version of this paper.

6.1 The data

The CM data we are considering consists of the parts per million (ppm) of contaminating metallic particles in oil lubrication samples that are obtained from a type of component used in aircraft engines. At each monitoring point, we observe the ppm of iron (Fe), copper (Cu), aluminium (Al), magnesium (Mg) and chromium (Cr). Initially, 10 component CM histories are used for the purpose of fitting the models. The CM information from 2 'new' components is then used to demonstrate the application of the models and compare the performance of the failure type RL estimation model and the general model with no failure type assumptions.

6.2 Model fitting

To reduce the dimensionality of the data and remove any potential collinearity between the individual CM variables over time, principal components analysis (PCA) is applied to the covariance matrix of the CM variables. After PCA, we have a vector of principal components at time t_i, y_i = {y_{i1}, y_{i2}, …, y_{ik}}, where

$$y_{ic} = \alpha_{c1}\,\mathrm{Fe}_i + \alpha_{c2}\,\mathrm{Cu}_i + \alpha_{c3}\,\mathrm{Al}_i + \alpha_{c4}\,\mathrm{Mg}_i + \alpha_{c5}\,\mathrm{Cr}_i$$

represents the cth principal component and Fe_i, for example, is the cumulative iron reading at the ith CM point. Figure 1 illustrates the standardised first principal component over time and the associated failure times for the 10 components that are to be used to fit the models.

6.2.1 Failure type RL estimation model

For the failure type RL estimation model, the individual filters are parameterised using those CM histories that are relevant to the particular failure type. As
[Figure 1: standardised first principal component (−1.5 to 2) against time (0 to 1800) for the 10 model-fit components, with the associated failure times. Caption: Figure 1. Illustrating the first principal component over time and the associated failure times for the model fit data.]

indicated in figure 1, it is possible to group the CM histories according to the observed failure times and the behaviour of the first principal component over time. The first failure type is defined as underlying behaviour that results in failure within the range 0 ≤ T < 1200 and for the second failure type, we have T ≥ 1200 as the specified range.

$$f_0(x \mid j) = \alpha_j^{\beta_j}\,\beta_j\, x^{\beta_j - 1}\, e^{-(\alpha_j x)^{\beta_j}} \qquad (12)$$

where x > 0 and α_j, β_j > 0 for j = 1, 2. For linearly independent principal components, we have the combined conditional pdf of equation (13), where μ_j(x) is a function of the RL. Note that, when applying the models to new component information, the same principal component and standardisation transformations must be applied to the CM data before insertion into the models.

Using equations (2), (12) and (13), the posterior conditional RL pdf at the ith CM point (under the influence of the jth failure type) is

$$f_i(x \mid j, V_i) = \frac{(x+t_i)^{\beta_j-1}\, e^{-(\alpha_j (x+t_i))^{\beta_j}} \prod_{z=1}^{i} e^{-\frac{(y_z-\mu_j(x+t_i-t_z))^2}{2\sigma_j^2}}}{\int_{u=0}^{\infty} (u+t_i)^{\beta_j-1}\, e^{-(\alpha_j (u+t_i))^{\beta_j}} \prod_{z=1}^{i} e^{-\frac{(y_z-\mu_j(u+t_i-t_z))^2}{2\sigma_j^2}}\,du} \qquad (15)$$

and using equation (3), the posterior conditional pmf for the forthcoming failure type is

$$p_i(j \mid V_i) = \frac{\dfrac{(\sigma_j^2\, 2\pi)^{-1/2}\int_{u=0}^{\infty} (u+t_i)^{\beta_j-1}\, e^{-(\alpha_j(u+t_i))^{\beta_j}} \prod_{z=1}^{i} e^{-\frac{(y_z-\mu_j(u+t_i-t_z))^2}{2\sigma_j^2}}\; p_{i-1}(j \mid V_{i-1})\,du}{\int_{u=0}^{\infty} (u+t_{i-1})^{\beta_j-1}\, e^{-(\alpha_j(u+t_{i-1}))^{\beta_j}} \prod_{z=1}^{i-1} e^{-\frac{(y_z-\mu_j(u+t_{i-1}-t_z))^2}{2\sigma_j^2}}\,du}}{\sum_{d=1}^{r}\dfrac{(\sigma_d^2\, 2\pi)^{-1/2}\int_{u=0}^{\infty} (u+t_i)^{\beta_d-1}\, e^{-(\alpha_d(u+t_i))^{\beta_d}} \prod_{z=1}^{i} e^{-\frac{(y_z-\mu_d(u+t_i-t_z))^2}{2\sigma_d^2}}\; p_{i-1}(d \mid V_{i-1})\,du}{\int_{u=0}^{\infty} (u+t_{i-1})^{\beta_d-1}\, e^{-(\alpha_d(u+t_{i-1}))^{\beta_d}} \prod_{z=1}^{i-1} e^{-\frac{(y_z-\mu_d(u+t_{i-1}-t_z))^2}{2\sigma_d^2}}\,du}} \qquad (16)$$

6.2.2 Failure type 1

In equation (12), a Weibull prior distribution is used to model the initial residual life under the influence of a given forthcoming failure type. Using the likelihood function in equation (7) and the 7 component histories deemed to have failed according to failure type 1, the shape and scale parameters are estimated as
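Equations (15) and (16) as an added worked example, not the authors' code, fitted parameters or data: the recursion on a residual-life grid for two hypothetical failure types with Weibull priors (12) and a Gaussian observation model g(y | x, j) whose mean μ_j(x) = a_j + b_j x is taken linear in the residual life (the page does not print the form of μ_j). The two failure types, the prior pmf and the four-point monitoring history are constructed so that type 1 fails early with a steeply rising signal and type 2 fails late with a shallow one; all numeric values are assumptions.

```python
"""Failure-type residual-life filter: equations (15) and (16) on a grid.

Added illustration; the failure types, mu_j(x) = a_j + b_j x and the
monitoring history are constructed, not the paper's fitted parameters or data.
"""
import math
from dataclasses import dataclass


@dataclass
class FailureType:
    a: float       # Weibull scale parameter alpha_j of eq. (12)
    b: float       # Weibull shape parameter beta_j
    mu0: float     # mu_j(x) = mu0 + mu1 * x: expected signal at residual life x (assumed linear)
    mu1: float
    sigma: float   # observation noise sigma_j

    def prior_rl(self, x):
        """f_0(x | j) = a^b b x^(b-1) exp(-(a x)^b), eq. (12)."""
        if x <= 0.0:
            return 0.0
        return self.a ** self.b * self.b * x ** (self.b - 1) * math.exp(-(self.a * x) ** self.b)

    def obs(self, y, x):
        """g(y | x, j): Gaussian signal density at residual life x."""
        z = (y - (self.mu0 + self.mu1 * x)) / self.sigma
        return math.exp(-0.5 * z * z) / (self.sigma * math.sqrt(2.0 * math.pi))


def unnormalised_posterior(ft, x, t_i, history):
    """Numerator of eq. (15): f_0(x + t_i | j) * prod_z g(y_z | x + t_i - t_z, j)."""
    val = ft.prior_rl(x + t_i)
    for t_z, y_z in history:
        val *= ft.obs(y_z, x + t_i - t_z)
    return val


def trapz(values, dx):
    return dx * (sum(values) - 0.5 * (values[0] + values[-1]))


def run_filter(types, p0, cm_points, x_grid):
    """Process CM points (t_i, y_i) in order.

    Returns, per CM point, (t_i, posterior pmf over failure types, posterior mean RL).
    The pmf follows eq. (16): the ratio of the normalising integrals at t_i and
    t_{i-1} is the term  integral g * f_{i-1} du  of eq. (3).
    """
    dx = x_grid[1] - x_grid[0]
    pmf = list(p0)
    # normalising integrals at t_0 = 0 with no observations: integral of f_0 over the grid
    prev_norm = [trapz([ft.prior_rl(x) for x in x_grid], dx) for ft in types]
    history, out = [], []
    for t_i, y_i in cm_points:
        history.append((t_i, y_i))
        weights, means = [], []
        for j, ft in enumerate(types):
            vals = [unnormalised_posterior(ft, x, t_i, history) for x in x_grid]
            norm = trapz(vals, dx)                        # denominator of eq. (15)
            weights.append(pmf[j] * norm / prev_norm[j])  # eq. (16), numerator for type j
            prev_norm[j] = norm
            means.append(trapz([x * v for x, v in zip(x_grid, vals)], dx) / norm)
        total = sum(weights)                              # eq. (16), sum over d = 1..r
        pmf = [w / total for w in weights]
        out.append((t_i, tuple(pmf), sum(p * m for p, m in zip(pmf, means))))
    return out


# Constructed example (assumed values): type 1 fails early and its signal rises
# steeply as the RL shrinks; type 2 fails late with a shallow signal trend.
TYPES = [FailureType(a=1 / 600, b=3.0, mu0=2.0, mu1=-1 / 300, sigma=0.3),
         FailureType(a=1 / 1500, b=4.0, mu0=1.0, mu1=-1 / 1500, sigma=0.3)]
PRIOR_PMF = [0.7, 0.3]                                           # p_0(j) ~ n_j / N
HISTORY = [(100, 0.60), (200, 1.05), (300, 1.30), (400, 1.70)]   # (t_i, standardised 1st PC), constructed
GRID = [1.0 + 2.0 * k for k in range(1500)]                      # residual life 1 .. 2999


def demo():
    return run_filter(TYPES, PRIOR_PMF, HISTORY, GRID)


if __name__ == "__main__":
    for t, p, mean_rl in demo():
        print(f"t={t:4d}  P(type 1)={p[0]:.3f}  P(type 2)={p[1]:.3f}  E[RL]={mean_rl:7.1f}")
```

Each step evaluates the closed form of (15) directly rather than propagating the previous density, which is what the telescoping products in (16) amount to; the AMSE of (9) to (11) would be computed from the same grid densities once the true failure time is known.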
[Table 1. The estimated parameters and selection results under the influence of failure type 1; column μ_1(x).]

[Table 3. The estimated parameters and selection results for the general model; column μ(x).]
[Figure 2: probability (0 to 1) against time (0 to 700) for failure types 1 and 2. Caption: Figure 2. Tracking the forthcoming failure type over time for the first new component.]

[Figure 4: probability (0 to 1) against time (0 to 1500) for failure types 1 and 2. Caption: Figure 4. Tracking the underlying failure type over time for the second new component.]

[Figure 3: residual life (0 to 1200) against time (0 to 800): actual RL, FM model RL estimate, general model RL estimate. Caption: Figure 3. Comparing the conditional RL estimates of the failure type and general models for the first new component.]

[Figure 5: residual life (0 to 1500) against time (0 to 1500): actual RL, FM model RL estimate, general model RL estimate. Caption: Figure 5. Comparing the conditional RL estimates of the failure type and general models for the second new component.]
failed according to failure type 1 and the second according to type 2. We demonstrate the tracking of the appropriate forthcoming failure type over time using equation (16) and compare the mean RL estimates at each CM point with those obtained using the general model.

With regard to the modelling of optimal maintenance and replacement decisions, the availability of a posterior conditional pdf for the residual life is of greater use than a point estimate. With this in mind, we use equations (10) and (11) to compare the AMSE produced by the models for the two new components.

Figures 2 and 3 illustrate the tracking of the failure type and the conditional RL estimation for the first new component. It is evident from figure 2 that the failure type model correctly tracks the forthcoming failure type over time. The conditional RL estimation process is more accurate using the failure type model, as illustrated in figure 3, when compared with the general model. This is also reflected in the AMSE results with 94884.66 for the failure type model and 105309.92 for the general model.

Figures 4 and 5 illustrate the tracking of the failure type and the conditional RL estimation for the second new component that is known, in hindsight, to have failed according to failure type 2. Again, the failure type model correctly tracks the forthcoming type, as illustrated in figure 4. Figure 5 demonstrates that the failure type model tracks the RL more accurately and rapidly than the general model. This is again reflected in the AMSE results with 68172.64 for the failure type model and 84969.59 for the general model.

7 DISCUSSION

In this paper, we have presented a brief overview of a model for failure type analysis and conditional RL estimation. The modelling concepts have been demonstrated using a trial oil-based data set of component monitoring observations. Although the data set is relatively small, the results do indicate that the failure type model could be very useful for CM scenarios that display different behavioural patterns and have categorisable failures.

In the case study, the failure types are categorised according to the time at which the failure occurs and the behaviour of the various CM processes over time. However, for operational components, the definition
of different failure types can be used to represent different types of operation, or potentially different faults in the system that are affecting the future life of the component.

In the initial analysis, we compared the performance of the failure type model with a general model with no failure type assumptions. The models are compared using an MSE criterion. At each monitoring point, the MSE criterion compares the fit of the established conditional RL pdf about the actual underlying residual life. When utilised in maintenance and replacement models, if the density is tighter about the actual value, the decisions are improved in the sense that greater operational time is available whilst still avoiding the occurrence of failures. The AMSE is substantially smaller, particularly in the second case, when using the failure type model.

We are currently in the process of applying the model to a much larger project involving multiple potential failure types that are categorised according to both the nature of the CM information and the associated failure times.

ACKNOWLEDGEMENT

The research reported here has been supported by the Engineering and Physical Sciences Research Council (EPSRC, UK) under grant EP/C54658X/1.

REFERENCES

Makis, V. and Jardine, A.K.S. (1991) Optimal replacement in the proportional hazards model, INFOR, 30, 172–183.
Zhang, S. and Ganesan, R. (1997) Multivariable trend analysis using neural networks for intelligent diagnostics of rotating machinery, Transactions of the ASME Journal of Engineering for Gas Turbines and Power, 119, 378–384.
Wang, W. and Christer, A.H. (2000) Towards a general condition based maintenance model for a stochastic dynamic system, Journal of the Operational Research Society, 51, 145–155.
Wang, W. (2002) A model to predict the residual life of rolling element bearings given monitored condition information to date, IMA Journal of Management Mathematics, 13, 3–16.
Vlok, P.J., Wnek, M. and Zygmunt, M. (2004) Utilising statistical residual life estimates of bearings to quantify the influence of preventive maintenance actions, Mechanical Systems and Signal Processing, 18, 833–847.
Banjevic, D. and Jardine, A.K.S. (2006) Calculation of reliability function and remaining useful life for a Markov failure time process, IMA Journal of Management Mathematics, 286, 429–450.
Carr, M.J. and Wang, W. (2008a) A case comparison of a proportional hazards model and a stochastic filter for condition based maintenance applications using oil-based condition monitoring information, Journal of Risk and Reliability, 222 (1), 47–55.
Carr, M.J. and Wang, W. (2008b) Modelling CBM failure modes using stochastic filtering theory, (under review).
ABSTRACT: The present work proposes a two-stage modeling framework which aims at representing both a complex maintenance policy and the functional and dysfunctional behavior of a complex multi-component system in order to assess its performance in terms of system availability and maintenance costs. The first stage consists of a generic component model, developed to describe the component degradation and maintenance processes. At the second stage, a system of several components is represented and its behavior is simulated when a given operating profile and maintenance strategy are applied, so as to estimate the maintenance costs and the system availability. The proposed approach has been validated for a simplified turbo-pump lubricating system.
and failure phenomena and to the effects of maintenance actions. All these observations have led to the definition of a general and overall description of all the aspects related to a system and its components' behavior and the different possible maintenance tasks applied.

[Figure 1 (diagram): blocks for the system operation behaviour model, the system failure model, the generic component model and the performance evaluations.]
[Figure 2 (diagram): operating profile, environment, degradation mechanisms, symptoms, failure modes, preventive maintenance, corrective maintenance, system dysfunction and effects on the system. Caption: Figure 2. Generic modeling of a maintained component. Rectangular elements represent the phenomena and aspects involved in a maintained component's behavior and arrows describe how they interact.]

[Figure 3 (diagram): degradation mechanism with its influencing factors, degradation levels i to n, failure mode occurrence and maintenance. Caption: Figure 3. Degradation and failure processes modeling. Rectangular elements represent general aspects and phenomena involved in the described behavior and oval elements their different possible states. Black arrows represent evolution transitions and grey arrows represent the impact of one phenomenon on another.]

Component unavailability, due either to failure mode occurrence in an unscheduled way or to a preventive maintenance operation in a scheduled way, is deterministic in terms of effects on the system operation. Unavailability duration is also linked to resource sharing problems, since specific materials or maintenance repair teams have to be available at a given time to perform the needed tasks.

3.2 Component degradation behavior

[Figure 4 (diagram): degradation mechanism, symptom (insignificant or significant), symptom observation, and maintenance as repair or detection.]
Figure 4 describes the relationships between degradation, symptom and maintenance.

3.3 Component maintenance process

Within the RCM method, different types of maintenance tasks can be performed, devoted to different phenomena to detect and with different effects on the component behavior. The model developed has already been dedicated to this type of strategy in order to let them be represented integrally. Indeed, maintenance activity effectiveness is modeled to represent the ability of preventive actions to detect component degradation, and the ability of both preventive and corrective actions to modify and keep under control the degradation mechanism evolution in order to avoid failure occurrence, as shown in Figures 3 and 4 with the impact of maintenance on the various phenomena described.

Other maintenance policies such as opportunistic maintenance are defined in the system level model and their activation is made through information exchange between the component-level model and the system maintenance model.

In addition to duration and costs, tasks differ in terms of nature, activation condition, and effects on the component state and on its availability, as shown in Table 1. Regarding repair task effectiveness, repair actions are considered either As Good As New, As Bad As Old or partial, and detection tasks are defined with some possible non-detection and false alarm risk errors.

Table 1. RCM method maintenance task characteristics.

  Task                       Activation                                Effects
  Corrective maintenance
    Repair                   Failure mode occurrence                   Unavailability; failure repair
  Predetermined preventive maintenance
    Scheduled replacement    Time period elapsed                       Unavailability
  Condition-based preventive maintenance
    External inspection      Time period elapsed                       No unavailability; symptom detection
    Overhaul                 Time period elapsed                       Unavailability; degradation detection
    Test                     Failure observed during stand-by period   Unavailability; failure repair
    Preventive repair        Symptom > detection threshold;            Unavailability; degradation repair
                             degradation > repair threshold

A focus can be made on the differences between the various condition-based maintenance detection tasks, i.e. external inspections, overhauls and tests, and their relative advantages and disadvantages. Indeed they differ both in terms of the unavailability engendered for the component under maintenance and in terms of the efficiency of the detection, with a relative impact on the task performance cost. In particular, on the one hand, performing an overhaul implies both the component's scheduled unavailability and a high cost, but it is really efficient in terms of detection since it consists of a long and detailed observation of the component to evaluate its degradation state and eventually decide to repair it preventively. On the other hand, external inspections are less expensive and consist of observing the component without stopping it. These two advantages imply a larger distance from the degradation […] still in evolution with an increasing probability of failure mode occurrence). Finally, tests are expensive but efficient tasks that are performed on stand-by components to detect an eventual failure before the component activation, but can have bad effects on it.

4 SYSTEM MODEL: MAINTENANCE COST ASSESSMENT

4.1 Three models to describe the system behavior

The system level consists in representing a system of several components and simulating its behaviour when given operating profiles and maintenance strategies are applied, so as to estimate the maintenance costs and the system availability. This is done through three different models describing its dysfunctional and functioning behaviour and the maintenance rules.
with some associated error risks of non detection or The system dysfunction model describes all the
false alarm. Obviously, this kind of task can easily be degradation/failure scenarii that can affect the system.
used to observe some eventual symptoma characteris- It gives out the global performance indicators of the
tics of one or more degradation mechanisms evolution, maintained system. Indeed, it allows the evaluation of
and so some appreciation error can exist when deci- the system unavailability, due either to a failure either
sion of preventive repair are taken (treatment of the to some maintenance actions, and also the associated
bad degradation mechanisms whereas another one is maintenance costs.
The system operation model aims at describing the nominal behavior and the operating rules of the system. This model interacts with the component models and evolves according to the operating profile and to the needs of the system: activation of a required component, stopping of a superfluous component, ... Obviously the operating behavior of the system cannot be described by the simple juxtaposition of the component-level models and it is necessary to take into account all the possible interactions and dependences between components. At this level one can model spare equipment, activation of defense systems in case of an equipment failure, stopping of a line in case of maintenance of one of its components, ...

In the system maintenance model, one can define the applied system maintenance strategy. It allows the description of grouping procedures which are used to take advantage of economic or technical dependences between components in the case of opportunistic maintenance. This model also includes resource sharing and availability problems due to a limited number of repair teams or specific tools and spare parts stocks.

A global maintenance cost model can be defined by Equation 1:

$$\mathrm{Cost}(\mathrm{Strategy}) = \lim_{T_{Miss}\to\infty} \frac{\sum_i n_i c_i + t_{su} c_{su} + t_{uu} c_{uu}}{T_{Miss}} \qquad (1)$$

where $T_{Miss}$ = the mission time throughout which the system operates; $n_i$ = number of maintenance tasks $i$ performed; $c_i$ = cost of maintenance task $i$; $t_{su}$ = time the system is under scheduled unavailability; $t_{uu}$ = time the system is under unscheduled unavailability; $c_{su}$ = cost of scheduled unavailability; $c_{uu}$ = cost of unscheduled unavailability.

According to Equation 1, one can decide to assess the global costs of strategies that differ in terms of task type and frequency, knowing their relative costs of operation, in order to impact on the associated durations of scheduled and unscheduled unavailability engendered.
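The following Python program is an added example, not the authors' SSPN/Monte Carlo model, that makes Equation 1 concrete. It simulates one component whose single degradation mechanism moves through discrete levels with Weibull sojourn times (the distribution the paper uses in Section 5.2), with the two condition-based detection tasks of Table 1: an external inspection that engenders no unavailability but carries non-detection and false alarm risks, and an overhaul that stops the component but detects perfectly. Each task performance, preventive repair and corrective repair is counted as a task $i$ of Equation 1, and the returned cost rate is Equation 1 for a finite $T_{Miss}$. The Task and Component data classes, the task names and every numeric value are constructed assumptions.

```python
import random
from dataclasses import dataclass


@dataclass
class Task:
    """A condition-based detection task with the Table 1 characteristics (constructed)."""
    name: str
    period: float         # time between two performances of the task
    cost: float           # c_i in Equation 1
    duration: float       # scheduled unavailability engendered (0 for an external inspection)
    p_detect: float       # probability of seeing a degradation at or above the repair threshold
    p_false_alarm: float  # probability of deciding a useless preventive repair


@dataclass
class Component:
    """One degradation mechanism with discrete levels 0..levels; failure when `levels` is reached."""
    levels: int = 4
    repair_threshold: int = 2      # preventive repair decided at or above this level
    shape: float = 2.0             # Weibull shape of the sojourn time in a level
    scale: float = 100.0           # Weibull scale of the sojourn time in a level
    corrective_cost: float = 500.0
    corrective_duration: float = 20.0
    preventive_cost: float = 120.0
    preventive_duration: float = 5.0


def cost_rate(task_counts, task_costs, t_su, c_su, t_uu, c_uu, t_miss):
    """Equation 1 evaluated over a finite mission time T_Miss."""
    total = sum(n * task_costs[name] for name, n in task_counts.items())
    total += t_su * c_su + t_uu * c_uu
    return total / t_miss


def simulate(comp, tasks, t_miss, c_su, c_uu, seed=1):
    """One mission of length t_miss; returns the ingredients and the value of Equation 1."""
    rng = random.Random(seed)

    def sojourn():
        return rng.weibullvariate(comp.scale, comp.shape)

    next_task = {t.name: t.period for t in tasks}
    counts = {t.name: 0 for t in tasks}
    counts.update({"preventive repair": 0, "corrective repair": 0})
    costs = {t.name: t.cost for t in tasks}
    costs.update({"preventive repair": comp.preventive_cost,
                  "corrective repair": comp.corrective_cost})
    level, now, t_su, t_uu = 0, 0.0, 0.0, 0.0
    next_step = sojourn()                       # time of the next degradation level transition

    while True:
        task = min(tasks, key=lambda t: next_task[t.name])
        t_event = min(next_step, next_task[task.name])
        if t_event >= t_miss:
            break
        now = t_event
        if next_step <= next_task[task.name]:   # degradation level transition
            level += 1
            if level >= comp.levels:            # failure mode occurrence: corrective repair
                counts["corrective repair"] += 1
                t_uu += comp.corrective_duration
                now += comp.corrective_duration
                level, next_step = 0, now + sojourn()   # As Good As New
            else:
                next_step = now + sojourn()
        else:                                   # detection task performance
            counts[task.name] += 1
            t_su += task.duration
            now += task.duration
            degraded = level >= comp.repair_threshold
            alarm = rng.random() < (task.p_detect if degraded else task.p_false_alarm)
            if alarm:                           # preventive repair decided (As Good As New)
                counts["preventive repair"] += 1
                t_su += comp.preventive_duration
                now += comp.preventive_duration
                level, next_step = 0, now + sojourn()
            else:
                next_step += task.duration      # degradation frozen while the component is stopped
            next_task[task.name] = now + task.period
        for name in next_task:                  # no task is performed while under repair
            next_task[name] = max(next_task[name], now)
    return {"counts": counts, "t_su": t_su, "t_uu": t_uu,
            "cost_rate": cost_rate(counts, costs, t_su, c_su, t_uu, c_uu, t_miss)}


def compare_strategies(period, t_miss=20000.0, seed=7):
    """Equation 1 for the three strategy families of Section 5.2 at one task period."""
    comp = Component()
    inspection = Task("external inspection", period, cost=15.0, duration=0.0,
                      p_detect=0.7, p_false_alarm=0.05)
    overhaul = Task("overhaul", period, cost=80.0, duration=2.0,
                    p_detect=1.0, p_false_alarm=0.0)
    # combined strategy: inspections at the base period, overhauls three times less often
    sparse_overhaul = Task("overhaul", 3 * period, cost=80.0, duration=2.0,
                           p_detect=1.0, p_false_alarm=0.0)
    strategies = {"overhauls only": [overhaul],
                  "inspections only": [inspection],
                  "both": [inspection, sparse_overhaul]}
    return {name: simulate(comp, tasks, t_miss, c_su=5.0, c_uu=50.0, seed=seed)["cost_rate"]
            for name, tasks in strategies.items()}
```

Calling compare_strategies for a range of periods gives cost curves of the kind plotted in Figures 8 to 10; the ordering of the strategies depends entirely on the constructed parameters (task costs, durations, detection and false alarm probabilities), which is exactly the data Table 2 of the paper has to supply from expert opinion.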
4.2 Interactions between the different models

The three system-level models and the component-level model interact together in order to represent completely the system behavior, its unavailability and expenditures, knowing the behavior of its components and the maintenance tasks that are carried out. Component-level models give information on component states (failure, unavailability for maintenance) and on maintenance costs to the three other system-level models, which evolve according to this input data and possibly send feedback data.

As shown on Figure 1, the system operation model sends information to the component-level models to activate a stand-by component or stop an auxiliary component that has become useless after the repair of the main component. The system maintenance model can send data to the component-level model to force the maintenance of a component coupled together with a component already in maintenance.

4.3 Maintenance strategy assessment

The overall model presented permits maintenance strategy assessment by evaluating the performances obtained from the system on which a given strategy is applied. This takes into account both the maintenance costs, depending on the number of tasks performed and the relative resources used, and the system availability and unavailability during its mission time.

5 CASE STUDY AND RESULTS

5.1 Model development and validation: Petri Nets and Monte Carlo simulation

The proposed generic methodology has been implemented using Stochastic Synchronized Petri nets (SSPN) and has been coupled with Monte Carlo simulation to compute the performance assessment of industrial systems, see e.g. (Barata et al., 2002; Bérenguer et al., 2007; Dutuit et al., 1997). For system dependability studies, SSPN offer a powerful and versatile modeling tool that can be used jointly with Monte Carlo simulation, which is widely used in this kind of work, see e.g. (Barata et al., 2002; Simeu-Abazi & Sassine 1999).

In order to validate the modeling approach, simulations of real complex system behavior have been made to study the effects of parameter variations, such as maintenance task period, on the system behavior, with really interesting results obtained that have encouraged further developments to improve its specificities.

5.2 Case study: Turbo-pump lubricating system

We provide here results obtained on a part of a simplified turbo-pump lubricating system, described on Figure 5, to underline the main originality of the proposed approach, that is the capability of multi-component system modeling and complex maintenance assessment. In particular the objective of the
case study was to compare different possible strategies in terms of global cost, composed of different types of tasks, depending on their periodicity.

[Figure 5 residue: system diagram with components Cl1, Po1, Ca, Po2, Cl2; caption not in the extraction]

Expert opinions and information data have been collected to define components and system characteristics as well as those of the maintenance tasks possibly performed, to let the modeling approach be applied and simulated. Indeed, for each component, degradation mechanism and maintenance task, basic parameters such as those in Table 2 have to be specified. Obviously, maintenance tasks are also described in terms of periodicity and decision rule criteria, that is which degradation levels can be observed and when preventive repairs are decided to be performed. These characteristics define the maintenance strategy applied and simulated.

To model the particular case presented, for each component, the main degradation mechanisms have been characterized in terms of levels of degradation and relative failure rate for the various possible failure modes, possible symptoms and their probability or delay of apparition and evolution until some significant thresholds. We also defined the evolution transitions from one degradation level to the successive one and finally, the influencing factors that have effects on the mechanism evolution. In the present case study, mechanism evolution has been modelled using a Weibull life-time distribution law, whose parameters were depending on the mechanisms described and the information available from the experts, to compute the time of the transition from one degradation level to the successive one.

In particular the following statements, described on Figures 6 and 7, have been defined regarding the different relationships between the degradation mechanisms, associated symptoms and failure modes considered for each component: Concerning Sensor Ca, only very rare random occurrence of an electronic failure has been considered, and no symptom nor degradation mechanism.

[Figure 6 labels: Failure Mode 1 (Unscheduled shutdown); Failure Mode 2 (Impossible starting); Degradation Mechanism A (Bearing wear); Degradation Mechanism B (Oxidation)]
Figure 6. Description of the relationships between the degradation mechanisms, failure modes and symptoms considered in the modeling of Pumps P01 and P02 behavior.

[Figure 7 labels: Failure Mode 3 (No opening); Failure Mode 4 (External leaks); Degradation Mechanism C (Axis blocking); Degradation Mechanism D (Joint wear); Symptom 3 (Deposits)]
Figure 7. Description of the relationships between the degradation mechanisms, failure modes and symptoms considered in the modeling of check valves Ca1 and Ca2 behavior.

Then, different tasks were considered to define the preventive maintenance strategies applied to the system, with condition-based maintenance for pumps and check valves and systematic maintenance for the sensor:

– Pumps Po1 and Po2 degradation can be notified directly by practicing overhauls, specific to each degradation mechanism, or indirectly thanks to external inspections, to detect the symptoms that have eventually appeared. Then, depending on the detection results, preventive repair can be performed to avoid failure mode occurrences. As previously said, overhauls are very effective detection tasks but engender component scheduled unavailability
for maintenance, whereas external inspections are made without stopping the component but present a risk of error in the detection (non-detection or false alarm). Moreover, in the proposed case study, one of the symptoms can appear due to the two degradation mechanisms, which implies another error risk for the repair decision that can be taken after the component inspection: the possible repair of the wrong mechanism without reducing the failure mode occurrence probability linked to the other mechanism.
– Check-valves Ca1 and Ca2 degradation can also be notified directly by practicing overhauls specific to each degradation mechanism. Since one of the degradation mechanisms cannot be detected thanks to an associated symptom, external inspections can only be performed to detect the evolution of the other mechanisms, avoiding the performance of the relative specific overhaul.
– Sensor Ca failure is supposed to be random and rare, so a systematic repair is performed before its expected occurrence.

Table 2. Basic parameters needed for model simulation. [table content not in the extraction]

Finally, the way the entire system can function or become failed or unavailable for maintenance has been represented by means of classical reliability tools such as failure and event trees. In particular, the two branches composed of pump and check valve are operating in a redundant way and the switch-over from one to the other is made thanks to the sensor, which detects the failure of the activated branch and leads to the activation of the stand-by one.

Condition-based and systematic maintenance tasks are performed with a given frequency in order to detect and, if necessary, repair component degradation to avoid their failure. After the activated branch has failed, the other branch is activated so as to render possible the corrective repair without creating some additional unavailability.

The system can be unavailable either in a scheduled way, for a preventive maintenance task performance, or in an unscheduled way, due to some component failure.

Different strategies, differing essentially on the type of preventive tasks performed on the pumps and check valves, have been simulated and for each one an evaluation of the relative maintenance costs as defined by Equation 1 has been computed according to the variation of the task periodicity. The objective was
to compare the strategies in terms of the cost difference induced by preferring one type of detection task to the other one, i.e. overhauls and external inspections, for the preventive maintenance of pumps and check valves, given the relative characteristics of the tasks.

Figure 8 presents the results obtained for a strategy only made of overhauls for pumps and check valves, whereas on Figure 9 only external inspections were performed to detect pump and check valve degradation.

[Figure 8: bar chart; y-axis Maintenance global costs (0 to 5000); x-axis Maintenance tasks periodicity increasing]
Figure 8. Maintenance costs for a strategy made of overhauls.

[Figure 9: bar chart; y-axis Maintenance global costs (1000 to 4500); x-axis Maintenance tasks periodicity increasing]
Figure 9. Maintenance costs for a strategy made of external inspections.

As it is easy to note, even if external inspections are less costly and do not induce some system unavailability, the second strategy evaluation leads to higher global maintenance costs. That is obviously due to the fact that all the external inspection tasks represent some non-detection and false alarm error risks, which are even more important regarding degradation mechanism C. It is indeed impossible to detect its evolution through some symptom detection and it has been assumed that it is done with a very poor efficiency due to the distance between the degradation evolution and the task performance.

Thus, it is interesting to compare the advantage of performing both the different types of tasks. By so doing, it is indeed possible to control the system components degradation evolution indirectly when possible, with external inspections devoted to some symptom detection, and also in a more direct way with overhauls. Those are more efficient in terms of degradation detection and, when performed with a higher periodicity, the global maintenance costs can be reduced.

Figure 10 presents the minimal global costs for different strategies composed as follows:

– external inspections supported by overhauls to detect degradation mechanisms A, B and D, i.e. those detectable through some symptom observation, with overhauls performed with a higher periodicity than the external inspections one,
– overhauls to detect the evolution of degradation mechanism C, since it is not convenient in terms of efficiency to observe it through external inspections.

[Figure 10: bar chart; y-axis Minimal strategies global costs (0 to 1400); x-axis Maintenance strategies]
Figure 10. Maintenance costs for maintenance strategies made of both overhauls and external inspections. The black bar represents the minimal cost of the overhauls-only strategy; grey bars represent the minimal cost of the strategies made of both overhauls and external inspections.

Again, strategies were differing in terms of task periodicity and are here compared to the minimal cost
corresponding to the strategy composed only of overhauls, to show that some appropriate combinations make it possible to reduce the global maintenance costs.

6 CONCLUSIONS

The objective of the work presented here is to model and to simulate maintenance programs in order to provide quantitative results which could support choices between different maintenance tasks and frequencies. The approach is dedicated to multi-component systems and RCM-type complex maintenance strategies. This is done through a structured and modular model which allows taking into consideration dependences between system components due either to failures or to operating and environmental conditions. Maintenance activities effectiveness is modeled to represent the ability of preventive actions to detect component degradations, and the ability of both preventive and corrective actions to modify and keep under control the degradation mechanism evolution in order to avoid failure occurrence. It also lets one take into account resource sharing problems such as repair teams or spare parts stocks. A case study regarding the modeling of a turbo-pump lubricating system shows how the approach can efficiently be used to compare various maintenance strategies.

REFERENCES

...tems. In MM2007 proceedings Maintenance Management conference, Roma, 27–28 September 2007. [beginning of the entry not in the extraction]
Barata, J., Guedes Soares, C., Marseguerra, M. & Zio, E. 2002. Simulation modeling of repairable multi-component deteriorating systems for on-condition maintenance optimisation. Reliability Engineering and System Safety 76: 255–267.
Dekker, R. 1996. Applications of maintenance optimization models: a review and analysis. Reliability Engineering and System Safety 51(3): 229–240.
Dutuit, Y., Chatelet, E., Signoret, J.P. & Thomas, P. 1997. Dependability modeling and evaluation by using stochastic Petri Nets: Application to two test cases. Reliability Engineering and System Safety 55: 117–124.
Marseguerra, M. & Zio, E. 2000. Optimizing Maintenance and Repair Policies via a combination of Genetic Algorithms and Monte Carlo Simulation. Reliability Engineering & System Safety 68(1): 69–83.
Moustafa, M.S., Abdel Maksoud, E.Y. & Sadek, S. 2004. Optimal major and minimal maintenance policies for deteriorating systems. Reliability Engineering and System Safety 83(3): 363–368.
Simeu-Abazi, Z. & Sassine, C. 1999. Maintenance integration in manufacturing systems by using stochastic Petri Nets. International Journal of Production Research 37(17): 3927–3940.
Valdez-Flores, C. & Feldman, R.M. 1989. A survey of preventive maintenance models for stochastically deteriorating single-unit systems. Naval Research Logistics Quarterly 36: 419–446.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: Redundancy Allocation Problems (RAPs) are among the most relevant topics in reliable sys-
tem design and have received considerable attention in recent years. However, proposed models are usually
built based on simplifying assumptions about the system reliability behavior that are hardly met in practice.
Moreover, the optimization of more than one objective is often required as, for example, to maximize sys-
tem reliability/availability and minimize system cost. In this context, a set of nondominated solutions—system
designs with compromise values for both objectives—are of interest. This paper presents an ACO approach
for multiobjective optimization of availability and cost in RAPs considering repairable systems subjected to
imperfect repairs handled via Generalized Renewal Processes. The dynamic behavior of the system is modeled
through Discrete Event Simulation. The proposed approach is illustrated by means of an application example
involving repairable systems with series-parallel configuration.
attempts to imitate system behavior by randomly generating discrete events (e.g. failures) during simulation time (mission time). In addition, the DES flexibility permits the introduction of many real system aspects, such as taking into account the availability of maintenance resources during mission time.

1.1 Previous works

Shelokar et al. (2002) exemplify the application of ACO coupled with a strength Pareto-fitness assignment to handle multiobjective problems in reliability optimization. In the context of electrical systems, Ippolito et al. (2004) propose a multiobjective ACO to find the optimal planning strategy for electrical distribution systems. The authors use as many ant colonies as handled objectives, and the algorithm is divided in two different phases: a forward phase in which each ant colony attempts to optimize separate objectives and a backward phase in which nondominated solutions are taken into account. ACO was applied by Liang & Smith (2004) to solve a RAP with the single objective of maximizing system reliability subject to cost and weight constraints. They assume nonrepairable components with constant reliability values over m

ission time. Nahas & Nourelfath (2005) use ACO to find the best set of technologies to form a series system with the aim of obtaining maximal reliability given budget constraints. As in Liang & Smith (2004), reliability values are fixed during mission time. Zhao et al. (2007) use a multiobjective ant colony system approach in order to maximize reliability in a RAP with a series-parallel system formed by k-out-of-n:G subsystems. It is important to emphasize that the authors do not obtain a set of nondominated solutions, since they only aim to maximize system reliability subject to cost and weight constraints. Nevertheless, each component's features (reliability (r), cost (c) and weight (w)) are summarized in the quotient r/(c + w), which is used as problem-specific heuristic information during the execution of ACO.

The majority of the works in the literature regarding ACO for solving RAPs do not give enough attention to the system reliability aspect. RAPs are usually built based on simplifying assumptions about the reliability behavior of the system and of its components in order to facilitate the problem modeling and solution. These simplifications (e.g. considering nonrepairable components with constant reliability values over mission time) are often non-realistic and do not permit the evaluation of some important real-world problems. Indeed, models for repairable systems in RAPs using GA as optimization algorithm assume that components have constant failure rates, i.e., that they have an underlying Exponential distribution to model the times between failures (see, for example, Busacca et al. (2001), Chiang & Chen (2007), Juang et al. (2008)). This hypothesis does not allow for the incorporation of the effects of component deterioration and may incur grotesque estimation errors of some important performance measures such as system availability (Bowles 2002). Although Cantoni et al. (2000) tackle repairable systems with imperfect repairs, they consider constant failure rates from the moment that a component returns into operation until the occurrence of the very next failure. Moreover, they use a Brown-Proschan (B-P) model of imperfect repairs, which is a specific type of failure intensity model (Doyen & Gaudoin 2004).

In a recent paper, Kuo & Wan (2007) emphasize that optimization approaches other than GA, such as ACO, may be investigated and more widely applied in solving RAPs. Besides, they also stress that non-renewable multi-state systems ought to be taken into account in RAP approaches.

In this paper, as an attempt to join ACO and non-renewable systems in RAPs, a multiobjective ACO algorithm coupled with DES is provided to solve RAPs in the context of repairable systems with components subjected to imperfect repairs. The two selected objectives are the system average availability and the total system cost. DES is used to obtain the former objective and also some parameters required for the cost calculation over the established mission time. The system cost is composed of the component acquisition and operating costs, corrective maintenance costs and costs incurred due to system unavailability. A limited amount of maintenance resources is considered to give maintenance support to the entire system. As soon as a component fails, a maintenance resource is required and, if it is available, a delay time is generated according to an Exponential distribution. Each component is supposed to have times to failure (TTF) modeled by Weibull distributions. The times to repair (TTR), in turn, are assumed to be exponentially distributed with different means.

The desired outcome is a set of nondominated system designs. The decision maker can then have an idea of system average availability during mission time and of the related costs that might have been spent at the end of that period. Moreover, note that the system life-time cycle is thus taken into account and it is not merely an issue of obtaining compromise designs at the system acquisition moment.

The paper organization is as follows. Section 2 introduces some concepts related to GRP and to multiobjective optimization. Section 3 details the use of multiobjective ACO, whereas Section 4 describes the DES approach considered in this work. In Section 5 an example application is discussed and the following section gives some concluding remarks.
2 PRELIMINARIES

of Equation 1 yields:
$$h_i(x) \le 0, \quad i = p+1, \ldots, m \qquad (7)$$

where $z$ is the vector formed by $k$ objective functions, $x$ is the $n$-dimensional vector of decision variables, $p$ is the number of equality constraints $g_i(x)$ and $m - p$ is the quantity of inequality constraints $h_i(x)$. Frequently, in the multiobjective context, a unique solution that optimizes all objectives is very difficult to find or does not exist. Thus, a set of compromise solutions among objectives, i.e. nondominated solutions, may be sought. A solution is said to be nondominated if, for all objectives, it has a performance at least as great as the performances of the other solutions and, for at least one of the objectives, its performance overcomes the performance of the others. In mathematical terms:

$$x_1 \succ x_2 \;\Leftrightarrow\; f_h(x_1) \ge f_h(x_2)\ \forall h \ \text{ and }\ f_h(x_1) > f_h(x_2)\ \text{ for some } h \qquad (8)$$

where $\succ$ denotes that $x_1$ dominates $x_2$ (i.e., $x_1$ is nondominated) considering a maximization problem. Otherwise, if a minimization problem is taken into account, the symbols $\ge$ and $>$ must be replaced by $\le$ and $<$, respectively. Once the set of nondominated solutions (also known as the Pareto front) is obtained, the decision maker can choose any of the solutions to be implemented according to his preferences.

Optimization methods usually handle multiobjective problems by transforming them into a single objective problem and then applying classical mathematical programming methods such as linear and nonlinear programming (Luenberger 1984). The Weighted Sum Method and the ε-Perturbation Method are examples of traditional multiobjective approaches (Coello et al., 2002, Deb 1999). However, a significant drawback in applying those methods is the fact that they have to be executed several times in order to obtain different nondominated solutions. Moreover, objective functions that do not have some features such as continuity and differentiability render these classical methods useless.

Alternatively, stochastic optimization methods based on nature such as ACO can be applied in optimizing multiobjective problems given their flexibility in handling each objective separately. Since these methods consider various potential solutions simultaneously, a number of Pareto solutions can be reached in a single execution of the algorithm.

3 MULTIOBJECTIVE ACO

The multiobjective ACO (multiACO) put forward in this work is a problem-specific algorithm which is based on the single objective Ant System for the Traveling Salesman Problem (TSP) proposed by Dorigo et al. (1996). The following subsections are dedicated to the discussion of the proposed multiACO.

3.1 Input data

Initially it is necessary to identify the number of subsystems in series ($s$), the maximum ($n_{i,max}$) and minimum ($n_{i,min}$) number of redundant components in the $i$th subsystem, $i = 1, \ldots, s$. Each subsystem can be composed of different technologies, which may have different reliability and cost features. Hence, the quantity of available component types ($c_i$, $i = 1, \ldots, s$) that can be allocated in each subsystem is also required. With this information, the ants' environment is constructed.

Moreover, information about component TTF and TTR distributions and the component-related costs needs to be specified. The ACO-specific parameters $nAnts$, $nCycles$, $\alpha$, $\beta$, $\rho$ and $Q$ are also required and they are discussed in Subsection 3.3.

3.2 Environment modeling

The environment to be explored by the ants is modeled as a directed graph $D = (V, A)$, where $V$ is the vertex set and $A$ is the arc set. $D$ has an initial vertex (IV) and a final vertex (FV) and is divided in phases that are separated by intermediate vertices. An intermediate vertex indicates the ending of a phase and also the beginning of the subsequent phase and therefore is common to adjacent phases. In this work, a phase is defined as the representation of a subsystem and vertices within a phase represent either its extremities or the possible components to be allocated in parallel in such subsystem. The quantity of vertices of the $i$th phase is equal to $n_{i,max} \cdot ct_i$ plus the two vertices indicating its beginning and its ending.

Vertices are connected by arcs. Firstly, consider a problem with a unique subsystem. Hence, there is only one phase with IV and FV, and intermediate vertices are not necessary. IV is linked to all vertices within the existent phase (except FV), which in turn are connected with each other and also with FV. Now suppose a problem involving two subsystems. Then, an intermediate vertex plays the role of FV for the first phase and also the role of IV for vertices within the second phase. All vertices in the second phase (except the vertex indicating its beginning) are linked to FV. These instructions can be followed in the case of $s$ subsystems. Arcs linking vertices within the $i$th phase belong to such phase.

For the sake of illustration, Figure 1 shows an example of a directed graph representing an ants' environment, where $s = 2$, $n_{1,min} = 1$, $n_{1,max} = 2$, $ct_1 = 2$, $n_{2,min} = 1$, $n_{2,max} = 1$, $ct_2 = 4$.
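The environment construction of Subsection 3.2, as an added Python example that is not the authors' multiACO code. It builds $D = (V, A)$ phase by phase for any number of subsystems, exposes the moves available to an ant standing on a vertex, and instantiates the Figure 1 case ($s = 2$, $n_{1,max} = 2$, $ct_1 = 2$, $n_{2,max} = 1$, $ct_2 = 4$); $n_{i,min}$ constrains the paths, not the graph, so it is not needed here. The vertex naming and the choice to connect component vertices of a phase in both directions are assumptions of this example.

```python
def build_environment(n_max, ct):
    """Directed graph D = (V, A) for s = len(n_max) subsystems in series.

    n_max[i] is n_{i,max} and ct[i] is ct_i. Returns (vertices, arcs, phases), where
    phases[i] records the start/end vertices, component vertices and arcs of phase i.
    """
    s = len(n_max)
    if len(ct) != s:
        raise ValueError("n_max and ct must have one entry per subsystem")
    # IV, the s-1 intermediate vertices and FV, in path order (naming is an assumption)
    boundaries = [("IV",)] + [("INT", i) for i in range(1, s)] + [("FV",)]
    vertices = list(boundaries)
    arcs, phases = set(), []
    for i in range(s):
        start, end = boundaries[i], boundaries[i + 1]
        # one vertex per (redundancy slot, component type): n_{i,max} * ct_i of them
        comps = [("C", i, slot, typ) for slot in range(n_max[i]) for typ in range(ct[i])]
        vertices.extend(comps)
        phase_arcs = set()
        for v in comps:
            phase_arcs.add((start, v))      # the phase start reaches every component vertex
            phase_arcs.add((v, end))        # every component vertex reaches the phase end
            for w in comps:                 # component vertices "connected with each other":
                if v != w:                  # arcs in both directions (assumption)
                    phase_arcs.add((v, w))
        arcs |= phase_arcs
        phases.append({"start": start, "end": end, "components": comps, "arcs": phase_arcs})
    return vertices, arcs, phases


def successors(arcs, v):
    """Vertices an ant standing on v may move to next."""
    return sorted(w for (u, w) in arcs if u == v)


def phase_vertex_count(n_max_i, ct_i):
    """Size of phase i as stated in the text: n_{i,max} * ct_i plus its two boundary vertices."""
    return n_max_i * ct_i + 2


def figure1_environment():
    """The Figure 1 instance of the paper."""
    return build_environment(n_max=[2, 1], ct=[2, 4])
```

For the Figure 1 instance the graph has 3 boundary vertices plus 4 + 4 component vertices, and each phase contributes 4 entry arcs, 4 exit arcs and 12 arcs among its component vertices. An ant's tour is a path from IV to FV; the repetition of a (slot, type) pattern along that path is what later encodes how many components of each type a subsystem receives.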
where $\rho$ is the pheromone evaporation between times $t$ and $t + m$. The quantity $\tau_{vw}$ is obtained by

$$\tau_{vw} = \sum_{k=1}^{nAnts} \tau_{vw,k} \qquad (11)$$
3.4 Dominance evaluation
The desired result of multiACO is a set of nondomi-
nated solutions (N ), which may contain all compro-
mise system designs found during the algorithm run.
Therefore each ant is evaluated for each objective and
has a number of associated objective values equal to
the quantity of objectives (each objective is treated
separately).
The set N is updated at the end of each cycle.
Firstly, however, a set of candidate solutions (CS) to
be inserted in N is obtained by the assessment of the
dominance relation among ants within the cycle under
consideration. If ant k is dominated by other ants in
the current cycle, then it is not introduced in CS. Oth-
erwise, if ant k is nondominated in relation to all ants
in the present cycle, then it is inserted in CS. Next, it is
necessary to evaluate the dominance relation of each
element in CS in relation to solutions already stored
in N . Suppose that ant k is in CS, then: (i) if ant k is
dominated by elements in N , then ant k is ignored; (ii)
if ant k dominates solutions in N , then all solutions
dominated by ant k are eliminated from N and a copy
of ant k is inserted in N .
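The dominance test of Equation 8 and the two-stage update of N described in Subsection 3.4, as an added Python example that is not the authors' multiACO code. An ant is represented by its tuple of objective values; `senses` records, per objective, whether it is maximized (average availability) or minimized (total cost), which is the ≥/> versus ≤/< switch mentioned after Equation 8. The sample objective values are constructed.

```python
def dominates(a, b, senses):
    """Equation 8: a dominates b when it is at least as good on every objective and
    strictly better on at least one; senses[h] is "max" or "min" for objective h."""
    at_least_as_good, strictly_better = True, False
    for fa, fb, sense in zip(a, b, senses):
        better = fa > fb if sense == "max" else fa < fb
        worse = fa < fb if sense == "max" else fa > fb
        if worse:
            at_least_as_good = False
            break
        if better:
            strictly_better = True
    return at_least_as_good and strictly_better


def candidate_solutions(cycle_ants, senses):
    """CS: the ants of the current cycle that no other ant of the same cycle dominates."""
    cs = []
    for i, ant in enumerate(cycle_ants):
        if not any(dominates(other, ant, senses)
                   for j, other in enumerate(cycle_ants) if j != i):
            cs.append(ant)
    return cs


def update_nondominated(N, cycle_ants, senses):
    """Merge the cycle's candidate solutions into N following (i) and (ii) of Subsection 3.4."""
    N = list(N)                                    # do not mutate the caller's set
    for ant in candidate_solutions(cycle_ants, senses):
        if any(dominates(n, ant, senses) for n in N):
            continue                               # (i) ant k is dominated by N: ignored
        N = [n for n in N if not dominates(ant, n, senses)]   # (ii) drop what ant k dominates
        if ant not in N:
            N.append(ant)                          # a copy of ant k is inserted in N
    return N


# constructed sample: (average availability, total cost) of four ants in one cycle
SENSES = ("max", "min")
CYCLE = [(0.95, 100), (0.90, 80), (0.90, 120), (0.99, 300)]
PREVIOUS_N = [(0.92, 110), (0.99, 250)]
```

Here (0.90, 120) never enters CS because (0.95, 100) is better on both objectives; (0.92, 110) leaves N for the same reason once (0.95, 100) is merged; and (0.99, 300) is ignored because the stored (0.99, 250) has the same availability at lower cost.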
546
Figure 3. Pseudocode for the system availability estimation.

zk [=1(available); =0(unavailable)] and tk be the component state, system state and time at the kth step, respectively. Moreover, let ck be a counter of the number of times that the system is available by the end of the kth step, hi(·) and mi(·) be the time to failure and repair time probability density functions of the component i, and A(tk) be the system availability at time tk. If nC is the number of system components, a DES iteration can be written in pseudocode as shown in Figure 3.
In a nutshell, the algorithm described above may be thought of in the following way: while the process time ti is lower than the mission time tk, the following steps are accomplished: (i) the time to failure τi of the component i is sampled from hi(·); (ii) ti is increased by τi; (iii) the condition (ti ≥ tk) means component i ends the kth step in an available condition (zik = 1); otherwise, component i failed before the kth step; (iv) in the latter case, the repair time xi is sampled from mi(t) and ti is increased by it; if (ti ≥ tk) the component i ends the kth step under a repair condition and is therefore unavailable (zik = 0); (v) upon assessing the states of the nC components at the kth step, the system state zk is assessed via the corresponding system BDD; (vi) finally, the counter ck is increased by zk. The aforementioned procedure is repeated M times, a sufficiently large number of iterations, and then the availability measure A(tk) at the kth step is estimated by dividing the value ck by M.
A number of random variables are obtained via DES and fed back to multiACO with the aim of calculating the objectives (that is, system mean availability and system total cost): system operating/unavailable time and each component's number of repairs and operating time.

5 EXAMPLE APPLICATION

$$CA = \sum_{i=1}^{s} \sum_{j=1}^{m_i} ca_{ij} \cdot x_{ij} \qquad (14)$$

where s is the number of subsystems, mi is the quantity of components in subsystem i, caij is the acquisition cost of the jth component type of the ith subsystem and xij is the quantity of that component.

$$CO = \sum_{i=1}^{s} \sum_{j=1}^{m_i} \sum_{k=1}^{x_{ij}} co_{ij} \cdot to_{ijk} \qquad (15)$$

where coij is the operating cost per unit time for the jth component type of the ith subsystem and toijk is the operating time of the kth copy of that component.

$$CCM = \sum_{i=1}^{s} \sum_{j=1}^{m_i} \sum_{k=1}^{x_{ij}} ccm_{ij} \cdot n_{ijk} \qquad (16)$$

where ccmij is the corrective maintenance cost for the jth component type of subsystem i and nijk is the quantity of repairs to which the kth component is subjected over mission time.

$$CU = cu \cdot t_u \qquad (17)$$

where cu is the cost per unit time related to system unavailability and tu is the system unavailable time during mission time. Hence, C = CA + CO + CCM + CU, in which C is the system total cost. The variables toijk (Equation 13), nijk (Equation 14) and tu (Equation 15) are obtained via DES of the system dynamics.
Moreover, it is considered a repairable system with 3 subsystems in series, S1, S2 and S3. The minimum and maximum number of components in parallel and the quantity of different technologies for each subsystem are listed in Table 2.
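The Figure 3 procedure and the cost terms (14)-(17) it feeds, as an added example that is not the authors' code: a per-component failure/repair timeline is simulated M times, the system state at each step tk is taken from a series-of-parallel structure function (an assumption standing in for the system BDD), and the DES outputs (operating time, number of repairs, unavailable time) are priced. Perfect repairs and no logistic delay are assumed, and the component data are constructed since Table 3 is not on this page.

```python
"""Discrete event simulation of a repairable series-parallel system in the
spirit of the Figure 3 pseudocode, feeding the cost terms (14)-(17).
Added example, not the authors' code. Assumptions: perfect repairs (no Kijima
virtual age), no logistic delay, and a series-of-parallel structure function
in place of the system BDD; component data are constructed, Table 3 being
absent from this page."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ComponentType:
    alpha: float   # Weibull TTF scale (time units)
    beta: float    # Weibull TTF shape
    lam: float     # exponential TTR rate
    ca: float      # acquisition cost ca_ij
    co: float      # operating cost per unit time co_ij
    ccm: float     # corrective maintenance cost per repair ccm_ij


def weibull_ttf(ct, rng):
    """Inverse-transform sample of the time to failure tau_i from h_i(.)."""
    return ct.alpha * (-math.log(1.0 - rng.random())) ** (1.0 / ct.beta)


def simulate_component(ct, mission, rng):
    """Alternate failure and repair until the mission time, as steps (i)-(iv).
    Returns (up intervals, number of repairs n_ijk, operating time to_ijk)."""
    t, ups, n_rep, op_time = 0.0, [], 0, 0.0
    while t < mission:
        up_start = t
        t += weibull_ttf(ct, rng)                 # (i)-(ii)
        up_end = min(t, mission)
        ups.append((up_start, up_end))
        op_time += up_end - up_start
        if t >= mission:                          # (iii): ends the mission available
            break
        n_rep += 1
        t += rng.expovariate(ct.lam)              # (iv): repair time x_i from m_i(.)
    return ups, n_rep, op_time


def is_up(ups, t):
    return any(a <= t < b for a, b in ups)


def system_up(histories, t):
    """Series of parallel blocks: every subsystem needs at least one copy up (step v)."""
    return all(any(is_up(h[0], t) for h in sub) for sub in histories)


def simulate_system(design, mission, steps, rng, n_grid=500):
    """One DES run over a design given as a list of subsystems, each a list of
    ComponentType entries (one per installed copy x_ij).
    Returns (z_k per step, unavailable time t_u, per-copy (n_ijk, to_ijk))."""
    histories = [[simulate_component(ct, mission, rng) for ct in sub] for sub in design]
    z = [1 if system_up(histories, tk) else 0 for tk in steps]
    dt = mission / n_grid                         # t_u on a fixed grid (constructed resolution)
    t_u = sum(dt for g in range(n_grid) if not system_up(histories, (g + 0.5) * dt))
    stats = [[(h[1], h[2]) for h in sub] for sub in histories]
    return z, t_u, stats


def estimate(design, mission, steps, M, cu, seed=1):
    """Repeat the DES M times (step vi): A(t_k) = c_k / M for each step, and the
    mean total cost C = CA + CO + CCM + CU of eqs. (14)-(17)."""
    rng = random.Random(seed)
    counters = [0] * len(steps)                   # c_k
    ca = sum(ct.ca for sub in design for ct in sub)          # eq. (14)
    co_total = ccm_total = cu_total = 0.0
    for _ in range(M):
        z, t_u, stats = simulate_system(design, mission, steps, rng)
        for k, zk in enumerate(z):
            counters[k] += zk
        for sub, sub_stats in zip(design, stats):
            for ct, (n_rep, op_time) in zip(sub, sub_stats):
                co_total += ct.co * op_time       # eq. (15)
                ccm_total += ct.ccm * n_rep       # eq. (16)
        cu_total += cu * t_u                      # eq. (17)
    availability = [c / M for c in counters]
    cost = ca + (co_total + ccm_total + cu_total) / M
    return availability, cost


if __name__ == "__main__":
    # constructed component types; co and ccm are 10% and 2% of ca as in the paper
    a_type = ComponentType(alpha=120.0, beta=1.5, lam=0.5, ca=100.0, co=10.0, ccm=2.0)
    b_type = ComponentType(alpha=200.0, beta=2.0, lam=0.25, ca=150.0, co=15.0, ccm=3.0)
    design = [[a_type, a_type], [b_type], [a_type, b_type]]   # x = (2, 1, 2) copies
    avail, cost = estimate(design, 365.0, [30.0, 90.0, 180.0, 364.0], M=100, cu=500.0)
    print("A(t_k):", avail, "mean total cost:", round(cost, 1))
```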
Figure 4. Flowchart of the used multiACO + DES.

Table 2. Subsystems features for example application.

Subsystem  ni,min  ni,max  cti
S1         1       3       5
S2         1       6       5
S3         1       4       3

Components are supposed to have their failure process modeled according to a GRP. More specifically, it is assumed a Kijima Type I model with TTF given by Weibull distributions with different scale (α, in time units), shape (β) and rejuvenation (q) parameters. On the other hand, TTR are exponentially distributed with different parameters (λ) per component type. In addition, components are subjected to imperfect repairs. As soon as a component fails, the repair does not start immediately and it is necessary to check the availability of required maintenance resources. If resources are available, a random time representing the logistic time for resource acquisition is generated according to an Exponential distribution with λ = 1, i.e., the failed component must wait up to such time to go under repair. Otherwise, the failed component waits in queue for the required maintenance resources.
Components characteristics are presented in Table 3. The components corrective maintenance and operating costs are taken as 2% and 10% of the acquisition cost, respectively. Moreover, cu = 500 monetary units.
The parameters for the multiACO were nAnts = 100, nCycles = 50, α = 1, β = 1, ρ = 0.5 and Q = 1. System designs were evaluated over a mission time equal to 365 time units. A set of 47 nondominated solutions was obtained, as shown in Figure 5. Some of the alternative system designs indicated in Figure 5 are presented in Figure 6.

5.1 Return of investment analysis

All system designs in the set of nondominated solutions are optimal in accordance with the multiobjective approach. However, the decision maker may select only one system design to be implemented. In order to guide such selection, he can make a return of investment analysis, that is, observe the gain in system mean availability in relation to the required investment in the corresponding system design. Mathematically the return of investment (ROI) is:

$$ROI = (A_k - A_{k-1}) / (C_k - C_{k-1}) \qquad (18)$$
Table 3. Components features for example application.
6 CONCLUDING REMARKS
Although there are some works in the literature applying ACO in RAPs, they often make simplifications concerning system reliability behavior that are usually not satisfied in practical situations. Therefore this
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
A. Lisnianski
The Israel Electric Corporation Ltd., Haifa, Israel
I. Frenkel
Center for Reliability and Risk Management, Industrial Engineering and Management Department,
Sami Shamoon College of Engineering, Beer Sheva, Israel
ABSTRACT: This paper considers reliability measures for aging multi-state system where the system and
its components can have different performance levels ranging from perfect functioning to complete failure.
Aging is treated as failure rate increasing during system life span. The suggested approach presents the non-
homogeneous Markov reward model for computation of commonly used reliability measures such as mean
accumulated performance deficiency, mean number of failures, average availability, etc., for aging multi-state
system. Corresponding procedures for reward matrix definition are suggested for different reliability measures.
A numerical example is presented in order to illustrate the approach.
continuous-time stochastic process that takes its values from the set g = {g1, g2, ..., gk}, G(t) ∈ g, where gi is the MSS output performance in state i, i = 1, 2, ..., k. Transition rates (intensities) aij between states i and j are defined by corresponding system failure and repair rates. The minimal repair is a corrective maintenance action that brings the aging equipment to the conditions it was in just before the failure occurrence. Aging MSS subject to minimal repairs experiences reliability deterioration with the operating time, i.e. there is a tendency toward more frequent failures. In such situations, the failure pattern can be described by a Poisson process whose intensity function monotonically increases with t. A Poisson process with a non-constant intensity is called non-homogeneous, since it does not have stationary increments (Gertsbakh 2000). Therefore, in this case corresponding transition intensities will be functions of time aij(t).

2.1 Non-homogeneous Markov reward model

A system's state at time t can be described by a continuous-time Markov chain with a set of states {1, ..., K} and a transition intensity matrix a = |aij(t)|, i, j = 1, ..., K. For a Markov reward model it is assumed that if the process stays in any state i during the time unit, a certain cost rii is paid. It is also assumed that each time the process transits from state i to state j a cost rij should be paid. These costs rii and rij are called rewards (Hiller & Lieberman 1995). A reward may also be negative when it characterizes a loss or penalty. Such a reward process associated with system states or/and transitions is called a Markov process with rewards. For such processes, in addition to a transition intensity matrix a = |aij(t)|, i, j = 1, ..., K, a reward matrix r = |rij|, i, j = 1, ..., K should be determined (Carrasko 2003).
Let Vi(t) be the expected total reward accumulated up to time t, given that the initial state of the process at time instant t = 0 is state i. According to Howard (1960), the following system of differential equations must be solved under specified initial conditions in order to find the total expected rewards:

$$\frac{dV_i(t)}{dt} = r_{ii} + \sum_{\substack{j=1 \\ j \neq i}}^{K} a_{ij}(t)\, r_{ij} + \sum_{j=1}^{K} a_{ij}(t)\, V_j(t), \qquad i = 1, 2, \ldots, K \qquad (1)$$

In the most common case, MSS begins to accumulate rewards after time instant t = 0, therefore, the initial conditions are:

$$V_i(0) = 0, \qquad i = 1, 2, \ldots, K \qquad (2)$$

If, for example, the state K with highest performance level is defined as the initial state, the value VK(t) should be found as a solution of the system (1). It was shown in Lisnianski (2007) and Lisnianski et al. (2007) that many important reliability measures can be found by the determination of rewards in a corresponding reward matrix.

2.2 Rewards determination for computation of different reliability measures

For an availability computation, we partition the set of states g into g0, the set of operational or acceptable system states, and gf, the set of failed or unacceptable states. The system states acceptability depends on the relation between the MSS output performance and the desired level of this performance, the demand, which is determined outside the system. In the general case the demand W(t) is also a random process that can take discrete values from the set w = {w1, ..., wM}. The desired relation between the system performance and the demand at any time instant t can be expressed by the acceptability function (G(t), W(t)) (Lisnianski & Levitin 2003). The acceptable system states correspond to (G(t), W(t)) ≥ 0 and the unacceptable states correspond to (G(t), W(t)) < 0. The last inequality defines the MSS failure criterion. In many practical cases, the MSS performance should be equal to or exceed the demand. Therefore, in such cases the acceptability function takes the following form:

$$(G(t), W(t)) = G(t) - W(t) \qquad (3)$$

and the criterion of state acceptability can be expressed as

$$(G(t), W(t)) = G(t) - W(t) \ge 0 \qquad (4)$$

Here without loss of generality we assume that the required demand level is constant, W(t) ≡ w, and all system states with performance greater than or equal to w correspond to the set of acceptable states and all system states with performance lower than w correspond to the set of unacceptable states.
We define the indicator random variable

$$I(t) = \begin{cases} 1, & \text{if } G(t) \in g_0, \\ 0 & \text{otherwise.} \end{cases} \qquad (5)$$

The MSS instantaneous (point) availability A(t) is the probability that the MSS at instant t > 0 is in one
of acceptable states:

$$A(t) = \Pr\{I(t) = 1\} = \sum_{i \in g_0} P_i(t) \qquad (6)$$

where Pi(t) is the probability that at instant t the system is in state i.
For an aging MSS an average availability is often used. The MSS average availability Ā(T) is defined as a mean fraction of time when the system resides in the set of acceptable states during the time interval [0, T],

$$\bar{A}(T) = \frac{1}{T} \int_0^T A(t)\, dt \qquad (7)$$

To assess Ā(T) for MSS, the rewards in matrix r can be determined in the following manner.
• The rewards associated with all acceptable states should be defined as 1.
• The rewards associated with all unacceptable states should be zeroed as well as all the rewards associated with all transitions.
The mean reward Vi(T) accumulated during interval [0, T] defines a time that MSS will be in the set of acceptable states in the case where state i is the initial state. This reward should be found as a solution of the system (1). After solving the system (1) and finding Vi(t), MSS average availability can be obtained for every i = 1, ..., K:

$$\bar{A}_i(T) = V_i(T) / T \qquad (8)$$

Usually the state K is determined as an initial state or, in other words, the MSS begins its evolution in the state space from the best state with maximal performance.
Mean number Nfi(T) of MSS failures during the time interval [0, T], if state i is the initial state. This measure can be treated as a mean number of MSS entrances into the set of unacceptable states during the time interval [0, T]. For its computation rewards associated with each transition from the set of acceptable states to the set of unacceptable states should be defined as 1. All other rewards should be zeroed. In this case the mean accumulated reward Vi(T), obtained by solving (1), provides the mean number of entrances into the unacceptable area during the time interval [0, T]:

$$N_{fi}(T) = V_i(T) \qquad (9)$$

in a Markov reward model should be defined as

$$r_{jj} = \begin{cases} w - g_j, & \text{if } w - g_j > 0, \\ 0, & \text{if } w - g_j \le 0. \end{cases} \qquad (10)$$

All transition rewards rij, i ≠ j, should be zeroed. Therefore, the mean reward Vi(T) accumulated during the time interval [0, T], if state i is the initial state, defines the mean accumulated performance deficiency

$$V_i(T) = E\left\{ \int_0^T (W(t) - G(t))\, dt \right\} \qquad (11)$$

where E is the expectation symbol and G(0) = gi.
Mean Time To Failure (MTTF) is the mean time up to the instant when the MSS enters the subset of unacceptable states for the first time. For its computation the combined performance-demand model should be transformed: all transitions that return MSS from unacceptable states should be forbidden, as in this case all unacceptable states should be treated as absorbing states.
In order to assess MTTF for MSS, the rewards in matrix r for the transformed performance-demand model should be determined as follows:
• The rewards associated with all acceptable states should be defined as 1.
• The reward associated with unacceptable (absorbing) states should be zeroed as well as all rewards associated with transitions.
In this case, the mean accumulated reward Vi(t) defines the mean time accumulated up to the first entrance into the subset of unacceptable states, or MTTF, if the state i is the initial state.
Reliability function and Probability of MSS failure during the time interval [0, T]. The model should be transformed as in the previous case: all unacceptable states should be treated as absorbing states and, therefore, all transitions that return MSS from unacceptable states should be forbidden. Rewards associated with all transitions to the absorbing state should be defined as 1. All other rewards should be zeroed. The mean accumulated reward Vi(T) in this case defines the probability of MSS failure during the time interval [0, T], if the state i is the initial state. Therefore, the MSS reliability function can be obtained as:
3 NUMERICAL EXAMPLE

Consider a multi-state power generating unit with nominal generating capacity 360 KWT. The corresponding multi-state model is presented in Figure 1 and has 4 different performance levels: complete failure level (g1 = 0), two levels with reduced capacity (g2 = 215 KWT, g3 = 325 KWT), and level of perfect functioning (g4 = 360 KWT).
Aging was indicated as increasing transition failure rate λ42(t) = 7.01 + 0.2189t². Other failure rates are constant: λ41 = 2.63 year⁻¹ and λ43 = 13.14 year⁻¹. Repair rates are the following: μ14 = 446.9 year⁻¹, μ24 = 742.8 year⁻¹, μ34 = 2091.0 year⁻¹.
The demand is constant w = 300 KWT and power unit failure is treated as generating capacity decreasing below demand level w.
The state-space diagram for the system is presented in Figure 1.
By using the presented method we assess the MSS average availability, mean total number of system failures, accumulated mean performance deficiency, Mean Time To Failure and Reliability function for a 5 years time interval.

Figure 1. State space diagram of generated system (states 4: g4 = 360, 3: g3 = 325, 2: g2 = 215, 1: g1 = 0; demand w = 300; transitions λ41, λ42(t), λ43, μ14, μ24, μ34).

According to the state space diagram in Figure 1 the following transition intensity matrix a can be obtained:

$$a = \begin{pmatrix} -\mu_{14} & 0 & 0 & \mu_{14} \\ 0 & -\mu_{24} & 0 & \mu_{24} \\ 0 & 0 & -\mu_{34} & \mu_{34} \\ \lambda_{41} & \lambda_{42}(t) & \lambda_{43} & -(\lambda_{41} + \lambda_{42}(t) + \lambda_{43}) \end{pmatrix} \qquad (13)$$

In order to find the MSS average availability Ā(T) according to the introduced approach we should present the reward matrix r in the following form:

$$r = |r_{ij}| = \begin{pmatrix} 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix} \qquad (14)$$

The system of differential equations (1) will be presented as the following:

$$\begin{aligned} \frac{dV_1(t)}{dt} &= -\mu_{14} \cdot V_1(t) + \mu_{14} \cdot V_4(t) \\ \frac{dV_2(t)}{dt} &= -\mu_{24} \cdot V_2(t) + \mu_{24} \cdot V_4(t) \\ \frac{dV_3(t)}{dt} &= 1 - \mu_{34} \cdot V_3(t) + \mu_{34} \cdot V_4(t) \\ \frac{dV_4(t)}{dt} &= 1 + \lambda_{41} \cdot V_1(t) + \lambda_{42}(t) \cdot V_2(t) + \lambda_{43} \cdot V_3(t) - (\lambda_{41} + \lambda_{42}(t) + \lambda_{43}) \cdot V_4(t) \end{aligned} \qquad (15)$$

The system of differential equations must be solved under initial conditions: Vi(0) = 0, i = 1, 2, 3, 4.
The results of calculation can be seen in Figure 2. Calculation results are presented for two cases: for the aging unit with λ42(t) = 7.01 + 0.2189t² and for the non-aging unit where λ42 = 7.01 ≡ constant.
In order to find the mean total number of system failures Nf(t) we should present the reward matrix r in the following form:

$$r = |r_{ij}| = \begin{pmatrix} 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 \end{pmatrix} \qquad (16)$$
Figure 2. (Plot residue; y-axis: Average Availability.)

The system of differential equations must be solved under initial conditions: Vi(0) = 0, i = 1, 2, 3, 4.
The results of calculation are presented in Figure 3.
In order to find Accumulated Performance Defi-

Figure 3. (Plot residue; caption not on this page.)

$$\begin{aligned} \frac{dV_3(t)}{dt} &= -\mu_{34} \cdot V_3(t) + \mu_{34} \cdot V_4(t) \\ \frac{dV_4(t)}{dt} &= \lambda_{41} + \lambda_{42} + \lambda_{41} \cdot V_1(t) + \lambda_{42}(t) \cdot V_2(t) + \lambda_{43} \cdot V_3(t) - (\lambda_{41} + \lambda_{42}(t) + \lambda_{43}) \cdot V_4(t) \end{aligned} \qquad (19)$$
unacceptable states should be forbidden and all unacceptable states should be treated as absorbing state. The state space diagram may be presented as follows.
According to the state space diagram in Figure 5 the transition intensity matrix a can be presented as follows:

$$a = \begin{pmatrix} 0 & 0 & 0 \\ 0 & -\mu_{34} & \mu_{34} \\ \lambda_{41} + \lambda_{42}(t) & \lambda_{43} & -(\lambda_{41} + \lambda_{42}(t) + \lambda_{43}) \end{pmatrix} \qquad (20)$$

In order to find Mean Time To Failure we should present the reward matrix r in the following form

$$r = |r_{ij}| = \begin{pmatrix} 0 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix} \qquad (21)$$

The system of differential equations (1) will be presented as follows:

$$\begin{aligned} \frac{dV_0(t)}{dt} &= 0 \\ \frac{dV_3(t)}{dt} &= 1 - \mu_{34} \cdot V_3(t) + \mu_{34} \cdot V_4(t) \\ \frac{dV_4(t)}{dt} &= 1 + (\lambda_{41} + \lambda_{42}(t)) \cdot V_0(t) + \lambda_{43} \cdot V_3(t) - (\lambda_{41} + \lambda_{42}(t) + \lambda_{43}) \cdot V_4(t) \end{aligned} \qquad (22)$$

The system of differential equations must be solved under initial conditions: Vi(0) = 0, i = 0, 3, 4.
The results of calculation are presented in Figure 6.
In order to find the Probability of MSS failure during the time interval [0, T] we should present the reward matrix r in the following form

$$r = |r_{ij}| = \begin{pmatrix} 0 & 0 & 0 \\ 0 & 0 & 0 \\ 1 & 0 & 0 \end{pmatrix} \qquad (23)$$

The system of differential equations (1) will be presented as follows:

$$\begin{aligned} \frac{dV_0(t)}{dt} &= 0 \\ \frac{dV_3(t)}{dt} &= -\mu_{34} \cdot V_3(t) + \mu_{34} \cdot V_4(t) \\ \frac{dV_4(t)}{dt} &= \lambda_{41} + \lambda_{42}(t) + (\lambda_{41} + \lambda_{42}(t)) \cdot V_0(t) + \lambda_{43} \cdot V_3(t) - (\lambda_{41} + \lambda_{42}(t) + \lambda_{43}) \cdot V_4(t) \end{aligned} \qquad (24)$$

Figure 5. State space diagram of generated system with absorbing state (states 4: g4 = 360, 3: g3 = 325, absorbing state 0; demand w = 300).

Figure 6. Mean time to failure (x-axis: Time (Years); y-axis: Mean Time to Failure (years)).
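The reward-matrix recipes of Section 2.2 applied to the numerical example of Section 3, as an added example that is not the authors' code: eq. (1) is integrated from Vi(0) = 0 with a fixed-step RK4 scheme (the paper does not say which solver it used) for the matrices (13), (14), (16), (20), (21) and (23), giving average availability, mean number of failures, accumulated performance deficiency, MTTF and failure probability for the aging and the non-aging unit.

```python
"""Non-homogeneous Markov reward model (eq. 1) solved for the aging
generating-unit example of Section 3.  Added example, not the authors' code;
a fixed-step classical RK4 integrator is assumed in place of the paper's solver."""

# Parameters of the numerical example (year^-1 and KWT)
LAM41, LAM43 = 2.63, 13.14
MU14, MU24, MU34 = 446.9, 742.8, 2091.0
G = [0.0, 215.0, 325.0, 360.0]   # g1..g4
W = 300.0                        # constant demand w


def lam42_aging(t):      # lambda_42(t) = 7.01 + 0.2189 t^2
    return 7.01 + 0.2189 * t * t


def lam42_constant(t):   # non-aging unit
    return 7.01


def intensity_matrix(t, lam42):
    """Transition intensity matrix a(t) of eq. (13), states ordered 1..4."""
    l42 = lam42(t)
    return [[-MU14, 0.0, 0.0, MU14],
            [0.0, -MU24, 0.0, MU24],
            [0.0, 0.0, -MU34, MU34],
            [LAM41, l42, LAM43, -(LAM41 + l42 + LAM43)]]


def absorbing_matrix(t, lam42):
    """Matrix (20), states ordered (absorbing 0, 3, 4)."""
    l42 = lam42(t)
    return [[0.0, 0.0, 0.0],
            [0.0, -MU34, MU34],
            [LAM41 + l42, LAM43, -(LAM41 + l42 + LAM43)]]


def reward_rhs(t, V, a_of_t, r):
    """Right-hand side of eq. (1): dVi/dt = rii + sum_{j!=i} aij rij + sum_j aij Vj."""
    a = a_of_t(t)
    n = len(V)
    out = []
    for i in range(n):
        s = r[i][i]
        for j in range(n):
            if j != i:
                s += a[i][j] * r[i][j]
            s += a[i][j] * V[j]
        out.append(s)
    return out


def solve_rewards(a_of_t, r, T, h=5e-4):
    """Integrate eq. (1) from Vi(0) = 0 (eq. 2) up to time T with classical RK4.
    h keeps mu34*h below the RK4 stability limit of the stiff repair mode."""
    V = [0.0] * len(r)
    t = 0.0
    for _ in range(int(round(T / h))):
        k1 = reward_rhs(t, V, a_of_t, r)
        k2 = reward_rhs(t + h / 2, [v + h / 2 * k for v, k in zip(V, k1)], a_of_t, r)
        k3 = reward_rhs(t + h / 2, [v + h / 2 * k for v, k in zip(V, k2)], a_of_t, r)
        k4 = reward_rhs(t + h, [v + h * k for v, k in zip(V, k3)], a_of_t, r)
        V = [v + h / 6 * (c1 + 2 * c2 + 2 * c3 + c4)
             for v, c1, c2, c3, c4 in zip(V, k1, k2, k3, k4)]
        t += h
    return V


def zeros(n):
    return [[0.0] * n for _ in range(n)]


def average_availability(T, lam42=lam42_aging):
    """Eq. (14): reward 1 in the acceptable states 3 and 4 (g >= w); A_bar = V4(T)/T (eq. 8)."""
    r = zeros(4); r[2][2] = r[3][3] = 1.0
    return solve_rewards(lambda t: intensity_matrix(t, lam42), r, T)[3] / T


def mean_failures(T, lam42=lam42_aging):
    """Eq. (16): reward 1 on the transitions 4->1 and 4->2; Nf = V4(T) (eq. 9)."""
    r = zeros(4); r[3][0] = r[3][1] = 1.0
    return solve_rewards(lambda t: intensity_matrix(t, lam42), r, T)[3]


def performance_deficiency(T, lam42=lam42_aging):
    """Eq. (10): rjj = w - gj where positive, else 0; V4(T) is the mean deficiency (eq. 11)."""
    r = zeros(4)
    for j in range(4):
        r[j][j] = max(W - G[j], 0.0)
    return solve_rewards(lambda t: intensity_matrix(t, lam42), r, T)[3]


def mttf(T, lam42=lam42_aging):
    """Eq. (21) on the absorbing model (20): rewards 1 in states 3, 4; V4(T) tends to MTTF."""
    r = zeros(3); r[1][1] = r[2][2] = 1.0
    return solve_rewards(lambda t: absorbing_matrix(t, lam42), r, T)[2]


def failure_probability(T, lam42=lam42_aging):
    """Eq. (23): reward 1 on the transition 4 -> absorbing state; V4(T) = Pr{failure in [0, T]}."""
    r = zeros(3); r[2][0] = 1.0
    return solve_rewards(lambda t: absorbing_matrix(t, lam42), r, T)[2]


if __name__ == "__main__":
    for name, f in (("aging", lam42_aging), ("non-aging", lam42_constant)):
        print(name, "A_bar(5) =", round(average_availability(5.0, f), 5),
              "Nf(5) =", round(mean_failures(5.0, f), 2),
              "deficiency(5) =", round(performance_deficiency(5.0, f), 2),
              "MTTF =", round(mttf(2.0, f), 5),
              "R(0.1) =", round(1.0 - failure_probability(0.1, f), 4))
```

For the non-aging unit the MTTF has the closed form (1 + λ43/μ34)/(λ41 + λ42), which the integrated V4(T) reaches once T is a few tenths of a year, matching the scale of Figure 6.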
Figure: MSS Reliability Function (plot residue; caption not on this page).
ABSTRACT: Weibull models appear to be very flexible and widely used in the maintainability field for
ageing models. The aim of this contribution is to systematically study the ability of classically used one-mode
Weibull models to approximate the bathtub reliability model. Therefore, we analyze lifetime data simulated
from different reference cases of the well-known bathtub curve model, described by a bi-Weibull distribution
(the infant mortality is skipped, considering the objective of modeling ageing). The Maximum Likelihood
Estimation (MLE) method is then used to estimate the corresponding parameters of a 2-parameter Weibull
distribution, commonly used in maintenance modeling, and the same operation is performed for a 3-parameter
Weibull distribution, with either a positive or negative shift parameter. Several numerical studies are presented,
based first on large and complete samples of failure data, then on a censored data set, the failure data being
limited to the useful life region and to the start of the ageing part of the bathtub curve. Results, in terms of
quality of parameter estimation and of maintenance policy predictions, are presented and discussed.
ν ≥ 0 are called scale, shape and location parameters, respectively. H(.) is the step function.
The 3-parameter Weibull rate models the failure mode due to ageing, and is active only for t > ν. In other words, a failure of the system in time t > 0 can occur by:
a) a contribution due to the exponential distribution, which describes a random failure of the system for any t > 0
b) a contribution due to the Weibull distribution for t > ν, where ν is a positive location parameter (a shift). It means that we assume that this failure mode, which is based on the effect of ageing of the system, can occur only if t > ν.

3 APPROXIMATE WEIBULL MODELS USED IN THE COMPARISON

We assume the following probability density functions (PDF) for our parameter estimation study:
• Weibull model with 2 parameters:

$$f_a(t) = \frac{\beta_a}{\eta_a} \left( \frac{t}{\eta_a} \right)^{\beta_a - 1} e^{-\left( \frac{t}{\eta_a} \right)^{\beta_a}} \qquad (2)$$

When ν = 0 and λ0 = 0, the model is reduced to the 2-parameter Weibull law. The corresponding cumulative distribution function (CDF) is:

$$F_a(t) = 1 - e^{-\left( \frac{t}{\eta_a} \right)^{\beta_a}} \qquad (3)$$

The scale parameter symbol ηa has the following meaning: solving equation (3) for t = ηa we have:

$$F_a(\eta_a) = 1 - e^{-\left( \frac{\eta_a}{\eta_a} \right)^{\beta_a}} = 1 - e^{-1} = 1 - 0.3679 = 0.6321 \qquad (4)$$

avoiding to implicitly assume λc(0) = 0. The PDF has the following conditional form:

$$f_c(t) = \frac{\frac{\beta_c}{\eta_c} \left( \frac{t - \nu_c}{\eta_c} \right)^{\beta_c - 1} e^{-\left( \frac{t - \nu_c}{\eta_c} \right)^{\beta_c}}}{e^{-\left( \frac{-\nu_c}{\eta_c} \right)^{\beta_c}}} \, H(t) \qquad (6)$$

4 MAINTENANCE COSTS ANALYSIS

We assume the following hypotheses in our analysis of the maintenance policy:
• Costs are kept constant and do not change with time (interest rate or inflation are not considered).
• Repair durations are contemplated as negligible.
• Failures are detected instantaneously.
• Labour resources are always available to repair.
The following three maintenance strategies (Kececioglu 1995; Vansnick 2006) are considered.

4.1 Periodic replacement: As Bad as Old (ABAO)

In this policy an item is replaced with a new one at every Tp time units of operation, i.e. periodically at time Tp, 2Tp, 3Tp, .... If the component fails before Tp time units of operation, it is minimally repaired so that its instantaneous failure rate λ(t) remains the same as it was prior to the failure.
The expected total cost will be presented per unit time and per preventive cost, and the predetermined maintenance interval is denoted by Tp. For the analysis, it is interesting to introduce a new coefficient r, the ratio of the curative cost over the preventive cost:

$$r = \frac{C_c}{C_p} \qquad (7)$$

The total expected cost per unit time can be written as
4.2 Age replacement: AGAN (As-Good-As-New)

The AGAN maintenance strategy consists of replacing the component with a new one after it has failed or when it has been in operation for Tp time units, whichever comes first. The total expected cost per unit time per preventive cost of a component depends on a summation of contributions of preventive and curative costs:

$$\frac{\gamma(T_p)}{C_p} = \frac{R(T_p) + r\,(1 - R(T_p))}{\int_0^{T_p} R(t)\, dt} \qquad (11)$$

4.3 Block replacement: AGAN

In this maintenance strategy an item is replaced preventively (maximum repair) at time points Tp, 2Tp, 3Tp, and so on. In addition to this, the component is maintained correctively (maximum repair) each time it fails. The total expected cost per unit time per preventive cost can be expressed as (Kececioglu 1995)

$$\frac{\gamma(T_p)}{C_p} = \frac{1}{T_p} + r\, \frac{1 - R(T_p)}{\int_0^{T_p} R(t)\, dt} \qquad (12)$$

5 PARAMETER ESTIMATIONS OF ONE-MODE WEIBULL LAWS BASED ON SAMPLINGS FROM THE BATHTUB CURVE MODEL

The aim of the section is to show the possible paradox between the classical reference to the bathtub-shaped failure rates and the usual way of resorting to basic, one-mode Weibull laws to model ageing and deduce maintenance policy optimization. This is first performed by assuming that the real behavior of the failure rate obeys a bathtub shape, in which the infant mortality is neglected (so that a bi-Weibull is used), by sampling failure data from this assumed reality, then by estimating the parameters of reduced 2- or 3-parameter Weibull models and by comparing the predictions of optimal maintenance period based on this estimation with that deduced from the assumed reality. In a second step, we also analyse failure data censored at the real MTTF point, which is an approximation of the industrial reality where data are usually limited.
Parameters (η, β, ν) and λ0 have to be chosen to define what is the initial ''reality'' of the failure density of the component.
Actually, three of these parameters correspond to characteristic times:
• parameter 1/λ0 represents the Mean Time To Failure (MTTF) of the random failure mode taken alone,
• parameter η is the characteristic time of the ageing failure mode, and
• parameter ν is a time shift corresponding to the delay before the onset of ageing.

5.1 Characterization of useful period

In this section, we specify the value of the parameter related to the useful period (i.e. period with a constant failure rate λ0) of our model of reality.
We set 1/λ0 = 14000 h, because this value is close to that estimated for reciprocating compressors whose modelling was an inspiration of our study (Vansnick 2006). This arbitrary choice hence defines the time units of the problem, and only 3 independent parameters remain.

5.2 Parameters describing ageing

In this section, we specify values of parameters related to the ageing part of our model of reality. We assume the following parameters in our tests:
• The values (2, 2.5, 3, 3.5, 4) are assumed for the shape parameter β. We have chosen these values because when β = 2, the increasing failure rate part (due to ageing) is increasing linearly with time and for values of β higher than 2 the curve is increasing non-linearly.
• The value of the scale parameter η is selected in the following way:
Since MTTF = ν + η(1 + (1/β)) holds for a single Weibull law, the straightforward observation is that η is a characteristic time on which the ageing process spans.
Then we can use the following quantity ηλ0 as a measure of the relative duration of the ageing failure mode with respect to the purely random one. Let us assume that ηλ0 ≤ 1 holds in our cases because the ageing period lasts less time than the useful life period. Then we use the following range for values (λ0 is kept constant in all cases):

$$\eta \lambda_0 = (1, 0.9, 0.8, 0.7, 0.6) \qquad (13)$$

Even if this assumption might be valid in many cases, in some situations however, one could meet a behavior of the component where ageing starts quite quickly, even if it is then likely to be a slower process than in other cases.
• The value of the location parameter ν is selected from the following equation:

$$R(\nu) = (0.9, 0.8, 0.7, 0.6, 0.5, 0.4) \qquad (14)$$

Here R(ν) denotes the reliability function of the reference model at the end of the useful period (i.e. period with constant failure rate λ0):
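The cost rates (11) and (12) evaluated against a reference "reality" built from the Section 5 parametrisation (1/λ0 = 14000 h, ηλ0 from (13), ν from R(ν) in (14)), with the optimal Tp found by grid search; this is an added example, not the authors' code, and the reliability function R(t) used for the reference model (exponential random mode times a shifted Weibull ageing mode active for t > ν) and the specific case (β = 3, ηλ0 = 0.8, R(ν) = 0.8) are assumptions. The ABAO cost expression is not on this page and is left out.

```python
"""Maintenance-cost rates (11) and (12) evaluated against the bi-Weibull
reference model of Section 5 (random mode with rate lambda0 plus a shifted
Weibull ageing mode).  Added example, not the authors' code; the ABAO cost
expression is not on this page and is left out."""
import math


def reliability(t, lam0, eta, beta, nu):
    """R(t) of the reference model (assumed form): exp(-lam0*t) times the
    shifted-Weibull survival, active only for t > nu (H(.) step function)."""
    ageing = ((t - nu) / eta) ** beta if t > nu else 0.0
    return math.exp(-lam0 * t - ageing)


def integral(f, a, b, n=400):
    """Composite Simpson's rule with n (even) panels for the denominator of (11)-(12)."""
    if n % 2:
        n += 1
    h = (b - a) / n
    s = f(a) + f(b)
    for k in range(1, n):
        s += (4 if k % 2 else 2) * f(a + k * h)
    return s * h / 3


def age_replacement_cost(Tp, r, R):
    """Eq. (11): gamma(Tp)/Cp for age replacement (AGAN)."""
    RT = R(Tp)
    return (RT + r * (1.0 - RT)) / integral(R, 0.0, Tp)


def block_replacement_cost(Tp, r, R):
    """Eq. (12): gamma(Tp)/Cp for block replacement (AGAN)."""
    return 1.0 / Tp + r * (1.0 - R(Tp)) / integral(R, 0.0, Tp)


def optimal_interval(cost, r, R, t_max, n=200):
    """Grid search of the predetermined interval Tp in (0, t_max]; returns (Tp*, cost*)."""
    best = None
    for k in range(1, n + 1):
        Tp = t_max * k / n
        c = cost(Tp, r, R)
        if best is None or c < best[1]:
            best = (Tp, c)
    return best


def reference_case(beta=3.0, eta_lam0=0.8, R_nu=0.8, lam0=1.0 / 14000.0):
    """R(t) from the paper's parametrisation: 1/lam0 = 14000 h, eta = eta_lam0/lam0
    (eq. 13) and nu such that R(nu) = R_nu on the useful period (eq. 14)."""
    eta = eta_lam0 / lam0
    nu = -math.log(R_nu) / lam0      # exp(-lam0 * nu) = R_nu
    return lambda t: reliability(t, lam0, eta, beta, nu)


if __name__ == "__main__":
    R = reference_case()
    r = 10.0                         # curative over preventive cost, as in Section 6
    for name, cost in (("age replacement", age_replacement_cost),
                       ("block replacement", block_replacement_cost)):
        Tp, c = optimal_interval(cost, r, R, 60000.0)
        print(f"{name}: Tp* = {Tp:.0f} h, gamma/Cp = {c:.3e} per hour")
```

With a pure exponential R(t) the age-replacement rate (11) reduces to λ(r + R(Tp)/(1 − R(Tp))), which decreases in Tp, so the grid search returns the largest interval: preventive replacement never pays off under a constant failure rate.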
6 RESULTS OF THE ESTIMATIONS
In this section the predetermined maintenance interval (Tp) obtained with the 2- and 3-parameter Weibull models will be compared to the Tp given by the reference model, which was presented in Section 5. As examples, the next figures show the results of the analysis done in these two different situations. Figures 1 and 2 show sorted results (i.e. in the 150 reference cases considered) of the optimal predetermined maintenance intervals for the reference model (denoted as 4P ABAO) with bounds corresponding to the minimum cost multiplied by the factor 1.05 (denoted as 4P Int. Sup and 4P Int. Inf, respectively). We assume the ratio between the curative cost over the preventive cost r = 10 in all cases. These figures also show results of the poor ability of the 2- and 3-parameter Weibull models (denoted as 2P ABAO and 3P ABAO, respectively) to provide fitting of the assumed reality.
In the first situation, the results estimated from 2- and 3-parameter Weibull models are conservative: the estimated values of the shape parameter were in the interval [1.17, 1.9] for the 3-parameter Weibull model with a positive location parameter, and the same range was obtained for the 2-parameter Weibull model. On this account, the ability of these approximations to model the wear-out effects given by our reference model is limited. It does not cover the reference model, which is represented by the shape parameters within the interval [2, 4]. In fact, the estimation using the Weibull model with a positive location parameter is not very beneficial: Because of random failures, represented by the second part of the bathtub model, the effect of a positive shift of the location parameter is negligible in our cases: the estimated values of the location parameter were very close to zero (≈ 2·10^−8 h).
It seems that the paradox in the Weibull estimation leads to a conservative maintenance policy in the first situation. Optimal maintenance intervals estimated by one-mode Weibull models are almost in all cases smaller compared to the optimal maintenance period of the assumed reference model: Estimated values of Tp for the 3-parameter Weibull model with a positive location parameter and also for 2-parameter
Weibull model correspond to 35–82% of the values of Tp obtained with the reference models. When the 3-parameter Weibull model with a negative location parameter is assumed, the situation is better: The estimated values of Tp reached 43–100 percent of the reference Tp. In 7 cases (i.e. in 4.66% of all assumed cases), the value of Tp was correctly estimated.
In the second situation (i.e. with censored data), the results estimated from the 2- and 3-parameter Weibull models are also not desirable: In 36.66% of the estimations done we obtain a value of the shape parameter β < 1 (a rejuvenation!). This means that there is no minimum of the expected cost per unit time and per preventive cost function. It is thus not interesting to schedule a systematic preventive maintenance; this is completely wrong in comparison with the reference model. In 43.34% of the estimations, the estimated value of the shape parameter lies in the interval [1, 1.2]. These values also do not correspond to the reference model, and the expected cost per unit time and per preventive cost becomes almost constant. Finally, in 20% of the analyses, the estimated value of the shape parameter is between 1.2 and 1.62. This fact does not enable us to model correctly the wear-out effects given by our reference model.
As it was said in Section 5.2, in order to express what ‘‘reality’’ is being considered in each case, the parameters that determine it can be expressed by the 3-uple (ηλ0, β, R(ν)). Let us analyse the behavior of two selected realities more deeply.
6.1 Reality (ηλ0, β, R(ν)) = (1, 3, 0.8)
In this case, obtaining good policy predictions may not be determined by the wear-out period approximation quality.
In Figure 3, the hazard function of the reality and its 2- or 3-parameter approximations for the first situation are presented. The symbol ‘‘Zero’’ represents the MLE results related to the Weibull model with 2 parameters. The symbol ‘‘Neg’’ represents the Weibull model with 3 parameters including a negative shift and finally the symbol ‘‘Pos’’ represents the Weibull with 3 parameters, including a positive shift. We can see that the wear-out period of the assumed bathtub ‘‘reality’’ is hardly modelled by the one-mode distributions. Although the Weibull 2P and 3P approximations model accurately only the useful period of the reality, it can be seen that it is not a problem to find the optimal preventive maintenance period Tp in both situations, see Figures 4 and 5. This happens because in these situations the optimal preventive maintenance period is found before the ageing process becomes strong. For this reason, the approximations appear acceptable.
In this example it is also worth noticing the MLE results obtained with the Weibull 2P and 3P approximations in the second situation: (η, β, ν) = (12487, 1.11, 0) and (η, β, ν) = (12319, 1.18, −91). We observe that these results of parameter estimation do not imply similar results in estimating the Tp's, see Figure 5. This little difference in shape parameters implies that the Weibull 2P displays difficulties to find a minimum in its corresponding expected cost per unit time and per preventive cost function.
6.2 Reality (ηλ0, β, R(ν)) = (0.6, 2, 0.6)
Figure 6 contains failure rates for situation 1. Although cost predictions in situation 1 remain numerically non-problematic, see Figure 7, both approximation functions display difficulties to find a minimum in their corresponding expected cost per unit time and
Figure 3. Parameters of the reality (1, 3, 0.8), Situation 1. Failure rate.
Figure 4. Parameters of the reality (1, 3, 0.8), Situation 1. Expected cost per unit time and per preventive cost.
Figure 5. Parameters of the reality (1, 3, 0.8), Situation 2. Expected cost per unit time and per preventive cost.
Figure 7. Parameters of the reality (0.6, 2, 0.6), Situation 1. Expected cost per unit time and per preventive cost.

to successfully fit more than exactly one part of the bathtub curve reliability model.
ACKNOWLEDGMENT
Pavel Praks (from VŠB-Technical University of Ostrava, the Czech Republic)’s postdoctoral stay at the Université Libre de Bruxelles, Belgium is part of the ARC Project - ‘‘Advanced supervision and dependability of complex processes: application to power systems’’.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: In this paper, a maintenance model for a deteriorating system with several modes of degradation
is proposed. The time of change of mode and parameters after the change are unknown. A detection procedure
based on an on-line change detection/isolation algorithm is used to deal with unknown change time and unknown
parameters. The aim of this paper is to propose an optimal maintenance versus detection policy in order to
minimize the global maintenance cost.
modeled. The sea gradually erodes the flood barrier and the barrier is deemed to have failed when it is no longer able to withstand the pressure of the sea.
If through inspections it is discovered that the system has failed, a corrective maintenance operation immediately replaces the failed system by a new one. Preventive maintenance actions are performed in order to avoid a failure occurrence and the resulting period of inactivity of the system. The preventive maintenance operation is less costly than the corrective maintenance operation. The preventive maintenance action takes place when the system state exceeds a predetermined threshold known as the preventive threshold.
The inter-inspection interval times and the value of the preventive threshold are two factors which influence the global maintenance cost. For example, in the case of costly inspections it is not worthwhile to inspect the system often. But if the system is scarcely inspected, the risk of missing a failure occurrence increases. In (Grall, Dieulle, and Berenguer 2002) or (Dieulle, Bérenguer, Grall, and Roussignol 2003) and (Bérenguer, Grall, Dieulle, and Roussignol 2003) the authors propose condition-based inspection/replacement and continuous monitoring replacement policies for a single-mode deteriorating system. In those previous works, a maintenance cost model is proposed which quantifies the costs of the maintenance strategy, and a method is proposed to find the optimal strategy leading to a balance between monitoring and maintenance efficiency. When the system undergoes a change of mode it seems reasonable to incorporate the on-line information available about the system in the maintenance decision rule. In (Fouladirad, Dieulle, and Grall 2006; Fouladirad, Dieulle, and Grall 2007) the authors studied on-line change detection in the framework of condition-based maintenance in the case of known parameters after the change.
In this paper an adaptive maintenance policy based on an embedded optimal on-line change detection algorithm is proposed. The originality is due to the fact that the parameters after the change (i.e. the parameters of the second mode) can take unknown values, but these values belong to a known and finite set.
In section 2, the deteriorating system is described. In section 3, an adequate maintenance decision rule is proposed. Section 4 is devoted to the presentation of the on-line change detection algorithm. A method for the evaluation of the maintenance cost is proposed in section 5. In section 6 numerical implementations of our results are presented and analyzed.
2 SYSTEM DESCRIPTION
The system to study in this paper is an observable system subject to accumulation of damage. The system state at time t can be summarized by a scalar random ageing variable X_t. When no repair or replacement action has taken place, (X_t)_{t≥0} is an increasing stochastic process, with initial state X_0 = 0. If the state of the process reaches a pre-determined threshold, say L, the system is said to be failed. The system can be declared as ‘‘failed’’ as soon as a defect or an important deterioration is present, even if the system is still functioning. This means that it is no longer able to fulfill its mission in acceptable conditions. The threshold L is chosen in respect with the properties of the considered system. It can be seen as a safety level which has not to be exceeded. The behavior of the deterioration process after a time t depends only on the amount of deterioration at this time.
The parameters of the deterioration process (X_t)_{t≥0} can suddenly change at time T0. After T0 the mean deterioration rate suddenly increases from a nominal value to an accelerated rate. The first mode corresponds to a nominal mode denoted by M1 and the accelerated mode is denoted by M2. In this paper, the case of two degradation modes is treated but this choice is not restrictive. The results exposed in this paper can be generalized to the case of multiple degradation modes, which can be the subject of further works.
In this paper, it is assumed that the deterioration process in mode Mi (i = 1, 2), denoted by (X^i_t)_{t≥0}, is a gamma process, i.e. for all 0 ≤ s ≤ t, the increment of (X^i_t)_{t≥0} between s and t, Y_{t−s} = X^i_t − X^i_s, follows a gamma probability distribution function with shape parameter αi·(t − s) and scale parameter βi. This probability distribution function can be written as follows:
$$f_{\alpha_i(t-s),\beta_i}(y) = \frac{1}{\Gamma(\alpha_i(t-s))\,\beta_i^{\alpha_i(t-s)}}\; y^{\alpha_i(t-s)-1}\, e^{-y/\beta_i}\; \mathbf{1}_{\{y \ge 0\}}$$ (1)
The average deterioration speed rate in mode Mi is αi(t − s)·βi and its variance is αi(t − s)·βi².
It should be recalled that the gamma process is a positive process with independent increments. It implies frequent occurrences of tiny increments, which makes it relevant to describe gradual deterioration due to continuous use such as erosion, corrosion, concrete creep, crack growth, wear of structural components (van Noortwijk 2007; Cooke, Mendel, and Vrijling 1997; Çinlar, Bažant, and Osman 1977; Blain, Barros, Grall, and Lefebvre 2007; Frangopol, Kallen, and van Noortwijk 2004). Furthermore, an advantage of the gamma process is the existence of an explicit probability distribution function which permits feasible mathematical developments. It has been widely applied to model condition-based maintenance, see (van Noortwijk 2007).
The originality of this paper is due to the existence of unknown parameters after the change. In (Fouladirad, Dieulle, and Grall 2006; Fouladirad, Dieulle, and Grall 2007) the second mode parameters are known in advance, but in this paper the second mode parameters are no longer known in advance. They take their values in the following set:
$$S = \{(\alpha_2^1, \beta_2^1), \ldots, (\alpha_2^K, \beta_2^K)\}$$ (2)
As card(S) = K, there are K different possibilities for the second degradation mode.
It is supposed that the mode M2 corresponds to an accelerated mode, so in the second mode the parameters are such that α2·β2 > α1·β1. The case of a slower second mode is discarded because the systems we consider can not be stabilized nor deteriorate slower than before.

change detection result. As in (Saassouh, Dieulle, and Grall 2005), (Fouladirad, Dieulle, and Grall 2006) and (Fouladirad, Dieulle, and Grall 2007), the preventive maintenance decision is based on different preventive thresholds corresponding to each of the possible deterioration modes of the system. Such maintenance policies are extensions of inspection/replacement structures for single-mode deteriorating systems. Let A_nom and A_ac be the decision thresholds associated to the ‘‘limit’’ cases corresponding to the single-mode deterioration system. The decision threshold A_nom (respectively A_ac) is chosen in order to minimize the cost criterion of the nominal single-mode deteriorating system. In the nominal mode the threshold A_nom is effective, and as soon as the system is supposed to have switched to the second mode (accelerated mode) the threshold is adapted from A_nom to A_ac.
The possible decisions which can arise at each inspection time t_k are as follows:
in complex systems. A first attempt to use an optimal on-line abrupt change detection in the framework of a maintenance policy is presented in (Fouladirad, Dieulle, and Grall 2006), (Fouladirad, Dieulle, and Grall 2007). The on-line change detection algorithms permit to use online available information on the deterioration rate to detect the occurred abrupt change time. These algorithms take into account the information collected through inspections, so they deal with on-line discrete observations (i.e. the system state at times (t_k)_{k∈N}). In (Fouladirad, Dieulle, and Grall 2007) it is supposed that prior information on the change time is available. In this case an adequate on-line detection algorithm which takes into account the available prior information on the change time is proposed.
The authors in (Fouladirad, Dieulle, and Grall 2006), (Fouladirad, Dieulle, and Grall 2007) considered the case of two deteriorating modes (one change time) and known parameters after the change. In this paper, the aim is to propose an adequate detection/isolation method when the accelerated mode parameters can take unknown values. These values belong to a known set defined in (2).
We collect observations (X_k)_{k∈N} at inspection times k ∈ N. Let Y_k, k ∈ N, be the increments of the degradation process. Therefore Y_k, k ∈ N, follows a gamma law with density $f_{\theta_i} = f_{\alpha_i \Delta t, \beta_i}$ according to the degradation mode Mi, i = 1, 2. We shall denote by $f_l = f_{\alpha_2^l \Delta t, \beta_2^l}$, l = 1, . . . , K, the density function associated to the accelerated mode when (α2, β2) = (α_2^l, β_2^l). We shall denote by N the alarm time at which a ν-type change is detected/isolated, and ν, ν = 1, . . . , K, is the final decision. A change detection/isolation algorithm should compute the couple (N, ν) based on Y1, Y2, . . . . We shall denote by Pr_0 the probability knowing that no change of mode has occurred, and by Pr^l_{T0} the probability knowing that the change of mode has occurred at T0. Under Pr^l_{T0} the increments Y1, Y2, . . . , Y_{T0−1} have each the density function f_{θ1}, a change has occurred at T0, and Y_{T0} is the first observation with distribution f_l, l = 1, . . . , K. E_0 (resp. E^l_{T0}) is the expectation corresponding to the probability Pr_0 (resp. Pr^l_{T0}).
The mean time before the first false alarm of type j is defined as follows:
$$E_0(N_{\nu=j}) = E_0 \inf_{k \ge 1}\{N(k) : \nu(k) = j\}$$ (3)
The mean time before the first false isolation of type j is defined as follows:
$$E^l_{T_0}(N_{\nu=j}) = E^l_{T_0} \inf_{k \ge 1}\{N(k) : \nu(k) = j\}$$ (4)
As initially proposed by (Lorden 1971), usually in on-line detection algorithms the aim is to minimize the mean delay for detection/isolation in the worst case:
$$\tau^* = \max_{1 \le l \le K} \tau^*_l,$$ (5)
$$\tau^*_l = \sup_{T_0 \ge 1}\ \operatorname{ess\,sup}\ \tau, \qquad \tau = E^l_{T_0}(N - T_0 + 1 \mid N \ge T_0, X_1, \ldots, X_{T_0-1}),$$
for a given minimum false alarm rate or false isolation rate:
$$\min_{0 \le i \le K}\ \min_{1 \le j \ne i \le K} E^i_{T_0}(N_{\nu=j}) = a$$ (6)
where $E^0_{T_0} = E_0$.
Let us recall the detection/isolation algorithm initially proposed by (Nikiforov 1995). We define the stopping time $N^*_l$ in the following manner:
$$N^*_l = \inf_{k \ge 1} N^*_l(k),$$ (7)
$$N^*_l(k) = \inf\left\{t \ge k : \min_{0 \le j \ne l \le K} S^t_k(l, j) \ge h\right\}$$ (8)
where $S^t_k(l, j) = \sum_{i=k}^{t} \log \frac{f_l(Y_i)}{f_j(Y_i)}$ is the log-likelihood ratio between $f_l$ and $f_j$, and $f_0(\cdot) = f_{\theta_1}(\cdot)$.
The stopping time and the final decision of the detection/isolation algorithm are presented as follows:
$$N^* = \min\{N^*_1, \ldots, N^*_K\}$$ (9)
$$\nu^* = \arg\min\{N^*_1, \ldots, N^*_K\}$$ (10)
In (Nikiforov 1995) the author proved that the mean time to detection in the worst case τ* defined by (5) satisfies the following relations:
$$\tau^* \le \max_{1 \le l \le K} E^l_{T_0}(N^*) \sim \frac{\ln(a)}{\rho^*} \quad \text{as } a \to \infty$$ (11)
$$\rho^* = \min_{1 \le l \le K}\ \min_{0 \le j \ne l \le K} \rho_{lj}$$ (12)
$$\rho_{lj} = \int f_l \ln \frac{f_l}{f_j}\, d\mu, \qquad 0 \le j \ne l \le K$$ (13)
where ρ_{lj} is the Kullback-Leibler distance. The detection/isolation algorithm presented in this section reaches asymptotically the lower asymptotic bound ln(a)/ρ* initially proposed by (Lorden 1971).
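As an added worked example (not code from the paper or its authors), the detection/isolation rule of equations (7)–(10) applied to gamma-distributed increments of equation (1). The nominal mode, the candidate set S and Δt follow Section 6 of the paper (α1 = β1 = 1, Δt = 4, S = {(2,1), (1,3), (2,2), (1,7)}); the sample paths, the threshold h, and the names gamma_logpdf, detect_isolate, simulate_increments and isolation_rate are this example's own assumptions. The statistic S_k^t(l, j) is evaluated for every window start k by brute force from prefix sums, which is enough for the short inspection sequences used here; the Monte Carlo helper estimates the correct-isolation rate for one true accelerated mode in the way the paper's Tables 2–4 report it.

```python
import math
import random


def gamma_logpdf(y, shape, scale):
    """Log of the gamma density of eq. (1): shape = alpha*(t-s), scale = beta.
    Returns -inf for y <= 0 (the indicator 1{y>=0} of eq. (1))."""
    if y <= 0:
        return float("-inf")
    return ((shape - 1.0) * math.log(y) - y / scale
            - math.lgamma(shape) - shape * math.log(scale))


def detect_isolate(increments, nominal, candidates, dt, h):
    """Detection/isolation rule of eqs (7)-(10) over observed increments Y_1, Y_2, ...

    nominal    -- (alpha1, beta1) of mode M1; its density is f_0
    candidates -- [(alpha2^l, beta2^l) for l = 1..K], the set S of eq. (2); densities f_1..f_K
    dt         -- inter-inspection time, so each increment has shape alpha*dt and scale beta
    h          -- detection threshold (assumed value, chosen by the caller)
    Returns (N*, nu*): the 1-based alarm time and the isolated mode in 1..K,
    or (None, None) when no candidate statistic reaches h before the data run out.
    """
    laws = [nominal] + list(candidates)      # index 0 is the nominal law f_0
    K = len(candidates)
    # prefix[t][j] = sum_{i<=t} log f_j(Y_i), so that
    # S_k^t(l, j) = sum_{i=k}^{t} log f_l(Y_i)/f_j(Y_i) is a difference of two entries
    prefix = [[0.0] * (K + 1)]
    for y in increments:
        row = [gamma_logpdf(y, a * dt, b) for (a, b) in laws]
        prefix.append([p + v for p, v in zip(prefix[-1], row)])

    fired = []                               # (N_l*, l) for every candidate that alarms
    for l in range(1, K + 1):
        for t in range(1, len(increments) + 1):
            # N_l* = inf_k N_l*(k) (eq. 7) is the first t at which some window start
            # k <= t satisfies min_{j != l} S_k^t(l, j) >= h (eq. 8)
            alarm = any(
                min((prefix[t][l] - prefix[k - 1][l]) - (prefix[t][j] - prefix[k - 1][j])
                    for j in range(K + 1) if j != l) >= h
                for k in range(1, t + 1))
            if alarm:
                fired.append((t, l))
                break
    if not fired:
        return None, None
    return min(fired)                        # N* = min_l N_l*, nu* = argmin (eqs 9-10)


def simulate_increments(n, change_at, nominal, accelerated, dt, rng):
    """Constructed sample path: n gamma increments over inspections dt apart, in the
    nominal mode before inspection `change_at` (1-based, the role of T0) and in the
    accelerated mode from it on.  random.gammavariate takes (shape, scale)."""
    path = []
    for k in range(1, n + 1):
        a, b = nominal if k < change_at else accelerated
        path.append(rng.gammavariate(a * dt, b))
    return path


def isolation_rate(true_mode, nominal, candidates, dt, h, runs, rng, n=40, change_at=11):
    """Monte Carlo estimate of the correct-isolation rate for one true accelerated
    mode: the fraction of simulated paths whose alarm isolates `true_mode` (1-based)."""
    hits = 0
    for _ in range(runs):
        ys = simulate_increments(n, change_at, nominal, candidates[true_mode - 1], dt, rng)
        _, nu = detect_isolate(ys, nominal, candidates, dt, h)
        hits += (nu == true_mode)
    return hits / runs


if __name__ == "__main__":
    NOMINAL = (1.0, 1.0)                               # alpha1 = beta1 = 1 (Section 6)
    CANDIDATES = [(2, 1), (1, 3), (2, 2), (1, 7)]      # the set S of Table 1
    DT, H = 4, 5.0                                     # dt = 4 (Section 6); h is assumed
    rng = random.Random(2008)
    ys = simulate_increments(40, 21, NOMINAL, CANDIDATES[0], DT, rng)
    print("alarm (N*, nu*):", detect_isolate(ys, NOMINAL, CANDIDATES, DT, H))
    for case in range(1, 5):
        print("case", case, "correct isolation rate:",
              isolation_rate(case, NOMINAL, CANDIDATES, DT, H, 50, rng))
```

Two constructed paths show the rule's behaviour without randomness: five nominal-sized increments of 4 followed by increments of 8 (a switch to case 1, mean 8 per inspection) give the alarm at the eighth inspection with ν* = 1, while five increments of 4 followed by increments of 28 (a switch to case 4) give an alarm at the sixth inspection but ν* = 2, because the (1, 3) candidate has a higher density than (1, 7) on the nominal-looking increments and its statistic reaches h first. That kind of isolation error is what the low correct-isolation rates for cases 2–4 in the paper's tables reflect.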
5 EVALUATION OF THE MAINTENANCE POLICY
Each time that a maintenance action is performed on the system, a maintenance cost is incurred. Each corrective (respectively preventive) replacement entails a cost Cc (respectively Cp). Since a corrective maintenance operation is performed on a more deteriorated system, it is generally more complex and consequently more expensive than a preventive one. Hence it is supposed that Cp < Cc. The cost incurred by any inspection is Ci. In the period of unavailability of the system (i.e. the time spent by the system in a failed state) an additional cost per unit of time Cu is incurred. All direct and indirect costs are already included in the unit costs Ci, Cc, Cp, Cu. The maintenance policy is evaluated using an average long run cost rate taking into account the cost of each type of maintenance action. Let us denote by Np(t) the number of preventive replacements before t, Nc(t) the number of corrective replacements before t, du(t) the cumulative unavailability duration of the system before t and Ni(t) the number of inspections before t. We know that Ni(t) = [t/Δt] where [x] denotes the integer part of the real number x. Let us denote by T the length of a life-time cycle and TL the random time at which the system state exceeds threshold L. The property of the regeneration process (X_t)_{t≥0} allows us to write:
$$C_\infty = \lim_{t \to \infty} \frac{E(C(t))}{t} = \frac{E(C(T))}{E(T)}$$ (14)
where
Let us set the ‘‘inspection scheduling function’’ introduced in (Grall, Dieulle, and Berenguer 2002) to be constant; then the threshold A_nom and the inter-inspection time Δt can be obtained by numerical minimization of the cost criterion of the single-mode deteriorating system in mode M1. The threshold A_ac corresponds to the optimal threshold for the single-mode deteriorating system in mode M2.
In this work, the cost criterion is optimized as a function of the parameter of the considered maintenance policy: the detection threshold h defined in (7, 8).
6 NUMERICAL IMPLEMENTATION
In this section we apply the maintenance policy presented in this paper to the case of a system with two degradation modes and four possible accelerated modes (K = 4).
The proposed maintenance policies are analyzed by numerical implementations. Throughout this section, the values of the maintenance costs are respectively Ci = 5, Cp = 50, Cc = 100 and Cu = 250. For the numerical calculations it is supposed that in the nominal mode M1, α1 = 1 and β1 = 1. Hence, the maintenance threshold A_nom is equal to 90.2. The previous value is the optimal value which minimizes the long run maintenance cost for a single-mode deteriorating system in mode M1. For this optimization (from Monte Carlo simulations), we use single degradation mode results with Δt = 4. The couple (A_nom, Δt) = (90.2, 4) is the optimal couple which minimizes the long run maintenance cost for a single-mode deteriorating system in mode M1. T0 is simulated from a uniform law in the Monte Carlo method. To evaluate each maintenance policy, four different accelerated modes are considered. So the parameters of the accelerated mode belong to the following set:
(α2, β2) ∈ {(2, 1), (1, 3), (2, 2), (1, 7)}
Table 1. Characteristic data of the second degradation mode.
Real second mode cases   1      2      3      4
α2                       2      1      2      1
β2                       1      3      2      7
A_ac                     85.6   74.6   73.7   51.6
The ‘‘optimal’’ value of h which leads to a minimal maintenance cost is numerically calculated. To define the optimal value of h, the maintenance cost, the false alarm rate and the isolation rate are obtained for different values of h in the interval [0, 15]. This interval is chosen because the cost remains stable around the same values after h = 15. The values of h corresponding to the lowest maintenance cost, lowest false alarm rate and highest correct isolation are defined. To study the impact of the variation of the threshold h on the properties of the maintenance policy, in addition to the maintenance cost, the probabilities of preventive and corrective maintenance for different values of h in the interval [0, 15] are calculated. The choice of h is not always based on the value which minimizes the maintenance cost or which optimizes the properties of the detection algorithm. For example, it is not sensible to take a value of h leading to the lowest maintenance cost if it corresponds to a false isolation rate close to 1.
We present in table 2 the properties of the maintenance versus detection/isolation algorithm corresponding to the value of h which leads to the lowest maintenance cost. It can be noted that, except for case 1 (α2 = 2 and β2 = 1), the maintenance costs are very low in comparison with the conservative case when only one threshold is used, presented in table 5.
Table 2. Optimal maintenance policy corresponding to the lowest maintenance cost.
Real second mode cases    1      2      3      4
Maintenance Cost          1.98   1.99   1.99   2.00
Detection threshold       1      1      1      1
False alarm rate          0.9    0.89   0.89   0.88
Correct isolation rate    0.87   0.03   0.04   0.05
Table 3. Optimal maintenance policy corresponding to the lowest false alarm rate.
Real second mode cases    1      2      3      4
Maintenance Cost          1.99   2.22   2.37   2.67
Detection threshold       5      7      6      15
False alarm rate          0.016  0.02   0.014  0.24
Correct isolation rate    1      0      0      0
Table 4. Optimal maintenance policy corresponding to the highest correct isolation rate.
Real second mode cases    1      2      3      4
Maintenance Cost          1.98   2.09   2.17   2.34
Detection threshold       12     2      2      2
False alarm rate          0.018  0.3    0.31   0.27
Correct isolation rate    1      0.19   0.2    0.3
Table 5. Optimal costs corresponding to the maintenance with one preventive threshold.
Case     1      2      3      4
Costs    1.97   2.21   2.36   2.66
In table 3 the properties of the maintenance versus detection/isolation algorithm corresponding to the value of h which leads to the lowest false alarm rate are exposed. It can be noticed that the maintenance costs are very close to the costs when only one threshold is used (without detection procedure). The use of the detection algorithms when a low false alarm rate is requested doesn’t improve the quality of the maintenance policy. In this configuration, a maintenance policy without detection procedure seems to be adequate. The results in table 4 correspond to the properties of the maintenance versus detection/isolation algorithm corresponding to the value of h which leads to the highest correct isolation. In this table, except for case 1 (α2 = 2 and β2 = 1), the highest correct isolation is not very high, but the corresponding false alarm rate and maintenance costs are acceptable. The maintenance cost is still lower than that of the maintenance policy without detection procedure. In the first case (α2 = 2 and β2 = 1) the correct isolation rate is always very high. This should be due to the global optimization of the detection threshold h. This optimization is more sensitive to the properties of the first case where the two modes are very close. It is possible that if in the optimization procedure, for each second mode l = 1, . . . , K, a detection threshold h_l in equation (7) is used, the result of the correct isolation could be different. But this method requires a complex optimization procedure and the feasibility is arguable.
If the only criterion is the result of the maintenance (low maintenance cost) we can neglect the value of the false alarm rate and false isolation. But if in the maintenance procedure the properties of the detection algorithms are of great importance we can not base our choice only on the maintenance cost and we should take into account the properties of the detection algorithm.
In figure 1 the maintenance properties corresponding to the accelerated mode (α2 = 1, β2 = 3) are depicted. To illustrate the results the threshold h varies in [0, 15]. The maintenance cost is stable around 2.2 and reaches its minimum value 1.99 for h = 0. The probability of corrective maintenance is very low and the probability of preventive maintenance is very high. We can say that there is mostly a preventive policy.
In figure 2 the detection algorithm properties corresponding to the accelerated mode (α2 = 2, β2 = 2) are depicted. To illustrate the results the threshold h varies in [0, 15]. The false alarm rate is very high for the small values of h and it decreases as h grows. For
h > 4, the false alarm rate is close to 0. On the contrary, as h grows the detection delay also grows. It is sensible that for a low detection threshold the false alarm is very significant, and as the detection improves and the false alarm decreases the detection delay appears. It is natural that with a 0.9 false alarm rate the detection delay is inexistent.
In figure 3 the correct isolation rate corresponding to the accelerated mode (α2 = 2, β2 = 1) is depicted. To illustrate the results the threshold h varies in [0, 15]. These results show the good quality of the detection/isolation algorithm.
[Figure panels (axis tick residue removed): Cost versus h; Proba of corrective maintenance vs h; Proba of preventive maintenance vs h, each for h in [0, 15].]
7 CONCLUSION
Fouladirad, M., L. Dieulle, and A. Grall (2006). The use of online change detection for maintenance of gradually deteriorating systems. In ESREL 2006 Congress, Estoril, Portugal, 18–22 September, 2006.
Fouladirad, M., L. Dieulle, and A. Grall (2007). On the use of Bayesian on-line change detection for maintenance of gradually deteriorating systems. In ESREL 2007 Congress, Stavanger, Norway, 25–27 June.
Frangopol, D., M. Kallen, and J. van Noortwijk (2004). Probabilistic models for life-cycle performance of deteriorating structures: review and future directions. Progress in Structural Engineering and Materials 6(4), 197–212.
Grall, A., L. Dieulle, and C. Berenguer (2002). Continuous-time predictive maintenance scheduling for a deteriorating system. IEEE Transactions on Reliability 51(2), 141–150.
Lorden, G. (1971). Procedures for reacting to a change in distribution. The Annals of Mathematical Statistics 42, 1897–1908.
Nikiforov, I. (1995). A generalized change detection problem. IEEE Transactions on Information Theory 41, 171–187.
Saassouh, B., L. Dieulle, and A. Grall (2005, 30 June). Adaptive maintenance policy for a deteriorating system with random change of mode. pp. 5. ESREL 2005. With proceedings.
van Noortwijk, J. (2007). A survey of the application of gamma processes in maintenance. In Reliability Engineering and System Safety.
van Noortwijk, J. M. and P. van Gelder (1996). Optimal Maintenance Decisions for Berm Breakwaters. Structural Safety 18(4), 293–309.
Wang, H. (2002). A survey of maintenance policies of deteriorating systems. European Journal of Operational Research 12, 469–489.
ABSTRACT: This paper is concerned with an opportunity-based age replacement policy for a system under two
types of failures, minor and catastrophic. We consider a general distribution for the time to the first opportunity,
dropping the usual assumption of exponentially distributed times between opportunities. Under this model
the system undergoes a minimal repair whenever a minor failure occurs whereas a perfect restoration follows
any catastrophic failure and after the N minor failure. The system is preventively replaced at maintenance
opportunities arising after instant S and also at the moment its age reaches T . We take into account the costs
due to minimal repairs, perfect repairs, opportunity based replacements and preventive maintenances. We focus
on the optimum policy (T ∗ , N ∗ ) that minimizes the long-term cost per unit of time, providing conditions under
which such optimum policy exists.
policy is completed with a preventive replacement at age T. We assume costs derived from minimal and perfect repairs as well as both opportunity-based maintenance and preventive maintenance costs, aiming at minimizing the expected cost per unit of time. This work is concerned with the conditions under which there exists an optimum policy (T, N). To this end the model is described in Section 2, where the cost function is also derived. Sections 3 and 4 contain the results related to the existence of the optimal policy.

2 THE MODEL

Consider a system that may experience two types of failures. Provided that a failure occurs at time x, it belongs to the minor failure class with probability p(x) or it is a catastrophic failure with probability q(x) = 1 − p(x). The former are removed by means of a minimal repair, whereas the system is restored with a perfect repair after a catastrophic failure. In addition, the system is preventively maintained at age T.

Let r(x) be the failure rate of the time to the first failure. Hence the corresponding reliability function is
\[
F(x) = e^{-\int_0^x r(u)\,du}.
\]
The distributions corresponding to the first catastrophic failure and the N-th minor failure are independent. The reliability function of the earlier of these two times is given by
\[
H(x, N) = \sum_{k=0}^{N-1} D_k(x)\, e^{-\int_0^x r(u)\,du},
\]
and its density by
\[
h(x, N) = q(x) r(x) \sum_{k=0}^{N-2} D_k(x)\, e^{-\int_0^x r(u)\,du} + r(x)\, D_{N-1}(x)\, e^{-\int_0^x r(u)\,du},
\]
where, consistently with the identities used below, D_k(x) = (∫_0^x p(u)r(u)du)^k / k!, so that D'_k(x) = p(x)r(x)D_{k−1}(x) and h(x, N) = −dH(x, N)/dx.

Renewal opportunities independent of the system arise from time S on, with 0 < S < T. Let G(x) denote the reliability function of the time elapsed from S to the first maintenance opportunity. We assume that whenever the system is renewed, G(x) remains the same.

A cycle, that is, the total renewal of the system, is completed after one of the four events described next:

1. the renewal that follows a catastrophic failure or the N-th minor failure, whichever comes first, occurring before S;
2. the renewal that follows a catastrophic failure or the N-th minor failure, whichever comes first, occurring after S;
3. a maintenance opportunity;
4. a preventive maintenance.

Let p1 denote the probability of a cycle ending after the corrective maintenance that follows events 1) and 2), whereas p2 and p3 represent the corresponding probabilities of events 3) and 4). Throughout, dH(x, N) and dG(y) denote the probability measures of the corresponding lifetimes, i.e. h(x, N)dx and −G'(y)dy. The probabilities of events 3) and 4) are
\[
p_2 = \int_0^{T-S} H(y+S, N)\, dG(y) = \int_S^T H(x, N)\, dG(x-S), \qquad
p_3 = H(T, N)\, G(T-S),
\]
and, since the four events are exhaustive and mutually exclusive,
\[
p_1 = 1 - p_2 - p_3 = \left( 1 - H(S, N) \right) + \int_S^T G(x-S)\, dH(x, N),
\]
the first term being the probability of event 1) and the integral that of event 2). The following formula provides the mean length of a cycle:
\[
E(\tau) = \int_0^S x\, dH(x, N) + \int_S^T x\, G(x-S)\, dH(x, N) + \int_0^{T-S} (y+S)\, H(y+S, N)\, dG(y) + T\, H(T, N)\, G(T-S),
\]
where the four foregoing terms correspond respectively to the mean length of a cycle ending after the events previously numbered 1) to 4). The third term in the formula can be rewritten as
\[
\int_S^T x\, H(x, N)\, dG(x-S).
\]
Integrating by parts with u = xH(x, N) and dv = dG(x − S) leads to
\[
\int_S^T x\, H(x, N)\, dG(x-S) = -T\, H(T, N)\, G(T-S) + S\, H(S, N) + \int_S^T H(x, N)\, G(x-S)\, dx - \int_S^T x\, G(x-S)\, dH(x, N).
\]
Hence,
\[
E(\tau) = \int_0^S x\, dH(x, N) + S\, H(S, N) + \int_S^T H(x, N)\, G(x-S)\, dx
= \int_0^S H(x, N)\, dx + \int_S^T H(x, N)\, G(x-S)\, dx,
\]
the last equality following from a further integration by parts of the first term.

Let us denote by MR1, MR2, MR3 and MR4 the mean number of minimal repairs in a cycle ending after one of the four events described above. In what follows we denote by s(x) and m(x) the following functions:
\[
s(x) = e^{-\int_0^x p(u) r(u)\,du}, \qquad m(x) = e^{-\int_0^x q(u) r(u)\,du},
\]
so that s(x)m(x) = e^{−∫_0^x r(u)du}. Then
\[
MR_1 = \int_0^S \sum_{k=0}^{N-1} k\, D_k(x)\, s(x)\, q(x) r(x)\, m(x)\, dx + \int_0^S (N-1)\, m(x)\, p(x) r(x)\, D_{N-1}(x)\, s(x)\, dx
= \int_0^S \left( \int_0^x p(u) r(u)\,du \right) h(x, N-1)\, dx,
\]
\[
MR_2 = \int_S^T G(x-S) \sum_{k=0}^{N-1} k\, D_k(x)\, s(x)\, q(x) r(x)\, m(x)\, dx + \int_S^T (N-1)\, G(x-S)\, m(x)\, p(x) r(x)\, D_{N-1}(x)\, s(x)\, dx
= \int_S^T G(x-S) \left( \int_0^x p(u) r(u)\,du \right) h(x, N-1)\, dx,
\]
\[
\begin{aligned}
MR_3 &= \int_0^{T-S} \left[ \int_{y+S}^{\infty} H(x, N-1)\, q(x) r(x)\, dx + \int_{y+S}^{\infty} p(x) r(x)\, D_{N-2}(x)\, e^{-\int_0^x r(u)\,du}\, dx \right] \left( \int_0^{y+S} p(u) r(u)\,du \right) dG(y) \\
&= \int_0^{T-S} \left[ \int_{y+S}^{\infty} h(x, N-1)\, dx \right] \left( \int_0^{y+S} p(u) r(u)\,du \right) dG(y)
= \int_0^{T-S} H(y+S, N-1) \left( \int_0^{y+S} p(u) r(u)\,du \right) dG(y) \\
&= \int_S^T H(x, N-1) \left( \int_0^x p(u) r(u)\,du \right) dG(x-S).
\end{aligned}
\]
Integrating by parts with dv = dG(x − S) and u = H(x, N − 1)∫_0^x p(u)r(u)du, we get
\[
\begin{aligned}
MR_3 &= \left( \int_0^S p(u) r(u)\,du \right) H(S, N-1) - \left( \int_0^T p(u) r(u)\,du \right) H(T, N-1)\, G(T-S) \\
&\quad + \int_S^T p(x) r(x)\, H(x, N-1)\, G(x-S)\, dx - \int_S^T \left( \int_0^x p(u) r(u)\,du \right) G(x-S)\, h(x, N-1)\, dx \\
&\quad + G(T-S) \left( \int_0^T p(u) r(u)\,du \right) \int_T^{\infty} p(x) r(x)\, D_{N-2}(x)\, e^{-\int_0^x r(u)\,du}\, dx.
\end{aligned}
\]
Therefore the mean number of minimal repairs in a cycle is given by
\[
MR = MR_1 + MR_2 + MR_3 + MR_4 = \int_0^S p(x) r(x)\, H(x, N-1)\, dx + \int_S^T p(x) r(x)\, G(x-S)\, H(x, N-1)\, dx.
\]

Upon catastrophic failures the system is perfectly restored at cost c1, and so it is when a maintenance opportunity arises, with cost c2, and also when it is time for preventive maintenance, c3 being the corresponding cost. Minimal repairs cost c4 each. Hence the mean cost of a cycle is expressed by the following formula:
\[
\begin{aligned}
E[C(\tau)] &= c_1 p_1 + c_2 p_2 + c_3 p_3 + c_4\, MR \\
&= c_1 \left( 1 - H(S, N) \right) + c_2 H(S, N) + (c_1 - c_2) \int_S^T G(x-S)\, dH(x, N) + (c_3 - c_2)\, H(T, N)\, G(T-S) \\
&\quad + c_4 \int_0^S p(x) r(x)\, H(x, N-1)\, dx + c_4 \int_S^T p(x) r(x)\, G(x-S)\, H(x, N-1)\, dx,
\end{aligned}
\]
where the first two terms follow from p1 = 1 − p2 − p3 together with ∫_S^T G(x−S)dH(x, N) + ∫_S^T H(x, N)dG(x−S) = H(S, N) − H(T, N)G(T−S). The expected cost per unit of time is
\[
Q(T, N) = \frac{E[C(\tau)]}{E[\tau]}.
\]

3 OPTIMUM T WHEN N IS SET

Let L(T, N) = E[τ] and C(T, N) = E[C(τ)], and define
\[
R(T, N) = c_4 r(T) + (c_2 - c_3)\, l(T-S) + (c_1 - c_3 - c_4) \left( q(T) + p(T) Z(T, N) \right) r(T),
\]
with l(x) being the failure rate corresponding to the distribution G of the time to the first maintenance opportunity, and
\[
Z(T, N) = \frac{D_{N-1}(T)}{\sum_{k=0}^{N-1} D_k(T)}.
\]
R(T, N) is the ratio of the partial derivatives of C(T, N) and L(T, N) with respect to T: differentiating the expressions above gives ∂L/∂T = H(T, N)G(T−S) and ∂C/∂T = H(T, N)G(T−S)R(T, N), using h(T, N)/H(T, N) = r(T)(q(T) + p(T)Z(T, N)) and H(T, N−1)/H(T, N) = 1 − Z(T, N).
Z(T, N) verifies 0 ≤ Z(T, N) ≤ 1 and is increasing with T, since its derivative is
\[
\frac{dZ(T, N)}{dT} = p(T) r(T)\, \frac{D_{N-2}(T)}{\left( \sum_{k=0}^{N-1} D_k(T) \right)^2}
+ p(T) r(T)\, \frac{\sum_{j=1}^{N-1} \frac{(N-2+j)!}{(j-1)!\,(N-2)!}\, D_{N-2+j}(T) \left( \frac{1}{j} - \frac{1}{N-1} \right)}{\left( \sum_{k=0}^{N-1} D_k(T) \right)^2} \ge 0,
\]
every term being non-negative because 1/j ≥ 1/(N − 1) for j = 1, …, N − 1. Given that
\[
\frac{d \left( q(T) + p(T) Z(T, N) \right)}{dT} = \frac{dq(T)}{dT} \left( 1 - Z(T, N) \right) + p(T)\, \frac{dZ(T, N)}{dT},
\]
whenever q(T) is an increasing function of T so is q(T) + p(T)Z(T, N). Assuming that r(t) is increasing and l(x) is decreasing, along with c2 < c3 and c1 − c3 − c4 > 0, then R(T, N) is also increasing. Moreover, the derivative of Q(T, N) with respect to T has the same sign as M(T, N) = R(T, N)L(T, N) − C(T, N), because ∂Q/∂T = H(T, N)G(T−S)M(T, N)/L(T, N)²; and M(T, N) exhibits the same monotonic behaviour as R(T, N), since ∂M/∂T = L(T, N)∂R/∂T. Therefore, as M(0, N) = −c3 < 0, if lim_{T→∞} M(T, N) > 0 then, under the foregoing assumptions, Q(T, N) has a finite minimum T*_N. Such an optimum policy is the unique zero of the equation M(T, N) = 0. In addition, the corresponding optimum cost is Q(T*_N, N) = R(T*_N, N).

4 OPTIMUM N WHEN T IS SET

When the time of the preventive maintenance T is fixed in advance, the optimum N should verify both Q(T, N) ≤ Q(T, N + 1) and Q(T, N − 1) > Q(T, N). The foregoing conditions are equivalent to W(T, N) ≥ c3 and W(T, N − 1) < c3 respectively, W(T, N) being defined as follows:
\[
W(T, N) = \cdots - c_4 \int_0^T p(x) r(x)\, D_k(x)\, b(x)\, dx - (c_1 - c_3) \int_0^T D_{N-1}(x) \left( r(x) + l(x-S) \right) b(x)\, dx - (c_1 - c_3) \cdots \sum_{k=0}^{N-1} B(T, k)\, e(T, N) \cdots
\]
where b(x), B(T, k), d(T, k) and e(T, k) are given by
\[
b(x) = e^{-\int_0^x \left( r(u) + l(u-S) \right) du} = F(x)\, G(x-S),
\]
\[
B(T, k) = \int_0^T D_k(x)\, b(x)\, dx, \qquad d(T, k) = \int_0^T l(x-S)\, D_k(x)\, b(x)\, dx, \qquad
e(T, k) = \frac{D_k(T)\, F(T)\, G(T-S)}{B(T, k)}, \qquad k = 0, 1, \ldots
\]
with l(u − S) = 0 for u < S, since no opportunity can arise before S. By means of the identity
\[
\int_0^T p(x) r(x)\, D_{N-1}(x)\, b(x)\, dx = D_N(T)\, F(T)\, G(T-S) + \int_0^T D_N(x) \left( r(x) + l(x-S) \right) b(x)\, dx,
\]
which is obtained integrating by parts in the previous expression (note that D'_N(x) = p(x)r(x)D_{N−1}(x) and b'(x) = −(r(x) + l(x − S))b(x)), we get
\[
W(T, N+1) - W(T, N) = \sum_{k=0}^{N} B(T, k) \Big( c_4 \left( F(T, N+1) - F(T, N) \right) \cdots \Big) \qquad (1)
\]
e(T, N) increases with N. Then, whenever r(x) and l(x) are increasing and decreasing respectively, along with c1 − c3 − c4 < 0 and c1 − c2 − c4 > 0, it follows from (1) that W(T, N) is increasing. Hence, under the foregoing assumptions the optimum N when T is previously set, N*_T, is the minimum N satisfying W(T, N) ≥ c3. In case W(T, N) < c3 for all N, then N*_T = ∞.

5 CONCLUSIONS

The high cost incurred by some preventive maintenances motivates carrying out opportunity-based policies. This paper provides conditions under which an optimum opportunity-based policy exists in two cases: the optimum T* for a given N, and the optimum N* when T is fixed. Such conditions involve an increasing failure rate of the time to failure and a decreasing failure rate of the time to the first opportunity, apart from cost-related conditions. Concerning the simultaneous optimization of both T and N, we consider the use of the following algorithm proposed by Zequeira and Bérenguer (2006) and Nakagawa (1986):

1. Set N = 1.
2. If Q(T*_{N+1}, N + 1) < Q(T*_N, N), then go to step 3; otherwise go to step 4.
3. Set N = N + 1 and return to step 2.
4. Set N* = N.

The optimal policy turns out to be (T*, N*) = (T*_{N*}, N*). Note that the foregoing algorithm does not ensure a global optimum but just a local one. Moreover, obtaining conditions that guarantee the existence of an optimum (T*, N*) seems to be a difficult task.

REFERENCES

Coolen-Schrijner, P., F. Coolen, and S. Shaw (2006). Nonparametric adaptive opportunity-based age replacement strategies. Journal of the Operational Research Society.
Dekker, R. and M. Dijkstra (1992). Opportunity-based age replacement: exponentially distributed times between opportunities. Naval Research Logistics (39), 175–190.
Dekker, R. and E. Smeitink (1991). Opportunity-based block replacement. European Journal of Operational Research (53), 46–63.
Dohi, T., N. Kaio, and S. Osaki (2007). Discrete time opportunistic replacement policies and their application. Recent Advances in Stochastic Operations Research. World Scientific.
Iskandar, B. and H. Sandoh (2000). An extended opportunity-based age replacement policy. RAIRO Operations Research (34), 145–154.
Jhang, J. and S. Sheu (1999). Opportunity-based age replacement policy with minimal repair. Reliability Engineering and System Safety (64), 339–344.
Nakagawa, T. (1986). Periodic and sequential preventive maintenance policies. Journal of Applied Probability (23), 536–542.
Nakagawa, T. (2005). Maintenance Theory of Reliability. Springer.
Satow, T. and S. Osaki (2003). Opportunity-based age replacement with different intensity rates. Mathematical and Computer Modelling (38), 1419–1426.
Zequeira, R. and C. Bérenguer (2006). Optimal scheduling of non-perfect inspections. IMA Journal of Management Mathematics (2), 187–207.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
O. Hryniewicz
Systems Research Institute, Warsaw, Poland
ABSTRACT: Maintainable technical systems are considered whose failures can be revealed only by special inspections. It is assumed that these inspections may be imperfect, i.e. their results may suggest wrong decisions. Two optimization models are considered: one in which the availability coefficient is maximized and a second in which the related costs are minimized. For both models approximately optimal solutions have been found. The presented examples show that these solutions are very close to the exact solutions when the time to failure is exponentially distributed. The paper is illustrated with two numerical examples.
F(t). The actual reliability state of this equipment is revealed by periodical inspection, performed every h time units. When the failure is revealed the system is renewed or replaced by a new one.

Let us assume that inspections may not be perfect. In such a case there exists a probability of a false alarm α, which is the probability of revealing a non-existent failure of the inspected equipment, and a probability β of not revealing an actual failure. Such probabilities are always greater than zero when the actual reliability state of the considered equipment is evaluated as the result of a statistical analysis of measurement results.

It is easy to show that the expected number of inspections performed during the time when the system is "up" can be expressed as follows:
\[
A_1(h) = \sum_{i=0}^{\infty} i \left[ P(T < (i+1)h) - P(T < ih) \right] = \sum_{i=1}^{\infty} R(ih), \qquad (1)
\]
where R(ih) = 1 − F(ih). Thus, the expected number of false alarms is equal to
\[
E_I(h) = \alpha A_1(h). \qquad (2)
\]
The expected number of inspections during the time when the system is "down" depends entirely upon the probability β, and is equal to
\[
E_{II}(h) = A_2 = \frac{1}{1 - \beta}. \qquad (3)
\]

There are numerous examples of such systems. For instance, the state of a certain production process which produces items whose quality can be evaluated only by destructive tests may be revealed by periodical sampling of its output. Another simple example of such a system is a battery which backs up the power supply of other equipment. Such a system is a typical one-shot system whose state is usually monitored during periodical inspections.

In our model we assume that all actions last some time during which the system is out of service. Let us assume that the expected time of an inspection is equal to μ0 and does not depend upon the actual state of the inspected system. When the inspection reveals a false alarm the expected additional out-of-service time is equal to μa, and when it reveals an actual failure the expected repair (renewal) time is equal to μr. Therefore the expected time between consecutive renewals is given by
\[
T_r = \left[ A_1(h) + A_2 \right] h + A_1(h) \left( \mu_0 + \alpha \mu_a \right) + A_2 \mu_0 + \mu_r. \qquad (4)
\]
Hence, the stationary availability coefficient for this equipment is given by
\[
K(h) = \frac{\tau}{T_r(h)}, \qquad (5)
\]
where τ = E(T) is the expected time to failure.

From the analysis of (4) and (5) it is obvious that when h tends to 0 the expected number of inspections, and thus the expected time devoted to inspections, tends to infinity. Hence, the availability in such a case tends to zero. Similarly, when h tends to infinity the expected duration of state II (the "down" state) is infinite, and the availability also tends to zero. Hence, there exists an optimal inspection interval hK for which the availability K(h) attains its maximum. We will consider the problem of finding this optimal value in the next section of this paper.

The optimization of the inspection interval h can also be considered as the problem of minimizing some costs. Let us assume that the average cost of each inspection is equal to c0. Moreover, we assume that the average additional cost of a false alarm is equal to ca, and the average cost of a system renewal is equal to cr. We can also distinguish the average cost related to a failure, cf, but this cost, being unavoidable, can also be included in the cost of renewal cr, which has the same nature. There are also losses which depend upon the duration of state II. We assume that this cost is proportional to the duration of state II, i.e. the time between the failure and the moment of its detection, and that this cost per time unit is equal to cl.

Now we can calculate the expected costs of inspections C1, the expected costs related to false alarms C2, and the expected costs related to the failure C3. They can be calculated from the following expressions:
\[
C_1(h) = \left[ A_1(h) + A_2 \right] c_0 \qquad (6)
\]
\[
C_2(h) = \alpha A_1(h)\, c_a \qquad (7)
\]
\[
C_3(h) = c_f + c_r + \left\{ \left[ A_1(h) + A_2 \right] h - \tau \right\} c_l \qquad (8)
\]
The total expected cost related to one renewal period is now given by
\[
C(h) = C_1(h) + C_2(h) + C_3(h). \qquad (9)
\]
Similarly to the previous case, it is easy to show that for h tending to zero and for h tending to infinity the
expected cost C(h) is infinite. Thus, there exists an optimal inspection interval hC for which the expected cost C(h) attains its minimum. We will consider the problem of finding this optimal value in the next section of this paper.

Equating the derivative of (9) with respect to h to zero, the optimal interval hC satisfies
\[
A_1'(h) \left( h c_l + c_0 + \alpha c_a \right) + A_1(h)\, c_l + c_l A_2 = 0. \qquad (12)
\]

The main computational problem related either to the maximization of K(h) given by (5) or the minimization of C(h) given by (9) is caused by difficulties with the calculation of A1(h) according to (1) and of its derivative given by (11). This function can be expressed in closed form only for specially defined probability distributions F(t). The only popular probability distribution for which A1(h) is given by a closed formula is the exponential distribution with hazard rate λ equal to the reciprocal of the expected time to failure, i.e. λ = 1/τ. In this case by simple calculations we can show that
\[
A_1(h) = \frac{1}{e^{\lambda h} - 1}. \qquad (13)
\]

Let us consider the problem of the maximization of (5) when the time to failure is exponentially distributed. By elementary calculations we can find that the objective function is in this case expressed as
\[
K(h) = \frac{\tau \left( e^{\lambda h} - 1 \right)}{\left[ 1 + A_2 \left( e^{\lambda h} - 1 \right) \right] h + \left( e^{\lambda h} - 1 \right) \left( \mu_r + A_2 \mu_0 \right) + \mu_0 + \alpha \mu_a}. \qquad (14)
\]
When we equate to zero the derivative of (17) we arrive at the following nonlinear equation:
\[
c_l A_2 e^{2\lambda h} - \lambda c_l h\, e^{\lambda h} - e^{\lambda h} \left[ \lambda \left( c_0 + \alpha c_a \right) + c_l \left( 2A_2 - 1 \right) \right] + c_l \left( A_2 - 1 \right) = 0, \qquad (18)
\]
which is the stationarity condition (12) with A1(h) taken from (13), multiplied through by (e^{λh} − 1)². This equation can be solved only numerically. When we use the Newton–Raphson method for this purpose we need the derivative of the left-hand side of (18). This derivative is given by the following expression:
\[
D_C = 2\lambda c_l A_2 e^{2\lambda h} - \lambda c_l e^{\lambda h} \left( 1 + \lambda h \right) - \lambda e^{\lambda h} \left[ c_0 + \alpha c_a + c_l \left( 2A_2 - 1 \right) \right]. \qquad (19)
\]
Even in the simplest case of exponentially distributed time to failure the solutions of the optimization problems require numerical computations. In both cases it is necessary to find an appropriate initial value of h. This value can be found using the following approximate optimization procedure, which is based on
the following approximation proposed by Hryniewicz (1992):
\[
A_1(h) \approx \frac{\tau}{h} - 0.5. \qquad (20)
\]
This approximation is valid when h is significantly smaller than τ and, what is more important, it is valid for any probability distribution of the time to failure.

When we apply this approximation to the objective function given by (5) we obtain an expression in which
\[
W_1 = A_2 - 0.5, \qquad (22)
\]
and the approximately optimal inspection interval is hK = ZK √τ (formula (26)), where
\[
Z_K = \sqrt{\frac{\alpha \mu_a + \mu_0}{A_2 - 0.5}}. \qquad (28)
\]

Table 1. Comparison of approximately optimal (hK) and optimal (hK,opt) inspection intervals for the availability model, τ = 1000.

ZK    hK        hK,opt
1     31.622    31.485
2     63.245    62.701
3     94.868    93.645
5     158.114   154.728
10    316.228   302.804
…case given by

Hence, the approximately optimal inspection interval is given by the following simple expression:
\[
h_C = \sqrt{\frac{\tau \left( c_0 + \alpha c_a \right)}{c_l \left( A_2 - 0.5 \right)}}. \qquad (31)
\]
Also in this case the optimal solution does not depend upon the costs of renewal, cr, and failure, cf, as these costs are unavoidable in this model and are not influenced by the inspection policy. In the case of perfect inspections (α = 0 and β = 0, hence A2 = 1), the respective optimal inspection interval is given by
\[
h_{C,p} = \sqrt{\frac{2 \tau c_0}{c_l}}. \qquad (32)
\]
We may also note the similarity between the approximately optimal solutions in both considered models, suggesting the existence of a certain equivalence between both approaches.

In order to evaluate the accuracy of the approximate solution of this optimization problem we compare the approximately optimal inspection intervals calculated from (31) with the optimal values calculated from (18) for the case of the exponential distribution of the time to failure. As in the previous case we fix the expected time to failure as 1000 time units and vary the value of
\[
Z_C = \sqrt{\frac{c_0 + \alpha c_a}{c_l \left( A_2 - 0.5 \right)}}, \qquad (33)
\]
which determines the relation between hC and τ, since hC = ZC √τ. The results of this comparison are presented in Table 2.

Table 2. Comparison of approximately optimal and optimal inspection intervals (cost model, τ = 1000).

The results presented in Table 2 show exactly the same properties of the optimal inspection intervals as were presented in Table 1 for the previously considered model. What is more interesting, the accuracy of the approximate solutions, measured in terms of the differences between optimal and approximately optimal results, is very similar for both models. This observation confirms our suggestion that the equality of ZK and ZC means that the consequences of making inspections, measured either in terms of availability or in terms of related costs, are equivalent.

4 NUMERICAL EXAMPLES

Let us consider two applications of the proposed solutions to the optimization problems. As the first example let us consider a production machine which produces metal cans. The performance of this machine is described by its ability to produce tight, non-leaky cans, and is measured by the probability of producing a good can. There are two types of failures of this machine. The first one is catastrophic and may be noticed immediately after its occurrence. We are interested, however, in failures of the second type, which are manifested by an increased probability of producing potentially leaky cans.

Let us assume that the acceptable quality level, expressed in terms of the probability of producing a leaky can, is equal to p1 = 0.001, i.e. there is on average not more than one nonconforming can per one thousand produced cans. The non-acceptable level, whose occurrence is treated as the occurrence of a machine failure, is equal to p2 = 0.01, i.e. we consider the process faulty if there is on average one or more nonconforming can per one hundred produced cans. The current performance of the machine is measured using a sampling inspection plan taken from the international standard ISO 2859-1 (1999), for which the lot sample size is equal to n = 125 cans. The alarm is raised when at least one nonconforming can is found among the sampled cans. Thus, the probability of a false alarm is equal to α = 1 − (1 − 0.001)^125 = 0.1176, and the probability of not revealing the actual failure is taken as β = 0.7153 (strictly, (1 − 0.01)^125 = 0.2847, of which 0.7153 is the complement, i.e. the probability of detecting the failure at a single inspection; the value 0.7153 is the one used in the calculations below). Let us also assume that the cost of this sampling action is equal to c0 = 1 unit (i.e. we relate all the considered costs to the cost of inspection). When the alarm is raised an additional 500 cans are tested, and when all of them are free from defects the alarm is considered false. Otherwise, the machine is considered failed, and renewal actions have to be undertaken. Note that in this case
the probability of not revealing a failure is equal to 0.0019, so this additional procedure may be considered practically error free. The additional cost of a false alarm in the considered case equals ca = 4. If we assume that the expected time between consecutive failures is equal to τ = 1000 time units, and the loss per time unit caused by the operation of a failed machine equals cl = 10, then we have ZC = 0.221, and the approximately optimal inspection interval, calculated according to (31), is equal to 6.986 time units. When the time to failure is exponentially distributed the optimal inspection interval, calculated as the solution of (18) with a precision of 3 decimal places, is exactly the same.

Let us now consider another practical example, where the evaluation of costs is difficult or even hardly possible. In this example we consider a UPS battery backup system which backs up the power supply of a continuously working computer system. The failure of the UPS system occurs when its batteries are discharged and/or its switching system is out of order. The state of the batteries can be evaluated immediately. However, the state of the switching system can only be evaluated by tests which last on average 1 time unit. Let us assume now that the probability of a false alarm is equal to α = 0.05 (i.e. on average one of every 20 routine tests triggers an unnecessary alarm), and the average time necessary to reveal that this alarm is actually false is equal to 5 time units. Moreover, let us assume that the probability of not detecting an existing failure is equal to β = 0.1 and, as in the previous example, that the expected time between failures is equal to τ = 1000 time units. The approximately optimal inspection interval, calculated according to (26), is equal to 45.227 time units. When the time to failure is exponentially distributed the optimal inspection interval, calculated as the solution of (15), equals 44.948 time units, but the availability coefficients (calculated for different values of the renewal time) are nearly the same.

Both examples show that the proposed approximate method for the calculation of the optimal inspection interval allows finding the optimal solution with the help of a simple pocket calculator. What is more important, and perhaps even surprising, is that the approximate solutions are very close to the exact ones.

REFERENCES

Badia, F.G., Berrade, M.D., Campos, C.A. 2001. Optimization of inspection intervals based on costs. Journal of Applied Probability, 38: 872–881.
Badia, F.G., Berrade, M.D., Campos, C.A. 2002. Optimal inspection and preventive maintenance of units with revealed and unrevealed failures. Reliability Engineering & System Safety, 78: 157–163.
Baker, M.J.C. 1990. How often should a machine be inspected? International Journal of Quality and Reliability Management, 4 (4): 14–18.
Barlow, R.E., Hunter, L.C., Proschan, F. 1960. Optimum checking procedures. In: Proc. of the Seventh National Symposium on Reliability and Quality Control, 9: 485–495.
Barlow, R.E., Hunter, L.C., Proschan, F. 1963. Optimum checking procedures. Journal of SIAM, 11: 1078–1095.
Berger, K., Bar-Gera, K., Rabinowitz, G. 2007. Analytical model for optimal inspection frequency with consideration of setup inspections. Proc. of IEEE Conference on Automation Science and Engineering: 1081–1086.
Chelbi, A., Ait-Kadi, D. 1999. Reliability Engineering & System Safety, 63: 127–131.
Chung, K.-J. 1993. A note on the inspection interval of a machine. International Journal of Quality and Reliability Management, 10(3): 71–73.
Collani von, E. 1981. On the choice of optimal sampling intervals to maintain current control of a process. In: Lenz, H.-J., et al. (Eds.) Frontiers in Statistical Quality Control: 38–44, Wuerzburg, Physica Verlag.
Fung, J., Makis, V. 1997. An inspection model with generally distributed restoration and repair times. Microelectronics and Reliability, 37: 381–389.
Hariga, M.A. 1996. A maintenance inspection model for a single machine with general failure distribution. Microelectronics and Reliability, 36: 353–358.
Hryniewicz, O. 1992. Approximately optimal economic process control for a general class of control procedures. In: H.J. Lenz et al. (Eds.) Frontiers in Statistical Quality Control IV: 201–215, Heidelberg, Physica Verlag.
ISO 2859-1: 1989(E): Sampling procedures for inspection by attributes. Part 1. Sampling schemes indexed by acceptable quality level (AQL) for lot-by-lot inspection.
Khan, F.I., Haddara, M., Krishnasamy, L. 2008. A new methodology for Risk-Based Availability Analysis. IEEE Transactions on Reliability, 57: 103–112.
Menipaz, E. 1978. On economically based quality control decisions. European Journal of Operational Research, 2: 246–256.
Savage, I.R. 1956. Cycling. Naval Research Logistic Quarterly, 3: 163–175.
Vaurio, J.K. 1994. A note on optimal inspection intervals. International Journal of Quality and Reliability Management, 11(6): 65–68.
Vaurio, J.K. 1999. Availability and cost functions for periodically inspected preventively maintained units. Reliability Engineering & System Safety, 63: 133–140.
Wang, W., Christer, A.H. 2003. Solution algorithms for a nonhomogeneous multi-component inspection model. Computers & Operations Research, 30: 19–34.
M. Carvalho
University of Minho, Braga, Portugal
ABSTRACT: Maintenance is one of the main tools used to assure the satisfactory functioning of components and equipment and the reliability of technological systems. The literature on maintenance policies and models is enormous, and there are a great number of described contexts in which the required maintenance policy is selected to satisfy technical and financial restrictions. However, by assuming very simplified conditions, many studies have limited applicability in reality. Considering a maintenance policy based on periodic inspections, this article presents a model that determines the time interval between inspections that minimizes the global cost of maintenance per unit of time. It is assumed that the system consists of n components in series. The model recognizes failures that are immediately revealed and failures that are only revealed at the first inspection after their occurrence. The model also incorporates the repair times of components, but both the duration of inspections and the duration of preventive maintenance are neglected. The analytical development of the model allows us to obtain a closed-form function to determine the optimal time period between inspections. This function will be discussed and a numerical example will be presented.
1 INTRODUCTION

From an operational perspective, the most critical phase in the life cycle of a technological system is the phase of operation and maintenance. This is also the phase that contributes the biggest share of the Life Cycle Cost (LCC) of the system. This is the reason why the problem of estimating the instants of time for inspections is considered of great interest or (many times) of primordial importance. These instants are scheduled to carry out the necessary preventive maintenance of the system in order to keep it running normally at a pre-specified level of service.

In the last few decades, the problems of maintenance and replacement of systems have been extensively studied by many researchers. Optimizing the maintenance costs has clearly been the most commonly formulated objective function, and many related models have been proposed for those problems. Kallen & Noortwijk (2006) and Badía et al. (2002) develop models of maintenance policies with imperfect inspections for single-component systems, whose failures are (or are not) revealed randomly at the instant of failure. Their models neglect the duration of maintenance and consider that it restores the component to a state of as good as new. Chiang & Yuan (2001) and Wang & Zhang (2006) also propose similar maintenance models, aiming at the optimization of the global cost, but consider that both preventive and corrective maintenance are imperfect. Still under the same optimizing objective, other authors propose models for multi-component systems. For example, Bris et al. (2003) present a plan of periodic maintenance for series and parallel systems, where the failures are only detected at inspections. Zequeira & Bérenguer (2005) develop an analogous maintenance policy for a parallel system with two components. Barros et al. (2006) add to the previous model the possibility of failures being detected at the instant of their occurrence. In all of these works, the repair times are neglected.

2 THE MODEL

This paper develops a policy of periodic inspections comprising preventive maintenance actions for n independent components in series. It is considered that the failure of a component is immediately revealed with probability p and is not revealed with probability 1 − p. The term failure does not necessarily imply that the system stops working at such an occurrence, but it
NOTATION
C Total cost of maintenance per cycle
C1 Cost of maintenance of revealed failures per cycle
C2 Cost of maintenance of unrevealed failures per cycle
I1 Number of inspections until the occurrence of a revealed failure per cycle
I2 Number of inspections until the detection of an unrevealed failure per cycle
D Time of non-detection of bad functioning per cycle
U Down-time per cycle
X Lifetime of the system; E[X] is the MTBF
n Number of components in the system
T Period of inspection
T* Optimal period of inspection
Pr(CMk) Probability of performing corrective maintenance on k components (k = 1, …, n) after an inspection
CI Cost of each inspection plus preventive maintenance
CD Cost of not detecting a bad functioning (per unit of time)
CU Cost per down-time unit
CR Cost of each corrective maintenance on a component
RS(t) Reliability of the system for a mission time t
Rk(t) Reliability of component k for a mission time t
τ1 Functioning cycle with revealed failure
τ2 Functioning cycle with failure not revealed
τR Repair time of a component (MTTR)
should be understood as the imperfect functioning of the system.

The basic considerations of the model are:

• Whenever a failure is revealed, a corrective maintenance is immediately carried out;
• The durations of corrective maintenances are taken into account, but assumed constant;
• Unrevealed failures are detected at inspections only;
• The inspections are periodic, perfect and do not have any effect on the reliability of the system;
• In a given inspection, if it is found that no failure has occurred in the system (since the previous inspection), only a preventive maintenance is carried out; if it is found that one or more failures have occurred, then an identical number of corrective actions must be performed as well as the regular preventive maintenance. Both types of maintenance, corrective and preventive, restore the system (i.e., each of its components) to the condition of "as good as new";
• Durations of inspections and preventive maintenances are neglected (null values).

The structure of the series system determines that the failure of a component implies the failure of the system. If the failure of a component is revealed at the instant of its occurrence, it will be immediately repaired. In this case, it is considered that only one repair is conducted; unrevealed failures that may have occurred before will be repaired at the next scheduled inspection. On the other hand, if a given failure (in a given component) is not detected immediately at its occurrence but only at the following inspection, failures in other components that may effectively occur in the meantime are considered as being of the unrevealed type, therefore supposing that the system continues to work uninterruptedly (but imperfectly) until the inspection. Finally, only one repair facility is admitted, so whenever two or more failures are detected at a given inspection, the down time, U, will be the sum of the repair times of the damaged components.

Considering then a maintenance policy based on periodic inspections and maintenances that are scheduled for the instants iT (i = 1, 2, …), it is intended to determine the optimum time interval or period between two consecutive inspections, T*, that minimizes the average total cost of maintenance per unit of time, O[T]. This cost can be expressed as
\[
O[T] = \frac{E[C(\tau)]}{E[\tau]} \qquad (1)
\]
In the previous expression, τ represents the functioning cycle, which is defined as the time interval between two consecutive renewals of the system. The length of the cycle depends on the type of failures that occurred. The occurrence of a revealed failure determines the end of a cycle of functioning and the commencement of a new one (after repair). In this case, the ending cycle, τ1, is estimated from the lifetime of the system and the down-time associated with the repair of the failure. Thus, the average cycle of functioning is given by:

The average time of unavailability, E[U], is:
589
where Pr(CMk) represents the probability of k corrective maintenances occurring in a cycle, and is given by:

$$\Pr(CM_k) = \sum_{i_1=1}^{n} \sum_{i_2=i_1+1}^{n} \cdots \sum_{i_k=i_{k-1}+1}^{n} \prod_{j = i_1, i_2, \ldots, i_k} \bigl[1 - R_j(T)\bigr] \prod_{t \neq i_1, i_2, \ldots, i_k} R_t(T) \qquad (14)$$

$$E[CM] = n - \sum_{k=1}^{n} R_k(T) \qquad (15)$$

2.3 Average total maintenance cost per unit of time
From the equations above, the average total cost per functioning cycle can be formulated by the following condensed equation:

$$E[C(\tau)] = \Bigl[C_I \sum_{i=1}^{+\infty} R_S(iT) + C_U \tau_R + C_R\Bigr] \times p + \Bigl[(C_I + C_D T) \sum_{i=0}^{+\infty} R_S(iT) + (C_U \tau_R + C_R)\Bigl(n - \sum_{k=1}^{n} R_k(T)\Bigr) - C_D E[X]\Bigr] \times (1 - p) \qquad (16)$$

Now, applying equation (1) and taking into account the relationships expressed in (2), (3), (4) and (16), the average total cost per unit of time comes as:

$$O[T] = \frac{\Bigl[C_I \sum_{i=1}^{+\infty} R_S(iT) + C_U \tau_R + C_R\Bigr] p}{p\,(E[X] + \tau_R) + (1 - p)\Bigl[T \sum_{i=0}^{+\infty} R_S(iT) + \tau_R \Bigl(n - \sum_{k=1}^{n} R_k(T)\Bigr)\Bigr]} + \frac{\Bigl[(C_I + C_D T) \sum_{i=0}^{+\infty} R_S(iT) + (C_U \tau_R + C_R)\Bigl(n - \sum_{k=1}^{n} R_k(T)\Bigr) - C_D E[X]\Bigr](1 - p)}{p\,(E[X] + \tau_R) + (1 - p)\Bigl[T \sum_{i=0}^{+\infty} R_S(iT) + \tau_R \Bigl(n - \sum_{k=1}^{n} R_k(T)\Bigr)\Bigr]} \qquad (17)$$

$$a(T) = C_I \sum_{i=0}^{+\infty} R_S(iT) + p\,(C_U \tau_R + C_R - C_I - C_D \tau_R) + (1 - p)(C_U \tau_R + C_R - C_D \tau_R)\Bigl(n - \sum_{k=1}^{n} R_k(T)\Bigr) - C_D E[X] \qquad (19)$$

$$b(T) = p\,(E[X] + \tau_R) + (1 - p)\Bigl[T \sum_{i=0}^{+\infty} R_S(iT) + \tau_R \Bigl(n - \sum_{k=1}^{n} R_k(T)\Bigr)\Bigr] \qquad (20)$$

Our aim is to determine the optimal time interval between inspections, T*, that minimizes the average total maintenance cost per unit of time, O[T]. As we will show later, there is no such finite optimum under certain conditions. Basically, the existence of an absolute minimum for the function O[T] depends on the relative amplitude among the various costs integrated into the model. And, independently of such a relationship among costs, it can be shown that O[T] → CD as T → +∞.
In the remaining part of this sub-section, we prove the sufficiency of a relationship among costs for the existence of an optimal period T*. Badía et al. (2002) verified the validity of this relationship for the case of a single-component system following a maintenance policy with imperfect inspections.
and

$$O[T_0] = C_D + \frac{a(T_0)}{b(T_0)} < C_D = \lim_{T \to +\infty} O[T]$$

This result proves that the condition defined in (21) is sufficient for the existence of an absolute minimum for the function O[T].

3 NUMERICAL EXAMPLES

$$E[X] = \theta\,\Gamma\!\Bigl(1 + \frac{1}{\beta}\Bigr), \qquad \theta > 0,\ \beta > 0$$

Assuming θ = 1, the values of the optimal inspection periods and the corresponding minimal cost are calculated for each case. The unit costs considered in the examples were CI = 10, CD = 100, CR = 25 and
Table 1. Optimum inspection time and optimum cost when the time to failure is a Weibull distribution.
β   E[X]   T*   O[T*]   T*   O[T*]   T*   O[T*]
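As an added example (not the authors' code), the following Python evaluates O[T] of (17), checks the decomposition O[T] = CD + a(T)/b(T) through (19) and (20), and grid-searches T* for n identical Weibull components with θ = 1. The values n = 3, CU = 5 and τR = 0.2 are constructed, since the page does not state them, and X is taken to be the system lifetime; CI, CD and CR are the paper's unit costs.

```python
"""O[T], the average total maintenance cost per unit of time of equation (17),
its decomposition O[T] = CD + a(T)/b(T) with a(T), b(T) of (19)-(20), and a grid
search for the optimal inspection period T*.

Added example, not the authors' code.  Assumptions: n identical components with
Weibull(beta, theta = 1) lifetimes, R_k(t) = exp(-t^beta), series system
R_S(t) = R_k(t)^n, and X taken as the system lifetime, E[X] = n^(-1/beta)
Gamma(1 + 1/beta).  CI = 10, CD = 100, CR = 25 are the paper's unit costs; n = 3,
CU = 5 and tau_R = 0.2 are constructed values the page does not give.
"""
import math


def r_component(t, beta):
    """Component reliability R_k(t) for a Weibull lifetime, shape beta, scale 1."""
    return math.exp(-(t ** beta))


def r_system(t, n, beta):
    """Series-system reliability R_S(t) = prod_k R_k(t)."""
    return r_component(t, beta) ** n


def sum_rs(T, n, beta, start=0, tol=1e-15):
    """Truncated series sum_{i=start}^{+inf} R_S(iT); the terms decay to 0 quickly."""
    total, i = 0.0, start
    while True:
        term = r_system(i * T, n, beta)
        total += term
        if term < tol:
            return total
        i += 1


def expected_cm(T, n, beta):
    """E[CM] of (15): expected number of corrective maintenances, n - sum_k R_k(T)."""
    return n - n * r_component(T, beta)


def system_mean_life(n, beta):
    """E[X] for a series of n Weibull(beta, 1) components (scale n^(-1/beta))."""
    return n ** (-1.0 / beta) * math.gamma(1.0 + 1.0 / beta)


def cost_rate(T, n, beta, p, CI=10.0, CD=100.0, CR=25.0, CU=5.0, tau_r=0.2):
    """O[T] of (17): expected cost per cycle (16) over expected cycle length."""
    s0, s1 = sum_rs(T, n, beta, 0), sum_rs(T, n, beta, 1)
    ecm, ex = expected_cm(T, n, beta), system_mean_life(n, beta)
    num = (CI * s1 + CU * tau_r + CR) * p \
        + ((CI + CD * T) * s0 + (CU * tau_r + CR) * ecm - CD * ex) * (1 - p)
    den = p * (ex + tau_r) + (1 - p) * (T * s0 + tau_r * ecm)
    return num / den


def a_b(T, n, beta, p, CI=10.0, CD=100.0, CR=25.0, CU=5.0, tau_r=0.2):
    """a(T) and b(T) of (19)-(20); the paper writes O[T] = CD + a(T)/b(T)."""
    s0, ecm, ex = sum_rs(T, n, beta, 0), expected_cm(T, n, beta), system_mean_life(n, beta)
    a = CI * s0 + p * (CU * tau_r + CR - CI - CD * tau_r) \
        + (1 - p) * (CU * tau_r + CR - CD * tau_r) * ecm - CD * ex
    b = p * (ex + tau_r) + (1 - p) * (T * s0 + tau_r * ecm)
    return a, b


def optimal_period(n, beta, p, grid=None):
    """T* and O[T*] by exhaustive search over a grid of candidate periods."""
    grid = grid or [0.05 * k for k in range(1, 101)]   # constructed grid 0.05 .. 5.0
    best = min(grid, key=lambda T: cost_rate(T, n, beta, p))
    return best, cost_rate(best, n, beta, p)


if __name__ == "__main__":
    # beta values constructed; p = 0.1, 0.5, 0.9 are the values of the paper's Figure 2
    for beta in (1.5, 2.0, 2.5):
        for p in (0.1, 0.5, 0.9):
            t_star, o_star = optimal_period(3, beta, p)
            print(f"beta={beta:<4} p={p}: T*={t_star:.2f}  O[T*]={o_star:.3f}")
```

For very large T the rate tends to CD, which is the limit the text uses to show that a finite optimum need not exist.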
[Figure 1 plot residue removed: O[T] against T, vertical axis 50 to 400, horizontal axis 1 to 5]
Figure 1. Optimum inspection time and optimum cost when the time to failure is a Weibull distribution.
[Figure 2 plot residue removed: O[T] against T for p = 0.1, p = 0.5 and p = 0.9, vertical axis 50 to 300, horizontal axis 0.5 to 2]
… equal (p = 0.5); this feature is illustrated by Figure 2 for the case of β = 2.5.
The condition defined in equation (21) is indeed a sufficient condition for the existence of a (finite) optimal value T*. However, it is clearly not necessary, as can be demonstrated by the values of Table 1.

4 CONCLUSIONS
This paper developed a model for a maintenance policy supported by periodic inspections, suitable for application to technological series systems of n independent components. The model tolerates the occurrence of both revealed and unrevealed failures, and the inspections are considered perfect and instantaneous. The repair times are admitted as constant values.
A relationship among the involved costs of maintenance, sufficient for the attainment of an optimal inspection period, was developed and analyzed. Work is under way on the possibility of developing a sufficient and necessary condition for the existence of optimal inspection periods. We are extending the herein proposed model to integrate other types of uncertainty inherent to real systems by making use of fuzzy set theory. Moreover, the work presented in this paper can be extended in several directions that would enhance its applicability too, such as k-out-of-n and parallel systems.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
Xuejing Zhao
Université de Technologie de Troyes, TROYES Cedex, France
Lanzhou University, Lanzhou, P. R. China
Laurent Bordes
Laboratoire de Mathématiques Appliquées
Université de Pau et des Pays de l’Adour, PAU Cedex, France
ABSTRACT: This paper discusses the problem of the optimization of a condition based maintenance policy for a stochastic deteriorating system in the presence of covariates. The deterioration is modelled by a non-monotone stochastic process. The process of covariates is assumed to be a finite-state Markov chain. A model similar to the proportional hazards model is used to represent the influence of the covariates. In the framework of a non-monotone system, we derive the optimal maintenance threshold, the optimal inspection period and the optimal delay ratio that minimize the expected average maintenance cost. A comparison of the expected average costs under different conditions of covariates and different maintenance policies is given by the numerical results of a Monte Carlo simulation.
Keywords: condition based maintenance, covariates, Markov chain, proportional hazards model, non-monotone system, maintenance, expected average cost
It is also possible to consider a non-periodic inspection scheme. In Grall et al. (2002) the authors considered 'sequence' inspection/replacement policies where the inspection intervals depend on the information on the system deterioration (a function of the deterioration state). Failure is detected only by inspection and a cost of 'inactivity of the system' per unit time is incurred as soon as failure occurs. In order to deal with aperiodic inspections, they used the long-term expected average cost per unit time, which is based on the semi-regenerative properties of the maintained system condition with respect to the steady-state stationary probability distribution of the maintained system state. Grall et al. (2002) considered a maintenance policy using a multi-level control-limit rule, where failures are detected immediately.
In this paper we study the optimal policy of periodic inspection/replacement for a non-monotone deteriorating system with covariates Zt. The stochastic deteriorating process Dt = D(t|Ft) represents the degradation level of the system given the history of the covariates {Zt}: Ft = σ{Zs : s ≤ t}. Dt is modelled by the difference of two conditionally independent stochastic processes (conditionally on the covariates Zt). We suppose that the covariates Zt ∈ {1, ..., k} form a Markov chain with finite state space which describes a dynamical environment. Following an approach similar to the proportional hazards model proposed by Cox (see Cox (1972), also in Gouno et al. (2004)), the effect of the covariates is modelled by a multiplicative exponential function.
A method similar to the one proposed by Barker and Newby (2008) is used to give the optimal maintenance policy. Suppose that the system is inspected perfectly at the periodic times Π = {τ, 2τ, ...}, that the system states are only known at inspection times, and that maintenance actions are instantaneous. We shall denote by Dkτ the process D(t) at t = kτ. We define a failure threshold L and a maintenance threshold Lp (Lp < L). Suppose that t = (m+1)τ is the first inspection time where D(m+1)τ ≥ Lp; the system is maintained at the time t = (m+R+1)τ if (1) Dmτ < Lp ≤ D(m+r+1)τ < L for r = 0, 1, 2, ..., R, where R, defined as the delay ratio, is a decision variable to be determined, and (2) Dt < L for t ∈ [(m+1)τ, ..., (m+R+1)τ). The system is considered to be failed at time GL = inf{t ∈ R+ : Dt ≥ L} and to be replaced at the first inspection time after its failure. The purpose is to propose an optimal maintenance policy for the considered system in order to minimize the global long-run expected average maintenance cost per time unit. In the framework of the non-monotone system presented previously, we derive the optimal preventive maintenance threshold Lp, the optimal inspection interval τ and the optimal delay ratio R which lead to a minimal expected average cost.
The other particularity of this paper is that we compare three different cases for the global expected average maintenance cost: (1) the optimization when the covariates are defined by a Markov chain; (2) the optimization when the covariates Zn = i (i = 1, 2, 3) are fixed; and (3) the weighted mean of the optimal results for each Z = i (i = 1, 2, 3), weighted by the stationary probabilities of the Markov chain. All results are illustrated by a Monte Carlo study.
The structure of the paper is as follows. We model the degradation process by a stochastic univariate process in Section 2, where the influence of the covariates is modelled by a multiplicative exponential function. In Section 3 we study the maintenance optimization problem when there are two thresholds, a corrective replacement threshold and a preventive replacement threshold. For different maintenance cost units, we find the optimal preventive threshold, the optimal inspection period and the optimal delay ratio. Finally, we compare the expected average maintenance cost per unit time for the three cases mentioned above.

2 STOCHASTIC DETERIORATION PROCESS
In this Section, we consider a single-unit replaceable system in which an item is replaced with a new one, either at failure or at planned replacement. The degradation of the system is represented by a continuous-state univariate stochastic process D(t) with initial degradation level D(0) = 0. In this paper, without loss of generality, we suppose that the deteriorating system has an upward trend of degradation, though not necessarily monotonically increasing.

2.1 Deterioration model without covariates
Suppose that the system is subject to stochastic deterioration. The level of deterioration is represented by a continuous-state univariate stochastic process D(t) with initial degradation level D(0) = 0.
To describe the non-monotonicity of a system, we suppose that the variation of the degradation at t, ΔD(t), is represented by a stochastic process A(t) = X+(t) − X−(t), the difference of two independent stochastic processes, where X+(t) and X−(t) denote respectively the degradation and the improvement of the system. Suppose that the system can be observed at each time unit tk (k = 1, 2, ...), so only the discrete stochastic processes D(tk), X+(tk) and X−(tk) can be observed, denoted respectively by Dk, Xk+ and Xk−. The process Dn (n ≥ 1) is defined as:

$$D_n = \max\bigl(D_{n-1} + X^+_{n-1} - X^-_{n-1},\ 0\bigr), \qquad (1)$$
where Xn+, Xn− are independent random variables with exponential distributions of means μ+_n and μ−_n respectively (without loss of generality, we assume that μ+_n ≥ μ−_n). The distribution function and the density function of the variable Xn+ − Xn− are given by

$$F_n(x) = \frac{\mu^-_n}{\mu^+_n + \mu^-_n}\exp(x/\mu^-_n)\,\mathbf{1}_{(x \le 0)} + \Bigl[1 - \frac{\mu^+_n}{\mu^+_n + \mu^-_n}\exp(-x/\mu^+_n)\Bigr]\mathbf{1}_{(x \ge 0)},$$

$$f_n(x) = \frac{1}{\mu^+_n + \mu^-_n}\Bigl[\exp(x/\mu^-_n)\,\mathbf{1}_{(x \le 0)} + \exp(-x/\mu^+_n)\,\mathbf{1}_{(x \ge 0)}\Bigr].$$

Conditionally on Dk = dk (k = 1, 2, ...), for x > 0, the r.v. Dk+1 has the distribution

$$P(D_{k+1} \le x \mid D_k = d_k) = P(A_k + D_k \le x \mid D_k = d_k) = P(A_k \le x - d_k \mid D_k = d_k) = P(A_k \le x - d_k), \qquad (2)$$

and for x = 0,

$$P(D_{k+1} = 0 \mid D_k = d_k) = P(A_k + D_k \le 0 \mid D_k = d_k) = P(A_k \le -d_k \mid D_k = d_k) = P(A_k \le -d_k) = \frac{\mu^-_k}{\mu^+_k + \mu^-_k}\exp(-d_k/\mu^-_k). \qquad (3)$$

So, conditionally on Dn = dn, the r.v. Dn+1 has a mixture distribution, with density fn(x − dn) on (0, +∞) and a point mass of μ−_n/(μ+_n + μ−_n) exp(−dn/μ−_n) at x = 0.

2.2 Modelling influence of covariates on degradation
We are interested in the influence of covariates on degradation. The covariate process Z = {Z(t), t ≥ 0} is assumed to be a finite-state Markov chain with states {1, 2, ..., K} which describe the states of the environment, such as normal, warning, dangerous, etc. The covariates are available only at the time points tk (k = 0, 1, 2, ...), when we observe the degradation process. Let

$$p_{ij}(k) = P(Z_{k+1} = j \mid Z_k = i) \qquad (4)$$

be the transition probabilities of the process Z. The filtration Ft = σ{Zs : s ≤ t} denotes the history of the covariates.
We assume that the variation of the degradation at time tn only depends on the covariates at time tn. Let the stochastic process D(t|Ft) be the degradation level of the system given Ft. This process is observed at discrete times t = tn (n ∈ N). We shall denote by Dn the observed process at time t = tn, defined as:

$$D_n = \max\bigl(D_{n-1} + X^+_{n-1}(Z_{n-1}) - X^-_{n-1}(Z_{n-1}),\ 0\bigr), \qquad (5)$$

for n ≥ 1, where Xn+(Zn), Xn−(Zn) are conditionally independent random variables (given Zn), with exponential distributions of mean parameters μ+_n(Zn) and μ−_n(Zn) (without loss of generality, we assume that μ+_n(Zn) ≥ μ−_n(Zn)).
The distribution function and the density function of the variation An+1(Zn) = Xn+(Zn) − Xn−(Zn) are given by

$$F_n(x, Z_n) = \frac{\mu^-_n(Z_n)}{\mu^+_n(Z_n) + \mu^-_n(Z_n)}\exp(x/\mu^-_n(Z_n))\,\mathbf{1}_{(x < 0)} + \Bigl[1 - \frac{\mu^+_n(Z_n)}{\mu^+_n(Z_n) + \mu^-_n(Z_n)}\exp(-x/\mu^+_n(Z_n))\Bigr]\mathbf{1}_{(x \ge 0)},$$

$$f_n(x, Z_n) = \frac{\exp(x/\mu^-_n(Z_n))}{\mu^+_n(Z_n) + \mu^-_n(Z_n)}\,\mathbf{1}_{(x < 0)} + \frac{\exp(-x/\mu^+_n(Z_n))}{\mu^+_n(Z_n) + \mu^-_n(Z_n)}\,\mathbf{1}_{(x \ge 0)}.$$

So the distribution of Dn = Σ_{k=1}^{n} ΔDk can be derived using the method of convolution and the total probability formula.
To describe precisely the influence of the covariates Zn = zn on An, similarly to the proportional hazards model proposed by Cox (1972), we suppose that the parameters μ+_n and μ−_n depend on zn as follows:

$$\mu^+_n(Z_n) = \mu^+_n \Psi(Z_n) = \mu^+_n \exp\bigl(\beta^+_1 \mathbf{1}_{(Z_n = 1)} + \cdots + \beta^+_K \mathbf{1}_{(Z_n = K)}\bigr) = \mu^+_n \exp(\beta^+_{Z_n}), \qquad (6)$$

$$\mu^-_n(Z_n) = \mu^-_n \Psi(Z_n) = \mu^-_n \exp\bigl(\beta^-_1 \mathbf{1}_{(Z_n = 1)} + \cdots + \beta^-_K \mathbf{1}_{(Z_n = K)}\bigr) = \mu^-_n \exp(\beta^-_{Z_n}), \qquad (7)$$
where μ+_n (μ−_n) denotes the degradation rate (improvement rate) of the system when no covariates are considered, and β+ = (β+_1, β+_2, ..., β+_K) and β− = (β−_1, β−_2, ..., β−_K); from (6) and (7), these parameters allow us to account for the influence of the covariates on the degradation rate.
Considering the symmetrical property of the βi, without loss of generality, in what follows we assume that β+_1 ≤ β+_2 ≤ ... ≤ β+_K and β−_1 ≤ β−_2 ≤ ... ≤ β−_K.

Example 2.1: An example of the degradation over 100 days (inspected every 5 days) is given in Figure 1, where Zn is a 3-state Markov chain with transition matrix

$$P = \begin{pmatrix} 0.95 & 0.05 & 0.00 \\ 0.02 & 0.95 & 0.03 \\ 0.00 & 0.05 & 0.95 \end{pmatrix},$$

initial state Z0 = 1, β+ = (0.2, 0.5, 1) and β− = (0.1, 0.1, 0.1), and the baseline mean parameters μ+_n = 0.5 and μ−_n = 0.3. Notice that the stationary distribution is Π = (π1, π2, π3) = (0.3, 0.5, 0.2).
[Figure 1 plot residue removed: panel (b), covariate process over days 0 to 100]
Figure 1. An example of a non-maintained deteriorating system (a) and covariate process (b).

and

$$\lim_{n \to \infty} \pi_i^{n} = \pi_i, \qquad (8)$$

where πi is the stationary distribution of the Markov chain. Furthermore, we shall denote by ΔDn(Z) and ΔDn(π) respectively the increments of the degradation with a covariate process Z that is a general Markov chain starting at Z1 = 1, and with a steady-state Markov chain with stationary distribution π.
Let us recall that the covariates form a steady-state Markov chain. Each replacement makes the system restart from its initial state (D0 = 0) and the covariates Zn follow their trajectory. Let us denote by τn the instant of replacement. Hence (Dt)(t≥0) and (Dt+τn)(t≥0) have the same distribution. So the trajectory of the degradation does not depend on the history before the replacement, hence the deterioration process is a renewal process.

3.1 Maintenance decision
Suppose that the system starts at D0 = 0 and is inspected perfectly at the periodic times Π = {τ, 2τ, ...}. The states are only known at inspection times and maintenance actions are instantaneous. We define a failure threshold L and a preventive maintenance threshold Lp (Lp < L).
• The system is considered to be failed and correctively replaced at the first hitting time

$$G_L = \inf\{t \in \mathbb{R}^+ : D_t \ge L \mid D_0 = 0\}. \qquad (9)$$

• The degradation of the system may recover back to the critical level or below the critical level after exceeding it (see Fig. 1). So the system can still be used for a period of time, especially when the critical level is the preventive threshold. In practice, it is useful to consider this information because it can reduce the maintenance cost. So the preventive maintenance decision is based on the last hitting time

$$H_{L_p} = \sup\{t \in \mathbb{R}^+ : D_t < L_p \mid D_0 = 0\}. \qquad (10)$$

Since the last hitting time is not a stopping time, an alternative way to deal with this problem has to be found. In Barker and Newby (2008), for a multi-component system described by a Bessel process with drift, the maintenance decision is based on the probability that the system never recovers; in other words, they use the probability that the last up-crossing occurs between the current time and the next scheduled inspection. We deal with the problem as follows: considering the increasing tendency of the system degradation and the probability of recovery, at the time t when the degradation exceeds the preventive threshold, we take no maintenance action and we continue to inspect for a period of time, say Rτ time units, where R is defined as the delay ratio, a decision variable to be determined.
At each inspection time tk = kτ when Dkτ < Lp, one of three exclusive events occurs:
(E1) Dt ≥ L (for some t ∈ [kτ, (k+R+1)τ]), which is equivalent to

$$\bigcup_{s=1}^{R+1}\{(k+s-1)\tau < G_L \le (k+s)\tau\} \equiv \bigcup_{s=1}^{R+1} E_{1s},$$

where E1s means that the system fails at time t ∈ ((k+s−1)τ, (k+s)τ]. In this case, a corrective … and the system returns to the initial state 0. The maintenance cost includes the corrective replacement cost CF and the cumulated unavailability cost Cd × d, where d = T − t is the cumulated unavailability time.
… [0, Lp) after an interval of time less than Rτ time units. We define I = max{s ∈ {1, ..., R+1} : D(k+s)τ < Lp, Dt < L, t ∈ [kτ, (k+s)τ]}; then event E3 is equal to

$$\bigcup_{s=1}^{R}\{I = s\} \equiv \bigcup_{s=1}^{R} E_{3s}.$$

In this case, no maintenance action takes place and the decision is deferred to (k+s)τ. The only cost incurred in the interval [kτ, (k+s)τ] is the inspection cost s × Ci.
An example of the maintained system is given in Figure 2, where the preventive threshold is Lp = 20, the corrective threshold is L = 30, the system is inspected every 5 days with delay ratio R = 3, and the other parameters are the same as in Example 2.1.
The total maintenance cost in [0, t] is:

$$C(t) = C_i N_i(t) + C_p N_p(t) + C_F N_F(t) + C_d\, d(t),$$

where Ni(t) (resp. Np(t), NF(t)) is the number of inspections (of preventive replacements, of corrective replacements) up to time t. The expected average cost is:

$$EC_\infty = \lim_{t \to \infty} \frac{E(C(t))}{t}. \qquad (11)$$

When the stochastic process (D, Z) forms a regenerative process, we can calculate the expected cost per time unit as (Rausand and Høyland (2004))

$$EC_\infty(Z) = \frac{E(v(Z))}{E(l(Z))}, \qquad (12)$$

[Figure 2 plot residue removed: panel (a), degradation from 0 to 35 over days 0 to 350; panel (b), covariates]
where E(v(Z)) and E(l(Z)) are respectively the expected cost and the expected length of a renewal cycle. Considering the three exclusive events E1 to E3 above, and denoting by Vk (resp. Lk) the total cost (resp. the total length) from inspection time Tk to the time when the system is replaced, since the total cost Vk (the total length Lk) is the combination of the cost (the length) in a time interval [Tk, Tk+s) and the total cost (the length) after Tk+s (s = 1, 2, ..., R+1), we calculate the total maintenance cost and the length of a renewal cycle by the following iterative method:

$$V_k = \sum_{s=1}^{R+1}\bigl(C_F + C_i s + C_d \times ((k+s)\tau - G_L)\bigr)\mathbf{1}_{(E_{1s})} + (C_p + R C_i)\times\mathbf{1}_{(E_2)} + \sum_{s=1}^{R+1}(C_i s + V_{k+s})\,\mathbf{1}_{(E_{3s})},$$

$$L_k = (R\tau)\,\mathbf{1}_{(E_2)} + \sum_{s=1}^{R+1} s\tau\,\mathbf{1}_{(E_{1s})} + \sum_{s=1}^{R+1}(s\tau + L_{k+s})\times\mathbf{1}_{(E_{3s})},$$

and the expectations will be

$$E(V_k) = \sum_{s=1}^{R+1}\Bigl(C_F P(E_{1s}) + E\bigl((C_i s + C_d \times ((k+s)\tau - G_L))\,\mathbf{1}_{(E_{1s})}\bigr)\Bigr) + (C_p + R C_i)\times P(E_2) + \sum_{s=1}^{R+1} E\bigl((C_i s + V_{k+s})\times\mathbf{1}_{(E_{3s})}\bigr),$$

$$E(L_k) = (R\tau)\,P(E_2) + \sum_{s=1}^{R+1} E\bigl(s\tau\,\mathbf{1}_{(E_{1s})}\bigr) + \sum_{s=1}^{R+1} E\bigl((s\tau + L_{k+s})\times\mathbf{1}_{(E_{3s})}\bigr).$$

3.2 Numerical simulation
In this section we give some numerical simulations of our model; the deteriorating system is the same as in Example 2.1. We consider four different cases of unit maintenance cost:
• Case I (Normal cost): Ci = 10, Cp = 60, CF = 100, Cd = 250;
• Case II (Expensive PR): Ci = 10, Cp = 100, CF = 100, Cd = 250;
• Case III (Expensive inspection): Ci = 100, Cp = 60, CF = 100, Cd = 250;
• Case IV (Inexpensive unavailability): Ci = 10, Cp = 60, CF = 100, Cd = 100.
For each case of maintenance cost, we compare the following three quantities:
• the optimal maintenance cost when the Zn form a general Markov chain;
• the optimal maintenance cost when the Zn are fixed to Z = i (i = 1, 2, 3) respectively;
• the weighted mean of the optimum cost for Z = i (i = 1, 2, 3), weighted by the steady-state probabilities:

$$EC^*_\infty = \sum_{k=1}^{3} EC_\infty(k)\,\pi_k. \qquad (14)$$

1. The optimal maintenance for the three parameters: preventive threshold Lp, inspection period τ and delay ratio R
A numerical optimization was used to give the optimal values of the decision variables, Lp* = 16, τ* = 12, R* = 0, for a deteriorating system with the same system parameters as depicted in Example 2.1 when Ci = 10, Cp = 60, CF = 100, Cd = 250. These optimal values lead to the optimal expected average cost EC*∞ = 2.8650. Figure 3 gives the iso-level curves of EC∞ as a function of (Lp, τ) when R takes its optimal value R* = 0.
[Figure 3 plot residue removed: τ (10 to 40) against Lp (5 to 30)]
Figure 3. Iso-level curves of expected average maintenance cost as a function of (Lp, τ).
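The policy of Section 3.1 and the regenerative estimate (11)-(12), as an added Python example that is not the authors' code: it simulates the daily model (5)-(7) with the Example 2.1 chain and the Lp = 20, L = 30, τ = 5, R = 3, Case I settings, classifies each decision window into E1, E2 or E3, and estimates EC∞ as total cost over total cycle length. Assumed here, since the page does not state them: one degradation step and one covariate transition per day, the chain keeps running across replacements, and a cycle is measured by its calendar length up to the replacement instant.

```python
"""Monte Carlo estimate of the expected average cost EC_inf of (11)-(12) for the
periodic inspection/replacement policy of Section 3.1, on the non-monotone
deterioration model with covariates of (5)-(7).

Added example, not the authors' code.  Parameters are those of Example 2.1, the
maintained example of Section 3.1 (Lp = 20, L = 30, tau = 5, R = 3) and the
Case I unit costs.  Assumed here, not stated on the page: one degradation step
and one covariate transition per day, the covariate chain keeps running across
replacements, and a renewal cycle is measured by its calendar length from
D0 = 0 to the replacement instant.
"""
import math
import random

# Example 2.1: 3-state covariate chain, effect coefficients and baseline rates
P = [[0.95, 0.05, 0.00],
     [0.02, 0.95, 0.03],
     [0.00, 0.05, 0.95]]
BETA_PLUS, BETA_MINUS = (0.2, 0.5, 1.0), (0.1, 0.1, 0.1)
MU_PLUS, MU_MINUS = 0.5, 0.3
# Section 3.1 example: thresholds, inspection period, delay ratio; Case I costs
LP, L, TAU, R = 20.0, 30.0, 5, 3
CI, CP, CF, CD = 10.0, 60.0, 100.0, 250.0


def mean_rates(z):
    """mu+_n(Z), mu-_n(Z) of (6)-(7): baseline rate times exp(beta_Z), z in {1, 2, 3}."""
    return MU_PLUS * math.exp(BETA_PLUS[z - 1]), MU_MINUS * math.exp(BETA_MINUS[z - 1])


def mass_at_zero(d, z):
    """P(D_{k+1} = 0 | D_k = d) of equation (3), with the covariate-adjusted rates."""
    mp, mm = mean_rates(z)
    return mm / (mp + mm) * math.exp(-d / mm)


def stationary_distribution(p, iters=10_000):
    """Stationary law of a finite Markov chain by power iteration on the rows of p."""
    pi = [1.0 / len(p)] * len(p)
    for _ in range(iters):
        pi = [sum(pi[i] * p[i][j] for i in range(len(p))) for j in range(len(p))]
    return pi


def classify(path, k, lp=LP, l=L, tau=TAU, r=R):
    """Decision window after inspection k (D_{k tau} < Lp), events of Section 3.1.
    path[t] is the degradation level on day t.  Returns ('E1', s): failure
    detected at inspection (k+s)tau; ('E3', I): back below Lp, decision resumes
    at (k+I)tau; ('E2', r+1): Lp <= D < L at all R+1 inspections, so a
    preventive replacement takes place."""
    for s in range(1, r + 2):
        lo, hi = (k + s - 1) * tau, (k + s) * tau
        if any(path[t] >= l for t in range(lo + 1, hi + 1)):
            return "E1", s
    below = [s for s in range(1, r + 2) if path[(k + s) * tau] < lp]
    if below:
        return "E3", max(below)
    return "E2", r + 1


def simulate_cycle(rng, z):
    """One renewal cycle from D0 = 0.  Returns (cost, length in days, final Z)."""
    path, k, cost = [0.0], 0, 0.0
    while True:
        # extend the daily path of (5) far enough to cover the next decision window
        while len(path) <= (k + R + 1) * TAU:
            mp, mm = mean_rates(z)
            step = rng.expovariate(1 / mp) - rng.expovariate(1 / mm)
            path.append(max(path[-1] + step, 0.0))
            z = rng.choices((1, 2, 3), weights=P[z - 1])[0]
        event, s = classify(path, k)
        if event == "E3":                  # only s inspections were paid for
            cost, k = cost + CI * s, k + s
            continue
        end = (k + s) * TAU
        if event == "E1":                  # corrective replacement at (k+s)tau
            g_l = next(t for t in range(k * TAU + 1, end + 1) if path[t] >= L)
            cost += CF + CI * s + CD * (end - g_l)   # unavailability d = end - G_L
        else:                              # preventive replacement, Cp + R*Ci as in the V_k recursion
            cost += CP + R * CI
        return cost, end, z


def expected_average_cost(cycles=2000, seed=1):
    """Regenerative estimate of EC_inf: total cost over total time across cycles."""
    rng, z = random.Random(seed), 1         # Z starts in state 1 as in Example 2.1
    total_cost = total_time = 0.0
    for _ in range(cycles):
        c, t, z = simulate_cycle(rng, z)
        total_cost, total_time = total_cost + c, total_time + t
    return total_cost / total_time


if __name__ == "__main__":
    print("stationary law of Z:", [round(x, 3) for x in stationary_distribution(P)])
    print("EC_inf estimate, Case I:", round(expected_average_cost(), 4))
```

Changing LP, TAU and R and re-running gives the kind of cost surface the paper's Figure 3 and Figure 5 report, at Monte Carlo precision.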
Table 1. The optimal preventive threshold, the optimal inspection period and the expected average maintenance cost with periodical inspection.
Z = 1   (14, 33, 0, 1.2658)   (16, 27, 0, 1.8097)
Z = 2   (12, 21, 0, 2.1614)   (16, 18, 0, 3.0943)
[Plot residue removed: two panels, (a) and (b), of expected average cost against a decision variable, with curves Case1 to Case4 (likely the Figure 5 panels discussed in the text); surviving caption fragment: "… 0.2, β2 = 0.5."]
Results in Table 1 summarize the results of an optimization for a deteriorating system with different maintenance costs.
In all cases of different unit maintenance cost
The expected average maintenance cost for the system with a Markov chain is always greater than the weighted mean (C̄ in Table 1) of the optimal cost for the three static cases, since with the Markov chain we have less information on the degradation of the system. As a consequence, the weighted mean of the optimal cost also gives a lower bound on the maintenance cost for the deteriorating system.
2. Comparison of the optimal expected average maintenance cost for different unit maintenance costs
The influence of each decision variable on the expected average maintenance cost function is given in Figure 5. The influence is given by the curves of the expected average cost as functions of R, τ and Lp respectively. All results show that, whatever the choice of Lp, R and τ, the expected average maintenance cost for an expensive inspection (case III) is always the highest, and for inexpensive unavailability (case IV) it is always the lowest.
For fixed τ = 12, R = 0, Figure 5(a) shows that for a relatively small preventive threshold, the preventive replacement cost Cp determines the optimal maintenance cost (with only a weak dependence on the cost of unavailability, as indicated by EC∞(Case I) ≈ EC∞(Case IV)), so it can be seen that the suitable maintenance policy is mainly preventive replacement, whereas a corrective replacement takes place for a larger preventive threshold (this results in more failures, with the cost Cd, as indicated by EC∞(Case I) ≈ EC∞(Case III) in Figure 5(a)).
For fixed Lp = 16, R = 0, Figure 5(b) shows that for a smaller inter-inspection time, such that no maintenance cost is paid for unavailability, the maintenance policy is mainly preventive replacement (EC∞(Case I) ≈ EC∞(Case IV)); however, a corrective replacement action will take place for a larger inter-inspection time.
The optimal maintenance cost increases as R increases when Lp = 16 and τ = 12 are fixed, as Figure 5(c) shows.

4 CONCLUSION
In this paper we deal with a non-monotone deteriorating system with covariates; we use a method similar to the proportional hazards model to account for the influence of dynamical covariates, defined by a 3-state Markov chain.
The expected average cost is calculated, and optimum periodic inspection/replacement policies are derived for different maintenance costs per unit, as a function of the preventive level Lp, the inspection interval τ and the delay ratio R. The results show that:
1. The optimal average cost is an increasing function of the parameters β.
2. The optimal inspection interval includes the information on R, so in order to optimize the average cost we can consider only the parameters (Lp, τ).
3. The expected average maintenance cost for the system with a covariate Markov chain is always greater than the weighted mean of the optimal cost for the three static cases.

REFERENCES
Bagdonavičius, V. and Nikulin, M. 2000. Estimation in degradation models with explanatory variables. Lifetime Data Analysis 7(1): 85–103.
Barker, C.T. and Newby, M. 2008. Optimal non-periodic inspection for multivariate degradation model. Reliability Engineering and System Safety (In press).
Bérenguer, C., Grall, A., Dieulle, L. and Roussignol, M. 2003. Maintenance policy for a continuously monitored deteriorating system. Probability in the Engineering and Informational Sciences 17(2): 235–250.
Cox, D.R. 1972. Regression models and life-tables. Journal of the Royal Statistical Society, Series B 34(2): 187–220.
Dieulle, L., Bérenguer, C., Grall, A. and Roussignol, M. 2006. Asymptotic failure rate of a continuously monitored system. Reliability Engineering and System Safety 91(2): 126–130.
Gouno, E., Sen, A. and Balakrishnan, N. 2004. Optimal step-stress test under progressive type-I censoring. IEEE Transactions on Reliability 53(3): 388–393.
Grall, A., Bérenguer, C. and Dieulle, L. 2002. A condition-based maintenance policy for stochastically deteriorating systems. Reliability Engineering and System Safety 76(2): 167–180.
Grall, A., Dieulle, L., Bérenguer, C. and Roussignol, M. 2002. Continuous-time predictive-maintenance scheduling for a deteriorating system. IEEE Transactions on Reliability 51(2): 141–150.
Jia, X. and Christer, A.H. 2002. A prototype cost model of functional check decisions in reliability-centred maintenance. Journal of Operational Research Society 53(12): 1380–1384.
Kharoufeh, J.P. and Cox, S.M. 2005. Stochastic models for degradation-based reliability. IIE Transactions 37(6): 533–542.
Kong, M.B. and Park, K.S. 1997. Optimal replacement of an item subject to cumulative damage under periodic inspections. Microelectronics Reliability 37(3): 467–472.
Lawless, J. and Crowder, M. 2004. Covariates and random effects in a gamma process model with application to degradation and failure. Lifetime Data Analysis 10(3): 213–227.
Makis, V. and Jardine, A. 1992. Optimal replacement in the proportional hazards model. INFOR 30: 172–183.
Newby, M. 1994. Perspective on Weibull proportional hazards model. IEEE Transactions on Reliability 43(2): 217–223.
Newby, M. and Dagg, R. 2003. Optimal inspection and maintenance for stochastically deteriorating systems II: discounted cost criterion. Journal of Indian Statistical Association 41(1): 9–27.
Newby, M.J. and Barker, C.T. 2006. A bivariate process model for maintenance and inspection planning. International Journal of Pressure Vessels and Piping 83(4): 270–275.
Park, K.S. 1988. Optimal continuous-wear limit replacement under periodic inspections. IEEE Transactions on Reliability 37(1): 97–102.
Rausand, M. and Høyland, A. 2004. System Reliability Theory: Models, Statistical Methods, and Applications (2 ed.). New Jersey: John Wiley & Sons Inc.
Singpurwalla, N.D. 1995. Survival in dynamic environments. Statistical Science 1(10): 86–103.
van Noortwijk, J.M. 2008. A survey of the application of gamma processes in maintenance. Reliability Engineering and System Safety (In press).
Wang, H. 2002. A survey of maintenance policies of deteriorating systems. European Journal of Operational Research 139(3): 469–489.
Sophie Mercier
Université Paris-Est, Laboratoire d’Analyse et de Mathématiques Appliquées, (CNRS UMR 5050), Champs
sur Marne, Marne-la-Vallée, France
ABSTRACT: Identical components are considered, which become obsolete once new-type ones are available that are more reliable and less energy consuming. We envision different possible replacement strategies for the old-type components by the new-type ones: purely preventive, purely corrective and different mixtures of both types of strategies. To evaluate the respective value of each possible strategy, a cost function is considered, which takes into account replacement costs, with economic dependence between simultaneous replacements, and an energy consumption (and/or production) cost, with a constant rate per unit time. A full analytical expression is provided for the cost function induced by each possible replacement strategy. The optimal strategy is derived in the long-time run. Numerical experiments close the paper.
evaluated by MC simulations. Here again, the length of the MC simulations, added to the complexity of the model, does not allow the optimal replacement strategy to be provided according to the data of the model.
The point of the present paper hence is to answer the following questions: is the dichotomy proved in case of constant failure rates still valid in case of general failure rates? If not (and it will not), what are the possible optimal strategies? Finally, how can we find the optimal strategy?
This paper is organized as follows: the model is specified in Section 2. Section 3 presents the theoretical results both for a finite and an infinite time horizon. Numerical experiments are led in Section 4. Concluding remarks end the paper in Section 5.
This paper presents the results from (Mercier 2008), with different numerical experiments however. Due to the reduced size of the present paper, no proofs are provided here; they may be found in the quoted paper.

2 THE MODEL

We consider n identical and independent components (n ≥ 2), called old-type components in the following. At time 0, such old-type components are up, in activity. For each i = 1, . . . , n, the residual life-time for the i-th component is assumed to be some absolutely continuous random variable (r.v.) Ui, where the Ui's are not necessarily all identically distributed. The i-th (old-type) component is assumed to fail at time Ui. The successive times to failure of the n old-type components are the order statistics of (U1, . . . , Un). They are denoted by (U1:n, . . . , Un:n), where U1:n < · · · < Un:n almost everywhere (a.e.).
All preventive and corrective replacements (by new-type components) are instantaneous. The following replacement strategies are envisioned:
• strategy 0: the n old-type components are immediately replaced by n new-type ones at time 0. This is a purely preventive strategy. After time 0, there are exactly n new-type components and no old-type component any more,
• strategy 1: no replacement is performed before the first failure, which occurs at time U1:n. At time U1:n, the failed component is correctively replaced and the n − 1 non-failed old-type components are simultaneously preventively replaced. This hence is a nearly pure preventive strategy. Before time U1:n, there are exactly n old-type components. After time U1:n, there are exactly n new-type components,
• strategy K (1 ≤ K ≤ n): no preventive replacement is performed before the K-th failure, which occurs at time UK:n. This means that only corrective replacements are performed up to time UK:n (at times U1:n, . . . , UK−1:n). At time UK:n, the failed component is correctively replaced and the n − K non-failed old-type components are simultaneously preventively replaced. Before time U1:n, there are exactly n old-type components. After time UK:n, there are exactly n new-type components. For K ≥ 2, between times Ui:n and Ui+1:n (1 ≤ i ≤ K − 1), there are i new-type components and n − i old-type ones (see Figure 1),
• strategy n: no preventive replacement is performed at all. Before time U1:n, there are exactly n old-type components. Between times Ui:n and Ui+1:n (1 ≤ i ≤ n − 1), there are i new-type components and n − i old-type ones. After time Un:n, there are exactly n new-type components.

Figure 1. Corrective and preventive replacements. [Time axis 0, U1:n, U2:n, . . . , Ui:n, Ui+1:n, . . . , UK−1:n, UK:n, t. Failures of old components lead to corrective replacements by new ones; afterwards, corrective replacements concern new components.]

Once a new-type component is put into activity at time 0 or at time say Ui:n, it is next instantaneously replaced at failure by another new-type component. The successive life-times of such components are assumed to form a renewal process with eventual delay Ui:n; the i.i.d. inter-arrival times are distributed as some non-negative r.v. V with P(0 ≤ V < ∞) = 1 and P(V > 0) > 0. The renewal function associated to the non-delayed process is then finite on R+. Let E stand for the expectation with respect to the probability measure P on (Ω, 𝒜) and, for A ∈ 𝒜, let 1A be the indicator function with 1A(ω) = 1 if ω ∈ A and 1A(ω) = 0 if ω ∈ Ω\A. The renewal function is then denoted by ρV with:

\rho_V(t) = E\Big[\sum_{k \in \mathbb{N}^*} 1_{\{V^{(1)} + \cdots + V^{(k)} \le t\}}\Big]

for t ≥ 0, where V(1), . . . , V(k), . . . are the successive inter-arrival times. We recall that ρV(t) corresponds to the mean number of renewals on [0, t] of the non-delayed process.
The envisioned cost function represents the mean total cost on some time interval [0, t]. It is denoted by CK([0, t]) when strategy K is used. Two types of costs are considered:
• replacement costs, with economic dependence in case of simultaneous replacements: each solicitation of the repair team is assumed to entail a fixed
cost r (r ≥ 0). Each corrective and preventive replacement involves a supplementary cost, respectively cf and cp, to be added to r (0 < cp ≤ cf). For instance, the cost for the preventive replacement of i units (0 ≤ i ≤ n − 1) which comes along with the corrective replacement of one unit is r + cf + icp.
• energy and/or production cost, with a constant rate per unit time (eventually negative, in case of a production rate higher than the energy cost rate). The rates for an old-type and a new-type unit respectively are η + ν and η, with ν ≥ 0, η ∈ R (the cost rate is higher for an older unit). The ‘‘energy/production’’ cost for j new-type units and k old-type units on some time interval [t1, t2] is (jη + k(η + ν))(t2 − t1), where 0 ≤ t1 ≤ t2 and j + k = n.
All components, both new-type and old-type, are assumed to be independent of each other.
In all the paper, if X is a non-negative random variable (r.v.), its cumulative distribution function (c.d.f.) is denoted by FX, its survival function by F̄X with F̄X = 1 − FX and its eventual probability density function (p.d.f.) by fX. For t ∈ R+, we also set X^t = min(X, t), and x+ = max(x, 0) for any real x. Finally, we shall use the following notations:

a = \frac{r + c_f}{c_p} \ge 1, \qquad b = \frac{\nu}{c_p} \ge 0

3 THEORETICAL RESULTS

3.1 Cost functions on [0, t]

We first give our results for a finite mission time t. For strategy K (1 ≤ K ≤ n), the mean total cost on [0, t] is

C_K([0,t]) = \sum_{i=1}^{K} \Big[(r + c_f)\Big(F_{U_{i:n}}(t) + E\big(\rho_V((t - U_{i:n})^+)\big)\Big) + \nu\, E\big(U_{i:n}^t\big)\Big] + (n-K)\Big[(r + c_f)\, E\big(\rho_V((t - U_{K:n})^+)\big) + c_p\, F_{U_{K:n}}(t) + \nu\, E\big(U_{K:n}^t\big)\Big] + n\eta t

(for strategy 0, the n preventive replacements at time 0 form a single solicitation of the repair team, so that C_0([0,t]) = r + n(r + c_f)\rho_V(t) + n c_p + n\eta t). Setting

g_K(t) := \frac{1}{c_p}\big(C_{K+1}([0,t]) - C_K([0,t])\big) \qquad (1)

for all 0 ≤ K ≤ n − 1, we easily derive the following corollary.

Corollary 2 Let t ≥ 0. For K = 0, we have:

g_0(t) = (a-1)\, F_{U_{1:n}}(t) - \frac{r}{c_p} + n\Big[b\, E\big(U_{1:n}^t\big) - \bar F_{U_{1:n}}(t) - a\, E\big(\rho_V(t) - \rho_V((t - U_{1:n})^+)\big)\Big]

and, for 1 ≤ K ≤ n − 1, we have:

g_K(t) = (a-1)\, F_{U_{K+1:n}}(t) + (n-K)\Big[b\, E\big(U_{K+1:n}^t - U_{K:n}^t\big) - \big(F_{U_{K:n}}(t) - F_{U_{K+1:n}}(t)\big) - a\, E\big(\rho_V((t - U_{K:n})^+) - \rho_V((t - U_{K+1:n})^+)\big)\Big]

In order to find the optimal strategy according to the mission time t and to the data of the model, as in the case of constant failure rates (see (Mercier and Labeau 2004)), the point should now be to find out the sign of gK(t) for 0 ≤ K ≤ n − 1. This actually seems to be impossible in the most general case. However, we are able to give some results in the long-time run, which is done in the next subsection.

3.2 Comparison between strategies 0, 1, . . . , n in long-time run

We first compute the limit of gK(t) when t → +∞:

g_K(\infty) = a - 1 + \Big(b - \frac{a}{E(V)}\Big)(n-K)\, E\big(U_{K+1:n} - U_{K:n}\big) \qquad (1 \le K \le n-1),

g_0(\infty) = \frac{c_f}{c_p} - 1 + \Big(b - \frac{a}{E(V)}\Big)\, n\, E\big(U_{1:n} - U_{0:n}\big),

where we set U0:n := 0.
A first consequence is that, if b − a/E(V) ≥ 0 or, alternatively, ν ≥ (r + cf)/E(V), we then have gK(∞) ≥ 0 for all 0 ≤ K ≤ n − 1 (we recall that a ≥ 1 and cf ≥ cp). Consequently, if ν ≥ (r + cf)/E(V), the best strategy among 0, . . . , n in the long-time run is strategy 0. Such a result conforms to intuition: indeed, let us recall that ν stands for the additional energy consumption rate for the old-type units compared to the new-type ones; also, observe that (r + cf)/E(V) is the cost rate per unit time for replacements due to failures among new-type components in the long-time run. Then, the result means that if replacements of new-type components due to failures are less costly per unit time than the benefit due to a lower consumption rate, it is better to replace old-type components by new-type ones as soon as possible.
Now, we have to look at the case b − a/E(V) < 0 and, for that, we have to know something about the monotony of

D_K := (n - K)\,(U_{K+1:n} - U_{K:n})

with respect to K, where DK is the K-th normalized spacing of the order statistics (U1:n, . . . , Un:n), see e.g. (Barlow and Proschan 1966) or (Ebrahimi and Spizzichino 1997). With that aim, we have to put some assumption on the distributions of the residual life times of the old-type components at time t = 0 (Ui for 1 ≤ i ≤ n): following (Barlow and Proschan 1966), we assume that U1, . . . , Un are i.i.d. IFR (Increasing Failure Rate), which implies that (DK)0≤K≤n−1 is stochastically decreasing. A first way to meet this assumption is to assume that all old-type components have been put into activity simultaneously (before time 0), so that the residual life times are i.i.d. (moreover assumed IFR). Another possibility is to assume that all units have already been replaced a large number of times. Assuming such replacement times for the i-th unit to make a renewal process with inter-arrival times distributed as some U(0) (independent of i), the residual life at time 0 for the i-th unit may then be considered as the waiting time until the next arrival for a stationary renewal process with inter-arrivals distributed as U(0). Such a waiting time is known to admit as p.d.f. the function fU(t) such that:

f_U(t) = \frac{\bar F_{U^{(0)}}(t)}{E\big(U^{(0)}\big)}\, 1_{\mathbb{R}_+}(t), \qquad (2)

assuming 0 < E(U(0)) < +∞. Also, it is proved in (Mercier 2008) that if U(0) is IFR, then U is IFR too. The r.v. U1, . . . , Un then are i.i.d. IFR, consequently meeting the required assumptions from (Barlow and Proschan 1966).
We are now ready to state our main result:

Theorem 4 If b − a/E(V) ≥ 0, the optimal strategy among 0, . . . , n in the long-time run is strategy 0.
In case b − a/E(V) < 0, assume that U1, . . . , Un are i.i.d. IFR r.v. (which may be realized through assuming that Ui stands for the waiting time till the next arrival for a stationary renewal process with inter-arrival time distributed as U(0), where U(0) is a non-negative IFR r.v. with 0 < E(U(0)) < +∞). Assume too that the Ui's are not exponentially distributed. The sequence (E(DK))0≤K≤n−1 is then strictly decreasing, and, setting

c := \frac{a - 1}{\frac{a}{E(V)} - b} \quad \text{and} \quad d := \frac{\frac{c_f}{c_p} - 1}{\frac{a}{E(V)} - b} \le c,

one of the following cases occurs:
• if c ≤ E(Dn−1): the optimal strategy among 0, . . . , n in the long-time run is strategy n,
• if c > E(D1):
  – if d > E(D0): the optimal strategy among 0, . . . , n in the long-time run is strategy 0,
  – if d ≤ E(D0): the optimal strategy among 0, . . . , n in the long-time run is strategy 1,
• if E(DK0) < c ≤ E(DK0−1) for some 2 ≤ K0 ≤ n − 1: the optimal strategy among 0, . . . , n in the long-time run is strategy K0.

In (Mercier and Labeau 2004), we had proved the following ‘‘dichotomy’’ property: in case of constant failure rates, only purely preventive (0), nearly pure preventive (1) or purely corrective (n) strategies can be optimal for finite horizon. We now know from the last point of Theorem 4 that such a property is not valid any more in case of general failure rates, at least for infinite horizon and consequently for large t. We now look at some numerical experiments to check the validity of the dichotomy property in case of small t.

4 NUMERICAL EXPERIMENTS

We here assume that the Ui's are i.i.d. IFR random variables with known distribution. Examples are provided in (Mercier 2008) for the case where the data is the distribution of some U(0) and the common p.d.f. fU of the Ui is given by (2) (see Theorem 4). All the computations are made with Matlab.
All Ui's and Vi's are Weibull distributed according to W(αU, βU) and W(αV, βV), respectively (all independent), with survival functions:

\bar F_U(x) = e^{-\alpha_U x^{\beta_U}} \quad \text{and} \quad \bar F_V(x) = e^{-\alpha_V x^{\beta_V}}

for all x ≥ 0.
We take:

\alpha_U = 1/10^3; \qquad \alpha_V = 1/(2.25 \times 10^3) \qquad (3)

\beta_U = \beta_V = 2.8 > 1 \qquad (4)

(the Ui's are IFR), which leads to E(U) ≃ 10.5, σ(U) ≃ 4.1, E(V) ≃ 14, σ(V) ≃ 5.4.
We also take:

n = 10; \quad \eta = 0; \quad \nu = 0.06; \quad c_p = 1; \quad c_f = 1.1; \quad r = 0 \qquad (5)

We compute FUK:n using:

F_{U_{K:n}}(x) = \frac{n!}{(K-1)!\,(n-K)!} \int_0^{F_U(x)} t^{K-1}(1-t)^{n-K}\,dt = I_{F_U(x)}(K,\, n-K+1)

for 1 ≤ K ≤ n, where Ix(n1, n2) is the incomplete Beta function (implemented in Matlab); see e.g. (Arnold, Balakrishnan, and Nagaraja 1992) for the results about order statistics used in this section.
We also use:

\bar F_{U_{K+1:n}}(t) - \bar F_{U_{K:n}}(t) = \binom{n}{K}\, F_U^{K}(t)\, \bar F_U^{\,n-K}(t)

from where we derive E(U^t_{K+1:n} − U^t_{K:n}) due to:

E\big(U_{K+1:n}^t - U_{K:n}^t\big) = \int_0^t \big(\bar F_{U_{K+1:n}}(u) - \bar F_{U_{K:n}}(u)\big)\,du

for 0 ≤ K ≤ n − 1 (we recall U0:n := 0).
We finally compute E(ρV((t − UK:n)+)) with:

E\big(\rho_V((t - U_{K:n})^+)\big) = \int_0^t \rho_V(t-u)\, dF_{U_{K:n}}(u) = n \binom{n-1}{K-1} \int_0^t \rho_V(t-u)\, F_U^{K-1}(u)\, \bar F_U^{\,n-K}(u)\, f_U(u)\,du

where the renewal function ρV is computed via the algorithm from (Mercier 2007).
For finite horizon, the optimization on K is simply made by computing all CK([0, t]) for K = 0, . . . , n and taking the smallest. For infinite horizon, Theorem 4 is used.
The optimal strategy is given in Table 1 for different values of αV and t, as well as the asymptotic results (all other parameters fixed according to (3–5)). We can see in such a table that the optimal strategy is quickly stable with increasing t. More precisely, the optimal strategy for a finite horizon t is the same as the optimal strategy in the long-time run as soon as t is greater than about 3.5 mean lengths of life of a new-type component. For t about twice the mean life length, the finite time optimal strategy is already very near the long-time run one. Also, any strategy may be optimal, even for small t.

Table 1. Optimal strategy Kopt for different values of t (rows) and αV (columns), all other parameters fixed according to (3–5); the last row gives the long-time run result. The αV column headers were not recovered from the extraction.

t      Kopt for the eleven values of αV
5      10 10 10 10 10 10 10 10 10 10 10
10     10 10 10 10 10 10 10 10 10 10 10
15     10 10 10  2  2  1  1  1  0  0  0
20      7  7  6  5  5  4  4  3  2  1  1
25      9  9  8  8  7  7  6  5  4  3  1
30     10 10  9  9  8  7  6  4  3  1  0
35      9  9  7  6  5  4  4  2  1  0  0
40     10  9  8  7  6  5  4  3  2  1  0
45     10  9  8  7  6  6  5  3  2  1  0
50     10  9  8  7  6  5  4  3  2  1  0
75     10  9  8  7  6  5  4  3  2  1  0
100    10  9  8  7  6  5  4  3  2  1  0
∞      10  9  8  7  6  5  4  3  2  1  0

We now plot in Figure 2 the optimal strategy with respect to t, for αV fixed according to (3). We can see in such a figure that the behavior of Kopt (optimal K) with increasing t is not regular at all. There is consequently no hope to get any clear characterization of Kopt with respect to the different parameters in finite horizon as we had in the exponential case in
(Mercier and Labeau 2004) and as we have here in infinite horizon (Theorem 4).

Figure 2. Optimal strategy Kopt with respect to t (0 ≤ t ≤ 50), for αV fixed according to (3).

We next plot Kopt in Figures 3–6 for t fixed (t = 25) with respect to the parameters cf, ν, r and cp (all other parameters fixed according to (3–5)), which shows that Kopt may vary a lot when changing one single parameter. Also, one may note that Kopt decreases with cf (Fig. 3), ν (Fig. 4) and r (Fig. 5). Such observations are coherent with intuition, which says that preventive maintenance should be performed all the earlier (or equivalently new-type components should be introduced all the earlier) as failures are more costly, as the difference of costs is higher between both generations of components, or as economic dependence between replacements is higher. Similarly, Figure 6 shows that Kopt increases with cp, which means that the higher the cost of a preventive replacement is, the later the preventive maintenance must be performed. This is coherent with intuition, too.

Figure 3. Optimal strategy w. r. of cf for t = 25 (1 ≤ cf ≤ 3).

Figure 5. Optimal strategy w. r. of r for t = 25 (0 ≤ r ≤ 1.5).
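The order-statistics formulas of this section (the Beta-function c.d.f. of UK:n, the spacing identity and the truncated mean spacing) together with the decision rule of Theorem 4, written out as an added Python example; this is not the paper's Matlab code. It assumes the Weibull data (3)–(5) and evaluates I_{F_U(x)}(K, n − K + 1) through the equivalent binomial sum, so no special-function library is needed; the strategy it returns for the paper's parameters cannot be matched to Table 1, whose αV column headers were lost.

```python
"""Order statistics of i.i.d. Weibull lifetimes and the long-run decision rule
of Theorem 4.  Added example; the paper's own computations are done in Matlab.
Notation as in the paper: F_U(x) = 1 - exp(-alpha_U x^beta_U), U_{K:n} is the
K-th order statistic of n lifetimes, X^t = min(X, t), U_{0:n} := 0."""
import math

# Data (3)-(5) of the paper for the old-type components.
ALPHA_U, BETA_U, N = 1e-3, 2.8, 10


def weibull_cdf(x, alpha=ALPHA_U, beta=BETA_U):
    """F_U(x) = 1 - exp(-alpha x^beta) for x > 0, and 0 otherwise."""
    return 1.0 - math.exp(-alpha * x ** beta) if x > 0 else 0.0


def order_stat_cdf(x, k, n=N, cdf=weibull_cdf):
    """F_{U_{K:n}}(x) = I_{F_U(x)}(K, n-K+1).  The regularized incomplete
    Beta function equals P(at least K of the n lifetimes are <= x), so it is
    evaluated here as that binomial sum instead of Matlab's betainc."""
    p = cdf(x)
    return sum(math.comb(n, j) * p ** j * (1.0 - p) ** (n - j)
               for j in range(k, n + 1))


def spacing_survival_diff(t, k, n=N, cdf=weibull_cdf):
    """Fbar_{U_{K+1:n}}(t) - Fbar_{U_{K:n}}(t) = C(n,K) F_U(t)^K Fbar_U(t)^(n-K)
    for 0 <= K <= n-1: the probability that exactly K lifetimes are <= t."""
    p = cdf(t)
    return math.comb(n, k) * p ** k * (1.0 - p) ** (n - k)


def simpson(f, a, b, m=2000):
    """Composite Simpson rule on [a, b] with m (even) subintervals."""
    h = (b - a) / m
    s = f(a) + f(b) + sum((4 if i % 2 else 2) * f(a + i * h) for i in range(1, m))
    return s * h / 3.0


def expected_truncated_spacing(t, k, n=N, cdf=weibull_cdf):
    """E(U^t_{K+1:n} - U^t_{K:n}) = int_0^t (Fbar_{K+1:n}(u) - Fbar_{K:n}(u)) du."""
    return simpson(lambda u: spacing_survival_diff(u, k, n, cdf), 0.0, t)


def expected_normalized_spacings(n=N, cdf=weibull_cdf, horizon=1e3):
    """E(D_K) = (n-K) E(U_{K+1:n} - U_{K:n}) for K = 0..n-1; `horizon` must be
    large enough that the lifetime survival is negligible beyond it."""
    return [(n - k) * expected_truncated_spacing(horizon, k, n, cdf)
            for k in range(n)]


def long_run_optimal_strategy(r, cf, cp, nu, ev, n=N, cdf=weibull_cdf):
    """Theorem 4: optimal K in {0,...,n} in the long-time run, assuming the
    U_i are i.i.d. IFR and not exponential (so E(D_K) is strictly decreasing).
    a = (r+cf)/cp, b = nu/cp, ev = E(V) (mean life of a new-type component)."""
    a, b = (r + cf) / cp, nu / cp
    if b - a / ev >= 0:
        return 0                          # new-type units pay for themselves
    denom = a / ev - b                    # > 0 in the remaining case
    c = (a - 1.0) / denom
    d = (cf / cp - 1.0) / denom           # d <= c since r >= 0
    ed = expected_normalized_spacings(n, cdf)
    if c <= ed[n - 1]:
        return n                          # purely corrective
    if c > ed[1]:
        return 0 if d > ed[0] else 1      # purely / nearly purely preventive
    for k0 in range(2, n):
        if ed[k0] < c <= ed[k0 - 1]:
            return k0
    raise ValueError("E(D_K) is not strictly decreasing: IFR assumption violated")
```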
5 CONCLUSIONS
with each other. We have seen that the variations of the optimal strategy with respect to a finite horizon t are much less regular in the present case of general failure rates than in the case of constant failure rates as in (Elmakis, Levitin, and Lisnianski 2002) or (Mercier and Labeau 2004) (see Figure 2). Also, the main result from (Mercier and Labeau 2004), which told that the optimal strategy could only be strategy 0, 1 or n, namely (nearly) purely preventive or purely corrective, is here false: any strategy among 0, 1, . . . , n may be optimal.
It does not seem possible here to give clear conditions on the data to foretell which strategy is optimal in finite horizon as in the case of constant failure rates. We however obtained such conditions in the long-time run. A few numerical experiments (see others in (Mercier 2008)) seem to indicate that the optimal strategy in the long-time run actually is quickly optimal, namely for t not that large. The results for the long-time run then seem to give a good indicator for the choice of the best strategy, even for t not very large.

REFERENCES

Arnold, B. C., N. Balakrishnan, and H. N. Nagaraja (1992). A first course in order statistics. Wiley Series in Probability and Mathematical Statistics: Probability and Mathematical Statistics. New York: John Wiley & Sons Inc. A Wiley-Interscience Publication.
Barlow, R. E. and F. Proschan (1966). Inequalities for linear combinations of order statistics from restricted families. Ann. Math. Statist. 37, 1574–1592.
Clavareau, J. and P.-E. Labeau (2006a). Maintenance and replacement policies under technological obsolescence. In Proceedings of ESREL’06, Estoril (Portugal), pp. 499–506.
Clavareau, J. and P.-E. Labeau (2006b). Maintenance et stratégies de remplacement de composants soumis à obsolescence technologique. In Proc. Lambda-Mu 15, Lille (France).
Dekker, R., R. E. Wildeman, and F. A. van der Duyn Schouten (1997). A review of multicomponent maintenance models with economic dependence. Math. Methods Oper. Res. 45(3), 411–435. Stochastic models of reliability.
Ebrahimi, N. and F. Spizzichino (1997). Some results on normalized total time on test and spacings. Statist. Probab. Lett. 36(3), 231–243.
Elmakis, D., G. Levitin, and A. Lisnianski (2002). Optimal scheduling for replacement of power system equipment with new-type one. In Proc. of MMR’2002 (Mathematical Methods in Reliability 2002), Trondheim (Norway), pp. 227–230.
Mercier, S. (2007). Discrete random bounds for general random variables and applications to reliability. European J. Oper. Res. 177(1), 378–405.
Mercier, S. (2008). Optimal replacement policy for obsolete components with general failure rates. Appl. Stoch. Models Bus. Ind. 24(3), 221–235.
Mercier, S. and P.-E. Labeau (2004). Optimal replacement policy for a series system with obsolescence. Appl. Stoch. Models Bus. Ind. 20(1), 73–91.
Michel, O., P.-E. Labeau, and S. Mercier (2004). Monte Carlo optimization of the replacement strategy of components subject to technological obsolescence. In Proc. of PSAM 7 - ESREL’04, Berlin (Germany), pp. 3098–3103.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: The main objective of this work is to optimize the maintenance function at the foundry of the company BCR in Algeria. For this, we use a comprehensive approach involving two global areas: the organizational aspect and the technical aspect. As a first step, we analyse the reliability of certain equipment through a Pareto analysis. After that, we present the influence of repair times on the unavailability of this equipment. In order to calculate the optimal renewal times of some spare parts of an equipment (since they present an important time of unavailability), we first make an economic evaluation, which leads to expressing the direct and indirect costs of maintenance. Finally, in order not to change an available item (in good condition), we give an overview of implementing a ‘‘non destructive control’’.
models obtained through the classic test of adequacy ‘‘Kolmogorov-Smirnov’’. The results are in Table 2.
n: size of the sample.
β: shape parameter of the Weibull law.
η: scale parameter of the Weibull law.
Dks: empirical statistic of the Kolmogorov-Smirnov test.
d(n,0.05): tabulated quantile of the Kolmogorov-Smirnov test with a level of significance equal to 0.05.
The results show that the two-parameter Weibull model is accepted at a level of significance of 0.05 for the facilities DECRT, ROVT021, ROVT041, ROVT042, GREN011, GREN021, NOYT020, BASP, but for the NOYT018 machine the Weibull model is rejected.
In addition to the tendency of these facilities (equipment) to follow the Weibull law (DECRT, ROVT041, ROVT042, GREN011, GREN021, NOYT020), the exponentiality of their lifetime is validated as well. For the equipment BASP and ROVT021, the exponential model is rejected.

Figure 1. Diagram ABC (Pareto). [Figure not recovered.]

Table 1. Equipment chosen. [Columns: Code, Designation; rows not recovered.]
Table 3. Graphic test. [Columns: Equip, n, curve of tendency, model, rate; rows not recovered.]

4 AVAILABILITY OF EQUIPMENTS

Table 4. Results of the modeling of the repair times. [Rows not recovered.]

Table 6. Results of the modeling of the availability times, where Ddif = Dopr − Dops and Dres = (Dopr − Dops)/(1 − Dopr). [Rows not recovered.]

(Mean Time To Failure), and TDM (Mean Down Time), in order to evaluate Dopr and Dops. The results are reported in Table 4, Table 5 and Table 6. In an effort to highlight the potential impact of the repair time annexes on the unavailability of equipments, we have adopted the following steps:
• calculate, as a first step, the actual availability Dopr and Dops;
• calculate, in a second stage, the unavailability (Dopr − Dops) caused by the waiting time of repair;
• finally, estimate the rate of unavailability caused by the repair time annexes.
The ratio of the operational unavailability to the supplementary waiting time shows that the repair time annexes represent more than half of the unavailability times. An analysis of the situation is therefore indispensable, in order to reduce these immobilization times. It also invites a review of the management policy for spare parts stocks and
to put adequate means in place for a better handling of the repairs.

5 OPTIMIZATION OF THE RENEWAL

The BASP machine holds an important place in the production chain and has a high rate of unavailability. It is on this account that we chose to study the optimal replacement of some of its components, in order to optimize its overall performance.

5.1 Selection of components

We have chosen components which have a fairly large frequency of use, in order to have enough data. These components are five in number, presented in Table 7.

Table 7. The chosen components. [Rows not recovered.]

5.2 Evaluation of maintenance costs

The costs involved in a maintenance policy can be separated into: compressible costs Cp (cost of preventive maintenance) and Cd (costs of failure in service). In the first category are involved the prices of spare parts and workers. Whatever the planned maintenance is, no gain is possible on them. For the second category, one variable is taken into account: the cost of the unavailability related to the maintenance actions to be carried out. The results are given in Table 8.

5.3 Replacement depending on the age

Gain = γ(T0) − γ(∞),

where the optimum time ‘‘T0’’ is a solution of the derivative of γ(T), i.e. a solution of the equation:

\lambda(T)\int_0^T R(t)\,dt + R(T) = \frac{C_d}{C_d - C_p}. \qquad (5)

If Cp > Cd the equation has no solution; the most economical renewal is then curative.

5.3.1 Research of the optimum replacement: Kelly model

It allows determining the optimum time of preventive change, based on the Weibull law parameters and the Kelly abacuses. To use these abacuses it is necessary to determine the shape parameter of the Weibull law and the ratio r = Cd/Cp. For this we have modeled the lifetime of the components with the Weibull law. The results are presented in Table 9. The results of calculating the optimum time T0 of preventive change are given in Table 10.

5.3.2 Kay model

From the equations (3) and (4), the preferability relationship γ(T) < γ(∞) is expressed by the formula:

\frac{\int_0^T R(t)\,dt}{\int_0^\infty R(t)\,dt} \ge k + (1-k)\,F(T), \qquad k = \frac{C_p}{C_p + C_d}. \qquad (6)

Table 9. Modeled lifetime of the components. [Rows not recovered.]
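The age-replacement relations of Section 5.3 as an added Python example, not the paper's Kelly abacus or Kay computation: it solves equation (5) for T0 for a two-parameter Weibull lifetime, evaluates γ(T) and γ(∞), and checks criterion (6). γ(T) is written in its standard renewal-reward form, which is the cost rate whose first-order condition is (5); the Weibull parameters and costs used in the test are constructed, not those of the paper's Tables 8–10.

```python
"""Age-based preventive renewal of a component with Weibull lifetime.
Added example, not the paper's Kelly abacus or Kay computation.  Notation as in
the paper: R(t) reliability, F(t) = 1 - R(t), lambda(t) failure rate, Cp cost of
a preventive renewal, Cd cost of a failure in service, gamma(T) mean maintenance
cost per unit time when renewing at age T or at failure, whichever comes first."""
import math


def reliability(t, eta, beta):
    """R(t) = exp(-(t/eta)^beta): two-parameter Weibull, scale eta, shape beta."""
    return math.exp(-((t / eta) ** beta)) if t > 0 else 1.0


def failure_rate(t, eta, beta):
    """lambda(t) = (beta/eta) (t/eta)^(beta-1); only used for beta > 1 here."""
    return (beta / eta) * (t / eta) ** (beta - 1) if t > 0 else 0.0


def simpson(f, a, b, m=2000):
    """Composite Simpson rule on [a, b] with m (even) subintervals."""
    h = (b - a) / m
    s = f(a) + f(b) + sum((4 if i % 2 else 2) * f(a + i * h) for i in range(1, m))
    return s * h / 3.0


def mean_life(eta, beta):
    """int_0^inf R(t) dt = eta * Gamma(1 + 1/beta)."""
    return eta * math.gamma(1.0 + 1.0 / beta)


def mean_cost_rate(T, eta, beta, cp, cd):
    """gamma(T) = (Cp R(T) + Cd F(T)) / int_0^T R(t) dt: renewal-reward cost
    per unit time of renewing at age T or at failure, whichever comes first."""
    r_T = reliability(T, eta, beta)
    return (cp * r_T + cd * (1.0 - r_T)) / simpson(lambda t: reliability(t, eta, beta), 0.0, T)


def corrective_only_cost_rate(eta, beta, cd):
    """gamma(inf) = Cd / E(lifetime): curative renewal only."""
    return cd / mean_life(eta, beta)


def optimal_renewal_age(eta, beta, cp, cd, tol=1e-8):
    """Solve equation (5): lambda(T) int_0^T R(t) dt + R(T) = Cd / (Cd - Cp).
    Returns None when Cp >= Cd (the paper: no solution, curative renewal is the
    most economical) or when beta <= 1 (no ageing, the left side is constant)."""
    if cp >= cd or beta <= 1.0:
        return None
    target = cd / (cd - cp)

    def lhs(T):
        return (failure_rate(T, eta, beta)
                * simpson(lambda t: reliability(t, eta, beta), 0.0, T)
                + reliability(T, eta, beta))

    # For beta > 1 the left side is increasing (its derivative is
    # lambda'(T) int_0^T R > 0), starts at 1 < target and grows without bound,
    # so the root is bracketed by doubling and then located by bisection.
    lo, hi = 0.0, eta
    while lhs(hi) < target:
        hi *= 2.0
    while hi - lo > tol * eta:
        mid = 0.5 * (lo + hi)
        if lhs(mid) < target:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def kay_prefers_preventive(T, eta, beta, cp, cd):
    """Criterion (6) of the paper (Kay model), with k = Cp / (Cp + Cd):
    int_0^T R / int_0^inf R >= k + (1 - k) F(T)."""
    k = cp / (cp + cd)
    ratio = simpson(lambda t: reliability(t, eta, beta), 0.0, T) / mean_life(eta, beta)
    return ratio >= k + (1.0 - k) * (1.0 - reliability(T, eta, beta))
```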
The optimal times of preventive renewal obtained by the two methods are similar. The difference is due to the results found by the Kay model, which are based on the values of the whole sample, i.e. on discrete values, whereas those found by the Kelly model are obtained from the adjustment of a continuous law.

6 NON DESTRUCTIVE CONTROL

After the results of the optimal time for renewal are obtained, and in order not to change a component in good condition, it is proposed to implement the procedures of organization of a non destructive control (NCD) which consists of:
• define the objectives and the equipment to be followed, and evaluate the causes of failures;
• study the feasibility of NCD;
• choose the methods and techniques of the non-destructive inspections to be used;
• study and establish alarm guidelines;
• establish economic assessments;
• train all staff concerned.

7 CONCLUSION

In this study we used a global approach that covers two main areas: the organizational aspect and the techno-economic aspect. In a first step, thanks to the ABC analysis, it was possible to identify the equipment that causes more than 60% of the immobilization of the foundry section. After that, we have modeled the equipment reliability, by using parametric and non-parametric approaches, which helped to highlight the types of failures of this equipment. We have seen that the majority of these are subject to random failures. Then we introduced a phenomenon found in the collection of data, which is the unavailability linked to repair time annexes, which represents more than half of the operational unavailability of the equipment.
The evaluation of the economic consequences has led us to express the direct and indirect costs of maintenance in order to calculate the optimal renewal time of certain pieces of equipment that present an important unavailability time (cost). This shows that the decisions of preventive renewal are not only the results of a technical study.
For a better system of managing the maintenance, it is proposed to revise the current system of management, by investing in its implementation.
ABSTRACT: The inspection and maintenance policy is determined by the crossing of a critical threshold
by an aggregate performance measure. Rather than examining the first hitting time of the level, we base our
decisions on the probability that the system will never return to the critical level. The inspection policy is state
dependent and we use a "scheduling function" to determine the time to the next inspection given the system
state. Inspection reveals the true state of the system and allows the determination of the appropriate action, do
nothing or repair, and the time of the next inspection. The approach is illustrated using a multivariate system
model whose aggregate measure of performance is a Bessel process.
1 INTRODUCTION

The models derived in this paper are a natural extension of models which use the first hitting time of a critical level as a definition of failure (Barker and Newby 2006). Here we develop a model in which the system is repaired if the probability of returning to the critical level is small (a last exit time) and it has not crossed a second level which corresponds to catastrophic failure. The intention is to maintain a minimum level of performance. The approach is appropriate when the system is subject to relatively minor repairs until it begins to degrade faster and requires major repair. This is typically the behaviour of infrastructure and large capital items. It also captures the behaviour of systems which eventually become economically obsolete and not worth repairing. The system is complex in the sense that it consists of a number of components whose states evolve in time. The system state is summarized using a Bessel process Rt ∈ [0, ∞) which is transient and thus tends to increase. Transience ensures that the process will eventually escape to ∞. There are two critical levels, ξ and F > ξ. The system is repaired if on inspection it has a small probability of returning to ξ, and suffers a catastrophic failure if it reaches F. The time to inspection and repair is determined by a scheduling function (Grall et al. 2002) which gives the time until the next action as a function of the current state. The threshold ξ defines the repair actions and is incorporated in a maintenance function r. The actions are determined by the probability that the process has escaped from [0, ξ), and F defines the failure of the system and hence its replacement. The sequence of failure and replacement times GF constitutes a renewal process. This embedded renewal process is used to derive the expected cost per unit time over an infinite time horizon (for the periodic inspection policy) and the total expected cost (for the non-periodic inspection policy). The costs are optimized with respect to the system parameters.

1.1 Modelling degradation

The system is complex, consisting of N components, and its state is an N-dimensional Wiener process

W_t = \mu t + \sigma B_t, \qquad W_0 = 0

with μ = [μ1, . . . , μN]^T, Bt = [Bt(1), . . . , Bt(N)]^T, where Bt(i) is a standard Brownian motion.
The individual processes are not observed and decisions are based on a performance measure Rt = ‖Wt‖2, the L2-norm of Wt. Without loss of generality we assume that σ = 1. Rt is the radial norm of a drifting Brownian motion starting at the origin, a Bessel process Bes0(ν, μ) starting at the origin with parameter ν and drift μ (Rogers and Pitman 1980), where

\nu = \frac{N}{2} - 1, \qquad \mu = \|\boldsymbol{\mu}\|_2

The properties of the Bessel process entail some changes in the way the model is developed. Because the radial part of a Brownian motion with drift starting at x > 0 is not a Bessel process with drift (Rogers and
Pitman 1980), we handle repair by adjusting the thresholds. The difficulty is resolved by calculating the distance remaining between the observed state at repair and the threshold, and representing repair by restarting the process from the origin (in R^N) and lowering the threshold to that remaining distance. Extensive treatments of the Bessel process with drift and the radial Brownian motion are given in (Revuz and Yor 1991; Pitman and Yor 1981; Rogers and Pitman 1980).

2 PERIODIC INSPECTIONS

2.1 Features of the model

2.1.1 Model assumptions

The model assumes: a) the inspection policy is to inspect at fixed intervals τ, and inspections are perfect and instantaneous; moreover, the system state is known only at inspection or failure; b) the system starts from new, at t = 0 R0 = 0; c) the thresholds are F and ξ < F; d) each inspection incurs a fixed cost Ci; e) catastrophic failures are instantaneously revealed as the first hitting time of the threshold F; f) the system is instantaneously replaced by a new one at cost Cf; g) each maintenance action incurs a cost determined by a cost function Cr; h) the transition density for Rt starting from x is f_τ^x(y) ≡ f(y|x, τ).

2.1.2 Settings for the model

The state space in which the process evolves is partitioned into a normal range [0, ξ), a deteriorated range [ξ, F) and failed [F, ∞),

\mathbb{R}_+ = [0, \xi) \cup [\xi, F) \cup [F, +\infty).

The decisions are based on the last exit time from the critical threshold ξ,

H_\xi^0 = \sup_{t \in \mathbb{R}_+} \{R_t \le \xi \mid R_0 = 0\},

which is not a stopping time. Because H_ξ^0 is not a stopping time, we work with the probability of not returning to the level ξ before the next inspection, P[H^0_{ξ−x} ≥ τ]. The catastrophic failure time is

G_F^0 = \inf_{t \in \mathbb{R}_+} \{R_t = F \mid R_0 = 0\},

which is a stopping time. The density of G_F^x is g_F^x.
Inspection at time t = τ (immediately before any maintenance) reveals the system’s performance measure Rτ. The level of maintenance (replacement or imperfect maintenance) is decided according to whether the system has failed (G_F^0 ≤ τ) or is still working (G_F^0 > τ). Replacement is determined by the first hitting time of threshold F.
Maintenance actions are modelled using a function r to specify the amount by which both of the threshold values are decreased. The maintenance function depends on the probability of return to ξ:

r(x) = \begin{cases} x, & P[H^0_{\xi - x} \le \tau] \le 1 - \varepsilon \\ kx, & P[H^0_{\xi - x} \le \tau] > 1 - \varepsilon \end{cases}

where 0 < ε < 1 and k ∈ [0, 1]. Standard models can be recovered: ε = 0 corresponds to no maintenance; k = 1 corresponds to minimal repair (as bad as old); and k = 0 corresponds to perfect repair (good as new).
The cost function depends on the amount, r, by which the threshold values are decreased:

C_r(x) = \begin{cases} 0, & P[H^0_{\xi - r(x)} \le \tau] \le 1 - \varepsilon \\ C_{rep}, & P[H^0_{\xi - r(x)} \le \tau] > 1 - \varepsilon \end{cases}

The transience of the Bessel process implies that Cr is well defined: ∀ ε ∈ (0, 1), ∃ τ* ∈ R+ such that

\forall\, \tau \le \tau^*, \; P[H^0_{\xi - x} \le \tau] \le 1 - \varepsilon; \qquad \forall\, \tau > \tau^*, \; P[H^0_{\xi - x} \le \tau] > 1 - \varepsilon.

2.1.3 The framework

There are two possibilities: the system fails (G_F^0 ≤ τ) or is still working (G_F^0 > τ) after crossing ξ. At inspection time t1 and before any maintenance action, the performance measure is R_{t1} = x. Maintenance lowers the threshold values ξ → ξ − r(x) and F → F − r(x), so considering the next interval:
1. G^0_{F−r(x)} > τ: the system survives until the next planned inspection in τ units of time. The next inspection is at t1 + τ with cost Ci. The cost of repair at this next inspection is Cr(r(x)). The performance measure at time t1 + τ is R_τ^0 and determines the reduction in the thresholds.
2. G^0_{F−r(x)} ≤ τ: the performance measure hits the threshold F − r(x) before the inspection at t1 + τ. The system fails and is instantaneously replaced with cost of failure Cf. These failure times form a renewal process.
Each cycle consists of a sequence of occurrences of case 1 and ends with case 2 as the system fails and is replaced.

2.2 Optimal periodic inspection policy

2.2.1 Expected cost per cycle

If Rτ = x at time τ−, an inspection prior to any maintenance, we set Rτ+ = x and the threshold values adjusted to F − r(x) and ξ − r(x) at τ+, just after the action. A recursive argument yields an analytical
expression for the cost of inspection and maintenance per cycle. The cost per cycle is V^x_τ given that R_τ = x:

$$V^x_\tau = C_f\, 1_{\{G^0_{F-r(x)} \le \tau\}} + \left( C_i + C_r(x) + V^{R^0_\tau}_\tau \right) 1_{\{G^0_{F-r(x)} > \tau\}},$$

where V^{R^0_τ}_τ is the future cost restarting from the renewed state 0. Taking the expectation:

$$v^x_\tau = E[V^x_\tau] = A + B \quad (1)$$

$$A = E\left[ C_f\, 1_{\{G^0_{F-r(x)} \le \tau\}} \right] = C_f \int_0^{\tau} g^0_{F-r(x)}(y)\,dy$$

$$B = E\left[ \left( C_i + C_r(x) + V^{R^0_\tau}_\tau \right) 1_{\{G^0_{F-r(x)} > \tau\}} \right] = \{C_i + C_r(x)\} \left( 1 - \int_0^{\tau} g^0_{F-r(x)}(y)\,dy \right) + \left( 1 - \int_0^{\tau} g^0_{F-r(x)}(y)\,dy \right) \int_0^{F-r(x)} v^y_\tau\, f^0_\tau(y)\,dy$$

We restructure the expected cost as

$$v^x_\tau = Q(x) + \lambda(x) \int_0^{F-r(x)} v^y_\tau\, f^0_\tau(y)\,dy \quad (2)$$

with

$$\lambda(x) = 1 - \int_0^{\tau} g^0_{F-r(x)}(y)\,dy$$

$$Q(x) = (1 - \lambda(x))\, C_f + \lambda(x) \{ C_i + C_r(r(x)) \} \quad (3)$$

2.2.2 Expected length of a cycle

The expected length of a cycle, l^x_τ, is obtained similarly. The length of a cycle L^x_τ is

$$L^x_\tau = G^0_{F-r(x)}\, 1_{\{G^0_{F-r(x)} \le \tau\}} + \left( \tau + L^{R^0_\tau}_\tau \right) 1_{\{G^0_{F-r(x)} > \tau\}},$$

where L^{R^0_τ}_τ is the length of a cycle restarting in state 0. The expected value is

$$l^x_\tau = P(x) + \lambda(x) \int_0^{F-r(x)} l^y_\tau\, f^0_\tau(y)\,dy \quad (4)$$

with λ defined in (3) and

$$P(x) = \int_0^{\tau} y\, g^0_{F-r(x)}(y)\,dy + \tau \lambda(x) \quad (5)$$

2.2.3 Expected cost per unit time

A standard renewal reward argument gives the cost per unit time,

$$C^x_\tau = \frac{v^x_\tau}{l^x_\tau},$$

with expressions for v^x_τ, l^x_τ given in (1) and (4) respectively.

2.2.4 Obtaining solutions

The density, g^0_F, for the first hitting time of a Bessel process with drift is known only through its Laplace transform (Pitman & Yor 1981; Yin 1999). The transform is, for ν > 0,

$$E\left[ e^{-\frac{1}{2}\beta^2 G^0_F} \right] = \left( \frac{\sqrt{\beta^2 + \mu^2}}{\mu} \right)^{\nu} \frac{I_\nu(\mu F)}{I_\nu\left( F \sqrt{\beta^2 + \mu^2} \right)}.$$

Solutions to (2) were obtained by performing numerical inversions of the Laplace transform using the EULER method (Abate & Whitt 1995).

The Volterra equations (2) and (4) are reformulated as Fredholm equations

$$v^x_\tau = Q(x) + \lambda(x) \int_0^{F} K\{x, y\}\, v^y_\tau\,dy$$

$$l^x_\tau = P(x) + \lambda(x) \int_0^{F} K\{x, y\}\, l^y_\tau\,dy$$

with Q, λ as in (3), P as in (5) and

$$K\{x, y\} = 1_{\{y \le F - r(x)\}}\, f^0_\tau(y).$$

They are solved numerically using the Nyström routine with an N point Gauss-Legendre rule. For x_i ∈ (ξ, F], r(x_i) is not defined since ξ − x_i < 0. For such values we take r(x_i) = k x_i, i.e. repair is undertaken on the system. If ξ − r(x_i) < 0, a cost of repair is automatically included at the next inspection time. This seems to be a reasonable assumption since R_t is positive and will therefore always stay above such a threshold with negative value, meaning that the last exit time has already happened and hence that repair must be considered.

The optimal period of inspection and repair threshold can then be determined as:

$$(\tau^*, \xi^*) = \operatorname{argmin}_{(\tau, \xi) \in \mathbb{R}^+ \times [0, F]} \{ C^0_\tau \}.$$

3 NON-PERIODIC INSPECTIONS

3.1 Features of the model

The extension to non-periodic inspection policies shares many features with the periodic policy
described in 2.1. The complexities of a dynamic programming formulation are avoided by introducing a scheduling function τ = m(x) which determines the time τ to the next inspection based on the observed system state x. The scheduling function develops the sequence of inspections in the following way: an inspection at τ_i reveals R_{τ_i} = x, the repair is r(x) and the next inspection is scheduled at m(r(x)).

Different inspection policies are obtained through the use of three scheduling functions m_1, m_2 and m_3 modelled on the approach in (Grall et al. 2002).

$$m_1[x \mid a, b] = \max\left\{ 1,\; a - \frac{a-1}{b}\, x \right\}$$

$$m_2[x \mid a, b] = \begin{cases} \dfrac{(x-b)^2}{b^2}\,(a-1) + 1, & 0 \le x \le b \\[4pt] 1, & x > b \end{cases}$$

$$m_3[x \mid a, b] = \begin{cases} -\left( \dfrac{\sqrt{a-1}}{b}\, x \right)^2 + a, & 0 \le x \le b \\[4pt] 1, & x > b \end{cases}$$

All the functions decrease from a to 1 on the interval [0, b] and then remain constant at 1. The scheduling function m_1 decays linearly; the function m_2 is concave, initially steeply declining and then slowing; the function m_3 is convex, initially slowly declining and then more rapidly. The different shapes reflect different attitudes to repair: m_3 tends to give longer intervals initially and m_2 gives shorter intervals more rapidly.

To avoid a circular definition the maintenance function r employs the performance measure x just before repair,

$$r(x) = \begin{cases} x, & P[H^0_{\xi - x} \le m(x)] \le 1 - {} \\ kx, & P[H^0_{\xi - x} \le m(x)] > 1 - {} \end{cases}$$

with 0 < < 1, k ∈ (0, 1]. The next inspection is scheduled at m(r(x)) units of time with cost C_r(r(x)), where

$$C_r(r(x)) = \begin{cases} 0, & P[H^0_{\xi - r(x)} \le m(r(x))] \le 1 - {} \\ C_{rep}, & P[H^0_{\xi - r(x)} \le m(r(x))] > 1 - {} \end{cases}$$

Taking the expectation,

$$v^x = E[V^x] = A + B + C$$

$$A = \left( C_f + v^0 \right) \int_0^{m(r(x))} g^0_{F-r(x)}(y)\,dy$$

$$B = \{ C_i + C_r(x) \} \left( 1 - \int_0^{m(r(x))} g^0_{F-r(x)}(y)\,dy \right)$$

$$C = \left( 1 - \int_0^{m(r(x))} g^0_{F-r(x)}(y)\,dy \right) \int_0^{F} 1_{\{y \le F - r(x)\}}\, v^y\, f^0_{m(r(x))}(y)\,dy$$

which may be re-arranged as

$$v^x = Q(x) + (1 - \lambda(x))\, v^0 + \lambda(x) \int_0^{F} K\{x, y\}\, v^y\,dy \quad (6)$$

with

$$\lambda(x) = 1 - \int_0^{m(r(x))} g^0_{F-r(x)}(y)\,dy$$

$$Q(x) = (1 - \lambda(x))\, C_f + \lambda(x) \{ C_i + C_r(r(x)) \}$$

$$K\{x, y\} = 1_{\{y \le F - r(x)\}}\, f^0_{m(r(x))}(y)$$

3.3 Obtaining solutions

While (6) contains both v^x and v^0, we need only the value of v^0, so we change the equation to

$$v^x = Q(x) + (1 - \lambda(x))\, v^x + \lambda(x) \int_0^{F} K\{x, y\}\, v^y\,dy$$

and solve for v^x as for the periodic model, as in (Barker & Newby 2007). The solution is then obtained by setting x = 0.
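The three scheduling functions of section 3.1 and the inspection sequence they generate, as an added example that is not the authors' code. It assumes the formulas as reconstructed above, takes the repair decision as a caller-supplied predicate standing in for the last-exit-time probability test (which needs the Bessel-process distribution and is not implemented here), and uses a constructed sequence of observed states.

```python
"""Scheduling functions m1, m2, m3 (section 3.1) and the inspection sequence
they generate.  Added example, not the authors' code.  The repair decision is
a caller-supplied predicate; the page's test on P[H <= m(x)] is not implemented."""
from math import sqrt


def m1(x, a, b):
    """Linear schedule: decays from a at x = 0 to 1 at x = b, then stays at 1."""
    return max(1.0, a - (a - 1.0) / b * x)


def m2(x, a, b):
    """((x - b)^2 / b^2)(a - 1) + 1 on [0, b]: steep decline first, then slowing."""
    if x > b:
        return 1.0
    return ((x - b) ** 2 / b ** 2) * (a - 1.0) + 1.0


def m3(x, a, b):
    """a - (sqrt(a - 1) x / b)^2 on [0, b]: slow decline first, then faster."""
    if x > b:
        return 1.0
    return a - (sqrt(a - 1.0) / b * x) ** 2


SCHEDULES = {"m1": m1, "m2": m2, "m3": m3}


def interval_ordering(x, a, b):
    """Schedule names sorted by the interval they give at state x, longest
    first (the text expects m3 > m1 > m2 for x strictly inside (0, b))."""
    return sorted(SCHEDULES, key=lambda name: -SCHEDULES[name](x, a, b))


def inspection_sequence(schedule, states, a, b, k, repair_needed):
    """Develop the inspection times of section 3.1: an inspection at tau_i
    reveals x, the repair is r(x) and the next inspection is at
    tau_i + m(r(x)).  Following the two-branch form of r on the page,
    r(x) = k*x when repair_needed(x) is true and r(x) = x otherwise.
    Returns [(inspection_time, observed_state, r_of_x), ...]."""
    t = 0.0
    sequence = []
    for x in states:
        r = k * x if repair_needed(x) else x
        sequence.append((t, x, r))
        t += schedule(r, a, b)
    return sequence


if __name__ == "__main__":
    # Constructed states observed at successive inspections (not the paper's data).
    observed = [0.0, 0.6, 1.0, 1.7, 2.4]
    for name, fn in SCHEDULES.items():
        seq = inspection_sequence(fn, observed, a=2.2, b=1.5, k=0.9,
                                  repair_needed=lambda x: x >= 1.5)
        print(name, [(round(t, 2), x, round(r, 2)) for t, x, r in seq])
```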
Table 1. Optimal parameters given k = 0.9 and repair parameter 0.5.

C_i, C_rep, C_f    (τ*, ξ*)    v^0_{τ*}    l^0_{τ*}    C^0_{τ*}

[Figure 1: C^0_{τ*} against the repair threshold ξ, ticks 0, 5, 9.5, 15]
Figure 1. Effect of parameter ξ on C^0_{τ*} with (a, repair parameter, τ*) = (0.9, 0.5, 1.6).

4.1.1 The influence of the costs

The response of the model to costs is examined with costs C_i ∈ {0.5, 50, 500}, C_rep ∈ {2, 200, 2000} and C_f ∈ {5, 500, 5000}. The optimal period of inspection τ*, repair threshold ξ* and expected cost per unit time C^0_{τ*} are summarized in table 1. The expected cost and expected length per cycle at the optimum are v^0_{τ*} and l^0_{τ*}.

As C_i increases the optimal expected cost per unit time and the optimal period of inspection increase. Increasing C_i makes inspection more expensive, resulting in less frequent inspection, and reduces l^0_{τ*} because there will be more failures.

Changing C_rep affects the optimal period of inspection and gives higher values for the optimal repair threshold. The higher threshold ξ* reduces the frequency of repairs, hence reducing costs. The optimal strategy is driven by the repair threshold, which determines the frequency of maintenance and thus the optimal expected total cost.

Increasing C_f increases τ* and ξ*. For a low cost of failure (i.e. C_f << C_i + C_rep) the optimal strategy is to let the system fail and then replace it, resulting in a lower cost than a repair or a simple inspection.

4.1.2 Investigating the maintenance actions

The maintenance function considered has parameters k = 9/10 and repair parameter 1/2:

$$r(x) = \begin{cases} x, & P[H^0_{\xi - x} \le \tau] \le \tfrac{1}{2} \\ 0.9x, & P[H^0_{\xi - x} \le \tau] > \tfrac{1}{2} \end{cases}$$

The effects of parameters ξ, k and the repair parameter on the model with (C_i, C_rep, C_f) = (50, 200, 500) are examined. In Table 1 the optimal parameters are (τ*, ξ*) = (1.6, 9.5).

i. The repair threshold: The optimal solution depends strongly on ξ when other parameters remain fixed, as is shown in figure 1.

ii. Level of repair: The level of repair increases from perfect repair with k = 0 to minimal repair with k = 1. Table 2 shows the uniform effect of the level-of-repair parameter k. The cycle length decreases and the cost increases as k increases.

Table 2. Optimal inspection period and expected cost per unit time for different values of k (repair parameter 0.5).

k      τ*     C^0_{τ*}
0      3.4    15.72
0.1    3.2    17.04
0.2    3.0    18.80
0.3    2.8    20.37
0.4    2.4    23.08
0.5    2.4    25.18
0.6    2.0    28.59
0.7    2.0    30.02
0.8    1.6    32.78
0.9    1.6    33.39
1      1.4    36.21

iii. Repair parameter: Repair is determined by the repair parameter and the probability P[H^0_{ξ−x} ≤ τ]. The different values of the repair parameter, 0.1, 0.5 and 0.9, reflect the decision maker's attitude towards repair. Values close to 1 correspond to almost certain repair and, as the value decreases to 0, repair occurs less frequently, a riskier position. The results in table 3 show that only the threshold responds to it.

The model adapts itself to the decision maker's attitude to repair (the value of the repair parameter) by moving the optimal repair thresholds. As the parameter increases repairs will be considered more often, but ξ* increases to restrain the frequency of repairs. The optimal expected cost per
Table 3. Optimal parameters for different values of the repair parameter.

                0.1      0.5      0.9
ξ*              8        9.5      11
τ*              1.6      1.6      1.6
C^0_{τ*}        33.39    33.39    33.39

Table 4. Optimal expected total cost and parameters a, b and ξ.

Repair threshold    Scheduling function    a*     b*     v*
ξ = 1               m1                     2.2    1.5    1171.7
                    m2                     2.1    4.2    1169.5
                    m3                     2.1    0.9    1170.4
ξ = 2               m1                     2.2    1.7    1189.1
                    m2                     2.2    2.9    1194
                    m3                     2.1    1      1189.9
ξ = 3               m1                     2.4    2.5    1546.3
                    m2                     2.5    2.8    1572.1
                    m3                     2.4    1      1547.8
ξ = 4               m1                     5.2    3.7    2.3283 × 10^5
                    m2                     5.2    3.8    2.34 × 10^5
                    m3                     5.2    1.9    2.3264 × 10^5
ξ = 5               m1                     6.5    0.5    3.8437 × 10^6
                    m2                     6.5    0.7    3.8437 × 10^6
                    m3                     6.5    0.5    3.8437 × 10^6

Figure 2. Effect of the repair parameter on the optimal solution C^0_{τ*} with parameters (k, ξ*, τ*) = (0.9, 9.5, 1.6).

unit time remains constant in the three cases studied. Figure 2 clearly shows that this is not the case for inspection periods τ ∈ (τ*, τ_{0.1}], where τ_{0.1} satisfies

$$\forall\, t > \tau_{0.1}:\ P\left[ H^0_\xi < t \right] > 1 - 0.1.$$

For most values in this interval, the expected cost per unit time increases with the repair parameter: the model penalizes a costly strategy that favors too many repairs. For a period of inspection greater than τ_{0.1}, the expected costs per unit time are identical since in all three cases the approach towards repair is similar: the system will be repaired with certainty,

$$P\left[ H^0_\xi < t \right] > 0.9 \;\Rightarrow\; P\left[ H^0_\xi < t \right] > 0.5 \;\Rightarrow\; P\left[ H^0_\xi < t \right] > 0.1.$$

4.2 Non-periodic inspection policy

The results are obtained using Bes^0(0.5, 2) for R_t and with F = 5. The different costs and the maintenance function's parameters are (C_i, C_rep, C_f) = (50, 100, 200), k = 0.1 and repair parameter 0.5.

The optimal solution is determined by the optimal parameter values (a*, b*) rather than the solution of

4.2.1 The optimal maintenance policy

Table 4 reports the optimal solutions for a range of thresholds and for the different scheduling functions. An optimal solution was found in each case. The solutions are not particularly sensitive to (a, b), but range over several orders of magnitude as the threshold ξ varies.

4.2.2 The influence of costs

We take an example with scheduling function m_1 and ξ = 3. The optimal parameters (a*, b*) and total cost are summarized in table 4. As C_i increases, the optimal values of a and b increase, making inspection less frequent when the cost of inspection increases.

4.2.3 Investigating the maintenance actions

i. Level of repair: The optimal cost for the three optimal inspection scheduling functions, k ∈ [0, 1] and repair threshold ξ = 3 are shown in Figure 3. In all three cases the expected total cost increases with k, implying a reduction in the amount of maintenance undertaken on the system at each repair. The system will therefore require more frequent repairs or will fail sooner, implying an increase in the total expected cost value.

ii. Attitude to repair: The attitude of the decision maker towards repair is reflected in the repair parameter, which lies in [0, 1]. The optimal expected costs obtained with corresponding optimal parameters, with the repair parameter equal to 0.1, 0.5, 0.9 and ξ = 3, are summarized in table 6. Letting the parameter approach zero means that the
decision maker tends to a safer maintenance approach. Changes in the repair parameter induce changes in the optimal inspection policy and the resulting optimal expected total cost (table 6).

Table 5. Optimal expected total cost and parameters (a, b) for different values of the maintenance costs, ξ = 3.

C_i, C_rep, C_f      a*     b*     v*
(5, 100, 200)        2.4    2.4    1467.6
(50, 100, 200)       2.4    2.5    1546.3
(500, 100, 200)      2.5    2.6    2296.7
(50, 1, 200)         2.4    2.3    1377.3
(50, 100, 200)       2.4    2.5    1546.3
(50, 1000, 200)      2.6    2.5    2971.9
(50, 100, 2)         3.2    2.9    203.67
(50, 100, 200)       2.4    2.5    1546.3
(50, 100, 2000)      2.4    2.2    13134

[Figure 3: expected total cost (2500 to 5500) for the inspection strategies m1, m2 and m3]

5 SUMMARY

The models derived and investigated in the present paper extend an earlier paper (Barker & Newby 2006) by incorporating catastrophic failure of the system. Catastrophic failure is represented by introducing a second threshold F. The threshold ξ is incorporated in the repair function r through the last exit time from the interval [0, ξ). The repair decision depends on the probability of occurrence of this last exit time before the next inspection. The models proposed hence include both a stopping time (the first hitting time) and a non-stopping time (the last exit time). The probability density function of the first hitting time for a Bessel process with drift not being known explicitly, the expression for the expected total cost was solved numerically (a numerical inversion of the Laplace transform of the first hitting time's density function was required).

The numerical results revealed a strong influence of the threshold's value ξ and parameter k on both the optimal period of inspection and the optimal expected cost per unit time. Letting the repair parameter vary produced changes in the optimal repair threshold only, suggesting that the optimal strategy aims at keeping a relatively constant frequency of repairs.

REFERENCES
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: Preventive maintenance planning is one of the most common and significant problems faced by industry. It consists of a set of technical, administrative and management actions to decrease the component ages in order to improve the system's availability. There has been a great amount of research in this area using different methods for finding an optimal maintenance schedule. This paper proposes a decision model integrating a Bayesian approach with a multicriteria decision method (MCDM) based on PROMETHEE. This model determines the best solution for the preventive maintenance policy, taking both costs and availability as objectives and considering prior expert knowledge regarding the reliability of the systems. Several building considerations regarding the model are presented in order to justify the procedure and model proposed. Finally, a numerical application to illustrate the use of the model was carried out.
reducing stocks of spares and equipment redundancy reduction, minimizing energy consumption etc (Quan et al., 2007). Many advantages can be gained from a well developed PM program, although they depend on the size and type of plant. The greater one's asset values per square meter are, the greater will be the return on the PM program (Worsham, 2000).

The PM program will determine what maintenance activities should be performed on which items of each piece of equipment, what resources are needed and how often the activities should be scheduled. It will only be effective if the tasks demanded for the system are scheduled at regular intervals (Quan et al., 2007).

Production must be considered while planning maintenance, because production schedules may be interrupted by failures or maintenance tasks. Thus it is necessary to balance how many interventions will be made to production in order to make as few interruptions as possible to perform PM and still maintain a healthy system with few repairs or corrective maintenance needs (Sortrakul et al., 2005).

Numerous studies have been conducted concerning the problem of preventive maintenance. Bevilacqua and Braglia (2000) used AHP for the selection of the best maintenance strategies for an Italian oil refinery. Wang et al., (2007) extended Bevilacqua and Braglia's studies by applying a fuzzy analytic hierarchy process to deal with decision makers' uncertainties as to their judgment. Samrout et al., (2005) applied a heuristic method, called ant colony optimization, to a series-parallel system aiming to minimize the cost of preventive maintenance. A few studies tried to solve the preventive maintenance problem by combining genetic algorithms and multicriteria, such as Lapa et al., (2006), who used reliability and costs as objectives. Chareonsuk et al., (1997) presented a PROMETHEE II model to determine the optimal interval. However, in their model, the criteria were limited to an interval of values for both criteria, thus excluding the conflict regions. Cavalcante and Almeida (2005, 2007) also applied the PROMETHEE method in different papers. In one of them, a PROMETHEE II methodology was applied, but in addition to not considering any limitation for the criteria values, the lack or unreliability of data was also considered. In the other paper, PROMETHEE III was used, which permitted more rational planning for the problem of preventive maintenance and also took into account external uncertainties.

In this paper, we propose an application based on the earlier model (Cavalcante & Almeida, 2007), integrating a Bayesian approach with a multi-criteria decision method (MCDM) based on PROMETHEE, but, unlike the former, we consider some different aspects regarding uncertainties about life distribution parameters. In addition, we highlight some important particularities of service systems, which require some changes in the decision-making processes related to preventive maintenance.

In summary, this paper proposes a multi-criteria model in order to establish the age t of replacement, taking into account not only the cost, as in classical models, but also reliability, as well as how the problem of data is overcome by means of a Bayesian integrated approach.

2.2 The service context

Mont (2001) has observed that the service sector has undergone significant growth with strong repercussions for the economy. This has caused specific changes in production systems, which increasingly depend on service for their processes, and which have resulted in the increasing flexibility of the production systems themselves.

According to Hirschl et al., (2003), there has to be a societal change in consumer behavior. Thus, the idea of keeping a particular piece of equipment for the longest time possible is now an idea that may be imputed to consumer mentality. On the producer side, this means the longer a particular product is used, the more service work will be needed over the life-cycle of the product.

The sustainable potential of a system of goods and services does not only depend on this holistic vision which embraces diverse criteria to define operational procedures, but is also based on the structure of new kinds of relationships or partnerships between the actors of the process, leading to new convergences of economic interests and a potential optimization of the use of resources. Therefore the notion of a product is no longer just the physical result of a productive process. Rather, it is an integrated concept where goods and services are mutually dependent, focusing on consumer needs and demands in an integrated way and at the same time increasing profit and diminishing the environmental impact by reducing the volume of goods manufactured (Manzini et al., 2003).

Given the importance of service production systems and their growth potential for participating in the economy, as well as the ever-stronger tendency towards the formation of chains, the distinctive features of service production systems are more than enough to justify the need for a serious study related to planning for their maintenance.

3 THE DECISION MODEL

3.1 Multicriteria decision aid

According to Gomes et al., (2002), several methods for approaching complex processes of decision making have been developed over many years. Abstractions,
heuristics and deductive reasoning were developed, but only using multi-criteria or multi-objective methods in which the decision maker's preference structure was most loyally represented.

Multi-criteria methods have been developed to support and lead the decision maker in evaluating and choosing the best solution. The problems analyzed by the method can be discrete, when there is a finite number of alternatives, or continuous, when there is an infinite set of alternatives. It is very important always to remember that these methods do not indicate the solution of the problem, but, instead, they support the decision process through alternatives or recommendations for actions (Gomes et al., 2002).

There are two kinds of multi-criteria methods: compensatory and non-compensatory methods. Compensatory methods represent the American School and aggregate all the criteria in a unique utility function, which brings the notion of compensation between the criteria. Non-compensatory methods do not aggregate the criteria, and for each criterion a weight is defined that represents its relative importance in the problem. The best known methods of this type are the families ELECTRE and PROMETHEE that represent the French School (Almeida et al., 2002).

3.2 The PROMETHEE method

The PROMETHEE (Preference Ranking Organization Method for Enrichment Evaluation) conceived by Brans consists of two phases: the construction of an outranking relation and then the exploitation of outranking values relations (Almeida et al., 2003). These French school methods, which include the PROMETHEE family, like the American school, are used in multi-criteria problems of the type:

$$\max \{ f_1(x), f_2(x), \ldots, f_k(x) \mid x \in A \}, \quad (1)$$

where A is a set of decision alternatives and f_i(x), i = 1, ..., k is a set of criteria on which each alternative is to be evaluated. Each criterion has its own unit (Chareonsuk et al., 1997).

The application of the PROMETHEE method consists of three steps. First of all, there is the definition of the generalized criteria, then the calculation of the multi-criteria index, followed by the determination and evaluation of an outranking relation (Dulmin et al., 2003).

The preference behavior of the decision maker will determine a function P_j(a, b) that assumes values between zero and one, where a and b are alternatives. There are six generalized criteria to choose from when it comes to defining the preference function (Brans, 1985).

Depending on the pre-defined preference function chosen, it may be necessary to define certain parameters such as q, p and s. According to Brans (1985) the indifference threshold q is the largest deviation which is considered as negligible by the decision maker, while the preference threshold p is the smallest deviation which is considered as sufficient to generate a full preference. The parameter s is used in the case of the Gaussian criterion and it defines the inflection point of the preference function. It is recommended that p and q be defined first, in order to choose the s value within that interval.

The decision maker then decides a weight w_j for each criterion that increases with the importance of the criterion, and then the weights are normalized to sum up to unity (Brans et al., 2002).

To define the preference function P_j(a, b) of d_j(a, b) = f_j(a) − f_j(b), which assumes values between 0 and 1, what is evaluated is how the preference of the decision maker changes with the difference between the performance of alternatives for each criterion j (Almeida et al., 2002). The behavior can be represented as below:

P_j(a, b) = 0: preference for a or b is indifferent,
P_j(a, b) ≈ 0: mild preference for a in relation to b,
P_j(a, b) ≈ 1: strong preference for a in relation to b,
P_j(a, b) = 1: strict preference for a in relation to b. (2)

Once the generalized criteria are defined for each criterion of the problem, the multi-criteria preference index or aggregate ranking (3) of every pair of alternatives must be established (Almeida et al., 2002):

$$\pi(a, b) = \frac{1}{W} \sum_{j=1}^{n} w_j P_j(a, b), \quad (3)$$

where

$$W = \sum_{j=1}^{n} w_j.$$

And finally, the next step is carried out, which involves the determination and evaluation of the outranking relations.

For each alternative a ∈ A, two outranking flows are determined with respect to all the other alternatives x ∈ A.

The leaving flow or positive outranking flow (4) expresses how an alternative a is outranking all the
others, so the higher φ^+(a), the better the alternative (Brans, 1985).

$$\phi^+(a) = \sum_{b \in A} \frac{\pi(a, b)}{n - 1} \quad (4)$$

The entering flow or negative outranking flow (5) expresses how an alternative a is outranked by all the others, so the lower φ^−(a), the better the alternative (Brans, 1985).

$$\phi^-(a) = \sum_{b \in A} \frac{\pi(b, a)}{n - 1} \quad (5)$$

The complete ranking, which is often requested by the decision maker, considers the net ranking flow (6). This particular flow is the balance between the positive and negative outranking flows. Thus the higher φ(a), the better the alternative (Brans, 1985).

$$\phi(a) = \phi^+(a) - \phi^-(a) \quad (6)$$

After finding the net flow (6), it is possible to apply the PROMETHEE II method, which results in a total pre-order, as follows (Brans, 1985):

$$a P b \ (a \text{ outranks } b) \iff \phi(a) > \phi(b), \qquad a I b \ (a \text{ is indifferent to } b) \iff \phi(a) = \phi(b). \quad (7)$$

PROMETHEE III associates an interval [x_a, y_a] with each action a, as follows (Brans and Mareschal, 2002):

$$x_a = \bar{\phi}(a) - \alpha \sigma_a, \qquad y_a = \bar{\phi}(a) + \alpha \sigma_a, \quad (8)$$

where n is the number of actions,

$$\bar{\phi}(a) = \frac{1}{n} \sum_{b \in A} \left( \pi(a, b) - \pi(b, a) \right),$$

$$\sigma_a^2 = \frac{1}{n} \sum_{b \in A} \left( \pi(a, b) - \pi(b, a) - \bar{\phi}(a) \right)^2,$$

and α > 0.

Then the method defines a complete interval order, as represented below:

$$a P^{III} b \ (a \text{ outranks } b) \iff x_a > y_b, \qquad a I^{III} b \ (a \text{ is indifferent to } b) \iff x_a \le y_b \text{ and } x_b \le y_a. \quad (9)$$

For the problem presented, the use of a non-compensatory method was indicated as the most suitable solution. Therefore this method favors the alternatives with the best average performance. The PROMETHEE method was chosen because of its many advantages, such as the ease and speed at which decision makers understand the method itself and the concepts and parameters involved, since they represent a more meaningful significance for them to relate to, such as physical and economical values (Cavalcante et al., 2005).

3.3 Decision model structure

3.3.1 Preventive maintenance policy in the service context

Concerning the question of failure control, in particular the breakdown of equipment parts, while the paradigm of optimization is well applied to the context of the production of goods, it is not efficient in the context of services, since the quality of service is intrinsically related to the perception of the consumer, for whom the translation into monetary value has little or no meaning. On the other hand, cost, in a competitive environment, is of great importance when decisions are to be made, and cannot be ignored.

As a result, the choice of a preventive maintenance policy, which in practice refers to the intervals or frequency of component replacement, represents a balance between the risk of having a breakdown, keeping in mind the negative perception that this can cause, and the cost related to the policy adopted. Optimization, then, no longer makes sense, as there is more than one criterion to be observed.

What is needed then is a more appropriate approach, for example multi-criteria decision aid, capable of dealing with conflicts among the criteria involved in the problem as well as of including the decision-maker's preferences in the decision-making process.

3.3.2 Bayesian analyses

Bayesian analyses are used in cases where there are insufficient data to directly obtain distribution parameters of the model (Cavalcante et al., 2007). According to Procaccia et al., (1997), the feedback from experience can yield objective factual data. These data allow the estimation of failure rates in operation or probabilities of starting on demand, when the equipment is initially sound. So the combination of subjective and objective data, the prior probability function and the likelihood provided by feedback from experience, respectively, helps to obtain a richer posterior probability density.

It is extremely important to know that questioning experts can produce much information, since they have different experiences and are even from different departments or industries, so their sensitivity to a specific problem will not necessarily be the same (Procaccia et al., 1997).
Earlier literature often takes the classical approach or the combined classical Bayesian approach that presumes true parameters such as average costs per unit time and failure rates (Apeland et al., 2003). In the classical approach it is assumed that true parameters exist, like failure rates related to com-

the reliability function (11) obtained are:

$$f(t) = \frac{\beta}{\eta} \left( \frac{t}{\eta} \right)^{\beta - 1} e^{-\left( \frac{t}{\eta} \right)^{\beta}} \quad (10)$$

$$R(t) = e^{-\left( \frac{t}{\eta} \right)^{\beta}} \quad (11)$$
Table 1. Input data.

A1      1
A2      2
A3      3
A4      4
A5      5
A6      6
A7      7
A8      8
A9      9
A10     10
α       0.23
Neta2   11
Beta2   2.34

Table 4. Decision evaluation matrix.

Alternatives    Time (years)    φ+    φ−

Table 5. Preference function and criteria characteristics.

Characteristics        R       Cm
Max/min                Max     Min
Weights                0.55    0.45
Preference function    V       V
Indifference limit     0.02    0.08
Preference limit       0.05    0.5
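PROMETHEE II and III (equations (3) to (9) of section 3.2) applied to the replacement-age alternatives of Table 1 with the criterion settings of Table 5, as an added example that is not the authors' code. It assumes the reliability criterion R is the Weibull reliability of (11) with η = 11 and β = 2.34 read from Table 1 and α = 0.23 as the PROMETHEE III spread parameter, and the cost column Cm is constructed, since the page does not reproduce the evaluation matrix.

```python
"""PROMETHEE II/III ranking of replacement ages.  Added example, not the
authors' code.  Assumed: R(t) = exp(-(t/eta)^beta) with eta = 11, beta = 2.34
and alpha = 0.23 (Table 1); criteria from Table 5; the Cm column is constructed."""
from math import exp, sqrt


class Criterion:
    def __init__(self, name, weight, maximize, q, p):
        # q: indifference threshold, p: preference threshold (Brans 1985)
        self.name, self.weight, self.maximize, self.q, self.p = name, weight, maximize, q, p


def v_shape(d, q, p):
    """Type-V generalized criterion: 0 up to q, linear up to 1 at p."""
    if d <= q:
        return 0.0
    if d >= p:
        return 1.0
    return (d - q) / (p - q)


def preference(crit, fa, fb):
    """P_j(a, b) from the performance difference, oriented by max/min."""
    d = fa - fb if crit.maximize else fb - fa
    return v_shape(d, crit.q, crit.p)


def preference_index(criteria, ea, eb):
    """Equation (3): weighted aggregate preference of a over b."""
    total_w = sum(c.weight for c in criteria)
    return sum(c.weight * preference(c, ea[c.name], eb[c.name]) for c in criteria) / total_w


def outranking_flows(criteria, evals):
    """Equations (4)-(6): leaving, entering and net flow of each alternative."""
    names = list(evals)
    n = len(names)
    pi = {(a, b): preference_index(criteria, evals[a], evals[b]) if a != b else 0.0
          for a in names for b in names}
    plus = {a: sum(pi[a, b] for b in names) / (n - 1) for a in names}
    minus = {a: sum(pi[b, a] for b in names) / (n - 1) for a in names}
    net = {a: plus[a] - minus[a] for a in names}
    return pi, plus, minus, net


def promethee2_ranking(net):
    """Equation (7): total pre-order by net flow, best first."""
    return sorted(net, key=lambda a: -net[a])


def promethee3_intervals(pi, names, alpha):
    """Equation (8): [x_a, y_a] from the mean and spread of pi(a,b) - pi(b,a)."""
    n = len(names)
    intervals = {}
    for a in names:
        diffs = [pi[a, b] - pi[b, a] for b in names]
        phibar = sum(diffs) / n
        sigma = sqrt(sum((d - phibar) ** 2 for d in diffs) / n)
        intervals[a] = (phibar - alpha * sigma, phibar + alpha * sigma)
    return intervals


def promethee3_relation(intervals, a, b):
    """Equation (9): 'P' if a outranks b, 'I' if indifferent, 'P-' if b outranks a."""
    xa, ya = intervals[a]
    xb, yb = intervals[b]
    if xa > yb:
        return "P"
    if xa <= yb and xb <= ya:
        return "I"
    return "P-"


def weibull_reliability(t, eta, beta):
    """Equation (11): R(t) = exp(-(t/eta)^beta)."""
    return exp(-((t / eta) ** beta))


def build_evaluations(eta=11.0, beta=2.34):
    """Alternatives A1..A10 = replace every 1..10 years (Table 1).
    Cm is a constructed cost-per-unit-time column, not the paper's data."""
    constructed_cm = [1.00, 0.60, 0.45, 0.38, 0.35, 0.34, 0.35, 0.37, 0.40, 0.44]
    return {f"A{i}": {"R": weibull_reliability(i, eta, beta), "Cm": constructed_cm[i - 1]}
            for i in range(1, 11)}


CRITERIA = [Criterion("R", 0.55, True, q=0.02, p=0.05),    # Table 5
            Criterion("Cm", 0.45, False, q=0.08, p=0.5)]

if __name__ == "__main__":
    evals = build_evaluations()
    pi, plus, minus, net = outranking_flows(CRITERIA, evals)
    order = promethee2_ranking(net)
    print("PROMETHEE II:", " > ".join(order))
    intervals = promethee3_intervals(pi, list(evals), alpha=0.23)
    for a in order:
        print(a, round(net[a], 3), tuple(round(v, 3) for v in intervals[a]),
              "vs", order[0], promethee3_relation(intervals, order[0], a))
```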
the best to worst: 0,4
Net flow
= A1 > A6 > A7 > A8 > A9 > A10 0
Therefore, the (A3) is the best alternative since –0,2
it is first in the ranking and it represents that the
replacement of the equipment should take place every –0,4
(A3)Years.
Besides, we can highlight that some alternatives –0,6
were considered indifferent, since their general performance was judged almost the same. This results from enlarging the indifference notion, which mirrors more suitably the behavior of the decision maker when analyzing similar alternatives, especially if it was admitted that there are uncertainties about some criteria of the problem.

In order to verify the robustness of some parameters of the model, a sensitivity analysis was carried out. Through this analysis, it is possible to obtain more interpretative results which enhance the decision-maker's understanding of the maintenance problem.

Therefore, some variations of up to +/− 15% were made on the values of the weight parameters. As a result, in spite of the fact that there was a change in the ranking, the first three alternatives remain the same. Regarding the parameters called preference limits and indifference limits for both criteria, there were no changes to the best alternative for variations of up to +/− 15% on these parameters. The most significant change was for the variation of −15% on the preference limit for the Reliability criterion. In this case, one tie was introduced, as we can see:

A3 > A2 = A4 > A5 = A1 > A6 > A7 > A8 > A9 > A10

Figure 1. Ranking of alternatives based on the net flow. [chart; x-axis: Alternatives A1 to A10]

in some intervals. The multi-criteria method applied, PROMETHEE III, allows not only a better understanding of the parameters, concepts and the method by the decision makers, but also an amplification of the notion of indifference between the alternatives. In this way, for practical purposes, where not merely one criterion is important for the establishment of preventive periods, for example in the service context, the decision maker can make use of this model, even if some problems with data have been detected.

Future studies suggested include the application of the model to enrich some other problems in the maintenance context, where some decision criteria beyond the cost are very important for the decision-making process.

ACKNOWLEDGEMENTS

This work has received financial support from CNPq (the Brazilian Research Council).
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: Most companies have their maintenance plans and the method of conducting them in place now. The maintenance plan is in agreement with the producer's recommendations or is changed by the maintenance technician on the basis of his experience. The producer's recommendations for the warranty period need not be the best, of course; they are best for the producer and its warranty. These maintenance strategies could be optimal for commonly available equipment, but big rotary machines are often unique. Expensive maintenance done by the producer could be more profitable in the long term because of the producer's better experience. This paper is about the total cost assessment of a big rotary machine (i.e. a hydrogen compressor used in the refinery industry) related to the selected maintenance. Reliability data about MTBF and MTTR, the economic evaluation of conducting maintenance and, last but not least, production lost from scheduled shutdowns or equipment failure are all considered, as all of these affect the cost. Companies that have one or more big rotary machines should do a study of operational costs and a profitability assessment of outsourcing maintenance from the producer. An economic model can also reveal other problems, for example a wrong list of spare parts. The model proposed in this paper could help companies to do such studies for their big rotary machines.
Maintenance significantly affects the equipment availability:
– Preventive maintenance tasks change the reliability, availability, etc.
– Maintenance tasks are difficult because of the equipment structure.
– It is possible to effectively apply condition monitoring.

4 REQUIRED INPUTS

Ideally all possible costs should be inputs to the model. Practically it is more useful to focus on the main parts of the cost only. It may not be possible to evaluate all values exactly. Insufficient statistical data (about failures, maintenance tasks and costs) have to be replaced by estimations. The inaccuracy of some inputs with a large cost could be so important that these inaccuracies are larger than some smaller input costs (e.g. administration, land rent). It is recommended to ignore these items with small costs.

Table 1. Current cost.

Item                                  Cost [EUR]   Period [year]   [EUR/year]
Purchase cost                          3 000 000              30      100 000
Spare parts cost
  – bearings                              50 000               4       12 500
  – rotary                                30 000              12        2 500
  – seals system                          30 000              12        2 500
  – seals                                  6 000               4        1 500
  – total                                116 000                       19 000
Spare parts storage and maintenance                                     1 500
Labour cost                                                            10 000
Monitoring
  – vibrodiagnostic                                                     3 000
  – tribology                                                             600
  – total                                                               3 600
Operating cost (energy)                                             1 000 000

Table 2. Production losses.
Table 3. MTBF, MTTR.

Reliability quantities    MTBF [year]   MTTR [day]
Parts in storage                   15           10
Parts not in storage               50     10 + 300

equipment; therefore the estimations are the best way forward.

Undesirable events, which stop this equipment and hence stop the production process too, need to be investigated or eradicated. These events are mostly bearing failure or sealing system failure. It is supposed that the mean time to repair (MTTR) is 10 days if the needed parts are in storage. If the needed parts are not in storage, it is necessary to add the delivery period. The delivery period is approximately 10 months for this equipment type (including ordering, the administrative delay, etc.). The mean times between these events (MTBF) and MTTR are given in table 3. MTBF when the parts are not in storage includes the possibility that the machine crashes promptly after a repair, so that new parts are not yet available.

5.3 Producer services

The producer offers a wide range of services and is able to ensure full outsourcing of maintenance. The offered services are summarized as:

1. Training course
2. Condition monitoring
   – online vibrodiagnostic
   – tribology
   – technology parameters monitoring
   – annual reports
3. Delivery, storage and maintenance of spare parts
4. Maintenance tasks scheduling and conducting
   – according to machine condition
   – periodic inspections
   – periodic overhauls and general overhauls
5. 24h technical support

service offer of the producer (section 5.3). Other varieties will be compared with this variety 1.

Variety 2
The maintenance contract includes these points:
– Training course
– Condition monitoring
– Delivery, storage and maintenance of spare parts
– Technical support

The annual contract price is 60 000 EUR. The estimated benefits for the user are an MTBF and useful lifetime increase to 105% and a repair time decrease to 95%. Thanks to the contract, ordering and administration are not delayed, so the delivery period could be about 8 months.

Variety 3
The maintenance contract includes these points:
– Training course
– Condition monitoring
– Delivery, storage and maintenance of spare parts
– Technical support
– Inspection and overhaul conducting (every 4 years)
– General overhaul conducting (every 12 years)

The annual contract price is 75 000 EUR. The estimated benefits for the user are an MTBF and useful lifetime increase to 110% and a repair time decrease to 90%. Thanks to the contract, ordering and administration are not delayed, so the delivery period could be about 8 months.

The benefits of the varieties are summarized in table 4.

5.5 Varieties evaluation - effectiveness index

The varieties differ in annual purchase cost (including installation and liquidation), monitoring cost and production lost. The purchase cost is the same, but the annual purchase cost depends on the useful lifetime (equation 2).

$$\mathrm{Annual\_purchase\_cost} = \frac{\mathrm{Purchase\_cost}}{\mathrm{Useful\_lifetime}}$$
Table 4. Benefits of varieties.

Variety   Lifetime extension [%]   MTBF extension [%]   Time to repair reducing [%]   Delivery period [month]
1                              0                    0                             0                        10
2                              5                    5                             5                         8
3                             10                   10                            10                         8

Variety   Lifetime [year]   MTBF, SP in storage [year]   MTBF, SP not in storage [year]   Time to repair [day]   Delivery time [month]
1                     30                           15                               50                     10                      10
2                   31.5                        15.75                             52.5                    9.5                       8
3                     33                         16.5                               55                      9                       8
operational time when the spares are (not) in storage. These possibilities have different MTBF and MTTR for each variety, and that is why the losses are different. Total annual production losses are evaluated according to formula (2):

$$\mathrm{Annual\_PL} = \left(\frac{\mathrm{MTTR}_s}{\mathrm{MTBF}_s} + \frac{\mathrm{MTTR}_o}{\mathrm{MTBF}_o}\right) \cdot 24 \cdot \mathrm{PL} \quad [\mathrm{EUR/year}] \qquad (2)$$

Concrete values of direct cost and risks for each variety are given in table 5.

At first sight the profitability of contract making due to savings is evident. Average annual savings are generated mostly by a decrease of the catastrophic failure risk. The catastrophic failure risk mainly comes from the spare parts delivery period. The producer was not able to provide spare parts prices dependent on the delivery period, although the user was willing to pay a multiple of the standard prices. The solution is hence contract making and thereby the elimination of the administrative delay.

The next indicator (besides savings) could be the effectiveness index of the contract. The index indicates the valuation of the investment. The formula for this index follows,

difficult, as variety 2 has a better effectiveness index and variety 3 generates more savings. It is caused by the non-linear dependence between the benefits and the contract costs.

5.6 Varieties evaluation—profitability boundary

Another approach is finding boundary values of some parameters which can be modified by maintenance. The parameters are the spare parts delivery period, repair time, mean time between failures and useful lifetime. The contract is profitable if at least one of these watched parameters achieves its boundary value. The evaluation of these indicators corresponds to formulas (5)–(8). All formulas compare the contract price with the difference between the current cost and the cost after one parameter change, with the other parameters the same. The general formula for all parameters is:

$$\mathrm{CON}_x = \mathrm{risk}(\mathrm{DP}) + \mathrm{risk}(\mathrm{MTBF}_s) + \mathrm{risk}(\mathrm{MTTR}) + \mathrm{annual\_cost}(\mathrm{LT}) \quad [\mathrm{EUR/year}] \qquad (4)$$

C_DP = boundary value of delivery period
$$\mathrm{CON}_x = (1 - C_{RT})\,\frac{\mathrm{MTTR}_s \cdot 24 \cdot \mathrm{PL}}{\mathrm{MTBF}_s} + \frac{\mathrm{MTTR}_o \cdot 24 \cdot \mathrm{PL} - \left[(\mathrm{MTTR}_o - \mathrm{DP}) \cdot C_{RT} + \mathrm{DP}\right] \cdot 24 \cdot \mathrm{PL}}{\mathrm{MTBF}_o} \qquad (5)$$

$$\Rightarrow \quad C_{RT} = 1 - \frac{\mathrm{CON}_x \cdot \mathrm{MTBF}_o \cdot \mathrm{MTBF}_s}{(\mathrm{MTBF}_o \cdot \mathrm{MTTR}_s + \mathrm{MTBF}_s \cdot \mathrm{MTTR}_o - \mathrm{MTBF}_s \cdot \mathrm{DP}) \cdot 24 \cdot \mathrm{PL}} \qquad (6)$$
After substituting real values into formulas (5)–(8), the boundary values are as given in table 6.

5.7 Optimal list of spare parts

The number of spare parts has an indispensable effect on the equipment total cost. Spare parts generate additional cost from their purchase cost, storage and maintenance, but they can sharply change the ratio between the MTBF when the parts are and are not in storage. It ultimately affects the annual risk. For every reasonable option of the spare parts list a cost analysis including risks should be done. The lowest total cost indicates the best spare parts list and, in case of need, maintenance contract making.
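The cost comparison of sections 5.5 to 5.7 carried through in code, as an added example that is not the paper's own: it rebuilds the Table 5 columns from Table 1, Table 3 and the two contract offers, and derives the Table 6 boundary values by changing one parameter at a time as the text describes. Formula (6) is the paper's; the delivery-period, MTBF and lifetime boundaries are derived here from the same saving-equals-contract-price condition, and the production loss per hour PL (Table 2 is not legible in this extraction) is assumed to be 15 000 EUR/h, the value that reproduces Table 5.

```python
"""Annual cost, savings and profitability boundaries of the hydrogen compressor study.

Added example, not the paper's code. Inputs are the paper's: purchase cost
3 000 000 EUR over a 30-year lifetime, MTBF 15 / 50 years with spares in / not in
storage, MTTR 10 days, 10-month (300-day) delivery period, contract offers of
60 000 and 75 000 EUR/year. PL (lost production per hour) is ASSUMED: Table 2 is
not legible in the source; 15 000 EUR/h is the value that reproduces Table 5.
"""
from dataclasses import dataclass

PL = 15_000.0                 # EUR per hour of lost production (assumed, see docstring)
HOURS_PER_DAY = 24
PURCHASE = 3_000_000.0        # EUR, Table 1
LIFETIME = 30.0               # years, Table 1
MTBF_S, MTBF_O = 15.0, 50.0   # years, spares in storage / not in storage (Table 3)
MTTR_S = 10.0                 # days, repair with spares in storage (Table 3)
DELIVERY = 300.0              # days, delivery period when spares are not in storage
# Spare parts 19 000 + storage 1 500 + labour 10 000 + energy 1 000 000 (Table 1)
FIXED = 19_000.0 + 1_500.0 + 10_000.0 + 1_000_000.0


@dataclass(frozen=True)
class Variety:
    name: str
    contract: float       # annual contract price [EUR/year]
    benefit: float        # multiplier on lifetime and both MTBFs (1.00, 1.05, 1.10)
    repair_factor: float  # multiplier on repair time (1.00, 0.95, 0.90)
    delivery_days: float  # spare parts delivery period [days]
    monitoring: float     # own monitoring cost; 0 when the contract covers it


VARIETIES = [
    Variety("1 (current state)", 0.0, 1.00, 1.00, 300.0, 3_600.0),
    Variety("2", 60_000.0, 1.05, 0.95, 240.0, 0.0),   # 8 months of 30 days
    Variety("3", 75_000.0, 1.10, 0.90, 240.0, 0.0),
]


def annual_production_loss(mttr_s, mtbf_s, mttr_o, mtbf_o, pl=PL):
    """Formula (2): expected yearly loss from failures with and without spares."""
    return (mttr_s / mtbf_s + mttr_o / mtbf_o) * HOURS_PER_DAY * pl


def annual_cost(v):
    """One column of Table 5 down to the total line (contract price excluded)."""
    lifetime = LIFETIME * v.benefit
    mtbf_s, mtbf_o = MTBF_S * v.benefit, MTBF_O * v.benefit
    mttr_s = MTTR_S * v.repair_factor        # repair with spares in storage
    mttr_o = mttr_s + v.delivery_days        # repair plus delivery without spares
    annual_purchase = PURCHASE / lifetime    # section 5.5
    return annual_purchase + FIXED + v.monitoring + annual_production_loss(
        mttr_s, mtbf_s, mttr_o, mtbf_o)


def savings(v, current=VARIETIES[0]):
    """Savings line of Table 5: current cost minus variety cost minus contract."""
    return annual_cost(current) - annual_cost(v) - v.contract


def boundary_values(contract, mttr_s=MTTR_S, mtbf_s=MTBF_S, mtbf_o=MTBF_O,
                    dp=DELIVERY, lifetime=LIFETIME, pl=PL):
    """Table 6 for one contract price: the value one parameter must reach, all
    others unchanged, for the yearly saving to equal the contract price.
    C_RT is the paper's formula (6); the other three are derived here from the
    same condition (assumption: this is what formulas (5), (7), (8) encode)."""
    mttr_o = mttr_s + dp
    hourly = HOURS_PER_DAY * pl
    # Delivery period: only the no-spares term changes, by (dp - C_DP) days.
    c_dp = dp - contract * mtbf_o / hourly
    # Repair-time ratio, formula (6).
    c_rt = 1 - contract * mtbf_o * mtbf_s / (
        (mtbf_o * mttr_s + mtbf_s * mttr_o - mtbf_s * dp) * hourly)
    # MTBF ratio: scaling both MTBFs by C_BF divides the whole loss by C_BF.
    loss = annual_production_loss(mttr_s, mtbf_s, mttr_o, mtbf_o, pl)
    c_bf = 1 / (1 - contract / loss)
    # Lifetime ratio: the annual purchase cost is divided by C_LT.
    c_lt = 1 / (1 - contract / (PURCHASE / lifetime))
    return {"C_DP [days]": c_dp, "C_RT": c_rt, "C_BF": c_bf, "C_LT": c_lt}


if __name__ == "__main__":
    for v in VARIETIES:
        print(f"variety {v.name}: cost {annual_cost(v):,.0f}  savings {savings(v):,.0f}")
    for v in VARIETIES[1:]:
        print(f"variety {v.name}:", {k: round(x, 3) for k, x in boundary_values(v.contract).items()})
```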
Table 5. Annual cost of each variety.

                                           Variety 1   Variety 2   Variety 3
                                            [EUR/y.]    [EUR/y.]    [EUR/y.]
Purchase cost, installation, liquidation     100 000      95 238      90 909
Spare parts cost                              19 000      19 000      19 000
Storage and maintenance of spare parts         1 500       1 500       1 500
Labour cost                                   10 000      10 000      10 000
Monitoring                                     3 600           0           0
Operating cost                             1 000 000   1 000 000   1 000 000
Production lost
  – tasks during stop period                       0           0           0
  – failure; SP in storage                   240 000     217 143     196 364
  – failure; SP not in storage             2 232 000   1 710 857   1 629 818
Total                                      3 606 100   3 053 738   2 947 591
Contract                                           0      60 000      75 000
Savings                                            0     492 362     583 509

Table 6. Profitability boundary.

        Variety 2   Variety 3
C_DP          292         290   days
C_RT           81          76   %
C_BF        102.5       103.1   %
C_LT          250         400   %

5.8 Summary of results

The presented economic model compares two varieties of outsourcing maintenance with the current state. The effectiveness indexes confirm the profitability of both varieties. Since both indexes are very high (they value the investment at nearly 10 times), the recommended possibility is the variety with more savings, variety 3.

In case of input uncertainty it is suitable to evaluate the boundary values of profitability and then consider whether it is possible to achieve at least one of these parameters. Concretely, for the contract of variety 3 it is sufficient, for example, to decrease the delivery period from 300 days to 290 days or to increase the MTBF by 3%.

6 CONCLUSION

Most companies have their maintenance plans and the method of conducting them in place now. The maintenance plan is in agreement with the producer's recommendations or is changed by the maintenance technician on the basis of his experience. Maintenance tasks are conducted by company employees or by contractors for special branches (electricians, machine staff etc.). These maintenance strategies could be optimal for commonly available equipment, but big rotary machines (especially compressors and turbines, which are made individually based on clients' requirements)
are often unique. Expensive maintenance done by the producer could be more profitable in the long term because of the producer's better experience.

The presented economic model targets risks related to the operational and maintenance cost of unique equipment and could be used as an instruction for risk optimization.

ACKNOWLEDGMENT

This research was supported by the Ministry of Education, Youth and Sports of the Czech Republic, project No. 1M06047 - Research Center for Quality and Reliability of Production.

REFERENCES

Moubray, J.M.: Reliability-centred Maintenance. Second edition. Butterworth-Heinemann, Oxford, 1997.
Fuchs, P.: Využití spolehlivosti v provozní praxi, Liberec, 2002.
ISO 14121 (1999): Safety of machinery—Principles of risk assessment.
ISO 14040 (2006): Environmental management—Life cycle assessment.
A. Artiba
Institut Supérieur de Mécanique de Paris (Supmeca), France
ABSTRACT: This paper addresses the selective maintenance optimization problem for a multi-mission series-parallel system. Such a system performs several missions with breaks between successive missions. The reliability of the system is given by the conditional probability that the system survives the next mission given that it has survived the previous mission. The reliability of each system component is characterized by its hazard function. To maintain the reliability of the system, preventive maintenance actions are performed during breaks. Each preventive maintenance action is characterized by its age reduction coefficient. The selective maintenance problem consists in finding an optimal sequence of maintenance actions, to be performed within breaks, so as to minimize the total maintenance cost while providing a given required system reliability level for each mission. To solve such a combinatorial optimization problem, an optimization method is proposed on the basis of the simulated annealing algorithm. In the literature, this method has been shown to be suitable for solving such problems. An application example with numerical results is given for illustration.
high reliability, it becomes increasingly important to develop appropriate approaches to manage selective maintenance decisions when the planning horizon considers more than a single mission. In (Maillart, Cassady, Rainwater, and Schneider 2005), the authors consider a series-parallel system where each subsystem is composed of identical components whose time to failure is exponentially distributed. The system is assumed to operate a sequence of identical missions such that breaks between two successive missions are of equal durations. At the end of a given mission, the only available maintenance action is the replacement of failed components. At a given time, the average number of successful missions remaining in the planning horizon is defined. To maximize this number, a stochastic programming model is then proposed. Numerical experiments are conducted to compare the results obtained for three maintenance optimization problems. Nevertheless, the approach proposed in (Maillart, Cassady, Rainwater, and Schneider 2005) merely relies on a series-parallel system with few subsystems, each composed of components with identical constant failure rates. Furthermore, replacement of failed components is the only available maintenance action, missions are of identical duration and breaks are also of identical durations.

This paper solves the selective maintenance optimization problem proposed in (Khatab, Ait-Kadi, and Artiba 2007). In (Khatab, Ait-Kadi, and Artiba 2007) the authors consider a system composed of a series of subsystems, each composed of parallel, and possibly different, components whose lifetimes are generally distributed. The system operates a sequence of missions with possibly different durations such that non-identical breaks are allowed between successive missions. During a given mission, a component that fails undergoes minimal repair, while at the end of a mission several preventive maintenance actions are available. Each preventive maintenance action is characterized by its ability to affect the effective age of system components. In (Khatab, Ait-Kadi, and Artiba 2007), the proposed selective maintenance optimization problem consists in finding an optimal sequence of preventive maintenance actions which minimizes the total maintenance cost while providing the desired system reliability level for each mission. In the present work, to solve this problem, we present an optimization method based on the simulated annealing algorithm (Kirkpatrick, Gelatt-Jr., and Vecchi 1983). The advantage of such an algorithm over other methods is its ability to avoid becoming trapped at local minima during the search process.

The remainder of this paper is organized as follows. The next section gives some notations and definitions related to the studied multi-mission series-parallel system. Section 3 addresses the proposed selective maintenance optimization model and the problem formulation. The optimization method is presented in Section 4, and an application example with numerical results is provided in Section 5. The conclusion is drawn in Section 6.

2 MULTI-MISSION SERIES-PARALLEL SYSTEM DESCRIPTION

Consider a series-parallel system S composed of n subsystems S_i (i = 1, ..., n). Each subsystem S_i is composed of N_i independent and possibly non-identical components C_ij (j = 1, ..., N_i). Components, subsystems and the system are assumed to experience only two possible states, namely the functioning state and the failure state.

Assume that the system is initially new and required to perform a sequence of M missions, each with known duration U(m), m = 1, ..., M. Between two successive missions there are breaks of known length D(m, m+1) for m = 1, ..., M−1. Namely, the system operates according to two successive states: Up state → Down state → Up state .... In the Up state the system is operating, while in the Down state the system is not operating but is available for any maintenance actions. Such a scenario may arise for systems that operate for some time per day and are then put into the down state for the rest of the day.

Let A_ij(m) and B_ij(m) be the ages of component C_ij, respectively, at the beginning and at the end of a given mission m (m = 1, ..., M). Clearly, one may write B_ij(m) as:

$$B_{ij}(m) = A_{ij}(m) + U(m). \qquad (1)$$

If X_ij denotes the lifetime of component C_ij, then the reliability R_ij(m) of component C_ij to survive mission m is given by:

$$R_{ij}(m) = \Pr\big(X_{ij} > B_{ij}(m) \mid X_{ij} > A_{ij}(m)\big) = \frac{\Pr(X_{ij} > B_{ij}(m))}{\Pr(X_{ij} > A_{ij}(m))} = \frac{R(B_{ij}(m))}{R(A_{ij}(m))}, \qquad (2)$$

where R is the survival time distribution function of the random variable X_ij.

If component C_ij is characterized by its corresponding hazard function h_ij(t), then the conditional reliability R_ij(m) can be written as:

$$R_{ij}(m) = \exp\left(\int_0^{A_{ij}(m)} h_{ij}(t)\,dt - \int_0^{B_{ij}(m)} h_{ij}(t)\,dt\right) = \exp\big(H_{ij}(A_{ij}(m)) - H_{ij}(B_{ij}(m))\big), \qquad (3)$$
where $H_{ij}(t) = \int_0^t h_{ij}(x)\,dx$ is the cumulated hazard function of component C_ij.

From the above equation, it follows that the reliability of subsystem S_i and that of the system S, respectively denoted by R_i(m) and R(m), are given as:

$$R_i(m) = 1 - \prod_{j=1}^{N_i} \big(1 - R_{ij}(m)\big), \quad \text{and} \qquad (4)$$

$$R(m) = \prod_{i=1}^{n} R_i(m). \qquad (5)$$

3 SELECTIVE MAINTENANCE MODEL AND PROBLEM FORMULATION

In this paper two types of maintenance are considered, namely corrective maintenance (CM) and preventive maintenance (PM). CM by means of minimal repair is carried out upon component failures during a given mission, while PM is a planned activity conducted at the end of missions (i.e. within breaks) to improve the overall system mission reliability. It is assumed that component failure is operation dependent and that the time in which a given component undergoes minimal repair is negligible compared to the mission duration.

Each component C_ij of the system is characterized by its hazard function h_ij(t) and its minimal repair cost cmr_ij. The preventive maintenance model is given on the basis of the age reduction concept initially introduced by Nakagawa (Nakagawa 1988). According to this concept, the age of a given component is reduced when a PM action is performed on this component. In this paper, the vector VPM = [a_1, ..., a_p, ..., a_P] represents the P PM actions available for a given multi-mission system. To each PM action a_p (p = 1, ..., P) are assigned the cost cpm(a_p) and the time duration dpm(a_p) of its implementation, the age reduction coefficient α(a_p) ∈ [0, 1] and the set Comp(a_p) of components that may undergo PM action a_p. Regarding the values taken by a given age reduction coefficient α(a_p), two particular cases may be distinguished. The first case corresponds to α(a_p) = 1, which means that the PM action a_p has no effect on the component age (the component status becomes as bad as old), while the second case is α(a_p) = 0 and corresponds to the case where the component age is reset to zero (i.e. the component status becomes as good as new).

The selective maintenance model attempts to specify which PM action should be performed, on which component and at the end of which mission it has to be performed. To construct such a model, the following decision variable is introduced:

$$a_p(C_{ij}, m) = \begin{cases} 1 & \text{if } C_{ij} \text{ undergoes PM } a_p \text{ at the end of mission } m, \\ 0 & \text{otherwise,} \end{cases} \qquad (m = 1, \ldots, M-1) \qquad (6)$$

In this paper, the selective maintenance problem consists in finding an optimal sequence of maintenance actions which minimizes the total maintenance cost while providing the desired system reliability level for each mission. The total maintenance cost is composed of the minimal repair cost CMR_ij(m) induced by the repair of each component C_ij during each mission m, and the preventive maintenance cost CPM_ij(m) of each component C_ij that undergoes preventive maintenance at the end of mission m.

The cost induced by minimal repairs is a function of the component failure rates. Following the work of Boland (Boland 1982), for a given component C_ij, the expected minimal repair cost in an interval [0, t] is:

$$cmr_{ij} \int_0^t h_{ij}(x)\,dx. \qquad (7)$$

According to the above equation, the minimal repair cost CMR_ij(m) induced by component C_ij during mission m is such that:

$$CMR_{ij}(m) = cmr_{ij} \int_{A_{ij}(m)}^{B_{ij}(m)} h_{ij}(x)\,dx, \qquad (8)$$

where A_ij(m) and B_ij(m) represent the ages of component C_ij, respectively, at the beginning and at the end of a given mission m (m = 1, ..., M), and A_ij(1) = 0 by definition. If component C_ij undergoes preventive maintenance action a_p (p = 1, ..., P) at the end of mission m, then the value of the component age B_ij(m) is reduced by the age reduction coefficient α(a_p). In this case, the minimal repair cost CMR_ij(m) assigned to C_ij becomes:

$$CMR_{ij}(m) = cmr_{ij} \int_{A_{ij}(m)}^{g(\alpha(a_p)) \times B_{ij}(m)} h_{ij}(x)\,dx, \qquad (9)$$

where the function g is related to the value taken by the decision variable a_p(C_ij, m) and is defined such that:

$$g(\alpha(a_p)) = \begin{cases} \alpha(a_p) & \text{if } a_p(C_{ij}, m) = 1, \\ 1 & \text{otherwise.} \end{cases} \qquad (10)$$

According to the above equation, the total minimal repair cost CMR_ij assigned to C_ij which undergoes
preventive maintenance actions at the end of missions 1, ..., M−1 is given by:

$$CMR_{ij} = cmr_{ij} \int_{A_{ij}(M)}^{B_{ij}(M)} h_{ij}(x)\,dx + \sum_{p=1}^{P} \sum_{m=1}^{M-1} cmr_{ij} \int_{A_{ij}(m)}^{g(\alpha(a_p)) \times B_{ij}(m)} h_{ij}(x)\,dx. \qquad (11)$$

By using the components' accumulated hazard rates, Equation (11) may be written as:

$$CMR_{ij} = cmr_{ij} \left( \Delta H_{ij}(M) + \sum_{p=1}^{P} \sum_{m=1}^{M-1} \Delta H_{ij}(m, p) \right), \qquad (12)$$

where ΔH_ij(M) = H_ij(B_ij(M)) − H_ij(A_ij(M)) and ΔH_ij(m, p) = H_ij(g(α(a_p)) × B_ij(m)) − H_ij(A_ij(m)).

From Equation (12), it follows that the total cost CMR of minimal repair, induced by all components during missions, is given by:

$$CMR = \sum_{i=1}^{n} \sum_{j=1}^{N_i} CMR_{ij}. \qquad (13)$$

The total preventive maintenance cost CPM_ij assigned to component C_ij, which undergoes preventive maintenance actions at the end of missions, is given by:

$$CPM_{ij} = \sum_{p=1}^{P} \sum_{m=1}^{M-1} cpm(a_p) \times a_p(C_{ij}, m). \qquad (14)$$

It follows, from the above equation, that the total preventive maintenance cost CPM induced by all system components is:

$$CPM = \sum_{i=1}^{n} \sum_{j=1}^{N_i} CPM_{ij}. \qquad (15)$$

$$C_{total} = CMR + CPM. \qquad (16)$$

To complete the selective maintenance optimization problem, note that, due to the limited time (break) between missions, it may not be possible for all preventive maintenance actions to be performed at the end of a given mission. Therefore, the time between missions should be taken into account as an operational constraint. The total duration DPM(m) spent by preventive maintenance actions at the end of a given mission m is given by the following formula:

$$DPM(m) = \sum_{p=1}^{P} \sum_{i=1}^{n} \sum_{j=1}^{N_i} dpm(a_p) \times a_p(C_{ij}, m). \qquad (17)$$

Assume that the system has just completed the first mission and will operate the remaining missions, and let R_0 denote the required reliability level of the system at the beginning of each mission m (m = 2, ..., M). The selective maintenance problem is then formulated as follows: from the vector VPM find the optimal sequence of PM actions which minimizes the total maintenance cost C_total while providing the desired reliability level R_0. To derive the mathematical programming model corresponding to such a problem, let the vector S = [s_1, ..., s_K] be the sequence of PM actions performed so as to keep the system reliability at the desired level R_0. Roughly speaking, the vector S is of dimension K ≤ P and composed of elements of the vector VPM. At the end of a given mission, if preventive maintenance is required, then the first PM action to be performed corresponds to the first element s_1 of S. Whenever action s_1 is not sufficient to guarantee the system reliability level, PM actions s_1 and s_2 should be performed simultaneously, and so on. The mathematical programming model corresponding to the selective maintenance optimization problem is:

$$\text{Minimize } C_{total}(S) = CMR(S) + CPM(S), \qquad (18)$$

subject to:

$$R(m+1) \ge R_0, \qquad (19)$$

$$DPM(m) \le D(m, m+1), \qquad (20)$$

$$\sum_{p=s_1}^{s_K} a_p(C_{ij}, m) \le 1, \qquad (21)$$

$$a_p(C_{ij}, m) \in \{0, 1\}, \qquad (22)$$

where constraint (20) states that PM actions undertaken at the end of a given mission should be completed within the allotted time, constraint (21) imposes that each component may receive at most one PM action at the end of each mission, while constraint (22) is a {0, 1}-integrality constraint.
4 OPTIMIZATION METHOD 4.2 Simulated annealing algorithm for the selective
maintenance optimization problem
4.1 The simulated annealing algorithm
In this paper, the simulated annealing algorithm is
Simulated annealing (SA) is one of the most local used as an optimization technique to solve the selec-
search metaheuristics which has been widely studied tive maintenance optimization problem. The solution
and shown to be suitable for a wide range of com- representation is inspired from that of (Levitin and Lis-
binatorial optimization problems, as in the case of nianski 2000) (see also (Nahas, Khatab, Ait-Kadi, and
the selective maintenance optimization problem for- Nourelfath 2007)). The element of the vector VPM
mulated in this paper. The SA principle exploits an of available PM actions are numbered from 1 to P.
analogy between the way a metal cools and freezes The maintenance plan, as a solution, is represented
into a minimum energy crystalline structure and the by a vector S = [s1 , . . . , sK ] with finite length K ≤ P
search for a minimum in a more general system. The and where sp ∈ {1, 2, . . . , P} , for p = 1, . . . , K. The
application of this algorithm to solve combinatorial length of a given solution depends on its feasibility.
optimization problems was initiated by Kirkpatrick The initial feasible solution is derived on the basis of
et al. (Kirkpatrick, Gelatt-Jr., and Vecchi 1983). The the following procedure.
major advantage of SA algorithm over other methods is known for its ability to avoid becoming trapped at local minima during the search process. Figure 1 presents an overview of the SA algorithm.

The algorithm starts by an initial solution s generated either randomly or heuristically, and by an initial temperature Ti. Then, a solution s′ is randomly sampled from the neighborhood V(s) of the current solution s. The solution s′ is then accepted or rejected depending on the current temperature Tc and the values of the objective function f at points s and s′ (i.e. f(s) and f(s′)). Since the selective maintenance optimization problem consists in maximizing the system reliability, it follows that s′ will be accepted with probability 1 as a new solution whenever f(s′) > f(s). However, in the case where f(s′) ≤ f(s), s′ will be accepted with a probability which is a function of Tc and Δf = f(s) − f(s′). This probability follows the Boltzmann distribution p = exp(−Δf/Tc). The temperature is decreased following the progression formula Tc = ηTc, where η represents the cooling schedule. The search process is continued until the termination condition T = Tf holds, where Tf is the minimal temperature.

4.2.1 Initial solution construction
1. Set the length of S to a constant number Kmax
2. Generate the elements of S from a random permutation of the set {1, . . . , P}
3. Set K = 1
4. Calculate the objective function and the constraint values by using the K first elements (i.e. PM actions) of S
5. If (K = Kmax) and (S is not feasible) then return to step 2
6. If (K < Kmax) and (S is not feasible) then set K = K + 1 and proceed from step 4

To define the appropriate neighborhood, several structures were investigated. The following procedure provides the neighbor solution.

4.2.2 Neighboring solution construction
1. Generate randomly a number x from the interval [0, 1]
2. If (x ≥ 0.5) then choose randomly an element S(i) with 1 ≤ i ≤ N, and randomly increase or decrease by 1 the content of S(i), i.e. S(i) = S(i) + 1 or S(i) = S(i) − 1
3. If (x < 0.5) then choose randomly two elements S(i) and S(j) with 1 ≤ i ≤ K and K + 1 ≤ j ≤ P, and exchange the contents of S(i) and S(j).

It is worth noticing that in order to ensure the feasibility of a given solution, one needs to evaluate the objective function and the constraints of the optimization problem. To this end, a procedure was developed for the feasibility test of a given solution vector S = [s1, . . . , sK].
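The two construction procedures above and the Boltzmann acceptance rule, as an added example that is not code from the paper. It runs on a constructed toy instance; the cost/reliability model of that instance, the choice S of length P (so both index bounds N and P of 4.2.2 are the length of S), the minimisation of cost with f = −cost, and the rejection of infeasible neighbours are all assumptions made for the illustration.

```python
"""Simulated annealing (SA) for selective maintenance, following Section 4.2.

Added example, not code from the paper: it implements the initial-solution
construction (4.2.1), the neighbouring-solution construction (4.2.2) and the
Boltzmann acceptance rule on a constructed toy instance. Assumptions: S has
length P (so both index bounds N and P of 4.2.2 are len(S)), each PM action
contributes an independent reliability gain, the plan's cost is minimised
(so f = -cost in the acceptance rule) and infeasible neighbours are rejected.
"""
import math
import random
from itertools import combinations

# Constructed toy instance: P candidate PM actions with a cost and a
# reliability gain r_p; plan reliability is 1 - prod(1 - r_p) (assumed model).
P = 8
COST = [5.0, 3.0, 4.0, 7.0, 2.0, 6.0, 3.5, 4.5]
REL = [0.30, 0.15, 0.25, 0.45, 0.10, 0.40, 0.20, 0.28]
R_REQUIRED = 0.90          # required reliability level, as in Table 4


def evaluate(plan):
    """Return (cost, reliability) of a plan given as 1-based action indices."""
    cost = sum(COST[p - 1] for p in plan)
    unreliability = 1.0
    for p in plan:
        unreliability *= 1.0 - REL[p - 1]
    return cost, 1.0 - unreliability


def is_feasible(S, K):
    """Feasibility test on the K first elements of S: distinct, in-range
    action indices whose plan meets the reliability constraint."""
    plan = S[:K]
    if len(set(plan)) != K or any(p < 1 or p > P for p in plan):
        return False
    return evaluate(plan)[1] >= R_REQUIRED


def prefix_length(S):
    """Steps 3-6 of 4.2.1: grow K from 1 until the K-prefix is feasible.
    Returns None when no prefix of S is feasible (step 5 then applies)."""
    for K in range(1, len(S) + 1):
        if is_feasible(S, K):
            return K
    return None


def initial_solution(rng):
    """Section 4.2.1: random permutation of {1..P}, restarted until feasible."""
    while True:
        S = rng.sample(range(1, P + 1), P)       # steps 1-2
        K = prefix_length(S)                      # steps 3-6
        if K is not None:
            return S, K


def neighbour(S, K, rng):
    """Section 4.2.2: x >= 0.5 shifts one element by +/-1; x < 0.5 swaps a
    selected element S(i), i <= K, with an unselected one S(j), j > K."""
    S = list(S)
    if rng.random() >= 0.5:
        i = rng.randrange(len(S))
        S[i] += rng.choice((-1, 1))
    elif K < len(S):
        i, j = rng.randrange(K), rng.randrange(K, len(S))
        S[i], S[j] = S[j], S[i]
    return S


def anneal(rng, t_init=5.0, t_final=0.01, eta=0.95, moves_per_temp=20):
    """Minimise plan cost; with f = -cost, 'accept if f(s') > f(s), else with
    probability exp(-(f(s) - f(s')) / Tc)' is the test below."""
    S, K = initial_solution(rng)
    cur_cost = evaluate(S[:K])[0]
    best_plan, best_cost = sorted(S[:K]), cur_cost
    Tc = t_init
    while Tc > t_final:                           # termination: Tc reaches Tf
        for _ in range(moves_per_temp):
            cand = neighbour(S, K, rng)
            Kc = prefix_length(cand)
            if Kc is None:                        # infeasible neighbour: rejected
                continue
            cand_cost = evaluate(cand[:Kc])[0]
            delta = cand_cost - cur_cost          # = f(s) - f(s')
            if delta < 0 or rng.random() < math.exp(-delta / Tc):
                S, K, cur_cost = cand, Kc, cand_cost
                if cur_cost < best_cost:
                    best_plan, best_cost = sorted(S[:K]), cur_cost
        Tc *= eta                                 # cooling schedule Tc = eta*Tc
    return best_plan, best_cost


def run(seed=1):
    """Seeded run so the heuristic is reproducible."""
    return anneal(random.Random(seed))


def brute_force():
    """Exhaustive optimum of the toy instance, used to check the heuristic."""
    best_cost, best_plan = math.inf, None
    for K in range(1, P + 1):
        for plan in combinations(range(1, P + 1), K):
            cost, rel = evaluate(plan)
            if rel >= R_REQUIRED and cost < best_cost:
                best_cost, best_plan = cost, list(plan)
    return best_plan, best_cost


if __name__ == "__main__":
    print("SA:", run(1))
    print("exhaustive:", brute_force())
```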
5 APPLICATION EXAMPLE

Table 2. Parameters of preventive maintenance actions.

Table 4. The best selective maintenance plan obtained for the required reliability level 0.90.

Mission m | PM action p | Cij ∈ Comp(p)
2 | 11 | C21
4 | 15, 30, 26, 20, 8 | C22, C41, C33, C31, C14
5 | 11, 34 | C21, C42
6 | 15, 26, 34, 30, 20 | C22, C33, C42, C41, C31
7 | 20, 30, 15, 8 | C31, C41, C22, C14
8 | 11, 20, 8, 26, 15 | C21, C31, C14, C33, C22

Figure 3. Mission reliability of the system in the planning horizon.

6 CONCLUSION

In this paper, we proposed a selective maintenance optimization model for a multi-mission series-parallel system. The lifetime of each system component is generally distributed. The system operates on a planning horizon composed of several missions such that between successive missions a break of finite length is allotted to perform maintenance actions. Missions as well as breaks are of possibly different durations, and during breaks a list of preventive maintenance actions is available for system components maintenance. A combinatorial optimization problem is formulated, the objective of which consists in finding, during the planning horizon, an optimal sequence of preventive maintenance actions to be performed so as to minimize the total maintenance cost while providing, for each mission, the desired system reliability level. To solve this problem, an optimization method is proposed on the basis of the simulated annealing algorithm.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: This paper considers a k-out-of-N system with identical, repairable components under the so-called (m, NG) maintenance policy. Under this policy, maintenance is initiated when the number of failed components exceeds some critical level identified by m. After a possible set-up time of spares replacement, at least NG components should be good in the k-out-of-N system when it is going to be sent back to the user. A multi-server repair shop repairs the failed components. The operational availability of this kind depends not only on the spare part stock level and the repair capacity, but also on the two parameters m and NG of the maintenance policy. This paper presents a mathematical model of operational availability for a repairable k-out-of-N system given limited spares under the (m, NG) maintenance policy. We can make a trade-off between the spare part stock level, the number of repairmen and the two parameters of the maintenance policy using this model. From the analysis of an example, we get some valuable conclusions.
2 DESCRIPTION OF PROBLEM

In this section, we also describe the k-out-of-N system with hot standby redundancy. At the start of a system uptime, all N components are as good as new. The failure process of each component is characterized by a negative exponential distribution with rate λ, where we assume that the component failure processes are mutually independent. The system functions properly as long as at least k (k > 0) components are available. It takes the (m, NG) maintenance policy for the system. There are c repair teams which especially repair the replaced failed components in the repair shop. Each team can repair one failed component at the same time. The repairing time has the negative exponential distribution with rate μ, where we assume the time of replacement is short enough to be neglected and each repair team can independently work without stopping. The failed component is as-good-as-new after repair. Also it needs time Td to send the system to the repair shop after it was dismantled, and time Ts to fix the system and transit back to the user after replacement of spare parts. If insufficient spares are available, the maintenance completion is delayed until the number of available components is at least NG. Now, we want to get the operational availability Ao of this system given the initial number X of spare parts.

3 RESOLVING PROCESS

The system cycle starts with all N components as good as new. We define the system operation cycle, which is from the system start time to the next, and the spare replacement cycle, which is from the spare replacement start time to the next. So the system operation cycle includes 4 processes: the period of system up, the period of system down and in transit to depot, the period of component replacement, and the period of system in transit back. See Figure 1.

Figure 1. The system operation cycle: To (the period of system is operational), Td (the period of system is down and in transit to depot), Tr (the period of spare replacement), Ts (the period of system is restored and in transit back).

We know the operational availability equals the expected uptime during a cycle divided by the expected cycle length. So, we find

$$ A_o = \frac{E(T_o)}{E(T_o) + E(T_d) + E(T_r) + E(T_s)} \quad (1) $$

where E(To) is the expected uptime until system down and maintenance, E(Td) is the expected time during which the system is down and in transit to depot, E(Tr) is the expected time of the period of component replacement, and E(Ts) is the expected time during which the system is restored and in transit back. Because we assume the time of replacement can be neglected, E(Tr) is the time waiting for sufficient repaired spare parts. Tr is zero when there are sufficient spare parts.

Given E(Td) = Td and E(Ts) = Ts, to compute Ao the key point is to compute the expected operational time of the system E(To) and the expected lingering time E(Tr) which is produced by the waiting for the demanded spare parts.

3.1 Definition

The state of the system is defined as (n, s). It consists of the number of operational components n and the number of available spare parts s. The n and s are constrained by NG ≤ n ≤ N, 0 ≤ s ≤ N + X − NG and NG ≤ n + s ≤ N + X. Before discussing the formulas of E(To) and E(Tr), we define the following symbols which will be used in the resolving process.

Pr(a, b, c, t) is the probability when the number of failed components is reduced from a to b by the repair of c repair teams in the time t.

Pa(n) is the steady probability when the number of operational components is n at the starting time of the operational period.

Pb(n, s) is the steady probability when the initial state of the operational period of the system is (n, s).

p(ns,ss),(ne,se) is the state translation probability when the state of the system is translated from (ns, ss) to (ne, se) during the system operation cycle.

Ps(s) is the steady probability when there are just s available spare parts at the starting time of the period of spare replacement.

NM is the number of operational components when the system asks for the repair, and NM = N − m is a fixed value.

Z is the maximal number of available spare parts. When the number of components in the system is NG and there are no components needing repair, the number of available spare parts is maximal. So Z = S + N − NG, and the maximal number of components waiting to be repaired is also Z.

3.2 The expression of Pr(a, b, c, t)

Because of the frequent use of Pr(a, b, c, t), we give its formula first.

If we treat c repair men as c servers, a components which are repaired or waiting for the repair as a guests which are served or waiting for the service, and the repairing time of failed components has the exponential distribution with rate μ, the resolving of Pr(a, b, c, t) can be treated as the queue model which has several servers and finite guests. Assume that there are c independent servers with the serving rate μ. The sum of the guests which are served or are waiting for the service is a at the starting time. There are no new guests. The waiting guest can enter into any free server. And guests leave when they finish their services. So, Pr(a, b, c, t) equals the probability that the sum of the guests which are served or are waiting for the service is b, after time t. The formula of Pr(a, b, c, t) can be treated according to the following conditions.

1. When b > a, as there is no new guest, the sum of

… cμ e^{−cμ(t−τ)} Pr(a − 1, b, c, τ) for τ in [0, t]. And we can get the recursive Equation (4).

$$ P_r(a,b,c,t) = c\mu\, e^{-c\mu t} \int_0^t e^{c\mu\tau}\, P_r(a-1,b,c,\tau)\, d\tau \quad (4) $$
$$
P_r(a,b,c,t) =
\begin{cases}
0, & a < b \text{ or } a < 0 \text{ or } b < 0 \\[4pt]
e^{-\min\{a,c\}\,\mu t}, & a = b \\[4pt]
C_a^b\, e^{-b\mu t}\,\left(1 - e^{-\mu t}\right)^{a-b}, & 0 \le b \le a \le c \\[4pt]
\displaystyle \sum_{i=0}^{c-b-1} C_c^b\, C_{c-b}^i\, (-1)^i \left[ \left(\frac{c}{c-b-i}\right)^{a-c} \left(e^{-\mu(b+i)t} - e^{-c\mu t}\right) - \sum_{j=1}^{a-c-1} \frac{c^{a-c}}{(c-b-i)^j}\, \frac{(\mu t)^{a-c-j}}{(a-c-j)!}\, e^{-c\mu t} \right] + C_c^b\, (-1)^{c-b}\, \frac{(c\mu t)^{a-c}}{(a-c)!}\, e^{-c\mu t}, & a > c > b \ge 0 \\[4pt]
\dfrac{(c\mu t)^{a-b}}{(a-b)!}\, e^{-c\mu t}, & a > b \ge c \ge 0
\end{cases}
\quad (7)
$$
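The five cases of Equation (7) in working form, as an added example that is not code from the paper. The closed form is cross-checked against a direct numerical solution of the same pure-death chain (the queue model of Section 3.2, death rate min(n, c)·μ in state n) integrated with classical RK4; that numerical check and the sample parameter values are additions, not part of the paper.

```python
"""Closed-form repair-completion probability Pr(a, b, c, t) of Equation (7).

Added example, not code from the paper: implements the five cases of
Equation (7) for c repair teams with exponential repair rate mu, and checks
them against an RK4 solution of the Kolmogorov forward equations of the
pure-death chain described in Section 3.2 (the check is an addition).
"""
import math


def _case_a_gt_c_gt_b(a, b, c, mu, t):
    """Case a > c > b >= 0 of Equation (7): all c teams busy until the
    count reaches c, then c independent exponential services."""
    n = a - c
    e_c = math.exp(-c * mu * t)
    total = 0.0
    for i in range(c - b):                          # i = 0 .. c-b-1
        d = c - b - i
        coeff = math.comb(c, b) * math.comb(c - b, i) * (-1) ** i
        term = (c / d) ** n * (math.exp(-mu * (b + i) * t) - e_c)
        for j in range(1, n):                       # j = 1 .. a-c-1
            term -= (c ** n / d ** j) * (mu * t) ** (n - j) \
                    / math.factorial(n - j) * e_c
        total += coeff * term
    total += math.comb(c, b) * (-1) ** (c - b) \
        * (c * mu * t) ** n / math.factorial(n) * e_c
    return total


def pr(a, b, c, mu, t):
    """Probability that a failed components are reduced to b within time t."""
    if a < b or a < 0 or b < 0:
        return 0.0
    if a == b:
        return math.exp(-min(a, c) * mu * t)
    if a <= c:                                      # 0 <= b < a <= c
        return math.comb(a, b) * math.exp(-b * mu * t) \
            * (1.0 - math.exp(-mu * t)) ** (a - b)
    if c > b:                                       # a > c > b >= 0
        return _case_a_gt_c_gt_b(a, b, c, mu, t)
    # a > b >= c: all c teams stay busy, departures are Poisson(c*mu*t)
    return (c * mu * t) ** (a - b) / math.factorial(a - b) \
        * math.exp(-c * mu * t)


def pr_numeric(a, b, c, mu, t, steps=4000):
    """Cross-check: integrate dp_n/dt = min(n+1,c) mu p_{n+1} - min(n,c) mu p_n
    (pure-death chain of the queue model) from p_a(0) = 1 with RK4."""
    def deriv(p):
        dp = [-min(n, c) * mu * p[n] for n in range(a + 1)]
        for n in range(a):
            dp[n] += min(n + 1, c) * mu * p[n + 1]
        return dp

    p = [0.0] * (a + 1)
    p[a] = 1.0                                      # all a guests present at t=0
    h = t / steps
    for _ in range(steps):
        k1 = deriv(p)
        k2 = deriv([p[n] + 0.5 * h * k1[n] for n in range(a + 1)])
        k3 = deriv([p[n] + 0.5 * h * k2[n] for n in range(a + 1)])
        k4 = deriv([p[n] + h * k3[n] for n in range(a + 1)])
        p = [p[n] + h / 6.0 * (k1[n] + 2 * k2[n] + 2 * k3[n] + k4[n])
             for n in range(a + 1)]
    return p[b]


def max_abs_error(a, c, mu, t):
    """Largest |closed form - numeric| over b = 0..a (exercises every case)."""
    return max(abs(pr(a, b, c, mu, t) - pr_numeric(a, b, c, mu, t))
               for b in range(a + 1))


def total_probability(a, c, mu, t):
    """Sum of Pr(a, b, c, t) over b = 0..a; must equal 1."""
    return sum(pr(a, b, c, mu, t) for b in range(a + 1))


if __name__ == "__main__":
    # Sample parameters (constructed): 6 failed components, 3 teams, mu = 1.
    for b in range(7):
        print(b, pr(6, b, 3, 1.0, 0.8), pr_numeric(6, b, 3, 1.0, 0.8))
    print("max error:", max_abs_error(6, 3, 1.0, 0.8))
```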
3.3 The expression of E(To)

In an operational period of the system, we use To(n) to express the operational time of the system when the number of available components is n at the starting time of the operational period. It also means the interval when the state of the system that has n available components translates to the state of the system that has n − NM failed components. Consequently, there is the following equation.

$$ T_o(n) = \sum_{i=0}^{n-N_M-1} \frac{1}{(n-i)\lambda} \quad (8) $$

So, we can also get the following equation of E(To).

$$ E(T_o) = \sum_{n=N_G}^{N} \big(P_a(n) \cdot T_o(n)\big) = \sum_{n=N_G}^{N} P_a(n) \cdot \sum_{i=0}^{n-N_M-1} \frac{1}{(n-i)\,\lambda} \quad (9) $$

The equation of Pa(n) is the next thing we are going to discuss. We have known that the state of the system consists of the number of available components and the number of available spare parts. Because the failing time and the repairing time of components both have the exponential distribution, and the probability of the system state at the end of the operational period is just related to the system state at the starting time of the operational period, it can form a Markov chain. Before resolving Pa(n), we can compute Pb(n, s) first.

To get Pb(n, s), the key point is to get the translating matrix of state Q = [p(ns,ss),(ne,se)]. The following discusses p(ns,ss),(ne,se).

We divide (ns, ss) → (ne, se) into two phases. The first phase is (ns, ss) → (NM, sm). It begins at the starting time of the operational period, and ends at the starting time of the component replacement period. The second phase is (NM, sm) → (ne, se). It begins at the starting time of the component replacement period, and finishes at the end time of the component replacement period. The time of the first phase is t1. t1 equals the sum of the time when the state of the system is available and the time used to ask for repair and send to the repair shop. And we can get the following.

$$ t_1 = T_o(n_s) + T_d = T_d + \sum_{i=0}^{n_s-N_M-1} \frac{1}{(n_s-i)\,\lambda} \quad (10) $$
sm is the number of available spare parts at the starting time of the component replacement period. sm can't be less than ss, which is the number of available spare parts at the starting time of the operational period. But it is possibly larger than the sum (N + X − ns) of failed components that are being repaired or waiting for the repair. Thus, we can get the constraint ss ≤ sm ≤ N + X − ns.

Consequently, the translating probability of system state (ns, ss) → (ne, se) equals the sum of the possibilities for any sm, when the state of the system translates from (ns, ss) to (NM, sm), and then from (NM, sm) to (ne, se).

$$ p_{(n_s,s_s),(n_e,s_e)} = \sum_{s_m=s_s}^{X+N-n_s} p_1(n_s,s_s,N_M,s_m) \cdot p_2(N_M,s_m,n_e,s_e) $$

where p1(ns, ss, NM, sm) is the translating probability when the state of the system changes from (ns, ss) to (NM, sm) in the first phase. p2(NM, sm, ne, se) is the translating probability when the state of the system changes from (NM, sm) to (ne, se) in the second phase.

p1(ns, ss, NM, sm) equals the probability that the number of the components repaired in time t1 is sm − ss. So, we can get the following equation.

$$ p_1(n_s,s_s,N_M,s_m) = P_r(L_1, L_2, c, t_1) \quad (11) $$

1. When ne = NG and sm ≤ NG − NM, the number of available components goes back to NG, and the number of spare parts is reduced to 0 at the end time of the replacement process. And p2(NM, sm, ne, se) equals the probability that the number of failed components is reduced from Z to Z − se by c repair men.

$$ p_2(N_M,s_m,n_e,s_e) = P_r(N+X-n_e,\; N+S-n_e-s_e,\; c,\; t_s) \quad (13) $$

3. When ne = N, sm ≥ N − NM and se ≥ sm − N + NM, sm can fill the maximal demand of replacement, and the number of available spare parts is sm − N + NM at the end time of replacement.

$$ p_2(N_M,s_m,n_e,s_e) = P_r(X+N_M-N-s_m,\; X-s_e,\; c,\; t_s) \quad (14) $$

According to the (m, NG) maintenance policy, the condition that ne and sm do not satisfy the above conditions is impossible to happen. Thus, p2(NM, sm, ne, se) = 0.

Synthesizing the Equations (13), (14) and (15), we can get the equation of p2(NM, sm, ne, se):

$$
p_2(N_M,s_m,n_e,s_e) =
\begin{cases}
P_r(Z,\; Z-s_e,\; c,\; t_s), & n_e = N_G \text{ and } s_m \le N_G - N_M \\[4pt]
P_r(N+X-n_e,\; N+X-n_e-s_e,\; c,\; t_s), & \\[4pt]
P_r(X+N_M-N-s_m,\; X-s_e,\; c,\; t_s), & n_e = N,\; s_m \ge N-N_M \text{ and } s_e \ge s_m-N+N_M \\[4pt]
0, & \text{others}
\end{cases}
$$

If we take the Equations (12) and (16) into the Equation (11), we can get p(ns,ss),(ne,se). According to the theory of Markov chains, there is the following equation.

$$ P_b(n,s) = \sum_{i=N_G}^{N} \sum_{j=0}^{X+N-i} P_b(i,j) \cdot p_{(i,j),(n,s)} \quad (15) $$
$$
Q = \begin{bmatrix}
p_{(N_G,0),(N_G,0)} & \cdots & p_{(N_G,0),(N_G,Z)} & \cdots & p_{(N_G,0),(N_G+i,0)} & \cdots & p_{(N_G,0),(N_G+i,Z-i)} & \cdots & p_{(N_G,0),(N,0)} & \cdots & p_{(N_G,0),(N,X)} \\
\vdots & & \vdots & & \vdots & & \vdots & & \vdots & & \vdots \\
p_{(N_G,Z),(N_G,0)} & \cdots & p_{(N_G,Z),(N_G,Z)} & \cdots & p_{(N_G,Z),(N_G+i,0)} & \cdots & p_{(N_G,Z),(N_G+i,Z-i)} & \cdots & p_{(N_G,Z),(N,0)} & \cdots & p_{(N_G,Z),(N,X)} \\
\vdots & & \vdots & & \vdots & & \vdots & & \vdots & & \vdots \\
p_{(N_G+i,0),(N_G,0)} & \cdots & p_{(N_G+i,0),(N_G,Z)} & \cdots & p_{(N_G+i,0),(N_G+i,0)} & \cdots & p_{(N_G+i,0),(N_G+i,Z-i)} & \cdots & p_{(N_G+i,0),(N,0)} & \cdots & p_{(N_G+i,0),(N,X)} \\
\vdots & & \vdots & & \vdots & & \vdots & & \vdots & & \vdots \\
p_{(N_G+i,Z-i),(N_G,0)} & \cdots & p_{(N_G+i,Z-i),(N_G,Z)} & \cdots & p_{(N_G+i,Z-i),(N_G+i,0)} & \cdots & p_{(N_G+i,Z-i),(N_G+i,Z-i)} & \cdots & p_{(N_G+i,Z-i),(N,0)} & \cdots & p_{(N_G+i,Z-i),(N,X)} \\
\vdots & & \vdots & & \vdots & & \vdots & & \vdots & & \vdots \\
p_{(N,0),(N_G,0)} & \cdots & p_{(N,0),(N_G,Z)} & \cdots & p_{(N,0),(N_G+i,0)} & \cdots & p_{(N,0),(N_G+i,Z-i)} & \cdots & p_{(N,0),(N,0)} & \cdots & p_{(N,0),(N,X)} \\
\vdots & & \vdots & & \vdots & & \vdots & & \vdots & & \vdots \\
p_{(N,X),(N_G,0)} & \cdots & p_{(N,X),(N_G,Z)} & \cdots & p_{(N,X),(N_G+i,0)} & \cdots & p_{(N,X),(N_G+i,Z-i)} & \cdots & p_{(N,X),(N,0)} & \cdots & p_{(N,X),(N,X)}
\end{bmatrix}^{T}
\quad (16)
$$
… time repairing one component and the repairing time (Tc(s − 1, s′ − 1, c)) when the number of demanded spare parts is s − 1 and the number of components waiting for repairing is s′ − 1. Thus, there is the following recursive equation.

$$ E\big[T_c(s, s', c)\big] = \frac{1}{\min\{s', c\}\,\mu} + E\big[T_c(s-1, s'-1, c)\big] \quad (20) $$

(21): … + … , s > c and s − c < s ≤ s; … cμ … (c − h)μ , h − 0 …; 0, others

Table 1. The values of the availability for a combination of m and NG. m is chosen equal to 3.

Initial number of spare parts | Parameter of policy (3,5) | (3,6) | (3,7)
X = 1 | 0.8797 | 0.8797 | 0.7726
X = 2 | 0.8974 | 0.8974 | 0.8359
X = 3 | 0.9106 | 0.9106 | 0.8907
X = 4 | 0.9106 | 0.9106 | 0.9106

Figure 4. The values of the availability for a combination of m and NG. NG is chosen equal to 6. (Plot of operational availability against m = 2, 3, 4, 5 for initial numbers of spare parts X = 1, 2, 3, 4.)

Table 2. The values of the availability for a combination of … (columns: initial number of spare parts; parameter of policy (4,5), (4,6), (4,7)).

Table (caption not recoverable): initial number of spare parts against parameter of policy (2,6), (3,6), (4,6), (5,6).

Figure 5. The values of the availability for a combination of m, NG and initiation for different values of the number of spares. (Plot of operational availability against the initial number of spare parts for the (4,6) and (3,6) maintenance policies and for the m = 4 and m = 3 maintenance policies.)
5 CONCLUSIONS

This paper provides an operational availability model when the k-out-of-N system takes the (m, NG) maintenance policy with the given number of spare parts. Through the analysis of an example, we can find that the influence on operational availability which is produced by the initial number of spare parts, repairing ability and selection of m and NG is expressed clearly from the model. And at the same time, the model can provide the decision support for the tradeoff between the maintenance policy and the number of spare parts in the different conditions.
K.B. Marais
Department of Industrial Engineering, Stellenbosch University, South Africa
J.H. Saleh
School of Aerospace Engineering, Georgia Institute of Technology, USA
ABSTRACT: Maintenance planning and activities have grown dramatically in importance and are increasingly recognized as drivers of competitiveness. While maintenance models in the literature all deal with the cost of maintenance (as an objective function or a constraint), only a handful address the notion of value of maintenance, and seldom in an analytical or quantitative way. We propose that maintenance has intrinsic value and argue that existing cost-centric models ignore an important dimension of maintenance, its value, and in so doing, can lead to sub-optimal maintenance strategies. We develop a framework for capturing and quantifying the value of maintenance activities. The framework presented here offers rich possibilities for future work in benchmarking existing maintenance strategies based on their value implications, and in deriving new maintenance strategies that are ‘‘value-optimized’’.
The argument for dismissing or not focusing on the value of maintenance, when it is made, goes along these lines: while it is easy to quantify the (direct) cost of maintenance, it is difficult to quantify its benefits. Dekker (1996) for example notes ‘‘the main question faced by maintenance management, whether maintenance output is produced effectively, in terms of contribution to company profits, [ . . . ] is very difficult to answer’’. Therefore maintenance planning is shifted from a value maximization problem formulation to a cost minimization problem (see Saleh (2008) for a discussion of why these two problems are not the same and do not lead to similar decisions in system design and operation). Incidentally, in many organizations, maintenance is seen as a cost function, and maintenance departments are considered cost centers whose resources are to be ‘‘optimized’’ or minimized. In short, as noted by Rosqvist et al., (2007) a cost-centric mindset prevails in the maintenance literature for which ‘‘maintenance has no intrinsic value’’.

In this paper, we propose that maintenance has intrinsic value and that one aspect of this value, the net present value, can be captured. We argue that existing cost-centric optimizations ignore an important dimension of maintenance, namely its value, and in so doing, they can lead to sub-optimal maintenance strategies. We therefore develop a framework built on aspects of existing maintenance models for capturing and quantifying the value of maintenance activities by connecting an engineering and operations research concept, system state, with a financial and managerial concept, the present value (PV). Note that we consider ‘‘value’’ as the net revenue generated by the system over a given planning horizon. We do not consider additional dimensions of value such as the potential positive effects of maintenance on environmental or health impacts. Such effects can be incorporated in future work, see, for example, Marais et al., (2008) for a discussion of the quantification of environmental and health impacts of aviation. The system state refers to the condition of the system and hence its ability to perform and thereby provide a flow of service (hence generate revenue, or ‘‘quasi-rent’’). In order to build this connection, we first explore the impact of a system’s state on the flow of service the system can provide over time—for a commercial system, this translates into the system’s revenue-generating capability. Next we consider the impact of maintenance on system state evolution and hence value generation capability over time. We then use traditional discounted cash flow techniques to capture the impact of system state evolution with and without maintenance on its financial worth, or PV. For simplification, we call the results of our calculations the ‘value of maintenance’. Finally, we discuss the advantages and limitations of our framework. This work offers rich possibilities for assessing and benchmarking the value implications of existing maintenance policies, and deriving new policies based on maximizing value, instead of minimizing the cost of maintenance.

2 BACKGROUND

This section provides a brief overview of various maintenance models. The reader interested in extensive reviews of the subject is referred to the survey papers by Dekker (1996), Pham and Wang (1996) and Wang (2002). In the following, we discuss (1) maintenance classification, (2) maintenance models, and (3) maintenance policies.

2.1 Types and degrees of maintenance

Maintenance refers to the set of all technical and administrative actions intended to maintain a system in or restore it to a state in which it can perform at least part of its intended function(s) [Dekker, 1996].

Maintenance type can be classified into two main categories: corrective maintenance and preventive maintenance [Pham and Wang, 1996]. Corrective maintenance (CM), also referred to as repair or run-to-failure (RTF), refers to maintenance activities performed after a system has failed in order to restore its functionality.

Preventive maintenance (PM) refers to planned maintenance activities performed while the system is still operational. Its aim is to retain the system in some desired operational condition by preventing (or delaying) failures. Preventive maintenance is further sub-divided into clock-based, age-based, and condition-based, according to what triggers maintenance activities [Rausand and Høyland, 2004]:

– Clock-based maintenance is scheduled at specific calendar times; its periodicity is preset irrespective of the system’s condition (e.g., every Tuesday).
– Age-based maintenance is performed at operating time intervals or operating cycles of the system (e.g., every 500 on/off cycles, or every 4,000 hours of flight).
– Condition-based maintenance is triggered when the measurement of a condition or state of the system reaches a threshold that reflects some degradation and loss of performance of a system (but not yet a failure). Condition-based maintenance is also referred to as predictive maintenance.

Opportunistic maintenance encompasses both corrective and preventive maintenance and is relevant for multi-unit systems with economic and functional dependencies in which the failure of one unit, and hence its corrective maintenance, offers an opportunity to perform preventive maintenance on other still functional units.
Each type of maintenance can be further classi- maintenance cost, system age, or the number of prior
fied according to the degree to which it restores the maintenance activities [Malik, 1979; Pham and Wang
system [Pham and Wang, 1996]. At one end of the 1996].
spectrum, perfect maintenance restores the system to The third class of models views maintenance as
its initial operating condition or renders it ‘‘as good reducing the virtual age of the system [Kijima et al.,
as new’’. At the other end of the spectrum, minimal 1988]. It is assumed that maintenance reduces the age
repair returns the system to the condition it was in of the system by some proportion (assuming increas-
immediately prior to failing (in the case of corrective ing failure rate, which implies among other things
maintenance), or ‘‘as bad as old’’. In between these that the system exhibits no infant mortality). Perfect
extremes lies imperfect maintenance, which returns maintenance returns the system virtual age to zero,
the system to a condition somewhere in between as while minimal maintenance returns the virtual age to
good as new and as bad as old. Finally, there is also the age immediately prior to the failure. Kijima et al.,
the possibility that maintenance leaves the system in ’s (1988) original model allowed only a reduction to
a worse condition than before the failure, through, for the virtual age of the system following the previous
example, erroneous actions such as damaging adjacent repair effort, though larger reductions in virtual age
parts while replacing a faulty unit. can be seen as resulting from more extensive main-
tenance efforts. Pham and Wang (1996a) assume that
maintenance time increases with subsequent repairs
2.2 Maintenance models
and consider the reduction in virtual age as decreasing
Models used to derive optimal maintenance policies over time—that is, repairs become successively less
generally cover four main aspects [Dekker, 1996]: (1) effective over time.
a description of the system being maintained; (2) a The fourth class of models considers system fail-
model of how the system deteriorates and the con- ures as manifesting as some level of damage or
sequences thereof; (3) a description of the available degradation in response to a shock. These models are
information on the system and the available response options; and (4) an objective function and an analytical framework (or tools) according to which the optimal maintenance policy is to be derived. This section reviews the four main classes of maintenance models, following the reviews in Pham and Wang (1996), Doyen and Gaudoin (2004), Tan and Raghavan (in press), and Wang (2002).

The first class of models developed considered the possibility only for perfect or minimal repair [Nakagawa, 1979a, b; Pham and Wang 1996]. Thus, following maintenance, the system is returned to as good as new with some repair probability p, or to as bad as old with probability (1 − p). This basic concept is then expanded to take into account time-dependent repair probabilities, the possibility that maintenance causes the system to be scrapped or to transition to some intermediate state, and non-negligible repair times (and hence non-negligible downtime losses).

The second class of models considers maintenance as improving the failure rate or intensity, and thus allows the possibility of imperfect maintenance [Block et al., 1985; Pham and Wang 1996]. It is assumed that maintenance provides a fixed or proportional reduction in failure rate, or that it returns the system to the failure rate curve at some time prior to the maintenance activity. Perfect maintenance returns the failure rate to that of a new system; minimal maintenance returns it to that of the system immediately prior to the failure. The improvement factor is the degree of improvement of the failure rate. The improvement factor is determined based on historical data, experiment, expert judgment, or by assuming it correlates with

… therefore referred to as shock models. Perfect maintenance then reduces the damage to zero, minimal maintenance returns the damage level to that immediately prior to the failure, and imperfect maintenance reduces the damage by some factor greater than zero and less than 100%. These models also allow the possibility for less-effective and more expensive repairs over time by making the reduction in damage a decreasing function of time and by successively increasing the duration of maintenance activities over time [Wang and Pham, 1996a, b].

In each case these models have been used primarily to derive maintenance policies that minimize cost or downtime, or that maximize system availability, as we discuss in the next sub-section. In Sections 3 and 4 we show how a simple model based on aspects of these models can be used to quantify the value of maintenance.

2.3 Maintenance policies

Maintenance policies describe what types of maintenance (repair, replacement, etc.) are considered in response to what types of events (failure, calendar time, machine cycles, etc.). In the following, we confine our discussion to maintenance policies for single-unit systems with increasing failure rates.

One popular maintenance policy is age-dependent preventive maintenance where a system is repaired or replaced at a pre-determined ‘‘age’’ [Wang, 2002]. The triggering of maintenance in this case may be predetermined based on machine time (e.g., every 10,000 cycles) or on time elapsed since the last maintenance
activity. Under a random age-dependent maintenance policy, maintenance is performed based on age and system availability. This policy takes account of the fact that systems may not be available for maintenance in the middle of a production run, for example. A further extension of age-dependent replacement is failure-dependent replacement where the system is repaired in response to failures and replaced when a given number of failures has occurred, or at a given time, whichever occurs first [Nakagawa, 1984]. Many other variations on the theme of age-dependent maintenance have been proposed; see Wang (2002) for an extensive review.

An alternative family of maintenance policies, referred to as periodic preventive maintenance, is based on calendar time. Here maintenance occurs on failure and periodically regardless of the failure or operating history of the system [Wang, 2002]. Variations on this theme are developed by selecting degrees of repair from minimal to perfect at specific times or in response to failures. Further variations are developed by incorporating the failure or operating history of the system. For example, the level of maintenance may be dependent on the number of previous repairs [Wang and Pham, 1999].

Sequential preventive maintenance can be seen as a variation of periodic PM where the interval between PM activities is not constant. For example, the PM interval may be decreased as the system ages, so that the system does not exceed a certain operating time without maintenance [Wang, 2002; Nguyen and Murthy, 1981].

3 THE VALUE PERSPECTIVE IN DESIGN, OPERATIONS AND MAINTENANCE: A QUALITATIVE DISCUSSION

The present work builds on the premise that engineering systems are value-delivery artifacts that provide a flow of services (or products) to stakeholders. When this flow of services is ‘‘priced’’ in a market, this pricing or ‘‘rent’’ of the system’s services allows the assessment of the system’s value, as will be discussed shortly. In other words, the value of an engineering system is determined by the market assessment of the flow of services the system provides over its lifetime. We have developed this perspective in a number of previous publications; for further details, the interested reader is referred to, for example, Saleh et al. (2003), Saleh and Marais (2006), or Saleh (2008).

In this paper, we extend our value-centric perspective on design to the case of maintenance. Our argument is based on four key components:

1. First, we consider systems that deteriorate stochastically and exhibit multi-state failures, and we model their state evolution using Markov chains and directed graphs.
2. Second, we consider that the system provides a flow of service per unit time. This flow in turn is ‘‘priced’’ and a discounted cash flow is calculated, resulting in a Present Value (PV) for each branch of the graph—or ‘‘value trajectory’’ of the system.
3. Third, given our previous two points, it is straightforward to conceive of the following: as the system ages or deteriorates, it migrates towards lower PV branches of the graph, or lower value trajectories.
4. Finally, we conceptualize maintenance as an operator (in a mathematical sense) that raises the system to a higher PV branch in the graph, or to a higher value trajectory. We refer to the value of maintenance, or more specifically the Present Value (PV) of maintenance, as the incremental Present Value between the pre- and post-maintenance branches of the graph.

In the following section, we set up the analytical framework that corresponds to this qualitative discussion.

4 MAINTENANCE AND PRESENT VALUE BRANCHES

In developing our value model of maintenance, we make a number of simplifying assumptions to keep the focus on the main argument of this work. These assumptions affect the particular mechanics of our calculations but bear no impact on the main results, as will be shown shortly. Our assumptions are the following:

1. We restrict ourselves to the case of perfect maintenance; in addition we assume that maintenance does not change the system’s deterioration mechanism.
2. We restrict ourselves to the case of single-unit systems.
3. We only consider systems that exhibit an increasing failure rate. In other words, as our systems age, they become more likely to deteriorate in the absence of perfect maintenance.
4. The systems in our model can be in a finite number of discrete states, and the current state depends only on the prior state, though the state transition probabilities may be time-dependent. This assumption allows us to model the state evolution of the system as a Markov process.
5. The systems in our model have no salvage value at replacement or end of life.
6. Finally, for simulation purposes, we consider discrete time steps, and assume that the duration of maintenance activities is negligible compared with the size of these time steps.
These assumptions will be relaxed in future work. In the following, we consider first how a system deteriorates under no-maintenance and introduce the concept of ‘‘value trajectories’’ of the system. Next, … examples.

4.1 Deterioration under no-maintenance, and value trajectories

We consider a k-state discrete-time Markov deteriorating system with time-dependent transition probabilities as shown in Figure 1, for the no-maintenance case with three states. The states are numbered from 1 through k in ascending order of deterioration where state 1 is the ‘‘new’’ state and state k is the failed state. The time-dependence allows us to take account of the fact that a new (or deteriorated) system will become more likely to transition to the deteriorated (or failed) state as it ages (time-dependence implies dependence on the virtual age of the system). With no maintenance the failed state is an absorbing state whence it is not possible to transition to either of the other states. Further, it is not possible to transition from the deteriorated state to the new state without performing maintenance. In other words, the system can only transition in one direction, from new to failed, perhaps via the deteriorated state (but the system has no self-healing properties).

[Figure 1 residue (caption not on the page): Markov chain of the three-state system with states New, Deteriorated and Failed and transition probabilities pnn(i), pnd(i), pnf(i) and pdd(i).]

[Figure 2 residue: directed graph of the branches B1 … Bworst over time, with transition probabilities p11(0), p11(1), p11(2), p12(0), p12(2), p13(0), p13(2), p22(1), p22(2), p23(1), p23(2) and the Failed state.]
Figure 2. Three-state system evolution over time with no maintenance.

The transition matrix for a system with k states and no self-healing is given by:

$$P(i) = \begin{bmatrix} p_{11}(i) & p_{12}(i) & \cdots & p_{1k}(i) \\ 0 & p_{22}(i) & \cdots & p_{2k}(i) \\ \vdots & & \ddots & \vdots \\ 0 & 0 & \cdots & 1 \end{bmatrix} \qquad (1)$$

i is the index of the time step considered, and P(i) is in effect $P(t_i)$ in which $t_i = i\Delta T$. For simplification purposes, we retain only the index i in our notation. The transition probabilities can be derived from failure rates as shown by [Macke and Higuchi, 2007].

We represent the evolution of the system over time using a directed graph, as shown in Figure 2 for a three-state system. This representation expands on Figure 1 and allows in effect an easy read of the time-dependent transition probabilities, which is difficult to visualize using the traditional Markov chain representation (Figure 1).

We assume that the probability of transitioning to a lower state increases over time, and correspondingly that the probability of remaining in a given state (other than the failed state) decreases over time:
For convenience we assume that the system is initially in the new state, that is:

$$\pi_0 = \begin{bmatrix} 1 & 0 & \cdots & 0 \end{bmatrix} \qquad (4)$$

Next, we consider that the system can generate $u_m(t)$ revenue per unit time when it is in state m; a degraded system having lower capacity to provide services (hence generate revenues) than a fully functional system. This $u_m(t)$ is the expected utility model of the system or the price of the flow of service it can provide over time. We discretize time into small $\Delta T$ bins over which $u_m(t)$ can be considered constant. Therefore

$$u_m(i) = u_m(i\Delta T) \approx u_m[(i + 1)\Delta T] \qquad (5)$$

The likelihood of the system following a particular branch over N steps is given by the product of the transition probabilities along that branch:

$$p(B_j) = \prod_{i=1}^{N} p_i(B_j) \qquad (7)$$

The right side of Eq. 7 is shorthand for the product of the transition probabilities along the branch $B_j$. Finally, the expected Present Value of the system over all the branches is calculated by weighting the Present Value of each branch by its likelihood:

$$PV(N) = \sum_{\text{all branches}} p(B_j) \cdot PV(N, B_j) \qquad (8)$$

Using the Markov chain terminology, this present value can also be expressed as:
Table 1. Branches for a three-state system evolution over four periods.

B1 {1, 1, 1, 1, 1}  The system starts in state 1 and remains in this state throughout the four periods.
B4 {1, 1, 1, 2, 2}  The system starts in state 1; it remains in State 1 for two periods, then transitions to the degraded State 2 in the third period and remains in this State 2.
B8 {1, 1, 2, 2, 3}  The system starts in State 1; it remains in State 1 for the first period, then transitions to the degraded State 2 in the second period; it remains in this degraded state for the third period, then transitions to the failed State 3 in the fourth period.

[Figure 3 residue: value in $ (0 to 250,000) over Period 1 to Period 4 for the branches of Table 1; p(B8) = 0.3%.]
Figure 3. Illustrative value trajectories for a three-state system (branches defined in Table 1).

[Figure 4 residue: states New, Deteriorated and Failed with the transitions enabled by perfect maintenance and imperfect maintenance.]
Figure 4. Performing perfect maintenance returns the system to the NEW state.

$$\pi_j = P_j \cdots P_2 P_1 \pi_0 \qquad (10)$$

where $\pi_j$ is the vector of probabilities of being in states 1 through k.

… move back, (1) from a failed state to a deteriorated state (imperfect corrective maintenance), (2) from a failed state to a new state (perfect corrective maintenance), and (3) from a deteriorated state to a new state (perfect preventive maintenance). These maintenance-enabled transitions are shown in Figure 4.

In addition to returning the system to a higher-functional state, maintenance provides another advantage: it modifies the time-dependent transition probabilities. In particular, the transition probabilities from the new state after perfect maintenance are equal to those of a new system. That is, performing perfect maintenance returns the system to the initial transition …

The effect of perfect maintenance is to return the system to the initial probability distribution $\pi_0$ and to the initial transition probability matrix P.
[Figure residue (caption not on the page): the three-state chain New, Deteriorated, Failed with a Maintenance transition, and the branch graph with transition probabilities p11(0), p11(i), p12(0), p12(i), p22(1), p22(2), p23(1), p23(2).]

… and (2) in the case of perfect maintenance, it restores the initial (more favorable) transition probabilities, which in effect ensure that the system is more likely to remain in the ‘‘new’’ state post-maintenance than pre-maintenance. The two effects of maintenance on the value of a system are shown in Figure 7 for a three-state system. The following simple examples will help further clarify this discussion.

$$p_{M_2}(B_1) = p_{11}(0) \cdot p_{11}(1) \cdot \ldots \cdot p_{11}(n-2) \quad \text{and} \quad p_{M_2}(B_1) > p_{noM_2}(B_1) \qquad (13)$$
[Figure residue (caption not on the page): Branch 1 without maintenance versus Branch 1 with perfect maintenance occurring at the end of the second period, over Period 1, Period 2, Period 3, Period 4, …, Period n+1 (Time); transition probabilities p11(0), p11(1), p11(2), p11(3), …, p11(n−2), …, p11(n); perfect maintenance occurs at the end of the second period.]

This incremental Present Value, which in this case is calculated at the end of period 1, is what we define as the Present Value of maintenance:

= $76,900
generating capability of the system). In other words, unlike traditional maintenance strategies, which are ‘‘fixed’’ once devised, a value-optimal maintenance strategy is dynamic and can change with environmental and market conditions.

Finally, we believe that the framework presented here offers rich possibilities for future work in benchmarking existing maintenance strategies based on their value implications, and in deriving new maintenance strategies that are ‘‘value-optimized.’’

REFERENCES

Block, H.W., Borges, W.S. and Savits, T.H. 1985. Age-Dependent Minimal Repair. Journal of Applied Probability 22(2): 370–385.
Brealy, R. and Myers, C. 2000. Fundamentals of Corporate Finance. 6th Ed. New York: Irwin/McGraw-Hill.
Dekker, R. 1996. Applications of maintenance optimization models: a review and analysis. Reliability Engineering and System Safety 51: 229–240.
Doyen, L. and Gaudoin, O. 2004. Classes of imperfect repair models based on reduction of failure intensity or virtual age. Reliability Engineering and System Safety 84: 45–56.
Hilber, P., Miranda, V., Matos, M.A. and Bertling, L. 2007. Multiobjective Optimization Applied to Maintenance Policy for Electrical Networks. IEEE Transactions on Power Systems 22(4): 1675–1682.
Kijima, M., Morimura, H. and Suzuki, Y. 1988. Periodical replacement problem without assuming minimal repair. European Journal of Operational Research 37(2): 194–203.
Malik, M.A.K. 1979. Reliable Preventive Maintenance Scheduling. AIIE Transactions 11(3): 221–228.
Marais, K., Lukachko, S., Jun, M., Mahashabde, A. and Waitz, I.A. 2008. Assessing the Impact of Aviation on Climate. Meteorologische Zeitung 17(2): 157–172.
Nakagawa, T. 1979a. Optimum policies when preventive maintenance is imperfect. IEEE Transactions on Reliability 28(4): 331–332.
Nakagawa, T. 1979b. Imperfect preventive-maintenance. IEEE Transactions on Reliability 28(5): 402–402.
Nakagawa, T. 1984. Optimal policy of continuous and discrete replacement with minimal repair at failure. Naval Research Logistics Quarterly 31(4): 543–550.
Nguyen, D.G. and Murthy, D.N.P. 1981. Optimal preventive maintenance policies for repairable systems. Operations Research 29(6): 1181–1194.
Pham, H. and Wang, H. 1996. Imperfect maintenance. European Journal of Operational Research 94: 425–438.
Rausand, M. and Høyland, A. 2004. System Reliability Theory: Models, Statistical Methods, and Applications. 2nd Ed. New Jersey: Wiley–Interscience.
Rosqvist, T., Laakso, K. and Reunanen, M. 2007. Value-driven maintenance planning for a production plant. Reliability Engineering & System Safety. In press, corrected proof.
Saleh, J.H. 2008. Flawed metrics: satellite cost per transponder and cost per day. IEEE Transactions on Aerospace and Electronic Systems 44(1).
Saleh, J.H. 2008. Durability choice and optimal design lifetime for complex engineering systems. Journal of Engineering Design 19(2).
Saleh, J.H., Lamassoure, E., Hastings, D.E. and Newman, D.J. 2003. Flexibility and the Value of On-Orbit Servicing: A New Customer-Centric Perspective. Journal of Spacecraft and Rockets 40(1): 279–291.
Saleh, J.H. and Marais, K. 2006. Reliability: how much is it worth? Beyond its estimation or prediction, the (net) present value of reliability. Reliability Engineering and System Safety 91(6): 665–673.
Sinden, J.A. and Worrell, A.C. 1979. Unpriced values: Decisions without market prices. New York: Wiley–Interscience.
Tan, C.M. and Raghavan, N. In press. A framework to practical predictive maintenance modeling for multi-state systems. Reliability Engineering & System Safety. Corrected proof, available online 21 September 2007. DOI: 10.1016/j.ress.2007.09.003.
Wang, H. 2002. A survey of maintenance policies of deteriorating systems. European Journal of Operational Research 139: 469–489.
Wang, H. and Pham, H. 1996. Optimal maintenance policies for several imperfect repair models. International Journal of Systems Science 27(6): 543–549.
Wang, H. and Pham, H. 1996. Optimal age-dependent preventive maintenance policies with imperfect maintenance. International Journal of Reliability, Quality and Safety Engineering 3(2): 119–135.
Wang, H. and Pham, H. 1999. Some maintenance models and availability with imperfect maintenance in production systems. Annals of Operations Research 91: 305–318.
Waeyenbergh, G. and Pintelon, L. 2002. A framework for maintenance concept development. International Journal of Production Economics 77(3): 299–313.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
A. Crespo Márquez, P. Moreu de León, J.F. Gómez Fernández, C. Parra Márquez & V. González
Department Industrial Management, School of Engineering, University of Seville, Spain
ABSTRACT: The objective of this paper is to define a process for maintenance management and to classify maintenance engineering techniques within that process. Regarding the maintenance management process, we present a generic model proposed for maintenance management which integrates other models found in the literature for built and in-use assets, and consists of eight sequential management building blocks. The different maintenance engineering techniques play a crucial role within each one of those eight management building blocks. Following this path we characterize the ‘‘maintenance management framework’’, i.e. the supporting structure of the management process.
We offer a practical vision of the set of activities composing each management block, and the result of the paper is a classification of the different maintenance engineering tools. The discussion of the different tools can also classify them as qualitative or quantitative. At the same time, some tools are very analytical while others are highly empirical. The paper also discusses the proper use of each tool or technique according to the volume of data/information available.
1 THE MAINTENANCE MANAGEMENT PROCESS

The maintenance management process can be divided into two parts: the definition of the strategy, and the strategy implementation. The first part, definition of the maintenance strategy, requires the definition of the maintenance objectives as an input, which will be derived directly from the business plan. This initial part of the maintenance management process conditions the success of maintenance in an organization, and determines the effectiveness of the subsequent implementation of the maintenance plans, schedules, controls and improvements. Effectiveness shows how well a department or function meets its goals or company needs, and is often discussed in terms of the quality of the service provided, viewed from the customer’s perspective. This will allow us to arrive at a position where we will be able to minimize the maintenance indirect costs [3], those costs associated with production losses, and ultimately, with customer dissatisfaction. In the case of maintenance, effectiveness can represent the overall company satisfaction with the capacity and condition of its assets [4], or the reduction of the overall company cost obtained because production capacity is available when needed [5]. Effectiveness concentrates then on the correctness of the process and whether the process produces the required result.

The second part of the process, the implementation of the selected strategy, has a different significance level. Our ability to deal with the maintenance management implementation problem (for instance, our ability to ensure proper skill levels, proper work preparation, suitable tools and schedule fulfilment) will allow us to minimize the maintenance direct cost (labour and other maintenance required resources). In this part of the process we deal with the efficiency of our management, which should be less important. Efficiency is acting or producing with minimum waste, expense, or unnecessary effort. Efficiency is then understood as providing the same or better maintenance for the same cost.

In this paper we present a generic model proposed for maintenance management which integrates other models found in the literature (see for instance [6,7]) for built and in-use assets, and consists of eight sequential management building blocks, as presented in Figure 1. The first three building blocks condition maintenance effectiveness, the fourth and fifth ensure maintenance efficiency, blocks six and seven are devoted to maintenance and assets life cycle cost assessment, and finally block number eight ensures continuous maintenance management improvement.
[Figure 1 residue: the phases of the model grouped under Effectiveness, Efficiency, Assessment and Improvement. Phase 1: Definition of the maintenance objectives and KPI’s, Balance Score Card (BSC); Phase 2: Assets priority and maintenance strategy definition, Criticality Analysis (CA); Phase 3: Immediate intervention on high impact weak points, Failure Root Cause Analysis (FRCA); Phase 4: Design of the preventive maintenance plans and resources, Reliability-Centred Maintenance (RCM); Phase 8: Continuous Improvement and new techniques utilization, Total Productive Maintenance (TPM), e-maintenance.]
Figure 1. Maintenance management model.
[Figure 4 residue: criticality matrix with Frequency (4, 3, 2, 1) on the vertical axis and Consequence (10, 20, 30, 40, 50) on the horizontal axis; regions labelled Critical, Semi-critical and Non-critical; assets A, B and C located in the matrix.]
Figure 4. Criticality matrix and assets location.

[Table residue (caption not on the page): criticality criteria Maintainability (M), Reliability (R), Delivery (D), Working Time (W), Quality (Q), Safety (S) and Environment (E), with the asset category codes A, A.B and B.C listed against each criterion.]

… available resources to mitigate risk in a cost-effective and efficient manner. Risk assessment is the part of the ongoing risk management process that assigns relative priorities for mitigation plans and implementation. In professional risk assessments, risk combines the probability of an event occurring with the impact that event would cause. The usual measure of risk for a class of events is then R = P × C, where P is probability and C is consequence. The total risk is therefore the sum of the individual class-risks (see risk/criticality matrix in Figure 4).

Risk assessment techniques can be used to prioritize assets and to align maintenance actions to business targets at any time. By doing so we ensure that indirect maintenance cost, the most important mainte-
[Figure 6 residue: criticality and asset category feeding the maintenance strategy definition; category A: reach optimal reliability, maintainability and availability levels; category C: sustain and improve the current situation.]
Figure 6. Example of maintenance strategy definition for different category assets [2].

[Figure 7 residue: Initial Phase (RCM team conformation, operational context, functions, functional failures, failure modes), Implementation phase, Final Phase (maintenance plan documentation).]
Figure 7. RCM implementation process.

[Figure 8 residue: Equipment status & functional dependencies, Optimality Criteria, Failure Dynamics, Preventive Maintenance Plan, System constraints and Work in process feed a Monte Carlo Model that produces the PM Schedule.]
Figure 8. Obtaining the PM schedule.

Finding and eliminating, if possible, the causes of those failures could be an immediate intervention providing a fast and important initial payback of our maintenance management strategy. The entire and detailed equipment maintenance analysis and design could be accomplished, reaping the benefits of this intervention if successful.

There are different methods developed to carry out this weak point analysis, one of the best known being root-cause failure analysis (RCFA). This method consists of a series of actions taken to find out why a particular failure or problem exists and to correct those causes. Causes can be classified as physical, human or latent. The physical cause is the reason why the asset failed, the technical explanation of why things broke or failed. The human cause includes the human errors (omission or commission) resulting in physical roots. Finally, the latent cause includes the deficiencies in the management systems that allow the human errors to continue unchecked (flaws in the systems and procedures). Latent failure causes will be our main concern at this point of the process.

Designing the preventive maintenance plan for a certain system (Phase 4) requires identifying its functions, the way these functions may fail, and then establishing a set of applicable and effective preventive maintenance tasks, based on considerations of system safety and economy. A formal method to do this is Reliability Centred Maintenance (RCM), as in Figure 7.

Optimization of maintenance planning and scheduling (Phase 5) can be carried out to enhance the effectiveness and efficiency of the maintenance policies resulting from an initial preventive maintenance plan and program design.

Models to optimize maintenance plans and schedules will vary depending on the time horizon of the analysis. Long-term models address maintenance capacity planning, spare parts provisioning and the maintenance/replacement interval determination problems; mid-term models may address, for instance, the scheduling of the maintenance activities in a long plant shut down, while short term models focus on resources allocation and control [13]. Modelling approaches, analytical and empirical, are very diverse. The complexity of the problem is often very high and forces the consideration of certain assumptions in order to simplify the analytical resolution of the models, or sometimes to reduce the computational needs.

For example, the use of Monte Carlo simulation modelling can improve preventive maintenance scheduling, allowing the assessment of alternative scheduling policies that could be implemented dynamically on the plant/shop floor (see Figure 8).

Using a simulation model, we can compare and discuss the benefits of different scheduling policies on the status of current manufacturing equipment and several operating conditions of the production materials flow. To do so, we estimate measures of performance by treating simulation results as a series of realistic
[Figure 9 residue: CAPEX (Capital Costs: Development costs and Investment costs; Design, Acquisition) and OPEX (Operational Costs: Operation costs; Corrective Maintenance + Security, Environment, Production = Non Reliability Costs = Risk).]
Figure 9. Life cycle cost analysis.

[Figure residue (caption not on the page): Conventional Maintenance versus E-maintenance; Top Management; Reports; Assets / Information Source.]
REFERENCES

[1] EN 13306:2001, (2001) Maintenance Terminology. European Standard. CEN (European Committee for Standardization), Brussels.
[2] Crespo Marquez, A, (2007) The maintenance management Framework. Models and methods for complex systems maintenance. London: Springer Verlag.
[3] Vagliasindi F, (1989) Gestire la manutenzione. Perche e come. Milano: Franco Angeli.
[4] Wireman T, (1998) Developing performance indicators for managing maintenance. New York: Industrial Press.
[5] Palmer RD, (1999) Maintenance Planning and Scheduling. New York: McGraw-Hill.
[6] Pintelon LM, Gelders LF, (1992) Maintenance management decision making. European Journal of Operational Research, 58: 301–317.
[7] Vanneste SG, Van Wassenhove LN, (1995) An integrated and structured approach to improve maintenance. European Journal of Operational Research, 82: 241–257.
[8] Gelders L, Mannaerts P, Maes J, (1994) Manufacturing strategy, performance indicators and improvement programmes. International Journal of Production Research, 32(4): 797–805.
[9] Kaplan RS, Norton DP, (1992) The Balanced Scorecard—measures that drive performance. Harvard Business Review, 70(1): 71–9.
[10] Tsang A, Jardine A, Kolodny H, (1999) Measuring maintenance performance: a holistic approach. International Journal of Operations and Production Management, 19(7): 691–715.
[11] Moubray J, (1997) Reliability-Centred Maintenance (2nd ed.). Oxford: Butterworth-Heinemann.
[12] Campbell JD, Jardine AKS, (2001) Maintenance excellence. New York: Marcel Dekker.
[13] Duffuaa SO, (2000) Mathematical models in maintenance planning and scheduling. In Maintenance, Modelling and Optimization. Ben-Daya M, Duffuaa SO, Raouf A, Editors. Boston: Kluwer Academic Publishers.
[14] Lee J, (2003) E-manufacturing: fundamental, tools, and transformation. Robotics and Computer-Integrated Manufacturing, 19(6): 501–507.
I.S. Lopes
School of Engineering, University of Minho, Braga, Portugal
A.F. Leitão
Polytechnic Institute of Bragança, Bragança, Portugal
G.A.B. Pereira
School of Engineering, University of Minho, Guimarães, Portugal
ABSTRACT: In industry, spare equipments are often shared by many workplaces with identical equipments to assure the production rate required to fulfill delivery dates. These types of systems are called ‘‘Maintenance Float Systems’’. The main objective of managers that deal with these types of systems is to assure the required capacity to deliver orders on time and at minimum cost. Not delivering on time often has important consequences; it can cause loss of customer goodwill, loss of sales and can damage the organization’s image. Maintenance cost is the indicator most frequently used to configure maintenance float systems and to invest in maintenance workers or spare equipments. Once the system is configured, other performance indicators must be used to characterize and measure the efficiency of the system. Different improvement initiatives can be performed to enhance the performance of maintenance float systems: performing preventive maintenance actions, implementation of autonomous maintenance, improvement of equipments maintainability, increase of maintenance crews’ efficiency, etc. ‘‘Carrying out improvement based on facts’’ is a principle of Total Quality Management (TQM) on the path to business excellence. It requires monitoring processes through performance measures. This work aims to characterize and highlight the differences and relationships between three types of performance measures—equipment availability, equipment utilization and workplace occupation, in the context of maintenance float systems. Definitions and expressions of these three indicators are developed for maintenance float systems. The relationship between maintenance float systems efficiency and the referred indicators is shown. Other indicators are also proposed and compared with the first ones (number of standby equipments, queue length, etc.).
[Figure 1. Maintenance Float System representation: units in standby, the workstation, and failed units in queue to be attended by the maintenance servers.]

undesirable effects in production, caused by downtimes. Spares can be efficiently managed when identical units are operating in parallel in the workstation. This type of system is called a ''Maintenance Float System''. ''Float'' designates the units in standby and the units waiting for maintenance actions in the maintenance center. A unit involved in a Maintenance Float System (MFS) switches among different states: operating in the workstation, waiting in the queue to be repaired, being repaired in the maintenance center, waiting until required by the workstation (see fig. 1).

Some studies present mathematical and simulation models to configure MFS. One of the first attempts to determine the number of float units was proposed by Levine (1965), who uses an analytical method based on traditional reliability theory. The author introduced a reliability factor based on the ratio MTTR/MTBF. Gross et al. (1983), Madu (1988) and Madu & Kuei (1996) use Buzen's algorithm. Zeng & Zhang (1997) consider a system where a key unit keeps the workstation functioning and a set of identical units are kept in a buffer to replace units sent for repair. The system is modeled as a closed queue (an M/M/S/F queue), and the idle probability of the system is obtained. The optimal values of the capacity of the inventory buffer (F), the size of the repair crew (S) and the mean repair rate are determined by minimizing the total cost. Shankar & Sahani (2003) consider a float system whose failures are classified as sudden and wear-out. Units subject to wear-out failures are replaced and submitted to preventive maintenance actions after a specific time period. Based on the reliability function of the system, the authors find the number of floating units needed to support the active units such that the number of active units does not change. Most of the studies based on simulation methods approach the design problem of MFS through the development of meta-models (models that express the input-output relationship in the form of a regression equation). Madu (2000) used Taguchi's techniques to construct the meta-model. Chen & Tseng (2003) used Neural Networks.

Maintenance cost is the indicator most frequently used to configure MFS and to hire maintenance workers or to invest in spare units (Zeng & Zhang 1997; Madu & Kuei 1996; Madu 1999; Chen & Tseng 2003). Lopes et al. (2006) present a cost model to determine the number of float units, the number of maintenance crews in the maintenance center and the time between periodic overhauls. Periodic overhauls are performed to improve equipment reliability and to minimize the number of breakdowns.

Once the system is configured, other performance indicators must be used to characterize and measure the efficiency of the system and to identify the potential improvement initiatives that can be implemented. Gupta & Rao (1996) present a recursive method to obtain the steady-state probability distribution of the number of down machines of a MFS. An M/G/1 queue is considered with only one repairman. Gupta & Rao (1996) use several performance measures to evaluate the efficiency of MFS: the average number of down machines, the average number of machines waiting in queue for repair, the average waiting time in queue, the average number of operating machines, the machine availability and the operator utilization. Each state of the system is characterized by the number of failed units. Gupta (1997) deals with the same queue model but considers that the server takes a vacation of random duration every time the repair facility becomes empty.

Lopes et al. (2007) also determine the state probabilities of a float system submitted to preventive maintenance at periodic overhauls and show the effect of performing overhauls on the units involved in a MFS. Each state of the system is defined by the number of failed units (i) and by the number of units submitted to or waiting for an overhaul (j). Lopes et al. (2007) conclude that periodic overhauls optimize the efficiency of the maintenance crews in the maintenance center. As in Gupta & Rao (1996), several maintenance indicators are defined and determined (average queue length, probability of waiting queue occurrence, average number of units not yet replaced, etc.).

This work presents and defines three types of maintenance indicators for MFS: equipment availability, equipment utilization and workplace occupation. Workplace occupation and other performance measures are determined for a MFS submitted to periodic overhauls.

This paper is organized as follows: section 2 discusses equipment availability. Section 3 studies equipment utilization. In section 4, workplace occupation is defined. Sections 5 and 6 present the indicators for a MFS submitted to periodic overhauls. Section 7 presents the conclusions.

[Figure: timeline of the states of one unit (active in the workstation, waiting in the queue, attended in the maintenance center, in standby) over the time axis from 0 to t.]

$$ A = \frac{T_{up}}{T_{up} + T_{down}} \qquad (1) $$

Figure 3. Equipment utilization in MFS.
for time loss (standby time and time spent in the queue).

4 WORKPLACE OCCUPATION

Workplace occupation depends on the time between failures and on the time until replacement of the failed unit (fig. 4).

Workplace occupation = time in workplace / operating cycle

This operating cycle ($D_w$), however, does not correspond to the cycle defined for equipment availability and utilization calculation purposes. This operating cycle (fig. 5) begins when a unit starts operating in the workstation and ends when another unit takes its place. For MFS, the new unit is different from the failed one and the replacement is performed before the repair of the initial unit is concluded.

$D_w$ = time in workstation + time until the replacement of the failed unit occurs

If the replacement of failed equipment is always immediate, then the workplace occupation will be 1, meaning that the workplace is always available when required. The time to replace a unit is neglected.

The time until a new unit starts operating in the workplace depends on the time to repair and on the number of spare units. Workplace occupation is related to equipment availability and utilization. Equipment utilization can be low due to time to repair or due to standby time. In the first case, workplace occupation is also low. In the second case, the workplace occupation is high. In this case, the average number of units in standby can give an idea of the equipment utilization and also of the workplace occupation. If the average number of units in standby is high, then the workplace occupation will also be high, since the availability of spare units is high.

5 WORKPLACE OCCUPATION FOR A MFS SUBMITTED TO PERIODIC OVERHAULS

Based on the model developed in Lopes et al. (2007), workplace occupation is determined. Lopes et al. (2007) present a preventive maintenance model with replacement at constant time intervals or upon failure for a network with load-dependent maintenance service. Each system state is represented by $(i, j)$, where $i$ is the number of failed units and $j$ is the number of units waiting for or under overhaul. $P_{i,j}$ denotes the state probability for the MFS. The queue for the maintenance center follows a FIFO (First In, First Out) discipline. Failed units form a queue and are replaced as and when spare units are available. A unit that needs an overhaul is kept in operation waiting for its turn to be attended, and the replacement takes place when the overhaul is initiated. If a unit that needs an overhaul fails before being attended, it will be replaced if a spare unit is available. In this case, this unit is treated like a failed unit.

Lopes et al. (2007) address both problems:
• the number of spare units (R) is greater than the number of maintenance crews (L); (R ≥ L).
• the number of spare units (R) is lower than the number of maintenance crews (L); (R ≤ L).

In this work, the expression for workplace occupation will be determined for the first problem above.

[Figure: the workstation with workplace 1, workplace 2, ..., workplace M.]
actions with a service rate of 'a' and 'b' respectively. $\mu$ can be determined based on the repair rate ($\mu_{rep}$), on the overhaul rate ($\mu_{rev}$) and on the number of maintenance crews ($L$), see equation 4.

$$ W_{r+1}(t) = \mu^{r+1} \, \frac{t^{r} e^{-\mu t}}{r!} \qquad (5) $$

The average waiting time is given by equation 6.

$$ \int_{0}^{\infty} t \cdot \mu^{r+1} \cdot \frac{t^{r} e^{-\mu t}}{r!} \, dt = \frac{r+1}{\mu} \qquad (6) $$

[Figure: (a) machine ready to be overhauled and (b) failed machine; timelines over $T$ marking the intervals $A_L \cap A_R$, $t$ and $b_2$, the failure instant $X$, and the states active machine and failed machine in queue.]

– There is at least one spare unit available ($A_L \cap A_R \cap$
Once $\max[0;\,(i + j - L)\cdot a + 1 - (R - L)]$ is the number of non-replaced failed units, the failed unit $i + j + 1$ will be replaced after the release of $\max[0;\,(i + j - L)\cdot a + 1 - (R - L)]/a$ units from the maintenance center (number of non-replaced failed units divided by the fraction of failed units in the queue). The time elapsed until the replacement is given by equation 9.

$$ \tau_{b2} = \frac{\max[0;\,(i + j - L)\cdot a + 1 - (R - L)]}{a \mu} \qquad (9) $$

(see equation 12).

$$ t_v = \frac{\displaystyle \int_{0}^{\infty} \int_{0}^{t} \mu^{r+1} \, \frac{t^{r} e^{-\mu t}}{r!} \cdot \tau \cdot \lambda_f e^{-\lambda_f \tau} \, d\tau \, dt}{P_F} \qquad (11) $$

$t_1$ and $t_2$ have the same expressions, since the maintenance rates and the expressions for the number of releases from the maintenance center until the overhaul is initiated ($r = i + j - L$) are identical.

Simplifying:
6 OTHER MAINTENANCE INDICATORS FOR MFS SUBMITTED TO OVERHAULS

6.1 Average number of units waiting for and under maintenance actions

For a MFS submitted to preventive maintenance, the determination of equipment availability needs to incorporate the time to perform an overhaul and the time to repair. Then, the number of non-operational units (the related indicator) includes failed units and units waiting for and under overhaul, see equation 15.

$$ \sum_{i,j} P_{i,j}\,(i + j) \qquad (15) $$

6.2 Average number of units in the queue

The average number of units in the queue (equation 16) allows the identification of the need for maintenance center improvement.

$$ \sum_{i + j \ge L} P_{i,j}\,(i + j - L) \qquad (16) $$

7 CONCLUSIONS

The three indicators, equipment availability, equipment utilization and workplace occupation, addressed in this work are important and need to be used in order to prioritize improvement initiatives and monitor the efficiency of MFS. Analytically, it seems complex to determine equipment availability and equipment utilization. It involves quantifying the time in standby. However, as shown, some other indicators provide similar information and are easier to determine.

Decision makers use several kinds of indicators to define and identify improvement initiatives. However, one of the most important indicators for production processes in the context of MFS is the workplace occupation. It gives information about the workstation efficiency. Improvement in the occupation rate can be achieved by:

• Increasing the number of spare units. Increasing the number of spare units allows increasing the workplace occupation, but it also decreases the equipment utilization rate. Utilization needs to be as close as possible to equipment availability. However, the holding cost of spare units and the investment made need to be balanced with the cost of lost production.
• Increasing the number of maintenance servers. The maintenance center will deliver repaired units more frequently, and then the units will have a higher availability.
• Improving maintenance efficiency. Maintenance efficiency can be enhanced by performing preventive maintenance actions or equipment improvement (enhancing reliability or maintainability), changing work procedures and training operators. Improving maintenance efficiency has the same effect as increasing maintenance servers, but it often requires less investment.

REFERENCES

Alsyouf, I. 2006. Measuring maintenance performance using a balanced scorecard approach. Journal of Quality in Maintenance Engineering 12(2):133–149.
Alsyouf, I. 2007. The role of maintenance in improving companies' productivity and profitability. International Journal of Production Economics 105(1):70–78.
Chen, M.-C. & Tseng, H.-Y. 2003. An approach to design of maintenance float systems. Integrated Manufacturing Systems 14(3):458–467.
Gross, D., Miller, D.R. & Soland, R.M. 1983. A closed queueing network model for multi-echelon repairable item provisioning. IIE Transactions 15(4):344–352.
Gupta, S.M. 1997. Machine interference problem with warm spares, server vacations and exhaustive service. Performance Evaluation 29:195–211.
Gupta, U.C. & Rao, T.S. 1996. On the M/G/1 machine interference model with spares. European Journal of Operational Research 89:164–171.
Levine, B. 1965. Estimating maintenance float factors on the basis of reliability theory. Industrial Quality Control 4(2):401–405.
Lopes, I., Leitão, A. & Pereira, G. 2006. A maintenance float system with periodic overhauls. In Guedes Soares & Zio (eds), ESREL 2006, Portugal.
Lopes, I., Leitão, A. & Pereira, G. 2007. State probabilities of a float system. Journal of Quality in Maintenance Engineering 13(1):88–102.
Madu, C.N. 1988. A closed queuing maintenance network with two repair centers. Journal of the Operational Research Society 39(10):959–967.
Madu, C.N. 2000. Competing through maintenance strategies. International Journal of Quality and Reliability Management 17(7):937–948.
Madu, C.N. & Kuei, C.-H. 1996. Analysis of multiechelon maintenance network characteristic using implicit enumeration algorithm. Mathematical and Computer Modelling 24(3):79–92.
Madu, I.E. 1999. Robust regression metamodel for a maintenance float policy. International Journal of Quality & Reliability Management 16(3):433–456.
Shankar, G. & Sahani, V. 2003. Reliability analysis of a maintenance network with repair and preventive maintenance. International Journal of Quality & Reliability Management 20(2):268–280.
Zeng, A.Z. & Zhang, T. 1997. A queuing model for designing an optimal three-dimensional maintenance float system. Computers & Operations Research 24(1):85–95.
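The indicators defined in sections 4 and 6 of the paper above can be checked numerically. The following example is added here and is not part of the paper: it simulates a maintenance float system with M workplaces, R spare units and L maintenance crews (FIFO queue, immediate replacement from standby) and computes equipment availability, equipment utilization, workplace occupation, average queue length and average number of units in standby from the time each unit spends in each state. It assumes exponential failure and repair times and omits the periodic overhauls of section 5; under that assumption the number of failed units is a birth-death chain, so the example also solves it in closed form (in the spirit of the steady-state probabilities of Gupta & Rao 1996) and the simulated indicators can be checked against it. The function and parameter names are this example's own.

```python
import heapq
import random


def simulate_mfs(M, R, L, lam, mu, horizon, seed=0):
    """Discrete-event simulation of a maintenance float system.

    M workplaces, R spare units, L maintenance crews (FIFO queue).
    Failure and repair times are exponential with rates lam and mu
    (assumption of this example). Returns the indicators of sections 4 and 6
    computed from the time every unit spends in each state.
    """
    rng = random.Random(seed)
    n = M + R
    state = ["standby"] * n            # operating | queue | repair | standby
    since = [0.0] * n                  # instant the unit entered its state
    spent = [dict(operating=0.0, queue=0.0, repair=0.0, standby=0.0) for _ in range(n)]
    queue, standby, events = [], list(range(M, n)), []
    busy_crews, free_workplaces, seq = 0, 0, 0

    def move(u, new_state, now):
        spent[u][state[u]] += now - since[u]
        state[u], since[u] = new_state, now

    def schedule(t, kind, u):
        nonlocal seq
        heapq.heappush(events, (t, seq, kind, u))
        seq += 1

    def start_operating(u, now):
        move(u, "operating", now)
        schedule(now + rng.expovariate(lam), "fail", u)

    def start_repair(u, now):
        nonlocal busy_crews
        move(u, "repair", now)
        busy_crews += 1
        schedule(now + rng.expovariate(mu), "repaired", u)

    for u in range(M):                 # M units start in the workplaces
        start_operating(u, 0.0)

    while events and events[0][0] <= horizon:
        now, _, kind, u = heapq.heappop(events)
        if kind == "fail":
            move(u, "queue", now)      # failed unit goes to the maintenance center
            if busy_crews < L:
                start_repair(u, now)
            else:
                queue.append(u)
            if standby:                # immediate replacement from standby
                start_operating(standby.pop(0), now)
            else:
                free_workplaces += 1   # workplace idle: loss of occupation
        else:                          # "repaired": crew released
            busy_crews -= 1
            if free_workplaces:
                free_workplaces -= 1
                start_operating(u, now)
            else:
                move(u, "standby", now)
                standby.append(u)
            if queue:
                start_repair(queue.pop(0), now)

    for u in range(n):                 # close the accounting at the horizon
        spent[u][state[u]] += horizon - since[u]
    tot = {k: sum(s[k] for s in spent) for k in spent[0]}
    return {
        "availability": 1.0 - (tot["queue"] + tot["repair"]) / (n * horizon),
        "utilization": tot["operating"] / (n * horizon),
        "workplace_occupation": tot["operating"] / (M * horizon),
        "avg_queue_length": tot["queue"] / horizon,
        "avg_standby": tot["standby"] / horizon,
    }


def steady_state_mfs(M, R, L, lam, mu):
    """Closed form for the same exponential model: birth-death chain on
    k = number of failed units (in queue or under repair), with failure rate
    min(M, M+R-k)*lam and repair rate min(k, L)*mu."""
    n = M + R
    w = [1.0]
    for k in range(1, n + 1):
        w.append(w[-1] * min(M, n - k + 1) * lam / (min(k, L) * mu))
    pi = [x / sum(w) for x in w]
    operating = sum(p * min(M, n - k) for k, p in enumerate(pi))
    in_repair = sum(p * min(k, L) for k, p in enumerate(pi))
    in_queue = sum(p * max(0, k - L) for k, p in enumerate(pi))
    return {
        "availability": 1.0 - (in_queue + in_repair) / n,
        "utilization": operating / n,
        "workplace_occupation": operating / M,
        "avg_queue_length": in_queue,
        "avg_standby": n - operating - in_repair - in_queue,
    }


if __name__ == "__main__":
    for R in (1, 3):                   # more spares: occupation up, utilization down
        sim = simulate_mfs(4, R, 1, 0.1, 0.5, 20000.0, seed=7)
        exact = steady_state_mfs(4, R, 1, 0.1, 0.5)
        print(f"R={R}", {k: (round(sim[k], 3), round(exact[k], 3)) for k in sim})
```

Running the two configurations shows the trade-off stated in section 6: with R = 3 spares the workplace occupation is higher than with R = 1, while equipment utilization is lower, and utilization never exceeds availability because the gap between them is exactly the standby time. The closed form is only valid for the exponential assumption; with periodic overhauls or non-exponential repair times the simulation still applies but the comparison against `steady_state_mfs` does not.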
Monte Carlo methods in system safety and reliability
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: This paper presents a practical view of the behaviour of an industrial assembly in order to assess
its availability and reliability. For that purpose a complex system, a Bioethanol Plant, is used. A computerized
model helps to create a realistic scenario of the Bioethanol Plant life cycle, obtaining an estimate of the most
important performance measures through real data and statistical inference. In this way, it is possible to compare
and discuss the benefit of different plant configurations using the model and following the initial technical
specifications. Basically, for these purposes the Bioethanol Plant is divided into functional blocks, defining their
tasks and features, as well as their dependencies according to the plant configuration. Additionally, maintenance
information and databases are required for the defined functional blocks. Once these data have been compiled,
and using any commercial software, it is possible to build a model of the plant and to simulate scenarios and
experiments for each considered configuration. Availability and reliability parameters are obtained for the most
important functions, following different plant configurations. From their interpretation, it is worth considering
actions that improve the availability and reliability of the system under different plant functional requirements.
Among other important aspects, a sensitivity analysis can also be explored, i.e., the study of how parameter
modifications influence the result or final goal.
2.2 Data compiling

Description: Maintenance information and database

[Figure: process diagram with Grain (starch) and Water feeding Milling, Hydrolysis and Saccharification.]
Figure 3. Diagram of the mashing, cooking, liquefaction and fermentation system.

Figure 4. Diagram of the distillation and dehydration system.

3.2 Hydrolysis

The slurry temperature is raised in order to accelerate the hydrolysis of the grain's starch into solution. Again there is an optimum depending on the grain type: if the slurry is too hot, the viscosity is excessive, and if it is too cool, the residence time required for effective hydrolysis is too long.
4.1.3 System availability and unavailability

For the system to be available, each subsystem should be available. Thus:

$$ A_{series} = A_1 \cdot A_2 $$
state. The probability of finding subsystem #2 in the failure state is given by:

$$ \frac{MDT_2}{MTBF_2 + MDT_2} $$

Assuming that:

$$ UA_1 \cdot UA_2 = \frac{MDT_1}{MTBF_1} \cdot \frac{MDT_2}{MTBF_2} $$

Consequently:

$$ MDT_{parallel} = \frac{MDT_1 \cdot MDT_2}{MDT_1 + MDT_2} $$
4.3.3 System availability and unavailability

For the system to be available, at least $(n - m + 1)$ subsystems should be available (i.e. the system fails when $m$ subsystems have failed). Thus:

$$ A_{m\_out\_of\_n} = \sum_{i = n - m + 1}^{n} \frac{n!}{(n - i)! \cdot i!} \, A^{i} (1 - A)^{n - i} $$

Using the following equality:

$$ 1 = [A + (1 - A)]^{n} = \sum_{i = 0}^{n} \frac{n!}{(n - i)! \cdot i!} \, A^{i} (1 - A)^{n - i} $$

$$ MDT_{m\_out\_of\_n} = \frac{MDT}{m} $$

5.1 System failure rate

• $\lambda_{CO_2} = \lambda_{Milling} + \lambda_{Fermentation}$
• $\lambda_{Ethanol} = \lambda_{Milling} + \lambda_{Fermentation} + \lambda_{Distillation} + \lambda_{Dehydration}$
• $\lambda_{DDGS} = \lambda_{Milling} + \lambda_{Fermentation} + \lambda_{Distillation} + \lambda_{Centrifugation} + \lambda_{Drying}$
• $\lambda_{Syrup} = \lambda_{Milling} + \lambda_{Fermentation} + \lambda_{Distillation} + \lambda_{Centrifugation} + \lambda_{Evaporation}$

Here, Hydrolysis and Saccharification have been included in the same process area as Fermentation.

$$ MTBF_{Dis+Cen} = \frac{MTBF_{Distillation} \cdot MTBF_{Centrifugation}}{MTBF_{Distillation} + MTBF_{Centrifugation}} $$
5.4 System Mean Down Time (MDT)

• $MDT_{CO_2} = \dfrac{MTBF_{Milling} \cdot MDT_{Fermentation} + MTBF_{Fermentation} \cdot MDT_{Milling}}{MTBF_{Milling} + MTBF_{Fermentation}}$

• $MDT_{Ethanol} = \dfrac{MTBF_{CO_2} \cdot MDT_{Dis+Deh} + MTBF_{Dis+Deh} \cdot MDT_{CO_2}}{MTBF_{CO_2} + MTBF_{Dis+Deh}}$, where
$MDT_{Dis+Deh} = \dfrac{MTBF_{Distillation} \cdot MDT_{Dehydration} + MTBF_{Dehydration} \cdot MDT_{Distillation}}{MTBF_{Distillation} + MTBF_{Dehydration}}$

• $MDT_{DDGS} = \dfrac{MTBF_{CO_2} \cdot MDT_{Dis+Cen+Dry} + MTBF_{Dis+Cen+Dry} \cdot MDT_{CO_2}}{MTBF_{CO_2} + MTBF_{Dis+Cen+Dry}}$, where
$MDT_{Dis+Cen+Dry} = \dfrac{MTBF_{Dis+Cen} \cdot MDT_{Drying} + MTBF_{Drying} \cdot MDT_{Dis+Cen}}{MTBF_{Dis+Cen} + MTBF_{Drying}}$, and
$MDT_{Dis+Cen} = \dfrac{MTBF_{Distillation} \cdot MDT_{Centrifugation} + MTBF_{Centrifugation} \cdot MDT_{Distillation}}{MTBF_{Distillation} + MTBF_{Centrifugation}}$

• $MDT_{Syrup} = \dfrac{MTBF_{CO_2} \cdot MDT_{Dis+Cen+Eva} + MTBF_{Dis+Cen+Eva} \cdot MDT_{CO_2}}{MTBF_{CO_2} + MTBF_{Dis+Cen+Eva}}$, where
$MDT_{Dis+Cen+Eva} = \dfrac{MTBF_{Dis+Cen} \cdot MDT_{Evaporation} + MTBF_{Evaporation} \cdot MDT_{Dis+Cen}}{MTBF_{Dis+Cen} + MTBF_{Evaporation}}$, and
$MDT_{Dis+Cen} = \dfrac{MTBF_{Distillation} \cdot MDT_{Centrifugation} + MTBF_{Centrifugation} \cdot MDT_{Distillation}}{MTBF_{Distillation} + MTBF_{Centrifugation}}$

Once these formulas have been developed for the main parts of the process, it is possible to continue breaking them down to whatever depth is wanted. It is clear that each area (milling, fermentation, distillation, ...) in the plant actually has its own configuration for its different devices and equipment, with its specific combination of these subsystems in series or in parallel (see for instance the different block diagrams also included in Section 3).

Therefore, and as just mentioned, the reliability characteristics can also be broken down to such a level of detail that it is possible to apply real values for such units. Many databases have been published which include real values for process equipment, and which can be applied to analyze the reliability characteristics of the whole complex system, in this case, a Bioethanol Plant.

6 CONCLUSION

With this research we intend to improve the estimates, demonstrating as well how requirements expressed in initial technical specifications can be incompatible or even impossible to meet for certain plant configurations. That is, availability expectations for proposed configurations of the whole plant could be lower, even with higher reliability or maintainability of each functional block, following the technical requirements in effect.

Additionally, reasonable estimates will be provided for the production availability, which can be delivered to the final customer in a more realistic engineering project. These estimates will be based on validated calculations of the functional blocks considered for the model simulation, showing moreover the importance and opportunity of a sensitivity analysis. It can also be decisive for the final selection of the plant's technical configuration.

At the same time, this study can also be used to adjust some initial requirements in the plant technical specification. Once the data have been introduced in the model, they can be adjusted according to the real equipment included in the offer. Incidentally, it is possible to study logistical aspects like the amount of spare parts in stock.

Finally, not only are availability and reliability important, but the cost estimate is also a key factor. Therefore, an extension of this study could be to transfer the information provided in this research to a life cycle cost model, with the intention of assessing the plant globally, as mentioned above.

ACKNOWLEDGEMENTS

The author would like to thank the reviewers of the paper for their contribution to the quality of this work.
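The series, parallel and m-out-of-n expressions of sections 4.1.3 and 4.3.3, the parallel-subsystem MDT following section 4.1.3, and the stream failure rates and down times of sections 5.1 and 5.4 above, collected into one runnable example. This code is added here and is not part of the paper; the block MTBF/MDT values are constructed for illustration, not the plant's real figures, and the function names are this example's own. `series_mdt` is the general failure-rate-weighted form of which the two-block expressions in section 5.4 are instances, and `nested_ethanol_mdt` checks that nesting the two-block formula, as the paper does for the ethanol stream, gives the same result as applying the general form once.

```python
from math import comb


def series_availability(availabilities):
    """A_series = A_1 * A_2 * ... (section 4.1.3): every block must be up."""
    a = 1.0
    for ai in availabilities:
        a *= ai
    return a


def series_failure_rate(rates):
    """lambda of blocks in series is the sum of the block rates (section 5.1)."""
    return sum(rates)


def series_mtbf(mtbfs):
    """1/MTBF_series = sum(1/MTBF_i); for two blocks this is
    MTBF_1 * MTBF_2 / (MTBF_1 + MTBF_2) as for MTBF_Dis+Cen."""
    return 1.0 / sum(1.0 / m for m in mtbfs)


def series_mdt(blocks):
    """Failure-rate-weighted mean down time of blocks in series (section 5.4).
    blocks is a list of (MTBF, MDT) pairs. For two blocks this reduces to
    (MTBF_1 * MDT_2 + MTBF_2 * MDT_1) / (MTBF_1 + MTBF_2)."""
    return sum(mdt / mtbf for mtbf, mdt in blocks) / sum(1.0 / mtbf for mtbf, _ in blocks)


def parallel_mdt(mdt1, mdt2):
    """MDT_parallel = MDT_1 * MDT_2 / (MDT_1 + MDT_2) for two parallel blocks."""
    return mdt1 * mdt2 / (mdt1 + mdt2)


def m_out_of_n_availability(a, n, m):
    """Section 4.3.3: the system is up while at least n-m+1 of n identical
    blocks of availability a are up (it fails when m blocks have failed)."""
    return sum(comb(n, i) * a ** i * (1 - a) ** (n - i) for i in range(n - m + 1, n + 1))


def m_out_of_n_mdt(mdt, m):
    """MDT_m_out_of_n = MDT / m, as given in section 4.3.3."""
    return mdt / m


# Constructed block data (MTBF, MDT) in hours: illustrative values only.
BLOCKS = {
    "Milling": (2000.0, 8.0),
    "Fermentation": (1500.0, 24.0),
    "Distillation": (3000.0, 12.0),
    "Dehydration": (4000.0, 6.0),
    "Centrifugation": (2500.0, 10.0),
    "Drying": (1800.0, 16.0),
    "Evaporation": (3500.0, 9.0),
}

# Section 5.1: the blocks each product stream depends on, in series.
PRODUCTS = {
    "CO2": ["Milling", "Fermentation"],
    "Ethanol": ["Milling", "Fermentation", "Distillation", "Dehydration"],
    "DDGS": ["Milling", "Fermentation", "Distillation", "Centrifugation", "Drying"],
    "Syrup": ["Milling", "Fermentation", "Distillation", "Centrifugation", "Evaporation"],
}


def product_indicators(product, blocks=BLOCKS, products=PRODUCTS):
    """Failure rate, MTBF, MDT and availability of one product stream."""
    chain = [blocks[name] for name in products[product]]
    lam = series_failure_rate(1.0 / mtbf for mtbf, _ in chain)
    mtbf = series_mtbf(mtbf for mtbf, _ in chain)
    mdt = series_mdt(chain)
    avail = series_availability(mtbf / (mtbf + mdt) for mtbf, mdt in chain)
    return {"failure_rate": lam, "mtbf": mtbf, "mdt": mdt, "availability": avail}


def nested_ethanol_mdt(blocks=BLOCKS):
    """Section 5.4 as written: combine Distillation+Dehydration first, then
    with the CO2 chain; this must equal series_mdt over all four blocks."""
    mill, ferm = blocks["Milling"], blocks["Fermentation"]
    dis, deh = blocks["Distillation"], blocks["Dehydration"]
    co2 = (series_mtbf([mill[0], ferm[0]]), series_mdt([mill, ferm]))
    dis_deh = (series_mtbf([dis[0], deh[0]]), series_mdt([dis, deh]))
    return series_mdt([co2, dis_deh])


if __name__ == "__main__":
    for p in PRODUCTS:
        print(p, {k: round(v, 6) for k, v in product_indicators(p).items()})
    print("nested vs direct ethanol MDT:", nested_ethanol_mdt(), product_indicators("Ethanol")["mdt"])
    print("2-out-of-3 availability at A = 0.9:", m_out_of_n_availability(0.9, 3, 2))
```

The nesting check matters in practice: the two-block MDT formula is a failure-rate-weighted average, so it can be applied hierarchically in any grouping, but only as long as every intermediate pair carries its own combined MTBF, which is why each "where" clause in section 5.4 needs the matching MTBF of the group.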
ABSTRACT: Two problems often encountered in uncertainty processing (and especially in safety studies)
are the following: modeling uncertainty when information is scarce or not fully reliable, and taking account
of dependencies between variables when propagating uncertainties. To solve the first problem, one can model
uncertainty by sets of probabilities rather than by single probabilities, resorting to imprecise probabilistic models.
The Iman and Conover method is an efficient and practical means to solve the second problem when uncertainty is
modeled by single probabilities and when dependencies are monotonic. In this paper, we propose to combine
these two solutions, by studying how the Iman and Conover method can be used with imprecise probabilistic
models.
Dubois 2006) and probability boxes (p-boxes for short) (Ferson, Ginzburg, Kreinovich, Myers, and Sentz 2003), the two practical probabilistic models we are going to consider. More details can be found in the references.

2.1 Integrating monotonic dependencies in sampling procedures

The first problem we deal with is the integration of dependencies into sampling schemes. In the sequel, $S_{i,j}$ denotes the matrix element in the $i$th line and $j$th column of $S$, while $S_{\cdot,j}$ and $S_{i,\cdot}$ respectively denote the $j$th column and the $i$th line of $S$.

Suppose we consider two variables $X$, $Y$ and a sample $(x_j, y_j)$ of size $M$ of these two variables. Then, if we replace the values $x_j$ and $y_j$ by their respective ranks (the lowest value among the $x_j$ receives rank 1, the second lowest rank 2, ..., and similarly for the $y_j$), their Spearman rank correlation coefficient $r_s$, which is equivalent to the Pearson correlation computed on the ranks, is given by

$$ r_s = 1 - \frac{6 \sum_{j=1}^{M} d_j^2}{M (M^2 - 1)} $$

with $d_j$ the difference of rank between $x_j$ and $y_j$. The Spearman correlation $r_s$ has various advantages:

i. it allows measuring or characterizing monotonic (not necessarily linear) dependencies between variables;
ii. it depends only on the ranks, not on the particular values of the variables (i.e. it is distribution-free).

Although Spearman rank correlations are not able to capture all kinds of dependencies, they remain nowadays one of the best ways to elicit dependency structures (Clemen, Fischer, and Winkler 2000).

Given a sample matrix $S$ and an $N \times N$ target rank correlation matrix $R$ (e.g. elicited from experts), Iman and Conover (Iman and Conover 1982) propose a method to transform the matrix $S$ into a matrix $S^*$ such that the rank correlation matrix $R^*$ of $S^*$ is close to the target matrix $R$. This transformation consists in re-ordering the elements in each column $S_{\cdot,j}$ of $S$, without changing their values, so that the result is the matrix $S^*$. The transformation consists in the following steps:

1. Build an $M \times N$ matrix $W$ whose $N$ columns are random re-orderings of the vector $(a_1, \ldots, a_M)$, where $a_i = \phi^{-1}(i/(M+1))$, $\phi^{-1}$ being the inverse of the standard normal cumulative distribution, that is
$$ \forall x,\quad \phi(x) = \frac{1}{\sqrt{2\pi}} \int_{-\infty}^{x} \exp\left(-\frac{u^2}{2}\right) du. $$
Let $C$ be the $N \times N$ correlation matrix associated
2. Build a lower triangular $N \times N$ matrix $G$ such that $G C G^{\top} = R$, with $G^{\top}$ the transpose of $G$. This can be done in the following way: use the Cholesky factorization procedure to decompose $C$ and $R$ into $C = C' C'^{\top}$ and $R = R' R'^{\top}$, with both $C'$ and $R'$ lower triangular matrices (this is possible because the correlation matrices $C$, $R$ are, by definition, positive definite and symmetric). Then $G$ is given by $G = R' C'^{-1}$ and the transpose follows. Note that $G$ is still a lower triangular matrix.
3. Compute the $M \times N$ matrix $W^* = W G^{\top}$.
4. In each column $S_{\cdot,j}$ of the original sample matrix, re-order the sampled values so that they are ranked as in the column $W^*_{\cdot,j}$, thus obtaining a matrix $S^*$ whose rank correlation matrix $R^*$ is close to $R$ (but not necessarily equal, since for a given number $M$ of samples, rank correlation coefficients can only assume a finite number of distinct values).

This method allows taking account of monotonic dependencies between the variables in sampling schemes (and, therefore, in the subsequent propagation), without making any assumptions about the shape of the probability distributions and without changing the sampled values (it just rearranges their pairings in the sample matrix). It is also mathematically simple and applying it does not require complex tools, as would other approaches involving, for example, copulas (Nelsen 2005).

2.2 Modeling uncertainty with sets of probabilities

The second problem concerns situations where the available information is scarce, imprecise or not fully reliable. Such information can come, for instance, from experts, from few experimental data, from sensors, etc. There are many arguments converging to the fact that, in such situations, a single probability distribution is unable to account for the scarcity or imprecision present in the available information, and that such information would be better modeled by sets of probabilities (see (Walley 1991), Ch. 1, for a summary and review of such arguments).

Here, we consider two such models: p-boxes and possibility distributions. They are both popular, simple and are instrumental to represent or elicit information from experts (for more general models and a longer discussion, see (Destercke, Dubois, and Chojnacki 2007)).

P-boxes (short name for probability boxes) are the imprecise counterparts of cumulative distributions. They are defined by an upper ($\overline{F}$) and a lower ($\underline{F}$) cumulative distribution forming a pair $[\underline{F}, \overline{F}]$ describing the uncertainty: the information only allows us to state that the true cumulative distribution is between
ated to W . F and F, and any cumulative distribution F such that
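As an added example (not the paper's code), the Spearman coefficient and the Iman and Conover re-ordering of Section 2.1 in pure Python. Step 2, cut off at the page boundary above, is taken from the published method (Cholesky factors of R and C); the sample columns, the target matrix and the demo function are constructed for illustration.

```python
import random
from statistics import NormalDist


def ranks(values):
    """Rank 1 for the lowest value, 2 for the second lowest, and so on."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    r = [0] * len(values)
    for rank, i in enumerate(order, start=1):
        r[i] = rank
    return r


def spearman(x, y):
    """r_s = 1 - 6 * sum(d_j^2) / (M (M^2 - 1)), d_j = rank difference."""
    m = len(x)
    d2 = sum((rx - ry) ** 2 for rx, ry in zip(ranks(x), ranks(y)))
    return 1.0 - 6.0 * d2 / (m * (m * m - 1))


def correlation_matrix(cols):
    """Pearson correlation matrix of N columns of length M."""
    n, m = len(cols), len(cols[0])
    mu = [sum(c) / m for c in cols]
    sd = [(sum((v - mu[a]) ** 2 for v in c) / m) ** 0.5 for a, c in enumerate(cols)]
    return [[sum((cols[a][k] - mu[a]) * (cols[b][k] - mu[b]) for k in range(m))
             / (m * sd[a] * sd[b]) for b in range(n)] for a in range(n)]


def cholesky(a):
    """Lower triangular L with a = L L^T (a symmetric positive definite)."""
    n = len(a)
    l = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = a[i][j] - sum(l[i][k] * l[j][k] for k in range(j))
            l[i][j] = s ** 0.5 if i == j else s / l[j][j]
    return l


def lower_inverse(l):
    """Inverse of a lower triangular matrix by forward substitution."""
    n = len(l)
    inv = [[0.0] * n for _ in range(n)]
    for col in range(n):
        for i in range(n):
            s = (1.0 if i == col else 0.0) - sum(l[i][k] * inv[k][col] for k in range(i))
            inv[i][col] = s / l[i][i]
    return inv


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def iman_conover(sample_cols, target_r, rng=None):
    """Re-pair the values within each column of S (columns = variables) so
    that the rank correlation matrix of the result S* approaches target_r."""
    rng = rng or random.Random(0)
    n, m = len(sample_cols), len(sample_cols[0])
    # Step 1: W is M x N, each column a random re-ordering of the scores
    # a_i = phi^-1(i / (M + 1)); C is its correlation matrix.
    scores = [NormalDist().inv_cdf(i / (m + 1)) for i in range(1, m + 1)]
    w_cols = []
    for _ in range(n):
        col = scores[:]
        rng.shuffle(col)
        w_cols.append(col)
    c = correlation_matrix(w_cols)
    # Step 2 (from the published method, not shown on this page): with
    # C = Q Q^T and R = P P^T, G = P Q^-1 satisfies G C G^T = R.
    g = matmul(cholesky(target_r), lower_inverse(cholesky(c)))
    # Step 3: with samples stored as rows and variables as columns, W* = W G^T
    # has column correlation matrix exactly R.
    w_rows = [[w_cols[j][k] for j in range(n)] for k in range(m)]
    g_t = [[g[j][i] for j in range(n)] for i in range(n)]
    w_star = matmul(w_rows, g_t)
    # Step 4: re-order each sample column to carry the ranks of W*'s column.
    result = []
    for j in range(n):
        target_ranks = ranks([row[j] for row in w_star])
        ordered = sorted(sample_cols[j])
        result.append([ordered[r - 1] for r in target_ranks])
    return result


def demo(m=500, rho=0.7, seed=1):
    """Two independent constructed samples (lognormal and uniform) re-paired
    to a target rank correlation rho; returns (r_s before, r_s after)."""
    rng = random.Random(seed)
    x = [rng.lognormvariate(0.0, 0.5) for _ in range(m)]
    y = [rng.uniform(500.0, 1000.0) for _ in range(m)]
    x_star, y_star = iman_conover([x, y], [[1.0, rho], [rho, 1.0]], rng)
    return spearman(x, y), spearman(x_star, y_star)
```

The induced r_s lands a little below the target because the Pearson correlation is imposed on normal scores, which is the "close to R but not equal" caveat of step 4.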
Figure 1. Illustration of a p-box: upper cumulative distribution F̄ and lower cumulative distribution F̲ plotted against temperature (500 K to 1000 K), with the probability axis from 0 to 1.
probabilities Pπ (Dubois and Prade 1992) such that
encountered in a same application, it would be interesting to blend these two tools. Such a blending is proposed in this section.

3.1 Sampling with imprecise probabilistic models

When uncertainty on a (random) variable X is modeled by a precise cumulative distribution F_X, then simulating this variable X by sampling methods usually consists of drawing values α coming from a uniform law on [0, 1], and then associating the (precise) value F^{−1}(α) to each value α (see Figure 3.A). In the case of a N-dimensional problem simulated by M samples, the jth sample consists of a vector (α_1^j, ..., α_N^j), to which is associated the realization (F^{−1}(α_1^j), ..., F^{−1}(α_N^j)) = (x_1^j, ..., x_N^j). Let us now detail what would be the result of such a sampling with imprecise models.

P-boxes: since a p-box is described by (lower and upper) bounds on cumulative distributions, to each value α no longer corresponds a unique inverse value, but a set of possible values. This set of possible values corresponds to the interval bounded by the upper (F̄^{−1}) and lower (F̲^{−1}) pseudo inverses, defined, for all α ∈ (0, 1], as follows:

$$\overline{F}^{-1}(\alpha) = \sup\{x \in \mathbb{R} \mid \overline{F}(x) < \alpha\}$$

$$\underline{F}^{-1}(\alpha) = \inf\{x \in \mathbb{R} \mid \underline{F}(x) > \alpha\}$$

See Figure 3.B for an illustration. Thus, given a p-box [F̲, F̄], to a sampled value α ∈ [0, 1] we associate the interval α such that

$$\alpha := [\overline{F}^{-1}(\alpha), \underline{F}^{-1}(\alpha)]$$

Possibility distributions: in the case of a possibility distribution, it is natural to associate to each value α the corresponding α-cut (see Figure 3.C for an illustration). Again, this α-cut π_α is, in general, not a single value but an interval.

We can see that, by admitting imprecision in our uncertainty representation, usual sampling methods no longer provide precise values but intervals (which are effectively the imprecise counterpart of single values). With such models, elements of the matrix S can be intervals and propagating them through a model T will require the use of interval analysis techniques (Moore 1979). Although achieving such a propagation is more difficult than single point propagation when the model T is complex, it can still remain tractable, even for high dimensional problems (see (Oberguggenberger, King, and Schmelzer 2007) for example). Nevertheless, propagation is not our main concern here, and the sampling scheme can be considered independently of the subsequent problem of propagation.

Also note that the above sampling procedures have been considered by Alvarez (Alvarez 2006) in the more general framework of random sets, of which p-boxes and possibility distributions constitute two particular instances. Let us now see how the Iman and Conover method can be extended to such models.

3.2 Extension of Iman and Conover method

We first recall some notions coming from order theory. Let P be a set and ≤ a relation on the elements of this set. Then, ≤ is a complete partial order if it is reflexive, antisymmetric and transitive, that is if for all triplets a, b, c of elements in P

a ≤ a (reflexivity) (1)

if a ≤ b and b ≤ a, then a = b (antisymmetry) (2)

if a ≤ b and b ≤ c, then a ≤ c (transitivity) (3)

and if for two elements a, b, neither a ≤ b nor b ≤ a, then a and b are said to be incomparable. A partial order ≤ is total, and is called an order (or a linear order), if for every pair a, b in P, we have either a ≤ b or b ≤ a.

When uncertainty is modeled by precise probabilities, sampled values are precise, and the main reason for being able to apply the Iman and Conover method in this case is that there is a natural complete ordering between real numbers, and that to any set of values corresponds a unique ranking. This is no longer the case when realizations are intervals, since in most cases only partial orderings can be defined on sets of intervals (due to the fact that they can be overlapping, nested, disjoint, ...). Given two intervals [a, b], [c, d], it is common to consider the partial ordering such that [a, b] < [c, d] if and only if b < c, and to consider that two intervals are incomparable as soon as they overlap. This partial order is commonly called the interval order. Adapting the Iman and Conover method when samples are general intervals thus seems difficult and would result in a not very convenient tool, since one would have to consider every possible extension of the partial ordering induced by the interval ordering.

To circumvent this problem and to be able to apply the Iman and Conover method in an easy way on p-boxes and possibility distributions, we have to define a complete ordering on the elements sampled from these two representations.

First, note that when uncertainty on a variable X is modeled by a single (invertible) cumulative distribution F_X, there is a one-to-one correspondence between the ranking of sampled values α^j ∈ [0, 1] and the ranking of corresponding values of X, in the sense that, for
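The two sampling rules of this section (pseudo-inverses of a p-box, α-cuts of a possibility distribution), as an added example that is not from the paper. The step-function p-box, the triangular possibility distribution and the p-box induced from it (the route via Baudrit and Dubois 2006 that the conclusions mention) are constructed assumptions; the last one shows that the two sampling routes give different intervals for the same information.

```python
import math
import random


def pbox_pseudo_inverses(upper_pts, lower_pts, alpha):
    """Interval [F_upper^-1(alpha), F_lower^-1(alpha)] for a p-box whose bounds
    are right-continuous step CDFs given as sorted (x, F(x)) jump points.
    For a step function, sup{x : F(x) < alpha} is the first jump point at
    which F reaches alpha, and inf{x : F(x) > alpha} is the first jump point
    at which F exceeds alpha (+inf when it never does, e.g. alpha = 1)."""
    lo = next(x for x, f in upper_pts if f >= alpha)
    hi = next((x for x, f in lower_pts if f > alpha), math.inf)
    return lo, hi


def triangular_possibility(core, radius):
    """pi(x) = max(0, 1 - |x - core| / radius), support [core-radius, core+radius]."""
    return lambda x: max(0.0, 1.0 - abs(x - core) / radius)


def alpha_cut(core, radius, alpha):
    """{x : pi(x) >= alpha} for the triangular distribution (Figure 3.C)."""
    half = radius * (1.0 - alpha)
    return core - half, core + half


def possibility_pbox_interval(core, radius, alpha):
    """Sample the same triangular distribution through its induced p-box
    F_upper(x) = sup_{y<=x} pi(y), F_lower(x) = 1 - sup_{y>x} pi(y); the two
    pseudo-inverses evaluate to core - radius (1 - alpha) and
    core + radius alpha (+inf at alpha = 1)."""
    lo = core - radius * (1.0 - alpha)
    hi = math.inf if alpha >= 1.0 else core + radius * alpha
    return lo, hi


def sample_intervals(draw, m, rng):
    """M draws alpha ~ U(0, 1], each mapped to the interval draw(alpha): the
    imprecise counterpart of the precise sample x_j = F^-1(alpha_j)."""
    return [draw(1.0 - rng.random()) for _ in range(m)]


# Constructed p-box on a temperature axis in the spirit of Figure 1 (not the
# paper's data); F_lower <= F_upper holds at every x.
UPPER = [(500.0, 0.1), (600.0, 0.5), (700.0, 0.9), (800.0, 1.0)]
LOWER = [(600.0, 0.1), (700.0, 0.5), (800.0, 0.9), (900.0, 1.0)]


def demo(m=5, seed=3):
    """Interval samples from the p-box and from a possibility distribution."""
    rng = random.Random(seed)
    pbox = sample_intervals(lambda a: pbox_pseudo_inverses(UPPER, LOWER, a), m, rng)
    cuts = sample_intervals(lambda a: alpha_cut(700.0, 100.0, a), m, rng)
    return pbox, cuts
```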
700
1 F 1 F 1
F
0 1
0 1 1(
0
x= F ( ) F ( ) F )
Fig. 3.A: precise prob. Fig. 3.B: p-box Fig. 3.C: possibility dist.
Figure 3. Sampling from precise and imprecise probabilistic models: illustration.
701
a value with more precision means knowing another one with less precision (of which the Heisenberg principle constitutes a famous example). Such kinds of dependencies have a poor relation with monotonic dependencies, meaning that using the proposed extension to possibility distributions is NOT equivalent to assuming monotonic dependencies between variables, but rather to assuming a dependency between the precision of the knowledge we have on variables. Nevertheless, if monotonic dependencies have to be integrated and if information is modeled by possibility distributions, it is always possible to extract a corresponding p-box from a possibility distribution, and then to sample from this corresponding p-box (see (Baudrit and Dubois 2006)).

4 CONCLUSIONS

Integrating known correlation between variables and dealing with scarce or imprecise information are two problems that coexist in many real applications. The use of rank correlation through the means of the Iman and Conover method and the use of simple imprecise probabilistic models are practical tools to solve these two problems. In this paper, we have proposed an approach to blend these two solutions, thus providing a practical tool to cope (at the same time) with monotonic dependencies between variables and with scarceness or imprecision in the information.

Sampling methods and complete orderings related to possibility distributions and p-boxes have been studied and discussed. They allow to apply the Iman and Conover method to these two models without additional computational difficulties. We have argued that, in the case of p-boxes, rank correlations can still be interpreted in terms of monotonic dependencies, thus providing a direct extension of the Iman and Conover method, with the advantage that it can be interpreted as an integrated robustness study. The interpretation concerning possibility distributions is different, as it is based on set inclusion, and describes some dependencies between the precision of the knowledge we can acquire on different variables. We suggest that such correlation can be useful in some physical models, or when sources of information (sensors, experts) are likely to be correlated.

In our opinion, the prime interest of the suggested extensions is practical, as they allow to use very popular and efficient numerical techniques such as Latin Hypercube Sampling and the Iman and Conover method with imprecise probabilistic models. Moreover, the proposed extensions can benefit from all the results concerning these numerical techniques (for instance, see (Sallaberry, Helton, and Hora 2006)).

REFERENCES

Alvarez, D.A. (2006). On the calculation of the bounds of probability of events using infinite random sets. Int. J. of Approximate Reasoning 43, 241–267.
Baudrit, C. and D. Dubois (2006). Practical representations of incomplete probabilistic knowledge. Computational Statistics and Data Analysis 51 (1), 86–108.
Baudrit, C., D. Guyonnet, and D. Dubois (2006). Joint propagation and exploitation of probabilistic and possibilistic information in risk assessment. IEEE Trans. Fuzzy Systems 14, 593–608.
Clemen, R., G. Fischer, and R. Winkler (2000, August). Assessing dependence: some experimental results. Management Science 46 (8), 1100–1115.
Destercke, S., D. Dubois, and E. Chojnacki (2007). Relating practical representations of imprecise probabilities. In Proc. 5th Int. Symp. on Imprecise Probabilities: Theories and Applications.
Dubois, D. and H. Prade (1992). On the relevance of non-standard theories of uncertainty in modeling and pooling expert opinions. Reliability Engineering and System Safety 36, 95–107.
Ferson, S., L. Ginzburg, V. Kreinovich, D. Myers, and K. Sentz (2003). Constructing probability boxes and Dempster-Shafer structures. Technical report, Sandia National Laboratories.
Ferson, S. and L.R. Ginzburg (1996). Different methods are needed to propagate ignorance and variability. Reliability Engineering and System Safety 54, 133–144.
Helton, J. and F. Davis (2002). Illustration of sampling-based methods for uncertainty and sensitivity analysis. Risk Analysis 22 (3), 591–622.
Iman, R. and W. Conover (1982). A distribution-free approach to inducing rank correlation among input variables. Communications in Statistics 11 (3), 311–334.
Moore, R. (1979). Methods and Applications of Interval Analysis. SIAM Studies in Applied Mathematics. Philadelphia: SIAM.
Nelsen, R. (2005). Copulas and quasi-copulas: An introduction to their properties and applications. In E. Klement and R. Mesiar (Eds.), Logical, Algebraic, Analytic, and Probabilistic Aspects of Triangular Norms, Chapter 14. Elsevier.
Oberguggenberger, M., J. King, and B. Schmelzer (2007). Imprecise probability methods for sensitivity analysis in engineering. In Proc. of the 5th Int. Symp. on Imprecise Probabilities: Theories and Applications, pp. 317–326.
Sallaberry, C., J. Helton, and S. Hora (2006). Extension of Latin hypercube samples with correlated variables. Tech. rep. SAND2006-6135, Sandia National Laboratories, Albuquerque. http://www.prod.sandia.gov/cgibin/techlib/accesscontrol.pl/2006/066135.pdf.
Walley, P. (1991). Statistical Reasoning with Imprecise Probabilities. New York: Chapman and Hall.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
Enrico Zio
Energy Department, Politecnico di Milano, Milan, Italy
ABSTRACT: Monte Carlo simulation is used to investigate the impact of the maintenance strategy on the
production availability of offshore oil and gas plants. Various realistic preventive maintenance strategies and
operational scenarios are considered. The reason for resorting to Monte Carlo simulation is that it provides
the necessary flexibility to describe realistically the system behavior, which is not easily captured by analytical
models. A prototypical offshore production process is taken as the pilot model for the production availability
assessment by Monte Carlo simulation. The system consists of a separator, compressors, power generators,
pumps and dehydration units. A tailor-made computer program has been developed for the study, which enables
to account for the operational transitions of the system components as well as the preventive and corrective
maintenance strategies for both power generators and compressor systems.
Figure: process flow of the offshore production system. The production well feeds three-phase separation; gas goes to export gas compression (and water is separated out), oil goes to export oil pumping and oil export; electricity is supplied by power generation.
The well produces at its maximum 30,000 m3/d of oil, which is the amount of oil which the separator can handle. The separated oil is exported by the export pumping unit, also with a capacity of 30,000 m3/d of oil.

Off-gas from the separator is routed to the main compressor unit, with two compressors running and one standby in a 2oo3 voting. Each compressor can process a maximum of 3.0 MMscm/d. The nominal gas throughput for the system is assumed to be 6.0 MMscm/d, and the system performance will be evaluated at this rate. Gas dehydration is required for the lift gas, the export gas and the fuel gas. The dehydration is performed by a 1 × 100% glycol contactor on the total gas flowrate, based on gas saturated with water at conditions downstream of the compressor. The total maximum gas processing throughput is assumed to be 6.0 MMscm/d, limited by the main compression and dehydration trains.

To ensure the nominal level of production of the well, the lift gas is supplied from the discharge of the compression, after dehydration, and routed to the lift gas risers under flow control on each riser. An amount of 1.0 MMscm/d is compressed by the compressor for lift gas and injected back into the production well.

Water is injected into the producing reservoirs to enhance oil production and recovery. The water separated in the separator and treated seawater is injected in the field. The capacity of the water injection system is assumed to be 5,000 m3/d.

The 25 MW power requirements on the production system will be met by 2 × 17 MW gas turbine-driven power generation units.

Table 1. Transition rates of the components.

                              Transition rate (1/hr)
Component                 Failure          Repair
Dehydration               3.49 × 10−4      8.33 × 10−2
Lift gas compressor       6.57 × 10−4      6.98 × 10−2
Export oil pump           7.06 × 10−4      3.66 × 10−2
Injection water pump      2.27 × 10−4      1.33 × 10−2
Three-phase separator     4.25 × 10−4      19.6 × 10−2
Export gas compressor     6.69 × 10−4      4.29 × 10−2
Power generation          1.70 × 10−3      3.24 × 10−2

2.2 Component failures and repair rates

For simplicity, the study considers in detail the stochastic failure and maintenance behaviors of only the 2oo3 compressor system (one in standby) for the gas export and the 2oo2 power generation system; the other components have only two states, ‘‘functioning’’ and ‘‘failed’’.

The transition rates of the components with only two transition states are given in Table 1.
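An added Monte Carlo example, not the paper's program: the export compressor (2oo3, one standby) and power generation (2oo2) subsystems simulated with the Table 1 rates and the Table 2 production levels. The cold-standby and unlimited-repair assumptions and the absence of preventive maintenance are simplifications of mine, not the paper's model.

```python
import random

# Transition rates (1/hr) from Table 1 for the two subsystems modelled in
# detail in Section 2.2; production levels follow Table 2.
COMPRESSOR = (6.69e-4, 4.29e-2)      # export gas compressor: failure, repair
GENERATOR = (1.70e-3, 3.24e-2)       # power generation unit: failure, repair


def production_level(failed_compressors, failed_generators):
    """Fraction of system capacity from Table 2: one failed compressor is
    covered by the standby (100%), two failed compressors or one failed
    generator halve production, all compressors or both generators stop it."""
    if failed_compressors >= 3 or failed_generators >= 2:
        return 0.0
    if failed_compressors == 2 or failed_generators == 1:
        return 0.5
    return 1.0


def simulate_run(mission_hours, rng):
    """One history of the two subsystems by the direct Monte Carlo method.
    Assumptions (simplifications, not the paper's full model): only running
    units fail (cold standby), every failed unit is repaired at once, and
    no preventive maintenance. Returns production-weighted availability."""
    fc, fg = 0, 0                       # failed compressors, failed generators
    t, produced = 0.0, 0.0
    while True:
        running_c = min(3 - fc, 2)      # at most two compressors run at a time
        rates = [
            running_c * COMPRESSOR[0],  # a running compressor fails
            fc * COMPRESSOR[1],         # a failed compressor is repaired
            (2 - fg) * GENERATOR[0],    # a running generator fails
            fg * GENERATOR[1],          # a failed generator is repaired
        ]
        total = sum(rates)
        dt = rng.expovariate(total)     # time to the next transition
        if t + dt > mission_hours:
            produced += production_level(fc, fg) * (mission_hours - t)
            return produced / mission_hours
        produced += production_level(fc, fg) * dt
        t += dt
        u = rng.random() * total        # pick the transition that fired
        if u < rates[0]:
            fc += 1
        elif u < rates[0] + rates[1]:
            fc -= 1
        elif u < rates[0] + rates[1] + rates[2]:
            fg += 1
        else:
            fg -= 1


def production_availability(runs=20, mission_hours=8760.0, seed=11):
    """Average production availability over independent one-year histories."""
    rng = random.Random(seed)
    return sum(simulate_run(mission_hours, rng) for _ in range(runs)) / runs
```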
Table 2. Summary of different production levels with the component failures.

Production level       Example of failure events                    Oil       Gas         Water injection
(system capacity, %)                                                (km3/d)   (MMscm/d)   (km3/d)
100%                   None                                         30        6           5
70%                    Lift gas compressor                          20        4           4
70%                    Water injection pump                         20        4           0
50%                    Two export gas compressors;                  15        3           5
                       one power generator;
                       two export gas compressors and one
                       power generator together
50%                    Two export gas compressors and               15        3           0
                       injection water pumping
30%                    Lift gas compressor and                      10        2           0
                       injection water pump
0%                     Dehydration unit;                            0         0           0
                       all three export gas compressors;
                       both power generators

Figure 2. State diagram of export compression system.

2.3 Production re-configuration

The failures of the components and systems are assumed to have the following effects on the production level:
Figure 3. State diagram of power generation system.

Table 3. Scheduled maintenance interval for compressors and power generators.

Table 4. Estimation of transition time depending on initial state.

Initial state                       Transition time
Corrective maintenance              Time required for corrective maintenance
Preventive maintenance              Time required for preventive maintenance (MTTR)
Normal (including partial load)     To be estimated by the direct Monte Carlo method

Figure: spare parts decision flowchart. Input the system configuration and component information; part list; Step 1: will the stock-out have a direct effect on the offshore production? (No: no spares holding); Step 2: can the part requirement be anticipated? (No: order parts before a demand occurs).
installed in offshore platforms is expected to have a higher frequency of failures than others. The failure effect of the compressor and power generation system on production is classified as significant. With the consideration of frequencies and consequences together, the effect of stock-out for such systems on production availability should be estimated in priority during the determination of maintenance strategies.

6 CONCLUSIONS

As future study, it is of interest to formalize the preventive maintenance interval optimization and spare parts optimization process with the Monte Carlo simulation. To this aim, it will be necessary to combine the results of the availability assessment based on the Monte Carlo simulation with the cost information. The optimization of preventive maintenance intervals should be determined based on an iterative process where the overall availability acceptance criteria and costs fall within the optimal region; the spare parts optimization will consider the cost of holding different numbers of spare parts and that of not holding any.
ABSTRACT: In this paper, the recently developed Subset Simulation method is considered for improving the
efficiency of Monte Carlo simulation. The method, originally developed to solve structural reliability problems,
is founded on the idea that a small failure probability can be expressed as a product of larger conditional failure
probabilities for some intermediate failure events: with a proper choice of the conditional events, the conditional
failure probabilities can be made sufficiently large to allow accurate estimation with a small number of samples.
The method is here applied on a system of discrete multi-state components in a series-parallel configuration.
the series-parallel, discrete multi-state system is illustrated. Finally, some conclusions are proposed in the last Section.

2 SUBSET SIMULATION

2.1 Basics of the method

For a given target failure event F of interest, let F_1 ⊃ F_2 ⊃ ... ⊃ F_m be a sequence of intermediate failure events, so that F_k = ∩_{i=1}^{k} F_i, k = 1, 2, ..., m. By sequentially conditioning on the event F_i, the failure probability P(F) can be written as

$$P(F) = P(F_m) = P(F_1) \prod_{i=1}^{m-1} P(F_{i+1} \mid F_i) \qquad (2)$$

Notice that even if P(F) is small, the conditional probabilities involved in (1) can be made sufficiently large by appropriately choosing m and the intermediate failure events {F_i, i = 1, 2, ..., m − 1}.

The original idea of SS is to estimate the failure probability P(F) by estimating P(F_1) and {P(F_{i+1}|F_i) : i = 1, 2, ..., m − 1}. Considering for example P(F) ≈ 10^{−5} and choosing m = 5 intermediate failure events such that P(F_1) and {P(F_{i+1}|F_i) : i = 1, 2, 3, 4} ≈ 0.1, the conditional probabilities can be evaluated efficiently by simulation of the relatively frequent failure events (Au & Beck 2001).

Standard MCS can be used to estimate P(F_1). On the contrary, computing the conditional failure probabilities in (1) by MCS entails the non-trivial task of sampling from the conditional distributions of x given that it lies in F_i, i = 1, 2, ..., m − 1, i.e. from

$$q(x \mid F_i) = q(x) I_{F_i}(x) / P(F_i)$$

In this regard, Markov Chain Monte Carlo (MCMC) simulation provides a powerful method for generating samples conditional on the failure region F_i, i = 1, 2, ..., m − 1 (Au & Beck 2001). The related algorithm is presented in the next Section 2.2.

2.2 Markov Chain Monte Carlo (MCMC) simulation

Markov Chain Monte Carlo (MCMC) simulation comprises a number of powerful simulation techniques for generating samples according to any given probability distribution (Metropolis et al., 1953).

In the context of the reliability assessment of interest in the present work, MCMC simulation provides an efficient way for generating samples from the multidimensional conditional PDF q(x|F). The distribution of the samples thereby generated tends to the multidimensional conditional PDF q(x|F) as the length of the Markov chain increases. In the particular case of the initial sample x^1 being distributed exactly as the multidimensional conditional PDF q(x|F), then so are the subsequent samples and the Markov chain is always stationary (Au & Beck 2001).

Furthermore, since in practical applications dependent random variables may often be generated by some transformation of independent random variables, in the following it is assumed without loss of generality that the components of x are independent, that is,

$$q(x) = \prod_{j=1}^{n} q_j(x_j)$$

where q_j(x_j) denotes the one-dimensional PDF of x_j, j = 1, 2, ..., n (Au & Beck 2001).

To illustrate the MCMC simulation algorithm with reference to a generic failure region F_i, let x^u = {x_1^u, x_2^u, ..., x_j^u, ..., x_n^u} be the uth Markov chain sample drawn and let p*_j(ξ_j|x_j^u), j = 1, 2, ..., n, be a one-dimensional ‘proposal PDF’ for ξ_j, centered at the value x_j^u and satisfying the symmetry property p*_j(ξ_j|x_j^u) = p*_j(x_j^u|ξ_j). Such a distribution, arbitrarily chosen for each element x_j of x, allows generating a ‘precandidate value’ ξ_j based on the current sample value x_j^u. The following algorithm is then applied to generate the next Markov chain sample x^{u+1} = {x_1^{u+1}, x_2^{u+1}, ..., x_j^{u+1}, ..., x_n^{u+1}}, u = 1, 2, ..., N_s − 1 (Au & Beck 2001):

1. Generate a candidate sample x̃^{u+1} = {x̃_1^{u+1}, x̃_2^{u+1}, ..., x̃_j^{u+1}, ..., x̃_n^{u+1}}: for each parameter x_j, j = 1, 2, ..., n, sample a precandidate value ξ_j^{u+1} from p*_j(·|x_j^u); compute the acceptance ratio r_j^{u+1} = q_j(ξ_j^{u+1})/q_j(x_j^u); set x̃_j^{u+1} = ξ_j^{u+1} with probability min(1, r_j^{u+1}) and x̃_j^{u+1} = x_j^u with probability 1 − min(1, r_j^{u+1}).
2. Accept/reject the candidate sample vector x̃^{u+1}: if x̃^{u+1} = x^u (i.e., no precandidate values have been accepted), set x^{u+1} = x^u. Otherwise, check whether x̃^{u+1} is a system failure configuration, i.e. x̃^{u+1} ∈ F_i: if it is, then accept the candidate x̃^{u+1} as the next state, i.e., set x^{u+1} = x̃^{u+1}; otherwise, reject the candidate x̃^{u+1} and take the current sample as the next one, i.e., set x^{u+1} = x^u.

The proposal PDFs {p*_j : j = 1, 2, ..., n} affect the deviation of the candidate sample from the current one, thus controlling the efficiency of the Markov chain samples in populating the failure region. In particular, the spreads of the proposal PDFs affect the size of the region covered by the Markov chain samples. Small spreads tend to increase the correlation between successive samples due to their proximity to the conditioning central value, thus slowing down the convergence of the failure probability estimators. Indeed, it can be shown that the coefficient of variation (c.o.v.) of the failure probability estimates, defined as the ratio of the standard deviation to the mean of the estimate, increases as the correlation between the successive Markov chain samples increases. On the other hand, excessively large spreads may reduce the acceptance rate, increasing the number of repeated Markov chain samples, still slowing down convergence (Au & Beck 2003).
total of N conditional samples {x_k^2 : k = 1, 2, ..., N} at ‘Conditional level 2’. This procedure is repeated for the remaining conditional levels until the samples at ‘Conditional level (m − 1)’ are generated to yield y_m < y as the (1 − p_0)N th value in the descending list of {Y(x_k^{m−1}) : k = 1, 2, ..., N}, so that there are enough samples for estimating P(Y < y) (Au et al., 2007).

3 APPLICATION TO A SERIES-PARALLEL DISCRETE MULTI-STATE SYSTEM

In this Section, SS is applied for performing the reliability analysis of a series-parallel discrete multi-state system of literature (Zio & Podofillini 2003).

Let us consider a system made up of a series of η = 2 macro-components (nodes), each one performing a given function, e.g. the transmission of a given amount of gas, water or oil flow. Node 1 is constituted by n_1 = 2 components in parallel logic, whereas node 2 is constituted by a single component (n_2 = 1), so that the overall number of components in the system is n = Σ_{b=1}^{2} n_b = 3.

For each component j = 1, 2, 3 there are z_j possible states, each one corresponding to a different hypothetical level of performance, v_{j,o}, o = 0, 1, ..., z_j − 1. Each component can randomly occupy the discrete states, according to properly defined probabilities q_{j,o}, j = 1, 2, 3, o = 0, 1, ..., z_j − 1.

In all generality, the output performance W_o associated to the system state o = {o_1, o_2, ..., o_j, ..., o_n} is obtained on the basis of the performances v_{j,o} of the components j = 1, 2, ..., n constituting the system. More precisely, we assume that the performance of each node b constituted by n_b elements in parallel logic is the sum of the individual performances of the components, and that the performance of the node series system is that of the node with the lowest performance, which constitutes the ‘bottleneck’ of the system (Levitin & Lisnianski 1999).

The system is assumed to fail when its performance W falls below some specified threshold value w, so that its probability of failure P(F) can be expressed as P(W < w). During simulation, the intermediate failure events {F_i : i = 1, 2, ..., m} are adaptively generated as F_i = {W < w_i}, where w_1 > w_2 > ... > w_i > ... > w_m = w are the intermediate threshold values (see Section 2.3).

3.1 Case 1: 11 discrete states for each component

For each component j = 1, 2, 3 there are z_j = 11 possible states, each one corresponding to a different hypothetical level of performance v_{j,o}, o = 0, 1, ..., 10; thus, the number of available system states is 11^3 = 1331. The probabilities q_{j,o} associated to the performances v_{j,o}, j = 1, 2, 3, o = 0, 1, ..., 10, are not reported for brevity; however, for clarity's sake, the synthetic parameters of the performance distributions (i.e., the mean v̄_j and the standard deviation σ_{v_j}, j = 1, 2, 3) are summarized in Table 1. Finally, it is worth noting that the probability of the system having performance W equal to 0, i.e. being in state o* = {0, 0, 0}, is 1.364 · 10^{−3} (this value has been analytically obtained by calculating the exact probabilities of all the 1331 available system states).

3.2 Case 2: 21 discrete states for each component

For each component j = 1, 2, 3 there are now z_j = 21 possible states, each one corresponding to a different hypothetical level of performance v_{j,o}, o = 0, 1, ..., 20; thus, the number of available system states is now 21^3 = 9261. For clarity's sake, the synthetic parameters of the performance distributions (i.e., the mean v̄_j and the standard deviation σ_{v_j}, j = 1, 2, 3) are summarized in Table 2. Finally, in this case, the probability of the system having performance W equal to 0, i.e. being in state o* = {0, 0, 0}, is 1.671 · 10^{−4}.

3.3 Subset simulation parameters

In the application of SS to both Case 1 and Case 2, the conditional failure regions are chosen such that a conditional failure probability of p_0 = 0.1 is attained at all conditional levels.

In Case 1, the simulations are carried out for m = 3 conditional levels, thus covering the estimation of failure probabilities as small as 10^{−3}.

Table 1. Parameters of the probability distributions of the components’ performances for Case 1.

Component, j    Mean     Standard deviation
1               56.48    25.17
2               58.97    23.11
3               92.24    11.15

Table 2. Parameters of the probability distributions of the components’ performances for Case 2.

Component, j    Mean     Standard deviation
1               58.17    24.35
2               60.66    22.32
3               93.55    10.02
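An added example (not the authors' code) that runs the MCMC algorithm of Section 2.2 inside a full Subset Simulation on a series-parallel system with the structure of Section 3, and checks it against the exact value from enumerating all system states. The component state probabilities, the performance levels, the threshold and the uniform proposal width l are constructed assumptions; Table 1's means and standard deviations are used only as nominal values for the constructed distributions.

```python
import math
import random

# Constructed component model (not the paper's data): n = 3 components, each
# with Z = 11 discrete states o = 0..10 and performance v_o = 10 * o. The
# state probabilities q_j(o) are a discretised normal using the Case 1 means
# and standard deviations of Table 1 as nominal values (an assumption).
Z = 11
PERF = [10 * o for o in range(Z)]
NOMINAL = [(56.48, 25.17), (58.97, 23.11), (92.24, 11.15)]


def discretised_normal(mean, sd):
    """Probability mass over the Z states, proportional to a normal density."""
    weights = [math.exp(-0.5 * ((v - mean) / sd) ** 2) for v in PERF]
    total = sum(weights)
    return [w / total for w in weights]


Q = [discretised_normal(m, s) for m, s in NOMINAL]


def performance(state):
    """Section 3 structure: node 1 = components 1 and 2 in parallel (their
    performances add), node 2 = component 3; the series system performs as
    its bottleneck node, i.e. the minimum."""
    o1, o2, o3 = state
    return min(PERF[o1] + PERF[o2], PERF[o3])


def exact_failure_probability(w):
    """Reference value P(W < w) by enumerating all Z**3 system states."""
    total = 0.0
    for o1 in range(Z):
        for o2 in range(Z):
            for o3 in range(Z):
                if performance((o1, o2, o3)) < w:
                    total += Q[0][o1] * Q[1][o2] * Q[2][o3]
    return total


def sample_prior(rng):
    """Plain Monte Carlo draw of a system state from q(x) = prod q_j(x_j)."""
    return tuple(rng.choices(range(Z), weights=Q[j])[0] for j in range(3))


def mmh_step(state, w_i, rng, l):
    """One move of the MCMC algorithm of Section 2.2, conditional on
    F_i = {W < w_i}. The proposal is uniform over the 2l + 1 states
    o - l, ..., o + l (Section 3.3), hence symmetric."""
    candidate = []
    for j, o in enumerate(state):
        xi = o + rng.randint(-l, l)                 # precandidate from p*_j
        q_xi = Q[j][xi] if 0 <= xi < Z else 0.0     # outside the state space
        r = q_xi / Q[j][o]                          # acceptance ratio r_j
        candidate.append(xi if rng.random() < min(1.0, r) else o)
    candidate = tuple(candidate)
    if candidate == state:                          # no precandidate accepted
        return state
    return candidate if performance(candidate) < w_i else state


def subset_simulation(w, n=3000, p0=0.1, max_levels=8, l=2, seed=7):
    """Estimate P(W < w) by SS: level 0 is plain MCS; each further level
    conditions on an adaptively chosen threshold w_i that the p0*N worst
    samples fall below. Returns (estimate, [w_1, w_2, ...])."""
    rng = random.Random(seed)
    samples = [sample_prior(rng) for _ in range(n)]
    estimate, thresholds = 1.0, []
    for _ in range(max_levels):
        perf = sorted(performance(s) for s in samples)
        n_fail = sum(1 for p in perf if p < w)
        if n_fail >= int(p0 * n):                  # target reached: last factor
            return estimate * n_fail / n, thresholds
        thr = perf[int(p0 * n) - 1]                # p0*N-th smallest performance
        above = [p for p in perf if p > thr]
        w_i = (thr + above[0]) / 2 if above else thr + 1.0   # keep tied values together
        seeds = [s for s in samples if performance(s) < w_i]
        estimate *= len(seeds) / n                 # P(F_i | F_{i-1}) from the count
        thresholds.append(w_i)
        chains = list(seeds)
        samples = list(seeds)                      # seeds count among the N samples
        k = 0
        while len(samples) < n:                    # round-robin over the chains
            idx = k % len(chains)
            chains[idx] = mmh_step(chains[idx], w_i, rng, l)
            samples.append(chains[idx])
            k += 1
    return estimate * sum(1 for s in samples if performance(s) < w) / n, thresholds
```

Because the performance levels are discrete, many samples tie at a threshold; the level probability is therefore taken from the actual seed count rather than assumed equal to p_0.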
At each conditional level, N = 300 samples are generated. The total number of samples is thus N_T = 300 + 270 + 270 = 840, because p_0 N = 30 conditional samples from one conditional level are used to start the next conditional level and generate the missing (1 − p_0)N = 270 samples at that level.

The failure probability estimates corresponding to the intermediate thresholds {w_i : i = 1, 2, 3}, i.e. 10^{−1}, 10^{−2} and 10^{−3}, are computed using a total number of samples equal to N_T = 300, 570 and 840, respectively. It is worth noting that the number of samples employed for estimating the probabilities of failure of the system is about 2 times lower than the total number of available system states, i.e. 1331 (Section 3.1); thus, the computational time required for estimating the failure probabilities by SS is substantially lower than that necessary for analytically computing them (i.e., for calculating the exact probabilities of all the 1331 system states).

Differently, in Case 2, the simulations are carried out for m = 4 conditional levels, thus covering the estimation of failure probabilities as small as 10^{−4}. Also in this case, at each conditional level, N = 300 samples are generated, such that the total number of samples is now N_T = 1110. The failure probability are computed using a total number of samples equal to N_T = 300, 570, 840 and 1110, respectively. Notice that the number of SS samples used for estimating the failure probabilities of the system is about 9 times lower than the total number of available system states, i.e. 9261 (Section 3.2).

In both cases, for each component’s performance v_{j,o}, j = 1, 2, 3, o = 0, 1, ..., z_j − 1, the one-dimensional discrete ‘proposal PDF’ p*_{j,o}(ξ_{j,o}|ν_{j,o}) adopted to generate by MCMC simulation the random ‘pre-candidate value’ ξ_{j,o} based on the current sample component ν_{j,o} (Section 2.2) is chosen as a symmetric uniform distribution, that is, p*_{j,o}(ξ_{j,o}|ν_{j,o}) = 1/(2l_j + , j = 1, 2, 3, o = o − l_j, o − l_j + 1, ..., o + l_j − 1, o + l_j.

3.4 Discussion of the results

In this Section, the results of the application of SS to the performance analysis of the system described in Section 3 are illustrated with reference to both Case 1 and Case 2.

3.4.1 Failure probability estimation

3.4.1.1 Comparison with standard Monte Carlo Simulation (MCS)

Figure 2 shows the failure probability estimates for different threshold levels w, obtained in a single simulation run, for both Case 1 (top) and Case 2 (bottom). The results produced by SS with a total of 840 samples (i.e., three simulation levels, each with N = 300 samples) and 1110 samples (i.e., four simulation levels, each with N = 300 samples) are shown in solid lines. Note that a single SS run yields failure probability estimates for all threshold levels w up to the smallest one considered (i.e. 10^{−3} and 10^{−4} for Cases 1 and 2, respectively). For comparison, the analytical failure probabilities (dashed lines) and the results using standard MCS with 840 and 1110 samples (dot-dashed lines) are shown in the same Figures for Cases 1 (top) and 2 (bottom), respectively.

Figure 2. Analytical failure probabilities (dashed lines) and their corresponding estimates obtained by SS (solid lines) and standard MCS (dot-dashed lines) in a single simulation run, for Case 1 (top) and Case 2 (bottom). Axes: failure probability P(F) on a logarithmic scale (10^0 down to 10^{−3} in the top panel) against the failure threshold w from 0 to 100; legends: Analytical and SS (N_T = 840) for Case 1, Analytical and SS (N_T = 1110) for Case 2.
Table 3. Mean relative absolute errors δ[P(F)] made by both SS and standard MCS with 840 samples in the estimation of the failure probability P(F) = 1.364 · 10−3 (Case 1); these values have been computed for three batches of S = 200 simulations each.

            P(F) = 1.364·10−3    P(F) = 1.364·10−3
Batch 1     0.4327               0.7265
Batch 2     0.4611               0.7530
Batch 3     0.4821               0.6656

Table 4. Mean relative absolute errors δ[P(F)] made by both SS and standard MCS with 1110 samples in the estimation of the failure probabilities P(F) = 1.942 · 10−3 and P(F) = 1.671 · 10−4 (Case 2); these values have been computed for three batches of S = 200 simulations each.

            P(F) = 1.94·10−3    P(F) = 1.67·10−4    P(F) = 1.94·10−3    P(F) = 1.67·10−4
Batch 1     0.4181              0.6409              0.6983              1.6670
Batch 2     0.4425              0.5611              0.7793              1.8915
Batch 3     0.4960              0.6826              0.6112              1.6190
[Plot residue of Figures 3 and 4 removed. Figure 3 axes: Failure probability, P(F) (log scale, 10−3 to 100 for Case 1 and 10−4 to 100 for Case 2) against Coefficient of variation (c.o.v.); legend: SS (NT = 840, top; NT = 1110, bottom) (average 200 runs), MCS, uncorrelated (lower limit), fully correlated (upper limit); curve labels NT = 300, 570, 840 and, in the bottom panel, 1110. Figure 4 axes: Failure threshold, w (0–100) against Failure probability, P(F) (log scale); legend: Analytical, SS (NT = 840, top; NT = 1110, bottom) (average 200 runs).]
Figure 3. Coefficient of variation (c.o.v.) versus different failure probability levels P(F) for Cases 1 (top) and 2 (bottom). Solid line: sample average over 200 SS runs; dashed lines: sample average of the lower bound over 200 SS runs; dot-dashed lines: sample average of the upper bound over 200 SS runs; squares: standard MCS (i.i.d. samples).
Figure 4. Analytical failure probabilities (dashed lines) and sample averages of the failure probability estimates over 200 SS runs (solid lines) for Case 1 (top) and Case 2 (bottom).
3.4.1.2 SS estimates: Bias due to the correlation among conditional failure samples
To assess quantitatively the statistical properties of the failure probability estimates produced by SS, the sample means of the failure probability estimates obtained in S = 200 independent runs have been computed. For a given failure probability level P(F) of interest, the sample mean P̄(F) of the corresponding estimates P̃s(F), s = 1, 2, . . ., S, is P̄(F) = (1/S) · Σ_{s=1}^{S} P̃s(F). Figure 4 shows the sample means of the failure probability estimates obtained by SS, for both Case 1 (top) and Case 2 (bottom) (solid lines); a comparison with the exact (i.e., analytically computed) failure probabilities is also given (dashed lines).
The sample means of the failure probability estimates almost coincide with the analytical results, except at small failure probabilities, near 10−3 and 10−4, where the estimates seem to be quite biased.
A quantitative indicator of the bias associated to the estimate of a given failure probability P(F) can be computed as the relative absolute deviation [P(F)] between the exact value of the failure probability, i.e. P(F), and the sample average P̄(F) of the corresponding estimates, [P(F)] = |P(F) − P̄(F)|/P(F). Table 5 reports the values of the sample means P̄(F) and the corresponding biases [P(F)] produced by SS in the estimation of P(F) = 1.364 · 10−3 in Case 1 (Section 3.1); Table 6 presents the values of the same indicators referred to the estimation of the failure probabilities P(F) = 1.942 · 10−3 and P(F) = 1.671 · 10−4 in Case 2 (Section 3.2). Only for illustration purposes, the results obtained in three batches of S = 200 simulations each are reported for both Cases 1 and 2.
It is evident from Table 6 that the bias of the estimates significantly increases as the target probability of failure decreases: for instance, in Batch 2 the bias associated to the estimate of P(F) = 1.942 · 10−3 is 0.1865, whereas the one related to the estimate of P(F) = 1.671 · 10−4 is 0.2928. This leads to conclude that the bias due to the correlation between the conditional probability estimators at different levels is not negligible (Au & Beck 2001).
This finding is also confirmed by the analysis of the sample c.o.v. of the failure probability estimates, which are plotted versus different failure probability levels P(F) (solid line) in Figure 3, for both Case 1 (top) and Case 2 (bottom). In these Figures, the dashed lines show a lower bound on the c.o.v. which would be obtained if the conditional probability estimates at different simulation levels were uncorrelated; on the contrary, the dot-dashed lines provide an upper bound on the c.o.v. which would be obtained in case of full correlation among the conditional probability estimates. From these Figures, it can be seen that the trend of the actual c.o.v. estimated from 200 runs follows more closely the upper bound, confirming that the conditional failure probability estimates are almost completely correlated in both Case 1 and Case 2. The high correlation between conditional probability estimates may be explained as follows: differently from continuous-state systems, whose stochastic evolution is modeled in terms of an infinite set of continuous states, discrete multi-state systems can only occupy a finite number of states; as a consequence, the generation of repeated (thus, correlated) conditional failure samples during MCMC simulation may be significant.

Table 5. Sample means P̄(F) of the failure probability estimates over 200 SS runs and the corresponding biases [P(F)] produced by SS in the estimation of P(F) = 1.364 · 10−3 (Case 1); these values have been computed for three batches of S = 200 simulations each.

            Subset simulation, P(F) = 1.364·10−3
            Sample mean     Bias
Batch 1     1.136·10−3      0.1672
Batch 2     1.145·10−3      0.1606
Batch 3     1.065·10−3      0.2192

Table 6. Sample means P̄(F) of the failure probability estimates over 200 SS runs and the corresponding biases [P(F)] produced by SS in the estimation of P(F) = 1.942 · 10−3 and P(F) = 1.674 · 10−4 (Case 2); these values have been computed for three batches of S = 200 simulations each.

            Subset simulation
            P(F) = 1.942·10−3            P(F) = 1.671·10−4
            Sample mean     Bias         Sample mean     Bias
Batch 1     1.714·10−3      0.1170       1.374·10−4      0.1769
Batch 2     1.579·10−3      0.1865       1.181·10−4      0.2928
Batch 3     1.715·10−3      0.1164       1.347·10−4      0.1934

4 CONCLUSIONS
In this paper, SS has been applied for the reliability assessment of a system of discrete multi-state components connected into a logic structure. An example of a simple series-parallel system from the literature has been taken for reference.
The results of SS have been compared to those of standard Monte Carlo Simulation (MCS) in the estimation of failure probabilities as small as 10−4. The results have demonstrated that as the target probability of failure gets smaller, SS becomes more and more efficient over standard MCS.
Finally, a word of caution is in order with respect to the fact that the estimates produced by SS when applied to discrete multi-state systems may be quite biased if the number of discrete states is low. This is due to the correlation between the conditional probability estimators at different levels: in fact, differently from continuous-state systems, whose stochastic evolution is modeled in terms of an infinite set of continuous states, discrete multi-state systems can only occupy a finite number of states; as a consequence, the number of repeated (thus, correlated) conditional failure samples generated during MCMC simulation may be high. Further research is underway on attempting to estimate the bias.
REFERENCES
Au, S. K. & Beck, J. L. 2001. Estimation of small failure probabilities in high dimensions by subset simulation. Probabilist. Eng. Mech. 16(4): 263–277.
Au, S. K. & Beck, J. L. 2003. Subset Simulation and its application to seismic risk based on dynamic analysis. J. Eng. Mech.-ASCE 129(8): 1–17.
Au, S. K., Wang, Z. & Lo, S. 2007. Compartment fire analysis by advanced Monte Carlo simulation. Eng. Struct., in press (doi: 10.1016/j.engstrct.2006.11.024).
Levitin, G. & Lisnianski, A. 1999. Importance and sensitivity analysis of multi-state systems using the universal generating function method. Reliab. Eng. Syst. Safe. 65: 271–282.
Metropolis, N., Rosenbluth, A. W., Rosenbluth, M. N. & Teller, A. H. 1953. Equations of state calculations by fast computing machines. J. Chem. Phys. 21(6): 1087–1092.
Schueller, G. I. 2007. On the treatment of uncertainties in structural mechanics and analysis. Comput. Struct. 85: 235–243.
Zio, E. & Podofillini, L. 2003. Monte Carlo simulation analysis of the effects of different system performance levels on the importance of multi-state components. Reliab. Eng. Syst. Safe. 82: 63–73.
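As an added illustration of the estimators discussed in Section 3.4 (this is editor-supplied code, not the authors' implementation and not their multi-state series-parallel system), the following Python block runs Subset Simulation with the same ingredients the paper uses, namely p0 = 0.1, N = 300 samples per conditional level and a modified Metropolis step with a symmetric uniform proposal, on a constructed continuous toy problem whose failure probability is known in closed form. It also computes the sample mean, the relative bias |P̄(F) − P(F)|/P(F) and the c.o.v. over S independent runs, as in Tables 5 and 6, and compares with crude MCS on the same sample budget. The response Y = (x1 + x2)/√2 of two standard normal inputs, the dimension 2 and the proposal half-width l = 1 are assumptions of this example; because the toy system is continuous, the correlation-induced bias the paper reports for discrete multi-state systems is not reproduced here.

```python
import math
import random

# Constructed toy problem (not the paper's multi-state system): the system
# "performance" Y = (x1 + x2)/sqrt(2) of two i.i.d. N(0,1) inputs is itself N(0,1),
# so P(F) = P(Y > w) = 1 - Phi(w) is known exactly and both estimators can be checked.
DIM = 2


def response(x):
    return sum(x) / math.sqrt(len(x))


def analytical_pf(w):
    return 0.5 * math.erfc(w / math.sqrt(2.0))


def standard_mcs(w, n_samples, seed=0):
    # crude Monte Carlo: fraction of i.i.d. samples falling in F = {Y > w}
    rng = random.Random(seed)
    hits = sum(1 for _ in range(n_samples)
               if response([rng.gauss(0.0, 1.0) for _ in range(DIM)]) > w)
    return hits / n_samples


def mcmc_step(state, threshold, half_width, rng):
    # One modified-Metropolis step (Au & Beck 2001). Each component gets a pre-candidate
    # from the symmetric uniform proposal on [nu - l, nu + l] (the choice made in the
    # paper's Section 3.3), accepted with probability min(1, N(xi)/N(nu)); the candidate
    # as a whole is kept only if it still lies in the current conditional failure region.
    cand = []
    for nu in state:
        xi = nu + rng.uniform(-half_width, half_width)
        ratio = math.exp(-0.5 * (xi * xi - nu * nu))   # standard-normal density ratio
        cand.append(xi if rng.random() < min(1.0, ratio) else nu)
    return cand if response(cand) > threshold else state


def subset_simulation(w, n_per_level=300, p0=0.1, half_width=1.0, seed=0,
                      rng=None, max_levels=10):
    # Returns (P(F) estimate, [(w_i, P(F_i | F_{i-1})), ...]). One run yields the estimate
    # for every intermediate threshold w_i on the way down to P(F) = p0^m * p_last.
    rng = rng or random.Random(seed)
    n_seeds = int(p0 * n_per_level)                 # conditional failure samples per level
    samples = [[rng.gauss(0.0, 1.0) for _ in range(DIM)] for _ in range(n_per_level)]
    pf, levels = 1.0, []
    for _ in range(max_levels):
        ranked = sorted(((response(x), x) for x in samples), key=lambda t: t[0], reverse=True)
        w_i = ranked[n_seeds - 1][0]                # adaptive threshold: n_seeds-th largest response
        if w_i >= w:                                # target level reached: count directly
            p_last = sum(1 for y, _ in ranked if y > w) / n_per_level
            levels.append((w, p_last))
            return pf * p_last, levels
        levels.append((w_i, p0))
        pf *= p0
        # the n_seeds samples at or above w_i seed Markov chains that populate the next level
        samples = []
        for _, seed_state in ranked[:n_seeds]:
            x = seed_state
            for k in range(n_per_level // n_seeds):
                if k:
                    x = mcmc_step(x, w_i, half_width, rng)
                samples.append(x)
    raise RuntimeError("target threshold not reached within max_levels")


def ss_statistics(w, runs=20, seed=1, **kwargs):
    # Sample mean over S runs, relative bias |mean - P(F)| / P(F) (the paper's bias
    # indicator) and coefficient of variation of the SS estimates.
    rng = random.Random(seed)
    ests = [subset_simulation(w, rng=rng, **kwargs)[0] for _ in range(runs)]
    mean = sum(ests) / runs
    std = math.sqrt(sum((e - mean) ** 2 for e in ests) / (runs - 1))
    exact = analytical_pf(w)
    return mean, abs(mean - exact) / exact, std / mean


if __name__ == "__main__":
    w = 3.09                                        # P(F) ~ 1e-3, the order of Case 1
    print("analytical P(F)      ", analytical_pf(w))
    print("SS, one run (840 smp)", subset_simulation(w)[0])
    print("MCS, 840 samples     ", standard_mcs(w, 840))
    print("SS mean / bias / cov ", ss_statistics(w))
```

With 840 i.i.d. samples crude MCS expects fewer than one hit at P(F) ≈ 10−3, so its estimate is usually 0 or a multiple of 1/840, while a single SS run with three levels of 300 samples lands within a factor of about two of the exact value; the c.o.v. returned by `ss_statistics` is what Figure 3 plots against the uncorrelated and fully correlated bounds.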
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: To reduce the cost of Monte Carlo (MC) simulations for time-consuming processes (like Finite Elements), a Bayesian interpolation method is coupled with the Monte Carlo technique. It is, therefore, possible to reduce the number of realizations in MC by interpolation. Besides, it becomes possible to reason about priors. In other words, this study tries to speed up the Monte Carlo process by taking into account the prior knowledge about the problem and reducing the number of simulations. Moreover, the information of previous simulations helps to judge the accuracy of the prediction in every step. As a result, a narrower confidence interval comes with a higher number of simulations. This paper shows the general methodology, algorithm, and result of the suggested approach in the form of a numerical example.
Figure 1. An illustration of the pixels which data points are assigned to.
[…] we need to define our likelihood function and the prior. The likelihood, or, more appropriately in this case, the PDF of the data (d) conditional on the pixels (u), is constructed by making the standard assumptions on the noise. Therefore, according to the Bayesian interpolation technique, there are three main steps to be taken into account:
1. All the pixels are connected to each other, so each pixel is defined as a function of its neighbouring pixels. This is the prior information, which is formulated in Section 4.
2. For the pixels which take the corresponding data values, the data values are considered the best estimates. This is described in Section 5.
3. Then the outcomes of the previous steps are combined so as to get an estimate of every pixel in the grid, based on the data. In this case, Equation 3 is used and the result is presented in Section 6.
4 THE PRIOR
We expect some logical dependence between neighbouring pixels, and this expectation is translated into the following model, f, for an arbitrary pixel ui:
$$u_i = f(u_{i-1}, u_{i+1}) = \frac{u_{i-1} + u_{i+1}}{2} \qquad (4)$$
Having the model defined, the error ei is also implicitly defined by Equation 5.
[…]
$$\ldots = \frac{1}{\sqrt{2\pi}\,\phi}\exp\left(-\frac{1}{2\phi^2}\left(u_i - \frac{u_{i-1}+u_{i+1}}{2}\right)^2\right) \qquad (7)$$
Assuming that there is no logical dependence between the errors e1, . . . , ev, the multivariate PDF of all the errors is a product of the univariate PDFs. Then, by making the change of variable from ei to ui, we find the following multivariate PDF for the pixels u1, . . . , uv:
$$P(u_1,\ldots,u_v \mid u_0, u_{v+1}, \phi) = \frac{1}{(2\pi)^{v/2}\,\phi^{v}}\exp\left(-\frac{1}{2\phi^2}\sum_{i=1}^{v}\left(u_i - \frac{u_{i-1}+u_{i+1}}{2}\right)^2\right) \qquad (8)$$
The boundary pixels are treated separately. In fact, these two pixels are assigned to the first and last position and presented as u0 = v1 and uv+1 = vv+2. As a result of using the principle of Maximum Entropy, the PDF of the boundary pixel u0 is obtained in Equation 9, and a similar equation can be established for the pixel uv+1.
$$P(u_0 \mid u_1, \phi) = \frac{1}{\sqrt{2\pi}\,\phi}\exp\left(-\frac{1}{2\phi^2}\,[u_0 - u_1]^2\right) \qquad (9)$$
Combining Equations 8 and 7 using Bayes’ Theorem, the next equation will be obtained. This equation is written in matrix form, where u is the vector of pixel positions, […]
We have derived the above equation, which provides the PDF for the pixels u0, . . . , uv+1 using the assumed prior model presented in Equation 4. If φ = 0, we reach the conclusion that our model (Equation 4) holds exactly. So setting φ = 0 produces an extremely informative prior which determines the values of the pixels. On the other hand, if φ → ∞ then the prior relaxes to an extremely uninformative distribution which leaves the values of the pixels totally free. So, in a sense, φ ‘regulates’ the freedom allowed to the pixels u0, . . . , uv+1.
Figure 2. An illustration of the pixels which data points are assigned to. The ‘-’ is a representation of the evaluated values in the pixels.
Substituting 11 into 12 and making a change of variable from the error ec to the data dc, the likelihood function can be obtained according to Equation 13.
$$P(d_c \mid u_c, \sigma) = \frac{1}{\sqrt{2\pi}\,\sigma}\exp\left(-\frac{1}{2\sigma^2}(d_c - u_c)^2\right) \qquad (13)$$
Again, by assuming logical independence between the errors and making the appropriate substitutions and changes of variables, the following likelihood function can be obtained.
$$P(d_1,\ldots,d_n \mid u_0, u_1,\ldots,u_{v+1}, \sigma) = \frac{1}{(2\pi)^{n/2}\,\sigma^{n}}\exp\left(-\frac{1}{2\sigma^2}\sum_{c \in C}(d_c - u_c)^2\right) \qquad (14)$$
(15)
[…] (Sivia 1996). Equation 19 presents the matrix form of this function.
$$P(u \mid d, \sigma, \phi) \propto P(u \mid \phi)\,P(d \mid u, \sigma) = \frac{1}{\phi^{v+2}\,\sigma^{n}}\exp\left(-\frac{(d - Su)^T(d - Su)}{2\sigma^2} - \frac{u^T R\, u}{2\phi^2}\right) \qquad (17)$$
Equation 19 is conditional on the unknown parameters φ and σ, but since we do not know these parameters we will eventually want to integrate them out as ‘nuisance’ parameters. We first assign Jeffreys’ prior to these unknown parameters:
$$P(\phi) = \frac{1}{\phi}, \qquad P(\sigma) = \frac{1}{\sigma} \qquad (18)$$
(19)
2. A random number is generated according to the PDF of the variable X, and according to its value, it is assigned to a certain location. This location, which is the jth pixel (as presented in Figure 1), is called uj.
3. According to the information of the other pixels and our assumed model, the PDF of uj is calculated by Equation 20.
4. According to the accepted tolerance criteria, it is decided whether there is a need to calculate the limit state equation for the jth point or the accuracy is enough.
5. The calculations are iterated from step 3 and continue until the simulation criteria are met.
8 NUMERICAL EXAMPLE
One of the important research topics in hydraulic engineering focuses on the impact of water waves on walls and other coastal structures, which create velocities and pressures with magnitudes much larger than those associated with the propagation of ordinary waves under gravity. The impact of a breaking wave can generate pressures of up to 1000 kN/m2, which is equal to 100 meters of water head. Although many coastal structures are damaged by breaking waves, very little is known about the mechanism of impacts. Insight into the wave impacts has been gained by investigating the role of entrained and trapped air in wave impacts. In this case, a simplified model of the maximum pressure of ocean waves on the coastal structures is presented by Equation 21.
$$P_{max} = C \times \frac{\rho \times k \times u^2}{d} \qquad (21)$$
where ρ is the density of water, k is the length of the hypothetical piston, d is the thickness of the air cushion, u is the horizontal velocity of the advancing wave, and C is a constant parameter equal to 2.7 s2/m. Having this knowledge, we are willing to find the probability of the event when the maximum impact pressure exceeds 5·105 N/m2 for a specific case. The one-dimensional limit state function (LSF) can be defined by Equation 22, where the velocity parameter is assumed to be normally distributed as N(1.5, 0.45).
$$G(u) = 5 - 0.98280 \times u^2 \qquad (22)$$
We consider the variation of the variable u in the interval [μ − 3σ, μ + 3σ], where μ is the mean value and σ is the standard deviation of the variable u. This interval is divided into finite pixels with an equal distance of 0.01. As a result, there are in total 270 internal pixels defined in this interval. A schematic view of all the pixels is presented in Figure 2. Pixel 210 is considered as a sample pixel in which we are going to monitor the change of its PDF during the Monte Carlo process. In this figure, the measured (or observed) data points are assigned to the first and last internal pixels.
Before we proceed to the simulation process, we would like to present the probable values of pixel 210, or u210, with the suggested model. Therefore, we need to use Equation 20 in order to get the required PDF. Nevertheless, this equation contains σ and φ. As a matter of fact, σ can be integrated out of the equation, but we need to estimate a value for φ. In this case, we define ε = φ−1, which is called the regularizer. Then we can get the PDF of our regularizer to find its optimal value, which leads to the narrowest PDF. The reader who is interested in this process is referred to (Bretthorst 1992). The most probable value of ε is estimated to be 2.6 and we use this value during the rest of this work. As a result, Equation 20 will lead to Equation 23 for pixel number 210 given two data points: d1 and d2.
$$P(u_{j=210} \mid d_1, d_2) = \frac{0.3126 \cdot 10^{9}}{0.5897 \cdot 10^{10} + 0.5265 \cdot 10^{10}\,u_j + 0.1339 \cdot 10^{10}\,u_j^{2}} \qquad (23)$$
The PDF of u210 given d1 and d2 is depicted in Figure 3. This figure is a plot of Equation 23. The mean value of this PDF is −1.97 by assuming a symmetrical PDF. Besides, the 95% accuracy by assuming a symmetrical distribution leads to the values in the interval [−11.28, 7.35]. This interval was obtained by solving the equation which states that the integral over a symmetrical area around the mean value should be equal to 0.95. It is a wide PDF and its tails are much more informative than the Gaussian. In other words, we expect the value of this pixel to vary within this interval, having the prior information about the model and just 2 data points.
It is useful to compare this result with the traditional interpolation problem. In fact, by considering two data points, there is no other way than to assume a linear relationship, which leads to the value of −1.21 for this pixel, while we do not have any estimate of the uncertainty. Now, the distinction between the two methods is obvious; the applied method enables us to get a criterion for the uncertainty of the estimated value of each pixel. This is a huge advantage in the simulation process. This comparison is depicted in Figure 4. In this figure there are two data points called A and B. These two points are the only information which provides point e using a linear interpolation for pixel 210, where e = −1.21. This is not close to the real value of the limit state function, g = 0.0246. Nevertheless, there is no information on the certainty of the estimated point e from the interpolation. On the other hand, point f is the mean value of the PDF calculated by the […]
[…] is assigned to a pixel uj, we check if it is necessary to run the limit state equation, or whether we can assign its value according to our tolerance. To investigate the changes, we monitor u210 after 20 realizations of the LSE (or 20 data points) which are assigned to their locations. As a result, the calculated PDF of u210 given 20 data points is obtained and depicted in Figure 5. The mean value of this PDF is 0.013, and the 95% accuracy by assuming a symmetrical distribution leads to the values in the interval [−0.16, 0.19]. This shows that by implementing more data points, we get a more precise PDF.
The difference between the results of linear and Bayesian interpolation in this case is due to the value of the regularizer (ε). In this case study its value is set to ε = 2.60. The effect of epsilon (or φ, which is inversely related to it) was previously described. In fact, we can have two extreme situations when we consider the two extreme values for ε, namely 0 and infinity. In the first case we just stick to our data values, and in the second case we just consider our model assumption and leave out the other information. Therefore, the difference between e and f should be related to the value of the regularizer.
Figure 3. This figure presents the probability distribution function (PDF) of u210 given 2 measured data points: d1 and d270.
Since we are not satisfied with the accuracy, we continue to generate more data points. Figure 6 presents the PDF of u210 having 90 data points measured or calculated. The mean value of this PDF is 0.025, and the 95% accuracy by assuming a symmetrical distribution leads to the values in the interval [0.014, 0.035]. This shows that by implementing more data points, we get a more precise PDF. Since this interval is small enough, we can assume that we have obtained enough accuracy. Therefore, the simulation effort has been reduced by 67% for the presented numerical example.
In fact, the number of simulations in the Monte Carlo technique depends on several factors. The most important ones are the tolerance and the distance between pixels defined for the analysis. In other words, to get a more precise result we need to implement more data points. Meanwhile, a higher number of pixels leads to a higher accuracy.
It is useful to compare the calculated PDFs in another figure with the same scale. Figure 7 provides this comparison, in which figure (a) presents the PDF of the pixel at the beginning of the simulation, where there are just two data points. Figure 7(b) presents the PDF of the same pixel, u210, when there are 20 data points randomly generated and assigned to the related pixels. Figure 7(c) again presents the PDF of the same pixel where the information of ninety pixels is implemented. In this figure, the same scale of axes is selected to clarify the change of the PDF during the simulation process.
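The following Python block is an added worked example (editor-supplied, not the authors' code) of the three-step Bayesian interpolation and of the pixel-based Monte Carlo procedure of steps 2 to 5, applied to the limit state function of Equation 22 on the pixel grid of Section 8. The prior is the model of Equations 4, 8 and 9, the likelihood is Equation 14, and the two are combined as in Equation 17, but σ and φ are held fixed instead of being integrated out with the Jeffreys priors of Equation 18; the posterior is therefore Gaussian, and the non-Gaussian PDF of Equation 23, its mean of −1.97 and the 67% saving are not reproduced. Assumptions specific to this example: the pixel indexing u_j = 0.15 + 0.01 j (chosen because it places pixel 210 at u = 2.25, where G = 0.0246 as the text states, and makes two-point linear interpolation return −1.21 as the text states), a noise level σ = 0.01 on evaluated LSF values, φ = 1/ε with the page's ε = 2.6, and a tolerance of 0.05 on the posterior standard deviation for the step 4 decision.

```python
import math
import random

# Pixel grid reconstructed from Section 8 (my assumptions, not the authors' code):
# u ~ N(1.5, 0.45); [mu - 3 sigma, mu + 3 sigma] = [0.15, 2.85] is split with spacing
# 0.01 into 270 internal pixels u_1..u_270 plus the boundary pixels u_0 and u_271, with
# u_j = 0.15 + 0.01 j, which places pixel 210 at u = 2.25 where G = 0.0246 as in the text.
MU, SD, STEP = 1.5, 0.45, 0.01
N_INTERNAL = 270
N_PIXELS = N_INTERNAL + 2
BANDWIDTH = 2          # the prior precision matrix R couples pixels up to two apart


def pixel_u(j):
    return MU - 3.0 * SD + STEP * j


def limit_state(u):
    # Equation 22: G(u) = 5 - 0.98280 u^2; failure (pressure above 5e5 N/m^2) when G < 0
    return 5.0 - 0.98280 * u * u


def pixel_of(u):
    # step 2 of the algorithm: a realisation of u is assigned to its nearest internal pixel
    return min(max(round((u - pixel_u(0)) / STEP), 1), N_INTERNAL)


def linear_interp(j1, d1, j2, d2, j):
    # the classical two-point interpolation the paper compares against (gives -1.21 at pixel 210)
    return d1 + (d2 - d1) * (j - j1) / (j2 - j1)


def prior_precision(n):
    # R = A^T A, where each row of A is one residual of the prior model:
    # Eq. 4/8: u_i - (u_{i-1} + u_{i+1})/2 for internal pixels; Eq. 9: u_0 - u_1 and u_{v+1} - u_v
    rows = [{0: 1.0, 1: -1.0}, {n - 1: 1.0, n - 2: -1.0}]
    rows += [{i - 1: -0.5, i: 1.0, i + 1: -0.5} for i in range(1, n - 1)]
    R = [[0.0] * n for _ in range(n)]
    for row in rows:
        for a, x in row.items():
            for b, y in row.items():
                R[a][b] += x * y
    return R


def solve_banded_spd(Q, rhs_list, bw):
    # Gaussian elimination without pivoting (Q is symmetric positive definite and banded,
    # so no fill-in appears outside the band); returns one solution per right-hand side.
    n = len(Q)
    a = [row[:] for row in Q]
    bs = [b[:] for b in rhs_list]
    for c in range(n):
        for r in range(c + 1, min(c + bw + 1, n)):
            f = a[r][c] / a[c][c]
            if f:
                for k in range(c, min(c + bw + 1, n)):
                    a[r][k] -= f * a[c][k]
                for b in bs:
                    b[r] -= f * b[c]
    sols = []
    for b in bs:
        x = [0.0] * n
        for i in range(n - 1, -1, -1):
            s = sum(a[i][k] * x[k] for k in range(i + 1, min(i + bw + 1, n)))
            x[i] = (b[i] - s) / a[i][i]
        sols.append(x)
    return sols


def posterior_at(R_over_phi2, data, sigma, j):
    # Gaussian posterior of Eq. 17 with sigma and phi held fixed (the paper integrates them
    # out with the Jeffreys priors of Eq. 18, which is not reproduced here):
    # precision Q = R/phi^2 + S^T S/sigma^2, mean = Q^{-1} S^T d/sigma^2, var_j = (Q^{-1})_jj.
    n = len(R_over_phi2)
    Q = [row[:] for row in R_over_phi2]
    b = [0.0] * n
    for k, d in data.items():
        Q[k][k] += 1.0 / sigma ** 2
        b[k] += d / sigma ** 2
    e_j = [0.0] * n
    e_j[j] = 1.0
    mean, col = solve_banded_spd(Q, [b, e_j], BANDWIDTH)
    return mean[j], math.sqrt(col[j])


def run_example(seed=1, sigma=0.01, phi=1.0 / 2.6, tol=0.05, pixel=210):
    # sigma: assumed noise on evaluated LSF values; phi = 1/epsilon with the paper's
    # regularizer epsilon = 2.6; tol: assumed tolerance on the posterior std for step 4.
    rng = random.Random(seed)
    Rp = [[x / phi ** 2 for x in row] for row in prior_precision(N_PIXELS)]
    data = {1: limit_state(pixel_u(1)), N_INTERNAL: limit_state(pixel_u(N_INTERNAL))}
    out = {"linear": linear_interp(1, data[1], N_INTERNAL, data[N_INTERNAL], pixel),
           2: posterior_at(Rp, data, sigma, pixel), "evaluations": 2}
    draws = 0
    for stage in (20, 90):                # Figures 5 and 6: PDF of u_210 after 20 and 90 draws
        while draws < stage:
            draws += 1
            j = pixel_of(rng.gauss(MU, SD))
            if j in data:                 # pixel already carries a value: nothing to compute
                continue
            _, std_j = posterior_at(Rp, data, sigma, j)
            if std_j < tol:               # step 4: accurate enough, skip the expensive LSF call
                continue
            data[j] = limit_state(pixel_u(j))
            out["evaluations"] += 1
        out[stage] = posterior_at(Rp, data, sigma, pixel)
    return out
```

`run_example()` returns the posterior mean and standard deviation of u210 after 2, 20 and 90 draws, the two-point linear value, and the number of LSF evaluations actually performed; the standard deviation can only shrink as data accumulate, which is the page's observation that the PDF of u210 narrows from Figure 3 to Figure 6. With the 20 and 90 draws of Figures 5 and 6 the posterior mean approaches the true value g = 0.0246, and the gap between the linear estimate e and the Gaussian posterior mean is small here precisely because σ and φ are fixed.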
9 DISCUSSION
Figure 7. This figure shows the probability distribution function of the variable which is assigned to the pixel j = 210. In Figure (a) just the information of 2 data points is considered, while in Figures (b) and (c) the information of 20 and 90 pixels is considered, respectively.
10 CONCLUSION
The suggested procedure can speed up Monte Carlo simulations integrated with finite elements or other highly complicated and time-consuming processes. However, in this paper we have limited ourselves to a finite number of pixels. The proposed method also provides a tool for implementing informative priors regarding the considered model. The extension of this work to an arbitrary length and location of pixels can provide a more powerful tool and is recommended for future research projects.
REFERENCES
Jaynes, E. T. (2003). Probability Theory, the Logic of Science. Cambridge University Press.
Rajabalinejad, M., P. H. A. J. M. van Gelder, and J. Vrijling (2007). Dynamic limit boundaries coupled with Monte Carlo simulations. Submitted to the Journal of Structural Safety.
Rajabalinejad, M., P. H. A. J. M. van Gelder, J. K. Vrijling, W. Kanning, and S. van Baars (2007). Probabilistic Assessment of the Flood Wall at 17th Street Canal, New Orleans. In Risk, Reliability, and Social Safety, Volume III, pp. 2227.
Sivia, D.S. (1996). Data Analysis: A Bayesian Tutorial. Clarendon Press.
van Gelder, P. H. A. J. M. (1999). Risks and safety of flood protection structures in the Netherlands. In Participation of Young Scientists in the Forum Engelberg, pp. 55–60.
Occupational safety
Jokin Rubio, Benjamín Rubio, Celina Vaquero, Nekane Galarza, Alberto Pelaz & Jesús L. Ipiña
Industrial Safety Unit, Fundación LEIA CDT, Spain
Diego Sagasti
División de Realidad Virtual, EUVE- European Virtual Engineering, Spain
Lucía Jordá
Unidad de Ingeniería de Producto, AIMME-Instituto Tecnológico Metalmecánico, Spain
ABSTRACT: Virtual Reality (VR) is emerging as an important tool in the industry sector to simulate human-
machine interaction providing significant findings to improve occupational and industrial safety. In this paper
several VR applications and tools developed for industries in the manufacturing and chemical sector are presented.
These developments combine VR simulations, immersive 3D dynamic simulation and motion capture, addressing
risk assessments in the design process, in normal operation and training.
2 METHODOLOGY: IMMERSIVE VIRTUAL REALITY SYSTEM
The Industrial Safety Unit (UDS) is provided with a fully equipped virtual reality laboratory. The capabilities of this laboratory can be summarized as follows (see Figure 1).
• Biomechanical Motion Analysis, provided with IR video cameras, optical markers, data glove, and motion capture software tools. This system allows optical capture of movements and biomechanical analysis of those movements, and provides the virtual reality system with machine vision.
• CAD Design and Dynamic Simulation (IBM Work Station + CATIA/DELMIA software tools). The CATIA/DELMIA work-station is connected to the Virtual Reality Equipment (next item) and supplies the initial virtual environment in order to build the Virtual Universe.
• Immersive Virtual Reality, VirTools v4.0 software tool (virtual reality engine, the “brain” of the virtual reality system) and hardware elements: HMD helmet, data glove, projectors, screens, glasses.
Moreover, as a result of R&D projects (made jointly with the companies ABGAM and STT), this system has been optimized with modules to export motion captures to DELMIA and to perform automatic ergonomic risk assessments.
This virtual reality laboratory is being used by this research group mainly for three safety-related applications: workplace risk assessment, design improvement and the development of education and training applications.
3 RESULTS
3.1 Workplace risk assessment
3D simulation technologies and immersive virtual reality are being used in UDS to assess process and facility risks. In this sense, evaluations of machinery safety, task performance and ergonomics assessments are being developed (Figure 2).
Workers performing their tasks are simulated in Catia-Delmia software. Mainly, safety distances and worker postures when performing tasks are analysed to achieve an evaluation of the workplace, using the modules of the software, which include several ergonomic standards and tools.
3.2 Industrial process design improvement
Immersive VR is being used in the design phase of the industrial process to simulate labour tasks that imply safety and ergonomic risks. This is nowadays being carried out in a collaborative project (TIES) with another two research centres, AIMME and EUVE.
A system based on CAD design, biomechanical motion analysis and immersive virtual reality has been developed (Figure 1). The basic approach being followed in this research is to “immerse” final users in interactive virtual work scenarios developed from 3D machinery designs (Catia, Solid Edge). The user–virtual scenario interaction is analysed in order to identify the safety/ergonomic risks of those work environment designs. In this way, designs can be modified prior to the development of the real machinery prototypes/workplace, offering great flexibility in the design process.
A real example has been developed in order to test the performance of this system. A specific workplace, including a hydraulic press, has been modelled. Experimental testing with users has provided preliminary
results regarding the usefulness of the system to improve industrial process design.
The specific scenario and machinery addressed in this experience were selected owing to their extensive use in the metal transformation sector (a key sector in the TIES project mentioned above) and the high risks involved in the manipulation of this specific machinery. Three main steps have been carried out in this work: virtual scenario development, ergonomic and safety module programming, and initial testing.
As a first step, virtual scenarios were developed. This activity mainly implied the programming of the avatar and the machinery. The avatar was modelled to move in the virtual world following the data from the motion capture system, that is, following the real movements of the user. The user is provided with a Helmet Mounted Display (HMD), so he can observe the virtual world while moving within it. The user is also provided with a data glove to monitor hand movements, allowing the user to interact with the virtual world and to trigger actions like catching and releasing a piece (manipulation of workloads). On the other side, the machinery (a hydraulic press) was imported into the graphics engine from its original design in Solid Edge. The mechanical behaviour was modelled according to the press specifications (the scope of this project only focused on the mechanical characteristics; others, such as the electrical or hydraulic ones, were not considered because of the difficulty of modelling them in our virtual system). Different operating modes and safety measures were programmed in order to achieve different work scenarios (some examples can be seen in Figure 3).
Figure 3. Operating modes and safety measures of the modelled press.
As a second step, software modules incorporating ergonomic and safety requirements were developed and integrated in the virtual system. In the interaction of the user with the virtual world, those modules provide the deviation from recommended standard values. Specifically, the standard ergonomic methods RULA, REBA, NIOSH and Snook & Ciriello have been implemented, allowing an automatic ergonomic evaluation from the motion capture system data (see Figure 4). Similarly, safety standards with a focus on the mechanical risks of the press were reviewed. The standard UNE-EN 294:1993 (Safety distances to prevent danger zones being reached by the upper limbs) has been programmed so that distances among danger zones, safety measures and the user can be checked.
Figure 4. Example of a result of an ergonomic evaluation.
Finally, preliminary testing has been performed with the developed system (Figures 5–6). Users provided with input/output devices have been “immersed” in the virtual world, where they have performed their work tasks, loading/unloading pieces and operating the press.
The initial experiences showed that the system allows the identification of safety and ergonomic risks of an industrial process in the design phase. Mainly, the automatic ergonomic evaluation seems to be of special relevance and usefulness; these evaluations have been validated through comparison with standard methodologies (video recording plus application of ergonomic standards). On the other side, the programming of safety standards for mechanical risks into the virtual […]
Figure 7. Software tool for training.
4 FUTURE PERSPECTIVES
731
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
Applying the resilience concept in practice: A case study from the oil
and gas industry
Trond Kongsvik
NTNU Social Studies LTD, Norway
Gaute Solberg
StatoilHydro
ABSTRACT: This paper demonstrates how the resilience concept (Hollnagel et al., 2006) can be used as a perspective for reducing occupational injuries. The empirical background for the paper is a case study on an oil and gas installation in the North Sea that had a negative trend in LTI (Lost Time Injury) rates. The HSE (Health, Safety, Environment) administration initiated a broad process that included the crew on the installation, the onshore administration and a group of researchers to improve the situation. Instead of focusing the analysis on incident reports, we applied a proactive view. Thus, we adapted a model for resilience that was used in a development process. In the context of occupational accidents, we focused on the following factors: sufficient time, knowledge and competence, resources and an inclusive working environment. These factors have been identified as important for coping with complexity and necessary for the organization to be able to anticipate, perceive and respond to different constellations of conditions. This paper illustrates to what extent the concept of resilience was fruitful analytically and as a reflection tool in the development of new HSE measures that are now being implemented. The links between the resulting HSE measures and the qualities of the resilience concept are discussed.
that make the organization prepared for the unexpected. This can be regarded as a proactive approach to safety. In a proactive view, individuals and organizations must adjust to cope with current conditions. These adjustments handle different constellations of conditions that can produce accidents and also successes. Thus a resilient organization (or system) can adjust its functioning prior to or following changes and disturbances to continue working in the face of continuous stresses or major mishaps. Here, variability is regarded as potentially positive for safety, in line with what Hollnagel (2008) labels "Theory Z".

The study is limited to one installation, and can be regarded as a case study. This implies the exploration of a "bounded system" over time involving several data sources rich in context (Creswell 1998).

The approach chosen for the case study was action research combined with use of the resilience concept. In practice, this implied a mutual reflection in a search conference upon how to strengthen certain qualities that could make Heidrun TLP more resilient as an organization. The negative safety results were not addressed at all in the workshop. Instead we focused on the positive aspects of the organization and on how to strengthen these even further.

In the next part of the paper the resilience concept will be further explored, followed by a description of how the concept was used in our case. In part four, the results will be presented, while in part five we will give an overall discussion of the findings, followed by the conclusions.
conditions. Therefore, the performance variability of sociotechnical systems is normal and necessary, resulting in both successes and failures. In the systemic view, accidents and incidents are the result of unexpected combinations of normal performance variability. Accidents are prevented by monitoring and damping variability. In this view, risks emerge from non-linear combinations of performance variability.

[Figure 1 labels: Environment; Dynamic developments; System; Anticipation (knowing what to expect); Attention (knowing what to look for); Response (knowing what to do); Learning; Updating; Knowledge; Competence; Resources; Time]

Figure 1. Required qualities of a resilient system (Hollnagel, Woods and Leveson, 2006).

Hollnagel (2008) formally defines resilience engineering as the intrinsic ability of an organization (or system) to adjust its functioning prior to or following changes and disturbances to continue working in the face of continuous stresses or major mishaps. It is not a surprise that there is no unique way to define resilience. While the majority of definitions have focused on the capability to cope with failures, providing a reactive approach, resilience engineering focuses on the ability to adjust prior to or following a failure. Resilience engineering explores ways that enhance the ability of organizations to be robust and flexible and make them prepared to cope with the unexpected. This definition focuses on variability, adaptability and unpredictability.

We explore resilience engineering, and the premises for resilience engineering will have an influence on the understanding of the phenomena that we studied and the solutions that we identified (Hollnagel, 2007). These premises are:

– Since it is not possible to describe all operations in detail, and resources are limited, performance variability is necessary.
– Many adverse events could contribute to a success or to a failure. These adverse events are the result of adaptations to cope with complexity.
– Safety management must be reactive and proactive. Safety management shall take into account both hindsight and the ability of the organisation (system) to make proper adjustments to anticipate potential threats, monitor risk, revise risk models and use resources proactively.

In this context, the qualities required for a system to be resilient are illustrated in Figure 1. These qualities are related to the ability to:

– Respond to regular and irregular threats in a robust and flexible manner. This is the reactive part of safety management. The system is designed for a limited range of responses. There is still a necessity to adjust responses in a flexible way to unexpected demands.
– Monitor in a flexible way own performance and external conditions. This monitoring focuses on what is essential to the operation. In a dynamic and unpredictable environment, the system needs to be able to have internal monitoring and to monitor the external conditions that may affect the operation.
– Anticipate risk and opportunities. At this point it is required to go beyond risk analysis and have the imagination to see what may happen and to see key aspects of the future (Westrum, 1993). It is not only a matter of identifying single events but of how they may interact and affect each other.
– Learn from experience. This implies learning from actual events, not only collection of data in databases.

In resilience engineering safety is not seen as the absence of an accident but as a dynamic non-event (Weick and Sutcliffe, 2001) and the capability of the system to handle unexpected situations. Resilience acknowledges that individuals and organizations must adjust to cope with current conditions. These adjustments are always approximate due to current working conditions where there is a limited amount of information, resources and time. Resilience engineering is about increasing the ability of the organisation to make correct adjustments. The adjustments are influenced by a number of conditions; these conditions are lack of time, lack of knowledge, lack of competence and lack of resources (Hollnagel and Woods, 2005). These conditions affect the system's ability to cope with the unexpected event.

Unexpected events require more time to understand the situation and decide the proper action. If unexpected events occur on several occasions, they will affect other activities and there is a possibility of loss of control. The focus in relation to time should be on when time demands are real and have consequences for individuals. Knowledge is required to understand the event and "what happened", and competence is related to "knowing what to do" even if the unexpected event has gone beyond design limits. An unexpected event will require the use of resources to regain control. Finally, the experience gained from the management of unexpected events needs to go back to the system in order to augment response capacity.
The resilience engineering concept presented in this section is adapted to the oil and gas case to analyse the ability of the organisation to anticipate, monitor, respond and learn, together with the conditions that influence this ability.

3 METHOD: ADAPTATION AND USE OF THE RESILIENCE MODEL

Based on the increasing number of occupational accidents, StatoilHydro initiated a project in cooperation with SINTEF. The scope was to turn the negative trend by identifying safety measures dedicated to the pilot installation, Heidrun TLP.

The action research approach that was used on Heidrun TLP is a part of an organizational development (OD) process (Greenwood & Levin 1998). The goal of this process was to increase the quality of adjustments and to improve occupational safety in the organization. In the OD process we focused on working conditions that influence the ability to make proper adjustments: sufficient time, knowledge, competence and resources (Hollnagel and Woods, 2005). In our early information gathering we saw that the psychosocial work environment on Heidrun TLP also could have a significant influence on the ability to make proper adjustments, and therefore added this as a condition.

With this background we developed a working model that was used to structure the interviews and as a starting point for the discussions in the search conference.

"Knowledge and Competence" were merged in the model for pedagogical reasons (although the difference was explained orally) and the factor "psychosocial work environment" was added, resulting in four main factors as indicated in Figure 2 below.

Based on initial discussions with the safety staff some external factors were identified, anticipated to influence the safety level on Heidrun TLP. These external factors are: "The safe behaviour programme" (a large safety campaign), "open safety talk", "cost & contracts", "organisational changes", "onshore support" and last but not least "management".

Figure 2. The adapted resilience model.

All factors in the resilience model were discussed through approximately 40 semi-structured interviews, mostly with offshore workers. All kinds of positions were covered, both internal StatoilHydro and contractor employees. The main findings were extracted from the interviews and sorted by the factors in the resilience model.

The findings from the interviews were the main input to the creative search conference, also gathering around 40 persons. The participants represented both onshore and offshore personnel and internal and external StatoilHydro personnel. The two-day conference was arranged with a mix of plenum and group sessions to discuss and suggest safety measures. The second day of the conference was dedicated to identification of measures, i.e. how Heidrun could become a more resilient organization.

4 RESULTS

The safety measures identified in the search conference were sorted and defined as HSE activities. These were presented and prioritized in a management meeting in the Heidrun organization, and the end result from the project was nine HSE activities:

• Safety conversations
• Buddy system
• Collaboration in practice
• The supervisor role
• Consistent management
• Clarification of the concept "visible management"
• Meeting/session for chiefs of operation
• Risk comprehension course
• Visualisation of events

These activities are now being put into action. "Safety conversations" cover both formal and informal conversations where safety is a topic, either explicitly or indirectly. The aim of this measure is first of all to enhance the quality of these conversations by observing good and less good practice and applying training when necessary. In the "Buddy system" colleagues are assigned to take care of new colleagues. This HSE activity will contribute to an enhanced quality of this system by observation of practice, exchange of experience and training. In the "Collaboration in practice" activity different work groups are brought together to become more familiar with their own work in relation to others' work. The aim is to clarify roles and responsibilities in the common work processes and to increase knowledge about each other's work.

"The supervisor role" is a role that needs to be developed and clarified as this role has changed. The supervisor is the daily manager for the work force on
the installation; he has direct contact with the crew and has a thorough knowledge about the operations. This activity will aim at clarifying this role and identifying the need for enhanced competence. "Consistent management" will help the managers to agree on common practice on reactions to insecure behaviour.

The crew onboard the installation request more "Visible management", but at the same time the management claim that they have too little time to be visible. It is however rather diffuse what is meant by this expression, and the activity will help to clarify this. "Meeting/session for the chiefs of operation" shall be an arena for good and constructive discussions about safety related topics. This activity will define topics to be addressed and will contribute to the design of fruitful processes for these meetings. "Risk comprehension course" shall develop different courses with the aim of enhancing the comprehension of risk. Finally the "Visualisation of events" activity will follow up and extend visualisation of events through animations and video and will also encourage the use of drawings in reporting of events.

5 DISCUSSION

Three main qualities are required for a resilient organization. These are anticipation, attention and response. These qualities are described in a theoretical way in the theory section, but as an introduction to the discussion we will give a practical example related to occupational accidents.

If a group of people onboard an oil installation shall install a heavy valve together, they need to be well coordinated. They need knowledge about how to carry out the operation, including who is responsible for what. Competence on the risky situations they go through in this operation is also essential. This knowledge represents "anticipation", knowing what to expect. When the operation proceeds they also need to have competence on how to interpret the situation and what to look for to be aware of the risky situation; "attention" is needed. When a risky situation is observed it is crucial that they "respond" to it, and respond in a correct way. It is not unusual that an employee does not respond if he sees that an employee in a higher position does not follow safety procedures. Trust is essential to secure response. Time and resources are also important to avoid that critical situations are not responded to because people like to "get the job done" in due time.

How can the identified HSE activities potentially influence attention, anticipation and response? Table 1 shows how we interpret this.

Table 1. Activities influencing anticipation, attention and response.

Activity                                 Anticipation   Attention   Response
Safety conversation                      x              x           (x)
Buddy system                             x              (x)         (x)
Collaboration in practice                x
The supervisor role                      x              (x)         (x)
Consistent management                    x              (x)
Clarification of "visible management"                   (x)
Session for chiefs of operation          x
Risk perception course                   (x)            (x)
Visualization                            (x)            (x)

The activity "Safety conversation" covers all conversations where safety is an issue, and the purpose is to enhance the quality of these conversations. When safety issues are treated in a proper way they will increase the knowledge about safety, and clarify anticipations and what to expect. Safety conversations can also influence attention, e.g. what to look for in terms of hazards in daily work. One purpose of safety conversations between employees and managers is also to increase the awareness of how to respond to critical situations.

The "Buddy system" will in itself contribute to making newcomers to the installation more familiar and increase their competence both about the installation and how work is performed. Increasing the quality of this system and giving the "buddies" support so that they can be more prepared for this role may improve the newcomer's anticipation, attention and response.

"Collaboration in practice" will especially give a better clarification of what to expect (anticipation) regarding how the work is carried out in a safe manner.

The supervisors are close to the daily operations. By increasing their knowledge and skills, this may have an important effect on anticipation. Indirectly, and dependent on the skills the supervisors acquire, both attention and the quality of response may increase.

The goal of the activity "Consistent management" is to give managers a common understanding of how to respond to safe and non-safe behavior. Consistent positive and negative feedback that is regarded as fair can potentially increase both anticipation and attention. Response regarded as unfair can worsen the psychosocial working environment and thereby decrease the two qualities.

A management that is visible to the employees in terms of safety issues can in itself have a positive effect on attention. The activity "Clarification of 'visible management'" will in the first stage only define the meaning of the term and will thereby not contribute to resilience before something is done to make the managers more visible.
Introducing safety issues in meetings for chiefs of operations in a positive way can increase the managers' knowledge about safety: anticipation.

Both "risk comprehension course" and "Visualization of events" can increase knowledge about safety (anticipation) and also competence on how to be aware of the risky situations (attention), but this effect is dependent on high quality and proper use.

We see that most of the activities can potentially improve the anticipation of risk and opportunities. More uncertain are the influences on appropriate responses to threats and also on attention, the monitoring of performance and conditions. Attention and response are the two qualities that are most difficult to change or improve. Both attention and response can be regarded as behavior. Thus a change in these two qualities requires a behavioral change. Anticipation can be regarded as a cognitive process, and is as such easier to change than behavior. Still, behavior change is crucial in the building of resilience. How the nine activities actually contribute to behavior change is still an open question, as the effects have not yet been evaluated.

6 CONCLUSION

The research question for this paper was how resilience can be built in practice in organizations. We have illustrated that the use of an action research approach, using search conferences, potentially could have a positive influence on the qualities that are required for resilient organizations: anticipation, attention and response. Our focus has been occupational injuries, but the approach could be valid for safety work in general.

The approach and process used in the case study demonstrate that a proactive approach to safety issues is motivating for the personnel involved. Statistics and reports on accidents are widely used to improve safety. Some fatigue can be observed among the personnel related to safety work using this approach. The feedback from this project was that the personnel had no difficulties dealing with the resilience concept as it was used in the project. Resilience was a construct that the offshore personnel liked to be associated with. One of the participants in the search conference, a safety delegate, expressed that this was the most interesting HSE meeting he had participated in during the last 25 years. The terms from the resilience model have been adapted and used during daily safety work on the installation. We may conclude that it is more motivating to use the proactive approach in practical safety improvement work.

REFERENCES

Creswell, J.W. 1994. Research design: Qualitative & quantitative approaches. Thousand Oaks, California: Sage Publications.
Greenwood, D.J. & Levin, M. 1998. Introduction to action research: social research for social change. Thousand Oaks, California: Sage Publications.
Heinrich, H.W. 1931. Industrial accident prevention. New York: McGraw-Hill.
Hollnagel, E., Woods, D. 2005. Joint Cognitive Systems. Foundations of Cognitive Systems Engineering. Taylor and Francis, USA.
Hollnagel, E., Leveson, N., Woods, D. 2006. Resilience Engineering Concepts and Precepts. Aldershot: Ashgate.
Hollnagel, E. 2007a. Resilience Engineering: Why, What and How. Viewgraphs presented at Resilient Risk Management Course, Juan les Pins, France.
Hollnagel, E. 2007b. Principles of Safety Management Systems: The Nature and Representation of Risk. Viewgraphs presented at Resilient Risk Management Course, Juan les Pins, France.
Hollnagel, E. 2008. Why we need Resilience Engineering. Ecole des Mines de Paris, Sophia Antipolis, France.
Reason, J., Hobbs, A. 2003. Managing Maintenance Error. Ashgate, Aldershot, USA.
Weick, K., Sutcliffe, M. 2001. Managing the unexpected. Assuring High Performance in the Age of Complexity. University of Michigan Business School Management Series. John Wiley & Sons, Inc., USA.
Westrum, R. 1993. Cultures with Requisite Imagination. In Verification and Validation of Complex Systems: Human Factors Issues, ed. Wise, J., Hopkin, D. and Stager, P. New York: Springer-Verlag, pp. 401–416.
ABSTRACT: A model of OHS management was developed using the safe place, safe person and safe systems
framework. This model concentrates on OHS being a collective responsibility, and incorporates three different
perspectives—an operational level (safe place), an individual level (safe person) and a managerial level (safe
systems). This paper describes the qualitative methodology used in the development of the assessment tool,
including the lessons learnt from the pilot study and preliminary results. This research also promotes the use of a
new style of reporting that identifies areas of strengths as well as vulnerabilities, and uses discreet, non-emotive,
neutral language to encourage an objective, constructive approach to the way forward. The preliminary results
from the pilot study and peer review using the Nominal Group Technique were very encouraging suggesting
that this technique would be useful in directing a targeted approach to systematic OHS management, and that
the safe place, safe person, safe system framework was suitable to be taken to the next stage of wider case study
application.
data to understand the work processes and consider the bigger picture in review activities. Included here are provisions for safe design, safe supply and procurement; competent supervision; good communication; use of consultation; incident management; and means of self checking via specialist audits or system reviews. The focus here is on management and systems to promote a safe working environment.

In order to determine the usefulness of the above approach, an assessment tool was developed so that the safe place, safe person, safe system framework could be applied to determine the hazard profile of an organisation. The assessment tool comprised supporting material for each framework element to allow a risk ranking exercise to be conducted. This included a definition and scope for each element and the risk outcomes if the element was overlooked. The individual assessments for each element were aided by the development of a series of prompts that considered possible risk factors and possible prevention and control strategies for each of the elements (see Figure 1 for the elements "Electrical" and "Stress Awareness").

The risk ranking exercise was conducted as a two stage process: firstly, without taking into account interventions that were already in place, so that areas of vulnerability could be identified should any of the current control measures fail (the "raw" hazard profile); secondly, an assessment was made of the risk remaining once existing prevention and control strategies had been applied (the residual risk profile). This was to give an indication of the amount of risk reduction that had been achieved and to help identify opportunities for improvement. This was performed by using a risk ranking matrix factoring in a combination of both severity and likelihood, with a resulting allocation of either high, medium-high, medium or low. It should be noted that non-emotive language was deliberately selected for providing feedback about hazard profiles, as this was considered an important step in breaking down barriers to the improvement process and avoiding blame. For example, words such as "catastrophic" or "extreme" were not used in risk ranking labels. Where elements were handled with expertise this was recognised and fed back to the organisation by giving it a risk ranking of zero, or "well done". Also, an assessment was made of the level of formality applied to the systems invoked and whether or not all the elements proposed by the safe place, safe person, safe system framework had in fact been addressed by the organisation. The level of formality was also assessed to recognize where informal systems were used to manage risks, but did not contain a high
Electrical
All electrical equipment should be handled appropriately by those who are suitably qualified and kept in good working order. Other electrical hazards include
electric shock; static electricity; stored electrical energy, the increased dangers of high voltage equipment and the potential for sparks in flammable/explosive
atmospheres. Where live testing is necessary, only appropriately trained and qualified personnel should do so in compliance with relevant legislation and codes.
The risk is that someone may be injured or fatally electrocuted or cause a fire/explosion by creating sparks in a flammable or explosive atmosphere.
Stress Awareness
Personal skills, personality, family arrangements, coverage of critical absences, resourcing levels and opportunities for employees to have some control over
work load are factored into ongoing work arrangements so as not to induce conditions that may be considered by that particular employee as stressful. Plans are
available for dealing with excessive emails and unwelcome contacts.
The risk is that the employee becomes overwhelmed by the particular work arrangements, and is unable to perform competently or safely due to the particular
circumstances.
Figure 1. Examples of supporting material and prompts for elements in the revised assessment tool.
level of documentation to record actions. This was Ultimately, the Nominal Group Method was
to explore whether there was a connection between selected over the Delphi Method for a number of
the level of risk reduction achieved and the use of reasons:
formal systems, as well as to highlight areas for further
growth. • the extensive nature of the literature review which
A pilot study was conducted with a prelimi- formed the primary source of input into the process;
nary assessment tool to trial the technique and case • the potential for the Delphi Method to become
study protocol. The methodology for this qualitative overly extended if difficulty is encountered reaching
approach was conducted according to Yin (1989). a consensus, or if the return of the reviewed material
A qualitative approach was selected because previous is delayed; and
research investigating means of assessing the effec- • the synergistic effect when working together in a
tiveness of OHS MS had shown that ‘‘one size did workshop setting whilst using the Nominal Group
not fit all’’ and there was a need for a more cus- Technique was thought not only to streamline the
tomised approach (Gallagher, 1997). Hence, there process, but also enrich the final outcome.
would be difficulty in evaluating the results of the
same tool being applied to different organisations The Nominal Group Technique is not without limi-
when each organisation has unique needs and an tations, namely the potential for domination of certain
unpredictable hazard profile. The qualitative method- members, and the possibility of groupthink (Petersen,
ology would allow the variables to be better under- 1975). In order to counteract this potential bias,
stood and addressed before undertaking a larger scale the guidelines offered by Delbeqc, Van de Ven and
quantitative study. Gustafson (1975a; b) for conflict resolution and the
constructive use of diverging opinions were observed.
After the Nominal Group Technique was selected
2 METHOD for internal validation by a panel of experts from
academia and industry, a letter of invitation was sent
The initial development of the assessment tool was based on an extensive review of the literature. Methods to provide internal construct validity such as the Delphi Method and the Nominal Group Method were considered as most appropriate for this particular research as there were no studies known to the authors where a statistically significant quantitative approach had been used successfully, and so there were no studies available for comparison of results. Hence the above mentioned methods were both indicated for the development of new knowledge where comparison with other studies was not available, and success in both cases hinged on a balanced and vigorous peer review process.

The Delphi Method involves the use of an expert panel, with each member receiving the document for review. The review is performed independently and returned. This is to avoid the potential for domination or influence from other members. Multiple rounds of the review then take place until convergence is reached. The issue of convergence forms the critical point where the application of the Delphi Method is challenged. Without skillful determination of the end point, there is the possibility of creating a very long, drawn out process (Landeta, 2005; Linstone and Turoff, 1975).

The Nominal Group Technique is similar to the Delphi Method, although instead of the information for review being sent out with a questionnaire, the panel members are collected together and changes or improvements are brainstormed in a workshop setting (Delbecq, 1975b).

out. The final panel members included representation by a manual handling expert; a psychologist; an occupational hygienist; a dangerous goods expert; a human factors analyst; three members with chemical engineering experience; an occupational toxicologist; and industry representatives with experience in manufacturing and design. Three academics were involved, including the chairman of the Standards committee for the development of AS/NZS 4804/4801: 2001 Occupational Health and Safety Management Systems (Standards Australia, 2001a, 2001b). All but two of the invited members were able to attend on the day, but all provided input to the process.

The actual Nominal Group Technique session was conducted by assembling the members of the panel together after the first stage of the pilot study was completed and the preliminary report on the pilot study produced to demonstrate the application of the assessment tool and the findings of the risk ranking exercises (see Table 1, and Figures 2–4).

The members of the panel were each given a copy of the assessment tool and the preliminary report one month prior to the review date so there was ample time to read through the information. The Nominal Group Technique was carried out in two stages—one for brainstorming of ideas for improvements and the second for voting on the top five ideas from the improvements suggested. The brainstorming stages were split into four sessions so that equal time was allocated for each of the three sections—safe place, safe person and safe systems; as well as time to consider improvements to the format of the final report.
Table 1. Framework model used for OHS MS for pilot study. [Table body not recovered in the extracted text.]

Figure 2. Examples of hazard distributions without interventions (left) and with interventions (right). [Pie charts; only the "Safe Person" segment labels survived extraction: 29% (left) and 33.3% (right).]
The top five ideas were voted upon using a weighting system: five for the most important idea down to one for the least important of the five ideas selected. The votes were made in confidence and collected for counting. The purpose of having all of the members together was to provide synergy and the opportunity for explanation by the authors of the assessment tool, as well as to share any lessons learnt from the pilot study.

The external validation of the methodology was provided by the triangulation of data during the assessment stage—seeking to find convergence of observations; questionnaire and interview responses; and objective documentary evidence. The purpose of this external validity was not for statistical inference or to establish causation, but to ensure the coherence of theoretical reasoning for the development of emergent themes and paradigm shifts. In this sense, the validation process for qualitative research does not try to achieve the same goals as quantitative research; the aim is instead to provide multiple perspectives, and in doing so overcome the potential for bias in each individual method. A collage is then formed to give depth and breadth to the understanding of complex issues (Yin, 1989).

Figure 3. An example of the risk reduction graph in the revised report (dark columns—without interventions; light columns—with interventions). [Bar chart; y-axis: Risk Ranking, 0–80; x-axis categories: Safe Place, Safe Person, Safe Systems.]

Inductions – Contractors/Visitors: All visitors and contractors to the workplace are made aware of any hazards that they are likely to encounter and understand how to take the necessary precautions to avoid any adverse effects. Information regarding the times of their presence at the workplace is recorded to allow accounting for all persons should an emergency situation arise. Entry on site is subject to acceptance of site safety rules where this is applicable. The risk is that people unfamiliar with the site may be injured because they were unaware of potential hazards.

Incident Management: A system is in place to capture information regarding incidents that have occurred to avoid similar incidents from recurring in the future. Attempts are made to address underlying causes, whilst also putting in place actions to enable a quick recovery from the situation. Root causes are pursued to the point where they are within the organisation's control or influence. Reporting of incidents is encouraged with a view to improve rather than to blame. Near misses/hits are also reported and decisions to investigate are based on the likelihood or potential for more serious consequences. Investigations are carried out by persons with the appropriate range of knowledge and skills. The risk is that information that could prevent incidents from recurring is lost and employees and others at the workplace continue to contract illnesses or be injured. This is used more as a database for reporting rather than as a problem solving tool. Selective application of root cause analysis, corrective action and evaluation may yield significant improvements in this area.

Figure 4. Excerpts from the preliminary report illustrating the style of reporting used (above).

3 RESULTS

After the peer review process a number of changes were made to the final framework, which represented the building blocks of systematic occupational health and safety management, and there was a minor modification to the format of the final report. A letter was sent out to each of the panel members explaining the changes made, together with a copy of the final assessment tool. Whilst all the votes were carefully considered, the final decision on the layout was made by the authors. The final framework comprised twenty elements for each aspect of the model, making a sixty element matrix, three more than the original model. A Risk Reduction graph was added to the final report to increase clarity and assist in the interpretation of the final results (see Figure 3).

Three new elements were added: Receipt/Despatch to cover OHS issues associated with transportation of materials to and from the workplace; Personal Protection Equipment to address issues related to the safe use of PPE; and Contractor Management to ensure that all the lines of responsibility are well understood and that all the information necessary has been exchanged.

Details of changes within elements in the framework model were:

• Training Needs Analysis was incorporated into Training.
• Work Organisation—Fatigue and Stress Awareness was modified to remove stress awareness, which became its own element.
• Noise included more information on vibration.
• Access/Egress included a reference to disabled access/egress.
• Risk Review was renamed Operational Risk Review.
• Plant Inspections/Monitoring was renamed Inspections/Monitoring and the explanatory information modified to reflect the intention that this was not the walk around inspections associated with housekeeping but more to do with understanding the process.
• Storage/Handling/Disposal had Storage/Handling removed so the element just refers to Disposal.
• Ergonomic Assessment was renamed Ergonomic Evaluation and had any references to Occupational Hygiene removed from the explanatory material.

Not many changes were necessary to the format of the final report, although it was found that the two pie charts in Figure 2 were difficult to interpret, so the bar graph in Figure 3 was added to illustrate the relative risk reduction that had taken place.

A number of other changes were incorporated into the format of the revised OHS assessment tool after the pilot study was conducted. The most significant of these was to merge the two assessments (one without interventions and the other with interventions in place) into the one section. This was to enhance ease of use and reduce the time taken to conduct the actual assessments. Also, the tool was colour coded to assist navigation of the information whilst on site.

Once the changes to the revised OHS assessment tool were finalised, advertisements were placed in an Australasian local OHS journal, an OHS email alert as well as on the home page of the UNSW School of Safety Science's website, to attract participants into the study. A brochure was also produced to give details of the study to those interested, in hard copy and electronic format. This ensured that all participants received the same information. A total of eight organisations were identified for the next phase of the project with the revised assessment tool and improved reporting format.

The size of the organisation to be used for the case studies was not specified in the advertisements as the authors were interested to find out what sized organisations would respond. The pilot study was conducted successfully on a medium sized manufacturer in the plastics industry. Of the eight organisations that responded and were eventually selected for the case studies, one was a small retail business; two were small to medium sized family businesses and the remainder were larger organisations. Where larger organisations were involved, it was considered that, as the OHS assessment tool was originally intended for use in small to medium sized enterprises, it could be suitable if the scope of the assessment was limited to a smaller, defined division of the organisation.

The pilot study was then taken to a second stage that was completed after the Nominal Group Technique review had been performed, to investigate whether the risk ranking exercise could be used to make targeted improvements in the workplace. This was conducted by asking the organisation to select three elements that it would like to improve, then choosing three questions about each element (making a total of nine) that would be asked each month for a period of four months. The questions were to be phrased so that they would generate a simple yes or no answer, and one person was asked to be responsible for the actions nominated. The purpose was to target visible outcomes that would improve the final risk rating for the particular elements selected. To improve the objectivity of the controlled self assessment exercise, these answers were to be independently spot checked each month. Only three elements were targeted in recognition of the time it takes to implement changes to a safety program and the desire to keep the task manageable and hopefully to obtain some early wins that might encourage management to continue with the improvement program.

The organisation in which the pilot assessment was conducted was also asked to identify some means of measuring whether or not OHS performance was improving during the implementation of the study. Guidance material was provided on the strengths and limitations of various commonly encountered measurement indicators in the project field kit supplied at the onset of the pilot study (Makin and Winder, 2007). The pilot organisation opted to continue measuring injuries and incidents, and the three elements targeted were: work organisation; access/egress; and incident management. At the end of the four months the organisation was asked to complete a short evaluation survey. The outcomes of this monitoring process are shown in Figure 5.

Figure 5. Injury and incident results after completion of phase 2 of the pilot study. [Bar chart; series: LTI's, Medical treatments, First Aid treatments, Reports; y-axis: Numbers of Reports, 0–10; x-axis: Month, Jun to Jan.]

4 DISCUSSION

The use of the Nominal Group Technique was found to be of great benefit to the development of the OHS assessment tool by offering an opportunity for vigorous peer review by a group of experts of varying backgrounds. Not only was this necessary to support the internal validity of the assessment tool developed, but it was also found to greatly enrich the final version of the tool for later use in the multiple case study exercise. Further, each expert was able to bring in detailed knowledge of their interpretation of the OHS elements, and the final product could not be said to be a reflection of any one viewpoint.

The difficulties encountered with the application of the Nominal Group Technique were mainly related to the logistical problems of availability of panel members. As a result two of the members were unable to attend the workshop on the day, but were able to offer their comments for review at a later date. Also, this task was performed as an honorary role, so it was necessary to ensure that the half day was well organised. To assist this process, agendas were sent out in advance and the program was steered and facilitated by an academic who was not involved in the actual development of the tool itself, to maintain objectivity. The workshop was able to adhere to the timelines suggested and the process was considered to run very smoothly. Although there were clearly differing views from some of the panel members, this was not unexpected as each brought their own perspective and experience, and sharing this was in itself a worthwhile exercise. Where differing opinions remained unresolved, the members were directed to express their views at the confidential voting stage, and to cast their votes on the balance of information available. Once the votes were tallied and the feedback worked into the final version of the assessment tool, the panel members were given another opportunity to express any concern with the final outcome by feeding information back to the authors within a reasonable time period. No changes were requested and most panel members expressed satisfaction with the final outcome.

Clearly the success of the Nominal Group Technique would be heavily influenced by the range, breadth and depth of the experience of the panel members selected, and this selection process was considered to be the most important stage. In this particular scenario, the process could have been enhanced by the inclusion of an electrical engineer and a mechanical/structural engineer, although a number of very experienced chemical engineers were present.

Furthermore, the success of the workshop would not have been possible without the ability to feed back the experience of the pilot study. This was found to be crucial in terms of assessing the proposed framework's initial viability, and many lessons were learnt along the way, so the development of the preliminary assessment tool was a very dynamic process. During the pilot study, methods that did not appear to be workable or were too cumbersome were quickly modified from the feedback received at the time. For example, the two stage assessments were taking too much time when performed in isolation, so they were combined in the final assessment tool. Furthermore, the triangulation of data involving observation, interviews and a review of documentation was found to produce the most fruitful and reliable data when information was sought from layers of the organisation. It was found that it was very important to collect the differing perceptions from management, operations personnel and the individual workers, and that these were all slightly different. Management's opinions were found to be more optimistic, whilst sometimes the individual workers were more skeptical (and perhaps more realistic) and operations tended to be somewhere in-between. Where there was gross misalignment of opinions, these areas were studied in more depth until a clearer picture of the situation emerged. Sometimes this would involve some external research to verify the facts, for example where this involved the use of hazardous substances, to ensure that the correct requirements were in fact being used.

The proposed framework itself was found to be very useful for the OHS management assessment and these findings are discussed in more detail in a previous
article (Makin and Winder, 2008). During the pilot study the broader context offered by the safe place, safe person and safe systems model was able to highlight areas of vulnerability that had perhaps been disguised by a focus on production and on hazards to do with the physical plant environment such as noise and manual handling. Prior to the study there were significant issues related to work organisation and the use of inappropriately long shifts that were unresolved. The pilot study was able to highlight how this was potentially exposing workers to unnecessarily high levels of risk, and the longer shift hours were accentuating the problems with noise, fatigue and manual handling as well as solvent exposure.

The second stage of the pilot study, involving a monthly questionnaire, was found to be more difficult to implement and depended on having someone within the organisation who was highly motivated to see the process through. Fortunately, the preliminary results of the OHS assessment on the pilot study were considered to be very worthwhile by the organisation and this generated enough enthusiasm to proceed to the second stage. However, the organisation was undergoing a period of flux and management turnover, so this second stage was delayed until the situation settled. Although the OHS assessment was conducted with the preliminary tool in March and April 2007, the second stage wasn't fully underway until the following October, even though the agreed follow up actions were decided in May. Despite these delays, a clear improvement in OHS performance was observed (see Figure 4), and it appeared that some time lag was involved until the effects of the program came to fruition—such as discussing the outcomes of two incident investigations per month at regular, but informal, operational meetings. Whilst no statistical correlation was attempted due to the qualitative nature of the study, a further explanation of the improved trend was the increased focus and attention on safety and health promoted by the study and the use of a targeted approach that was realistic. The follow up actions had been set by the organisation themselves and it was important that they were in full control of the process. The preliminary assessment was also able to feed back positive information in areas where they had excelled, for example in inductions for visitors and contractors, and this was well received and helpful for encouraging their co-operation with the study.

Finally, the reporting style utilised was very well received and the report was able to be widely distributed. The pictorial representation of key information and colour coding was found to be useful in the quick dissemination of main points and was considered to facilitate the interpretation of material to a wider audience, from individual workers in a safety committee setting, to operations personnel and management.

5 CONCLUSION

The use of a pilot study and the Nominal Group Technique to trial the application of the safe place, safe person, safe system model through the development of an assessment tool was found to be very rewarding and worthwhile, and essential to the integrity of the research being undertaken. The results have enabled this research to be taken to the next level—multiple case studies which are currently in progress and near completion. This qualitative approach is highly recommended for this particular field of research, and preliminary results from the case studies suggest that there is much scope for future development and further work, in particular for customising the current OHS assessment tool for specific industry fields. Furthermore, the application of this tool was not limited to small to medium enterprises as originally thought, and may provide a useful benchmarking exercise across larger organisations where they are comprised of smaller subsidiary groups.

ACKNOWLEDGEMENTS

The authors gratefully acknowledge Dr. Carlo Caponecchia, who was facilitator of the nominal group session, and all contributors to the session.

REFERENCES

Delbecq, A.L., Van de Ven, A., Gustafson, D.H. (1975a) Profile of Small Group Decision Making. In: Group Techniques for Program Planning. Glenview, Illinois: Scott, Foresman and Company. pp. 15–39.
Delbecq, A., Van de Ven, A., Gustafson, D.H. (1975b) Group Decision Making in Modern Organisations. In: Group Techniques for Program Planning. Glenview, Illinois: Scott, Foresman and Company. pp. 1–13.
Gallagher, C. (1997) Health and Safety Management Systems: An Analysis of System Effectiveness. A Report to the National Occupational Health and Safety Commission. National Key Centre in Industrial Relations.
Landeta, J. (2005) Current validity of the Delphi method in social sciences. Technological Forecasting and Social Change. In press, corrected proof.
Linstone, H.A., Turoff, M. (1975) Introduction. In: The Delphi Method: Techniques and Applications. Reading, Massachusetts: Addison-Wesley Publishing Company. pp. 1–10.
Makin, A.-M., Winder, C. (2006) A new conceptual framework to improve the application of occupational health and safety management systems. In: Proceedings of the European Safety and Reliability Conference 2006 (ESREL 2006), Estoril, Portugal. Taylor and Francis Group, London.
Makin, A.-M., Winder, C. (2007) Measuring and evaluating safety performance. In: Proceedings of the European Safety and Reliability Conference 2007 (ESREL 2007), Stavanger, Norway. Taylor and Francis Group, London.
Makin, A.-M., Winder, C. (2008) A new conceptual framework to improve the application of occupational health and safety management systems. Safety Science. In press, corrected proof. doi:10.1016/j.ssci.2007.11.011
Petersen, D. (1975) Coping with the Group. In: Safety Management: a Human Approach. Deer Park, New York: Aloray. pp. 205–215.
Standards Australia. (2001a). AS/NZS 4801:2001 Occupational Health and Safety Management Systems—Specification with Guidance for Use. Sydney: Standards Australia International Ltd.
Standards Australia. (2001b). AS/NZS 4804:2001 Occupational Health and Safety Management Systems—General Guidelines on Principles, Systems and Supporting Techniques. Sydney: Standards Australia International Ltd.
Yin, R. (1989) Case Study Research: Design and Methods. Newbury Park, US: Sage Publications.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: The field of knowledge translation and exchange is growing, particularly in the area of health ser-
vices. Programs that advance “bench-to-bedside” approaches have found success in leveraging new research into
a number of medical fields through knowledge translation strategies. However, knowledge translation remains
an understudied area in the realm of occupational health, a factor that is interesting because workplace health
research is often directly applicable to risk reduction activities. This research project investigated knowledge
translation in one occupational setting, small machine shops, where workers are exposed to Metal Working
Fluids (MWF) which are well established dermal and respiratory irritants. Using the mental models approach,
influence diagrams were developed for both scientists and were compared with qualitative interview data from
workers. Initial results indicated that the sphere of influence diagrams would benefit from the inclusion of other
stakeholders, namely policy makers and product representatives. Overall, findings from this research suggest
that there is only minimal transfer of scientific knowledge regarding the health effects of metal working to
those at the machine shop level. A majority of workers did not perceive metal working fluids to be hazardous
to their health. Of note was the finding that MWF product representatives were rated highly as key sources
of risk information. The translation of scientific knowledge to this occupational setting was poor, which may
be due to varying perceptions and prioritizations of risk between stakeholders, lack of avenues through which
communication could occur, an absence of accessible risk information and the small size of the workplaces. The
mental models approach proved successful for eliciting information in this occupational context.
found machinists to be at higher levels of risk for lung problems than three other trade groups (Kennedy, Chan-Yeung, Teschke, & Karlen, 1999). Using interview data from experts, workers and managers, this project aimed to identify knowledge gaps and misperceptions about metal working fluid exposure, to determine the socio-cultural and organizational factors that influence how knowledge is transferred in an occupational context, and to determine preferred channels or pathways for health risk communication.

2 METHODS

2.1 Data collection

Data was collected for this project using the Mental Models methodology developed by Morgan et al. at Carnegie Mellon University (Morgan, 2002). This method has been previously applied in an occupational context (Cox et al., 2003; Niewohner, Cox, Gerrard, & Pidgeon, 2004b). The data was collected in two phases, beginning with interviews with scientific experts in the field of MWF exposure and effects, followed by interviews with workers employed in machine shops.

2.1.1 Expert interviews

A member of the study team who is an academic expert on the health effects of MWF compiled a list of experts on MWF and health effects. The list was comprised primarily of academic researchers from the US and Europe, but also included US government researchers and occupational health professionals. Of this list of experts, the study team was able to contact 16, and 10 of these consented to participate.

The interviews, which were carried out by a single trained research assistant, were conducted over the phone and lasted for an average of 30 minutes. The first two interviews were used to pilot test the survey instrument and were therefore not included in the final analysis. The respondents were asked open-ended questions about exposures, health effects, and mitigation strategies relating to MWF in the workplace. They were also asked about their attitudes and practices relating to the communication of their research results to decision-makers in industry and regulatory agencies.

2.1.2 Worker interviews

To recruit machinists, introductory letters were sent to 130 machine shops in the province of British Columbia, Canada, and were followed up with at least one phone call. Twenty-nine workers from 15 different machine shops agreed to participate in an interview. The interviews were conducted by four different trained interviewers. Twenty of the interviews were done at a private location at the worksite, and nine were done over the phone. Each interview took approximately 20–35 minutes. The respondents were asked open-ended questions that were created using guidance from the expert Mental Model (see Section 2.2). Workers were queried about their work history and habits, as well as their knowledge of MWF exposure and the personal protection strategies they undertook in the workplace. They were also asked questions about health effects associated with MWFs, including where they would look for information on health effects, and what steps they would take to mitigate these effects. These open-ended questions were often followed up by probes designed to elicit more information on a particular subject matter.

2.2 Mental model development

All interviews were audio-taped, transcribed and entered into NVivo. To construct the expert model, transcripts from the expert interviews were coded with a coding schema developed through an iterative process of fitting the codes to the data, based on grounded theory (Strauss & Corbin, 1998) and informed by previous mental models work (Cox et al., 2003; Niewohner, Cox, Gerrard, & Pidgeon, 2004a). The coding schema was also informed by a literature review of existing chemical information regarding MWFs, which aided in the development of the model categories included in the expert mental model (i.e. exposure processes, machine types, etc.). The initial coding schema was reviewed and validated by an expert who was part of the research team.

The expert mental model covered five main domains: shop health and safety factors, MWF exposure factors, regulatory and economic factors, health effects, and exposure modes. Within these five broad categories, related topics, such as information sources, reactive behaviors, and physical safety barriers, emerged as sub-categories.

The transcripts from the worker interviews are currently being analyzed using a similar grounded theory-informed method. A worker mental model is currently under construction.

2.3 Data analysis

For the health effects and information sources analysis, data for each of these constructs was abstracted from NVivo and reviewed by two members of the research team who had expertise in the areas of health effects and risk communication. Data from the workers were compared and contrasted with the expert model, and areas of both congruence and disconnect were identified. Results were entered into tables to present comparisons.
3 RESULTS

3.1 Demographics

Respondents from the 15 participating machine shops were all male, and represented a range of ages and levels of experience in the trade. The demographic details of the machinist respondents can be found in Table 1.

3.2 Knowledge and description of health effects

Differences were found between the experts' and workers' descriptions of the health effects that can be caused by MWF exposure in the workplace (see Table 2). In particular, only 28% of the workers were able to describe symptoms that could occur in the lungs as a result of MWF exposure (such as cough, asthma, bronchitis, difficulty breathing). The majority of the experts described respiratory issues in detail, providing a description of symptoms and specific medical terminology of diseases associated with MWF exposure such as hypersensitivity pneumonitis (HP), occupational asthma and decreased lung function. Only two of the workers were able to describe asthma as a potential condition from MWF exposure, one mentioned decreased lung function, and none mentioned HP.

While unable to provide any specific terms or symptoms, a further 45% of workers were able to identify “the lungs” as a potential site of health problems. Of note, nine of the workers (31%) described having personal experience with either a lung effect from MWF exposure or “feeling” MWF mists in their lungs.

There was greater concurrence between experts' and workers' awareness of specific dermal conditions that can occur as a result of MWF exposure, including rash, dry hands, itchy hands, dermatitis and eczema. Sixty-two percent of workers could identify a specific dermal health effect such as eczema, although a further 31% were only able to identify “the skin” in general as a potential site for health effects. Forty percent of the workers said that they had experienced adverse effects on their hands from MWF exposure.

Four of the experts (44%) discussed the association between cancer and MWF exposure, although proportionally fewer (17%) of the workers described MWFs as cancer-causing agents. Of the workers who described cancer, there was a general tendency to mention smoking and its carcinogenic potential in the same discussion.

There were health effects that workers described that experts did not, particularly irritation that could occur in the eyes. Two workers also suggested that MWF could affect blood.

Within the cohort of workers, 21% stated that MWFs were not harmful to health, even though in some cases these workers did note that MWF exposure could cause skin problems. Finally, there were two people in the worker group who stated that they were unaware of any potential health effects of MWF exposure.

Table 1. Machinist demographics.

Characteristic          #     %
Age
  20–29                 3    10%
  30–39                10    34%
  40–49                12    41%
  50+                   2     7%
  Unknown               2     7%
# of years in trade
  5 to 10               7    24%
  11 to 15              7    24%
  16 to 20              6    21%
  21 plus               7    25%
  Unknown               2     7%
Shop size
  <10 people            5    17%
  11–50 people         13    45%
  50 plus              10    35%
  Unknown               1     3%
Types of machines
  Manual                4    14%
  CNC                   5    17%
  Both                 15    52%
  Unknown               4    14%
  Other                 1     3%

Table 2. Description of health effects, experts and workers.

Health effects                                                   Workers (n = 29)   Experts (n = 10)
Described specific health effects that can occur in the lungs          28%               70%
Described specific health effects that can occur on the skin           62%               70%
Described a relationship between MWF exposure and cancer               17%               40%
Central nervous system depression                                       3%               10%
Eye irritation                                                         17%                0%
Problems with blood                                                     7%                0%
Poisonous                                                               3%                0%
Stated that MWFs do not cause health effects                           21%                0%

3.3 Sources of information

Experts and workers were asked slightly different questions regarding sources of health and safety
751
information in the workplace. Table 3 presents responses to the open-ended questions ‘‘How do you think that workers learn about new scientific advances in MWFs?’’ and ‘‘How about safety issues around MWFs?’’. While 40% of workers noted that occupational health and safety training was a source of information, the same proportion of experts did not think that workers received such information at all. Material Safety Data Sheets (MSDS) were ranked fairly low as information sources for workers amongst the scientific experts.

Table 4 shows the responses to the following open-ended question that was posed to workers: ‘‘If you were going to learn about the health effects of metal working fluid exposure, or maybe some of the hazards that you are exposed to in your shop, where would you go for this sort of information?’’ Suppliers and manufacturers were the most frequently mentioned sources, followed by MSDSs, which is in sharp contrast to the responses of the experts. Other workers and the internet were also major sources for workers that were not described by the experts.

Workers were also asked ‘‘what person, agency or group would you trust the most for information on MWFs, either about the product or possible associated health effects?’’ The responses to this question, shown in Table 5, indicate that most workers trust WorkSafeBC, British Columbia’s workers compensation board. Various levels and departments within government were the next most trusted, followed by MSDSs and manufacturers/suppliers.

Table 3. Expert answers to: How do workers learn about new health and safety issues and advances? (n = 10).

Expert answer                               %
‘‘They don’t’’                             40
Occupational health and safety training    40
Trade media (magazines, pamphlets)         30
Union                                      30
General news media                         10
MSDS                                       10
Gov’t agencies                             10

Table 4. Worker answers to question regarding main sources of information used.

Worker answer (n = 29)                      %
Suppliers and manufacturers                86
MSDSs                                      69
Managers or other workers                  66
The internet                               48
Health and safety committee                41
Government organizations                   34
Container labels                           28

Table 5. Workers’ trusted sources.

Worker answer (n = 29)                      %
WorkSafeBC                                 31
Government                                 17
MSDS                                       14
Manufacturer/supplier                      14
Other workers                               3
Union                                       3
Researchers                                 3
Don’t know                                  3

Table 6. Expert communication pathways.

Expert answer (n = 10)                      %
Workplace management                       70
Government health and safety agencies      60
Workers                                    50
Industry/Suppliers                         40
Unions                                     40
Government (other than safety agency)      10
Physician                                  10

Table 6 presents the results of the questions asked to experts on how they had attempted to communicate the results of their MWF research. Most had provided information to either workplace management or to a government health and safety agency. Half reported that they had talked to workers directly about MWF health effects, and only one reported talking to physicians.

4 DISCUSSION

4.1 Health effects

Good workplace risk communication requires that workers receive information about the chemicals that they use and that workers understand the potential health effects that these chemicals can cause. As Schulte et al. (Schulte et al., 2003) state, ‘‘effective transfer, receipt and utilization of occupational health and safety information will only be realized to the extent to which recipients actually can understand the information transmitted’’ (p. 522). The results of this research suggest that while workers are aware that they are being exposed to MWFs during the course of their jobs, most have only a generalized understanding of how these compounds may affect the body. Such results are not unique to this research and have been
found in other occupational health research such as that conducted by Sadhra (Sadhra, Petts, McAlpine, Pattison & MacRae, 2002).

Of concern were the findings that three quarters of the workers queried were unable to provide any detail about the effects that MWF might have on their respiratory tract. In addition, they did not link symptoms such as cough, difficulty breathing, phlegm, asthma, and bronchitis to MWF exposure. Researchers such as Nowak et al. (Nowak & Angerer, 2007) indicate that one of the problems in identifying occupational disease is the fact that the symptoms are not necessarily correlated directly in time with an exposure and, as such, may appear after a worker has left the workplace. This mechanism, coupled with a lack of awareness on the part of the workers about the types of symptoms that MWFs can cause, makes the correct diagnosis of occupational respiratory disease very challenging. Gupta et al. (Gupta & Rosenman, 2006) have suggested that hypersensitivity pneumonitis (HP) rates in the US are most likely under-reported due to factors such as inadequate disease recognition. Without information about workers’ occupational and environmental exposures, doctors may misdiagnose conditions like HP as atypical pneumonia. The review by Santos et al. (Santos et al., 2007) of diagnostic factors for occupational asthma found that lack of awareness of the association between symptoms and workplace exposures was one of the most significant factors contributing to diagnostic delays.

The workers’ descriptions of dermal effects were markedly different from those of respiratory problems, with a majority of workers being able to describe distinct symptoms of MWF exposure such as rash, itchiness and dry hands. These results may be due to the fact that many of the workers had actually experienced these problems personally, or had known others who had these types of skin problems. Indeed, occupational skin diseases are the most commonly reported workplace-related conditions (Lushniak, 2003). Research by Sadhra et al. (Sadhra et al., 2002) found that workers tended to talk more easily and automatically about more common health problems rather than those that were considered more serious. Indeed, many workers in this study noted that they had skin effects, yet these were not necessarily considered serious, or even real ‘‘health’’ effects, even though they were eligible for compensation. For example, when asked about the effects of short-term exposure, one worker replied:

‘‘As far as sick . . . I wouldn’t call what I had being sick. It’s just, you know, you have a rash on your hand and I did have time off because of that.’’

There were relatively few workers who described health effects that were erroneous, indicating that most were at least aware of the correct areas of the body that MWFs could affect. Of particular interest from the worker data was the issue of eye irritation. This effect was not noted by any of the experts, even though MSDSs for MWF list eye irritation as a potential health effect. In fact, a review of MSDS for metal working fluids found that there was more information about eye irritation on some sheets than about potential respiratory effects. A review of the published literature revealed no research focused specifically on eye irritation and MWF exposure.

4.2 Information sources

The flow or transfer of information between the ‘‘expert’’ realm and the ‘‘workplace’’ realm appeared to be hampered by a number of barriers in this study. In particular, the responses from experts and workers on the topic of where to find information on MWFs showed a significant disconnect between the groups. None of the workers were ignorant of potential sources of information on the health effects of MWFs, although 40% of experts believed that workers did not learn about health and safety information. Workers also identified MSDSs as important information sources, while only 10% of experts believed that workers learned from MSDSs (this finding is in keeping with the earlier discussion of effects of MWF on eyes). Suppliers and manufacturers were the most commonly mentioned information source by workers, with 86% of workers stating that they would go to suppliers and manufacturers for information. In contrast, none of the experts mentioned suppliers and manufacturers. These results are consistent with a study by Sadhra et al. (2002), which found considerable differences between the information sources mentioned by experts and by workers in the electroplating industry.

These results suggest that many MWF experts perceive knowledge translation processes as ‘‘broken’’ or non-existent, even though experts did report efforts to communicate their research results to audiences beyond the academic/scientific community. The majority of experts reported that they communicated research results to workplace management; however, most experts were disillusioned about their communication efforts and the potential of these processes to be translated to those at risk. Experts expressed a variety of opinions as to why they felt that their efforts to send risk messages to workers were ineffective. A number of experts directed frustration at workplace managers and regulatory bodies for seemingly not heeding scientific advice:

‘‘ . . . the communication [with workplace management] was unsuccessful in that I didn’t get any feedback [ . . . ] on what happened next.’’
‘‘I think we presented [the regulatory body] with what we thought were positive findings but, I think, since then we’ve been a little disappointed that they haven’t really capitalized on the research as much as they might have done.’’

‘‘I have to say that we have been very disappointed with the way that the [regulatory agency] have failed to publish the reports that we did in a lot of this work.’’

This perceived lack of responsiveness from decision-makers who are actually in a position to effect changes in the workplace was problematic for experts. This frustrating situation may cause them to abandon their efforts to communicate with decision-makers. There is evidence that research dissemination and uptake is hampered both by researchers’ imperfect understanding of decision-making contexts and by the organizational and/or political pressures facing decision-makers such as regulatory bodies. Lomas (Lomas, 1996) suggests that structures to support and improve ongoing knowledge translation and exchange between researchers and decision-makers are needed to speed the process of research dissemination and uptake. He suggests a cultural shift involving new organizational models for both decision-makers and researchers, as well as enhanced funding to support ongoing knowledge translation between both groups.

Other experts, when discussing their communication activities, expressed a level of discomfort with, or lack of knowledge of, appropriate lay communication techniques.

‘‘I think [communication to workers] is something that scientists overall have to do a lot more of. They have to interest a lay audience in what they do, and it’s an area, I think, we all need to do a lot more in.’’

‘‘I’d like to know a way of getting [health and safety] information over to people so they actually took heed of advice before they actually got problems.’’

‘‘Expert: I figure the way that I am doing it, I would admit, is not the best. I think a program to directly give your results to the labourers would be an ideal pathway to go. It is not something that our department routinely does–if ever–except for communities. Talking to the workers–that’s not something I have ever done and I’m not familiar with that many people who have.

Interviewer: I see. Do you have an idea of how you would go about developing such a program?

Expert: No. Being an academic, unless there was funding, I wouldn’t know.’’

These comments demonstrate experts’ recognition of their own role in the risk communication process and their awareness that different communication techniques are necessary to reach worker audiences. This suggests a need for appropriate training, resources, and incentives to participate in non-traditional knowledge translation efforts. Some funding agencies, such as Canada’s Canadian Institutes for Health Research, are now actively promoting such efforts by requiring academic proposals to have knowledge translation plans, and by providing funding for research into effective knowledge translation practices (Canadian Institutes of Health Research, 2003).

4.2.1 Trust in Information Sources

The role of trust in mediating how risk messages are perceived, attended to, and acted upon has been widely acknowledged in risk perception and communication research. Studies have found that distrust heightens lay concerns and responses to risk messages, and leads to questioning of the actions of risk regulators and authorities (Cvetkovich & Löfstedt, 1999). Lay perceptions of trust and credibility in risk messengers are dependent on three factors: perceptions of knowledge and expertise; perceptions of openness and honesty; and perceptions of concern and care (Kasperson, Golding, & Tuler, 1992). These factors were evident in workers’ discussion of trusted information sources.

Worker responses to the question about what person, agency or group they would trust the most for information on MWF reveal a further disconnect between the most used sources of information and the most trusted sources of information. Manufacturers and suppliers were mentioned most often as a source of information, yet the provincial workers’ compensation board was reported to be the most trusted source. Indeed, many workers specifically noted that they did not trust manufacturers and suppliers as an information source even though they used it. The reason for this distrust is apparent in the comment of one worker that ‘‘they’re just trying to sell you something.’’ Since trust is seen as a prerequisite to effective risk communication (Kasperson et al., 1992), this demonstration of distrust in manufacturers is problematic. Although workers may receive information on MWFs and their potential impacts on health from these sources, they may disregard recommendations or ignore precautionary steps due to a perception of dishonesty in the risk messengers.

Workers identified the provincial workers compensation board as their most trusted source of information. Workers described the board as ‘‘unbiased,’’ ‘‘independent,’’ and ‘‘non-profit.’’ Many workers
pointed out that it was in the board’s best (financial) interest to prevent workers from becoming sick, and thus it was also in their best interest to provide accurate and balanced information. A number of workers also mentioned that the board had resources to conduct research and to make evidence-informed decisions. Thus, the board fits the factors of expertise, honesty, and concern put forward by Peters et al. (Peters, Covello, & McCallum, 1997). These results suggest that risk messages delivered by the workers compensation board may be more likely to be trusted, and thus acted upon. However, not one worker mentioned the Board as a source of information that they would use to learn about hazards associated with MWF. Thus, efforts would need to be made in order to actively disseminate information from this source to workers.

5 STRENGTHS AND LIMITATIONS

A strength of this mental models approach rests on the ability to develop detailed representations of occupational hazards from different perspectives. However, these representations rest on interview data that cannot be assumed to be a direct reflection of participants’ conceptual understandings. Participants may not mention implicit knowledge of hazards or workplace behaviour, or may edit their comments based on what they consider appropriate for a conversation with a researcher.

This study benefited from interviews with a comprehensive range of experts who have studied MWFs from various disciplinary angles, including occupational hygiene, respiratory medicine, environmental toxicology, etc. The research community in this area is small, resulting in a small sample size drawn from around the world.

In contrast, the sample of workers was relatively large, but was drawn only from the province of British Columbia, Canada. Thus, the workers’ conceptual representations of MWF regulation and use may differ from experts’ due to geographic specificities in regulation, economics, and use. In addition, some of the workers were also participants in an ongoing study of the respiratory health of tradespeople. Thus, these respondents might have been more aware of the respiratory health effects of MWF (although this hypothesis is not supported by the results of this study).

6 CONCLUSION

The results of this research have implications not only for workers but also for the broader fields of occupational health and safety, occupational medicine and disease surveillance, and occupational knowledge translation. Through this Mental Models process we have determined that there is some overlap between how workers and experts understand the effects of MWFs, particularly in the area of dermal exposure, but that much more attention needs to be paid to providing workers with a more comprehensive understanding of the effects of MWF on the respiratory tract.

This study has also illuminated a number of important disconnects between how workers do receive information as opposed to how they would like to receive information, an important distinction that may be impeding the awareness and management of workplace risks. Additionally, this study uncovered a degree of frustration on the part of experts in their attempts to communicate their findings and a relatively bleak view of the current workplace communication milieu for the worker. Neither of these conditions, as they stand, will enhance the communication and exchange of MWF exposure data in the occupational context.

At the outset of this study, manufacturers and suppliers were not expected to play such a key role in the dissemination of health and safety information on MWFs. These unexpected findings have led to a third phase of interviews with a selection of manufacturers and suppliers. The results of these interviews are expected to shed additional light on the role that this group plays in the communication of health and safety issues relating to MWF.

ACKNOWLEDGEMENTS

The authors would like to thank Dr. Susan Kennedy, Emily Carpenter, Reid Chambers and Natasha McCartney for their assistance with this paper. This project was funded in part by the Canadian Institute for Health Research.

REFERENCES

Canadian Institutes of Health Research. (2003). Knowledge translation overview. Retrieved June 29, 2006, from http://www.cihr-irsc.gc.ca/e/7518.html
Cox, P., Niewohmer, J., Pidgeon, N., Gerrard, S., Fischhoff, B. & Riley, D. (2003). The use of mental models in chemical risk protection: Developing a generic workplace methodology. Risk Analysis: An Official Publication of the Society for Risk Analysis, 23(2), 311–324.
Cvetkovich, G.T. & Löfstedt, R. (1999). In Cvetkovich G. T., Löfstedt R. (Eds.), Social trust and the management of risk. London: Earthscan.
Gupta, A. & Rosenman, K. D. (2006). Hypersensitivity pneumonitis due to metal working fluids: Sporadic or under reported? American Journal of Industrial Medicine, 49(6), 423–433.
Kasperson, R.E., Golding, D. & Tuler, S. (1992). Social distrust as a factor in siting hazardous facilities and communicating risk. Journal of Social Issues, 48(4), 161–187.
Kennedy, S.M., Chan-Yeung, M., Teschke, K. & Karlen, B. (1999). Change in airway responsiveness among apprentices exposed to metalworking fluids. American Journal of Respiratory and Critical Care Medicine, 159(1), 87–93.
Lomas, J. (1996). Improving research dissemination and uptake in the health sector: Beyond the sound of one hand clapping. Centre for Health Economics and Policy Analysis, Department of Clinical Epidemiology and Biostatistics, McMaster University.
Lushniak, B.D. (2003). The importance of occupational skin diseases in the United States. International Archives of Occupational and Environmental Health, 76(5), 325–330.
Morgan, M.G. (2002). Risk communication: A mental models approach. Cambridge University Press.
Niewohner, J., Cox, P., Gerrard, S. & Pidgeon, N. (2004a). Evaluating the efficacy of a mental models approach for improving occupational chemical risk protection. Risk Analysis: An Official Publication of the Society for Risk Analysis, 24(2), 349–361.
Niewohner, J., Cox, P., Gerrard, S. & Pidgeon, N. (2004b). Evaluating the efficacy of a mental models approach for improving occupational chemical risk protection. Risk Analysis: An Official Publication of the Society for Risk Analysis, 24(2), 349–361.
Nowak, D. & Angerer, P. (2007). Work-related chronic respiratory diseases–current diagnosis. [Arbeitsbedingte chronische Atemwegserkrankungen. ‘‘Bekommen Sie am Wochenende besser Luft’’?] MMW Fortschritte Der Medizin, 149(49–50), 37–40.
Peters, R.G., Covello, V.T., & McCallum, D.B. (1997). The determinants of trust and credibility in environmental risk communication: An empirical study. Risk Analysis, 17(1), 43–54.
Sadhra, S., Petts, J., McAlpine, S., Pattison, H. & MacRae, S. (2002). Workers’ understanding of chemical risks: Electroplating case study. Occupational and Environmental Medicine, 59(10), 689–695.
Santos, M.S., Jung, H., Peyrovi, J., Lou, W., Liss, G.M. & Tarlo, S.M. (2007). Occupational asthma and work-exacerbated asthma: Factors associated with time to diagnostic steps. Chest, 131(6), 1768–1775.
Schulte, P.A., Okun, A., Stephenson, C.M., Colligan, M., Ahlers, H., Gjessing, C., et al. (2003). Information dissemination and use: Critical components in occupational safety and health. American Journal of Industrial Medicine, 44(5), 515–531.
Strauss, A.L. & Corbin, J.M. (1998). Basics of qualitative research: Techniques and procedures for developing grounded theory. Sage Publications.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: Work-related traffic accidents represent an important economic and public health problem. In this context, it is important to improve our knowledge of the main factors that influence these accidents, in order to design better preventive activities. A database from an insurance company is analyzed, which contains information on the personal characteristics of the individual as well as on the characteristics of the labor situation. A Cox model is used to construct a predictive model of the risk of work-related traffic accident. From the obtained model we study whether personal or labor characteristics act as predictive factors of work-related traffic accidents.
Table 1. Categorical variables.

Table 2. Cox model.

Figure 1. Nomogram.
with respect to the situation of the work centre belonging to the company. On the other hand, workers with Pertemp = 3 have a risk 3.713 times the risk of workers with Pertemp = 1. That is to say, the risk increases considerably if the work centre does not belong to the company and the employment relationship is through a temporary work company. With respect to preventive organization, the model yields the following conclusion: the risk if the preventive organization is personally assumed by the employer is 1.579 times the risk if the preventive organization is not personally assumed by the employer.

Of course, these and other conclusions that may be extracted from the model are provisional, and further analysis is necessary, by improving the model, by handling the information with other models, and also by looking for other databases.

4 NOMOGRAM

The model may be represented by means of nomograms. A nomogram is an easily interpretable graphic tool, so it is a convenient way to take advantage of the model. Figure 1 depicts a nomogram for predicting the probability of no occurrence of a work-related traffic accident at one year and two years after the individual joins the company. Typographical reasons force us to rotate the figure, but the natural way of looking at it is obvious.

To read the nomogram, draw a vertical line from each tick mark indicating predictor status to the top axis (Points). Calculate the total points and find the corresponding number on the Total Points axis. Draw a vertical line down to the lower axes to find the worker’s probabilities of remaining traffic accident free for one and two years.

For example, a worker with Topap = 1 contributes approximately 14 points. This is determined by comparing the location of the value 1 on the Topap axis to the points scale above and drawing a vertical line between the two axes. In a similar manner, the point values for the rest of the predictor variables are determined and are summed to arrive at a total points value. For example, Pertemp = 1 would give 35 points, Sex = 2 gives 14 points, and Age = 35 gives about 71 points, which produces 134 points for a worker with these predictors. This value is marked on the Total Points axis, and drawing a vertical line down we obtain a probability of about 0.77 of being free of traffic accident in the first year, and about 0.66 in the second year.

We assess the accuracy of the nomogram (and of the model) using the concordance index (Harrell 2001), which is similar to the area under the receiver operating characteristic curve and is applicable to time-until-event data. On a 0.5 to 1.0 scale, c provides the probability that, in a randomly selected pair of individuals in which one of them suffers an accident before the other, the individual who had the accident first had the worse predicted outcome from the nomogram. c = 0.5 represents agreement by chance; c = 1.0 represents perfect discrimination. A total of 200 bootstrap resamples were used to reduce overfit bias and for internal validation (Harrell et al., 1982). We obtained c = 0.68.
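The two computations described in this section, summing nomogram points to a total and scoring the model with the concordance index, can be checked by hand on a small sample. The following Python code is an added example and is not code from the paper (the authors used S-Plus with the Design library). It assumes that a higher total points value means a worse predicted outcome, as in the worked case above, and it uses a constructed six-worker sample rather than the paper's insurance data. Pairs are comparable only when the worker with the shorter follow-up actually had an accident; pairs with tied follow-up times are skipped, which is a simplification of Harrell's full rule, and tied risk scores count as half concordant.

```python
from itertools import combinations
from typing import Sequence, Tuple


def nomogram_total_points(contributions: Sequence[float]) -> float:
    """Sum the per-predictor points read off the nomogram, e.g. the paper's
    worked case Topap = 14, Pertemp = 35, Sex = 14, Age = 71 gives 134 points."""
    return float(sum(contributions))


def pair_counts(times: Sequence[float], events: Sequence[int],
                risk_scores: Sequence[float]) -> Tuple[float, int]:
    """Return (concordant, comparable) pair counts for right-censored data.

    A pair is comparable only when the subject with the shorter follow-up had
    the event (an accident); if that subject was censored we do not know who
    had the accident first, so the pair is skipped. Pairs with tied follow-up
    times are skipped too (a simplification, labelled as such in the lead-in).
    A comparable pair is concordant when the earlier-accident subject has the
    higher risk score; tied scores count as half concordant.
    """
    if not (len(times) == len(events) == len(risk_scores)):
        raise ValueError("inputs must have equal length")
    concordant = 0.0
    comparable = 0
    for a, b in combinations(range(len(times)), 2):
        if times[a] == times[b]:
            continue
        # i is the subject observed for the shorter time
        i, j = (a, b) if times[a] < times[b] else (b, a)
        if not events[i]:
            continue
        comparable += 1
        if risk_scores[i] > risk_scores[j]:
            concordant += 1.0
        elif risk_scores[i] == risk_scores[j]:
            concordant += 0.5
    return concordant, comparable


def concordance_index(times: Sequence[float], events: Sequence[int],
                      risk_scores: Sequence[float]) -> float:
    """Harrell's c: fraction of comparable pairs ordered correctly by the score."""
    concordant, comparable = pair_counts(times, events, risk_scores)
    if comparable == 0:
        raise ValueError("no comparable pairs: c is undefined")
    return concordant / comparable


# Constructed sample (not data from the paper): six workers, follow-up in
# years, event = 1 if a work-related traffic accident was observed and 0 if
# the worker was censored, and nomogram total points as the risk score.
SAMPLE_TIMES = [1.0, 2.0, 3.0, 4.0, 5.0, 6.0]
SAMPLE_EVENTS = [1, 1, 0, 1, 0, 1]
SAMPLE_POINTS = [134, 100, 120, 110, 90, 100]


if __name__ == "__main__":
    print("worked case total points:", nomogram_total_points([14, 35, 14, 71]))
    concordant, comparable = pair_counts(SAMPLE_TIMES, SAMPLE_EVENTS, SAMPLE_POINTS)
    print(f"{concordant} concordant of {comparable} comparable pairs")
    print(f"c = {concordance_index(SAMPLE_TIMES, SAMPLE_EVENTS, SAMPLE_POINTS):.3f}")
```

On the constructed sample only 11 of the 15 possible pairs are comparable, because the two censored workers cannot be ordered against anyone who outlasted them; the score orders 8.5 of those 11 correctly. Negating the scores reverses every concordant pair, so c for the reversed score is (11 − 8.5)/11, which is the reason the index is read on a 0.5 to 1.0 scale: a model no better than chance lands at 0.5 and a model that ranks every comparable pair the wrong way is simply a perfect model with its sign flipped.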
These statistical analyses and the nomogram were performed using S-Plus software (PC Version 2000 Professional; Insightful Corp, Redmond, WA) with additional functions (called Design) (Harrell 2001) added.

5 DISCUSSION

The presented approach might be improved if richer databases were available. The concordance index could go up if we took into account other features of individuals and companies. It would be very interesting, for instance, to take into account information about recurrent traffic accidents of an individual. There are several extensions of the Cox model designed to deal with recurrent events that have become popular (Andersen & Gill 1982; Prentice et al., 1981; Wei et al., 1989), and many other useful methods.

The model includes one of the variables referring to the preventive organization of the company (Topap). This suggests a connection between the organizational safety culture of companies and work-related traffic accidents. In fact, there are studies on this issue; see Bomel (2004) and references therein. It is pointed out in Bomel (2004) that key components of organizational safety culture are training, procedures, planning, incident feedback, management and communications. Among the conclusions reached, it is found that the most critical factors for the management of car driver occupational road risk (ORR) are fatigue, pressure, training, incident management and communications. It would be interesting to explore this and related factors within a time-to-event framework.

REFERENCES

Andersen, P. K. & Gill, R. D. 1982. Cox’s regression model for counting processes: a large sample study. Annals of Statistics 10, 1100–20.
Bomel 2004. Safety culture and work related road accidents. Road Safety Research Report 51, Department for Transport, London.
Boufous, S. & Williamson, A. 2006. Work-related traffic crashes: A record linkage study. Accident Analysis and Prevention 38 (1), 14–21.
Cellier, J., Eyrolle, H. & Bertrand, A. 1995. Effects of age and level of work experience on occurrence of accidents. Perceptual and Motor Skills 80 (3, Pt 1), 931–940.
Clarke, D., Ward, P., Bartle, C. & Truman, W. 2005. An in-depth study of work-related road traffic accidents. Road Safety Research Report 58, Department for Transport, London.
Cox, D. R. 1972. Regression models and life tables (with discussion). Journal of the Royal Statistical Society Series B 34, 187–220.
DfT 2003. Driving at Work: Managing work–related road safety. Department for Transport, HSE Books.
Harrell, F. E. 2001. Regression Modeling Strategies. With Applications to Linear Models, Logistic Regression, and Survival Analysis. Springer.
Harrell, F. E., Califf, R. M. & Pryor, D. B. 1982. Evaluating the yield of medical tests. JAMA 247, 2543–2546.
Híjar, M., Carrillo, C. & Flores, M. 2000. Risk factors in highway traffic accidents: a case control study. Accident Analysis & Prevention 32, 5, 703–709.
Lawton, R. & Parker, D. 1998. Individual differences in accident liability: A review and integrative approach. Human Factors 40, 655–671.
Lewin, I. 1982. Driver training: a perceptual motor skill approach. Ergonomics 25, 917–925.
López-Araujo, B. & Osca, A. 2007. Factores explicativos de la accidentalidad en jóvenes: un análisis de la investigación. Revista de Estudios de Juventud 79.
Prentice, R. L., Williams, B. J. & Peterson, A. V. 1981. On the regression analysis of multivariate failure time data. Biometrika 68, 373–389.
Wei, L. J., Lin, D. Y. & Weissfeld, L. 1989. Regression analysis of multivariate incomplete failure time data by modeling marginal distributions. Journal of the American Statistical Association 84, 1065–1073.
WRSTG 2001. Reducing at–work road traffic incidents. Work Related Road Safety Task Group, HSE Books.
ABSTRACT: Given the need of organisations to express their performance in the Health and Safety domain by positive indicators, such as the gains within that domain and the proactive actions carried out to improve work conditions, a research effort has been carried out in order to respond to this particular need, or at least to make a valid contribution for that purpose. As a result of this effort, a performance scorecard on occupational Health and Safety was developed and is briefly presented in this paper.
continuous and systematic search, since it implies the development of an original idea, strongly based on mechanisms of ownership, adaptation (or adjustment), optimization and development, but also a technique for data collection and for knowledge generation.

Benchmarking is, in fact, a very successful methodology in organizational contexts, but it requires a definition of the critical success factors that express the organisation's strategy and mission for improving some key indicators. Based on this assumption and on the relevance of having H&S performance indicators that comply with contemporary organizational needs, an inventory of the H&S critical success factors found in the literature (technical, scientific and normative documents) was developed; after this, the performance indicators listed as being used to monitor and/or measure some of the identified factors were collected. Finally, the selected elements were systematized in a structured matrix of performance indicators. This matrix allows a proposal for a performance scorecard to be established.

Scorecarding is one of the contemporary archetypes of management that are clearly framed by the principles of continuous improvement. Its aim is the development of systematic organizational processes of monitoring and measuring that provide continuous information and allow the implementation of a continuous improvement process (Armitage & Scholey, 2004). This improvement is reached because scorecarding favours reporting based on key indicators, which will be (or at least might be) representative of the performance on the critical success factors for one or more of the organisational domains.

2.2 Performance Scorecard for H&S Management Systems

The need to establish a matrix of performance results that considers both proactive and reactive practices, and that fits within the Portuguese and European standards, led to a proposal for a structured matrix of performance results to be used in the scope of H&S management systems. The international vision, which was intended to be the basis of this proposal, was considered not only because of the references arising from the technical and scientific framework, but also because of the requirements imposed at the European and international level by the H&S regulatory and legal framework. This international vision is also stated in the designation chosen for the proposal: SafetyCard, Performance Scorecard for Occupational Safety and Health Management Systems.

However, this was not the only challenge that we tried to address; many others were considered in the attempt to structure a performance scorecard of this type. The complexity and multidisciplinarity of the H&S domain meant that the developed model had to reflect the major carriers operating in this area, to promote a consistent diagnosis of the target fields of the analysis in order to allow the identification of real performance improvements, and, simultaneously, to be applicable to the largest possible number of organizations.

Some of the aspects that confirm the need for operational ability come from the fact that the structured matrix contains:
– critical success factors and key elements that can naturally evolve into a more minimalist matrix with a broader scope;
– extremely strategic elements, both for the H&S domain and for the success of the organization as a whole, which makes it possible to integrate them into an overall performance matrix such as the Balanced Scorecard;
– great operational flexibility, leading to a model that is adaptable to different organizations and/or time frames, i.e., that can be used entirely or segmented according to the users' needs;
– the main principles of scorecarding, as well as the main requirements of Performance Benchmarking.

Due to the length restrictions of this paper, it is not possible to explain here the entire conceptual model and the operational considerations foreseen by the SafetyCard. Therefore, we will try to identify the main elements of the model and to synthesize them in a few points:
– Organizational design – considers aspects related to the H&S services organisation model, the coverage assured by technical elements and the systemic approach of the activities carried out. Accordingly, the indicators used relate to the type of technical coverage and to the systemic focus of H&S operation and management;
– Organizational culture – considers aspects related to the beliefs, rules and standards of behaviour set by the organization on H&S matters. Therefore, it considers indicators that refer to organisational and individual values, to rules and codes of conduct, and to the basic assumptions, description and evaluation of the H&S services' performance;
– Occupational health services – considers aspects related to health surveillance and health promotion; thus, it contemplates performance indicators structured on the basis of these two segments: health surveillance and promotion;
– Operational service of occupational hygiene & safety – considers indicators related to the statistical control of work accidents, the development and design of training programmes, and the planning and implementation of prevention and protection measures. Therefore, the segments of analysis refer to the organization and operability of the Hygiene & Safety services, accident control and analysis, training, and prevention and protection actions;
762
– Internal emergency plan – the definition of a functional organisation, based on structural planning, accountability, selection, preparation and testing of the means and devices that should be able to respond to emergency situations, assumes here the role of main vector of performance. Therefore, the performance indicators were organized according to three analytical segments: (i) Planning, (ii) Attributes and Responsibilities and (iii) Devices;
– Monitoring and/or measurement services – considers analytical segments such as (i) the control of workplace environmental conditions, (ii) the mechanisms of monitoring and/or measurement and (iii) the implementation of corrective actions. Therefore, the selected performance indicators are intended to evaluate the organisation's practices in the field of environmental control, monitoring and/or measurement;
– Work safety equipment – considers issues related to organizational practices concerning the integration of H&S requirements into the process of selection, acquisition and maintenance of work safety equipment.

2.3 Performance Weighting and Classification

One of the objectives of the analytic model was to encourage a global, but also partial, screening of the H&S performance level; hence the model has assumed both a quantitative and a qualitative character. It was intended to establish a normalized system of performance indicators, so that all performance measures could be compared. This normalization is grounded in a numerical basis, where each indicator always assumes a result between zero and one, and in some cases a traditional binary score (zero or one).

Since the entire structure of weights is built on this basis, from the application of the first coefficients of importance on the first level of the structure, all the scores assume a continuous distribution between the limits associated with each analytic element. The maximum value possible in each of the stages is equal to the value of the multiplier (M), so that each stage always varies between zero and one, including the final classification. The sum of the scores obtained in each domain represents a total value of performance, both in quantitative and in qualitative terms, since the final numerical value can be analysed through a traditional discrete classification scale (Very good, Good, ...).

3 SAFETYCARD: RESULTS OF A CASE STUDY

At this point, the aim is to present the most important results obtained from a pilot implementation of the SafetyCard (Neto, 2007). The organization used operates in the Construction branch, specifically in the Construction of Buildings, and had 134 employees, 6 of them H&S practitioners (4 technicians of level V and 2 of level III).

As some indicators had to be standardised to integrate the matrix of performance results, and considering that we had no reference or Benchmarking partner, a previous period (the past year) was used to allow the comparison. The SafetyCard was not applied entirely, since 6 performance indicators were not applicable to the considered organization and 2 did not have the data needed for their computation. However, taking into account the flexibility of the model, the matrix of performance results was modelled to that specific company without losing quality or empirical relevance. To illustrate this exercise, an example of the scorecard for the considered company is presented in Table 1. As can be seen in this table, the overall performance result was 0.740, which, according to the scale considered, reflects a good performance. Thus, we conclude that this organization had a good performance in matters of H&S at Work.

The previous result is the overall assessment of performance, but we can use this analysis to detail the evaluation. Accordingly, and based on the analytical domains previously stated, we can mention the following aspects:

– Organizational design – consistent organizational structure, partly as a result of excellent technical coverage. The weakest point is the reduced systemic approach, but that is due to the fact that the H&S management system is still being prepared and implemented. This system is being prepared under the guidelines of OHSAS 18011:1999/NP 4397:2001, which will certainly bring, in the short term, benefits to the organization, both in terms of performance and at a practical level.
– Organizational culture – characteristic traits of institutional values, norms and standards of behaviour, and basic assumptions of description and evaluation in H&S matters have been identified, which are transposed into a strong organizational culture focused on the protection and maintenance of acceptable working conditions.
– Occupational health services – great operational and structuring sense. The organization assures all the procedures to promote health in the workplaces and implements a few mechanisms for monitoring workers' health.
– Operational service of occupational health & safety – inadequate monitoring and documentation at the risk prevention level. The organization had to pay strong fines, both in monetary terms and in terms of the severity and absenteeism induced by accidents.
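The weighting scheme of section 2.3 (indicators normalised to [0, 1] or scored 0/1, segments aggregated with importance coefficients, domains aggregated with multipliers M, and a discrete classification of the final value) is easy to get wrong when some indicators are not applicable, as happened in the case study. The following Python model is an added example, not the SafetyCard itself or code from the authors; the indicator names, weights, scores, the renormalisation rule for missing indicators and the classification thresholds are all constructed assumptions, since the paper does not state them.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

# Hypothetical implementation of the two-level weighting scheme of section 2.3.
# Names, weights, scores and thresholds below are constructed for illustration,
# not taken from the SafetyCard or from the case-study company.


@dataclass(frozen=True)
class Indicator:
    name: str
    weight: float            # importance coefficient within the segment
    score: Optional[float]   # normalised result in [0, 1]; None = not applicable / no data


@dataclass(frozen=True)
class Segment:
    name: str
    multiplier: float        # M(a): share of the domain score this segment can reach
    indicators: Sequence[Indicator]


@dataclass(frozen=True)
class Domain:
    name: str
    multiplier: float        # M(b): share of the overall score this domain can reach
    segments: Sequence[Segment]


def _weighted_mean(items, weight_of: Callable, value_of: Callable) -> Optional[float]:
    """Weighted mean of the applicable items (those whose value is not None).

    Items with value None are dropped and the remaining weights are renormalised,
    so every stage stays in [0, 1] and, when the multipliers of a stage sum to 1,
    the result equals the paper's sum of M times score. Renormalising over the
    applicable indicators is this example's assumption about how the matrix was
    'modelled' to a company with non-applicable indicators; the paper gives no rule."""
    pairs = [(weight_of(i), value_of(i)) for i in items if value_of(i) is not None]
    if not pairs:
        return None
    for w, v in pairs:
        if w < 0 or not 0.0 <= v <= 1.0:
            raise ValueError(f"weight {w} or normalised score {v} out of range")
    total = sum(w for w, _ in pairs)
    if total == 0:
        raise ValueError("applicable weights sum to zero")
    return sum(w * v for w, v in pairs) / total


def segment_score(seg: Segment) -> Optional[float]:
    return _weighted_mean(seg.indicators, lambda i: i.weight, lambda i: i.score)


def domain_score(dom: Domain) -> Optional[float]:
    return _weighted_mean(dom.segments, lambda s: s.multiplier, segment_score)


def overall_score(domains: Sequence[Domain]) -> Optional[float]:
    return _weighted_mean(domains, lambda d: d.multiplier, domain_score)


# Assumed discrete scale: the paper names the classes ("Very good, Good, ...")
# but not the thresholds. 0.740 from the case study classifies as "Good" here.
SCALE = [(0.85, "Very good"), (0.70, "Good"), (0.50, "Satisfactory"), (0.0, "Insufficient")]


def classify(score: float) -> str:
    for threshold, label in SCALE:
        if score >= threshold:
            return label
    raise ValueError("score below zero")


# Constructed sample scorecard: two domains; the first uses two of the three
# segments the paper lists for the internal emergency plan.
SAMPLE = [
    Domain("Internal emergency plan", 0.5, [
        Segment("Planning", 0.5, [
            Indicator("Emergency plan documented", 0.6, 1.0),           # binary indicator
            Indicator("Plan reviewed within the last year", 0.4, 0.0),  # binary indicator
        ]),
        Segment("Devices", 0.5, [
            Indicator("Fraction of extinguishers inspected on schedule", 1.0, 0.9),
        ]),
    ]),
    Domain("Work safety equipment", 0.5, [
        Segment("Acquisition and maintenance", 1.0, [
            Indicator("Fraction of equipment with maintenance records", 0.5, 0.8),
            Indicator("Fraction of purchases with an H&S review", 0.3, 1.0),
            Indicator("Supplier audits completed", 0.2, None),  # not applicable here
        ]),
    ]),
]


if __name__ == "__main__":
    for dom in SAMPLE:
        print(f"{dom.name}: {domain_score(dom):.3f}")
    total = overall_score(SAMPLE)
    print(f"overall: {total:.3f} -> {classify(total)}")
```

With the constructed inputs the emergency-plan domain scores 0.75, the equipment domain 0.875 (the non-applicable indicator's weight is redistributed), and the overall result 0.8125, which the assumed scale classifies as "Good". Scores outside [0, 1] are rejected rather than silently clipped, since a single out-of-range indicator would otherwise corrupt every stage above it.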
763
Table 1. Example of the Performance Benchmarking Scorecard (summary) for the case study. [Table body not extracted.]
(a) The letter M represents the multiplier associated with the baseline weight and with the maximum score that can be obtained in a specific segment. (b) The letter M represents the multiplier associated with the segment and with the maximum score that can be obtained in a specific domain.

– Internal emergency plan – excellent basis of structuring and planning, with the organization ensuring the main procedural mechanisms of response to emergencies (plans, responsibilities and devices). However, there is an operational weakness, because the organization has no evidence of its operational ability (for example, no fire drills were carried out).
– Monitoring and/or measurement service – low level of monitoring of the environmental conditions arising from the adopted processes. The organization acknowledged the existence of some ergonomic risk factors and of occupational exposure to harmful agents, like noise. However, it has not developed specific procedures for evaluating the exposure levels of the workers. This has become a critical segment, because it penalizes the organization.
– Work safety equipment – great strategic importance is given both to the acquisition and maintenance and to the prescription of elements relating to work safety equipment. This was the critical success area where the organization obtained the best score.

4 CONCLUSIONS

The best way to conclude a "journey" is to go back to the starting point. From the literature review, it seems consensual that organizations need a structured matrix of positive indicators that goes beyond the assessment of some of the organization's attributes, which does not favour the idea of a whole and does not fully reflect the overall H&S performance. So it is important to have a scorecard that is able to reflect the structural H&S performance of an organization, and to allow internal and external comparisons (Benchmarking in the various possible scenarios).
764
The performance scorecard that has been developed and implemented shows applicability and technical-scientific relevance, allowing the diagnosis of a structural H&S Management System. This diagnosis can be carried out both in terms of working conditions and organizational values, and in terms of H&S performance monitoring and/or measurement.

Finally, it is also necessary to highlight that there is some work still to be done, but it is expected that the presented tools can be improved and refined in order to obtain a reliable and useful tool for performance assessment.

REFERENCES

Camp, R. 1993. Benchmarking: O Caminho da Qualidade Total—Identificando, Analisando e Adaptando as Melhores Práticas da Administração Que Levam à Maximização da Performance Empresarial. São Paulo: Livraria Pioneira Editora (in Portuguese).
Neto, H.V. 2007. Novos Indicadores de Desempenho em Matéria de Higiene e Segurança no Trabalho: perspectiva de utilização em Benchmarking. MSc dissertation in Human Engineering, School of Engineering. Guimarães: University of Minho (in Portuguese).
Pinto, A. 2005. Sistemas de Gestão da Segurança e Saúde no Trabalho—Guia para a sua implementação, 1a Edição. Lisbon: Edições Sílabo (in Portuguese).
765
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
I.A. Papazoglou
TU Delft, Safety Science Group, Delft, The Netherlands
M. Mud
RPS Advies BV, Delft, The Netherlands
M. Damen
RIGO, Amsterdam, The Netherlands
J. Kuiper
Consumer Safety Institute, Amsterdam, The Netherlands
H. Baksteen
Rondas Safety Consultancy, The Netherlands
L.J. Bellamy
WhiteQueen, The Netherlands
J.G. Post
NIFV NIBRA, Arnhem, The Netherlands
J. Oh
Ministry Social Affairs & Employment, The Hague, The Netherlands
ABSTRACT: A general logic model for fall from height, developed under the Workgroup Occupational Risk Model (WORM) project financed by the Dutch government, is presented. Risk has been quantified for the specific cases of fall from placement ladders, fixed ladders, step ladders, fixed scaffolds, mobile scaffolds, (dis)assembling scaffolds, roofs, floor openings, fixed platforms, holes, moveable platforms and non moving vehicles. A sensitivity analysis assessing the relative importance of measures affecting risk is presented, and risk increase and risk decrease measures are assessed. The most important measures in order to decrease fatality risk owing to falls are, for fixed ladders, the way of climbing; for step ladders, their location; for roofs, floors and platforms, not to work on them while they are being demolished; for mobile scaffolds, the existence of safety lines; for fixed scaffolds, protection against hanging objects; for work near holes and (de)installing scaffolds, the use of fall arrest; and for moveable platforms and non moving vehicles, the existence of edge protection.
767
report on falls from scaffolds (OSHA 1979), the OSHA report on falls from elevated platforms (OSHA 1991), the study of McCann (2003) on deaths in construction related to personnel lifts and the study of HSE (2003) on falls from height in various industrial sectors.

The Dutch government has chosen the quantitative risk approach in order to determine the most important paths of occupational accidents and to optimize the risk reduction efforts. It has embarked on the Workgroup Occupational Risk Model (WORM) project, as presented by Ale et al. (2008). A major part of the WORM project is the quantification of occupational risk, according to the bowtie methodology developed within the project and presented by Papazoglou & Ale (2007).

Of the 9000 analyzed GISAI (2005) occupational accidents, which occurred in the Netherlands between 1998 and 2004, 805 have been classified as falls from placement ladders, 70 from fixed ladders, 187 from step ladders, 245 from mobile scaffolds, 229 from fixed scaffolds, 78 falls while installing or de-installing scaffolds, 430 falls from roofs, 415 from floors, 235 from fixed platforms, 74 falls in holes, 205 from moveable platforms and 206 from non moving vehicles. Logical models for fall from height have been presented by Aneziris et al. (2008).

This paper presents the overall quantified risk, the specific causes and their prioritization for the following occupational hazards: a) fall from placement ladders, b) fall from fixed ladders, c) fall from step ladders, d) fall from fixed scaffolds, e) fall from mobile scaffolds, f) fall while (dis)assembling scaffolds, g) fall from roofs, h) fall from floor openings, i) fall from fixed platforms, j) fall in holes, k) fall from moveable platforms, l) fall from non moving vehicles.

The paper is organized as follows. After the introduction of section 1, section 2 presents a general logic model for fall from height and risk results for all fall from height cases. Section 3 presents the ranking of the various working conditions and/or safety measures in terms of their contribution to the risk. Finally, section 4 offers a summary and the conclusions.

2 LOGICAL MODEL FOR FALL FROM HEIGHT

In this section a general model for fall from height is presented, which may be applied in all fall from height cases, while more detailed models for fall from ladders, scaffolds, roofs, holes, moveable platforms and non moving vehicles are described by Aneziris et al. (2008). Figure 1 presents the fall from height bowtie.

[Figure 1. General bowtie for fall from height. (Diagram not extracted.)]

The centre event represents a fall or not from the structure (ladder, scaffold, roof, hole, moving platform, or non moving vehicle) and is decomposed into the initiating event and the safety measures aiming at preventing a fall. The initiating event represents working on the high structure, while the primary safety measures preventing a fall are strength and stability of the structure, user stability and edge protection.

Strength of structure: The structure should be able to support the load imposed by the user and the associated loads (persons or equipment). It is applicable to all fall from height cases, with the exception of fall in a hole. It is defined as a two-state event with the following states: success or loss of strength.

Stability of structure: The structure itself, through its design and material, provides the necessary stability so that it does not tip over. It is applicable to all fall from height cases, with the exception of fall from roof, floor, platform and fall in a hole. It is defined as a two-state event with the following states: success or loss of structure stability.

User stability: Given a strong and stable structure, the user should be able to remain on the structure without losing his stability. This measure is applicable to all fall from height cases. It is defined as a two-state event with the following states: success or loss of user stability.
768
Table 1. Support safety barriers affecting primary safety barriers, for all fall from height accidents.

STRENGTH
  LADDER                      • Type or condition of ladder
  SCAFFOLD                    • Structural design / construction
  ROOF/FLOOR/FIXED PLATFORM   • Roof surface condition
  MOVEABLE PLATFORM           • Condition of lift/support
  NON MOVING VEHICLE          • Loading
STRUCTURE STABILITY
  LADDER                      • Placement and protection  • Type or condition of ladder
  SCAFFOLD                    • Anchoring  • Foundation  • Scaffold protection
  MOVEABLE PLATFORM           • Foundation/anchoring  • Position of machinery/weight
  NON MOVING VEHICLE          • Foundation  • Load handling
USER STABILITY
  LADDER                      • User ability
  HOLE IN GROUND              • User ability
  ROOF/FLOOR/FIXED PLATFORM   • User ability
  SCAFFOLD                    • User ability  • Floor condition
  MOVEABLE PLATFORM           • User ability  • External conditions  • Movement control  • Position of machinery or weight on platform
  NON MOVING VEHICLE          • Ability  • Load handling  • Working surface

Edge protection: This measure includes the provision of guardrails that enhance the stability of the user. It is applicable to all fall from height cases with the exception of ladders and non moving vehicles. It can be in one of the following states: present, failed or absent.

2.1 Support safety barriers

A Support Safety Barrier (SSB) contributes to the adequate function of the Primary Safety Barriers and influences the probability with which the primary safety barrier states occur. There are three types of support barriers: those affecting structure strength, structure stability and user stability.

Measures that affect strength are structure specific and are presented in Table 1. The condition of the structure surface affects the strength of ladders, roofs and moveable platforms. Structural design and construction affect scaffold strength, and loading affects non moving vehicles.

Measures that affect the stability of the structure are structure specific and are presented in Table 1. Foundation is a measure affecting all structures with the exception of ladders. Ladder stability is affected by the ladder's condition, placement and protection.

User ability is a measure affecting user stability in all fall accidents. Other measures, such as working surface, depend on the type of fall accident and are presented in Table 1.

2.2 Probability influencing entities (PIEs)

In several instances the safety barriers of the model are simple enough to link directly to easily understood working conditions and measures, as in the barrier "Anchoring", which affects the stability of a fixed scaffold. Assessing the frequency with which anchoring exists is straightforward.

In other instances, however, this is not possible. For example, the support barrier "Floor surface condition" may be analysed into more detailed and more
769
Table 2. PIEs characteristics and frequencies. [Columns: Barrier; PIEs; PIE frequency; Barrier success probability. Table body not extracted.]

concrete measures that affect its quality. Such specific measures are: (i) floor which is being demolished; (ii) floor not able to support weight. Similarly, the barrier "Fall Arrest" may be analysed into the following measures: (i) use of collective fall arrest; (ii) maintenance of collective fall arrest; (iii) use of personal fall arrest; (iv) maintenance of personal fall arrest. Such factors are called Probability Influencing Entities (PIEs). Each influencing factor (PIE) is assumed to have two possible levels, "Adequate" and "Inadequate". The quality of an influencing factor is then set equal to the frequency with which this factor is at the adequate level in the working places. Then the quality of the barrier is given by a weighted sum of the influencing factor qualities. The weights reflect the relative importance of each factor and are assessed by the analyst on the basis of expert judgement. Currently equal weights have been used. This way the probability of a support barrier being in one of its possible states is given by the weighted sum of the frequencies of the influencing factors (RIVM 2008).

PIEs and their frequencies, as well as the failure probability of the barriers they influence, for fall from roofs are presented in Table 2. All other PIEs for the fall from height models are presented in RIVM (2008). Frequencies of PIEs have been assessed through surveys of the working conditions in the Dutch working population and reflect the Dutch national average (RIVM 2008).

2.3 Right hand side (RHS)

The right hand side of the fall bowties, in combination with the outcome of the centre event, determines the consequences of the falls. Four levels of consequences are used: C1: No consequence; C2: Recoverable
770
[Figure 2 (bar chart not extracted; caption not extracted): individual risk per hour, on a scale of 1,00E-05, for each fall from height case (placement ladder, fixed ladder, step ladder, fixed scaffold, mobile scaffold, installing scaffold, roof, floor, fixed platform, hole in ground, moveable platform, non-moving vehicle).]

injury; C3: Permanent injury; C4: Death. Events of the RHS are the height of the fall, the type of the surface and the medical attention. More details on these events are presented by Aneziris et al. (2008).

Individual risk of death, permanent injury and recoverable injury per hour have been assessed according to the methodology presented by Aneziris (2008) and Papazoglou et al. (2008) and are presented in Figure 2. Fall from roof has the highest fatality risk, 2.2 ×

[Figure 3. Risk fatality increase and risk decrease for fall from placement ladder bowtie, for various working conditions (PIEs). (Chart not extracted.)]

[Figure 4. Risk fatality increase and decrease for fall from fixed ladder bowtie, for various working conditions (PIEs). (Chart not extracted; PIE labels visible: Substandard movements; External force exerted on the (label truncated). Axes: risk decrease / risk increase.)]

2. Risk increase: This measure gives the relative increase of risk, with respect to the present state, if the barrier (or PIE) achieves its failed state with probability equal to unity.

Risk decrease prioritizes the various elements of the model for the purposes of possible improvements. It is more risk-effective to try to improve first a barrier with a higher risk decrease effect than another with a lower risk decrease. Risk increase provides a measure of the importance of each element in the model being maintained at its present level of quality. It is more important to concentrate on the maintenance of a barrier with a high risk increase importance than on one with a lesser one. The effect each PIE has on the overall risk is presented in Figures 3–14.

3.1 Fall from height - ladders

Placement ladder: The most important measures in order to decrease fatality risk are the location of signs to prevent impact and the use of the right type of ladder which, if used 100% of the time a placement ladder is used, will decrease risk by 21% and 20% respectively. The most important measure in order to maintain risk is to keep the ladder in good condition. If this is not done, risk increases by 54%.
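The two importance measures defined above, together with the equal-weight PIE rule of section 2.2, can be put into a small executable model. The Python below is an added example and not WORM project code: the left-hand-side structure (a fall when strength fails, or the structure loses stability, or the user loses stability while edge protection is not effective), the independence of the barriers, the direct mapping of the PIE weighted sum onto barrier failure probability, and every frequency are assumptions made here; the PIE names are borrowed from the paper's fixed scaffold figure. Risk decrease for a PIE is computed by forcing it adequate 100% of the time, risk increase by forcing it inadequate with probability one, both relative to the present state.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not WORM project code): a minimal fall-from-height bowtie in the
# spirit of section 2 plus the risk decrease / risk increase measures of section 3.
# Assumptions this example makes that the paper does not state:
#  - a primary barrier fails with the probability given by the equal-weight sum of
#    its PIEs' "inadequate" frequencies (the paper gives that rule for the support
#    barrier state; applying it straight to barrier failure is ours);
#  - barriers are independent, and a fall occurs when strength fails, or the
#    structure loses stability, or the user loses stability with edge protection
#    not effective (a simplified left-hand side, not the paper's full bowtie);
#  - the consequence side (C1..C4, per hour) is omitted: a constant fatality
#    probability given a fall cancels out of both relative measures.
# PIE names are taken from the paper's figures; all frequencies are constructed.


@dataclass(frozen=True)
class PIE:
    name: str
    freq_adequate: float   # fraction of working places where the factor is adequate


@dataclass(frozen=True)
class Barrier:
    name: str
    pies: Tuple[PIE, ...]

    def failure_probability(self, forced: Optional[Dict[str, float]] = None) -> float:
        """Equal-weight sum of the PIEs' inadequate frequencies, with optional
        overrides (PIE name -> forced adequate frequency) for sensitivity runs."""
        forced = forced or {}
        weight = 1.0 / len(self.pies)
        total = 0.0
        for p in self.pies:
            f = forced.get(p.name, p.freq_adequate)
            if not 0.0 <= f <= 1.0:
                raise ValueError(f"frequency {f} for {p.name} out of range")
            total += weight * (1.0 - f)
        return total


@dataclass(frozen=True)
class FallBowtie:
    strength: Barrier
    stability: Barrier
    user_stability: Barrier
    edge_protection: Barrier

    def all_pies(self) -> List[PIE]:
        barriers = (self.strength, self.stability, self.user_stability, self.edge_protection)
        return [p for b in barriers for p in b.pies]

    def fall_probability(self, forced: Optional[Dict[str, float]] = None) -> float:
        """P(fall) for the assumed structure: strength OR stability OR (user AND edge)."""
        ps = self.strength.failure_probability(forced)
        pst = self.stability.failure_probability(forced)
        pu = self.user_stability.failure_probability(forced)
        pe = self.edge_protection.failure_probability(forced)
        return 1.0 - (1.0 - ps) * (1.0 - pst) * (1.0 - pu * pe)


def risk_decrease(model: FallBowtie, pie: str) -> float:
    """Relative decrease of risk if the PIE is adequate 100% of the time."""
    base = model.fall_probability()
    return (base - model.fall_probability({pie: 1.0})) / base


def risk_increase(model: FallBowtie, pie: str) -> float:
    """Relative increase of risk if the PIE is inadequate with probability one."""
    base = model.fall_probability()
    return (model.fall_probability({pie: 0.0}) - base) / base


def rank_pies(model: FallBowtie, measure) -> List[Tuple[str, float]]:
    """PIEs ordered by an importance measure, highest first."""
    scores = [(p.name, measure(model, p.name)) for p in model.all_pies()]
    return sorted(scores, key=lambda t: t[1], reverse=True)


# Constructed fixed-scaffold model; frequencies are illustrative, not survey data.
SCAFFOLD = FallBowtie(
    strength=Barrier("strength", (
        PIE("Structural design / construction", 0.99),
        PIE("Footings capable of supporting the loaded scaffold", 0.98),
    )),
    stability=Barrier("structure stability", (
        PIE("Anchoring", 0.95),
        PIE("Protection of scaffold against being struck by a vehicle", 0.90),
    )),
    user_stability=Barrier("user stability", (
        PIE("Protection against hanging/swinging objects", 0.80),
        PIE("Health checks for people working on heights", 0.95),
        PIE("Safe access of scaffold", 0.90),
    )),
    edge_protection=Barrier("edge protection", (
        PIE("Guardrails present", 0.90),
    )),
)

if __name__ == "__main__":
    print(f"P(fall) at present state: {SCAFFOLD.fall_probability():.4f}")
    for name, rd in rank_pies(SCAFFOLD, risk_decrease):
        print(f"{rd:7.1%} risk decrease  {name}")
    for name, ri in rank_pies(SCAFFOLD, risk_increase):
        print(f"{ri:7.1%} risk increase  {name}")
```

Running it reproduces the paper's point that the two rankings differ: with these constructed frequencies the largest risk decrease belongs to vehicle protection of the scaffold (the PIE with the most room for improvement inside the stability barrier), while the largest risk increase belongs to anchoring, whose present quality is already high and therefore matters most to maintain. Because the stability barrier is an OR branch, its PIEs dominate both lists; PIEs behind the user-stability barrier are damped by the AND with edge protection.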
771
[Chart residue (figure number and caption not extracted): fall from step ladder, PIE labels: Location of ladder; Step ladder is in good condition; Surface condition of steps; Dimension. Axes: risk increase / risk decrease, percentage %, 0 to 100.]

[Figure 7. Risk fatality increase and risk decrease for fall from fixed scaffold bowtie, for various working conditions (PIEs). (Chart not extracted; PIE labels: Fall arrestors, safety nets; Protection of scaffold against being struck by a vehicle; Health checks based on clear criteria for people working on heights; No ladder placed on top of a scaffold; Safe access of scaffold; Protection against hanging/swinging objects; Footings capable of supporting the loaded scaffold without displacement.)]

[Chart residue (figure number and caption not extracted): (DE) INSTALLING SCAFFOLD.]

Fixed ladder: The most important measures in order to decrease fatality risk are to use both hands for climbing and to be in the right position (not on top and not overreaching). If these measures are used 100% of the time a fixed ladder is used, risk decreases by 34% and 21% respectively. The most important measures to maintain risk are the good physical condition of the worker and the avoidance of external force being exerted on him. If this is not
772
done, fatality risk increases by 116% and 108% respectively.

Step ladder: The most important measure in order to decrease fatality risk is the location of the ladder, so that it cannot be hit by a falling object. This measure decreases risk by 26%, if used 100% of the time a step ladder is used. The most important measure in order to maintain risk is the placement of the step ladder, so that it is fully extended. If this is not done, risk increases by 85%.

3.2 Fall from height - scaffolds

Mobile scaffolds: The most important measure in order to decrease fatality risk is the use of a safety line or a harness belt, which decreases risk by 60%, if used

[Figure 9. Risk fatality increase and risk decrease for fall from roof, for various working conditions (PIEs). (Chart not extracted; PIE labels visible: State of maintenance; Anchor points FA; Personal fall arrest; Condition of CFA; Collective fall arrest (CFA); Slope; Weather; Outside edge protection; Substandard movement (slip, trip); Overstretching; Hands not free; Unfit; Walking backwards; Capacity to keep balance on roof; Roof not intended to support exerted weight; Roof being built or torn down; No EP next to non-supporting parts; EP absent. Axes: risk decrease / risk increase, percentage (%), 0 to 80.)]

[Figure 11. Risk fatality increase and risk decrease for fall from platform, for various working conditions (PIEs). (Chart not extracted; PIE labels visible: State of maintenance; Anchor points FA; Personal fall arrest; Collective fall arrest; Weather; Outside edge protection; Substandard movement (slip, trip); Overstretching; Hands not free; Unfit; Walking backwards; Capacity to keep balance on floor; Platform overloaded; Platform being built or demolished; EP absent. Axes: risk decrease / risk increase, percentage %, 0 to 100.)]

[Figure 10. Risk fatality increase and risk decrease for fall from floor, for various working conditions (PIEs), and Figure 12. Risk fatality increase and risk decrease for fall in hole, for various working conditions (PIEs). (Charts not extracted; PIE labels visible across the two charts: Anchor points FA; Personal fall arrest; Weather; Illumination; Outside edge protection; Substandard movement (slip, trip); Overstretching.)]
773
100% of the time a mobile scaffold is used. In case they do not exist, risk will increase by 88%.

Fixed scaffolds: The most important measure in order to decrease fatality risk is the existence of protection against hanging/swinging objects, which decreases risk by 75%, if used 100% of the time a fixed scaffold is used. In case it does not exist, fatality risk increases by 122%.

(De)installing scaffolds: The most important measure in order to decrease fatality risk is the use of fall arrestors and safety nets, which decrease risk by 48%, if used 100% of the time a scaffold is installed or deinstalled. In case they do not exist, risk will increase by 93%.

3.3 Fall from roofs

The most important measure in order to decrease fatality risk is to avoid work on a roof that is being demolished, which decreases risk by 58% if followed 100% of the time while working on a roof. The most important measures to maintain risk are not to walk on weak spots of roofs and to maintain roof edge protection. If they are not followed, risk will increase by 70%.

3.5 Fall from fixed platforms

The most important measure in order to decrease fatality risk is to avoid working on a platform that is being demolished, which decreases risk by 23% if followed 100% of the time while working on a fixed platform. The most important measure to maintain risk is to maintain the edge protection of platforms. If this is not done, risk increases by 70%.

[Figure 13. Risk fatality increase and risk decrease for fall from moveable platform, for various working conditions (PIEs). (Chart not extracted; PIE labels: Fixation of temp. platform; Outside the platform; Substandard movement (slip, trip); Overstretching; Hands not free; Unfit; Self induced external force by machinery or equipment; Anchoring; Foundation: stabilisatoren (stabilisers); Foundation: ondergrond (ground surface); Position of the beams; Position of load; Moveable height hit by vehicle or hanging/swinging load; User hit by rolling, sliding, swinging or hanging object; Heavy wind; Control failure (operator or machine induced); Load blocks movement; Unclear control panel; Malfunction (of transmission of movement); Substandard lifting/hoisting mechanism; Substandard brake; Metal fatigue and corrosion of structural/support parts; Wear and tear of structural/support parts; PFA condition/state; PFA anchoring; Personal fall arrest; Collective fall arrest lifts; Edge protection absent. Axes: risk decrease / risk increase, percentage %, 0 to 1000.)]

[Chart residue (figure number and caption not extracted): fall from non moving vehicle, PIE labels: Unknown surface; Slope; No grip; Round/rolling parts; Unbalanced loading; Unsecured load; Loading and stabilising; Position of the road; Corrosion.]
774
3.7 Fall from moveable platform

The most important measure in order to decrease fatality risk is the existence of edge protection, which decreases risk by 65% if used 100% of the time while working on a moveable plat­form. The most important measure in order to maintain risk is the fixation of the platform, since its absence will increase risk 9 times.

3.8 Fall from non moving vehicle

The most important measure in order to decrease fatality risk is the existence of edge protection, which decreases risk by 39% if used 100% of the time while climbing on a non moving vehicle. The most important measures in order to maintain risk are securing and balancing the load, since their absence will increase risk by 139% and 137% respectively.

4 CONCLUSIONS

A general logical model has been presented for quantifying the probability of fall from height and the various types of consequences following all fall from height accidents. The model has been used for the prioritization of risk reducing measures, through the calculation of two risk importance measures: the risk decrease and the risk increase. The calculations were made for fatality risk.

REFERENCES

Aneziris O.N., Papazoglou I.A., Baksteen H., Mud M.L., Ale B.J.M., Bellamy L.J., Hale A.R., Bloemhoff A., Post J., Oh J.I.H., 2008. Quantified risk assessment for fall from height. Safety Science, Volume 46, Issue 2: 198-220.
GISAI, 2005. Geintegreerd Informatie Systeem Arbeids Inspectie: Integrated Information System of the Labor Inspection in the Netherlands.
HSE (2003). Fall from Height—Prevention and risk control effectiveness, ISBN 07176221 5, http://www.hse.gov.uk/research/rrpdf/rr116.pdf.
McCann M. (2003). "Deaths in construction related to personnel lifts, 1992-1999", Journal of Safety Research, 34, 507–514.
NIOSH (2000). "Worker Death by Falls", US Department of Health and Human Services, www.cdc.gov/elcosh/docs/d0100/d000057/d000057.html.
OSHA (1979). "Occupational fatalities related to scaffolds as found in reports of OSHA fatality/catastrophe investigations", Washington DC.
OSHA (1991). "Selected occupational fatalities related to vehicle-mounted elevating and rotating work platforms as found in reports of OSHA fatality/catastrophe investigations", Washington DC.
Papazoglou I.A., Ale B.J.M., 2007. A logical model for quantification of occupational risk, Reliability Engineering & System Safety 92 (6): 785-803.
Papazoglou I.A., L.J. Bellamy, K.C.M. Leidelmeijer, M. Damen, A. Bloemhoff, J. Kuiper, B.J.M. Ale, J.I.H. Oh, 2008. "Quantification of Occupational Risk from Accidents", submitted to PSAM 9.
RIVM 2008. WORM Metamorphosis Consortium. The Quantification of Occupational Risk. The development of a risk assessment model and software. RIVM Report 620801001/2007, The Hague.
775
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
I.A. Papazoglou
TU Delft, Safety Science Group, Delft, The Netherlands
M. Mud
RPS Advies BV, Delft, The Netherlands
M. Damen
RIGO, Amsterdam, The Netherlands
H. Baksteen
Rondas Safety Consultancy, The Netherlands
L.J. Bellamy
White Queen, The Netherlands
J.G. Post
NIFV NIBRA, Arnhem, The Netherlands
J. Oh
Ministry Social Affairs & Employment, The Hague, The Netherlands
ABSTRACT: Chemical explosions pose a serious threat for personnel in sites producing or storing dangerous substances. The Workgroup Occupational Risk Model (WORM) project financed by the Dutch government aims at the development and quantification of models for a full range of potential risks from accidents in the workspace. Sixty-three logical models have been developed, each coupling working conditions with the consequences of accidents owing to sixty-three specific hazards. The logical model for vapour/gas chemical explosions is presented in this paper. A vapour/gas chemical explosion resulting in a consequence that is reportable under Dutch law constitutes the centre event of the model. The left hand side (LHS) of the model comprises specific safety barriers that prevent the initiation of an explosion and specific support barriers that influence the adequate functioning of the primary barriers. The right hand side (RHS) of the model includes the consequences of the chemical explosion. The model is quantified and the probability of three types of consequences of an accident (fatality, permanent injury, recoverable injury) is assessed. A sensitivity analysis assessing the relative importance of each element or working condition to the risk is also presented.
The Workgroup Occupational Risk Model (WORM) project has been launched by the Dutch government in order to manage and reduce occupational risk. The aim of the project is the quantification of occupational risk through logical models for a full range of potential risks from accidents in the workspace (Ale et al., 2008). Data for the development of these models are derived from the GISAI database (GISAI 2005) of the Netherlands Ministry of Work, which includes approximately 12500 accident cases reported between January 1998 and February 2004.

Of the analysed GISAI accident cases, 126 cases have been classified as vapour/gas chemical explosion accidents with reportable consequences. The modelling and the quantification of these cases are described in this paper. Quantification for other types of occupational accidents such as falls from ladders (Aneziris et al., 2008a), or crane activities occupational accidents (Aneziris et al., 2008b) has already been performed within the WORM project. An overall assessment of the risk from 63 specific occupational hazards is given in Papazoglou et al. (2008).

From the observed accident cases scenario-models have been firstly developed to capture the sequence of events leading to the accident (Bellamy et al., 2007). The scenario-model is the basis for the logical modelling in the WORM project (Papazoglou 2007). This logical model consists in successive decomposition of the overall accident consequence into simpler and simpler events until a final level of event resolution is achieved. Each level of events is logically interconnected with the more general events of the immediately upper level. The events of the lower level of decomposition form an influence diagram consisting of two parts connected by a main event called the Centre Event (CE) and representing the occurrence of an accident resulting in a reportable consequence (here a vapour/gas explosion). This is a very important characteristic of the model. Owing to the nature of the available data, which correspond to joint events of explosions resulting in reportable consequences, the Centre Event refers to events that either result in a reportable consequence or not (i.e. no explosion or an explosion without reportable consequences). Usually all events to the left of this event represent events aiming at preventing the CE from occurring and the corresponding part of the diagram is called Left Hand Side (LHS). All events to the right of the CE correspond to events aiming at mitigating the consequences of the CE and this part of the model is called Right Hand Side (RHS) (Papazoglou 2007). In the core of the WORM project, however, the events to the left are events that influence the probability of the Centre Event occurring, the latter being an accident with reportable consequence. The events to the right of the Centre Event simply condition the severity of the reportable consequence. For communication purposes with safety engineers not familiar with logical models this influence diagram is called, within the WORM project, bowtie model.

The logical model provides a way for organising various events from a root cause via the centre event, ending up with a reportable damage to the health of the worker. The use of such a model is twofold. On the one hand it provides the accident sequences, that is, the sequences of events that lead from a fundamental or root cause to the final consequence. On the other hand, it provides a way for quantifying the risk (Papazoglou 2007).

The structure of the paper is as follows: Sections 2 and 3 illustrate the general concept of the logical model for vapour/gas chemical explosions along with specific details. Section 4 presents the quantification of the Bowtie. The results and the ranking of the various working conditions and/or safety measures in terms of their contribution to the risk are presented in section 5. Finally section 6 concludes the paper.

2 LOGICAL MODEL FOR VAPOUR/GAS CHEMICAL EXPLOSIONS

Occupational explosion accidents are accidents where the injuries are the result of the effects of an explosion. For the purpose of modelling, explosions are characterised by pressure (wave) effects and sometimes the launching of fragments. A distinction has been made between physical explosions and chemical explosions. Physical explosions are explosions which are caused by an over-pressurisation of containment for any reason other than a chemical explosion inside the containment. Chemical explosions are explosions caused by a) vapour or gas mixtures; b) dust; c) the ignition of (solid) explosives and d) explosive reactions (explosive run-away reactions, auto-ignition reactions, combustion reactions).

Four different models have been developed to include those four types of explosions. This paper presents the model and its quantification for vapour/gas chemical explosions.

2.1 Left hand side of the model (LHS)

The left hand side of the model consists of an initiating event and corresponding safety measures (technical or procedural) aiming at preventing a vapour/gas explosion with reportable consequences.

2.1.1 Initiating events

The initiating event represents activities where workers are adding substances to a containment (filling, feeding, pressurising); venting, discharging, releasing, emptying of a containment/substance; opening a containment (e.g. a valve of an oxygen gas cylinder);
closing a containment; working with chemicals (performing experiments, surface treating, putting objects in galvanic baths); working with explosives; using an ignition source (heating, hot work activities, switching on equipment); manually moving a containment; cleaning a containment; disconnecting a battery and fighting a fire.

2.1.2 Primary and support safety barriers

A safety barrier is a physical entity, a technical, hardware, procedural or organisational element in the working environment that aims either at preventing something from happening (e.g. the CE) or at mitigating the consequences of something that has happened. Safety Barriers can be distinguished in Primary and Support Barriers. A Primary Safety Barrier (PSB) either alone or in combination with other PSBs may prevent the initiation of an explosion. A Support Safety Barrier (SSB) sustains the adequate function of the PSB and influences the probability with which the primary safety barrier states occur.

2.2 Right hand side (RHS)

The right hand side of the chemical explosions model in combination with the outcome of the centre event determines the consequences of the chemical explosions. Four levels of consequences are used: C1: No consequence; C2: Recoverable injury; C3: Permanent injury; C4: Death. The quantification of occupational risk for chemical explosions will be presented in the form of probabilities for the three levels of possible consequence severity.

3 SAFETY BARRIERS FOR VAPOUR/GAS EXPLOSIONS

A vapour/gas explosion occurs when an ‘‘explosive mixture’’ is formed and this mixture comes into contact with an ignition source. Consequently the general objective of the safety functions in relevant situations is to avoid the simultaneous occurrence of ‘‘ignition sources’’ and ‘‘explosive mixtures’’. This can be done by preventing the formation of an ‘‘explosive mixture’’ and, if this is not possible, either by keeping the ‘‘explosive mixture’’ isolated from the space where ignition sources exist (or are likely to exist), or by keeping ignition sources isolated from spaces where an explosive mixture exists.

Based on the physicochemical characteristics of explosive mixtures and the process industry experience, along with information from the accidents that occurred in the Netherlands, four different situations where an explosive mixture can come into contact with an ignition source and pose an explosion hazard for the operator are distinguished:

1. Working (at locations) with systems with enclosed flammable substances.
2. Working (at locations) where ventilation is the suitable measure for preventing the creation of explosive vapours/gases.
3. Working (at locations) in which explosive atmospheres are normally present.
4. Working (at locations) with flammable substances which can vaporize resulting in explosive vapour mixtures.

Chemical explosions from vapour/gas mixtures were modelled according to the model shown in Figure 1. The first block in the model is the ‘‘Mission split’’. This block splits the initial mission into four mutually exclusive working environments, each with the potential of one of the four types of explosion. The mission split values are {48%, 25%, 15%, and 12%} for the four explosion types respectively. The meaning of these values is twofold: either they express the percentage of time a worker spends in activities related to each explosion type (for single worker assessment) or, in a multi-worker assessment, they express the percentage of workers working exclusively in the environment related to each explosion type.

Safety barriers to prevent the four different types of vapour/gas explosion are presented in the following sections.

3.1 Prevention of uncontrolled substance release

This barrier (PSB1 in Figure 1) models explosions taking place due to uncontrolled flammable substance release and the introduction or existence of ignition sources in the same space. This barrier belongs to type 1 explosion safety barriers and has one success state and three failure states:

State 1: Success state corresponding to no explosion since substance release has been prevented (no release of flammable substance).
State 2: Failure state that models the release of flammable substance and subsequent explosion given that an ignition source will be introduced by a human activity.
State 3: Failure state that models the release of flammable substance and subsequent explosion due to an ignition source introduced by an equipment malfunction. This state models the joint event of flammable substance release and the introduction of an ignition source because of equipment malfunction (e.g. sparks, shorts).
State 4: Failure state that models the release of flammable substance and subsequent explosion due to failure to separate the released flammable vapour from
Figure 1. Logical model for vapour or gas explosions.

(normally) existing ignition sources. This state models the joint event of flammable substance release and the failure to isolate this vapour from existing ignition sources.

When this barrier is in any of the three failure states an explosion of type 1 may occur.

3.2 Prevention of explosion of flammable atmosphere in closed space

This barrier (PSB2 in Figure 1) models explosions taking place in closed spaces where flammable vapours are produced and are supposed to be removed by a ventilation system. Absence or failure of the ventilation system allows the build-up of the explosive vapour, and the explosion takes place either because of the erroneous introduction of an ignition source (by human activity or equipment malfunction) or because of failure to detect the presence of the vapour and to separate it from normally present ignition sources. This barrier prevents type 2 explosions and has six states (1 success state and 5 failure states) as follows:

State 1: Success state resulting in no explosion since no ignition sources have been introduced or separation barriers are in full function.
State 2: Explosion takes place given that flammable vapours exist and an ignition source is introduced by human activity.
State 3: Explosion takes place given that flammable vapours exist and an ignition source is introduced owing to equipment failure. This involves equipment which fails and forms an ignition source (e.g. not possible to turn it off, electrical defect, missing insulation) or which is the wrong type of equipment (use of non-explosion proof equipment).
State 4: Explosion takes place given normally present ignition sources. Flammable vapours are generated and remain undetected because no provisions or possibilities for the indication/detection of the presence of explosive mixtures have been taken.
State 5: Explosion takes place given normally present ignition sources. Indication/detection provisions are present but failed, or diagnosis/response has failed, so flammable vapours have been generated.
State 6: Explosion takes place given normally present ignition sources. Flammable vapours are introduced where the ignition sources are from other areas through the removal of barriers.

When this barrier is in any of the states 2–5 above an explosion of type 2 may occur if flammable vapours are created.

3.3 Prevention of explosion of flammable atmosphere in or near a system that normally produces such atmosphere

This barrier (PSB4 in Figure 1) models explosions where the explosive atmosphere is always present due to a badly designed process. Explosion occurs where an ignition source is introduced. No separation of the flammable atmosphere from the ignition source is possible in this case. This barrier models explosions of type 3 and has one success and two failure states:
State 1: Success state resulting in no explosion because the process is designed in a way that no explosive atmosphere is generated.
State 2: Failure state corresponding to generation of explosive atmosphere and subsequent explosion given that an ignition source will be introduced by a human activity.
State 3: Failure state corresponding to generation of explosive atmosphere and subsequent explosion due to an ignition source introduced by an equipment malfunction.

When this barrier is in any of the two failure states an explosion of type 3 may occur.

3.4 Prevention of explosion of a flammable atmosphere created by evaporation of flammable material

This barrier (PSB5 in Figure 1) models explosions at locations with flammable substances which can vaporize suddenly resulting in explosive vapour mixtures (explosion type 4). This barrier has one success and three failure states.

State 1: Success state resulting in no explosion since no explosive atmosphere is generated.
State 2: Failure state that models the generation of explosive atmosphere and a subsequent explosion given that an ignition source will be introduced by a human activity.
State 3: Failure state that models the generation of explosive atmosphere and a subsequent explosion due to an ignition source introduced by an equipment malfunction.
State 4: Failure state that models the generation of explosive atmosphere and a subsequent explosion due to failure to separate the explosive atmosphere from (normally) existing ignition sources.

When this barrier is in any of the three failure states an explosion of type 5 may occur.

atmosphere’’ barriers in state 2 (e.g. PSB6 with PSB1, PSB8 with PSB4 and PSB9 with PSB5 in Figure 1). Introduction of ignition sources due to equipment malfunction is included in the states of the safety barriers (see sections 3.1–3.4 above).

3.6 Ventilation systems

Adequate ventilation systems ensure that an explosive atmosphere will not be created in confined spaces. This support barrier has two states: ‘Exists’ and ‘Absent’. ‘Exists’ means that a ventilation system exists in the working place but an explosion still may occur because the existing ventilation system either fails or is inadequate and an explosive atmosphere has been created. ‘Absent’ means that no ventilation system exists, so an explosive atmosphere may be created.

This barrier influences the barrier ‘‘Prevention of explosion of flammable atmosphere in closed space’’ as shown in Figure 1. Existence of a ventilation system implies a lower probability of chemical explosion due to prevention failure in closed spaces than when a ventilation system is ‘absent’.

3.7 Personal protective equipment (PPE), protection other than PPE and emergency response

Personal Protective Equipment (e.g. helmets and safety glasses to protect from fragments and ear muffs to avoid drum rupture), protective barriers (such as explosion proof areas or doors) and emergency response and prompt medical attention in the workplace may mitigate the effects of an explosion. Those barriers have two states: ‘Exists’ and ‘Absent’, meaning that either the barrier exists or it does not exist (absent) or is not used in the working place. ‘‘PPE’’, ‘‘Other protection than PPE’’ and ‘‘Emergency response’’ influence all prevention barriers (see also quantification issues in section 4).
ventilation systems exist in the working environment is straightforward, since either those systems exist or not. In other instances, however, this is not possible. For example, the support barrier ‘‘Other protection than PPE’’ may be analysed into more detailed and more concrete measures that affect its quality. Such specific measures are: (i) explosion suppression systems (explosion proof areas such as control rooms or explosion resistant doors); (ii) the distance between the explosion point and the location of the worker. Similarly the barrier ‘‘Emergency response’’ may be analysed into the following measures: i) supervision or monitoring at the workplace; ii) emergency team which is always present or standby; iii) first aid and decompression facilities; iv) multiple rescue possibilities (direct access); and v) professional medical assistance. Such factors have the name of Probability Influencing Entities (PIEs). Each influencing factor (PIE) is assumed to have two possible levels, ‘‘Adequate’’ and ‘‘Inadequate’’. The quality of an influencing factor is then set equal to the frequency with which this factor is at the adequate level in the working places. Then the quality of the barrier is given by a weighted sum of the influencing factor qualities. The weights reflect the relative importance of each factor and are assessed by the analyst on the basis of expert judgement. Currently equal weights have been used. This way the probability of a barrier being in one of its possible states is given by the weighted sum of the frequencies of the influencing factors (RIVM 2008). PIEs and their values, as well as the failure probability of the barrier they influence, for the logic model of vapour/gas chemical explosions are presented in Table 1.

4 QUANTIFICATION PROCESS

In general the level of resolution of a logical model used in ORM was driven by the available data. A logic model provides a collection of event outcomes or barrier states which may lead to an accident when they coexist in particular states. These accidents have specific consequences. The general form of such a sequence is:

$$C = \{S_1, S_2, \ldots, S_n, B_1, B_2, \ldots, B_m\} \qquad (1)$$

Analysis of available accident data allowed the assessment of the number of times such accident sequences occurred during a given period of time. Surveys of the Dutch working population assessed the exposure of the workers to the specific hazards over the same period of time. Consequently it was possible to assess the probability P(C) of the various accident sequences. Surveys of the Dutch working places and of the corresponding conditions allowed the assessment of the overall probability of some individual barriers (e.g. see Table 1). If such assessment is made then

Table 1. [Table; columns: Barrier, PIE, PIE characteristics, PIE value, Barrier failure probability]
probabilities of the form $P(S_1, S_2, \ldots, B_1, \ldots, B_i, \ldots)$ can be estimated, where $(S_1, S_2, \ldots, B_1, \ldots, B_i, \ldots)$ are the barriers that can be quantified independently of the accident data. Then equation (1) can be written as:

Table 2. Risk rates per type of explosion and Overall risk decrease for each safety barrier.

Table 3. Risk rates per type of explosion and Overall risk increase for each safety barrier.

5.1 Importance analysis

To assess the relative importance of each factor influencing the risk from vapour/gas chemical explosions two importance measures have been calculated.
section 3. For this specific case the most effective measure for reducing risk is the increase in the percentage of time that PPEs are used.

This conclusion might change if a different mission split is considered or if an explosion type is considered in isolation. For explosion type 2, for example, presence of ‘‘Ventilation systems’’ in 100% of the cases decreases the risk rate by 65.5%, whereas the ‘‘PPE’’ and ‘‘Other protection’’ decrease it by 28.5% and 33.5% respectively. Thus the risk of a type 2 explosion is reduced more by the increase (from the present level) of the use of ventilation systems than by the PPE or other protective measures.

Risk importance measures can be calculated not only with respect to the probability of an explosion with reportable consequences but also with respect to a specific type of consequence, as shown in Tables 4 and 5. As can be seen from Table 4 (last column), ‘‘Ventilation Systems’’, ‘‘Personal Protective Equipment’’ and ‘‘Other protection measures’’ are practically equally important in terms of their improvement with respect to fatalities. This is due to the fact that the conditional probability of a fatal injury given a type 2 explosion is much higher than for the other types of explosions. Thus even if type 2 explosions participate only by 25% in the mission split, the increase in the presence of ventilation systems is very important for decreasing the risk of fatality.

As for the risk increase results of Table 5: in all consequence levels ‘‘Ventilation systems’’ have the greater risk increase percentages, while ‘‘Other protection than PPE’’ is second in ranking for recoverable and lethal injuries, and ‘‘Prevention of introduction of ignition sources for type 3 explosion’’ is second for permanent injuries. Third barrier in the risk increase ranking is ‘‘PPE’’ for lethal and recoverable injuries and ‘‘Other protection than PPE’’ for the permanent ones.

In this way all safety barriers can be ranked according to the effect they induce in the overall risk as well as in the risk of lethal, permanent or recoverable injuries.

6 CONCLUSIONS

A logical model has been presented for quantifying the probability of vapour/gas chemical explosions and the various types of consequences following these types of accidents. The model includes primary and support safety barriers aiming at preventing chemical explosions. For the quantification of the model the exposure rates (total time spent in an activity involving each hazard per hour) have been used, which were estimated with user (operator) surveys and real accident data coming from the reported accident database GISAI. The probability of the consequences of such accidents is presented in three levels: fatalities, permanent injury and non-permanent injury. Surveys also provided data for the working places and the corresponding conditions, allowing in this way the assessment of the overall probability of some individual barriers. The model has been used for risk reducing measures prioritization through the calculation of two risk importance measures: the risk decrease and the risk increase. The calculations were made for the overall risk and the risk in three levels of consequence severity. ‘‘Personal Protective Equipment’’ and ‘‘Ventilation Systems’’ are the barriers with the most important risk values in the overall risk ranking analysis.

REFERENCES

Ale B.J.M., Baksteen H., Bellamy L.J., Bloemhof A., Goossens L., Hale A.R., Mud M.L., Oh J.I.H., Papazoglou I.A., Post J., and Whiston J.Y., 2008. Quantifying occupational risk: The development of an occupational risk model. Safety Science, Volume 46, Issue 2: 176–185.
Aneziris O.N., Papazoglou I.A., Baksteen H., Mud M.L., Ale B.J.M., Bellamy L.J., Hale A.R., Bloemhoff A., Post J., Oh J.I.H., 2008a. Quantified risk assessment for fall from height. Safety Science, Volume 46, Issue 2: 198–220.
Aneziris O.N., Papazoglou I.A., Mud M.L., Damen M., Kuiper J., Baksteen H., Ale B.J.M., Bellamy L.J., Hale A.R., Bloemhoff A., Post J.G., Oh J.I.H., 2008b. Towards risk assessment for crane activities. Safety Science. doi:10.1016/j.ssci.2007.11.012
Baksteen H., Samwe M., Mud M., Bellamy L., Papazoglou I.A., Aneziris O., Konstandinidou M., 2008. Scenario—Bowtie modeling BT 27 explosions, WORM Metamorphosis Report.
Bellamy L.J., Ale B.J.M., Geyer T.A.W., Goossens L.H.J., Hale A.R., Oh J.I.H., Mud M.L., Bloemhoff A., Papazoglou I.A., Whiston J.Y., 2007. Storybuilder—A tool for the analysis of accident reports, Reliability Engineering and System Safety 92: 735–744.
GISAI, 2005. Geintegreerd Informatie Systeem Arbeids Inspectie: Integrated Information System of the Labor Inspection in the Netherlands.
OSHA, 2008. Bureau of Labor Statistics, http://data.bls.gov/GQT/servlet/InitialPage.
Papazoglou I.A., Ale B.J.M., 2007. A logical model for quantification of occupational risk, Reliability Engineering & System Safety 92 (6): 785–803.
Papazoglou I.A., Bellamy L.J., Leidelmeijer K.C.M., Damen M., Bloemhoff A., Kuiper J., Ale B.J.M., Oh J.I.H., ‘‘Quantification of Occupational Risk from Accidents’’, submitted in PSAM 9.
RIVM, 2008. WORM Metamorphosis Consortium. The Quantification of Occupational Risk. The development of a risk assessment model and software. RIVM Report 620801001/2007, The Hague.
O. Doudakmani
Center for Prevention of Occupational Risk, Hellenic Ministry of Employment and Social Affairs, Thessaloniki, Greece
ABSTRACT: This paper presents the quantification of occupational risk in an aluminium plant producing
profiles, located in Northern Greece. Risk assessment is based on the Workgroup Occupational Risk Model
(WORM) project, developed in the Netherlands. This model can assess occupational risk at hazard level, activity
level, job level and overall company risk. Twenty six job positions have been identified for this plant, such as
operators of press extruders, forklift operators, crane operators, painters, and various other workers across the
process units. All risk profiles of workers have been quantified and jobs have been ranked according to their
risk. Occupational risk has also been assessed for all plant units and the overall company.
2 OCCUPATIONAL RISK
The third level of the tree describes for each position-type the activities required to perform the corresponding job along with the respective frequencies. This means that a particular job is described in terms of a number of activities, each one of which is performed a specific number of times over a given period. Thus the nth job position is characterized by $M_n$ activities $A(n,1), \ldots, A(n,m), \ldots, A(n,M_n)$, each performed with annual frequency $f(n,m)$.

Finally, performance of a specific activity is associated with a number of single hazards (out of the sixty three single hazards) and a corresponding duration of exposure to each and every hazard. Thus activity $A(n,m)$ is associated with hazards $h(n,m,1), h(n,m,2), \ldots, h(n,m,K_{nm})$. Risk is calculated as a combination of the contributions of Jobs, activities and Bowties.

2.1 Calculation at the hazard level

WORM has assessed the risk per hour of exposure for 63 hazards on the basis of the characteristics of the average Dutch worker. These characteristics express the working conditions and are quantified as the percentage of the time that the worker is working under specified levels or types of those conditions. Case-specific analyses can be made by adjusting these characteristics to the specific conditions. These calculations provide the risk as the probability of one of three possible consequences (recoverable injuries, permanent injuries, and fatalities) for the duration of the exposure, as presented by Papazoglou et al. (2009) and Ale et al. (2008).

2.2 Calculation at activity level

Next the risk at the activity level is calculated. A general assumption is that if during one of the actions an accident occurs resulting in a consequence (recoverable injury, permanent injury or death) the Activity is interrupted and the overall consequence of the activity is the same. That is, no more exposure to the same or additional hazards is possible.

Let
$n = 1, 2, \ldots, N_m$ be an index over all the dangers of the mth activity;
$p_{1,k}$: Probability of No Consequence in the kth hazard;
$p_{2,k}$: Probability of recoverable injury in the kth hazard;
$p_{3,k}$: Probability of permanent injury in the kth hazard;
$p_{4,k}$: Probability of death in the kth hazard;
$P_{1,m}$: Probability of No Consequence for activity m;
$P_{2,m}$: Probability of recoverable injury for activity m;
$P_{3,m}$: Probability of permanent injury for activity m;
$P_{4,m}$: Probability of death for activity m.

Then

$$P_{1,m} = \prod_{n=1}^{N_m} p_{1,n}$$

$$P_{2,m} = \sum_{n=1}^{N_m} p_{2,n} \prod_{r=1}^{n-1} p_{1,r}$$

$$P_{3,m} = \sum_{n=1}^{N_m} p_{3,n} \prod_{r=1}^{n-1} p_{1,r}$$

$$P_{4,m} = \sum_{n=1}^{N_m} p_{4,n} \prod_{r=1}^{n-1} p_{1,r} \qquad (1)$$

where it has been assumed that any consequence (recoverable injury, permanent injury, death) happening in the kth hazard interrupts the activity, and hence successful completion of the Activity requires successful (no consequences) completion of the preceding (k−1) dangers. Any other consequence interrupts the stream of dangers and the activity results in this consequence.

2.3 Calculation at the job level

A worker job in a given period of time undertakes a number of activities, where each activity consists of a number of dangers (Bowties). There are M activities $A_m$, $m = 1, 2, 3, \ldots, M$. Each activity consists of $N_m$ dangers $d_n$, $n = 1, 2, \ldots, N_m$. Each activity is repeated $f_m$ times a year, $m = 1, 2, \ldots, M$ (frequencies). Then the risk for the period of interest (year) is calculated as follows:

For each activity (m) we calculate the risk per activity as in section 2.2.
Assumption: recoverable injury, permanent injury and fatality interrupt the activity and no additional exposure is possible.

For each activity (m), given the annual frequency $f_m$, we calculate the annual risk per activity.
Assumption: a recoverable injury during the fth undertaking of the activity does not preclude undertaking the same activity again for the (f+1)th up to the $f_m$th time.

$$aP_{1,m} = (P_{1,m})^{f_m}$$

$$aP_{2,m} = 1 - aP_{1,m} - aP_{3,m} - aP_{4,m}$$

$$aP_{3,m} = P_{3,m}\,\frac{1 - (1 - P_{3,m} - P_{4,m})^{f_m}}{P_{3,m} + P_{4,m}}$$

$$aP_{4,m} = P_{4,m}\,\frac{1 - (1 - P_{3,m} - P_{4,m})^{f_m}}{P_{3,m} + P_{4,m}} \qquad (2)$$
788
where aP1,m, aP2,m, aP3,m, aP4,m are the annual probabilities of no consequence, recoverable injury, permanent injury and death of activity m.
For the M activities we calculate the total annual risk as follows:

$$R_1 = \prod_{m=1}^{M} aP_{1,m}$$

$$R_2 = 1 - R_1 - R_3 - R_4$$

$$R_3 = \sum_{m=1}^{M} aP_{3,m} \prod_{r=1}^{m-1} \left(aP_{1,r} + aP_{2,r}\right)$$

$$R_4 = \sum_{m=1}^{M} aP_{4,m} \prod_{r=1}^{m-1} \left(aP_{1,r} + aP_{2,r}\right) \qquad (3)$$

where R1, R2, R3, R4 are the total annual probabilities of no consequence, recoverable injury, permanent injury and death.
Again the assumption is made that recoverable injury during activity (m) does not preclude undertaking of the remaining activities during the year.

2.4 Overall risk

Given a company with N jobs and Tn workers performing the nth job, the overall risk is approximated by the expected number of workers to suffer each of the three consequences.

$$R_{2,o} = \sum_{n=1}^{N} R_{2,n} T_n$$

$$R_{3,o} = \sum_{n=1}^{N} R_{3,n} T_n$$

$$R_{4,o} = \sum_{n=1}^{N} R_{4,n} T_n \qquad (4)$$

where R2,o, R3,o, R4,o are the overall risk of recoverable injury, permanent injury and death, and Ri,n is the annual probability Ri of equation (3) for the nth job.

3 PLANT DESCRIPTION

The aluminium plant produces profiles for various applications in industry and building construction. The heart of this industry is the extrusion press section, where raw material arriving in the form of billets is transformed into aluminium profiles. Next they are transferred to the surface treatment section, so as to acquire the required aesthetic and anti-corrosion properties. Four additional sections are required to support profile production, which are the die section, storage, packaging and mechanical support. Therefore the plant consists of six major units, which are the following: extrusion, surface treatment, die, storage, packaging and mechanical.

a) Extrusion unit: Aluminium billets are the starting stock for the extrusion process. They are introduced into furnaces and heated up to 450 °C, cut at the required length and inserted in a press, where extrusion takes place. Pressure is exerted on the billet, which is crushed against a die. The newly formed extrusion is supported on a conveyor as it leaves the press. Depending on the alloy, the extrusion is cooled after emerging from the die, so as to obtain sufficient metallurgical properties. The profile is then stretched, since it is placed in a traction to obtain the exact geometrical shape. It is then conveyed to a saw, where it is cut in order to obtain the required commercial length, and transported with cranes to the ageing treatment. This is performed in furnaces where aluminium profiles are heated at 185 °C for 6-7 hours. Figure 2 presents the block diagram of the plant.

[Figure 2 residue (block diagram): nodes BILLET STORAGE, FURNACE 450, BILLET CUT-, DIES, EXTRUDING, STRETCHING, PROFILE, AGEING FURNACE, SURFACE TREATMENT, ANODIZING, PAINTING, PACKAGING, TOOLS, PROFILE STORAGE]
Figure 2. Plant block diagram.

b) Surface treatment consists of the cleaning, anodizing and coating sections. In the cleaning section
profiles are immersed in a bath of NaOH where they are cleaned from oils and treated for painting. In anodizing the metal is covered with a layer of protective oxide, which adds anti-corrosion properties, by an electrolytic process. Aluminium profiles are transported to the painting unit where they are hung either horizontally or vertically and painted. Painting with powder in either horizontal or vertical units provides a good aesthetic result of the final product.
c) Die section: In this section dies, which are required in the extrusion press unit for the production of profiles, are treated either mechanically or chemically, in order to remove traces of metal which have remained on them. Clean and well maintained dies influence the quality of the final product.
d) Packaging unit: after surface treatment the profiles are moved into other areas where they are packed and prepared for transportation to customers. The plant is equipped with an automatic packaging unit and profiles are palletized so as to be protected from surface damage and twisting.
e) Storage areas for aluminium billets and profiles. Aluminium billets, which are the starting material of the plant, are stored in an area close to the extrusion process and transported by forklifts. Packed aluminium profiles are transported either by forklifts or by cranes to the storage area.
f) The machinery section consists of various operations supporting the production of profiles.

4 COMPANY POSITIONS

This plant has seventy seven workers distributed along the six units described in the previous section. There are twenty six different types of jobs, such as operator of press extruder, forklift operator, painter etc., which are described in this section, along with the associated activities and hazards.

4.1 Extrusion

There are four job positions in this unit: extruder press operator, extruder worker, stretching and cutting operators.
a) Press extruder operator: He is responsible for the cut of the billets to the required length, their loading and unloading on the press extruder, the operation of the press and completing the required documents. Therefore his job is decomposed into four activities (cut of the billets, loading/unloading billets on press, press operation and completing documents), as presented in Figure 3 and Table 1. While cutting billets, which occurs every day for two hours, he is exposed to the following hazards: fall on same level (for 2 hours), contact with falling object from crane (for 0.2 hours), contact with hanging or swinging objects (for 0.2 hours), contact with moving parts of machine (for 0.5 hours), trapped between objects (for 0.6 hours) and contact with hot surface (for 2 hours). Figure 2 presents the decomposition of this job into activities and their associated hazards, while Table 1 also presents the frequency and duration of the activities and the exposure to hazards. Similar tables are provided for all jobs described in this section and presented by Doudakmani (2007). There are 6 press extruder operators in this plant working on an eight hour shift basis.
b) Extruder worker: His activities are to heat the dies, install them in the press extruder, and transport them either by crane or by trolley to the die section. He is exposed to the same hazards as the extruder press operator, but with different durations. There are 6 extruder workers working on an eight hour shift basis.
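The calculation chain of sections 2.2–2.4, applied to the press extruder operator's billet-cutting activity described above, as an added example that is not code from the paper or from the WORM project. The exposure durations per hazard are the paper's; the per-hour consequence rates, the linear scaling of those rates with exposure time, the 230 working days per year (the paper only says "every day") and the treatment of the job as this single activity are assumptions of this example, and the recoverable-injury sum P2,m is formed on the same pattern as P3,m and P4,m in equation (1).

```python
# Added worked example (not from the paper or the WORM project): the
# activity -> annual -> job -> company aggregation of sections 2.2-2.4.
from math import prod

# Hazards met while cutting billets, with the durations given in the paper
# (hours per undertaking). The three per-hour consequence rates
# (recoverable injury, permanent injury, death) are CONSTRUCTED placeholders,
# not WORM values.
CUTTING_BILLETS = [
    # name,                                       hours, rec/h,  perm/h, death/h
    ("fall on same level",                        2.0,   2.0e-6, 2.0e-7, 2.0e-8),
    ("contact with falling object from crane",    0.2,   5.0e-6, 1.0e-6, 5.0e-7),
    ("contact with hanging or swinging objects",  0.2,   4.0e-6, 5.0e-7, 1.0e-7),
    ("contact with moving parts of machine",      0.5,   3.0e-6, 8.0e-7, 1.0e-7),
    ("trapped between objects",                   0.6,   3.0e-6, 6.0e-7, 2.0e-7),
    ("contact with hot surface",                  2.0,   1.0e-6, 1.0e-7, 1.0e-9),
]


def hazard_probs(hours, rec_rate, perm_rate, death_rate):
    """Hazard level (section 2.1): (p1,k, p2,k, p3,k, p4,k) for one exposure
    of `hours`. Scaling the hourly rates linearly with duration is an
    assumption of this example (WORM derives the hourly risk itself)."""
    p2, p3, p4 = rec_rate * hours, perm_rate * hours, death_rate * hours
    return (1.0 - p2 - p3 - p4, p2, p3, p4)


def activity_probs(hazards):
    """Equation (1), activity level. `hazards` lists (p1,k, p2,k, p3,k, p4,k)
    in the order the hazards are met. Any consequence in hazard k interrupts
    the activity, so hazard k is reached only after no consequence in 1..k-1;
    the no-consequence probability P1,m is the product of all p1,k."""
    P2 = P3 = P4 = 0.0
    reach = 1.0                      # product of p1,r over r < k
    for p1, p2, p3, p4 in hazards:
        P2 += p2 * reach
        P3 += p3 * reach
        P4 += p4 * reach
        reach *= p1
    return (reach, P2, P3, P4)       # reach is now the product over all hazards


def annual_activity_probs(P, f):
    """Equation (2): annual probabilities of an activity repeated f times a
    year. A recoverable injury does not prevent the next repetition; a
    permanent injury or death ends further undertakings."""
    P1, P2, P3, P4 = P
    aP1 = P1 ** f
    severe = P3 + P4
    if severe == 0.0:                # avoid 0/0 for an activity that cannot injure severely
        aP3 = aP4 = 0.0
    else:
        stop = 1.0 - (1.0 - severe) ** f   # some repetition ends with a severe outcome
        aP3 = P3 * stop / severe
        aP4 = P4 * stop / severe
    aP2 = 1.0 - aP1 - aP3 - aP4
    return (aP1, aP2, aP3, aP4)


def job_risk(annual):
    """Equation (3): combine the (aP1,m..aP4,m) of a job's M activities.
    Recoverable injury in activity m does not preclude the remaining
    activities, so activity m is weighted by prod_{r<m}(aP1,r + aP2,r)."""
    R1 = prod(a[0] for a in annual)
    R3 = R4 = 0.0
    reach = 1.0
    for a1, a2, a3, a4 in annual:
        R3 += a3 * reach
        R4 += a4 * reach
        reach *= (a1 + a2)
    R2 = 1.0 - R1 - R3 - R4
    return (R1, R2, R3, R4)


def overall_risk(jobs):
    """Equation (4): expected number of workers suffering recoverable injury,
    permanent injury and death. `jobs` holds ((R1, R2, R3, R4), T_n) per job."""
    return tuple(sum(R[i] * T for R, T in jobs) for i in (1, 2, 3))


def press_extruder_operator(working_days=230):
    """Job built from the constructed hazard data as a single activity done
    once per working day, so f_m = working_days (assumption)."""
    hazards = [hazard_probs(h, r, p, d) for _, h, r, p, d in CUTTING_BILLETS]
    aP = annual_activity_probs(activity_probs(hazards), working_days)
    return job_risk([aP])


if __name__ == "__main__":
    R = press_extruder_operator()
    print("annual probabilities (none, recoverable, permanent, death):", R)
    # the paper counts six press extruder operators in this unit
    print("expected operators affected per year:", overall_risk([(R, 6)]))
```

Running the block prints the annual probabilities for one operator and the expected number of the unit's six operators affected per year; substituting WORM's hazard-level values and the remaining three activities of Table 1 would reproduce the paper's per-job figures, and feeding all jobs with their head counts into overall_risk gives the unit and company totals of section 5.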
Table 1. Activities and associated hazards of press extruder operator.

c) Stretching operator: He checks the profiles arriving at the stretching press, is responsible for the press operation and the transportation of the profiles to the cutting machines. He is exposed to the same hazards as the extruder press operator but with different duration. There are 6 stretching operators working on an eight hour shift basis.
d) Cutting operator: He operates the saw and cuts the profiles to the required length. He manually moves the cut profiles and arranges them on special cases, which are transported by crane to the ageing furnace. He is exposed to the following hazards: fall on same level, contact with falling object from crane, contact with hanging or swinging objects, contact with moving parts of machine, trapped between objects, contact with falling object during manual operation. There are 6 cutting operators working on an eight hour shift basis.

4.2 Surface treatment

There are seven different job positions in this unit: worker at the entrance (or exit) of the anodizing unit, crane operator, worker at anodizing unit, workers at the horizontal or vertical painting units, painter, cleaner and forklift operator.
a) Worker at anodizing unit. His activity is to transport profiles by trolleys to this unit. He is exposed to the following hazards: fall on the same level, hit by falling object, trapped between objects, contact with hot surface and move into object.
b) Worker at the entrance (or exit) of the anodizing unit. The worker at the entrance carries profiles from trolleys and ties them on vertical poles, where they will be anodized. At the exit of this unit, when anodizing has been performed, profiles are stored on pallets. He is exposed to the following hazards: hit by falling object, trapped between objects and move into object. There are 4 workers with the same job description in this unit.
c) Crane operator. He operates the crane that transports profiles to the anodizing baths. He is exposed to the following hazards: fall on the same level, hit by falling object, trapped between objects and contact with chemicals.
d) Forklift operator. His job is to transport profiles from the anodizing to the painting section. He is exposed to the following hazards: hit by falling object, hit by rolling object and struck by moving vehicle.
e) Workers at the horizontal (or vertical) painting unit. The worker's activity is to hang alloys on the painting unit. He is exposed to the following hazards: fall on the same level, fall from height, falling object, flying object, trapped between objects, move into object and contact with hot surface. There are 5 workers with the same job description in this unit.
f) Painter. He either paints the profiles himself, or prepares the painting powder and operates the automatic machine. He is exposed to the following hazards: fall on the same level, falling object from crane, trapped between objects, move into object and contact with chemicals.
g) Cleaner. His main activity is to clean the painting unit. He is exposed to the following hazards: fall on the same level, hit by falling object, trapped between objects, move into object and contact with chemicals.

4.3 Die section

There are five job positions in this section, where dies are treated either chemically or mechanically. These are the following: operators installing, sandblasting, cleaning chemically and hardening dies and also operators using machine tools.
a) Operator installing dies on the press extruder. His main activity is to install the dies on the press extruder, but he also transports them by a crane or by trolley. He is exposed to the following hazards: fall on same level, hit by falling object from crane, contact by hanging or swinging objects, contact with falling object manually transported and trapped between objects.
b) Operator sandblasting dies. Apart from his main activity, which is die sandblasting, he is involved in material handling. He is exposed to the following hazards: fall on same level, contact with falling object, contact with hanging or swinging objects, trapped between objects, contact with moving parts of machine and contact with flying objects.
c) Operator cleaning dies chemically. Apart from his main activity, which is cleaning dies, he is involved in material handling. He is exposed to the following hazards: fall on same level, contact with falling object, contact with hanging or swinging objects, trapped between objects and contact with chemicals.
d) Operator hardening dies. Apart from his main activity, which is hardening dies, he is involved in material handling. He is exposed to the same hazards as the operator who cleans dies.
e) Worker using machine tools. His activities are to use tools and to handle materials. He is exposed to the same hazards as the operator sandblasting the dies.

4.4 Packaging

There are three job positions for packaging profiles, which are the operator of the automatic packaging machine, a worker manually packaging and a helper.
a) Operator of packaging machine: His activities are transporting profiles by trolleys, feeding the packaging machine and operating it. He is exposed to the following hazards: hit by falling objects, contact with moving parts, trapped between objects, move into an object, contact with handheld tool and struck by moving vehicle. There are 2 operators with the same job description in this unit.
b) A worker manually packages alloys and transports them by trolleys. He is exposed to the following hazards: hit by falling objects, trapped between objects, move into an object, contact with handheld tool and struck by moving vehicle. There are 2 workers with the same job description in this unit.
c) A helper cuts with a saw and packages manually. He is exposed to the same hazards as the operator of the packaging machine. There are 2 workers with the same job description in this unit.

4.5 Storage areas

There are three job positions in the storage area, which are: forklift operators transporting alloys and profiles and a worker.
a) Forklift operator transporting alloys: his activities are unloading alloys from trucks, arranging them in the storage area, transporting them to the process area and emptying bins with aluminium scrap. The hazards to which the operator is exposed are: hit by falling object, hit by rolling object, fall from height and struck by moving vehicle. There are 2 forklift operators with the same job description in this unit.
b) Forklift operator transporting profiles: his activities are transporting profiles, loading and unloading trucks, piling profiles and transporting bins of scrap. The hazards to which the operator is exposed are hit by falling object, fall from height and struck by moving vehicle. There are 6 forklift operators with the same job description in this unit.
c) Worker of storage area: his activities are crane operation, arrangement, transportation and labeling of profiles and also checking documents. The hazards to which the operator is exposed are hit by falling object from crane, hit by hanging or swinging object, fall from height, fall on the same level, move on object, trapped between objects and struck by moving vehicle. There are 10 workers with the same job description in this unit.

4.6 Machinery section

This section consists of a press operator, an operator of machine tools, an insulation fitter and a carpenter.
a) Press operator: his activities are press operation and material handling. The hazards he is exposed to are hit by falling object, move on object, trapped between objects and contact with moving parts of machine.
b) Operator of machine tools: his activities are operation of machine tools and material handling. The hazards he is exposed to are hit by falling object, hit by flying object, move on object, trapped between objects and contact with moving parts of machine.
c) Insulation fitter: his activities are fitting insulation and material handling. The hazards to which he is exposed are the same as the press operator, but with different duration of exposure.
d) Carpenter: his activities are operation with saws and tools for cutting and also packaging. The hazards to which he is exposed are hit by falling object, trapped between objects, contact with moving parts of machine and contact with handheld tools.

5 RESULTS AND CONCLUSIONS

Occupational risk has been calculated for all job positions of the plant and is presented in Figures 4 and 5 and Table 2. Figure 4 presents the annual risk of death and Figure 5 the annual risk of permanent and recoverable injury for all job positions in this plant. The operator at the entrance of the painting unit has the highest probability of death (3.25 × 10−5 /yr) followed
in the storage area (1.92 × 10−4 /yr) and the worker manual handling, at the painting unit (1.85 × 10−4 /yr). The helper at the packaging unit has the highest probability of permanent injury (2.22 × 10−4 /yr) followed by the operator at the entrance of the painting unit (2.03 × 10−4 /yr) and the worker performing sandblasting of the dies (1.85 × 10−4 /yr). The operators at the entrance of the painting unit and the worker in the storage area are the most dangerous jobs owing to the high probability of death and recoverable injury, while the helper at the packaging unit is also regarded as a dangerous job, owing to the high probability of permanent injury. The high fatality risk of workers at the entrance of the painting unit, at the storage area and the worker performing sandblasting of the dies can be further analyzed in order to obtain the most serious hazards these workers are exposed to. Figure 6 presents these results and it appears that all three workers are exposed to a high hazard of contact with falling objects from cranes.
Risk has also been calculated for the six units of the plant. This quantification is performed as described in section 2.4 for each unit. The storage area has the highest expected number of deaths (2.8 × 10−4 /year) and recoverable injuries (2.76 × 10−3 /year), followed by the surface treatment (2.54 × 10−4 /year and 1.97 × 10−3 /year respectively). The extruder area has the highest expected number of permanent injuries (2.4 × 10−3 /year), followed by the surface treatment (1.76 × 10−3). It should be noted that the extruder unit, the storage and surface treatment areas have most of the workers in the plant, which are 24, 18 and 14 respectively.
The overall annual company risk is equal to 8.44 × 10−4 /year for fatality risk, 8.66 × 10−3 /year

[Figure 4 residue: bar chart of annual fatality probability per job position; y-axis ticks 1,00E-06 to 3,10E-05; job positions: manual handling painting, operator entrance painting unit, insulation fitter, die installation, crane operator-anodizing, extruder worker, helper packaging, cutting operator, stretching operator, extruder operator, cleaner, forklift operator-profiles, worker packaging, worker in storage, die chemical, carpenter, operator of press for tools]
Figure 4. Probability of fatality of worker in the plant (/year).

[Figure 5 residue: bar chart of annual permanent and recoverable injury probability per job position; y-axis ticks 1,00E-04 to 2,50E-04; job positions: insulation fitter, die installation, crane operator-anodizing, extruder worker, die hardening, helper packaging, extruder operator, cutting operator, stretching operator, cleaner, forklift operator-profiles, worker in storage, worker packaging, die chemical, carpenter, operator of press for tools]
Table 2. Occupational risk of the aluminium plant (/year).

[Figure 6 residue: per-hazard risk of the three workers discussed in section 5 (worker in storage, operator entrance painting unit, die sandblasting); left panel Death, y-axis 0,00E+00 to 3,50E-05; right panel Permanent Injury and Recoverable Injury, y-axis 0,00E+00 to 3,00E-03; legible hazard labels: Fall from height, Struck by moving vehicle]
[Figure residue: bar chart, y-axis 0,00E+00 to 3,50E-01; category labels illegible]

occupational risk in the plant and therefore the most dangerous job and units can be identified.

REFERENCES

I.A., Post J., and Whiston J.Y., 2008. Quantifying occu-
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
K. Kangur
King’s College London, Department of Geography, London, UK
Estonian University for Life Sciences, Tartu, Estonia
ABSTRACT: The objective of the research presented in this paper is to improve understanding of risk regulation
regimes in new European Union member states. In order to do so, the research focuses on drinking water safety
regulation in Estonia. This paper tests the importance of rules, cultures, capacities and design of regulatory
bureaucracies in determining the processes and outcomes of a risk regulation regime. The effect of fragmented
nature of the regime, deep-rooted dominating pressures, institutional capacities, and regulatory actors present
in Estonian drinking water regulation are discussed in this paper.
utilities were transformed into public limited companies. Public water supply companies serving larger settlements belong to the Association of Water Works. Some smaller municipalities have joined in a municipal syndicate in order to be able to cope with the expensive development of the water supply systems.
This article tries to find explanations for the current functioning of the drinking water safety regulation. The risk regulation regime approach will be applied in order to address the mechanics and dynamics as well as the outcomes of the regulation.

2 RISK REGULATION REGIME APPROACH

The risk regulation regime (RRR) framework looks at the governance of risk as a holistic system to analyse why and in which stages new regulation might fail (Hood et al., 2004). The RRR perspective encompasses the complexity of institutional geography, rules, practices and animating ideas related to regulation of a particular hazard.
The RRR approach ambitiously brings out the systematic interaction of the regime components of information-gathering, standard-setting, and behaviour modification. The nature of the risk, the lay and expert understandings of the risk and its salience, but also interest groups' reactions to the division of costs and benefits of risk regulation may influence its functioning as forces from the context of regulation (Fig. 1).
Risk regulation as a whole is under-explored in new member states of the European Union, let alone any comparative perspectives in the Baltic States region. The next section draws on some of the theoretical knowledge that is available on the Europeanisation processes and the functioning of risk bureaucracies in new EU accession states.

2.1 Functionality of the risk bureaucracy

The functioning of the core of government is crucial in order to be able to organise measures for mitigating environmental health risks. The dynamics of adopting EU regulation into the Estonian national legal system will be analysed. Looking at the information-gathering component of regulation should show the systems in place for identifying where the weaknesses might lie in putting the regulations to work. The transfer of rules into institutions and practices of rule-enforcement needs to be observed as a crucial step of risk regulation. The influence of regulatory design, bureaucratic cultures, and the availability of knowledge, finances and administrative capacities will be assessed as possible determinants of the functioning of risk bureaucracy (Fig. 2).

2.1.1 The nature of rules

Safety rules apply in order to protect the public from environmental health hazards. The rules for regulation have to balance the regulatory intervention by the state (the degree of regulatory bureaucracy) and market forces, but also set the threshold of risk tolerance. The feasibility analysis behind the rules determines their workability. The basis of many EU environmental health directives stems from the time before the 1990s. At that time, attention was focused on policy formulation, with little regard to the issues of integration and implementation outcomes (Weale et al., 2000). Little consideration of the national context when adopting the rules in state regulation may hinder proper implementation of safety requirements.

[Figures 1 and 2 residue: box labels Organised pressure groups, Public salience, Bureaucratic cultures, Nature of rules, RISK REGULATION BUREAUCRACY, Standard-setting, Behaviour-modification, Information gathering, Functionality of Risk Bureaucracy, Knowledge controversies, Capacities, Regulatory design]
Figure 1. External pressures of risk bureaucracy.
Figure 2. Internal drivers of risk bureaucracy.
2.1.2 Bureaucratic cultures

Regulatory cultures, operating conventions, attitudes of those involved in regulation, and the formal and informal processes influence the functioning of risk bureaucracies. The negotiations associated with the EU accession demonstrated that in the accession states a general political passivity did not encourage major discussions about the suitability of EU regulations in accession states (Kramer 2004; Pavlinek and Pickles 2004). In contrast, the national political elites were proactive in shifting their loyalties, expectations and political activities toward a new pan-European centre (Raik 2004).
It is argued that whereas long-established, more populous EU member states are unlikely to rely so heavily on compliance for their legitimacy, standing and reputation, EU newcomers would naturally make greater efforts to implement faithfully any environmental directives and thus prove their credentials as cooperative, reliable and committed member states (Perkins and Neumayer 2007). By publicising and exchanging information about different practices and reports on progress of enforcing the EU laws, it is hoped that reputation, mutual learning and competition mechanisms are being set in motion among member states (Heritier 2001).
One of the big changes in procedural norms of regulation is the post-soviet countries' shift from command-and-control regulation to more discursive, non-hierarchical modes of guidance (Swyngedouw 2002; Skjaerseth and Wettestad 2006). An analysis of Central and Eastern European (CEE) environmental policies after 1989, however, reveals strong influences of state socialist legacies in determining the content and practices of regulatory reform (Pavlinek and Pickles 2004).

2.1.3 Regulatory architecture

The regulatory structure entails the ways in which institutional arrangements are adopted for comprehensive and robust regulation. Rather than the nation-state setting its own regulatory agenda as before, in more recent times regulatory decision-making has shifted either upwards to the European Commission and Council (or beyond) or alternatively downwards to the regional or local level (Swyngedouw 2002; Löfstedt and Anderson 2003). The extensive complexity, rivalries and overlaps of competencies thus introduced may inhibit proper scrutiny of regulatory implementation (Hood 1986), and enforcing regulations can become rigid and non-reflexive (Baldwin and Cave 1999).

2.1.4 Regulatory capacity

Despite massive EU financial support and the long duration of transitional periods, meeting the EU requirements is hindered by the inherent inefficiencies in both local and regional administrations of accession countries (Weale et al., 2000; Homeyer 2004; Kramer 2004). The bureaucratic overload and the rush for adoption of EU policies has been described as one of the main reasons for insufficient policy analysis and the poor quality of legislation in Estonia (Raik 2004).
Due to the disproportionate development of different scientific agendas in the past (Massa and Tynkkynen 2001), environmental health impact assessments are often lacking or incomplete in Eastern Europe. Inadequate scientific capacities on the national level encourage regulators in smaller countries to copy the research and policy innovations of larger countries (Hoberg 1999).
The above sections demonstrate the importance of regulatory design, embedded cultures and capacities in determining the functioning of regulation in EU accession countries. The next section will look at how the importance of these determinants was assessed in the case of Estonia.

3 ESTONIAN EXPERIENCES WITH ADOPTING THE EU DRINKING WATER SAFETY REGULATION

For information gathering on drinking water safety regulation in Estonia, the study involved an interaction between documentary study and a snowballing programme of interviews to locate relevant documentary material and elicit attitudes and practice not contained in documents. Much of the information required was found in documents detailing doctrine and practice of regulators, legal and statutory materials from the Estonian re-independence time, EU directives and scientific literature. The open-textured analysis of these materials was followed by identifying and filling in the gaps through a semi-structured interview programme with 22 Estonian key actors from the regulatory components' key institutions (ministerial level, regional and local administrations and inspectorates) and representatives of dominant actors in the context of regulation (scientific experts, water suppliers and organised interest groups). The fieldwork conducted from June 2007 to March 2008 revealed complex insights into the motivations, objectives and expectations of different governance actors with regard to drinking water safety and its new regulations.

3.1 Bureaucracies and the standard-setting component of drinking water regulation

The Estonian Ministry of Social Affairs Order on drinking water (2001) applies to all the water supplies providing drinking water for communities larger than 50 people. In the process of adopting the DWD for Estonian regulation, national provisions and even stricter
safety requirements could have been added to make the regulation more protective of the Estonian public. A derogation period until 2010 was set for smaller operators (serving up to 5000 people) to meet the drinking water quality requirements, to allow for renovation of water purification and supply systems.
A group consisting of scientists, representatives of the larger water companies and Ministry of Social Affairs officials was formed as an expert group, in order to draft the drinking water quality laws. Neither consumer protection groups nor representatives of the municipalities were present at the regulation drafting round-table. The scientists advocated the inclusion of more restrictions on hazardous substances (e.g., barium) and the setting of minimum values for water hardness. Water suppliers argued for more risk-based monitoring schemes. After the group negotiations, the Ministry of Social Affairs made the decision simply to adopt the DWD, with no modifications. Three main factors can be considered as influential for why no Estonian national modifications were considered.
Firstly, the DWD adoption negotiations in Estonia were rushed because of the fast pace of EU accession. There was a situation in 2000-2004 where EU accession countries such as Estonia, Latvia, Lithuania, Slovakia, Slovenia, Malta and Cyprus were competing with each other for faster integration into the EU regulatory system. Thus, there was little time for consideration of any alternative policies to the established EU requirements. As a result, the need for inclusion of additional safety parameters or the applicability of the EU directive's requirements was not analysed.
Secondly, as the Estonian bureaucratic system has a long tradition of elite-centred decision-making, its bureaucrats have had little experience in carrying out consultations with other relevant parties in the decision-making process. Skills for interacting with outside expertise and knowledge about how to make use of the information gathered from parties that were present in the national regulation design were missing. This did not allow for proper addressing of local expertise regarding the drinking water issues. A motive for not acknowledging national drinking water related
rural population not being under surveillance simply because there might have not been enough pressure from the lower levels of the regulatory regime (municipalities, local inspectors) to explain the need for changing the rules. An understanding of the problems on the ground could easily become obfuscated within the hierarchical regulatory structure. This was especially the case during the accession period, when the regulatory cadres were changing rapidly.

3.2 Bureaucracies and information gathering on the change of states in drinking water safety

Having adopted the new regulations, there was a need to obtain information about the change of states in drinking water safety. Regular monitoring of drinking water quality by operator companies should follow the Health Inspectorate's prescriptions. The frequency of how often water suppliers are obliged to take full tests (covering 42 quality requirements) and the minimal number of tests (18 quality parameters) depends on the size of the company's clientele. All economic water suppliers (providing water from 100 to over 100 000 people) are expected to test four times a year for a minimum monitoring program. Companies providing water to less than 10 000 people only have to take one full test per year. Companies serving 10,000 to 100,000 people take full tests three times a year and operators with over 100,000 clients as often as over 10 times a year. After every five years, the European Commission checks on the monitoring results of especially the larger water companies (serving more than 5000 people).
In reality, neither the operators nor the Health Inspectorates test water as often as expected, as the representative of the Inspectorate commented in interview. Tests conducted by smaller companies are sporadic, and there are very few records on the drinking water quality provided through private wells. This means that in addition to the uncontrolled drinking water sources from private wells (23% of population), the water delivered by smaller operators (providing for 13% of population) is also not under systematic surveillance for any potential health risks.
studies may stem from the bureaucrats’ educational There are regional differences in water quality. At
background, as the interviewed scientists claimed. The the time of adoption, the representatives of water
general neglect of education on environmental health companies and the scientists pressured for more site-
issues has contributed to bureaucrats’ low awareness specific risk-based monitoring requirements. Con-
about the drinking water issues in Estonia. Thus, the centrating more frequent testing on those hazardous
Ministry officials might not have been capable of substances found in the area and carrying out fewer
appreciating the scientific contributions to drinking testing of the other substances could have allevi-
water regulation design. ated monitoring pressure on water companies. The
The third aspect that may have driven the policy- rationale for site-specific monitoring programme was
makers to neglect any national modifications was the not considered in designing monitoring guidelines,
poor extent of communication with other levels of though.
regulatory regime. The Ministry of Social Affairs There are some reasons that might explain why the
may have overlooked issues such as 23% of mostly Inspectorates check smaller companies less frequently.
Firstly, there is insufficient financial and personnel capacity for controlling the large number of water suppliers. The representative of the Health Inspectorate recently interviewed stressed that the inspectors are under a heavy workload and the finances to conduct full analyses are scarce.

Secondly, the Inspectorate may not be completely aware of, or may simply not give full consideration to, the risks that non-surveillance may pose to the people obtaining uncontrolled drinking water from smaller operators. The European Commission demands information only about the larger water companies from the Estonian Health Inspectorate. Therefore, inspectors have no incentives for pushing for wider control.

3.3 The functioning of behaviour-modification according to the drinking water regulations

The records on behaviour modification according to the drinking water regulations show that larger companies are now using modern purification techniques and are for the most part following the set quality requirements (Sadikova 2005). The scientific studies and the Inspectorate’s data that are available on the water supplies in the rural areas, however, show that many risk parameters exceed the defined health limits. For example, northern Estonian drinking water sources are affected by a radioactive bedrock zone (Lust et al. 2005), the north-eastern part of Estonia has excessive sulphates, and high fluoride levels are problematic in western areas of Estonia (Karro et al. 2006). Shallow individual wells are generally subject to nitrogen compounds from fertilizers and microbiological contamination (Sadikova 2005). These contaminants have been associated with gastrointestinal, circulatory and/or nervous system diseases. There are still relatively poor water infrastructure and purification systems in parts of Estonia. This, together with the poor information about drinking water quality, puts up to 36% of the public (customers of smaller companies and users of private wells) at risk with their health.

The enforcement of the drinking water regulations may be achieved through investments or strict regulation. Due to the structure of the bureaucratic enforcement system, the Ministry of Environment has the power and control over the allocation of finances with respect to water. Thus, environmental concerns have prevailed above those concerned with public health. The Ministry of Environment, with minimal consultation with the Ministry of Social Affairs, designed the holistic water management plans. The priority given to larger communities’ drinking water supplies and sewerage system updating has been cost-beneficial from the larger environmental and public health points of view, as the larger communities are safeguarded. However, the safety of inhabitants of large rural areas and the clients of smaller water suppliers has been compromised due to the neglect of health priorities that should be promoted by the Ministry of Social Affairs.

Another set of enforcement problems is related to the way regulation works. Investing regulatory attention in the larger companies may be explained through the Estonian bureaucratic culture, which prioritizes good performance with respect to the European Commission. As the records that interest the European Commission most (those on larger company compliance) show conformity with EU requirements, the Inspectorates are seen by Brussels to be efficient. Thus, credibility among the public seems to be a less important driver for the Inspectorates. This is especially so as they are used to top-down decision-making traditions.

One could presume that if those smallest suppliers and private wells were not monitored, there would be a system for informing the individual well users to take protective measures. Yet, there have not been any information campaigns, nor has there been any demand for more information regarding the drinking water from the users. A consideration that the private wells are something that the owners have to manage themselves is prevailing. Support schemes and information dissemination for addressing the drinking water quality in individual wells have not been institutionalized through Ministry orders either.

4 CONCLUSIONS

Aligning national safety standards with the European Union rules requires from bureaucracies careful decisions about the organisation of regulatory responsibilities, about the approaches for attaining their objectives, as well as choices about the practical allocation of ever-scarce capacities to employ these strategies.

This paper focused on the bureaucratic determinants of drinking water safety regulation efficiency in Estonia. The standard-setting, monitoring and enforcement activities associated with drinking water regulation in Estonia may be described as an EU allegiance striving process. Search for power, patronage and reputation are the main compliance-driving forces of inspectors on the national level, but may also determine the state bureaucracies’ behaviour on the European level. Deeply rooted bureaucratic cultures may function as gatekeepers for the take-up or neglect of more innovative, non-hierarchical modes of enforcement. National scientific incapacities have carried over to poor awareness among bureaucrats of drinking water safety issues, leading to insufficient local policy analysis and simple application of preset rules. Available financial and administrative capacities have led to a reinterpretation of the set standards and some neglect of smaller operators’ quality control. Allocating scarce resources
and controls to the larger companies has benefited the viability of larger communities, but smaller and rural communities appear to have been ignored.

The complexity of the regulatory structure, spanning the EU expert committees, national levels of government, and their sub-departments, may create an illusion of regulatory control, yet the real drinking water safety issues may remain unattended.

ACKNOWLEDGMENTS

This article presents some of the findings of the author’s PhD research at King’s College London that is financed by the Estonian Academic Mobility Foundation and Ministry of Science and Education grant SF 0170006s08.

REFERENCES

Baldwin, R. & Cave, M. 1999. Understanding Regulation: Theory, Strategy and Practice. Oxford: Oxford University Press.
Directive. 1998. Directive 98/83/EC of the European Parliament and of the Council of 3 November 1998 on the quality of water intended for human consumption. Official Journal of the European Communities: OJ L 330.
Heritier, A. 2001. New Models of Governance in Europe: Policy-Making without Legislating. Vienna: Renner Institute.
Hoberg, G. 1999. Sleeping with an elephant: the American influence on Canadian environmental regulation. In B. Hutter (ed), A Reader in Environmental Law: 337–363. Oxford: Oxford University Press.
Homeyer, V.I. 2004. Differential effects of enlargement on EU environmental governance. Environmental Politics 13(1): 52–76.
Hood, C. 1986. Administrative Analysis: An introduction to Rules, Enforcement, and Organizations. Sussex: Wheatsheaf Books.
Hood, C., Rothstein, H. & Baldwin, R. 2004. The Government of Risk. Understanding Risk Regulation Regimes. Oxford: Oxford University Press.
Karro, E., Indermitte, E., Saava, A., Haamer, K. & Marandi, A. 2006. Fluoride occurrence in publicly supplied drinking water in Estonia. Environmental Geology 50(3): 389–396.
Kramer, J.M. 2004. EU enlargement and the environment: six challenges. Environmental Politics 13(1): 290–311.
Lust, M., Pesur, E., Lepasson, M., Rajamäe, R. & Realo, E. 2005. Assessment of Health Risk caused by Radioactivity in Drinking Water. Tallinn: Radiation Protection Centre.
Löfstedt, R.E. & Anderson, E.L. 2003. European risk policy issues. Risk Analysis 23(2): 379.
Massa, I. & Tynkkynen, V.P. 2001. The Struggle for Russian Environmental Policy. Helsinki: Kikimora Publications.
Ministry of Social Affairs. 2001. Requirements for Drinking Water Quality and Control, and Analysis Methods. In RTL 2001, 100, 1369. Riigi Teataja: Tallinn.
Pavlinek, P. & Pickles, J. 2004. Environmental pasts & environmental futures in post-socialist Europe. Environmental Politics 13(1): 237–265.
Perkins, R. & Neumayer, E. 2007. Implementing multilateral environmental agreements: an analysis of EU Directives. Global Environmental Politics 7(3): 13–41.
Raik, K. 2004. EU accession of Central and Eastern European countries: democracy and integration as conflicting logics. East European Politics & Societies 18(4): 567–594.
Rothstein, H., Huber, M. & Gaskell, G. 2006. A theory of risk colonization: The spiralling regulatory logics of societal and institutional risk. Economy and Society 35: 91–112.
Sadikova, O. 2005. Overview of Estonian Drinking Water Safety. Tallinn: Health Inspectorate.
Skjaerseth, J.B. & Wettestad, J. 2006. EU Enlargement and Environmental Policy: The Bright Side. FNI Report 14/2006. Lysaker: The Fritjof Nansen Institute.
Swyngedouw, E. 2002. Governance, Water, and Globalisation: a Political-Ecological Perspective. Meaningful Interdisciplinarity: Challenges and Opportunities for Water Research. Oxford: Oxford University Press.
Organization learning
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
S.O. Johnsen
NTNU, IO Centre, Norway
S. Håbrekke
SINTEF, Norway
ABSTRACT: We have explored accident data from British Rail in the period from 1946 through 2005. Our
hypothesis has been that safety is improved through learning from experience. Based on a quantitative analysis
this hypothesis is tested for the data using a simple regression model. We have discussed the model and its
limitations, benefits and possible improvements. We have also explored our findings based on qualitative theory
from the field of organisational learning, and have suggested key issues to be explored to improve safety and
resilience during changes, such as safety cases, standardisation of training, unambiguous communication and
sharing of incidents and mitigating actions.
1994 and their consequences on safety have also been explored.

We would expect an increase in accidents after 1994 due to the large scale changes, but increased scrutiny of the effects and an increased focus on accidents could moderate the negative effect of deregulation.

2 MODEL DESCRIPTION

2.1 Individual and organisational learning

We are using a definition by Weick (1991) to define learning, i.e.: “..to become able to respond to task-demand or an environmental pressure in a different way as a result of earlier response to the same task (practice) or as a result of other intervening relevant experience”.

Based on this definition of learning, the actors that learn must sense what is going on, assess the response based on earlier response or experience, and respond with a different behaviour.

Related to organisational learning we are focusing on the result of organisational learning, in that we are observing what the actors in the organisation are actually doing and the results of their actions related to the level of accidents. Due to learning, we are assuming that the new and safer practice is carried out regularly, that it is present in the behaviour of several individuals engaged in similar tasks, included in procedures, and that new members in the organisation are instructed in the new practice. This description is based on the definition of organisational learning as described by Schøn (1983).

2.2 Development of accidents based on experience

Based on the preceding discussion our proposed null-hypothesis is: In the long run accidents follow an exponentially decreasing regression line based on experience, where experience is expressed by time.

In our quantitative analysis we have elaborated the hypotheses, see section 2.6.

In our proposed quantitative model the level of historical accidents at time t (years after 1946), A(t), follows a regression line of the form

A(t) = a · e^{−bt}    (1)

Here a and b are the parameters in the model. Note that the model considers t as a continuous variable, while in practice we only consider t for the distinct integral years. This is a weakness of the model.

Examining accident data from year to year may be challenging due to the stochastic nature of accidents and especially the variation in the number of fatalities from year to year.

2.3 Short term perturbations

A more complex model could take into account the short term effects of the dynamics of learning and focus on experience. Learning could be influenced by the increased alertness after an accident and the complacency setting in when no accidents are happening. The increased alertness should lead to fewer accidents, while the increased complacency could lead to more accidents. This dynamic behaviour could be modelled as some sort of sine curve superimposed on the exponential model. We have not established such a model yet, but we anticipate that the accident data would show such a relationship if plotted on a logarithmic scale.

2.4 Benefits and limitations

The simplicity of the model in (1) is the major argument for the examination of the railway data for learning by experience.

But such a simple model has its limitations, especially when analysing the results. Accidents are spontaneous and discrete, and should best be modelled by a Poisson distribution. Also, a prediction of the number of accidents in the future must be done with care. However, the regression line approximation illustrates the accident trend over a rather long time period. Our purpose is to present the shape of a trend line rather than specified values (such as the number of accidents in a certain year). Another benefit of the model in (1) is the various possibilities for exploration of learning. This can be quantified in different ways and not only by the number of accidents alone. This is further discussed in section 3.1.

Equation (1) can be simplified in a logarithmic system as a linear model instead of an exponential one:

ln A(t) = ln a − b · t    (2)

This representation makes it possible to fit a linear regression line.

2.5 Model improvements

Further exploration of a model from an accident analysis or statistical analysis point of view can be done by more detailed regression analysis, life time analysis or time series modelling.

Evans (2007) uses Generalised Linear Models (GLMs) to analyse the train data. Here the numbers of accidents during one year are assumed to be Poisson distributed. In such a model the failure rate as a function of time can be presented, i.e. a model with only one parameter. Also, different types of GLMs can be compared in order to achieve a model
which gives the best explanation of the variation in the data.

The accident data can also be treated as life time data, where a life time is the time until an accident appears. Here NHPP (Non-Homogeneous Poisson Process) or Cox proportional hazard regression are suitable alternatives.

Experience related to transportation could be defined not only as time, but as accumulated travel length as well. Experience in a production environment could be defined as time or accumulated produced equipment. Both GLMs and Cox regression can take into account as many explanatory variables as desired, and tests to check the significance of the variables in the model can be executed. Thus accumulated travel length (l) could be an explanatory variable in addition to time, e.g. for the exponential regression:

A(t) = a · e^{−(b_1 t + b_2 l)}.

Another alternative for analysing the train data is time series modelling. In the data analysis we will see that the observations seem to oscillate around the regression line. Thus e.g. an ARIMA model could be relevant to estimate and explore.

2.6 Hypothesis testing

The quantitative null-hypothesis proposed in section 2.2, that the accidents follow an exponentially decreasing trend, is that b is significantly different from 0 in the regression line described by (1).

To decide whether the values follow an exponential form, i.e. whether our hypothesis is not rejected, we evaluate different measures. If the residuals show independence and seem to be sampled from a normal distribution, we also check if the P-value, confidence interval and standard deviation of b, the T-statistic and the R²-value give reasons to reject the hypothesis. If one of the following criteria (all output from the analysis) is fulfilled we will reject the null-hypothesis:

1. The T-statistic for b is in absolute value below 2.0; i.e. b is not a significant parameter (considered as 0) and our model reduces to A(t) = a.
2. The standard deviation of b is large compared to the parameter value; the values scatter.
3. The P-value (probability of the accident level being totally independent of the particular year) is greater than 0.05.
4. Dependent residuals, i.e. the residuals are not independent and normally distributed and show a certain trend; i.e. the model does not fit the data very well.
5. R² (indicates how well the regression line fits the data) is less than 0.80¹.

If our analysis shows none of the above, we cannot reject the hypothesis that the accident level follows an exponentially decreasing trend, and the hypothesis is accepted.

3 DATA ANALYSIS

3.1 Presentation of data

This analysis is based on data of all railway accidents, where the major part is movement and non-movement accidents. Collisions, derailments, overruns and collisions between train and road vehicles are also classes of accidents included in the study. Train fires and other train accidents are not included.

The data represent both fatal accidents and the total number of fatalities in each accident. Every fatal accident registered has at least one fatality. In addition the number of million train km per year is part of the data, and accidents per million train km is a natural expression for the accident level.

In our model, the sum of accidents and fatalities per million train km is used. As fatal accidents are the number of events in which the fatalities occurred, this may seem rather odd. However, experience and learning are most probably achieved both through a high frequency of accidents and through severe consequences of accidents from which organisations learn. We have chosen an equal weighting of both accidents and fatalities per million train km as the quantitative measure of accidents. Both frequency and consequences are taken into account. It is most likely that learning increases due to the number of accidents and the number of fatalities in an accident. If we were only considering the number of accidents, years with few accidents but many fatalities would give a wrong impression of the learning level. Analysing fatalities only does not take into account the learning due to the number of accidents with few fatalities.

Alternatively, a different weighting of the numbers of accidents and fatalities, respectively, may give a more appropriate picture of the accident levels. However, an exploration of different weightings shows that this does not make any significant difference to the analysis with respect to our hypothesis.

¹ The value of 0.80 should not be considered as a normative value. It is just a value in order to explore the goodness of fit in addition to what can be seen from the plotted estimated regression line together with the observed data. In this case we are satisfied with 80 percent or more explanation of the data variation in the model.
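As an added illustration (not code from the paper), the following Python fits the log-linear form (2) by least squares on a constructed yearly accident-rate series and applies the five rejection criteria of section 2.6, then repeats the fit on two sub-periods as the results section does for 1946-1975 versus 1976-2005. The Durbin-Watson band for criterion 4, the se/|b| ratio for criterion 2, the noise level and the constructed series are this example's own assumptions; the British Rail figures are not reproduced.

```python
"""Exponential accident-trend test in the spirit of sections 2.2 and 2.6.

Fits ln A(t) = ln a - b*t (eq. 2) by ordinary least squares and applies
the five rejection criteria. Standard library only. The series used below
is constructed; it is not the British Rail data.
"""
import math
import random
from statistics import NormalDist

BASE_YEAR = 1946  # t = years after 1946, as in section 2.2


def fit_exponential(years, rates):
    """OLS fit of ln(rate) on t. Returns the statistics of section 2.6.

    Rates must be strictly positive: the log transform cannot take 0,
    which is the limitation the paper notes for sparse accident classes.
    """
    if len(years) < 3 or any(r <= 0 for r in rates):
        raise ValueError("need >= 3 points with rates > 0")
    t = [y - BASE_YEAR for y in years]
    ln_a = [math.log(r) for r in rates]
    n = len(t)
    t_mean, y_mean = sum(t) / n, sum(ln_a) / n
    sxx = sum((ti - t_mean) ** 2 for ti in t)
    sxy = sum((ti - t_mean) * (yi - y_mean) for ti, yi in zip(t, ln_a))
    slope = sxy / sxx                       # slope of eq. (2) equals -b
    intercept = y_mean - slope * t_mean     # equals ln a
    resid = [yi - (intercept + slope * ti) for ti, yi in zip(t, ln_a)]
    sse = sum(e * e for e in resid)
    sst = sum((yi - y_mean) ** 2 for yi in ln_a)
    se_b = math.sqrt(sse / (n - 2) / sxx)   # standard deviation of b
    b = -slope
    t_stat = b / se_b
    # Two-sided P-value. Normal approximation of the t distribution with
    # n-2 degrees of freedom; adequate for the ~60 yearly points used here.
    p_value = 2.0 * (1.0 - NormalDist().cdf(abs(t_stat)))
    # Durbin-Watson statistic as the residual-independence check of
    # criterion 4: about 2 for uncorrelated residuals, near 0 for the
    # "all above, then all below the line" pattern, near 4 for alternation.
    dw = sum((resid[i] - resid[i - 1]) ** 2 for i in range(1, n)) / sse
    return {"a": math.exp(intercept), "b": b, "se_b": se_b,
            "t_stat": t_stat, "p_value": p_value,
            "r2": 1.0 - sse / sst, "dw": dw, "n": n}


def rejection_criteria(fit, r2_min=0.80):
    """Numbers of the section 2.6 criteria that fire; any one rejects the
    null hypothesis of an exponentially decreasing trend.

    Thresholds not given on the page are this example's choices: the
    se_b/|b| ratio of 0.5 for criterion 2 and the Durbin-Watson band
    1.5..2.5 for criterion 4.
    """
    fired = []
    if abs(fit["t_stat"]) < 2.0:
        fired.append(1)   # b not significant; model collapses to A(t) = a
    if fit["se_b"] > 0.5 * abs(fit["b"]):
        fired.append(2)   # standard deviation large compared with b
    if fit["p_value"] > 0.05:
        fired.append(3)
    if not 1.5 < fit["dw"] < 2.5:
        fired.append(4)   # dependent residuals, i.e. a residual trend
    if fit["r2"] < r2_min:
        fired.append(5)   # footnote 1: 0.80 is exploratory, not normative
    return fired


def compare_periods(years, rates, last_year_of_first):
    """Fit two sub-periods separately, as the results section does for
    1946-1975 versus 1976-2005, and return both fits for comparing b
    (strength of learning) and R^2 (goodness of fit)."""
    first = [(y, r) for y, r in zip(years, rates) if y <= last_year_of_first]
    second = [(y, r) for y, r in zip(years, rates) if y > last_year_of_first]
    return (fit_exponential(*zip(*first)), fit_exponential(*zip(*second)))


def constructed_series(a=1.5, b=0.035, noise_sd=0.10, seed=2008):
    """Constructed 1946-2005 series following eq. (1) with multiplicative
    log-normal noise (not British Rail data)."""
    rng = random.Random(seed)
    years = list(range(BASE_YEAR, 2006))
    rates = [a * math.exp(-b * (y - BASE_YEAR) + rng.gauss(0.0, noise_sd))
             for y in years]
    return years, rates


def flat_series():
    """Constructed trend-free series alternating 0.9 / 1.1: the model
    should reduce to A(t) = a and be rejected."""
    years = list(range(BASE_YEAR, 2006))
    return years, [1.1 if y % 2 else 0.9 for y in years]


if __name__ == "__main__":
    for name, (yrs, rts) in (("decreasing", constructed_series()),
                             ("flat", flat_series())):
        fit = fit_exponential(yrs, rts)
        print(f"{name}: a={fit['a']:.3f} b={fit['b']:.4f} "
              f"t={fit['t_stat']:.1f} R2={fit['r2']:.3f} DW={fit['dw']:.2f} "
              f"rejecting criteria={rejection_criteria(fit)}")
    early, late = compare_periods(*constructed_series(), 1975)
    print(f"1946-1975: b={early['b']:.4f}  1976-2005: b={late['b']:.4f}")
```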
It is worth mentioning that the data reported was in 1991 changed from calendar year to fiscal year (1 April to 31 March) and in 2005 changed back again. This means that there may be some data missing/overwritten during the two transitions for the data used in this analysis. However, the accidents/fatalities and the train-km data have been collected over the same intervals, such that the transitions have very restricted influence on our analysis.

ten years all values are above the estimated line, followed by a period in the 90’s where the values are all below the estimated line. The last ten years with observed data again seem to give independent residuals.
5. R² equals 0.91.

Based on the ANOVA results, the null-hypothesis cannot be rejected and is thus accepted. The estimated regression line from (1) is:
This can be illustrated using the British Rail data, e.g. by dividing the period in two, i.e. one period from 1946 to 1975 and the other from 1976 to 2005. Analysing these two separately gives the following distinctions:

– The first period fits the data better than the last.
– The first period has a greater b value, and hence indicates stronger learning than the last.

We have also established a model based on cumulative distances travelled as a basis for experience, and have also identified a good fit.

The following two remarks must be considered under examination of data with respect to accidents and learning:

1. The period (time and length) of analysis: What period in the history of the industry is considered? It is probably more likely that learning and development are happening initially. Also the length of the period plays an important role, due to the increased validity of a large sample size. For a huge dataset, for instance, outliers (observed values rather distinct from estimated values) will have less influence on the regression line (both when establishing and when evaluating it). A small dataset without any particular trend will often result in a regression line rather similar to the horizontal/constant mean value line. Hence, it is important to consider a data sample of an appropriate sample size.
2. The number of accidents: If few accidents are observed, the model does not fit very well. This could be interpreted as the stochastic character of accidents.

In the analysis, we have considered the total number of both accidents and fatalities for all types of accidents. However, dealing with accidents and fatalities separately does not impact the acceptance of the hypothesis test. As expected the accidents fit the model better than the fatalities, as fatalities naturally vary more. For the different types of accidents it is only the class of movement and non-movement accidents which fits the model. This accident type also makes the greatest contribution to all accidents. The other two classes, train collisions and collisions between trains and road vehicles, do not fit the model, probably due to few accidents (the model does not handle 0-values) and large variation in the data.

4 DISCUSSIONS OF SOME RELEVANT ISSUES

4.1 Use of technology to improve safety

Technology could be an important factor in safety, but often new technology initially is mimicking old technology. An example is the implementation of electric motors replacing steam engines. At first the large steam engines were replaced by large electric motors in factories, using long chain drives to distribute the power in the factory. Later small electrical motors were distributed directly in the production process as they were needed. This removed the danger from the long chain drives. Thus the efficient and safe use of new technology was based on exploration and learning in a period that could take years. This is discussed further in Utterback (1996).

Improvements in working procedures and safety thus usually take place after some years of experience with new technology.

4.2 Consequences of our model of learning from accidents

We have proposed a hypothesis, suggesting a model where the levels of accidents are dependent on experience; more precisely, the levels of accidents per year fit an exponential trend. We have based our model on the experiences from the Railways in Great Britain. Our simple model of accidents at time t is A(t) = a · e^{−bt}. The hypothesis indicates that experience and the level of learning are key elements in reducing accidents.

If we are using the iceberg theory from Heinrich (1959) we are assuming that accidents, near accidents/incidents and slips are attributed to the same factors. The distribution between these categories was suggested by Heinrich to be:

– 1 Major accident
– 29 Minor accidents
– 300 incidents, no-injury accidents
– 3000(?) slips, unsafe conditions or practices.

The results of more recent studies contradict this hypothesis; one issue is that severity is dependent on the energy involved, and the distribution of incidents differs between different types of workplace. However, our point is to focus on learning from minor accidents or incidents in order to avoid major accidents. Both accidents and deviations are of interest related to learning. If we manage to focus on and document minor accidents, incidents and slips in order to establish organisational learning, and succeed with this learning, it should imply that major and minor accidents should decrease.

A “Heinrich pyramid” with few major accidents but documentation, exploration and learning of many slips could be an indication of a learning and resilient organisation.

However, if we do not focus on, document and explore minor accidents, incidents and slips, it could lead to more serious accidents due to less learning from experience. Thus in an environment of less learning
we should find a “Heinrich pyramid” with more major accidents but few slips.

At the 2007 HRO conference in Deauville, May 28–30, examples of this were mentioned from aviation in the USA. Airlines that had explored minor accidents, incidents and slips had no serious accidents. Airlines that had documented few minor accidents, incidents and slips had several serious accidents. This could indicate poor learning. Since this is a comparison between companies in the same industry with the same energy level, this could indicate a different order of learning.

4.3 Level of analysis—Industry comparisons

We can use the suggested model and perform an analysis on different organisational levels and of different industries.

By different organisational levels we mean either: (1) within an organisation, looking at accident data from different parts of the organisation and analysing which part has the better organisational learning and thus safer practices; (2) comparing the same type of organisations within a country, identifying which organisations have the better organisational learning system; and (3) comparing the same type of organisations between countries, trying to identify which countries have the better organisational learning systems.

Organisations could be compared to discuss which kind of organisation has the better accident learning system. As an example, within aviation you could identify the airlines having the better accident learning system.

Different industries (e.g. aviation and shipping) could be compared to discuss which kind of industry has the better accident learning system.

In a system with better organisational learning, the consequence should be that the whole system is learning faster and accidents are decreasing faster, e.g. a greater value of b. Improved organisational learning in this context should mean more information sharing among the involved actors in the whole system and better understanding of the causes of accidents.

In a system with initially safer technology, the initial value of a should be lower, meaning that the levels of accidents are initially lower.

In the aviation industry there is international sharing of incidents and accidents—a system that seems to have improved organisational learning, due to more incidents and more learning experiences across countries and different organisations. Thus it should be checked if the aviation industry is learning faster and accidents are decreasing faster, e.g. a greater value of b in the same period than other industries.

Note that the values of a and b from the regression results analysing different industries are only comparable when considering the same type of industry (e.g. transport), as the response measures must be equal (e.g. accidents per million transport kilometre).

4.4 How to increase safety further?

If improved safety is due to experience and learning from accidents as suggested by our model, safety may be improved by focusing more on exploring organisational learning and organisational inquiry as discussed by Schøn (1983). This means that we should explore what has gone wrong based on using actual data in an open and testable manner. We should try to explore double-loop learning, doing reflection in a learning arena among relevant actors from both inside and outside the organisation.

Some consequences of that could be an improved focus on:

– Common training to ensure clear communication and common understanding of what has happened.
– Exploring known incidents more thoroughly and ensuring that the employees are aware of what can go wrong and why. This must involve key actors in the organisation to ensure that organisational learning is taking place. A systematic analysis of several incidents together could help identify common errors and thus increase learning.
– Improving and focusing on scenario training by discussing and reflecting on what can go wrong in the future, especially with a cross-functional team involving actors from outside the organisational boundary.

4.5 What should be done in an environment with no accidents?

In an environment with almost no accidents, it becomes more important to analyse minor accidents, incidents and slips in an open manner. Sharing of incidents must be performed in order to improve learning. The use of narratives or story-telling could be used to create understanding and support of a learning environment.

Scenario training should also be explored to increase and sustain organisational learning.

4.6 Effect of the deregulation of BR in 1994

When we look at accident data from 1994, we do not find serious deviation from our model and hypothesis. There were no large scale increases of accidents, thus indicating that mitigation of the changes was taking place, such as learning and sharing of experience. One argument to support this was the increased focus on safety in the railway system due to the deregulation and increased public scrutiny of accidents and incidents.
810
The increased focus, information and discussion may have sustained the low level of accidents after 1994.

Other issues that have been mentioned, from Evans (2007), are that the greatest number of fatal accidents are movement and non-movement accidents. Two particular things that will have contributed to the fall in these are: (1) A major reduction in the number of trains without centrally locked doors (they have now gone completely). The doors of trains without central locking could be opened while the train was in motion, and there were fatalities due to passengers falling from trains, usually because they opened a door. Such events are now virtually non-existent. (2) Fewer track workers and better management of track maintenance work, leading to fewer fatal accidents to staff working on the track.

4.7 Further exploration of the model

In this paper we discuss neither the use of the model in prediction nor the uncertainty/confidence bounds. Data from a restricted period, where the latest years are excluded, are fitted to a model which can then be used to predict the data for the excluded years (most likely in the future). The predicted value can then be compared with the actual historical value to see whether or not it lies inside the confidence bounds, which verifies the predictive property of the model.

4.8 Objectivity, reliability and validity

The proposed hypothesis can be tested on different industries, and there are clear objective criteria to be used to check if the hypothesis is correct, as described in 4.1. We do propose that the result is objective. We are proposing that the result is reliable, due to the quantitative approach we have used. Validity is difficult to ascertain; the hypothesis should be explored in different industries and on different data to be assured of validity. In Duffey (2002) there are several examples validating these issues.

5 PRACTICES FROM THE RAILWAY INDUSTRY

We have discussed some organisational learning issues with the railway industry related to changes both locally and changes involving international railway traffic. Key issues identified during interviews and workshops have been related to new practices concerning communication, procedures, responsibility, incident reporting, training and common risk perceptions. The changes have been related to the changes in British Rail but also to railway traffic from Britain to France.

We have structured the responses based on how learning is taking place, i.e. issues related to sensing what is going on based on communication and common training, who has responsibility to act, and how to assess the response based on earlier response or experience. The main practices we have identified are in accordance with our hypothesis related to learning, i.e. a strong focus on practices supporting and enabling organisational learning, that is a focus on:
– Sense what is going on: based on unambiguous communication, and common training;
– Unambiguous responsibility;
– Respond based on earlier experience: unambiguous procedures;
– Support learning based on experiences and incident reporting across organisations;
– Organisational learning: common procedures and perceptions.

This is explored in the following.

1. Sense what is going on: unambiguous communication. The use of protocols or formalised communication templates is essential when communicating across interfaces. Pre-determined protocols and forms reduce difficulties in understanding and learning and should be mandatory.

2. Sense what is going on based on common training. Standardised training for operators, focusing on communication and handling of deviations. It is especially important to establish common models or perceptions of how incidents happen, as described by Schøn (1983). It is also important to share an understanding of "culture", e.g. perceptions, knowledge and behaviour, between the different companies. Good experience has been obtained by the use of scenario training and simulators in addition to normal training. In a simulator, scenarios including deviations from normal operations can be tested, and the other side of the interface can be included.

3. Unambiguous responsibility. Ambiguous or unclear responsibility (e.g. "grey areas" of responsibility) should not be tolerated. It is essential to have perfect clarity in task definitions and responsibilities across interfaces, especially if learning and exploration should be done.

4. Respond based on earlier experience: unambiguous procedures. It is essential that different parties harmonise their procedures so that operators adopt the same behaviour both during normal operations and exceptions. Based on our hypothesis, learning is based on incidents and accidents. To improve learning across boundaries it is important to decide on one set of rules across boundaries, and to ensure both that the basic rules are the same and that the common understanding of the rules is the same. Translation of a rule from English to French and then back to
English could be one way of exploring possible differences in understanding and increasing learning in cross-border cooperation between Great Britain and France. Rules and procedures that are actually used should be kept as "living documents", meaning that the documents should be updated by the working professionals themselves.

5. Support learning based on experiences and incident reporting across organisations. It should be a clear obligation to report any condition that could imply a risk for other companies. All parties must share their databases regarding events that could improve or degrade safety, and also share the resulting recommendations. This would ensure a possibility for common learning and an increased level of safety for all operators. Both interfacing organisations will benefit from the ability to admit that they are different without inferring value or preference. One partner's solution is not necessarily the only right solution; one should share experiences (from accidents, fatalities and good practices) to provide an opportunity to learn from each other.

6. Organisational learning: common procedures and perceptions. Harmonisation of procedures by project teams across organisational boundaries should be done. Experience shows that groups with representatives from each of the companies (or countries) involved in operations should be established and meet face to face, to create confidence, common understanding and a good learning environment, and to establish harmonised procedures. As part of organisational learning it is important to establish proactive and common risk perception and understanding. It would be helpful for two different organisations or actors to agree on a common model ("common mental model") for identifying and managing risks and the resources to control risks. Some of the most difficult issues to resolve are due to differences in the conceptualisation of risks and risk management.

REFERENCES

Duffey, R. & Saull, J. 2002. Know the Risk: Learning from Errors and Accidents: Safety and Risk in Today's Technology. Butterworth-Heinemann. ISBN-13: 978-0750675963.
Evans, A.W. 2007. Rail safety and rail privatization in Britain. Accident Analysis & Prevention 39: 510–523.
Heinrich, H.W. 1959. Industrial accident prevention: A scientific approach. McGraw Hill, New York.
Schøn, D.A. 1983. Organisational Learning. In Morgan, G. (ed.) Beyond Method. Sage, Beverly Hills: 114–129.
Utterback, J.M. 1996. Mastering the Dynamics of Innovation. HBS, Boston.
Weick, K.E. 1991. The non-traditional quality of organizational learning. Organization Science.
Yelle, L.E. 1979. The Learning Curve: Historical Review and Comprehensive Survey. Decision Sciences 10: 302–328.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

Berit Moltu
SINTEF Technology and Society, Trondheim, Norway
Geir Guttormsen
SINTEF Technology and Society, Trondheim, Norway

ABSTRACT: In this article we argue that consequence analysis is about organisational change and thereby methodologically should be treated as part of that. Traditional methods of consequence analysis are not sufficient. HSE (Health, Safety and Environment) is also about Organisational Development (OD). Both in information and data gathering, in decision and participation, and in safe and secure implementation of suggested changes, we consider this argument to be important.

The article is based on R&D projects done in the Norwegian oil company StatoilHydro ASA under the heading of Integrated Operations (IO). The strategy was to choose several pilot projects in one asset to be analysed for consequences as far as HSE was concerned. The idea was further to spread the successful pilots to other assets after a successful Consequence Analysis (CA).

Our approach to understanding organisations is inspired by Science and Technology Studies (STS) and sees organisations as complex seamless networks of human and nonhuman actants (Actor Network Theory (ANT), Latour 1986). We understand organisations as the ongoing process created by the interests of different actants like ICT, rooms, work processes, new ways to work, being organised and managed. This, in addition to an understanding of communities of practice (Levy & Venge 1989), is the starting point for discussing CA as part of OD. Another method used is based on the risk analysis tool HAZID (Hazard Identification), which is used in the Norwegian offshore industry as a planning tool to identify hazardous factors and to evaluate risk related to future operations. HAZID was used as a basis for collecting qualitative data in our concept of consequence analysis. Different methods were used to identify positive and negative consequences related to implementation of IO in two cases: the steering of smart wells from onshore, and a new operation model on an offshore installation.

We observed that the methods had qualities beyond just evaluation of consequences. During the interviews on smart wells, different groups of actants started to mobilise according to the change process from pilot to broad implementation; new routines and improvements of the pilot were suggested by the production engineers even though they had been operating along these lines for years. But now, as the pilot might go to broad implementation, different interests initiated a change of the pilot from the process engineers.

During the interviews and the search conferences on the case of a new operational model, we observed that the discussions generated a new common understanding among the informants about the pilot and the whole change process. The method helped to clarify what the changes would mean in day to day operation, how they were going to work and what the potential consequences could be. It also generated a new understanding of why changes were proposed.

All these questions are important issues in change management and elements that can be discussed in relation to organisational learning. Consequence analysis can be a useful change management and organisational learning tool, if the traditional design and use of such analysis can be changed.
organisational or professional—to efficient use of an organisation's expert knowledge in decision making (Kaminski, D. 2004; Lauche, Sawaryn & Thorogood, 2006; Ringstad & Andersen, 2008).

Descriptions of the new approaches exist elsewhere (e.g. Upstream technology 2007), and will not be repeated here. The approaches can be subsumed under the heading Integrated Operations (IO). Numerous definitions of IO exist in the industry. In StatoilHydro (2007) IO is defined as:

New work processes which use real time data to improve the collaboration between disciplines, organisations, companies and locations to achieve safer, better and faster decisions.

It is generally assumed that improved decision making processes in turn will lead to increased production, less downtime, fewer irregularities, a reduced number of HSE-related incidents, and in general a more efficient and streamlined operation.

The fundamental changes in work execution as a result of IO are illustrated in Figure 1 and are briefly described below:
– The old assembly line work mode is seriously challenged by IO. More tasks can be performed in a parallel fashion, thereby reducing total time consumption. From a decision making perspective, parallel work execution means a more iterative and relational process.
– Multidisciplinary teamwork becomes more critical as the availability of real time data increases, and work is performed in a parallel fashion more or less independently of physical location.
– Real time data at different locations make it possible for personnel at these locations to cooperate based on a shared and up-to-date description of the operational situation.
– Videoconferencing and ready access to data and software tools reduce the need for specialists to be on location. This increases the availability of expert knowledge for operational units, and reduces the time it takes to muster the experts.

Figure 1. Changes in work execution as a result of IO. (Serial to parallel; single discipline to multidiscipline teams; dependent of physical location to independent of physical location; decisions based on experience to decisions based on real time data.)

The diverse and fundamental changes associated with IO require a careful and deliberate implementation strategy and adequate tools and methods. A method that facilitates analysis and prediction across a broad range of consequence categories is deemed particularly useful.

However, many traditional consequence analysis methodologies are concerned with one consequence category (e.g. safety or cost) and/or are based on one particular approach to data collection and analysis. Although it would be possible to utilise a number of different consequence analyses prior to any IO implementation, it was decided to develop a new methodology for consequence analysis particularly suited for the purpose. The new method should:
– Be suited for analysis of a broad range of consequence categories
– Be flexible (i.e. allow the analyst to use different types of data and data collection methods, and the method should be flexible across analysis objects (e.g. a refinery and an offshore installation))
– Involve personnel affected by IO in the analysis to ensure participation in the change process.

The IO-program of StatoilHydro has chosen a strategy from pilot to broad implementation in the efforts of achieving the visions of IO. A special exemplary practice with IO characteristics in one of the assets is chosen as a pilot. This practice is first evaluated to be defined as a pilot. Then a CA is carried out with conclusions and recommendations for a broader implementation or not. The decision is to be taken by the process owners.

This paper comprises two case studies exemplifying the new method in use, and a general discussion of pros and cons of the new method based on several analyses performed in StatoilHydro in 2007. This discussion gives a special emphasis on how CA and OD might be seen together, as two sides of the same process.

2 METHODS IN CONSEQUENCE ANALYSIS

In the following we present the theoretical approach or attitude underlying the method (Actor Network Theory), the consequence categories used as a basis for the CA, the structure of the method and the practical data techniques used. This method was developed and used in two pilot cases in the IO program of StatoilHydro, "Steering of smart wells from onshore" at Snorre B, and "New operation model" at Huldra Veslefrikk.

2.1 Actor network theory: identifying actants and controversies

In the IO-case or IO-pilot "Steering of smart wells from onshore" from the field Snorre B in StatoilHydro
ASA, SINTEF used a new approach to a CA method, named Actor Network Theory (Latour, 1986), based on Science and Technology Studies (STS), since this pilot is very much about the development of a new complex technology, where, as we will see, there might be a lot of different technological solutions to this issue of smart wells.

This pilot was also about the complex interplay between technology and organization, "a seamless web" (Callone, 1986) of how to use and operate this technology, i.e. a network of different actants, human and nonhuman, and how they chain in different "heterogeneous engineering" (Callone, 1986). To study the local community of practice (Levy and Venge, 1985), their interactions, negotiations and struggles more in depth where this technology is in use, gives an important input to the understanding of the pros and cons of the pilot, and the potential broader HSE consequences of such a pilot. The case showed that the technology was not yet frozen as the CA started. On the contrary, the work on the CA makes it develop further.

2.2 CA method: visualization of consequence categories

A basis was also to identify both positive and negative consequences related to the categories "organization and management", "personnel and competence", "operations and regularity", "HSE", "economy" and "company reputation", which are a broader set of categories than normally in CA.

Figure 2 illustrates a linearity or a cause and effect chain between the main factors used as an analytical tool. In studying the communities of practice or "real life" in these cases, we see that this is of course more a messy matter (Law, 2004). One of the main activities of researchers is to tidy up the mess, and linearity in-between categories might be one way to tidy up. The linearity was the basis for the method's further procedure. But first, as a starting point to identify the different aspects of potential consequences within these categories, it is important to identify the most important groups of actants (Bijker & Pinch, 1985) participating in the pilot studied. Then the most obvious controversies are important to identify. A quick visualisation of these is often useful to make as a draft to be changed as the analysis goes on. The usefulness of identifying the controversies at an early stage is also to be able to investigate early whether there is a connection between the controversy and the risk level of the potential consequences.

The further method follows a well known phase-divided, linear, stepwise procedure known from many analyses, evaluations and change programs.
1. Identification of groups of actants and main controversies.
2. Qualitative data collection, interviews and search conference.
3. Use of a "consequence matrix" to help sort raw data based on the factor categories "organization and management", "personnel and competence", "operations and regularity", "HSE", "economy" and "company reputation".
4. Analysis of data, using "ANT-analysis", "cluster analysis", chains of argumentation.
5. Evaluation of risk related to the negative consequences found vs. positive consequences.
6. Conclusions and suggestions.

Figure 2. Visualization of the consequence categories as a basis for the analysis.

2.3 Data collection: interviews and search conferences

SINTEF further developed the CA method in order to evaluate a new integrated operation model (IO-model) to be implemented in StatoilHydro ASA's "Huldra Veslefrikk organisation". The method aimed to identify potential positive and negative consequences related to implementation of the new operation model according to the six consequence categories mentioned above (fig. 2).

In both cases qualitative data were collected through document studies, thirty individual interviews (Smart wells, Snorre B), seven individual interviews (New operation model, Huldra Veslefrikk) and one search conference (Huldra Veslefrikk) (e.g. Emery & Purser, 1996) with relevant personnel from the Huldra Veslefrikk organization. Search conferences were not effectuated in the Smart Well case due to the initially high controversy about this pilot.

The interviews could be performed either with individual informants or in groups of people. The choice depends on how important the controversies are, and how complex the understanding of the operational practice and the communities of practice that follow from it is. A combination might also be a good solution.
IO-project reports and descriptions of the new proposed IO-models were the basis for the document studies in both cases. As a basis for the interviews and the search conferences we used the proposed change measures needed to implement the new model as an interview guide. In addition we initially asked for the history of the initialisation of the pilot to get access to the main actants and controversies, and to get in touch with the most important arguments.

The group interviews have the basic aim of gathering information, and might be less time-consuming than individual interviews, but might get access to more supervision information. The search conference as such is more a technique to create an arena for a common dialogue on particular issues. A combination of these techniques has often been seen to be fruitful.

In the IO change processes we have seen conflicting interests between management representatives and trade unions. The search conference can be a useful tool in order to overcome these "change process barriers". The search conference can create openness among the participants (show that things are what they appear to be); create an understanding of a shared field (the people present can see they are in the same world/situation); create psychological similarity among the representatives; and it can generate mutual trust between parties. All these elements are found to be important in order to achieve effective communication within and between groups (Asch, 1952), and in this case to bring the planned change process forward in a constructive direction.

2.4 Use of consequence matrix

In order to sort hypothetical negative and positive consequences after implementation of the suggested pilot, we used a matrix to help us sort the informants' statements within the categories "organization and management", "personnel and competence", "operations and regularity", "HSE", "economy" and "company reputation". For the positive consequences we tried to describe which presumptions underlie these statements, and for the challenges found we tried to suggest compensating actions.

New ICT (Information and Communication Technology), with the use of large screens, gives new possibilities for search conferences. In group interviews and in the search conferences these matrices might be collectively created and shown on a large screen, which might give good enthusiasm, participation and grounding of the results. In a case like this there will be many arguments, and the matrices give a nice way to "tidy the messy arguments" and easily give an overview. The concurrent production of this matrix in a search conference might in addition be time-saving. A further step might be to use the search conference and the consequence matrix to also start the analysis. Here is the point where employees often feel that participation ends, which creates a situation of resistance at the time of implementation.

2.5 Analysing data

To analyse data, one of the methodological starting points was to find the controversies and paradoxes about the smart well technology, and to identify the different groups of actants that are involved in the controversies. By identifying the different controversies one also identifies the interests that are connected to the controversies, and the constellations of interests that the different actants are chained in. Interests are to be seen as the "driving forces" for changes. Interests are what make things happen both in a positive and a negative way, i.e. interests are also what make things not happen. If one wants to understand the OD aspects of a CA, one has to understand the main interests. And if one wants to do Organizational Change one has to be able to play with the main interests, or to be able to play the game, to chain in with the different interests in different enrolments and translations (Latour, 1986) to make a strong enough chain to be able to do Change Management; if not, it is all in vain.

Part of the analysis was also to describe which presumptions underlie the positive consequences found, and to suggest compensating actions to the challenges found. The main stakeholder in the analysis is in these cases SINTEF. Consequence analysis is something in-between an evaluation and scenario thinking, and trained methodological and analytical skills are of course required. But a higher degree of participation in the analysis, and testing out the analysis, might be a fruitful idea, and with the search conference as a tool, a possibility that is not so far away. But the final responsibility for the analysis should remain with the action researchers.

In addition to identifying the different aspects of potential consequences of the pilot mentioned above, positive as well as negative, the CA has to rank the different arguments by importance, e.g. by risk level or sometimes by interests (as seen in figure 4). One way might be to find which argumentations and chains of argumentation are used, by visualising the arguments by "cluster analysis". We often end up with only a few central arguments as the basis for conclusion.

The "cluster analysis" aimed to find clusters in statements regarding proposed negative consequences related to one or several IO-model measures. As a result it was easier to see how several IO-model measures could cause interaction effects (e.g. severe negative consequences) within the different categories shown in figure 2.
The clusters of negative consequences were then risk evaluated, based on the risk analysis tool HAZID (Hazard Identification). The HAZID tool defines risk as probability multiplied with consequence. A risk level for each consequence cluster was established by a qualitative evaluation of how probable it was for each cluster to occur, and how critical it would be, i.e. how large the interests concerned with this consequence are.

All steps in this design, except for the risk evaluation of clusters, were carried out in close cooperation with our informants and the StatoilHydro IO-development team.

The extended focus on employee involvement through interviews and search conferences must be characterized as a relatively new approach within CA designs. Also the focus on analysing consequences in a broader perspective than just HSE must be characterized as new, as definitively is the approach of ANT in CA. The effects of this kind of approach will be discussed further in this paper.

The method as such consists of well known elements, but the newness in the method is in the combination of these well known elements: ANT, interviews, matrix, search conference, cluster analysis, etc.

3 THE USE OF CONSEQUENCE ANALYSIS (CA) DATA IN ORGANIZATIONAL DEVELOPMENT (OD), IN STATOILHYDRO'S IO PROGRAM

In the following we describe two different cases based on the methodology we described in chapter 2.

3.1 Case 1: "Implementation of a new integrated operation model in StatoilHydro ASA's Huldra Veslefrikk organization"

The StatoilHydro installations Huldra and Veslefrikk were classified as "tail production installations", meaning they were in the last phase of production, initiated to prolong the economic lifetime of a field. This situation can represent rising production costs and potentially lower profitability. In order to maintain profitability, the Huldra Veslefrikk organization had to increase the efficiency of the operations and to cut administrative costs. Implementation of IO was then seen as a solution, and the organization became a part of StatoilHydro's pilot program for implementation of IO-models.

An organizational development (OD) process was started to find a suitable IO-model for the organization. As a basis for the model design, they emphasized the following design criteria for the new IO-model:
1. Administrative work tasks offshore to be transferred to the onshore organization
2. To make the onshore support organization more operative (e.g. manning the onshore support team with offshore personnel in rotation)
3. To make the offshore organization more operative (e.g. more time spent on operations, less on administrative tasks)
4. To enhance handovers between shifts offshore by improved planning onshore

The OD-process was carried out by using a method called "CORD-MTO" (Coordinated Offshore operation and maintenance Research and Development—Man-Technology-Organization) as a basis. The process leading up to a proposed IO-model turned out to be filled with conflicts between the project management group and labour union representatives. This was mostly due to change management issues and what the labour unions characterized as an unfair OD process. We, as an independent part of the process, also observed a kind of uncertainty among employees about what the new organization would look like, and what consequences the structural changes would have for each individual employee. We have observed this kind of "change anxiety" in many change processes, but in this case we observed that the process of carrying out a CA, we believe, had an unexpected effect upon this "change anxiety".

We observed that the CA method used had qualities beyond just evaluation of consequences. During the search conferences we observed that the discussions generated a new common understanding among the informants (employees) about the whole change process and the new proposed operation model. The method helped to clarify what the changes would mean in day to day operation, how they were going to work and what the potential consequences could be. It also generated a new understanding of why changes were proposed. All these issues are important in change management, and they are elements that can be discussed in relation to organisational learning. CA can therefore be seen as a useful change management and organizational learning tool if the traditional design and use of such analysis can be changed.

3.2 Case 2: The pilot "Steering of smart wells from onshore" in StatoilHydro ASA

A meeting in the W&D (well and drilling) network on 19.11.04 decided that in the planning of new fields, provision should be made for the implementation of downhole equipment or DIACS valves, i.e. smart wells. For existing fields the same policy is decided for planning of new wells. Deviations from this should be followed by economic calculations. This pilot is about a potential implementation of smart wells
as a part of an IO strategy from pilot to broad participation, in existing wells in former StatoilHydro. The pilot is named "Steering of smart wells from onshore". The pilot takes place in the field Snorre B, which came from former Hydro into StatoilHydro. Originally Snorre B, with its technological inventions, came from the former small oil company Saga. Through the performance of a consequence analysis, SINTEF should help StatoilHydro to take good decisions on whether the pilot should be recommended for broader implementation or not.

StatoilHydro had about 10–15% of the smart wells worldwide. In December 2006 we found 48 completions of smart wells with altogether 147 DIACS valves. There is an increasing trend in smart well completion in the company, and about 100 smart wells with 320 valves over 25 fields were anticipated in 2010.

Figure 3. Overview of the main alternatives for smart wells by existing assets in StatoilHydro.

One of the conclusions of our CA was that there are no safety consequences, because the DIACS valves are not part of the barrier system. The main consequences are potential economic gains in production optimisation, and potential changes for the production engineers if they change from today's reactive operation to a more proactive operation with the use of real-time data. More personnel resources among the production controllers are needed, and it might become a 24-hour operation in one way or another.

We mapped the present practice in 6 different assets (Heidrun, Veslefrikk, Gullfaks hovudfelt, Snorre A, Gullfaks satelitter and Visund) to see the gap between the pilot and the present practice in these assets. Two main ways of operating smart wells were identified, e.g. a manual way of operating as we see it in Gullfaks hovudfelt, Snorre A, Veslefrikk and Heidrun. In this solution the production engineers and the supplier have to travel offshore to operate the DIACS physically. There is a common understanding that this is not a good solution. The main controversies are between the pilot of Snorre B and the solution they have in Norne, Visund and Gullfaks.

Figure 4. Main controversies in the analysis of the smart well pilot.

In the analysis of all the potential consequences we soon realised that we needed to make a distinction between operations (who is pushing the button) and steering (who is planning and initiating the process), due to an unclear link between language or terms and practice, and thereby avoid misunderstandings. As a premise for the further analysis it is presumed that onshore is always steering anyhow; the competence for that is onshore in Drilling & Well and in Petroleum Technology. The controversy is whether the SCR (Central Control Room) or the production engineers/production controllers onshore should operate the DIACS valves, or whether it should be done by a supplier onshore as in the pilot of Snorre B.

Their largest controversy in this pilot is who shall operate the DIACS valves, who shall push the button, the SCR offshore or onshore. And connected to that controversy is the question of choosing and developing technology, i.e. which solution to choose. Different technology might support different operational solutions, e.g. who can push the buttons for operating the smart wells.

And when it goes from a single autonomous case to a pilot with possible consequences for other assets, the chain of interests gets larger. The two main technological alternatives are two digital variants: one with integration in the OS (operation station) system and operation from the SCR, and the alternative used in the pilot. Many of the assets want to go in the direction of OS integration. The alternative of the pilot is to have a separate operation system, which is used now for the pilot. Operation today is done by the supplier Well Dynamics, which has to travel from their office to StatoilHydro to operate the valves, which influences the time of reaction from decision to operation, if that is important. One of the most important consequences weighing against an integration in the OS is the potential possibility for external hacking, which one avoids
with a separate control system as in the pilot. But security is said to be well handled at statoil@plant. It also involves larger development costs to integrate than the separate solution of the pilot. The pilot has a script that makes operation from onshore preferred. An integration in the OS opens for a symmetry between onshore and offshore operations, and thereby might conserve the status quo as far as today's situation on who should operate the valves is concerned, whereas the pilot might push a change.

The CA started a discussion within the pilot on whether the pilot initially was well enough evaluated to become a pilot or not. As the interviews proceeded, the production engineers started to create suggestions of what could be changed in the pilot, as they realised that this might become the reality for many colleagues in other assets, and that their practice might become the standardised proactive one, even though they had not done anything to improve it or to come up with the same suggestions in the two or three years between the evaluation of the pilot and now.

4 FROM PILOT TO BROAD IMPLEMENTATION AS A CHANGE STRATEGY

One of the main strategies to achieve the aims of IO in StatoilHydro has been to define different locally existing practices which contain good "IO characteristics" as a pilot, to be considered for broad implementation in the other assets after first an evaluation and then a broader consequence analysis. The pilot of smart wells in Snorre B was a local initiative and a concept that was decided when the field was developed, as we can see from the choice of platform concept. Here we see a "top down" strategy, i.e. the IO initiative, meeting a local "bottom up" initiative developed in Snorre B. There is a huge variety in practices among the assets due to local autonomy, different history and different field characteristics. When making such connections between local and more global change strategies it is important to inform the pilot well about its chosen status, so that everybody knows, to avoid killing local commitment. This is also important to avoid the local people feeling they are hostages for larger organizational changes in other assets, into practices that might work well for them but might anyhow create large resistance to these changes in other fields; they are just not invented here and do thereby not fit in, and might demand some trouble to change locally even though they might have been a successful and smooth practice elsewhere. If the pilot is not anchored well enough locally, the question will be posed whether it is evaluated well enough locally, and thereby any argumentation to support a broad implementation might effectively be stopped by potential opponents as a political argument against the planned changes, and not an argument that is based in professional discussions.

5 CONCLUSIONS

In this paper we argue that consequence analysis is to be seen as a part of a planned organizational change process. In fact the organizational change process starts when the CA starts. Thereby CA and OD should not be seen as separate parts.

Objective analyses of consequences do not exist. At the time one starts interviewing about potential consequences of an action, different groups of actants start to chain and to mobilize their common interests, as we see it in the smart well case, and the change process starts.

The CA might better be seen as a part of a planned organisational change program, trying to achieve a good dialogue and a collaborative atmosphere among the parties. As we see in the Huldra Veslefrikk case, it is not easy to achieve a good change process if the analysis carried out in advance (the CORD analysis) has not followed a good participative process; it is very hard to achieve that later.

The best advice is to use the energy for change that is to be found in the mobilizing and chaining of interests. One has to enrol important actants and chains of important interests, otherwise the OD program will be in vain.

To succeed one has to understand the concrete operational challenges in the pilot, and the seamless web of technology and organization, and thus these need to be described and understood. The CA has one large advantage in dealing with this, which OD programmes rarely address. CA might contribute to making OD more successful.

REFERENCES

Asch, S. (1952). Social psychology. Englewood Cliffs, NJ: Prentice-Hall.
Bijker, W.E., Hughes, T.P. & Pinch, T. (1987). The Social Construction of Technological Systems. Cambridge, Massachusetts: The MIT Press.
Callon, M. (1986). Some elements of a sociology of translation: domestication of the scallops and the fishermen. In J. Law (ed.), pp. 196–229.
Emery, M. & Purser, R.E. (1996). The search conference: a method for planning organizational change and community action. San Francisco: Jossey-Bass Publishers.
Latour, B. (1986). Science in Action. Massachusetts: Harvard University Press.
Lauche, K., Sawaryn, S.J. & Thorogood, J.L. (2006). Capability development with remote drilling operations. Paper presented at the SPE Intelligent Energy Conference and Exhibition, Amsterdam, The Netherlands.
Lave, J. & Wenger, E. (1991). Situated Learning: Legitimate peripheral participation. Cambridge University Press.
Law, J. (2004). After Method: Mess in Social Science Research. London: Routledge.
Kaminski, D. (2004). Remote real time operations centre for geologically optimised productivity. Paper presented at the AAPG International Conference, Cancun, Mexico.
Moltu, B. (2003). BPR in Norwegian! The management concept of Business Process Reengineering (BPR) as a cultural praxis. PhD Thesis (Nr 2004:81), NTNU, Trondheim, Norway.
Ringstad, A.J. & Andersen, K. (2007). Integrated operations and the need for a balanced development of people, technology and organization. Paper presented at the International Petroleum Technology Conference, Dubai, UAE.
StatoilHydro (2007). Integrated operations in StatoilHydro. Monthly Newsletter, May 2007.
Upstream Technology, Feb. 2007, pp. 36–37. Interview with Adolfo Henriquez, Manager, Corporate Initiative Integrated Operations, StatoilHydro.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: This paper aims to discuss how the use of advanced information and communication technology
impacts leadership practice. The paper is based on a research study accomplished at the Kristin asset on the
Norwegian continental shelf. The technology we explore is Integrated Operations (IO), and how organizations
can benefit from using this kind of technology. We discuss the results of our study, focusing on virtual cooperation
among leadership teams located onshore and offshore in the Kristin organization. To date, some research on how
to succeed in virtual teams exists, but few studies explore leadership in virtual teams. The strength of this study
is the in-depth insight of how and why IO shapes the work practice of leaders and operators/technicians. So far,
few empirical research studies shed light on how IO functions and is experienced by the people involved. The
research has mostly focused on the theoretical models of IO.
the Kristin organization, focusing on work practices concerning operation and maintenance at the platform with onshore operational support. In addition, the purpose has been working with organizational development, focusing on which organizational capabilities Kristin ought to develop.

The Kristin asset, operated by StatoilHydro, is a condensate and gas field on the Norwegian continental shelf. The platform is located 240 km offshore from Trondheim, Norway, and production started in November 2005. The Kristin organization wanted to develop an IO mindset in order to be able to operate the platform with a minimum of people on board for safety reasons and to maximize production and operational efficiency, as well as keeping the platform in optimal technical condition. Compared to large offshore installations having an operation crew of 200 employees, there are only 31 employees working on the Kristin platform during any shift period. This lean organization influences the communication on board, and the communication between offshore and onshore personnel.

The Kristin organization has two management teams, one onshore and one offshore, each located in a collaboration room. There are continuous video links between onshore and offshore, so both management teams can see each other at all times during the day.

1.3 Virtual leadership teams

How to succeed in virtual teams has been quite well described in the literature, but there are few studies exploring leadership in virtual teams. As with traditional team work, research on virtual teams has demonstrated the importance of effective communication and coordination within virtual teams (Lipnack and Stamps, 1997). Virtual teams are often characterized by high levels of autonomy rather than direct control, which will affect leadership practice.

Lipnack & Stamps (1997) define a virtual team as: "A group of people who interact through interdependent tasks guided by a common purpose that works across space, time and organizational boundaries with links strengthened by webs of communication technologies". IO is about how members of a geographically distributed organization (offshore and onshore) participate, communicate and coordinate their work through information technology.

In this paper, we focus on two types of virtual management concerning the cooperation between the onshore and offshore organization at Kristin. First, this paper explores how the use of IO technology by virtual management teams influences the cooperation and communication between the offshore and onshore management teams. Second, we explore the virtual cooperation between the onshore technical engineers and the offshore operators.

Olsen & Olsen (2000) describe which elements are crucial for success in virtual team work, such as: the sharing of knowledge, coupling in work, the need for collaboration to solve tasks, and the need for technology that effectively supports communication and decision-making. We explore how these elements affect cooperation and outcomes in the organization we study.

2 METHOD

The empirical data for this study is comprised of observations and interviews. We have interviewed managers both onshore and offshore, operators offshore within all functions and disciplines represented at the platform (electro, mechanic, automation, instrument, process, among others), and technical lead engineers onshore within most of the disciplines. The collected material comprises semi-structured interviews with a total of 69 informants, as well as extensive participating observations both onshore and offshore. Analyses of interviews were conducted based on the principles of grounded methodology (Strauss and Corbin, 1998) with qualitative coding techniques. Examples of participating observations are being present at formal and informal meetings in the collaboration rooms both onshore and offshore, as well as following the work of the operators when they were out in the process plant doing maintenance and operation tasks.

The research approach has been co-generative learning (Elden & Levin, 1991). The basic idea is that practitioners and researchers create new practices together, in parallel with developing a deeper understanding of the research question in focus. Examples of this close interaction between practitioners and researchers in our study are as follows:

• During the project period, the researchers and key practitioners met on a regular basis (every month) for working sessions. This was central to the development of the analysis of the IO work practice. At work sessions, difficult issues could be discussed, misunderstandings were sorted out, and findings that needed interpretation were discussed.
• By holding informal meetings, being embedded during data collection, etc., the project contributed to co-learning and reflection on work practices between researchers and practitioners. A set of shared notions and concepts was developed, and thus also a higher awareness of critical organizational aspects.

In addition, the researchers presented and discussed the project results closely with all people involved in the project: offshore operators, onshore and offshore management, and onshore technical lead discipline
engineers. This had the effect of the researchers gaining deep insight into people's work practices.

In terms of methodology, project execution followed these steps:

1. Provisional mapping of functions, arenas and relations. Prioritization of the most important functions/arenas/relations. (Tools: Workshop with stakeholders).
2. Collection of data. Information on arenas and relations used as a collection guide. Evolving focus with new information. (Tools: Observations, conversations, interviews).
3. Analysis of data for key findings and observations. Conducted simultaneously with data collection.
4. Identification of important themes in the material, using stakeholders to sound out the importance and secure ownership. (Tools: Work meetings).
5. Suggesting short-term and long-term actions. Prioritizing actions together with management and stakeholders. Presenting findings and actions for management, stakeholders, and employees. (Tools: Facilitating workshops).

3 DISCUSSION: INTEGRATED OPERATIONS AND LEADERSHIP PRACTICE

Certain characteristics of an organization's leadership practice will have an impact on the outcomes of virtual cooperation. This will influence the quality of relations between the offshore and onshore organization. Below we begin by describing the characteristics of the leadership practice in the organization of study. Next, we discuss the virtual cooperation and work practice between the offshore and onshore organization: i) the virtual management team, ii) the virtual support from the onshore technical engineers.

3.1 Characteristics of leadership practice

We have explored the leadership at Kristin from a relational perspective, and find that leadership is characterized by a transformational and situational leadership style.

Leadership philosophy and style will impact how the offshore operators conduct their work, particularly the way in which they are expected to lead themselves and take responsibility for the operations both individually and collectively as a team. According to Wadel (2005), organizational restructuring into flat organizations and autonomous work teams means that co-workers to a larger extent have to lead and support each other. This change in roles and practice among workers also changes the role of leadership. To explore this, we have to understand leadership from a relational perspective as well as from a situational perspective.

According to Bass (1990), transformational leadership means that a leader communicates a vision, which is a reflection of how he or she defines an organization's goals and the values which will support it. Transformational leaders know their employees and inspire and motivate them to view the organization's vision as their own (Bass and Avolio, 1994). Such leadership occurs when one or more persons engage with others in such a way that leaders and followers lift each other to higher levels of motivation. At Kristin, the concept of integrated operations, what it really means for this organization, involved defining a vision and values concerning how the work ought to be performed, on board and between the offshore and onshore personnel. Kristin has a lean and competent organization, where the operators/technicians in the Operation & Maintenance (O&M) team offshore possess expertise not necessarily found among their superiors. The motivation at Kristin has been empowerment, which has affected the autonomous work of the operators and the delegating leadership style.

Another leadership characteristic found at Kristin is situational leadership, which means that leaders allow for flexible solutions and actions adapted to the special conditions and situations in the organization. The lean offshore organization at Kristin, with few persons within each discipline, necessitates flexible problem-solving, which includes cooperation across disciplines to support each other's work. Situational leadership is the opposite of trying to generalize or standardize work practices and routines. Situational leadership theories in organization studies presume that different leadership styles are better in different situations, and that leaders must be flexible enough to adapt their style to the situation in which they find themselves. A good situational leader is one who can quickly adapt his or her leadership style as the situation changes. Hersey and Blanchard (1977) developed situational leadership theory. They categorize leadership style according to the amount of control exerted and support given in terms of task and relationship behaviours: persuasive, instructive, participating, and delegating behaviour. Instructive behaviour means giving precise instructions and controlling execution. Persuasive behaviour involves defining tasks, but seeking ideas and suggestions from the workers. A participating leadership style is when the leader facilitates and takes part in decisions. A delegating behaviour means that leaders delegate the responsibility for decision-making and execution.

The level of competence among workers will influence whether a supportive or controlling leadership behaviour is adopted. To lead personnel with a low degree of competence, a manager will define tasks and supervise the employees closely. On the other hand, leading highly skilled workers involves delegating tasks and responsibility, and the control lies with
the employees. High levels of expertise do not require as much control from the manager. At the Kristin platform, the leadership style is adaptive. Depending on the situation and discipline, it is primarily characterized by a participating, persuasive, or delegating management style. This is because of the highly skilled personnel working at the platform. The O&M crew is directed primarily by the Operation Supervisor, who is their line manager, but they are also directed by the technical lead engineers onshore. This is further discussed in Sections 3.2 and 3.3.

3.2 Virtual cooperation between the offshore and onshore management teams

We have examined which kinds of work practices, benefits, and outcomes the Kristin leadership teams, both offshore and onshore, have achieved by the use of integrated operations. First, we present and discuss how the management teams actually work in the collaboration rooms. Then we discuss the benefits and how they are achieved.

At Kristin, the management is organized as follows: there are two management teams, one onshore and one offshore, each located in a collaboration room. The collaboration is supported by the use of video conferencing and data sharing facilities, where both management teams can see each other at all times during the workday. Also, process data is online and available at both locations and can be shared.

The offshore management team at Kristin is comprised of four managers: a Platform Manager, an Operation Supervisor (O&M), an Operations Engineer, and a Hotel & Administration Supervisor (H&A). The management team offshore manages maintenance and operations in close collaboration with the management onshore. The onshore management is comprised of a Platform Manager, an Operation Supervisor, an Operation Engineer, and a Technical Support Supervisor. They share the collaboration room with some technical engineers, who support operations and modifications offshore. Both the offshore and onshore management use the collaboration room on a permanent basis, as their office, and not as a meeting room as several other assets on the Norwegian continental shelf do.

The onshore management team is responsible for giving day-to-day operational support to the offshore organization, and for the planning of maintenance programs and tasks on a long-term basis. This takes place through formal daily meetings and through informal and ad-hoc dialogue during the day. Each morning the offshore and onshore management teams have shared virtual meetings to inform and discuss the last 24 hours of operation and the next 24 hours to come. Here, representatives from different technical units onshore attend to be informed about the situation on the platform, and to give advice if needed.

So, what are the benefits of this close, but still virtual, cooperation? First of all, StatoilHydro has estimated huge savings in operation costs over the first year from integrated operations. This is a statement from one of the platform managers at Kristin: "Half of the saving was due to the way we work. The other half was due to having a quality process plant". Thus, the reliability of and uptime at Kristin have been very profitable.

The successful use of collaboration rooms has affected the economic outcomes. One important assumption is that everyone using the collaboration rooms both offshore and onshore knows each other well. They meet in person at informal and formal meetings onshore quite often, which strengthens the quality of the virtual work. The random personal contact and the fact that people know each other make the distance leadership closer (Maznevski & Chudoba, 2000). This is an important criterion for success in virtual cooperation.

Next, we find that peripheral awareness has developed at Kristin, which means that you develop a deep understanding of what is going on at the platform. The condition of peripheral awareness improves the organization's capability to achieve rapid responses, which in turn allows for more effective problem-solving and decision-making processes. One example is the low number of backlog activities concerning operations, maintenance, and HSE work. Compared to large installations on the Norwegian continental shelf, which have a high number of backlog activities, at Kristin they have managed to handle these issues effectively as a team.

The contextual differences (different work atmospheres, weather conditions, etc.) offshore and onshore become less important by the use of collaboration rooms. In the onshore collaboration room there are several video walls showing pictures/video of the platform, the technical equipment, and the people working there.

This daily and close communication creates a situation of shared situational awareness between the onshore and offshore managers. Rosseau et al. (2004: 14–15), Artman (2000), and Patrick and James (2004) argue that there is an increasing interest in studying team cognition, based on the fact that teamwork, or working towards a shared goal, requires information sharing and coordination. Shared situational awareness represents the overlap between team members, or the degree to which team members possess the same situational awareness or shared mental models. Shared mental models are "... knowledge structures held by members of a team that enable them to form accurate explanations and expectations for the task, and
Figure 1. Different levels of integration.

in turn, to coordinate their actions and adapt their behaviour to demands of the task and other team members" (Cannon-Bowers et al. 1993: 228, in French et al. 2004).

Figure 1 above illustrates different levels of integration in the virtual communication. The highest level of interaction is the social level.

The challenge is to enable human and technical elements to work together as integrated units. Communication through the use of technology means more than the transfer of knowledge and information. Interoperability must be present in each of the four domains: physical, information, cognitive, and social (Alberts & Hayes, 2005). Videoconferencing requires interoperability on many levels, from the physical (technological) level to the social (organizational) level. At Kristin, the integration between the onshore and offshore organizations has reached the social level. This means that the organization has gained organizational improvements, such as situational awareness or shared understanding and efficient decision-making processes.

Shared understanding/shared situational awareness has a significant impact on the ability of teams to coordinate their work and perform well. Shared understanding affects performance in several ways, such as predicting the behaviors of team members, increasing satisfaction and motivation, and taking actions that benefit the team and the outcomes (Hinds & Weisband, 2003). In the absence of shared understanding, frustrations, conflicts and distrust can develop. In virtual teams, shared understanding is more difficult to generate. At Kristin, the IO mindset and technology have improved the ability to obtain shared understanding.

Below are some statements which illustrate the benefits of integrated operations:

"The collaboration room enables access to important information, where we get to know about each other's tasks and an overall impression of the work onshore and offshore. Thus, we perform the work as a management team, and not only as individuals." (Manager)

"One important aspect with integrated operations at Kristin is the informal communication that happens 16 hours every day. In the operation room I receive a lot of useful information from the other managers who are sharing this room with me." (Manager)

The platform management at Kristin expresses that they aim at behaving as one management team, meaning that they want to co-ordinate problem-solving and decision-making between shifts. Once a week, even in their time off, the platform managers arrange a telephone meeting to discuss and share opinions concerning operation plans and their execution. In this way they develop hands-on knowledge regarding what's going on at the Kristin platform, where tasks are being followed up on and rapidly solved.

"We [the management] are quite co-ordinated across the shifts. We organize a telephone meeting every Thursday: 1) a meeting among the platform managers, and 2) a meeting among platform managers and the O&M supervisor. This is very special I think, I have never experienced this leadership practice at other offshore installations." (Manager)

Performing as an integrated management team has influenced the sharing of common values and philosophy concerning how to organize and run the platform. This has been beneficial in terms of operational efficiency.

"I find that values, norms and philosophy at Kristin are common and shared between the platform managers." (Manager)

"The way we work must not be dependent on who's at work. It matters how we work as a team." (Manager)

Their goals are consistent leadership behaviors and to obtain co-ordinated management solutions across shifts. Nevertheless, this can be challenging to achieve across different shift periods. For example, there are situations where the management team forgets to inform the next shift about all the decisions taken, but these are not critical decisions.
In summary, these are the capabilities or benefits developed through management use of collaboration rooms both offshore and onshore:
• Efficient problem-solving and decision-making processes
• Common ground: shared situational awareness
• Shared leadership practices
• Shared values
In the above we have focused on the benefits of virtual cooperation among leadership teams onshore and offshore. We have also examined whether the collaboration rooms can represent a barrier concerning leadership practice at the platform. The operators working in the O&M-team offshore are located in an office landscape next to the collaboration room. We asked the operators if the co-location of managers hampers or increases a manager’s availability.
We found that the managers themselves wish and try to be available for the operators at any time during the working day, as this statement illustrates:
“My concern is that the management team should be available at all times during the day, even though we are located in the collaboration room. I understand if some of the operators find that it makes us less available, but my wish is to be available as a manager.” (Manager)
Most of the operators are of the opinion that the offshore management team is available, and feel free to contact their managers whenever they need to. The reasons for contacting management during a workday mostly involve the need for signatures and approvals of work orders (WO) and working permits (AT). The operators find that management responds quickly.
“Personally, I have no problems with the managers sitting in the collaboration room. The managers have told us that if the door is locked they are busy. If not, we are welcome.” (Operator)
Nevertheless, some operators find that the co-localization of managers may be a barrier for calling upon the manager’s attention. In some situations, they are unsure of whether or not they are disturbing them. This is when the managers are in contact with the management team onshore, or if one of the managers is having a telephone conversation. The managers say that they try to invite people in when they notice them standing outside the room waiting.
Another challenge concerning virtual management is that some of the managers spend more and more time in virtual space (the collaboration room). This influences how much time the managers offshore spend out in the process plant where the workers spend most of their time. This then influences the amount of time spent together with the operators. Similarly, the leaders onshore spend much time in the collaboration room, and become less present and available to the workers they manage. One of the technical engineers put it this way: “For some of us, the collaboration room becomes like a drug”. What he means is that you become dependent on being present and available in the collaboration room. If you are not present, you may miss important issues and discussions of what is going on during the day.
3.3 Virtual cooperation between the technical management onshore and the operators offshore
At Kristin, the operation and maintenance tasks performed by offshore operators are based on remote support from technical engineers onshore. Their function is not the management of people, but the management of technical tasks within operation and maintenance. For example, there is one domain engineer within the electro discipline who is planning and supporting the work of the electricians on the platform. This engineer is a domain expert and system responsible. A similar situation exists for the other disciplines on board (mechanics, automation, among others). He/she remotely assists the operations performed on the platform on a daily and long-term basis, such as the planning and prioritizing of operation and maintenance tasks. The crew on the platform is very much dependent on the skills and knowledge of these system responsible engineers, and on their availability in the daily decision-making and task-solving processes.
The work practice and virtual cooperation between technical engineers onshore and operators offshore is characterized by telephone meetings, telephone conversations, e-mails, and face-to-face cooperation on the platform. Meetings rarely take place in the collaboration rooms. For example, the electricians and mechanics on the platform have weekly telephone meetings with their technical engineers onshore. In addition, the technical engineers go offshore to Kristin 2–3 times a year, on average. This results in personnel onshore and offshore knowing each other well, and they develop a shared situational awareness of the operation and maintenance conditions.
We find a lot of shared characteristics between the different disciplines, such as the close cooperation between operators within different disciplines and technical engineers. The relation is characterized by mutual trust, and they refer to each other as good colleagues:
“I have a close cooperation with the operators on Kristin. They are highly skilled, work independently, and know the platform very well. I’m in daily dialogue with them, and we have weekly telephone meetings. Together we discuss technical challenges and problems.” (Technical engineer)
“We are very satisfied with the technical support from our discipline expert. We appreciate it when he
comes offshore. It creates a common understanding of the technical problems that we are facing.” (Operator)
The operators trust the technical engineers’ ability, experience, and knowledge to support their work offshore. The engineers have demonstrated competency with the quality of work and behavior necessary to accomplish production at the platform. According to Jarvenpaa and Leidner (1999), teams that highly trust each other tend to perform better. If trust exists in the relationships it means that much of the work involved in monitoring and controlling others becomes less important (McEvily, 2003, pp. 92–93), and this reduces the transaction costs associated with operations. “. . . trust is the willingness to accept vulnerability based on positive expectations about another’s intention or behaviors . . . trust represents a positive assumption about the motives and intentions of another party, it allows people to economize on information processing and safeguarding behaviors”.
It can be difficult to manage and support people you do not see. The daily and close relation between the operators and the technical engineers encourages positive trust relations. Their relation is characterized by a social level of interaction (ref. Figure 1). They know each other quite well (they have met each other in person), and the technical engineers are highly committed to the work they are supposed to manage and support on the platform. These good relations lead to efficient problem-solving and high-quality performance of operations and maintenance on board. Trusting relations between management and workers lead to increased responsibility and power to autonomous workgroups (Skarholt & Finnestrand, 2007). McEvily (2003) argues that the tie sustaining trust becomes stronger because there are additional dimensions and relational contents. In addition to exchanging information and advice, friendships are also developed. Thus, the trust element is the glue, or the foundation, for a flexible structure of communication and enrolment realized through virtual and boundary work (Hepsø, in Jemielniak & Kociatkiewicz (ed), 2008).
We find that the technical management onshore is characterized by a situational leadership style. Examples of situational leadership are as follows:
• Electro: Instructive on strategy, hands-on problem-solving using a participating style
• Programmed maintenance: Instructive on strategy, participating in execution
• Well control: Instructive in steering, participating in POG-activities (production optimizing goals)
The level of complexity concerning the execution of tasks will influence leadership style; whether the style is delegating, participating, persuasive, or instructive. The reason behind different management styles is that some tasks offshore require more instruction than others, such as well control, which is managed and decided onshore by a production engineer. On the other hand, tasks within electro are managed by close cooperation with onshore personnel and are characterized by a participating behavior.
The overall impression is a qualified support from the technical engineers onshore, but there are some challenges. One challenge is that there is a delay in bringing support to the platform, because of the vast number of jobs these engineers have to deal with, both on Kristin and on other platforms they are supporting. In addition, they are involved in many discussions with contractors and suppliers about how to solve technical issues. Nevertheless, problems that are not critical can wait, while some problems need observation and evaluation across shifts. The operators express an understanding for the discipline expert’s situation, and, similarly, the discipline experts express a wish to be able to respond more rapidly, so that the operators are able to accomplish their tasks efficiently. This is an example of how they mutually trust each other in their efforts to obtain confident results regarding operation and maintenance at Kristin.
Another challenge is that the technical support from the onshore organization is very dependent on who is performing it, because it is based on one person’s expertise. If the technical engineer does not manage to provide the necessary support to the platform, this role or function does not work. So, the system is fragile and is dependent on extrovert, available, co-operative, and highly skilled engineers.
We have asked the technical engineers onshore how they experience the availability and involvement of the management team onshore, located in operation rooms. We find that the co-localization of managers in some situations impedes involvement from the technical engineers. The close cooperation between offshore and onshore management in some situations leads to quick decisions where the engineers are not included as part of the decision-making loop. Thus, the collaboration room can be a barrier for involving the experts. This is similar to what the operators offshore experienced. Nevertheless, we find that in critical situations, when their expertise is necessary, the engineers actively take part in discussions and solutions together with the management team.
4 CONCLUSIONS
This paper explores how integrated operations have an impact on leadership practice, and how virtual collaboration creates integration among management teams and personnel onshore and offshore. At Kristin, the concept of integrated operations and the use of collaboration rooms have created shared
situational awareness, which is crucial for obtaining efficient problem-solving and decision-making concerning safety, production and maintenance.
In our study, we find that IO enhances the experience of integration and common understanding between the onshore and offshore organizations, where the virtual contact through the use of collaboration is experienced as “being in the same room”. This results in better and faster decisions, because both the onshore and the offshore managements have in-depth knowledge about the situations/problems.
The challenging aspect of the use of collaboration rooms is that it can impede the managers’ hands-on relationships with people outside this room, such as the relations with the operators/technicians offshore and the technical engineers onshore. Both groups have expressed a wish for more involvement from their management onshore and offshore in problem-solving tasks.
Our focus has been on how organizations can benefit from the use of new and advanced technology. The challenge is not the technology itself, but the organizational aspects, such as developing hands-on leadership practices, clear roles and tasks, common goals, trust, and knowledge and skills. These elements are essential for developing an efficient organization with motivated and skilled employees and managers.
REFERENCES
Alberts, D.S. and Hayes, R.E. (2005), Power to the Edge, Command and Control in the Information Age, CCRP Publication Series.
Artman, H. (2000), Team Situation Assessment and Information Distribution, Ergonomics, 43, 1111–1128.
Bass, B.M. (1990), From transactional to transformational leadership: Learning to share the vision. Organizational Dynamics, (Winter), 19–31.
Bass, B.M. and Avolio, B. (1994), Improving Organizational Effectiveness Through Transformational Leadership. Thousand Oaks, Calif.: Sage.
Eldon, M. and Levin, M. (1991), Co-generative learning: Bringing participation into action research. In William Foote Whyte (Ed.), Participatory action research (pp. 127–142). Newbury Park, CA: Sage.
French, H.T., Matthew, M.D. and Redden, E.S. (2004), Infantry Situation Awareness. In Banbury, S. and Tremblay (ed), A Cognitive Approach to Situation Awareness: theory and application, Ashgate Publishing Company, Burlington VT, USA.
Hinds, P.J. and Weisband, S.P. (2003), Knowledge Sharing and Shared Understanding. In Gibson, C.B., Cohen, S.G. (ed) (2003): Virtual Teams that Work, Creating Conditions for Virtual Team Effectiveness, Jossey Bass.
Henriques, A. et al. (2007), Integrated Operations: how Statoil is managing the challenge of change. Management Focus, vol. 25.
Hepsø, V. (2008), Boundary-spanning practices and paradoxes related to trust among people and machines in a high-tech oil and gas environment. In: Jemielniak, D. & Kociatkiewicz (ed), Management Practices in High-Tech Environments.
Hersey, P. and Blanchard, K.H. (1977), Management of organization behavior: utilizing human resources (3rd ed.), Prentice-Hall, Englewood Cliffs, NJ.
Jarvenpaa, S.L. and Leidner, D.E. (1999), Communication and trust in Virtual Teams. Organization Science, 10(6), 791–815.
Maznevski, M.L. and Chudoba, K.M. (2000), Bridging Space over Time: Global Virtual Team Dynamics and Effectiveness, Organization Science, 11(5), 473–492.
Mayer, R.C., Davis, J.H. and Schoorman, F.D. (1995), An Integrative Model of Organizational Trust. The Academy of Management Review, 20(3).
McEvily, B., Perrone, V. and Zaheer, A. (2003), Trust as an Organizing Principle. Organization Science, 14(1), 99–103.
Patrick, J. and James, N. (2004), A Task-Oriented Perspective of Situation Awareness. In Banbury, S. and Tremblay (ed), A Cognitive Approach to Situation Awareness: theory and application, Ashgate Publishing Company, Burlington VT, USA.
Rousseau, R., Trembley, S. and Breton, R. (2004), Defining and Modelling Situation Awareness: A critical Review. In: Banbury, S. and Tremblay (ed), A Cognitive Approach to Situation Awareness: theory and application, Ashgate Publishing Company, Burlington VT, USA.
Skarholt, K. and Finnestrand, H.O. (2007), The influence of trust in an industrial team organization: How different organizational cultures affect trust building and maintenance. Paper for the 23rd EGOS Colloquium, Vienna.
Steuer, J. (1992), Defining Virtual Reality: Dimensions Determining Telepresence, Journal of Communications, 42(4), 73–93.
Strauss, A.L. and Corbin, J. (1998), Basics of qualitative research: Techniques and procedures for developing grounded theory (2nd ed.). Thousand Oaks, CA: Sage.
Wadel, Carl Cato (2005), Når medarbeidere må lede hverandre—organisasjonsendring mot mer medarbeiderledelse. Tidsskrift for Arbejdsliv, 7. årg, nr. 4.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: This paper presents a framework for the management of maintenance outsourcing in a service provider company. It proposes key aspects for taking decisions in a well-established and controlled organization. Cost is not the most important aspect to consider in outsourcing; the decision has to be a global and strategic idea inside the company. Of course, not only the directors must take part, but also the technical personnel of maintenance. We are trying to offer a basic guide to establishing an outsourcing service, with guidelines and possible evolution. It is based on a practical view of knowledge management over ten years of professional experience focused on networks. Below there is a case study which demonstrates a methodology for decision-making and shows how to optimize the organization without losing differing levels of knowledge. For this, we employ quantitative and qualitative criteria to obtain a wide consensus and acceptance.
1 INTRODUCTION
Outsourcing in maintenance is a practice that is increasingly used (Elfing & Duening 1994), especially by service providers. Although the decision to outsource is not a simple decision, it is a strategic decision (Click & Duening 2005) for an organization, and as such it should be aligned with the business so as to impact positively on the objectives of the organization.
There are different strategic reasons for which people decide to execute processes of outsourcing. For example, many managers who are carrying out a process of outsourcing believe that it amounts to handing over the responsibility of managing a part of the business to the supplier. Other motives are primarily economic, an issue which endangers the control of outsourcing.
Faced with this, it is advisable to carry out the process guided by decision-making steps, to ensure that the outcome of outsourcing in maintenance is properly reached. In this document we attempt to provide a framework for guiding the implementation of outsourcing in service provider companies.
For this, we have structured this document in five parts. In the first two, points 2 and 3, we begin with a basic review of outsourcing and of maintenance in service providers. Then, in point 4, we develop the reference model that is proposed, and we finish with a case study and conclusions.
2 OUTSOURCING
Outsourcing is defined as the delegation of business functions, totally or partially, to another company along with part of the administrative and operational control. Therefore, a contractual relationship governed by service agreements is established between two companies, a supplier and a customer.
Mainly, with a process of outsourcing we are looking for specialization in activities that are not key for the organization (Elfing & Duening 1994), such as systems, accounting, buildings, human resources, call centres, engineering, logistics, etc., to which it can transfer the resources that formerly bore those functions.
The decision to outsource is a strategic decision (Earl 1996), aimed at improving the objectives of the organization:
• Improving Quality
• Improving Security
• Reducing Cost
• Optimizing Resources
Therefore, the organization should focus its efforts on improving those functions that are a source of competitive advantage and more profitable for the core business.
Outsourcing has several advantages and disadvantages (Alexander & Young 1996, Halvey & Melby
2005, Jharkharia & Shankarb 2005, Tho 2005), and among the advantages we can list:
• Reduction of costs, at the same quality, by employing a more specialized supplier
• Restructuring of costs, changing fixed costs into variable costs in terms of services provided
• Stimulates local employment through contracts with local firms
• Obtaining rapid budget by selling assets
• Improvement of quality, through higher specialization
• Access to outside expert knowledge
• Standardization and access to scale economies
• Frees resources for other purposes
• Improves company focus
• Improves management of functions that are difficult to handle
• Optimizes routine tasks
• Shares the risk of demand fluctuation with the supplier company
• Provides legal guarantees for services
• Relationships developed between financial aspects and levels of service
• Starting point for changes in the organization
• Speed through reengineering
We also have to consider potential risks and disadvantages which affect any outsourcing plan:
• Unfulfilled or questionable expectations, for the scenario developed to generate the process of outsourcing.
• Changes in quality due to breach of agreements on services, either because of the knowledge or capabilities of the supplier company, or because of errors in the definition of the agreements by the client company.
• Loss of knowledge or skills through transfer to the supplier, where it is more difficult to retain and improve them; this happens frequently.
• Loss of control over the externalized functions, a source of learning for the internal staff.
• Dependence on the supplier could cause adverse consequences for the client (extraordinary investments).
• Loss of security through staff transferred to the supplier, by deception and illegal transmission of knowledge and information to competitors.
• Public and internal opinion about outsourcing jobs to another company.
• Loss of motivation of staff involved in the service, because it can create a feeling of alienation within the client company and result in the staff feeling their jobs are valueless.
Although the decision about which activities are to be outsourced is often described as the beginning of the process, the process should really begin much earlier, defining the mechanisms to start from a stable situation where the organization is controlled, and avoiding a difficult management of change.
Maintenance outsourcing could be an advantage as in other businesses, with the aim of devoting most of the internal efforts to the core processes and seeking the specialization of external agents. However, it should be guided by three types of criteria: strategic, technical and economic.
Organizations often outsource those activities which have work patterns that fluctuate in their burden and performance, and maintenance, especially within distribution networks, meets this requirement.
Below, we describe the nature of maintenance in companies of distribution services and consider them for the decision of outsourcing.
3 MAINTENANCE IN SERVICES PROVIDERS
Maintenance is characterized as a highly complex field inside business and involves various disciplines: management, human resources, company economy, security, and knowledge of the whole production chain. Another consideration is that maintenance activities are at all times under pressure to reduce costs, rather than being valued for the benefits they bring or the damages they avoid (Carter 2001, Mitchell et al. 2002) for the company. A sign of this importance is the weight of O&M activities in GDP, 9.4% in Spain (AEM 2005), while other international studies put it between 15% and 40% depending on the sector (Mulcahy 1999, Mobley 2002).
The concurrence of these disciplines implies that it can be difficult to determine the appropriate decision every time.
On the other hand, we can define a service provider company as one that provides clients certain services that are supported and distributed by a network infrastructure, such as gas, water, electricity, telecommunications companies, etc. This infrastructure is often organized and composed of elements arranged in hierarchical structures and replicated by areas of distribution (Fig. 1). These companies fulfill the following characteristics:
1. Elements geographically dispersed and in non-optimal environmental conditions
2. High number of interconnected elements
3. High number and classes of customers
4. Hierarchical structure in networks with levels of aggregation of customer service
5. The network is dynamic and undergoes configurational and operational changes
6. High needs of human resources and spares
In these types of enterprises, maintenance is a key department (Earl 1994), by its contribution to look
[Figure: network hierarchy; labels: Source; Primary connections; Secondary connections; Tertiary connections; Customer link]
[Figure: reference model steps; labels: 1º Mission and objectives; 2º Department strategy; 3º Processes and activities; 4º Control system; 5º Change management]
outsourcing and maintenance, in search of efficiency, through a balance between quality and cost. The implementation of a complete management system can reduce the annual budget of maintenance by between 10% and 30% (Crain 2003, PMRC 2004), the main improvements being in cost and task control, which are vital in the control of outsourcing.
In addition, based on Campbell and Jardine (2001) and standards, we can consider that the minimum support systems for a Computerized Maintenance Management System (CMMS), also called Maintenance Management Information System (MMIS) (Pintelon & Gelders 1992), are six (Fig. 3):
• CRM, Customer Relationship Management
• Documentary management system
• Knowledge management system.
4.4.5 Balanced scorecard in maintenance and with other systems
The balanced scorecard is a pillar in the evaluation and control of compliance with the department objectives. Its aims are the alignment of the department with company strategy; it relates all activities, processes, systems and resources with the operational and strategic objectives (UNE 66174 2003, UNE 66175 2003, Kaplan & Norton 1996).
To this end, it collects a coherent set of indicators: financial, about business, customer relationship and continuous improvement.
4.4.6 Expert support system for taking decisions
This system gives support for taking decisions with maximum information, to facilitate the achievement of objectives (Davis 1988). The recommendation is that it be formed as a module that integrates:
1. Decision Support System (DSS) for decision making (Turban 1988, Bui & Jarke 1984) through scientific models based on all the information from the systems.
2. Expert System (ES) (Shu-Hsien 2005) to emulate, through artificial intelligence, human reasoning like an expert.
This module applies both information management and statistical models (Marple 1987) and simulations to submit patterns and solutions that facilitate decision making in maintenance (Iserman 1984, Jardine & Banjevic 2006).
4.5 Supplier selection
Once the reach of outsourcing is defined, from a stable situation, it proceeds to supplier selection and the planning of the outsourcing implementation. There are many considerations to take into account during this negotiation to avoid the risks listed above, but the main point is that it is a collaborative negotiation or win-win process, with the supplier as a strategic partner. It is advisable to guide suppliers to offer services based on the levels of their knowledge, and thus avoid the approach of only reducing cost.
The aspects most favoured when selecting a supplier are:
• Experience in the sector
• Flexibility on demand for services
• Confidence
• Technical and economic solvency
• Will to collaborate, oriented to services as strategic support
• Transparency of suitable pricing
4.6 Management of changes
Planning a correct transition is important; it is a learning phase oriented to the supplier for fulfilling the agreed service levels. On the other hand, to ensure business continuity in outsourcing, a transitional phase should also be considered, as well as a possible reversion, distinguishing whether it occurs in the transitional phase, at any time, or at the end of the contract.
Working with an outsourcing model of these characteristics implies important changes for everyone, especially those responsible teams that have to take a much more participatory role in management.
5 A CASE STUDY IN A TELECOMMUNICATIONS COMPANY
As an example, to simplify, we will only focus on the outsourcing decision in a telecommunications provider, to evaluate the importance of each activity by its contribution towards the maintenance goals and to decide which activities could be outsourced.
From a strategic point of view (Kaplan & Norton 1996, Campbell & Jardine 2001, EFQM 2006), it must abide by basic maintenance objectives, which are summarized in the following six categories:
1. Management
2. Economical
3. Production or business
4. Quality or related to customers
5. Security, environmental and ethics
6. Evolution and Improvement
On the other hand, from a tactical point of view, the processes of the department should also be taken into account: corrective, preventive, predictive, proactive and perfective.
From an operational point of view, maintenance activities have to be considered. To simplify the study, only the most important of these activities are considered:
1. To manage incidents, all kinds of incidences
2. Monitoring alarms and status of network and services
3. On demand activities, to support other internal departments in the field
4. Preventive activities
5. Predictive activities, analysis to avoid or minimize future impacts
6. Perfective activities. Improvement plans or tasks to optimize infrastructure and services
7. Logistics. Stores management and spares
8. Budget and human resources. To control budget, resources, tools, staff, vehicles, etc.
9. Security. To control security, health and safety risks
10. Documentation and compilation of processes, procedures, reports, etc.
Table 1. Relative importance between variables (Saaty scale).
1 Same; 3 Weak; 5 Strong; 7 Proven; 9 Absolute
1/3 Slightly less; 1/5 Less; 1/7 Much less; 1/9 Absolutely less
Intermediate values (2, 4, 6, 8 and 1/2, 1/4, 1/6, 1/8) if necessary

Table 2. Random consistency index (ICrandom) by matrix order n.
n         2     3     4     5     6     7     8     9
ICrandom  0     0.58  0.9   1.12  1.24  1.32  1.41  1.45

For decision-making, we rely on the properties of the AHP method (Saaty 1977, 1980, 1990) for group decisions (Dyer & Forman 1992) by selected maintenance experts from several hierarchical levels. The Analytic Hierarchy Process (AHP) is a methodology to synthesize a solution (a matrix) of a complex problem through a breakdown into hierarchically ordered parts, quantifying and comparing variables in pairs with a normalized and reciprocal scale of relative importance (Tab. 1).
This method can use subjective values, which implies a degree of uncertainty or lack of reliability. To measure reliability, the coefficient RC is used: the ratio between the consistency index IC of a pairwise comparison matrix and the value of the same index for a randomly generated pairwise comparison matrix (Tab. 2). The reliability is sufficient if RC is smaller than or equal to 0.10; otherwise, the matrix must be reviewed.
$RC = \frac{IC}{IC_{random}} \le 0.1$ (1)
$IC = \frac{\lambda_{max} - n}{n - 1}$ (2)
So, the problem is hierarchically structured with criteria and alternatives, in three levels:
1. Goal
2. Maintenance objectives as criteria
3. Activities as alternatives
For valuing the objectives, an expert group poll with qualitative criteria depending on their strategic importance is used. Each technician of a group of six compares them employing Table 1, and afterwards the resulting matrix (Fig. 5) is built by weighing the average of the individual values (Fig. 4); e.g. 0.21 (the second cell of the first row in Figure 5) is calculated by dividing the geometric mean (3.086) of the six individual values (3, 4, 3, 2, 4, 3) by the sum of the second column in Figure 4 (14.5), and in the same manner for the rest of the matrix.
Successive matrices of the activities compared according to each strategic objective were developed (with RC indices all less than 0.06, valid), with the exception of cost, where we employ the activity budget rate (quantitative criterion). These matrices are multiplied by their respective eigenvector (W) to obtain this contribution in one column (Tab. 3).
In short, the weights for the activities in Table 4 are obtained by multiplying each cell of Table 3 by the respective cell in the same column of the W vector of Figure 5. Then the activities are ranked depending on their importance in relation to the objectives of maintenance:
1. Budget and Human Resources 17.70%
2. Documentation 13.96%
3. Predictive 13.58%
4. Perfective 12.15%
5. Monitoring 10.87%
6. Preventive 10.31%
The less valued activities are:
7. Security 7.00%
8. Manage Incident 6.84%
9. Logistic 5.11%

Figure 4. Matrix completed with the average of six individual comparisons.
wij         Quality  Cost   Production  Management  Security  Improvement
Quality     1        3.09   0.50        2.40        0.46      1.12
Cost        0.32     1      0.30        1.51        0.22      0.55
Production  1.99     3.37   1           3.36        0.93      1.70
Management  0.42     0.66   0.30        1           0.17      0.46
Sum         6.8      14.5   3.8         16.2        3.6       6.1

Table 3. Matrix of activity rates for each objective.
Activity              Quality  Cost   Production  Management  Security  Improvement
Manage Incident       0.117    0.058  0.076       0.057       0.056     0.040
Monitoring            0.094    0.104  0.107       0.068       0.109     0.145
On demand activities  0.026    0.022  0.021       0.028       0.0266    0.027
Preventive            0.074    0.085  0.099       0.074       0.122     0.125
Predictive            0.166    0.109  0.121       0.121       0.115     0.185
Perfective            0.126    0.112  0.122       0.148       0.093     0.162
Logistics             0.039    0.069  0.072       0.031       0.039     0.050
Budget and Human R.   0.147    0.310  0.271       0.285       0.110     0.073
Security              0.064    0.048  0.037       0.040       0.115     0.069
Documentation         0.148    0.083  0.074       0.149       0.214     0.123
Table 4. Matrix of activities rates according to their impor- knowledge in maintenance thanks to information
tance in relation with strategic objectives. systems facilities, ‘‘e-maintenance’’ (Yua et al. 2003,
IMSCENTER 2007):
Qual- Cost Produc- Manag- Secu- Improv-
ity tion ement rity ement
• Facilitate manage agreements on service levels
and delivery service reports. Then IT contributes
Manage to effectiveness and efficiency.
incident 0.019 0.004 0.019 0.004 0.016 0.006 • Orientation towards services more than elements of
Monitoring 0.015 0.008 0.027 0.004 0.032 0.023 infrastructure, searching for continuous improve-
On demand ment in services and processes to reduce costs and
activities 0.004 0.002 0.005 0.002 0.008 0.004 times, and to improve value and quality.
Preventive 0.012 0.006 0.025 0.005 0.036 0.019
The aim with this model is to increase decision
Predictive 0.026 0.008 0.031 0.008 0.034 0.029 reliability with experience, and in accordance with
Perfective 0.020 0.008 0.031 0.009 0.027 0.025 department strategy:
Logistics 0.006 0.005 0.019 0.002 0.012 0.008
Budget and
1. Improved organization and structure
Human R. 0.023 0.023 0.070 0.018 0.032 0.011 2. Using a rational and logical analysis, it seeks a
Security 0.010 0.004 0.009 0.002 0.034 0.011
solution for a complex problem with various alter-
Documen- natives in conflict and in conditions of uncertainty
tation 0.023 0.006 0.019 0.009 0.063 0.019 [DIXON66]
3. Aligned with company strategy, it considers pro-
cesses, objectives and activities
Produc- Manage- Secu- Impro-
4. Employment qualitative criteria, to rationalize
wij Quality Cost
tion ment rity vement intangible quality and value judgments from
Quality 0,15 0,21 0,13 0,15 0,13 0,18 experts to extract specialists knowledge
Cost 0,05 0,07 0,08 0,09 0,06 0,09
5. Promote positive attitudes towards improving
Production 0,29 0,23 0,27 0,21 0,26 0,28
maintenance
6. Consensus in groups with different interests
Management 0,06 0,05 0,08 0,06 0,05 0,08
7. Categorize alternatives
Security 0,32 0,31 0,28 0,35 0,28 0,21
8. Improve interactively
Improvement 0,13 0,13 0,16 0,13 0,22 0,16 9. Report processes for future developments
10. Easy to use and flexible with information available
W 0,159 0,073 0,257 0,062 0,294 0,156
This method reduces time in decision making,
increases quality and security of the final decision,
Figure 5. Weights in strategic criteria (RC = 0.01579,
acceptable). and produces motivation and satisfaction with goals
and team work.
In conclusion, according to maintenance outsourc-
10. On demand activities 2.49% ing in a service provider, it suggests that to compose
levels of externalisation progressively in time, increas-
This situation conducts processes of externalization
ing internal knowledge and control about activities
towards these last four routine and repetitive activi-
before to recruit once. That is, to make a partial
ties with not crucial importance to the core business.
outsourcing:
The expert group feels motivated with this decision
for participating, and it is suggested to advance more • with a flexible contract
in outsourcing after a stable period externalizing: • guarantee business productivity through service
level agreement
• Monitoring, at least first attention level
• devoting staff to manage contractual relationship
• Preventive maintenance, guiding planning inter-
and monitor services
nally by predictive and perfective maintenance
• outsourcing should be guided primarily by strategic
criteria
6 CONCLUSION But it should carry out the analysis with caution,
because in the case of outsourcing the level beyond
This reference model has been implemented in at the norm, there is a point of Irreversibility of decision
least two companies in distribution of telecommuni- where it would be impossible to react, this point
cations services, and as such can be developed in a is where the procedure to prevent consequences
high depth and customization for certain scenarios. expressed would be unacceptable to act upon due to
In addition, it is possible to increase control and time and resources.
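The AHP procedure described above, as an added worked example in Python (not code from the paper): column-normalisation of the comparison matrix to obtain W (Figure 5), the consistency check of equations (1) and (2) against Table 2, and the Table 3 times W ranking that yields Table 4 and the ordered list of activities. It uses the page's own numbers except where marked: the Security and Improvement rows of Figure 4 are not legible on the page and are rebuilt here from the AHP reciprocity rule a_ji = 1/a_ij, and the single Security-versus-Improvement judgement (1.28) is an assumption estimated from Figure 5 (0.21 times the column total 6.1). No third-party packages are needed.

```python
# Added worked example (not the paper's code): AHP weights, consistency check
# and activity ranking with the paper's own figures.  Plain Python 3.

CRITERIA = ["Quality", "Cost", "Production", "Management", "Security", "Improvement"]

# Table 2: consistency index of randomly generated comparison matrices, by order n.
IC_RANDOM = {2: 0.00, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

# Figure 4, the four rows legible on the page (average of six expert comparisons).
FIG4_ROWS = [
    [1.00, 3.09, 0.50, 2.40, 0.46, 1.12],   # Quality
    [0.32, 1.00, 0.30, 1.51, 0.22, 0.55],   # Cost
    [1.99, 3.37, 1.00, 3.36, 0.93, 1.70],   # Production
    [0.42, 0.66, 0.30, 1.00, 0.17, 0.46],   # Management
]
# ASSUMPTION: the Security-vs-Improvement judgement is not on the page; it is
# estimated from Figure 5 (0.21 x column total 6.1).  Not a value from the paper.
SECURITY_VS_IMPROVEMENT = 1.28

# Table 3: rate of each activity against each objective (columns in CRITERIA order).
ACTIVITY_RATES = {
    "Manage Incident":            [0.117, 0.058, 0.076, 0.057, 0.056, 0.040],
    "Monitoring":                 [0.094, 0.104, 0.107, 0.068, 0.109, 0.145],
    "On demand activities":       [0.026, 0.022, 0.021, 0.028, 0.0266, 0.027],
    "Preventive":                 [0.074, 0.085, 0.099, 0.074, 0.122, 0.125],
    "Predictive":                 [0.166, 0.109, 0.121, 0.121, 0.115, 0.185],
    "Perfective":                 [0.126, 0.112, 0.122, 0.148, 0.093, 0.162],
    "Logistics":                  [0.039, 0.069, 0.072, 0.031, 0.039, 0.050],
    "Budget and Human Resources": [0.147, 0.310, 0.270, 0.285, 0.110, 0.073],
    "Security":                   [0.064, 0.048, 0.037, 0.040, 0.115, 0.069],
    "Documentation":              [0.148, 0.083, 0.074, 0.149, 0.214, 0.123],
}


def criteria_matrix():
    """Rebuild the 6x6 comparison matrix of Figure 4.

    Rows 1-4 are copied from the page.  Rows 5-6 (Security, Improvement) are
    missing from the page and are filled by the AHP reciprocity rule
    a[j][i] = 1 / a[i][j] (an assumption: the paper averaged expert judgements,
    which is only approximately reciprocal) plus the estimated entry above.
    """
    n = len(CRITERIA)
    known = len(FIG4_ROWS)
    a = [list(row) for row in FIG4_ROWS] + [[0.0] * n for _ in range(n - known)]
    for i in range(known, n):
        for j in range(n):
            if i == j:
                a[i][j] = 1.0
            elif j < known:
                a[i][j] = 1.0 / a[j][i]
    a[4][5] = SECURITY_VS_IMPROVEMENT
    a[5][4] = 1.0 / SECURITY_VS_IMPROVEMENT
    return a


def column_totals(a):
    """Column sums of the comparison matrix (the bottom row of Figure 4)."""
    return [sum(row[j] for row in a) for j in range(len(a))]


def priority_vector(a):
    """Figure 5: divide each cell by its column total, then average each row -> W."""
    totals = column_totals(a)
    n = len(a)
    return [sum(a[i][j] / totals[j] for j in range(n)) / n for i in range(n)]


def consistency_ratio(a, w):
    """Equations (2) and (1): lambda_max -> IC -> RC = IC / IC_random.

    RC <= 0.1 means the pairwise judgements are consistent enough to use.
    """
    n = len(a)
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ic = (lambda_max - n) / (n - 1)
    return ic / IC_RANDOM[n]


def rank_activities(w, rates=ACTIVITY_RATES):
    """Table 4 and the ranked list: weight each Table 3 cell by W and sum the row."""
    scores = {name: sum(r * wj for r, wj in zip(row, w)) for name, row in rates.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    a = criteria_matrix()
    w = priority_vector(a)
    rc = consistency_ratio(a, w)
    print("W =", [round(x, 3) for x in w], "RC = %.4f" % rc,
          "(acceptable)" if rc <= 0.1 else "(review the comparisons)")
    for name, score in rank_activities(w):
        print("%-27s %5.2f%%" % (name, 100 * score))
```

Running it reproduces W to within the rounding of Figure 5, an RC of about 0.02 (the paper reports 0.01579) and the same ordering of the ten activities. Note what the check establishes: RC <= 0.1 only says the experts' pairwise judgements are internally consistent, not that they are right. The ordering is also sensitive where activities are close: Security (7.0%) and Manage Incident (6.8%) are separated by under 0.2 percentage points, so small changes in W can swap them, which matters if the outsourcing boundary is drawn between them.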
REFERENCES

AEM, Asociación Española de Mantenimiento. 2005. El Mantenimiento en España: Encuesta sobre su situación en las empresas españolas.
Alexander M. & Young D. 1996. Strategic outsourcing. Long Range Planning 29 (1): 116–119.
Benoît Iung 2006. CRAN Laboratory Research Team PRODEMAS in Innovative Maintenance and Dependability. Nancy University, Nancy Research Centre for Automatic Control (CRAN), CNRS UMR 7039 (http://www.cran.uhp-nancy.fr).
Bourne M. & Neely A. 2003. Performance measurement system interventions: the impact of parent company initiatives on success and failure. Journal of Operation and Management.
Campbell J.D. & Jardine A. 2001. Maintenance excellence. New York: Marcel Dekker.
Carter, Russell A. 2001. Shovel maintenance gains from improved designs, tools and techniques. Elsevier Engineering Information.
Click R.L. & Duening T.N. 2005. Business Process Outsourcing: The Competitive Advantage. John Wiley & Sons, Inc.
CMMI Product Team, Software Engineering Institute 2007. CMMI® for Development, Version 1.2 (CMMI-DEV, V1.2). CMU/SEI-2006-TR-008, ESC-TR-2006-008.
COBIT [Control Objectives for Information and related Technology] 1992. Objetivos de Control para la información y Tecnologías relacionadas. Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI).
Crespo M.A., Moreu de L.P. & Sánchez H.A. 2004. Ingeniería de Mantenimiento. Técnicas y Métodos de Aplicación a la Fase Operativa de los Equipos. Aenor, Spain.
Crespo M.A. 2007. The Maintenance Management Framework. Models and Methods for Complex Systems Maintenance. London, UK: Springer.
Davenport T. 1993. Process innovation: Reengineering work through Information Technology. Harvard Business School Press.
Dixon J.R. 1966. Design engineering: inventiveness, analysis, and decision making. New York: McGraw-Hill, Inc.
Dyer R.F. & Forman E.H. 1992. Group decision support with the Analytic Hierarchy Process. Decision Support Systems.
Earl M.J. 1994. The New and the Old of Business Process Redesign. Journal of Strategic Information Systems, vol. 3.
Earl M.J. 1996. The Risks of Outsourcing IT. Sloan Management Review 37: 26–32.
Elfing T. & Baven G. 1994. Outsourcing technical services: stages of development. Long Range Planning 27 (5): 42–51.
EN 13306:2001. Maintenance Terminology. European Standard. CEN (European Committee for Standardization), Brussels.
European Foundation for Quality Management. 2006. EFQM Framework for Management of External Resources. By EIPM and EFQM.
Fixler D.J. & Siegel D. 1999. Outsourcing and Productivity Growth in Services. Structural Change and Economic Dynamics.
Gelders L. & Pintelon L. 1988. "Reliability and maintenance" in: Dorf, R.C. and Nof, S.J. (eds.), International Encyclopedia of Robotics, Application and Automation. Wiley, New York.
Goldratt E. 1997. Cadena Crítica. Ediciones Díaz de Santos.
Grossman G.M. & Helpman E. 2002. Integration versus Outsourcing in Industry Equilibrium. The Quarterly Journal.
Halvey J.K. & Melby B.M. 2005. Information Technology Outsourcing Transactions: process, strategies and contracts. John Wiley & Sons, Inc.
Hammer M. & Champy J. 1993. Reengineering the Corporation. Harper Business.
Hammer M. 1990. Reengineering Work: Don't Automate, Obliterate. Harvard Business Review.
Ian Tho 2005. Managing the Risks of IT Outsourcing. Elsevier Butterworth-Heinemann.
Intelligent Maintenance Centre 2007. www.imscenter.net.
Isermann R. 1984. Process fault detection based on modelling and estimation methods. Automatica.
ITSMF, IT Service Management Forum 2007. ITIL v3, Information Technology Infrastructure Library; ITIL v2, Information Technology Infrastructure.
Jardine A.K.S., Lin D. & Banjevic D. 2006. A review on machinery diagnostics and prognostics implementing condition based maintenance. Mechanical Systems and Signal Processing.
Jharkharia S. & Shankar R. 2005. Selection of logistics service provider: An analytic network process (ANP) approach. International Journal of Management Science, Omega 35 (2007): 274–289.
Kaplan, Robert S. & David P. Norton 1996. The Balanced Scorecard: Translating Strategy Into Action. Boston, MA: Harvard Business School Press.
Kent Allen 1990. Encyclopedia of Computer Science and Technology. CRC Press.
Klein, M.M. 1994. The most fatal reengineering mistakes. Information Strategy: The Executive's Journal 10(4): 21–28.
Lee J. 1995. Machine performance monitoring and proactive maintenance in computer-integrated manufacturing: review and perspective. International Journal of Computer Integrated Manufacturing.
Lee J. 2004. Infotronics-based intelligent maintenance system and its impacts to closed-loop product life cycle systems. Proceedings of the IMS'2004 International Conference on Intelligent Maintenance Systems, Arles, France.
Levitt Joel 2003. Complete Guide to Preventive and Predictive Maintenance. Industrial Press.
M. Davis 1988. Applied Decision Support. Prentice Hall, Englewood Cliffs.
Marple S.L. 1987. Digital Spectral Analysis. Prentice Hall.
Mike Crain 2003. The Role of CMMS. Industrial Technologies Northern Digital, Inc.
Mitchell Ed., Robson Andrew & Prabhu Vas B. 2002. The Impact of Maintenance Practices on Operational and Business Performance. Managerial Auditing Journal.
Mobley Keith 2002. An Introduction to Predictive Maintenance. Elsevier.
Mulcahy R. 1999. The CMMS technology revolution: why "Best-of-Breed" will still be best. International Journal of Maintenance and Asset Management.
Nakajima Seiichi 1992. Introducción al TPM (Mantenimiento Productivo Total). Productivity Press.
Neely A.D., Gregory M. & Platts K. 1995. Performance Measurement System Design: A Literature Review and Research Agenda. International Journal of Operations and Production Management.
Peters T. & Waterman H.R. Jr. 1982. In Search of Excellence.
Pintelon L.M. & Gelders L.F. 1992. Maintenance management decision making. European Journal of Operational Research.
Ren Yua, Benoît Iung & Hervé Panetto 2003. A multi-agents based E-maintenance system with case-based reasoning decision support. Engineering Applications of Artificial Intelligence 16: 321–333.
Saaty T.L. 1977. A Scaling Method for Priorities in Hierarchical Structures. Journal of Mathematical Psychology 15: 234–281.
Saaty T.L. 1980. The Analytic Hierarchy Process. McGraw Hill.
Saaty T.L. 1990. How to make a decision: The analytic hierarchy process. European Journal of Operational Research.
Shu-Hsien Liao 2005. Expert system methodologies and applications: a decade review from 1995 to 2004. Expert Systems with Applications 28: 93–103. Elsevier.
Tanenbaum, Andrew S. 1991. Computer Networks. Prentice-Hall.
The Institute of Electrical and Electronics Engineers, Inc. 1993. IEEE 1219. Standard for Software Maintenance.
The Plant Maintenance Resource Center 2004. CMMS Implementation Survey Results 2004. The Plant Maintenance Resource Center.
Tung Bui & Matthias Jarke 1984. A DSS for cooperative multiple criteria group decision making. STERN School of Business, Working Paper Series IS-84-45.
Turban E. 1988. Decision Support and Expert Systems: Managerial Perspectives. New York: Macmillan.
UNE 66174 2003. Guide for the assessment of quality management system according to UNE-EN ISO 9004:2000 standard. Tools and plans for improvement. UNE.
UNE 66175 2003. Systems of Indicators. UNE.
UNE-EN ISO 9001:2000. Quality management systems: Requirements. International Organization for Standardization.
Wireman T. 1991. Total Productive Maintenance. Industrial Press.
Yan S.K. 2003. A condition-based failure prediction and processing-scheme for preventive maintenance. IEEE Transactions on Reliability.
Zhu G., Gelders L. & Pintelon L. 2002. Object/objective-oriented maintenance management. Journal of Quality in Maintenance Engineering.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
J. Hovden
Department of Industrial Economics and Technology Management,
Norwegian University of Science and Technology (NTNU), Trondheim, Norway
ABSTRACT: This paper presents and discusses four safety rule modification processes in the Norwegian
railway system. It focuses upon the impact from the processes upon railway knowledge and in particular the
ambitions to change from predominantly experience based prescriptive rules towards risk based outcome oriented
rules, i.e. a deductive top-down approach to rule development.
The cases met this challenge with an inductive bottom-up approach to rule development, a strategy given the
name ‘‘reverse invention’’. Discussions about the new approach and the processes of reverse invention stimulated
inquiries into railway knowledge that revived this knowledge. It remained uncertain whether the inquires resulted
in actual new knowledge. The new approach also stimulated a reduction of relational and contextual elements
of the railway knowledge. According to theory these elements are important for the ability to decode theoretical
knowledge and to judge its relevance for future use.
a dynamic hierarchy of safety rules, see for instance Hale et al. (1997), Hovden (1998). Risk assessment is often required to decide upon the necessity of rules. Such an approach to the development of safety rules can be seen as a deductive and risk based top-down approach to rule development (Hovden, 1998).

The change from experience based prescriptive rules towards rules for safety management and outcomes based on risk assessments represents a change in the knowledge base for the rules. This implies a change in the attention to and selection of the knowledge that will be considered relevant and expressed through the rules, i.e. from knowledge about what to do under certain conditions towards knowledge about intended outcomes.

The new approach to rule modification can be seen as a change in the dominating type of rationality and knowledge. As the tradition has been that rules are developed in accordance with the rule developers' current understanding of the actual situation, the logic of appropriateness has played an important role (March, 1994). The knowledge base here is familiarity and experience. This knowledge is rather implicit, i.e. tacit, and information is treated intuitively. Ellström (1996) labels the knowledge perspective of this tradition "intuitively-contextual".

The increased emphasis upon goals in outcome oriented rules requires rule makers to identify possible alternatives and choose between them in accordance with their contribution to the preset goals of the rules. This approach is linked to another type of rationality that March (1994) calls rationalistic choice based decision making. This form of decision making is preference based and is supposed to apply the logic of consequence. March argues that the logic of consequence makes great demands on the abilities of individuals and institutions to anticipate the future and to form useful preferences.

The introduction of risk analyses represents an additional move in this direction. Perrow (1999) argues that such a development represents a strengthening of the tradition of absolute rationality. This is a form of rationality wherein calculations can be made about risks and benefits, clearly showing which activities we should prefer. Risk analyses thus serve as support for choice based decision-making as described by March (1994).

The scientific nature of the outcome oriented rules and risk analyses also resembles the highest level of technical rationality described by Schön (1991). Here the strategy is "first thinking and then acting". Ellström (1996) labels the knowledge perspective of this tradition "rationalistic". The dominating knowledge base of this knowledge tradition is theoretical and explicit, and the treatment of information is analytical. Lindblom (1959) argues that the rationalistic strategy implies that decisions have to start from new fundamentals each time. They only build upon the past when experiences are embodied in a theory. The decision-makers are always prepared to start from the ground up, i.e. from scratch.

Seen together, this theory indicates that changing an experience based, prescriptive safety rule tradition towards outcome oriented rules based on risk analyses will require a change in the attention and knowledge tradition of the rules.

1.2 Safety rules and knowledge in the Norwegian railway system

The Norwegian railway system has a tradition of prescriptive rules directed at the operative staff at the lower levels of organizational hierarchies. The rules have been developed with growing knowledge of the system's technology, activities and interactions and with experiences of unwanted events or accidents (Gulowsen & Ryggvik, 2004; Ryggvik, 2004). Much of the knowledge has been derived from practice and consisted of collective tacit and explicit knowledge. This knowledge was shared through an internal educational system, practice oriented trainee programs and socialization. Here the rules served an important role for the structure of the education and as knowledge carriers.

In 1996, steps were taken to open the Norwegian railway system to new traffic operators. The Norwegian state owned railway company (NSB) was divided into the National Railway Administration, which was responsible for infrastructure management, and NSB BA, a state owned traffic operator. An independent regulatory body, the Norwegian Railway Inspectorate, was established.

The railway sector, and in particular the Norwegian Railway Inspectorate, has been influenced by the safety management traditions of the Norwegian oil industry (Ryggvik 2004). This tradition has emphasized internal control principles with extensive use of risk analyses and outcome oriented rules. The development has resulted in initiatives, especially from the Norwegian Railway Inspectorate, to change the tradition of experience based, prescriptive rules towards outcome oriented rules based on results from risk analyses.

The intention of a development towards a deductive and risk based top-down approach to safety-rule modifications was evident in two different projects. One project was established for modification of the "traffic safety rules". In general, these rules were detailed prescriptive action rules that coordinated the activities of the operative staff involved in traffic operations. The management of this project encouraged the rule developers to "think new", to develop outcome-oriented rules formulated as goals and to base these upon risk analyses. From the beginning, the
rule-imposers were the Norwegian Railway Administration. Later this responsibility was transferred to the Norwegian Railway Inspectorate.

The other project had as its purpose to improve the management of infrastructure maintenance. One element in this project was to modify the "maintenance rules". These rules were organized in different sets for each subsystem of the infrastructure. They were mainly detailed prescriptive action or state rules directed at the operative staff that served both safety and other purposes. The different subsystems had varying characteristics regarding the time sequencing of activities, communication and coordination. The project organized subprojects for the modification of each rule set.

Also in this project the management encouraged the rule developers to "think new". This meant increasing the use of triggering requirements and basing the rules on risk analyses. The triggering requirements should define conditions in the infrastructure that trigger maintenance activities, i.e. define outcomes for maintenance activities. The rule-imposers were the Norwegian Railway Administration.

On this background, the Norwegian railway system represented an opportunity to study the implementation of the ongoing changes in rule traditions and their impact upon knowledge about the operation of the system and its associated dangers.

In this paper the term "railway knowledge" refers to the individual and collective understanding of the functions and interactions of the railway system. This includes knowledge of the system itself, its activities and their interactions, the inherent risks and the preventive means.

2 RESEARCH QUESTION AND APPROACH

This study looks at how the intended changes of regulatory mode and knowledge base were handled in practical life. The research question is: How did ambitions to change the safety rule tradition of the Norwegian railway system (from predominantly experience based prescriptive rules towards risk based outcome oriented rules) influence railway knowledge?

The question is based on the hypothesis that the described change in the safety rule tradition will change railway knowledge. The study will also explore possible explanations for the identified changes in railway knowledge and discuss practical implications. This calls for an explorative and qualitative approach, and a case study design was chosen (Miles & Huberman, 1994; Yin, 1994).

Four cases of safety rule modifications in the Norwegian railway system were chosen for the study. The project for modification of the traffic safety rules, hereafter called the "Traffic-rule case", was chosen to represent one case in the study. This case was followed until the work was transferred to the Norwegian Railway Inspectorate.

Among the subprojects of the Maintenance project, three cases were chosen for the study. These were the projects modifying the rules for the signal, power supply and superstructure infrastructure. These cases were followed until the rules were approved.

The information for the study was collected by interviews of 41 people that had been involved in the modification processes, studies of selected project documents and participation in 4 different meetings. The analyses were performed as an iterative process inspired by Grounded theory (Strauss & Corbin, 1998). The analytic tools and results influenced further data collection, and further data collection developed the analytic tools. For further presentation of the method, see Blakstad (2006).

3 FINDINGS: REVIVAL AND CONSERVATION OF RAILWAY KNOWLEDGE

3.1 A strategy of reverse invention

In all cases the participants of the modification processes tried to "think new" and to use the intended deductive top-down approach to rule development, i.e. to start with the development of higher order outcome oriented rules based on knowledge from risk analyses. The chosen methods for the risk analyses used experienced top events as the starting point for the analyses. The core attention was directed at the operative level of the railway system.

However, the cases critically judged outcome oriented rule solutions and risk analytic results through inquiries into experience based railway knowledge. This reflected a precautionary concern for safety (Blakstad, 2006). For example, one of the persons involved in the Traffic-rule case explained how one of the railway professionals of the work group always expressed his worries for safety. He did this even when he was not able to express why he was worried. These expressed worries led to inquiries and discussions that revealed the foundations for these worries. In this way experience based railway knowledge, even when it was tacit, served as the reference for safe solutions.

The cases soon abandoned the deductive and risk based top-down strategy for rule development. Instead, all cases used a bottom-up approach where existing low level prescriptive rules and the associated knowledge were used as the starting point for the development of outcome-oriented rules. This strategy is given the name "reverse invention" in this study.

When the cases changed into processes of reverse invention the work built upon the railway knowledge of the existing rules, i.e. knowledge directly expressed in
the rules themselves and knowledge about their history and intended function. It was necessary to inquire into the intentions and rationale behind the existing prescriptive rules, knowledge that was sometimes difficult to retrieve. In this way existing knowledge associated with the pre-existing prescriptive rules was brought forth.

Also, none of the cases found that outcome oriented rules gave sufficient control of known risks. The Traffic-rule case stayed with the prescriptive rule solution and intended to use and develop its outcome oriented formulations for educational purposes. However, the plan for such a textbook was abandoned for economic reasons. The Maintenance-rule cases developed outcome oriented triggering requirements. These were supplemented with explanatory texts and subordinate prescriptive rules. With safety as an important argument, the cases included more prescriptive rules than intended.

The main explanations the cases gave for the development towards reverse invention and the chosen rule solutions were that existing lower order rules and the associated knowledge were highly trusted and necessary for safe performance. Therefore, it was experienced as a waste to start from scratch without taking advantage of the knowledge associated with these rules. Reference was also made to the important function the rules had in the educational system for railway personnel; a change would require a new way of teaching. Outcome oriented formulations were also welcomed as a means to illustrate the purpose of prescriptive rules in educational settings.

All cases compared the risk analyses with railway knowledge. The expressed purpose of the comparison was to check that known risk was included in the analyses. Accordingly, the cases revealed a higher trust in existing experience-based railway knowledge than in the results of the risk analyses, and railway knowledge served as the reference for the quality of the risk analyses.

Usually the risk analyses and the railway knowledge provided the same conclusions. When this happened, the confidence in both railway knowledge and risk analyses increased among the participants of the work, and they experienced it as a validation of both knowledge sources. The interviewees also gave some examples where the conclusions from risk analyses and railway knowledge came into conflict. In such instances the reason for the different results was questioned and inquiries were initiated. The interviewees expressed less trust in risk analytic results than in the experience based railway knowledge. Therefore, the most common strategy for the inquiries was to review the risk analyses. The major concern was whether the analyses had excluded important railway knowledge. When weaknesses in the analyses were revealed, the analyses were adjusted to conform to the railway knowledge. Through this strategy the risk analyses were brought into accordance with the railway knowledge and agreement was established. When consensus was reached, the participants experienced this as if the risk analyses and the railway knowledge validated each other. Accordingly, conflicting initial conclusions also resulted in increased confidence in both.
involved to achieve feedback. However, differences in the organization of the Maintenance-rule cases and their tasks created different conditions for using those people directly involved in maintenance performance for feedback. The cases participated in a joint hearing process of the modified rules and the risk analyses. These cases also looked into new statistics and accident reports. At the end, the Maintenance-rule project organized a joint two-step hearing process.

3.4 Systematizing and storing knowledge

The descriptions above reveal that the existing prescriptive rules served as an important knowledge base for the rule development.

The descriptions also illustrate that the processes of the cases can be seen as a revival of railway knowledge. Railway knowledge was spread around the organization. It was sometimes difficult to retrieve because some of it had a more or less individual and tacit form. Therefore the inquiries and the following work with the achieved knowledge implied an articulation of this knowledge and that more people had access to it. It remained uncertain whether the inquiries contributed actually new knowledge.

The knowledge retrieved from the inquiries was combined and sorted out, discussed, systematized and to some extent documented. This implied a direction of attention where some knowledge came more into focus than other knowledge and was therefore included in the work. The processes were governed by a combination of the incentives behind the rule solutions, the frameworks that the risk analytic methods provided and the risk perception of the participants. For instance, the final report of the Traffic-rule case comments that the risk analyses did not contribute any particular unknown conditions. However, they had a systematizing function, contributed an overview and drew attention to conditions known from before. An interviewee of the Maintenance-rule cases made some of the same reflections:

"At least the systematizing of it [the risk analyses, authors' comment] forces one to evaluate and document what one does." And he continues: ". . . before it was very much based on individuals—the experience one had within the areas."

The interviewees were asked who the core contributors to the work were. Their answers revealed that those performing the rule development and the risk analyses were the main contributors. Their networks contributed as important supplements. However, there were differences between the cases. The organizing of the cases and the tasks differed and influenced how much the knowledge of these actors became articulated, made collective and combined. There were also differences between the cases regarding the available time for reflection.

The Traffic-rule case had the best conditions of the cases for interaction and access to knowledge resources. The work group was located together and had dedicated time for the work. It worked as an interactive team where the different tasks also interacted in iterative processes. Furthermore, this case had a formalized organization that included many actors and required communication, written reports and agenda papers. Thus knowledge from different sources became articulated and combined and to a great extent transferred into a written form.

Among the Maintenance-rule cases, only the work group of the Superstructure case was located together and had continuity in its work. This case also had a formalized Board of the branch that it included. The Signal case, which had the role of a pilot, had more available economic resources and dedicated time to organize meetings about the risk analyses. The Maintenance-rule cases were also less formalized than the Traffic-rule case. Therefore they did not communicate with others and did not produce written documentation to the same extent.

However, when it came to the rule solutions, the Traffic-rule case only expressed knowledge in prescriptive rules, while the Maintenance-rule cases expressed it in three ways: in triggering requirements, in their explanatory texts and in prescriptive rules.

4 DISCUSSION

The results above reveal that the cases used railway knowledge as the core knowledge base for the rule modification process. The rule modification process revived railway knowledge by making formerly tacit knowledge explicit. The processes increased the confidence in this knowledge.

4.1 The strong position of railway knowledge

The cases did not adopt the rationalistic, deductive top-down strategy that was intended for the modification work. The main explanation was that existing experience based railway knowledge, and in particular the knowledge associated with existing prescriptive rules, was seen as too valuable for safety to be abandoned. Hence, they are in line with Lindblom's critique of the rationalistic strategy (Lindblom, 1959).

Furthermore, Reason (1997) argues that the stage reached in an organization's life history will influence the opportunities for feed forward and feedback control of activities. The Norwegian railway system was old enough to have the necessary experience to develop prescriptive rules in accordance with feed forward control principles.
An additional argument was that the prescriptive rules were perceived as important and valuable elements in the Norwegian railway system’s organizational memory of safe performance, such as discussed by Stein (1995).

Instead, the cases decided to apply another type of rationality in their developmental work than the rationalistic rationality of the deductive top-down approach. This was based on an inductive bottom-up strategy where the existing prescriptive rules were used as the starting point for rule development. This made it possible to build upon the accumulated knowledge associated with the prescriptive rules, and in particular knowledge about their former and existing context, their intended function and the experiences of their efficiency in fulfilling their intention. In March’s terminology, the rationality that the rule developers applied in the modification processes became dominated by a rule- and identity-based type of decision-making (March, 1994). The existing rules and associated knowledge describing safe actions and states served as a fundament to judge what was considered to be appropriate outcomes of the regulated activities. In this way, knowledge associated with existing rules was brought forth into the new descriptions of wanted outcomes, and the work did not have to start from scratch. This can be seen as a conservative and precautionary strategy to fulfil the requirement of outcome-oriented rules and a rule hierarchy in a prescriptive rule tradition.

Furthermore, the inquiries that the cases made into railway knowledge made them cautious to replace existing prescriptive rules with outcome-oriented rules or to change them.

Accordingly, the processes got a conservative touch and prescriptive rules appeared to be more persistent than expected. The inductive bottom-up approach of reverse invention made the cases able to build upon existing knowledge of the prescriptive rules’ context and function and rule-specific knowledge, i.e. knowledge that resembles Ellström’s descriptions of intuitively-contextual knowledge (Ellström, 1996).

One can say that the decision strategy of the cases resembled that of “Mixed scanning” presented by Etzioni (1967). Building upon his metaphor, predominantly intuitively-contextual railway knowledge represented a broad-angled camera. This was used to scan the situation, or in other words to get an overview of railway activities, related risks and experiences with existing means to prevent accidents, including safety rules. Then rule- and identity-based rationality, applying the same knowledge, was used to zero in on those areas that required more in-depth examination. The risk analyses contributed to this work. As Kørte et al. (2002) discuss, the operational environments provided updated process knowledge and experience data that served as input to the analytic process.

Accordingly, the inductive bottom-up strategy created a transition period when higher order rules were developed from lower level rules. The process led to inquiries that activated intuitively-contextual railway knowledge and made it more explicit. Furthermore, attempts to formulate intended outcomes based on the experiences behind the existing rules made the intentions of their prescriptions more explicit. Baumard (1999) argues that making knowledge more explicit might be an advantage when a system has to handle organizational transformations. The ongoing deregulation process of the Norwegian railway system can be seen as a transformation period. Accordingly, processes that stimulate articulation of knowledge might be an advantage for the safety of the system.

All together, this reveals that the predominantly intuitively-contextual railway knowledge of different sources became revived and integrated into the form of the higher order outcome-oriented rules and the forms of the chosen risk analytic method. Furthermore, the revived knowledge became selected in accordance with the rule developers’ perception of risk and transformed into the more abstract and context-free forms of outcomes and the structure and schema of the chosen risk analytic methods. Such knowledge can be labelled rationalistic knowledge (Schön, 1991; Ellström, 1996). In this way the system developed the ability to take advantage of railway knowledge in both intuitively-contextual and rationalistic forms in its safety work. However, the inherent conservatism of the processes might make it difficult to foresee new and unexpected dangers, such as Turner & Pidgeon (1997) discuss. The ongoing transition period of the system creates changes from which it might be difficult to foresee all consequences for safety.

4.2 Is the revived railway knowledge endangered?

The fact that some of the revived railway knowledge, and mainly the rationalistic elements, is transformed into written form and stored in rules and documents does not mean that the knowledge is stored in organizational memory. As knowledge is relational and context specific, data and information that are transferred into written form are not the same as knowledge for the reader of the written documentation (Baumard, 1999; Nonaka & Takeuchi, 1995; Stein, 1995). Written documentation cannot communicate the rich mental maps that might be necessary to decode written texts and to understand the complex dynamics of reality. Also, written texts stored in databases require that their storage can be located and that access is given to them when it is necessary or useful to retrieve them (Stein, 1995). In addition, mental maps are also often important to foresee consequences of different actions and choices that are necessary for accident prevention (Perrow, 1984/1999; Rasmussen, 1997;
Rasmussen & Svedung, 2000). The results of the study also revealed that such knowledge was experienced as being important for the understanding of the rules and their intended function, for judging their relevance and for rule-followers’ motivation for compliance.

Accordingly, to keep the revived railway knowledge alive for the future, the written text has to be retrievable. Furthermore, it has to be supplemented with elements of social interaction and context. Therefore, it is essential that intuitively-contextual railway knowledge is stored in organizational memory.

The differences between the cases in their organizing regarding participation, communication and interaction imply that they differed regarding degree of social interaction and relation to the rules’ context. This created differences regarding articulation of knowledge and how this knowledge was distributed among the involved actors. However, the cases did not provide examples of systematic storing of intuitively-contextual railway knowledge.

Furthermore, the increased emphasis upon risk analyses as the fundament for rule development and intentions of increased use of outcome-oriented rules might strengthen this development. In addition, rationalistic knowledge generally holds a higher status than intuitively-contextual knowledge (Perby, 1995; Schön, 1991). Therefore, the status of the most intuitively-contextual elements of railway knowledge might become reduced in the future. The status of knowledge might also influence the motivation to retrieve information (Stein, 1995).

The ongoing deregulation of the Norwegian railway system might weaken the conditions for developing railway knowledge that holds an extensive overview of the complex interactions of the system. The deregulation process may also weaken the system’s traditional conditions for socialization and existing communities of practice that were considered particularly important for transfer of tacit knowledge (Baumard, 1999; Lave & Wenger, 1991; Nonaka & Takeuchi, 1995; Wenger, 1998). The deregulation process has also caused a work force reduction. Baumard (1999) warns against the danger that the need to renew knowledge might lead the firm to remove the representatives of the old knowledge. By doing this, they remove the tacit knowledge of the firm.

The deregulation process also implies increased complexity, uncertainty and ambiguity. Etzioni (1967) argues that under such conditions it might be required to increase investments in thorough studies of the situation. Accordingly, rich intuitively-contextual railway knowledge will be necessary to provide a good picture. However, with reference to the discussions of Turner and Reason of disaster incubation or latent conditions, there is a danger that even such railway knowledge is not sufficient to check for dangers that cannot be easily discovered (Turner & Pidgeon, 1997; Reason, 1997). Therefore it might be useful to search for the inclusion of alternative approaches to the traditional railway knowledge. In the framework for safety rule development that is applied for the SAMRAIL research (European Commission, 2004a), this might imply increasing investments in the first step of this framework. This step requires that the rule developers define the processes to be regulated, related accident scenarios and means to control the activities.

Seen together, if the rich intuitively-contextual railway knowledge is not stored in organizational memory by other means than those revealed in the study, the benefit of revived knowledge might be lost in the future. Also, the ongoing changes of the Norwegian railway system require judgements of the relevance of the experience-based railway knowledge for the current context and organizational learning.

There are already ongoing discussions in European railways about establishing learning agencies to further the development of organizational knowledge and its storing in organizational memory (European Commission, 2004b). With reference to the differences in the organizing of the studied cases, the organization of rule modifications can either be given the status as a learning agency or be linked to such agencies. Also, the inquiries into railway knowledge revealed that there are existing communities of practice within the Norwegian railway system that can be stimulated, such as Wenger (1998) has discussed. Furthermore, there might be a potential for establishing useful communities of practice within the system, such as revealed in the Dutch railways (European Commission, 2004b). However, the results and discussions reveal that it is important to further elaborate solutions for storing and evaluation of railway knowledge.

5 CONCLUSIONS AND PRACTICAL IMPLICATIONS

The study reveals that the cases met the challenge of the deductive and risk-based top-down approach to safety rule development with a strategy given the name “reverse invention”. This strategy can be seen as an inductive bottom-up approach to rule development where existing prescriptive rules and railway knowledge served as the core fundament for the development of the outcome-oriented rules.

The introduction of the deductive and risk-based top-down approach and the revealed process of reverse invention raised questions that initiated inquiries into railway knowledge. These inquiries made tacit knowledge more explicit and knowledge became gathered and systematized, i.e. railway knowledge became revived. However, the revived knowledge became reduced into lean rationalistic forms. It remained uncertain whether the potential of inquiries
for organizational learning resulted in actual new knowledge.

The results and discussions of the study have practical implications:

◦ Safety rules can serve an important function as knowledge carriers about operations of a system and associated dangers. This function should be taken into consideration when modifying such rules.
◦ Traditional prescriptive safety rules and associated knowledge can serve as a knowledge base for a transformation of rules into outcome-oriented rules, i.e. from rules expressing knowledge about what to do under certain conditions towards knowledge expressing intended outcomes. However, this strategy should take ongoing changes with potential for new and unexpected dangers into consideration.
◦ Introduction of a deductive and risk-based approach in an experience-based, prescriptive rule tradition can stimulate inquiries into existing knowledge. The inquiries can contribute to a revival and validation of this knowledge. However, the approach might also exclude knowledge that does not fit into the frameworks of chosen rule solutions and risk analytic methods.
◦ Accordingly, organizations should judge the need for measures to protect safety-relevant, endangered knowledge.

These practical implications are based on only a few cases in one particular context. Accordingly, they should be critically judged before being applied to other contexts. To extend the generalizability, studies of modification processes in other contexts are required.

The authors want to thank The Research Council of Norway, which financed the work.

REFERENCES

Baumard, P. 1999. Tacit Knowledge in Organizations. London: Sage Publications Ltd.
Blakstad, H.C. 2006. Revising Rules and Reviving Knowledge. Adapting hierarchical and risk-based approaches to safety rule modifications in the Norwegian railway system. Trondheim: Doctoral thesis for the degree of doctor ingeniør. Norwegian University of Science and Technology (NTNU).
Ellström, P.E. 1996. Report: Operatörkompetans—vad den er och hur den kan utvecklas. DUP-resultat. Stockholm: NUTEK. (In Swedish)
European Commission. 2003a. Safety culture in nuclear and process control. Fifth Framework Program SAMRAIL. Appendix 10: WP 2.1.9. August 5, 2003.
European Commission. 2003b. SAMNET Glossary. Fifth Framework Program SAMNET thematic Network. April 09, 2003.
Etzioni, A. 1967. Mixed-Scanning: A “Third” Approach To Decision-Making. Public Administration Review 385–392. December 1967.
Gullowsen & Ryggvik. 2004. Jernbanen i Norge 1854–2004. Nye tider og gamle spor. Bergen: Vigmostad og Bjørke AS. (In Norwegian)
Hale, A.R. 1990. Safety rules O.K.? Journal of Occupational Accidents 12, 3–20.
Hale, A.R., Heming, B.H.J., Carthey, J. & Kirwan, B. 1997. Modelling of safety management systems. Safety Science 26(1/2), 121–140.
Hale, A.R., Heijer, F. & Koornneef, F. 2003. Management of safety rules: The case of railways. Safety Science Monitor 7, Article III-2, 1–11.
Hovden, J. 1998. Models of Organizations versus Safety Management Approaches: A Discussion Based on Studies of the “Internal control of SHE” Reform in Norway. In: Hale, A.R. & Baram, M. (Eds.). Safety management: the challenge of change. Oxford: Pergamon.
Kørte, J., Aven, T. & Rosness, R. 2002. On the use of risk analyses in different decision settings. Paper presented at ESREL 2002. Lyon. March 19–21, 2002.
Lave, J. & Wenger, E. 1991. Situated Learning. Legitimate peripheral participation. Cambridge: Cambridge University Press.
Lindblom, C. 1959. The Science of “Muddling Through”. Public Administration Review 19, 79–88.
March, J.G. 1994. A Primer on Decision Making. New York: The Free Press.
Miles, M.B. & Huberman, A.M. 1994. Qualitative Data Analysis. London: Sage Publications Ltd.
Nonaka, I. & Takeuchi, H. 1995. The Knowledge-Creating Company. New York: Oxford University Press.
Perby, M.L. 1995. Konsten att bemästra en process. Om att förvalta yrkeskunnande. Hedemora: Gidlunds Förlag. (In Swedish)
Perrow, C. 1999. Normal Accidents. Living with High-Risk Technologies. Princeton: Princeton University Press. (First issued in 1984)
Rasmussen, J. 1997. Risk management in a dynamic society: A modelling problem. Safety Science 27(2/3), 183–213.
Rasmussen, J. & Svedung, I. 2000. Proactive Risk Management in a Dynamic Society. Karlstad: Räddningsverket.
Reason, J. 1997. Managing the risks of organizational accidents. Aldershot: Ashgate Publishing Limited.
Reason, J., Parker, D. & Lawton, R. 1998. Organizational controls and safety: The varieties of rule-related behaviour. Journal of Occupational and Organizational Psychology 71, 189–304.
Ryggvik, H. 2004. Jernbanen, oljen, sikkerheten og historien. In: Lydersen, S. (Ed.). Fra flis i fingeren til ragnarok. Trondheim: Tapir Akademisk Forlag. (In Norwegian)
Schön, D. 1991. The Reflective Practitioner. Aldershot: Arena, Ashgate Publishing Limited. (First issued in 1983)
Stein, E.W. 1995. Organizational Memory: Review of Concepts and Recommendations for Management. International Journal of Information Management. Vol. 15, No. 2, 17–32.
Strauss, A. & Corbin, J. 1998. Basics of Qualitative Research. California: Sage Publications, Inc.
Turner, B.A. & Pidgeon, N.F. 1997. Man-made disasters. Oxford: Butterworth-Heinemann.
Wenger, E. 1998. Communities of Practice: Learning as a Social System. Systems Thinker. Vol. 9, No. 5, 1–5.
Yin, R.K. 1994. Case Study Research. California: Sage Publications, Inc.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5

E. Guillaume
Safety Science Group, Technological University of Delft, The Netherlands

ABSTRACT: The prevention of Major Accidents is the core of high hazard industries’ activities. Despite the increasing safety level, industrial sites are asking for innovative tools. The notion of weak signals will enable the industries to anticipate danger and improve their safety management. Our preliminary results show the huge interest and relevance of the weak signals but also the difficulty to treat them concretely within the Safety Management. We found out that organizational features are “weak signals blockers”: bureaucratic management of Safety, linear and bottom-up communication, and a reactive Safety Management. In order to favor weak signals treatment, we should act on these organizational factors. This is the main objective of this PhD research.

1 INTRODUCTION

Accident prevention is a central issue in high-risk industries such as nuclear power plants, aircraft and petrochemical plants. These industries have set up safer equipment and technical safety barriers, but also organizational and human barriers, in order to manage risk and improve their capacity to prevent accidents. Some studies admit that industries’ capacities to learn from their own experiences will enable them to improve accident prevention. Reporting systems such as Learning from Experience (Retour d’Expérience in French) aim at learning from failures and negative experiences. They are implemented to collect, analyze and share data on the accidents which occurred on sites. Despite the high relevance of the Rex System, many researchers (Bourrier, 2002, Dien, 2006 and Amalberti and Barriquault, 1999) showed two main weaknesses: limits (Rex would provide mainly technical and direct causes of the accidents) and biases (Rex would be used more as an enormous database than as an opportunity to share the lessons learnt from the accidents). The goal of this research is to try to overcome these limits by exploring new research areas. The issue of weak signals is emerging in industrial companies like EDF (Electricité de France¹) and academic research might provide relevant ideas. Defined as accident precursors, the weak signals would enable to identify unsafe situations and degradation of the system. In that respect, identifying and taking the weak signals into account would favor proactive approaches and better accident prevention.

This research is a partnership agreed with a petrochemical company and a steel company, both situated in France. To collect data, case studies will be carried out in both sites. First, failure scenarios will be carefully studied. By looking from the end point of the accident, we will try to identify what weak signals were picked up by operational crew/shifts and the actions taken to take them into account (technical and organizational responses). Then, normal functioning will provide data on the human and technical tools, methodology and procedures used to manage risk everyday in both sites.

This document is composed of two sections. The first will expose the main definitions of the weak signals. The second one will try to describe the first data collected in the Arcelor site.

2 DEFINITION

2.1 Strategic management

The notion of weak signals has already been studied in several disciplines: history, geology and medicine (the latter more frequently uses the notion of “forerunners”). Among these works, strategic management provides interesting views that are described here.

Several studies have tried to define the nature and the role of the weak signals. In literature dealing with “strategic surveillance”, weak signals are more “qualitative than quantitative, uncertain, fragmented and ambiguous” (Mevel, 2004, p. 20–21).
The interest of weak signals lies in the role they play in strategic management. Derived from Ansoff and Dowell (1975), Lesca and Castagnos (2004), and Lesca and Blanco (2002), researchers argue that, threatened by an uncertain and changing environment, companies have to remain competitive and to capture early warning signals like weak signals. The more a company develops surveillance, the more it will be able to detect these signals and anticipate changes, ruptures or unexpected events. In that respect, weak signals are defined as “anticipation information” (Caron-Fasan, 2001).

We would like to discuss the adjective “weak”, which is the conventional term always used. “Weak” implies that “strong” signals exist and emerge inside and outside organizations. Ansoff and McDonnell² (1975) propose the following definition: weak signals are “imprecise early indications about impending impactful events (. . .). Such signals mature over time and become strong signals.” (p. 20–21). The most appropriate adjective would actually be “early” signals. In fact, as we will see later, a weak signal is a signal which is emerging long before an accident occurs. Despite its uncertainty and its fuzziness, the challenge is to detect such signals early in order to implement a strategic response. Over time, weak signals become strong signals and the strategy will be too late to respond correctly to the threat. Therefore, we assume that the nature of the weak signals is less important than the “time evolution” aspect. We will try to develop this idea later on.

The following section is an uncompleted study of the main studies dealing with the weak signals in Safety Management.

2.2 The main definitions in safety management field

This document presents the main contributions and tries to set a temporary definition of the weak signals. The following section is composed of three parts: the nature of weak signals, the way they emerge and the way they are detected and treated.

First of all, D. Vaughan (2003) defines a weak signal as a subjective, intuitive argument, and mainly ambiguous information. It is supported by informal information, which means that the threat to safety is not really clear for the members of the organization. According to M. Llory (1996) a weak signal is a forerunner, and a repetitive precursor warning of “serious” danger.

Then, in the context of Safety Management, two theoretical “schools” disagree. The first one (Turner, Vaughan) explains the occurrence of accidents with the existence of precursors. The second one, Perrow, considers the accidents as a normal consequence of complex and “coupled” systems. This PhD research fits in the first stream, which brings us to underline the following statement: weak signals emerge before the accident, meaning that they could be captured and could avoid the accident. Many authors attempted to describe the ‘appearance’ or the emergence of the weak signals. B. Turner and N. Pidgeon (1997) proposed the notion of “incubation period” (taken from the medical field), defined as “a chain of discrepant events develop and accumulate unnoticed” (B. Turner, 1997, p. 381). During this period, many alarming signs are emerging but not detected by the members of the organization. Some other authors use notions similar to the idea of “incubation”. Roux-Dufort (2000) writes that a crisis is the product of a long gestation, during which organizational dysfunctions accumulate. Dien and Perlot (2006) state that an accident is not a fortuitous event, but would be the last stage of a process of damage to safety.

Despite the interest of these signals (the possibility to prevent an accident thanks to those accident precursors), many studies have pointed out the difficulty to treat them. Turner and Pidgeon (1997), Vaughan (2003) and Llory (1996) underline the real difficulty to treat weak signals in time, and therefore to prevent a disaster. In the chapter entitled “the Bhopal precursors”, Llory (1996) stresses the role of whistleblowers, the Bhopal plant’s workers, who complained about very bad safety conditions (e.g. damaged defence barriers). These workers tried to warn the management and Madhya Pradesh, Bhopal state capital. But these whistleblowers were not listened to; their messages were not taken into account by the management. D. Vaughan (2003) underlined the role of the Thiokol engineer who tried to warn NASA. She quotes the engineer: “we shouldn’t ship anymore rocket until we got it fixed (O-ring)” (2003, p. 254). Although engineers sent “memos” to warn Challenger launch deciders, these messages were ignored. At that time, NASA believed more in formal and quantitative procedures than in messages based on intuition, qualitative and informal (which was the nature of the memos). She writes “the context of these memos made them weak signals to insiders at that time” (2003, p. 255). These initiatives are often described as failures. The detectors, or whistleblowers, did not send the message to the right person or suffered from “communication pathology” (M. Llory used a concept described by C. Desjours), which means that the communication between workers and deciders, and in that respect the amplification of the warning messages, is blocked.

² They devoted an entire chapter to the weak signals entitled ‘Using weak signals’ in which they describe how to respond to the issue of weak signals.
We assume that the weak signals emerge before the accident, during the incubation period. They are detected (by people we call whistleblowers) but not treated and taken into account. The PhD research assumes that, in the pathway “detection-treatment”, some factors do not allow the treatment of these signals. In fact, the organization would not accept or recognize the relevance of these signals and the legitimacy of the members who decided to support and amplify them. My PhD research will focus on the identification of these factors to understand the difficulty in treating them.

The weak signals, in the field of Safety Management, are obviously accident precursors (if we admit that such signals exist before an accident). Detected on time, they could prevent and even stop an accident. The studies quoted previously exposed the interesting role of the whistleblowers. Despite their actions, their messages were, in the cases quoted, ignored. Thus, the authors acknowledge how difficult the treatment of such signals within the organizations is. The next section will focus on the treatment of the weak signals.

3 TREATING THE WEAK SIGNALS

3.1 Communication channels

The issue of weak signals reveals new issues related to the interpretation of the information emerging from outside and inside the organization. Turner and Pidgeon (1997) propose to go back to the general properties of information by paying attention to the manner in which the information is dealt with in “theory communication”. To the authors, if the information transmitted falls into the available sets of categories, then the information will be received. If the message falls outside these recognized categories, this information will be regarded as ‘error’. We assume that the weak signals, regarding their nature (ambiguous, uncertain) and their discontinuous way of emerging, are ignored partly because they are incompatible with a closed communication system. No category is available to interpret these signals. In other words, three options can be taken into account. First, the weak signals are ignored because people have got no tools to interpret them. The signals are merely seen as irrelevant information. Then, the signals can be intentionally ignored because they increase uncertainty and unsafe work conditions. Turner and Pidgeon (1997) write “we may thus regard this kind of event, which was not assigned a place in the relevant system of classes” (p. ). This is highly relevant for understanding the issue of weak signals. Finally, these signals were ignored because of the difficulty to pick the relevant ones up.

The following section deals with the factors which may block or amplify the treatment of weak signals, the main assumption of this PhD research.

3.2 Cognitive and organizational frames: Weak signals blockers and amplifiers

Based on several accident analyses, Turner (Weick, 1998) pointed out several features to explain why the signals emerging during the incubation period were mostly ignored. The rigidities in perception and beliefs in organizational settings are the first features. It means that the possibility to detect disasters can be inhibited by cultural and organizational factors. Culture can lead in this case to a collective blindness to important issues. Then, in the same book, B. Turner mentions “organizational exclusivity”, which means that an organization can disregard non-members who try to amplify warning information. Finally, he points out the capacity to minimize the emergent dangers. The organizational features seem important to understand why such events are unnoticed. A number of French studies point out the communication system, underlining its cognitive aspect. Bourrier and Laroche (2000) describe a similar phenomenon. They state that organizations have some difficulties to treat information correctly because of cognitive categories set ‘a priori’. These filters can lead the organization to blindness. Finally, Vaughan observed that culture could be a factor of weak signals ignorance. Based on the analysis of the Challenger accident (2003), Vaughan writes that NASA tended to accept anomalies as the normal functioning, leading to a process of “deviance normalization”.

After describing the phenomenon and trying to identify the main reasons for weak signals ‘blocking’ in an organizational context, some authors attempt to explore solutions in order to amplify them.

The main improvements proposed by the researchers deal with an organization’s capacity to be surprised. Ansoff and McDonnell (1975) emphasize environmental surveillance, awareness, and internal flexibility. Roux-Dufort (2000) asserts that weak signals do not fit in any preconceived coding process. To capture such precursor signals, he writes that the organizations should accept information or events which do not fit in the knowledge and technology which is already implemented. Also Bourrier and Laroche (2000) agree on the fact that these categories ‘a priori’ have to be reviewed to treat the information correctly and to be able to capture the ‘unexpected events’ (Turner and Pidgeon, 1997). Finally, Östberg (2006) argues that human intelligence would be a way to take the weak signals into account. He writes that intelligence “refers to have a bearing on the dealing with surprise” (p. 19). He writes “obviously, on the one hand
human qualifications for intelligent performance are decisive for the outcome of efforts to cope with surprises and, on the other hand, the preparedness for surprising events by intelligence activities enhances the proper reaction in the prevailing circumstances." (p. 19).

The previous section is an attempt to define weak signals from the academic literature. Although based on empirical works, the quoted studies give generic definitions: relevance and use for studying weak signals. But what are, concretely, the weak signals? What do they refer to? What do they say about the system studied (technical and social), its risks and accidents? These points will be discussed in the following section.

4 PRELIMINARY RESULTS: WEAK SIGNALS AND TREATMENT, EXAMPLES IN A STEEL PLANT AND A REFINERY

The research project planned to collect data on weak signals by carrying out case studies on failure scenarios, success stories and normal functioning.

This research aims at studying weak signals of major accidents. The INES scale defines major accidents as "events with major effects outside the site, implying consequences on environment and health". Fortunately, these events are very rare. The scenarios investigated would rather concern "near-misses", that is to say events that could have been more serious in other circumstances.

We carried out five case studies on "failure" scenarios. These accidents occurred in three operational departments: the coking plant, the steel making plant and the energy dispatching department. The objective of these case studies was to look from the end point of the accident and try to identify whether weak signals were picked up by the operational crews/shifts on the shop floor. What actions were taken to take them into account (technical and organizational responses)? Why did they not take any action? What lessons were learnt from these weak signals afterwards?

Then, some observations on normal functioning were carried out. They provided data on the tools (learning processes such as Learning from Experience, risk analysis, audits), the safety barriers (technical and organizational), but also the management, implanted in both sites to manage risk. Finally, we came up against the difficulty of investigating success stories. In fact, success stories are not, by that very fact, based on critical events. They are not recorded in reporting systems and, with regard to accident prevention, they do not seem to deserve any further analysis. This idea must be deepened in the petrochemical plant.

These case studies provided interesting findings on these four items. The following section will try to describe these first results.

4.2 From a generic definition to a more specific definition

Weak signals could be theoretically defined as accident precursors alerting of an imminent event. The case studies appeared as an important step in the PhD research. As a matter of fact, we came up with a more specific and practical definition of weak signals. They are defined in a specific context (an organization, a site), related to a specific activity (steel making) and specific risks.

The main findings concern three items: the difficulty of picking up the weak signals on time, signal interpretation and the channels of communication used by people trying to transmit them.

Lessons learnt

The scenarios investigated refer to standard operations, but the events described appeared as real surprises. Consequently, the signals emerging before the accident (during the incubation period, as Turner showed) were detected but not interpreted as "accident precursors". The difficulty of weak signals lies in the capacity of people to combine several pieces of information dispatched in the organization and give sense to them. As Turner wrote, the information was already in the organization but not interpreted. Then, the scenarios investigated showed that the accident was the result of a long process of safety degradation. During this period, many signals had been detected and recorded in reporting systems, but rarely connected.

Example 1: Explosion of a calcium carbide bunker

The steelmaking plant uses calcium carbide. It is meant to take sulphur away from pig iron. Acetylene, produced by contact between calcium carbide and water, is a well known risk and the site protects the bunker against water infiltration. However, on the 16th of December 2005, the bunker exploded. The presence of water clearly explained the accident. People involved in the investigation discovered (thanks to an external expert) that the roof of the bunker was corroded. In fact, the roof had been painted for maintenance reasons, except in an unreachable part of it. Birds were living there, attacking and scaring maintenance operators. Dirt favored the corrosion and degraded, little by little, the roof and enabled water to soak into the bunker.

Signals appeared obvious and relevant to people after the event. Indeed, analysis revealed a long process of safety degradation which led to the bunker explosion: maintenance problems (corrosion), a mal-adjusted roof (liable to rust) and the possibility that water
seeps through the bunker's roof. Though these pieces of information were detected, known and recorded, the combination between them was not taken into account. The objective is now to understand what factors blocked the possibility of giving sense to these signals. The PhD research is still in the data collection stage, and these factors have not been identified yet.

Signals interpretation

4.4 Channels of signals transmission

The case studies showed clearly that weak signals were detected but not taken into account. We believe that the problem lies in the translation of the signals detected and their transmission to the right person/target. Some academic studies have tried to identify ways to bring the relevant information to the organization (and particularly to the people in a position to make decisions on its basis).

We identified three ways to transmit the signals detected in the organization:

• Whistleblowers
• Safety and health committees
• Operational visits

This paper will stress the first, "whistleblowers", because pieces of data on the others are still missing. Whistleblowers are considered as a channel to transmit information related to safety [16]. In failure scenarios, whistleblowers obviously failed.

Example 2: Explosion of an oxygen pipe

The fluids expert of the Energy dispatching department explained in the interview that in 2005 he advised the department manager to train operators about the dangers of oxygen. His alert was ignored and, in February 2005, a few months later, an oxygen pipe exploded.

The issue of whistleblowers is interesting. On the basis of the interviews carried out, the whistleblowers would be experts. They are educated (PhD, trainings, master's degree) and have knowledge of techniques and safety. The resources they used to detect dangerous situations are based on their role (they work as experts and give advice to management), their knowledge and their experience. But obviously, their message was ignored. At that stage of the research, we can only suppose that the signals they tried to transmit were based more on their intuition and qualitative data than on formal and quantitative data. Although these signals were already considered as strong by the whistleblowers, they remain weak for the receivers because of an organizational culture based on tangible proofs. Consequently, their message was not taken into account.

5 LESSONS LEARNT FROM WEAK SIGNALS

As we mentioned previously, weak signals are obvious after the accident. Once identified, people learnt lessons from weak signals, particularly in the new design of damaged installations. For instance, the Design Department, in charge of the bunker building, took the expert's recommendations into account for implanting new safety barriers and better detection systems (acetylene and temperature). However, we must admit that weak signals are still ignored before they lead to an accident. The explanation seems to be found in organizational factors playing the role of blockers. This hypothesis will be tested in the last case study period we will carry out (from April 2008).

CONCLUSION

As a conclusion, weak signals seem to have a practical relevance in such a site and are considered as difficult to pick up. This difficulty does not lie in detection but in the capacity to give sense to several pieces of information and in the possibility of transmitting them. We found out that weak signals were indeed detected, and identified channels which enable the information to be brought to the relevant people. However, some factors would block this process and impede the opportunities to learn. The next stage of the research will be precisely to analyze the data and reveal what factors (organizational, cultural, individual) block the opportunities to prevent the accidents investigated.

ACKNOWLEDGEMENTS

I greatly thank the French Foundation for a Safety Culture (FonCSI) which provides financial sponsorship and fieldwork.

REFERENCES

Amalberti R. et Barriquault C., 1999, "Fondements et limites du Retour d'Expérience", in Annales des Ponts et Chaussées: Retours d'Expérience, n. 91, pp. 67–75.
Ansoff I. and Mc Donnell E., 1990, Implanting strategic management, Second edition, Prentice Hall International, United Kingdom.
Bourrier M. et Laroche H., 2000, "Risques de défaillance: les approches organisationnelles", in Risques, erreurs et défaillances, Actes de la première séance du Séminaire 'Le risque de défaillance et son contrôle par les individus et les organisations dans les activités à hauts risques', publications MSH Alpes, pp. 15–51.
Bourrier M., 2002, "Bridging research and practice: the challenge of 'normal operations'", in Journal of Contingencies and Crisis Management, vol. 10, n. 4, pp. 173–180.
Caron-Fasan M.L., 2001, "Une méthode de gestion de l'attention des signaux faibles", in Systèmes d'Information et Management, vol. 6, n. 4.
Chateauraynaud F., 1999, Les sombres précurseurs. Une sociologie pragmatique de l'alerte et du risque, Editions EHESS, Paris.
Dien Y. et Perlot S., 2006, "Cassandre au pays des risques modernes", 29ième Congrès National de Médecine et Santé au Travail, Lyon.
Lesca H. and Blanco S., 2002, "Contribution à la capacité des entreprises par la sensibilisation aux signaux faibles", 6ème Congrès International Francophone sur la PME, HEC Montréal.
Lesca H. and Castagnos J-C., 2004, "Capter les signaux faibles: comment amorcer le processus?", Economica e Gestão, Brésil, vol. 4, n. 7, pp. 15–34.
Llory M., 1996, Accidents industriels, le coût du silence, L'Harmattan, Paris.
Mevel O., 2004, "Du rôle des signaux faibles sur la reconfiguration des processus de la chaîne de valeur de l'organisation : l'exemple d'une centrale d'achats de la grande distribution française", Thèse de doctorat en sciences de gestion, Ecole doctorale Lettres, Langues, Société et Gestion et Ecole Nationale Supérieure des Télécommunications de Bretagne.
Östberg G., 2006, "An unassorted collection of remarks on aspects, perspectives and dimensions of weak signals", University of Lund, Sweden.
Roux Dufort C., 2000, "Aspects socio et culturels des signaux faibles dans les organisations", Association ECRIN, 18 mai, Paris.
Turner A.B. and Pidgeon N.F., 1997, Man-Made disasters, Second edition, Wycheham Publications, London.
Vaughan D., 1996, The Challenger launch decision: risky technology, culture and deviance at NASA, University of Chicago Press, United States.
Weick K.E., 1998, "Foresights and failure: an appreciation of Barry Turner", in Journal of Contingencies and Crisis Management, vol. 6, n. 2, pp. 72–75.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
Author index
853
Cabarbaye, A. 2185, 2217 Costescu, M. 99 Dutfoy, A. 2093
Cabrera, E. 2447 Coulibaly, A. 1001 Dutta, B.B. 3323
Cadini, F. 477 Courage, W.M.G. 2807 Dutuit, Y. 1173
Calixto, E. 957, 1273 Cozzani, V. 1147, 1199, Dvořák, J. 2613
Calle, E.O.F. 2807 2345, 2397, 2749, 3153 Dwight, R.W. 423
Camargo Jr, J.B. 2207 Craveirinha, J. 2627
Campedel, M. 2749 Crespo Márquez, A. 669, Ebrahimipour, V. 1125,
Campos, J. 1217 929 2379
Cañamón, I. 163 Crespo, A. 687, 829 Egidi, D. 2397
Carbone, V.I. 1621 Cugnasca, P.S. 1503 Eide, K.A. 1747, 2029
Carfagna, E. 3217 Eisinger, S. 365, 2937
Carlé, B. 89 D’Auria, F. 2899 El-Koujok, M. 191
Carlos, S. 2827, 2837 Damaso, V.C. 497 Engen, O.A. 1423
Carr, M.J. 523 Damen, M. 767, 777 Erdos, G. 291
Carrión, A. 2447 Dandache, A. 2549 Eriksson, K. 83, 3061
Carvalho, M. 587 da Silva, S.A. 243 Esch, S. 1705
Casal, J. 1073, 1119 David, J.-F. 981 Escriche, I. 2275, 2289
Castanier, B. 469, 3171 David, P. 2259 Escrig, A. 2743
Castillo, C. 2473 de Almeida, A.T. 627, 1165 Esperón, J. 3, 121
Castillo, E. 2473, 2689 De Ambroggi, M. 1431 Espié, E. 2609
Castro, I.T. 463 De Carlo, F. 211 Espluga, J. 1301, 1371,
Cauffriez, L. 3245 de M. Brito, A.J. 1165 2867
Cavalcante, C.A.V. 423, De Minicis, M. 1495 Eusgeld, I. 2541
627, 1165 De Souza, D.I. 919 Eustáquio Beraldo, J. 1273
Chang, D. 703 De Valk, H. 2609 Expósito, A. 3, 121
Chang, K.P. 703 de Wit, M.S. 1585 Eymard, R. 155
Charpentier, D. 2003 Debón, A. 2447
Chatelet, E. 1731, 3093 Debray, B. 3191 Faber, M.H. 1567
Chen, J.R. 2757 Dehghanbaghi, M. 2379 Faertes, D. 2587
Chen, K.Y. 39 Dehombreux, P. 2117 Fallon, C. 1609, 3007
Chen, X. 863, 1663 Deleuze, G. 1309, 3093 Fan, K.S. 2757
Chiu, C.-H. 1651 Deloux, E. 469 Faragona, B. 3217
Cho, S. 2851 Delvenne, P. 3007 Farré, J. 1301
Choi, Y. 2913 Delvosalle, C. 2369, 3067 Faško, P. 1671
Chojnacki, E. 697, 905 Denis, J.-B. 2609 Faure, J. 2185, 2217
Chou, Y.-P. 2405 Depool, T. 2409, 2415 Fechner, B. 147
Christley, R.M. 2317 Dersin, P. 2117, 3163 Fernández, A. 1533
Christou, M.D. 2389 Despujols, A. 531 Fernández, I. 3, 121
Chung, P.W.H. 1739 Destercke, S. 697, 905 Fernández, J. 205, 1395
Ciancamerla, E. 2501 Deust, C. 3191 Fernández-Villodre, G.
Clarhaut, J. 3199 Di Baldassarre, G. 2749 1755
Clavareau, J. 455 Di Gravio, G. 1495 Fernandez Bacarizo, H. 559
Clemente, G. 505 Di Maio, F. 2873 Ferreira, R.J.P. 1165
Clemente, R. 2501 Dien, Y. 63 Ferreiro, S. 2175
Clímaco, J. 2627 Dijoux, Y. 1901 Feuillard, V. 2135
Clough, H.E. 2317 Diou, C. 2549 Fiévez, C. 2369, 3067
Cocquempot, V. 3199 Dohnal, G. 1847 Figueiredo, F.A. 627
Cojazzi, G.G.M. 3135 Doménech, E. 2275, Finkelstein, M.S. 1909
Colli, A. 341, 2715 2289 Flage, R. 1335, 2081
Collins, A. 1251 Dondi, C. 2397 Flammini, F. 105
Conejo, A.J. 2689 Dong, X.L. 2845 Fleurquin, G. 2117
Conrard, B. 3199 Doudakmani, O. 787 Fodor, F. 1309
Contini, S. 1009, 3135 Downes, C.G. 1739, 1873 Forseth, U. 3039, 3047
Cooke, R.M. 2223 Driessen, P.P.J. 369 Fouladirad, M. 567, 593,
Cooper, J. 2223 Duckett, D.G. 1325 2003
Cordella, M. 2345 Duffey, R.B. 941, 1351 Frackowiak, W. 3331
Cornil, N. 2369, 3067 Dunjó, J. 2421 Franzoni, G. 1049
854
Fraser, S.J. 2353 Grall, A. 531, 567, 3125 Hryniewicz, O. 581
Frenkel, I. 483, 551 Grande, Ø. 2937 Hsieh, C.C. 1267
Frimannslund, L. 2963 Grande, O. 1431, 3265 Huang, W.-T. 1651
Froihofer, L. 1539 Grazia Gnoni, M. 2701 Hurrell, A.C. 749
Frutuoso e Melo, P.F. 497 Grenier, E. 2609 Huseby, A.B. 1747, 2029,
Fuchs, P. 635 Groth, K.M. 113 2199
Fugas, C. 243 Gruber, M. 2675 Hwang, M. 2861
Furuta, K. 33 Guaglio, G. 2541
Fuster, V. 1395, 1401 Gucma, L. 3285 Iacomini, A. 2501
Guedes Soares, C. 881, Ibáñez, M.J. 2743
Gagliardi, R.V. 27 3265 Ibáñez-Llano, C. 2051
Gaglione, A. 105 Gugliermetti, F. 1341 Idasiak, V. 2259
Galarza, N. 727 Guida, M. 2251 Idée, E. 1901
Galassi, G. 2899 Guidi, G. 1341 Innal, F. 1173
Galdámez, P. 1539 Guillaume, E. 847 Iooss, B. 2107, 2135,
Gallay, A. 2609 Guo, B. 649 2899
Gámiz, M.L. 2013 Gurley, K. 2453 Ipiña, J.L. 727
Gómez Fernández, J. 929 Gutteling, J.M. 1317, 1585 Isaksen, S.L. 1747, 1891,
Gómez Fernández, J.F. 669 Guttormsen, G. 813 2029, 2937
Gómez, J.F. 687, 829 Izquierdo, J.M. 121, 163
Gómez-Mares, M. 1119 Håbrekke, S. 805
Gäng, J. 2233 Hagen, J.M. 407, 2649 Jallouli, M. 2549
Gåsemyr, J. 1747, 2029 Hamid, S. 2453 Jamieson, R. 1447
Gamiz, M.L. 2447 Hänle, A. 1547, 1555 Jammes, L. 305
Gamo, L. 3, 121 Hansson, L. 733 Janilionis, V. 1819
Ganapini, S. 1199 Hardeman, F. 89 Jarl Ringstad, A. 813
García Ortiz, J.C. 1539 Hardman, G. 987 Jeong, J. 2619
García, B. 757 Häring, I. 1547, 1555 Jiang, Y. 863, 1663
García-Díaz, J.C. 201 Harrami, O. 391, 399 Jo, K.T. 913
Garcia, P.A.A. 497 Harvey, J. 291, 299, 1447 Jóźwiak, I.J. 1929
García-Bertrand, R. 2689 Hauge, S. 2921 Jodejko, A. 1065
Gayen, J.-T. 1283 Haugen, K.-E. 1489 Joffe, H. 1293
Gerbec, M. 1473, 2157 Haugland, D. 2963 Johansson, J. 2491
Gerigk, M. 3303 Hauschild, J. 2245 Johnsen, S.O. 805
Geurts, P.A.T.M. 2781 Hausken, K. 1157 Jongejan, R.B. 1259
Gil, A. 205 Haver, K. 2929 Jönsson, H. 2491
Gil, J. 3, 121 Hayat, S. 3199 Jordá, L. 727
Gillon, P. 3007 Helland, A. 361 Jore, S.H. 3077
Giménez, M. 2899 Hepsø, V. 813, 1407 Joris, G. 1609
Giner-Bosch, V. 2735 Hernández-Simón, L.M. 11 Jóźwiak, I.J. 1455
Ginestar, D. 175 Herrera, I.A. 19 Jóźwiak, K. 1455
Giorgio, M. 2251 Herrero, R. 121 Jun, L. 1943
Girard, Ph. 331 Heslop, S. 299 Jung, K. 1629, 1635
Giraud, J.-B. 2987 Hildebrandt, M. 267 Jung, W. 221
Glor, M. 1217 Holicky, M. 1629 Jung, W.S. 2913
Goeschka, K.M. 1539 Holmberg, J.-E. 227 Juocevičius, Virg. 1641
Gomes, T. 2627 Hong, Y. 1943 Juocevičius, Virm. 1641
González Díaz, V. 929 Hoon Han, S. 2619 Juocevičius, V. 1677
González, J.R. 1949 Hoppe, G. 2037
González, P. 3, 121 Horlick-Jones, T. 1301, Kalusche, W. 2431
González, V. 669, 687, 829 1371, 1601, 2867 Kamenický, J. 891
Gonzalo, J. 1301 Hortal, J. 3, 121, 379 Kangur, K. 797
Gordon, P. 423 Hossein Mohammadian M., Kanno, T. 33
Goti, A. 2707 S. 1001 Kar, A.R. 3323
Gouriveau, R. 191 Hou, H.-Y. 2405 Karlsen, J.E. 1595
Goyal, S. 949 Hovden, J. 839 Kastenholz, H. 361
Grachorloo, N. 2151 Høyland, S. 1385 Kayrbekova, D. 2955
855
Kazeminia, A. 2245 Lèbre La Rovere, E. 957, Massaiu, S. 267
Kellner, J. 2613 1273 Mateusz, Z. 3237
Kermisch, C. 1357 Lebrun, R. 2093 Matuzas, V. 2569
Khan, F.I. 1147 Lecoze, J.C. 3191 Matuzienė, V. 2575
Khatab, A. 641 Lei, H.T. 649 Matuziene, V. 3101
Khvatskin, L. 483 Leira, B.J. 3311 Mavko, B. 1771
Kim, K.Y. 2913 Leitão, A.F. 675 Mazri, C. 3191
Kim, M.C. 2909 Lejette, F. 3231 Mazzocca, N. 105
Kim, S. 2851 Lemes, M.J.R. 2207 McClure, P. 2295
Kiranoudis, C. 281 Leopold, T. 875 McGillivray, B.H. 993
Kleyner, A.V. 1961 Lerena, P. 1217 McMillan, D. 2601
Kloos, M. 2125 Lettera, G. 2701 Mearns, K. 1415
Kobelsky, S. 1141 Levitin, G. 1157, 1723 Medina, H. 1073
Kohda, T. 1035 Li, Pan 79 Medonos, S. 1239
Koivisto, R. 2511 Li, Z.Z. 2845 Medromi, H. 2549
Kollmann, E. 2641 Limbourg, P. 1705 Mehers, J.P. 2317
Kolowrocki, K. 1969, 1985 Limnios, N. 2167 Mehicic Eberhardt, S. 2431
Konak, A. 2657 Lin, P.H. 2223 Meier-Hirmer, C. 3183,
Kongsvik, T. 733 Lindøe, P.H. 1595 3231
Konstandinidou, M. 281, Lindhe, A. 1041 Meléndez, E. 121, 2051
767, 777 Lins, I.D. 541 Meliá, J.L. 243, 1415
Kontic, B. 2157 Lirussi, M. 2727 Membrë, J.-M. 2295
Korczak, E. 1795 Lisi, R. 1019, 3143 Mendes, J.M. 1577
Kortner, H. 1489 Lisnianski, A. 483, 551 Mendizábal, R. 379, 2827,
Kosmowski, K.T. 249, 1463 Lizakowski, P. 3319 2837, 2891
Kosugi, M. 2305, 2311 LLovera, P. 1401 Meneghetti, A. 2727
Koucky, M. 1807, 1813 Loizzo, M. 2987 Menoni, S. 3023
Koutras, V.P. 1525 Lonchampt, J. 531 Mercier, S. 155, 603
Kovacs, S.G. 99 Lopes, I.S. 675 Merz, H.M. 2773
Kowalczyk, G. 449 López Droguett, E. 541 Meyer, P. 275
Kratz, F. 2259 Lorenzo, G. 2899 Meyna, A. 2239
Krikštolaitis, R. 2575, 3101 Lukoševiciene, O. 1685 Mikulová, K. 1671
Kröger, W. 2541 Lundteigen, M.A. 2921 Milazzo, M.F. 1019, 3143
Krummenacher, B. 2773 Miles, R. 1251
Kubota, H. 2305, 2311 MacGillivray, B.H. 415 Mínguez, R. 2473, 2689
Kudzys, A. 1677, 1685 Maftei, E. 2333 Minichino, M. 2501
Kuiper, J. 767, 777 Magott, J. 1055 Missler-Behr, M. 2431
Kujawski, K. 1929 Mai Van, C. 2797 Mlynczak, M. 57
Kulot, E. 1049 Makin, A.-M. 739 Mock, R. 2641
Kulturel-Konak, S. 2657 Malassé, O. 1829, 2549 Moeller, S. 2431
Kurowicka, D. 2223 Malich, G. 1081 Molag, M. 3153
Kuttschreuter, M. 1317 Mancini, G. 1621 Moltu, B. 813
Kvernberg Andersen, T. Manuel, H.J. 1113 Monfort, E. 2743
3039, 3047 Marais, K.B. 659 Monteiro, F. 2549
Marcos, J. 1533 Montoro-Cazorla, D. 1955
Labeau, P.E. 455 Maris, U. 2325 Montoya, M.I. 1089
Labeau, P.-E. 559, 1357 Markatos, N. 281 Moonis, M. 2353
Laclemence, P. 3093 Markeset, T. 2945, 2955 Morales, O. 2223
Laheij, G.M.H. 1191 Marková, J. 1635 Moreno, J. 3
Lamvik, G.M. 2981 Marquès, M. 2899 Moreu de León, P. 669,
Landucci, G. 3153 Marrel, A. 2135 687, 829, 929
Langbecker, U. 3275 Martín, J. 869 Morra, P. 2345
Langeron, Y. 3125 Martinez-Alzamora, N. 441 Mosleh, A. 113
Larisch, M. 1547 Martorell, S. 175, 441, 505, Motoyoshi, T. 2685
Laulheret, R. 2185, 2217 1881, 2275, 2289, 2827, Muñoz, M. 1119
Le Bot, P. 275 2837, 2873, 2971 Muñoz-Escoí, F.D. 1539
Le Guen, Y. 2987 Maschio, G. 1019, 3143 Mud, M. 767, 777
856
Mulley, C. 299 Park, J.J. 1481 Quigley, J. 987
Mullor, R. 441 Park, S.D. 913 Quijano, A. 1395, 1401
Muslewski, L. 2037 Park, S.J. 913
Mutel, B. 1001 Parra, C. 687, 829 Rabbe, M. 2199
Parra Márquez, C. 669, 929 Rachel, F.M. 1503
Næsje, P. 259, 821, 1407 Pashazadeh, S. 2151 Raffetti, A. 3217
Næsje, P.C. 2981 Pečiulytė, S. 2575, 3101 Rajabalinejad, M. 717
Nøkland, T.E. 1207, 2929 Pearce, K. 1447 Rakowsky, U.K. 2045,
Naked Haddad, A. 919 Pecho, J. 1671 3055
Napolitano, N. 1495 Pedersen, L.M. 2581 Raman, R. 1239
Natvig, B. 1747, 2029 Pedroni, N. 709 Raschky, P.A. 965, 973
Navajas, J. 1301, 1371, Peiretti, A. 1119 Rasulo, A. 2519
2867 Pelayo, F. 379, 2827, 2837 Rauzy, A. 1173, 1937, 2051
Navarro, E. 757 Pelaz, A. 727 Real, A. 175
Navarro, J. 1915 Penalva, M.L. 205 Reer, B. 233
Navarro-Esbrí, J. 175 Pereira, G.A.B. 675 Reinders, J. 3153
Navrátil, J. 2613 Pérez, C.J. 869 Remenyte-Prescott, R. 1739
Nebot, Y. 2827, 2873 Pérez-Ocón, R. 1755, Renaux, D. 3245
Nedelec, B. 3191 1955 Renda, G. 3135
Neto, H.V. 761 Peschke, J. 2125 Revilla, O. 3223
Newby, M. 619 Pesme, H. 275 Rey-Stolle, I. 1949
Nguyen, H. 3331 Pey, A. 1217 Rezaie, K. 1125, 2379
Nicholls, J. 291 Pierlot, S. 63 Rhee, T.J. 703
Nicol, A.-M. 749 Pierro, F. 2899 Rheinberger, C.M. 1365
Nieto, F. 2051 Pinelli, J.-P. 2453 Riedstra, D. 1191
Niezgoda, T. 449 Pita, G.L. 2453 Rietveld, P. 2817
Nivolianitou, Z. 281 Pittiglio, P. 137 Rimas, J. 1819
Njå, O. 3077 Piwowar, J. 3093 Rivera, S.S. 1129, 1135
Nogueira Díaz, E. 899 Planas, E. 1089 Robin, V. 331
Norberg, T. 1041 Platis, A.N. 1525 Rocco S., C.M. 1803
Nordgård, D.E. 2561 Pock, M. 1829 Rocha Fonseca, D. 919
Nowakowski, T. 1055, Podofillini, L. 233 Rodríguez, G. 3, 121
1065, 1455, 1929 Podsiadlo, A. 3289, 3331 Rodríguez, V. 2707
Nunes, E. 587 Polič, M. 3015 Rodríguez Cano, D. 899
Núñez Mc Leod, J.E. 1129, Ponchet, A. 567 Røed, W. 2929
1135 Pop, P. 2333 Roelen, A.L.C. 2223
Núñez, N. 1949 Popenţiu Vlǎdicescu, F. Rohrmann, R. 1567
Nuti, C. 2519 2333 Román, Y. 2013
Popoviciu, N. 1027 Romang, H. 2789
Oh, J. 767, 777 Post, J.G. 767, 777 Rosén, L. 1041
Oliveira, A. 3177 Postgård, U. 391, 399 Rosness, R. 839
Oliveira, L.F.S. 1919, 2587 Pouligny, Ph. 3183 Roussignol, M. 155
Olmos-Peña, S. 11 Poupard, O. 2987 Rowbotham, A.L. 2353
Oltedal, H.A 1423 Poupart, E. 45 Rubio, B. 727
Oltra, C. 1301, 1371, 2867 Prades, A. 1301, 1371, Rubio, G. 757
Or, I. 3257 2867 Rubio, J. 727
Osrael, J. 1539 Pragliola, C. 105 Rücker, W. 1567
Özbaş, B. 3257 Praks, P. 559 Rudolf Müller, J. 2665
Prescott, D.R. 1873 Ruiz-Castro, J.E. 1755
Palacios, A. 1119 Prosen, R. 2883 Runhaar, H.A.C. 369
Palanque, P. 45 Proske, D. 2441
Pandey, M.D. 431 Pulcini, G. 2251 Sætre, F. 2635
Pantanali, C. 2727 Puuronen, S. 1995 Sabatini, M. 1199
Papazoglou, I.A. 767, 777, Pyy, P. 227 Sadovský, Z. 1671
787 Sagasti, D. 727
Paridaens, J. 89 Quayzin, X. 1937 Saleh, J.H. 659
Park, J. 221, 2909 Queral, C. 3, 121 Salzano, E. 3085
857
Samaniego, F.J. 1915 Soriano, M.L. 1395 Tveiten, C.K. 2997
Samrout, M. 1731 Soszynska, J. 1985 Tymoteusz, B. 3237
San Matías, S. 2735 Soto, E. 1533
Sánchez, M. 121 Sousa, S.D. 761 Ušpuras, E. 1867
Sánchez, A. 441, 505, 2707 Spadoni, G. 2397 Ulmeanu, A.P. 2167
Sand, K. 2561 Sperandio, S. 331 Ulusçu, O.S. 3257
Sansavini, G. 1861 Spitsa, R. 1141 Unagami, T. 2685
Santamaría, C. 757 Spouge, J. 2223 Uusitalo, T. 2511
Sant’Ana, M.C. 497 Stamenković, B.B. 3163,
Santos-Reyes, J.R. 11, 2765 3209 Vázquez López, M. 899
Sarshar, S. 183 Steen, R. 323 Vázquez, M. 1949
Saull, J.W. 1351 Steinka, I. 2269 Vaccaro, F. 3217
Savić, R. 1513 Stelmach, A.W. 2191 Vaidogas, E.R. 1641
Saw, J.L. 2353 Sterkenburg, R.P. 2363 Valis, D. 1807, 1813
Scarf, P.A. 423 Stevens, I. 3117 van den Berg, A. 1113
Scarlatti, A. 2501 Stian Østrem, J. 1335 van der Boom, R.P. 2223
Schäbe, H. 1283 Stoop, J.A. 1519 van der Most, H. 1585
Schiefloe, P.M. 2997 Strömgren, M. 391, 399 van der Sluijs, J.P. 369
Schmitz, W. 2511 Su, J.L. 2757 van der Veen, A. 2781
Schnieder, E. 2665 Subramanian, C.S. 2453 van der Weide, J.A.M. 431
Schröder, R.W. 1097 Sunde, L. 1489 van Erp, N. 717
Schweckendiek, T. 2807 Susperregui, L. 3223 van Gelder, P.H.A.J.M. 717,
Schwindt, M. 965 Suter, G. 1217 2797
Segovia, M.C. 881, 1955 Sykora, M. 1629 van Mierlo, M.C.L.M.
Serbanescu, D. 341, 2593, Szpytko, J. 1231 2807
2715 van Noortwijk, J.M. 431
Serradell, V. 2827, 2837 Takai, J. 2685 van Vliet, A.A.C. 1191
Servranckx, L. 2369, 3067 Tambour, F. 2369, 3067 Vanem, E. 3275
Shehata, S. 2285 Tao, J. 1663 van’t Sant, J.P. 1113
Shingyochi, K. 1715, 1839 Tarelko, W. 3289 Vanzi, I. 2519
Shokravi, S. 1125 Tavares, A.T. 1577 Vaquero, C. 727
Shu, C.M. 71, 1267 Tchórzewska-Cieślak, B. Vaurio, J.K. 1103
Shu, C.-M. 39, 2405 2463 Čepin, M. 1771, 2883
Siebold, U. 1547 Telhada, J. 587 Veiga, F. 205
Siegrist, M. 361 Terruggia, R. 2501 Verga, S. 315
Signoret, J.-P. 1173 Thöns, S. 1567 Verhoef, E.T. 2817
Silva, S.A. 1415 Thevik, H. 1335 Verleye, G. 3117
Simões, C. 2627 Thompson, H.A. 1881, Vetere Arellano, A.L. 341,
Simos, G. 281 2971 2593
Singh, M. 2945 Thorpe, N. 299 Vikland, K.M. 1377
Sipa, J. 57 Thorstad, H.H. 2581 Vílchez, J.A. 2421
Skarholt, K. 259, 821, Tian, Z. 1723 Viles, E. 205
1407, 2981 Todinov, M.T. 1655, 2143 Villamizar, M. 505
Skjerve, A.B. 941 Torres-Echeverria, A.C. Villanueva, J.F. 2827,
Skjong, R. 3275 1881, 2971 2837
Skorupski, J. 2191 Torvatn, H. 259, 2981, Vinnem, J.E. 1181
Skrobanek, P. 1055 3039, 3047 Vintr, Z. 1813
Sliwinski, M. 1463 Trainor, M.T. 2353 Vivalda, C. 305
Smalko, Z. 1231, 3337 Trijssenaar-Buhre, I.J.M. Vleugel, J.M. 1519
Smith, N.W. 1293 2363 Voirin, M. 63
Smolarek, L. 3295 Tronci, M. 1495 Vojtek, M. 1671
Sniedovich, M. 2071 Trucco, P. 1431, 3265 Volkanovski, A. 1771
Solano, H. 2447 Tseng, J.M. 71 Volovoi, V. 1961
Solberg, G. 733 Tsujimura, Y. 1839 Vrancken, J.L.M. 1519
Soliwoda, J. 3295 Tucci, M. 211 Vrijling, J.K. 1259, 2797
Son, K.S. 1481 Tugnoli, A. 1147, 2345 Vrouwenvelder, A.C.W.M.
Soria, A. 1401 Turcanu, C. 89 2807
858
Wagner, S. 2541 Woltjer, R. 19 Zanelli, S. 1199
Walls, L. 987 Woropay, M. 2037 Zanocco, P. 2899
Walter, M. 1705, 1829 Wu, C.C. 2757 Zendri, E. 2501
Wang, C. 113 Wu, S.H. 71, 1267 Zerhouni, N. 191
Wang, J. 3109 Wu, S.-H. 39, 2405 Železnik, N. 3015
Wang, W. 523 Zhang, C. 863, 1663
Wang, Y. 863 Xu, S. 2845 Zhang, T. 649
Wemmenhove, E. 2295 Xuewei Ji, A. 79 Zhao, X. 593
Weng, W.P. 1267 Zhu, D. 113
Wenguo Weng, B. 79 Yamaguchi, T. 1839 Zieja, M. 449
Werbinska, S. 1055, Yamamoto, H. 1715, 1839
Zilber, N. 3231
1851 Yang, J.-E. 2861
Zille, V. 531
Wiencke, H.S. 2929 Yannart, B. 2369, 3067
Wiersma, T. 1223 Yeung, T.G. 3171 Zio, E. 477, 703, 709,
Wiesner, R. 351 Yoon, C. 2861 1861, 2081, 2101, 2873
Wijnant-Timmerman, S.I. Yu, L.Q. 2845 Zubeldia, U. 3223
1223, 2363 Yufang, Z. 1943 Zuo, M.J. 1723
Wilday, A.J. 2353 Yukhymets, P. 1141 Żurek, J. 449
Wilson, S.P. 949 Žutautaite-Šeputiene, I.
Winder, C. 739, 1081 Zaitseva, E. 1995 1867
Winther, R. 183, 2635 Zajicek, J. 635 Zwetkoff, C. 1609
859
SAFETY, RELIABILITY AND RISK ANALYSIS: THEORY, METHODS
AND APPLICATIONS
PROCEEDINGS OF THE EUROPEAN SAFETY AND RELIABILITY CONFERENCE, ESREL 2008,
AND 17TH SRA-EUROPE, VALENCIA, SPAIN, SEPTEMBER, 22–25, 2008
Editors
Sebastián Martorell
Department of Chemical and Nuclear Engineering,
Universidad Politécnica de Valencia, Spain
C. Guedes Soares
Instituto Superior Técnico, Technical University of Lisbon, Lisbon, Portugal
Julie Barnett
Department of Psychology, University of Surrey, UK
VOLUME 2
Table of contents
Preface XXIV
Organization XXXI
Acknowledgment XXXV
Introduction XXXVII
VOLUME 1
Thematic areas
Accident and incident investigation
A code for the simulation of human failure events in nuclear power plants: SIMPROC 3
J. Gil, J. Esperón, L. Gamo, I. Fernández, P. González, J. Moreno, A. Expósito,
C. Queral, G. Rodríguez & J. Hortal
A preliminary analysis of the ‘Tlahuac’ incident by applying the MORT technique 11
J.R. Santos-Reyes, S. Olmos-Peña & L.M. Hernández-Simón
Comparing a multi-linear (STEP) and systemic (FRAM) method for accident analysis 19
I.A. Herrera & R. Woltjer
Development of a database for reporting and analysis of near misses in the Italian
chemical industry 27
R.V. Gagliardi & G. Astarita
Development of incident report analysis system based on m-SHEL ontology 33
Y. Asada, T. Kanno & K. Furuta
Forklifts overturn incidents and prevention in Taiwan 39
K.Y. Chen, S.-H. Wu & C.-M. Shu
Formal modelling of incidents and accidents as a means for enriching training material for satellite control operations 45
S. Basnyat, P. Palanque, R. Bernhaupt & E. Poupart
Hazard factors analysis in regional traffic records 57
M. Mlynczak & J. Sipa
Organizational analysis of availability: What are the lessons for a high risk industrial company? 63
M. Voirin, S. Pierlot & Y. Dien
Thermal explosion analysis of methyl ethyl ketone peroxide by non-isothermal and isothermal calorimetry application 71
S.H. Wu, J.M. Tseng & C.M. Shu
Crisis and emergency management
A mathematical model for risk analysis of disaster chains 79
A. Xuewei Ji, B. Wenguo Weng & Pan Li
Effective learning from emergency responses 83
K. Eriksson & J. Borell
On the constructive role of multi-criteria analysis in complex decision-making: An application in radiological emergency management 89
C. Turcanu, B. Carlé, J. Paridaens & F. Hardeman
Decision support systems and software tools for safety and reliability
Complex, expert based multi-role assessment system for small and medium enterprises 99
S.G. Kovacs & M. Costescu
DETECT: A novel framework for the detection of attacks to critical infrastructures 105
F. Flammini, A. Gaglione, N. Mazzocca & C. Pragliola
Methodology and software platform for multi-layer causal modeling 113
K.M. Groth, C. Wang, D. Zhu & A. Mosleh
SCAIS (Simulation Code System for Integrated Safety Assessment): Current status and applications 121
J.M. Izquierdo, J. Hortal, M. Sánchez, E. Meléndez, R. Herrero, J. Gil, L. Gamo, I. Fernández, J. Esperón, P. González, C. Queral, A. Expósito & G. Rodríguez
Using GIS and multivariate analyses to visualize risk levels and spatial patterns of severe accidents in the energy sector 129
P. Burgherr
Weak signals of potential accidents at “Seveso” establishments 137
P.A. Bragatto, P. Agnello, S. Ansaldi & P. Pittiglio
Dynamic reliability
A dynamic fault classification scheme 147
B. Fechner
Importance factors in dynamic reliability 155
R. Eymard, S. Mercier & M. Roussignol
TSD, a SCAIS suitable variant of the SDTPD 163
J.M. Izquierdo & I. Cañamón
From diagnosis to prognosis: A maintenance experience for an electric locomotive 211
O. Borgia, F. De Carlo & M. Tucci
Human factors
A study on the validity of R-TACOM measure by comparing operator response time data 221
J. Park & W. Jung
An evaluation of the Enhanced Bayesian THERP method using simulator data 227
K. Bladh, J.-E. Holmberg & P. Pyy
Comparing CESA-Q human reliability analysis with evidence from simulator: A first attempt 233
L. Podofillini & B. Reer
Exploratory and confirmatory analysis of the relationship between social norms and safety behavior 243
C. Fugas, S.A. da Silva & J.L. Melià
Functional safety and layer of protection analysis with regard to human factors 249
K.T. Kosmowski
How employees’ use of information technology systems shape reliable operations of large scale technological systems 259
T.K. Andersen, P. Næsje, H. Torvatn & K. Skarholt
Incorporating simulator evidence into HRA: Insights from the data analysis of the international HRA empirical study 267
S. Massaiu, P.Ø. Braarud & M. Hildebrandt
Insights from the “HRA international empirical study”: How to link data and HRA with MERMOS 275
H. Pesme, P. Le Bot & P. Meyer
Operators’ response time estimation for a critical task using the fuzzy logic theory 281
M. Konstandinidou, Z. Nivolianitou, G. Simos, C. Kiranoudis & N. Markatos
The concept of organizational supportiveness 291
J. Nicholls, J. Harvey & G. Erdos
The influence of personal variables on changes in driver behaviour 299
S. Heslop, J. Harvey, N. Thorpe & C. Mulley
The key role of expert judgment in CO2 underground storage projects 305
C. Vivalda & L. Jammes
Precaution in practice? The case of nanomaterial industry 361
H. Kastenholz, A. Helland & M. Siegrist
Risk based maintenance prioritisation 365
G. Birkeland, S. Eisinger & T. Aven
Shifts in environmental health risk governance: An analytical framework 369
H.A.C. Runhaar, J.P. van der Sluijs & P.P.J. Driessen
What does ‘‘safety margin’’ really mean? 379
J. Hortal, R. Mendizábal & F. Pelayo
Maintenance modelling integrating human and material resources 505
S. Martorell, M. Villamizar, A. Sánchez & G. Clemente
Modelling competing risks and opportunistic maintenance with expert judgement 515
T. Bedford & B.M. Alkali
Modelling different types of failure and residual life estimation for condition-based maintenance 523
M.J. Carr & W. Wang
Multi-component systems modeling for quantifying complex maintenance strategies 531
V. Zille, C. Bérenguer, A. Grall, A. Despujols & J. Lonchampt
Multiobjective optimization of redundancy allocation in systems with imperfect repairs via ant colony and discrete event simulation 541
I.D. Lins & E. López Droguett
Non-homogeneous Markov reward model for aging multi-state system under corrective maintenance 551
A. Lisnianski & I. Frenkel
On the modeling of ageing using Weibull models: Case studies 559
P. Praks, H. Fernandez Bacarizo & P.-E. Labeau
On-line condition-based maintenance for systems with several modes of degradation 567
A. Ponchet, M. Fouladirad & A. Grall
Opportunity-based age replacement for a system under two types of failures 575
F.G. Badía & M.D. Berrade
Optimal inspection intervals for maintainable equipment 581
O. Hryniewicz
Optimal periodic inspection of series systems with revealed and unrevealed failures 587
M. Carvalho, E. Nunes & J. Telhada
Optimal periodic inspection/replacement policy for deteriorating systems with explanatory variables 593
X. Zhao, M. Fouladirad, C. Bérenguer & L. Bordes
Optimal replacement policy for components with general failure rates submitted to obsolescence 603
S. Mercier
Optimization of the maintenance function at a company 611
S. Adjabi, K. Adel-Aissanou & M. Azi
Planning and scheduling maintenance resources in a complex system 619
M. Newby & C. Barker
Preventive maintenance planning using prior expert knowledge and multicriteria method PROMETHEE III 627
F.A. Figueiredo, C.A.V. Cavalcante & A.T. de Almeida
Profitability assessment of outsourcing maintenance from the producer (big rotary machine study) 635
P. Fuchs & J. Zajicek
Simulated annealing method for the selective maintenance optimization of multi-mission series-parallel systems 641
A. Khatab, D. Ait-Kadi & A. Artiba
Study on the availability of a k-out-of-N System given limited spares under (m, NG) maintenance policy 649
T. Zhang, H.T. Lei & B. Guo
System value trajectories, maintenance, and its present value 659
K.B. Marais & J.H. Saleh
The maintenance management framework: A practical view to maintenance management 669
A. Crespo Márquez, P. Moreu de León, J.F. Gómez Fernández, C. Parra Márquez & V. González
Workplace occupation and equipment availability and utilization, in the context of maintenance float systems 675
I.S. Lopes, A.F. Leitão & G.A.B. Pereira
Occupational safety
Application of virtual reality technologies to improve occupational & industrial safety in industrial processes 727
J. Rubio, B. Rubio, C. Vaquero, N. Galarza, A. Pelaz, J.L. Ipiña, D. Sagasti & L. Jordá
Applying the resilience concept in practice: A case study from the oil and gas industry 733
L. Hansson, I. Andrade Herrera, T. Kongsvik & G. Solberg
Development of an assessment tool to facilitate OHS management based upon the safe place, safe person, safe systems framework 739
A.-M. Makin & C. Winder
Exploring knowledge translation in occupational health using the mental models approach: A case study of machine shops 749
A.-M. Nicol & A.C. Hurrell
Mathematical modelling of risk factors concerning work-related traffic accidents 757
C. Santamaría, G. Rubio, B. García & E. Navarro
New performance indicators for the health and safety domain: A benchmarking use perspective 761
H.V. Neto, P.M. Arezes & S.D. Sousa
Occupational risk management for fall from height 767
O.N. Aneziris, M. Konstandinidou, I.A. Papazoglou, M. Mud, M. Damen, J. Kuiper, H. Baksteen, L.J. Bellamy, J.G. Post & J. Oh
Occupational risk management for vapour/gas explosions 777
I.A. Papazoglou, O.N. Aneziris, M. Konstandinidou, M. Mud, M. Damen, J. Kuiper, A. Bloemhoff, H. Baksteen, L.J. Bellamy, J.G. Post & J. Oh
Occupational risk of an aluminium industry 787
O.N. Aneziris, I.A. Papazoglou & O. Doudakmani
Risk regulation bureaucracies in EU accession states: Drinking water safety in Estonia 797
K. Kangur
Organization learning
Can organisational learning improve safety and resilience during changes? 805
S.O. Johnsen & S. Håbrekke
Consequence analysis as organizational development 813
B. Moltu, A. Jarl Ringstad & G. Guttormsen
Integrated operations and leadership—How virtual cooperation influences leadership practice 821
K. Skarholt, P. Næsje, V. Hepsø & A.S. Bye
Outsourcing maintenance in services providers 829
J.F. Gómez, C. Parra, V. González, A. Crespo & P. Moreu de León
Revising rules and reviving knowledge in the Norwegian railway system 839
H.C. Blakstad, R. Rosness & J. Hovden
Risk Management in systems: Learning to recognize and respond to weak signals 847
E. Guillaume
Author index 853
VOLUME 2
Risk and evidence based policy making
Environmental reliability as a requirement for defining environmental impact limits in critical areas 957
E. Calixto & E. Lèbre La Rovere
Hazardous aid? The crowding-out effect of international charity 965
P.A. Raschky & M. Schwindt
Individual risk-taking and external effects—An empirical examination 973
S. Borsky & P.A. Raschky
Licensing a Biofuel plan transforming animal fats 981
J.-F. David
Modelling incident escalation in explosives storage 987
G. Hardman, T. Bedford, J. Quigley & L. Walls
The measurement and management of Deca-BDE—Why the continued certainty of uncertainty? 993
R.E. Alcock, B.H. McGillivray & J.S. Busby
Developments in fault tree techniques and importance measures 1103
J.K. Vaurio
Dutch registration of risk situations 1113
J.P. van’t Sant, H.J. Manuel & A. van den Berg
Experimental study of jet fires 1119
M. Gómez-Mares, A. Palacios, A. Peiretti, M. Muñoz & J. Casal
Failure mode and effect analysis algorithm for tunneling projects 1125
K. Rezaie, V. Ebrahimipour & S. Shokravi
Fuzzy FMEA: A study case on a discontinuous distillation plant 1129
S.S. Rivera & J.E. Núñez Mc Leod
Risk analysis in extreme environmental conditions for Aconcagua Mountain station 1135
J.E. Núñez Mc Leod & S.S. Rivera
Geographic information system for evaluation of technical condition and residual life of pipelines 1141
P. Yukhymets, R. Spitsa & S. Kobelsky
Inherent safety indices for the design of layout plans 1147
A. Tugnoli, V. Cozzani, F.I. Khan & P.R. Amyotte
Minmax defense strategy for multi-state systems 1157
G. Levitin & K. Hausken
Multicriteria risk assessment for risk ranking of natural gas pipelines 1165
A.J. de M. Brito, C.A.V. Cavalcante, R.J.P. Ferreira & A.T. de Almeida
New insight into PFDavg and PFH 1173
F. Innal, Y. Dutuit, A. Rauzy & J.-P. Signoret
On causes and dependencies of errors in human and organizational barriers against major accidents 1181
J.E. Vinnem
Quantitative risk analysis method for warehouses with packaged hazardous materials 1191
D. Riedstra, G.M.H. Laheij & A.A.C. van Vliet
Ranking the attractiveness of industrial plants to external acts of interference 1199
M. Sabatini, S. Zanelli, S. Ganapini, S. Bonvicini & V. Cozzani
Review and discussion of uncertainty taxonomies used in risk analysis 1207
T.E. Nøkland & T. Aven
Risk analysis in the frame of the ATEX Directive and the preparation of an Explosion Protection Document 1217
A. Pey, G. Suter, M. Glor, P. Lerena & J. Campos
Risk reduction by use of a buffer zone 1223
S.I. Wijnant-Timmerman & T. Wiersma
Safety in engineering practice 1231
Z. Smalko & J. Szpytko
Why ISO 13702 and NFPA 15 standards may lead to unsafe design 1239
S. Medonos & R. Raman
Thermal characteristic analysis of Y type zeolite by differential scanning calorimetry 1267
S.H. Wu, W.P. Weng, C.C. Hsieh & C.M. Shu
Using network methodology to define emergency response team location: The Brazilian refinery case study 1273
E. Calixto, E. Lèbre La Rovere & J. Eustáquio Beraldo
Safety culture
“Us” and “Them”: The impact of group identity on safety critical behaviour 1377
R.J. Bye, S. Antonsen & K.M. Vikland
Does change challenge safety? Complexity in the civil aviation transport system 1385
S. Høyland & K. Aase
Electromagnetic fields in the industrial environment 1395
J. Fernández, A. Quijano, M.L. Soriano & V. Fuster
Electrostatic charges in industrial environments 1401
P. LLovera, A. Quijano, A. Soria & V. Fuster
Empowering operations and maintenance: Safe operations with the “one directed team” organizational model at the Kristin asset 1407
P. Næsje, K. Skarholt, V. Hepsø & A.S. Bye
Leadership and safety climate in the construction industry 1415
J.L. Meliá, M. Becerril, S.A. Silva & K. Mearns
Local management and its impact on safety culture and safety within Norwegian shipping 1423
H.A. Oltedal & O.A. Engen
Quantitative analysis of the anatomy and effectiveness of occupational safety culture 1431
P. Trucco, M. De Ambroggi & O. Grande
Safety management and safety culture assessment in Germany 1439
H.P. Berg
The potential for error in communications between engineering designers 1447
J. Harvey, R. Jamieson & K. Pearce
Software reliability
Assessment of software reliability and the efficiency of corrective actions during the software development process 1513
R. Savić
ERTMS, deals on wheels? An inquiry into a major railway project 1519
J.A. Stoop, J.H. Baggen, J.M. Vleugel & J.L.M. Vrancken
Guaranteed resource availability in a website 1525
V.P. Koutras & A.N. Platis
Reliability oriented electronic design automation tool 1533
J. Marcos, D. Bóveda, A. Fernández & E. Soto
Reliable software for partitionable networked environments—An experience report 1539
S. Beyer, J.C. García Ortiz, F.D. Muñoz-Escoí, P. Galdámez, L. Froihofer, K.M. Goeschka & J. Osrael
SysML aided functional safety assessment 1547
M. Larisch, A. Hänle, U. Siebold & I. Häring
UML safety requirement specification and verification 1555
A. Hänle & I. Häring
Stakeholder and public involvement in risk governance
Assessment and monitoring of reliability and robustness of offshore wind energy converters 1567
S. Thöns, M.H. Faber, W. Rücker & R. Rohrmann
Building resilience to natural hazards. Practices and policies on governance and mitigation in the central region of Portugal 1577
J.M. Mendes & A.T. Tavares
Governance of flood risks in The Netherlands: Interdisciplinary research into the role and meaning of risk perception 1585
M.S. de Wit, H. van der Most, J.M. Gutteling & M. Bočkarjova
Public intervention for better governance—Does it matter? A study of the “Leros Strength” case 1595
P.H. Lindøe & J.E. Karlsen
Reasoning about safety management policy in everyday terms 1601
T. Horlick-Jones
Using stakeholders’ expertise in EMF and soil contamination to improve the management of public policies dealing with modern risk: When uncertainty is on the agenda 1609
C. Fallon, G. Joris & C. Zwetkoff
VOLUME 3
A depth first search algorithm for optimal arrangements in a circular consecutive-k-out-of-n:F system 1715
K. Shingyochi & H. Yamamoto
A joint reliability-redundancy optimization approach for multi-state series-parallel systems 1723
Z. Tian, G. Levitin & M.J. Zuo
A new approach to assess the reliability of a multi-state system with dependent components 1731
M. Samrout & E. Chatelet
A reliability analysis and decision making process for autonomous systems 1739
R. Remenyte-Prescott, J.D. Andrews, P.W.H. Chung & C.G. Downes
Advanced discrete event simulation methods with application to importance measure estimation 1747
A.B. Huseby, K.A. Eide, S.L. Isaksen, B. Natvig & J. Gåsemyr
Algorithmic and computational analysis of a multi-component complex system 1755
J.E. Ruiz-Castro, R. Pérez-Ocón & G. Fernández-Villodre
An efficient reliability computation of generalized multi-state k-out-of-n systems 1763
S.V. Amari
Application of the fault tree analysis for assessment of the power system reliability 1771
A. Volkanovski, M. Čepin & B. Mavko
BDMP (Boolean logic driven Markov processes) as an alternative to event trees 1779
M. Bouissou
Bivariate distribution based passive system performance assessment 1787
L. Burgazzi
Calculating steady state reliability indices of multi-state systems using dual number algebra 1795
E. Korczak
Concordance analysis of importance measure 1803
C.M. Rocco S.
Contribution to availability assessment of systems with one shot items 1807
D. Valis & M. Koucky
Contribution to modeling of complex weapon systems reliability 1813
D. Valis, Z. Vintr & M. Koucky
Delayed system reliability and uncertainty analysis 1819
R. Alzbutas, V. Janilionis & J. Rimas
Efficient generation and representation of failure lists out of an information flux model for modeling safety critical systems 1829
M. Pock, H. Belhadaoui, O. Malassé & M. Walter
Evaluating algorithms for the system state distribution of multi-state k-out-of-n:F system 1839
T. Akiba, H. Yamamoto, T. Yamaguchi, K. Shingyochi & Y. Tsujimura
First-passage time analysis for Markovian deteriorating model 1847
G. Dohnal
Model of logistic support system with time dependency 1851
S. Werbinska
Modeling failure cascades in network systems due to distributed random disturbances 1861
E. Zio & G. Sansavini
Modeling of the changes of graphite bore in RBMK-1500 type nuclear reactor 1867
I. Žutautaite-Šeputiene, J. Augutis & E. Ušpuras
Modelling multi-platform phased mission system reliability 1873
D.R. Prescott, J.D. Andrews & C.G. Downes
Modelling test strategies effects on the probability of failure on demand for safety instrumented systems 1881
A.C. Torres-Echeverria, S. Martorell & H.A. Thompson
New insight into measures of component importance in production systems 1891
S.L. Isaksen
New virtual age models for bathtub shaped failure intensities 1901
Y. Dijoux & E. Idée
On some approaches to defining virtual age of non-repairable objects 1909
M.S. Finkelstein
On the application and extension of system signatures in engineering reliability 1915
J. Navarro, F.J. Samaniego, N. Balakrishnan & D. Bhattacharya
PFD of higher-order configurations of SIS with partial stroke testing capability 1919
L.F.S. Oliveira
Power quality as accompanying factor in reliability research of electric engines 1929
I.J. Jóźwiak, K. Kujawski & T. Nowakowski
RAMS and performance analysis 1937
X. Quayzin, E. Arbaretier, Z. Brik & A. Rauzy
Reliability evaluation of complex system based on equivalent fault tree 1943
Z. Yufang, Y. Hong & L. Jun
Reliability evaluation of III-V Concentrator solar cells 1949
N. Núñez, J.R. González, M. Vázquez, C. Algora & I. Rey-Stolle
Reliability of a degrading system under inspections 1955
D. Montoro-Cazorla, R. Pérez-Ocón & M.C. Segovia
Reliability prediction using petri nets for on-demand safety systems with fault detection 1961
A.V. Kleyner & V. Volovoi
Reliability, availability and cost analysis of large multi-state systems with ageing components 1969
K. Kolowrocki
Reliability, availability and risk evaluation of technical systems in variable operation conditions 1985
K. Kolowrocki & J. Soszynska
Representation and estimation of multi-state system reliability by decision diagrams 1995
E. Zaitseva & S. Puuronen
Safety instrumented system reliability evaluation with influencing factors 2003
F. Brissaud, D. Charpentier, M. Fouladirad, A. Barros & C. Bérenguer
Smooth estimation of the availability function of a repairable system 2013
M.L. Gámiz & Y. Román
System design optimisation involving phased missions 2021
D. Astapenko & L.M. Bartlett
The Natvig measures of component importance in repairable systems applied to an offshore oil and gas production system 2029
B. Natvig, K.A. Eide, J. Gåsemyr, A.B. Huseby & S.L. Isaksen
The operation quality assessment as an initial part of reliability improvement and low cost automation of the system 2037
L. Muslewski, M. Woropay & G. Hoppe
Three-state modelling of dependent component failures with domino effects 2045
U.K. Rakowsky
Variable ordering techniques for the application of Binary Decision Diagrams on PSA linked Fault Tree models 2051
C. Ibáñez-Llano, A. Rauzy, E. Meléndez & F. Nieto
Weaknesses of classic availability calculations for interlinked production systems and their overcoming 2061
D. Achermann
Model of air traffic in terminal area for ATFM safety analysis 2191
J. Skorupski & A.W. Stelmach
Predicting airport runway conditions based on weather data 2199
A.B. Huseby & M. Rabbe
Safety considerations in complex airborne systems 2207
M.J.R. Lemes & J.B. Camargo Jr
The Preliminary Risk Analysis approach: Merging space and aeronautics methods 2217
J. Faure, R. Laulheret & A. Cabarbaye
Using a Causal model for Air Transport Safety (CATS) for the evaluation of alternatives 2223
B.J.M. Ale, L.J. Bellamy, R.P. van der Boom, J. Cooper, R.M. Cooke, D. Kurowicka, P.H. Lin, O. Morales, A.L.C. Roelen & J. Spouge
Automotive engineering
An approach to describe interactions in and between mechatronic systems 2233
J. Gäng & B. Bertsche
Influence of the mileage distribution on reliability prognosis models 2239
A. Braasch, D. Althaus & A. Meyna
Reliability prediction for automotive components using Real-Parameter Genetic Algorithm 2245
J. Hauschild, A. Kazeminia & A. Braasch
Stochastic modeling and prediction of catalytic converters degradation 2251
S. Barone, M. Giorgio, M. Guida & G. Pulcini
Towards a better interaction between design and dependability analysis: FMEA derived from UML/SysML models 2259
P. David, V. Idasiak & F. Kratz
Risk perception and communication of food safety and food technologies in Flanders, The Netherlands, and the United Kingdom 2325
U. Maris
Synthesis of reliable digital microfluidic biochips using Monte Carlo simulation 2333
E. Maftei, P. Pop & F. Popenţiu Vlădicescu
Civil engineering
Decision tools for risk management support in construction industry 2431
S. Mehicic Eberhardt, S. Moeller, M. Missler-Behr & W. Kalusche
Definition of safety and the existence of “optimal safety” 2441
D. Proske
Failure risk analysis in Water Supply Networks 2447
A. Carrión, A. Debón, E. Cabrera, M.L. Gamiz & H. Solano
Hurricane vulnerability of multi-story residential buildings in Florida 2453
G.L. Pita, J.-P. Pinelli, C.S. Subramanian, K. Gurley & S. Hamid
Risk management system in water-pipe network functioning 2463
B. Tchórzewska-Cieślak
Use of extreme value theory in engineering design 2473
E. Castillo, C. Castillo & R. Mínguez
Critical infrastructures
A model for vulnerability analysis of interdependent infrastructure networks 2491
J. Johansson & H. Jönsson
Exploiting stochastic indicators of interdependent infrastructures: The service availability of interconnected networks 2501
G. Bonanni, E. Ciancamerla, M. Minichino, R. Clemente, A. Iacomini, A. Scarlatti, E. Zendri & R. Terruggia
Proactive risk assessment of critical infrastructures 2511
T. Uusitalo, R. Koivisto & W. Schmitz
Seismic assessment of utility systems: Application to water, electric power and transportation networks 2519
C. Nuti, A. Rasulo & I. Vanzi
Author index 2531
VOLUME 4
Cyanotoxins and health risk assessment 2613
J. Kellner, F. Božek, J. Navrátil & J. Dvořák
The estimation of health effect risks based on different sampling intervals of meteorological data 2619
J. Jeong & S. Hoon Han
Manufacturing
A decision model for preventing knock-on risk inside industrial plant 2701
M. Grazia Gnoni, G. Lettera & P. Angelo Bragatto
Condition based maintenance optimization under cost and profit criteria for manufacturing equipment 2707
A. Sánchez, A. Goti & V. Rodríguez
PRA-type study adapted to the multi-crystalline silicon photovoltaic cells manufacture process 2715
A. Colli, D. Serbanescu & B.J.M. Ale
Mechanical engineering
Developing a new methodology for OHS assessment in small and medium enterprises 2727
C. Pantanali, A. Meneghetti, C. Bianco & M. Lirussi
Optimal Pre-control as a tool to monitor the reliability of a manufacturing system 2735
S. San Matías & V. Giner-Bosch
The respirable crystalline silica in the ceramic industries—Sampling, exposure and toxicology 2743
E. Monfort, M.J. Ibáñez & A. Escrig
Natural hazards
A framework for the assessment of the industrial risk caused by floods 2749
M. Campedel, G. Antonioni, V. Cozzani & G. Di Baldassarre
A simple method of risk potential analysis for post-earthquake fires 2757
J.L. Su, C.C. Wu, K.S. Fan & J.R. Chen
Applying the SDMS model to manage natural disasters in Mexico 2765
J.R. Santos-Reyes & A.N. Beard
Decision making tools for natural hazard risk management—Examples from Switzerland 2773
M. Bründl, B. Krummenacher & H.M. Merz
How to motivate people to assume responsibility and act upon their own protection from flood risk in The Netherlands if they think they are perfectly safe? 2781
M. Bočkarjova, A. van der Veen & P.A.T.M. Geurts
Integral risk management of natural hazards—A system analysis of operational application to rapid mass movements 2789
N. Bischof, H. Romang & M. Bründl
Risk based approach for a long-term solution of coastal flood defences—A Vietnam case 2797
C. Mai Van, P.H.A.J.M. van Gelder & J.K. Vrijling
River system behaviour effects on flood risk 2807
T. Schweckendiek, A.C.W.M. Vrouwenvelder, M.C.L.M. van Mierlo, E.O.F. Calle & W.M.G. Courage
Valuation of flood risk in The Netherlands: Some preliminary results 2817
M. Bočkarjova, P. Rietveld & E.T. Verhoef
Nuclear engineering
An approach to integrate thermal-hydraulic and probabilistic analyses in addressing safety margins estimation accounting for uncertainties 2827
S. Martorell, Y. Nebot, J.F. Villanueva, S. Carlos, V. Serradell, F. Pelayo & R. Mendizábal
Availability of alternative sources for heat removal in case of failure of the RHRS during midloop conditions addressed in LPSA 2837
J.F. Villanueva, S. Carlos, S. Martorell, V. Serradell, F. Pelayo & R. Mendizábal
Complexity measures of emergency operating procedures: A comparison study with data from a simulated computerized procedure experiment 2845
L.Q. Yu, Z.Z. Li, X.L. Dong & S. Xu
Distinction impossible!: Comparing risks between Radioactive Wastes Facilities and Nuclear Power Stations 2851
S. Kim & S. Cho
Heat-up calculation to screen out the room cooling failure function from a PSA model 2861
M. Hwang, C. Yoon & J.-E. Yang
Investigating the material limits on social construction: Practical reasoning about nuclear fusion and other technologies 2867
T. Horlick-Jones, A. Prades, C. Oltra, J. Navajas & J. Espluga
Neural networks and order statistics for quantifying nuclear power plants safety margins 2873
E. Zio, F. Di Maio, S. Martorell & Y. Nebot
Probabilistic safety assessment for other modes than power operation 2883
M. Čepin & R. Prosen
Probabilistic safety margins: Definition and calculation 2891
R. Mendizábal
Reliability assessment of the thermal hydraulic phenomena related to a CAREM-like passive RHR System 2899
G. Lorenzo, P. Zanocco, M. Giménez, M. Marquès, B. Iooss, R. Bolado Lavín, F. Pierro, G. Galassi, F. D’Auria & L. Burgazzi
Some insights from the observation of nuclear power plant operators’ management of simulated abnormal situations 2909
M.C. Kim & J. Park
Vital area identification using fire PRA and RI-ISI results in UCN 4 nuclear power plant 2913
K.Y. Kim, Y. Choi & W.S. Jung
Policy decisions
Dealing with nanotechnology: Do the boundaries matter? 3007
S. Brunet, P. Delvenne, C. Fallon & P. Gillon
Factors influencing the public acceptability of the LILW repository 3015
N. Železnik, M. Polič & D. Kos
Risk futures in Europe: Perspectives for future research and governance. Insights from a EU funded project 3023
S. Menoni
Risk management strategies under climatic uncertainties 3031
U.S. Brandt
Safety representative and managers: Partners in health and safety? 3039
T. Kvernberg Andersen, H. Torvatn & U. Forseth
Stop in the name of safety—The right of the safety representative to halt dangerous work 3047
U. Forseth, H. Torvatn & T. Kvernberg Andersen
The VDI guideline on requirements for the qualification of reliability engineers—Curriculum and certification process 3055
U.K. Rakowsky
Public planning
Analysing analyses—An approach to combining several risk and vulnerability analyses 3061
J. Borell & K. Eriksson
Land use planning methodology used in Walloon region (Belgium) for tank farms of gasoline and diesel oil 3067
F. Tambour, N. Cornil, C. Delvosalle, C. Fiévez, L. Servranckx, B. Yannart & F. Benjelloun
Impact of preventive grinding on maintenance costs and determination of an optimal grinding cycle 3183
C. Meier-Hirmer & Ph. Pouligny
Logistics of dangerous goods: A GLOBAL risk assessment approach 3191
C. Mazri, C. Deust, B. Nedelec, C. Bouissou, J.C. Lecoze & B. Debray
Optimal design of control systems using a dependability criteria and temporal sequences evaluation—Application to a railroad transportation system 3199
J. Clarhaut, S. Hayat, B. Conrard & V. Cocquempot
RAM assurance programme carried out by the Swiss Federal Railways SA-NBS project 3209
B.B. Stamenković
RAMS specification for an urban transit Maglev system 3217
A. Raffetti, B. Faragona, E. Carfagna & F. Vaccaro
Safety analysis methodology application into two industrial cases: A new mechatronical system and during the life cycle of a CAF’s high speed train 3223
O. Revilla, A. Arnaiz, L. Susperregui & U. Zubeldia
The ageing of signalling equipment and the impact on maintenance strategies 3231
M. Antoni, N. Zilber, F. Lejette & C. Meier-Hirmer
The development of semi-Markov transportation model 3237
Z. Mateusz & B. Tymoteusz
Valuation of operational architecture dependability using Safe-SADT formalism: Application to a railway braking system 3245
D. Renaux, L. Cauffriez, M. Bayart & V. Benard
Waterborne transportation
A simulation based risk analysis study of maritime traffic in the Strait of Istanbul 3257
B. Özbaş, I. Or, T. Altiok & O.S. Ulusçu
Analysis of maritime accident data with BBN models 3265
P. Antão, C. Guedes Soares, O. Grande & P. Trucco
Collision risk analyses of waterborne transportation 3275
E. Vanem, R. Skjong & U. Langbecker
Complex model of navigational accident probability assessment based on real time simulation and manoeuvring cycle concept 3285
L. Gucma
Design of the ship power plant with regard to the operator safety 3289
A. Podsiadlo & W. Tarelko
Human fatigue model at maritime transport 3295
L. Smolarek & J. Soliwoda
Modeling of hazards, consequences and risk for safety assessment of ships in damaged conditions in operation 3303
M. Gerigk
Numerical and experimental study of a reliability measure for dynamic control of floating vessels 3311
B.J. Leira, P.I.B. Berntsen & O.M. Aamo
Reliability of overtaking maneuvers between ships in restricted area 3319
P. Lizakowski
Risk analysis of ports and harbors—Application of reliability engineering techniques 3323
B.B. Dutta & A.R. Kar
Subjective propulsion risk of a seagoing ship estimation 3331
A. Brandowski, W. Frackowiak, H. Nguyen & A. Podsiadlo
The analysis of SAR action effectiveness parameters with respect to drifting search area model 3337
Z. Smalko & Z. Burciu
The risk analysis of harbour operations 3343
T. Abramowicz-Gerigk
Author index 3351
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
Preface
This Conference stems from a European initiative merging the ESRA (European Safety and Reliability
Association) and SRA-Europe (Society for Risk Analysis—Europe) annual conferences into the major safety,
reliability and risk analysis conference in Europe during 2008. This is the second joint ESREL (European Safety
and Reliability) and SRA-Europe Conference, after the 2000 event held in Edinburgh, Scotland.
ESREL is an annual conference series promoted by the European Safety and Reliability Association. The
conference dates back to 1989, but was not referred to as an ESREL conference before 1992. The Conference
has become well established in the international community, attracting a good mix of academics and industry
participants that present and discuss subjects of interest and application across various industries in the fields of
Safety and Reliability.
The Society for Risk Analysis—Europe (SRA-E) was founded in 1987, as a section of SRA international
founded in 1981, to develop a special focus on risk related issues in Europe. SRA-E aims to bring together
individuals and organisations with an academic interest in risk assessment, risk management and risk commu-
nication in Europe and emphasises the European dimension in the promotion of interdisciplinary approaches of
risk analysis in science. The annual conferences take place in various countries in Europe in order to enhance the
access to SRA-E for both members and other interested parties. Recent conferences have been held in Stockholm,
Paris, Rotterdam, Lisbon, Berlin, Como, Ljubljana and the Hague.
These conferences come for the first time to Spain and the venue is Valencia, situated in the East coast close
to the Mediterranean Sea, which represents a meeting point of many cultures. The host of the conference is the
Universidad Politécnica de Valencia.
This year the theme of the Conference is "Safety, Reliability and Risk Analysis. Theory, Methods and
Applications". The Conference covers a number of topics within safety, reliability and risk, and provides a
forum for presentation and discussion of scientific papers covering theory, methods and applications to a wide
range of sectors and problem areas. Special focus has been placed on strengthening the bonds between the safety,
reliability and risk analysis communities with an aim at learning from the past building the future.
The Conferences have been growing with time and this year the program of the Joint Conference includes 416
papers from prestigious authors coming from all over the world. Originally, about 890 abstracts were submitted.
After the review by the Technical Programme Committee of the full papers, 416 have been selected and included
in these Proceedings. The effort of authors and the peers guarantee the quality of the work. The initiative and
planning carried out by Technical Area Coordinators have resulted in a number of interesting sessions covering
a broad spectre of topics.
Sebastián Martorell
C. Guedes Soares
Julie Barnett
Editors
Organization
Conference Chairman
Dr. Sebastián Martorell Alsina Universidad Politécnica de Valencia, Spain
Conference Co-Chairman
Dr. Blás Galván González University of Las Palmas de Gran Canaria, Spain
Bris R, Czech Republic
Bründl M, Switzerland
Burgherr P, Switzerland
Bye R, Norway
Carlos S, Spain
Castanier B, France
Castillo E, Spain
Cojazzi G, Italy
Contini S, Italy
Cozzani V, Italy
Cha J, Korea
Chozos N, United Kingdom
De Wit S, The Netherlands
Droguett E, Brazil
Drottz-Sjoberg B, Norway
Dutuit Y, France
Escriche I, Spain
Faber M, Switzerland
Fouladirad M, France
Garbatov Y, Portugal
Ginestar D, Spain
Grall A, France
Gucma L, Poland
Hardman G, United Kingdom
Harvey J, United Kingdom
Hokstad P, Norway
Holicky M, Czech Republic
Holloway M, United States
Iooss B, France
Iung B, France
Jonkman B, The Netherlands
Kafka P, Germany
Kahle W, Germany
Kleyner A, United States
Kolowrocki K, Poland
Konak A, United States
Korczak E, Poland
Kortner H, Norway
Kosmowski K, Poland
Kozine I, Denmark
Kulturel-Konak S, United States
Kurowicka D, The Netherlands
Labeau P, Belgium
Le Bot P, France
Limbourg P, Germany
Lisnianski A, Israel
Lucas D, United Kingdom
Luxhoj J, United States
Ma T, United Kingdom
Makin A, Australia
Massaiu S, Norway
Mercier S, France
Navarre D, France
Navarro J, Spain
Nelson W, United States
Newby M, United Kingdom
Nikulin M, France
Nivolianitou Z, Greece
Pérez-Ocón R, Spain
Pesme H, France
Piero B, Italy
Pierson J, France
Podofillini L, Italy
Proske D, Austria
Re A, Italy
Revie M, United Kingdom
Rocco C, Venezuela
Rouhiainen V, Finland
Roussignol M, France
Sadovsky Z, Slovakia
Salzano E, Italy
Sanchez A, Spain
Sanchez-Arcilla A, Spain
Scarf P, United Kingdom
Siegrist M, Switzerland
Sørensen J, Denmark
Storer T, United Kingdom
Sudret B, France
Teixeira A, Portugal
Tian Z, Canada
Tint P, Estonia
Trbojevic V, United Kingdom
Valis D, Czech Republic
Vaurio J, Finland
Yeh W, Taiwan
Zaitseva E, Slovakia
Zio E, Italy
Webpage Administration
Alexandre Janeiro Instituto Superior Técnico, Portugal
Rafael Pérez Ocón Universidad de Granada
Ana Isabel Sánchez Galdón Universidad Politécnica de Valencia
Vicente Serradell García Universidad Politécnica de Valencia
Gabriel Winter Althaus Universidad de Las Palmas de Gran Canaria
Sponsored by
Ajuntament de Valencia
Asociación Española para la Calidad (Comité de Fiabilidad)
CEANI
Generalitat Valenciana
Iberdrola
Ministerio de Educación y Ciencia
PMM Institute for Learning
Tekniker
Universidad de Las Palmas de Gran Canaria
Universidad Politécnica de Valencia
Acknowledgements
The conference is organized jointly by Universidad Politécnica de Valencia, ESRA (European Safety and Reliability Association) and SRA-Europe (Society for Risk Analysis—Europe), under the high patronage of the Ministerio de Educación y Ciencia, Generalitat Valenciana and Ajuntament de Valencia.
Thanks also to the support of our sponsors Iberdrola, PMM Institute for Learning, Tekniker, Asociación Española para la Calidad (Comité de Fiabilidad), CEANI and Universidad de Las Palmas de Gran Canaria. The support of all is greatly appreciated.
The work and effort of the peers involved in the Technical Program Committee in helping the authors to improve their papers are greatly appreciated. Special thanks go to the Technical Area Coordinators and organisers of the Special Sessions of the Conference, for their initiative and planning, which have resulted in a number of interesting sessions. Thanks to authors as well as reviewers for their contributions to the review process. The review process has been conducted electronically through the Conference web page. The support for the web page was provided by the Instituto Superior Técnico.
We would like to acknowledge especially the local organising committee and the conference secretariat and technical support at the Universidad Politécnica de Valencia for their careful planning of the practical arrangements. Their many hours of work are greatly appreciated.
These conference proceedings have been partially financed by the Ministerio de Educación y Ciencia de España (DPI2007-29009-E), the Generalitat Valenciana (AORG/2007/091 and AORG/2008/135) and the Universidad Politécnica de Valencia (PAID-03-07-2499).
Introduction
The Conference covers a number of topics within safety, reliability and risk, and provides a forum for presentation
and discussion of scientific papers covering theory, methods and applications to a wide range of sectors and
problem areas.
Thematic Areas
• Accident and Incident Investigation
• Crisis and Emergency Management
• Decision Support Systems and Software Tools for Safety and Reliability
• Dynamic Reliability
• Fault Identification and Diagnostics
• Human Factors
• Integrated Risk Management and Risk-Informed Decision-making
• Legislative dimensions of risk management
• Maintenance Modelling and Optimisation
• Monte Carlo Methods in System Safety and Reliability
• Occupational Safety
• Organizational Learning
• Reliability and Safety Data Collection and Analysis
• Risk and Evidence Based Policy Making
• Risk and Hazard Analysis
• Risk Control in Complex Environments
• Risk Perception and Communication
• Safety Culture
• Safety Management Systems
• Software Reliability
• Stakeholder and public involvement in risk governance
• Structural Reliability and Design Codes
• System Reliability Analysis
• Uncertainty and Sensitivity Analysis
• Nuclear Engineering
• Offshore Oil and Gas
• Policy Decisions
• Public Planning
• Security and Protection
• Surface Transportation (road and train)
• Waterborne Transportation
Reliability and safety data collection and analysis
ABSTRACT: Step-stress ALT is a widely used method for the life validation of products with high reliability. This paper presents a new step-stress ALT approach with the opposite sequence of stress levels to traditional step-stress, the so-called Step-Down-Stress (SDS). The testing efficiency of SDS ALT is compared with step-stress ALT by Monte-Carlo simulation and a contrastive experiment. This paper also presents a statistical analysis procedure for SDS ALT under the Weibull distribution. A practical ALT on bulbs is given at the end to illustrate the approach. SDS ALT may improve the testing efficiency of traditional step-stress ALT remarkably when applied to the life validation of products with high reliability. It needs less time to reach the same number of failures, and yields more failures in the same testing time, than traditional step-stress ALT with an identical testing plan. It also leads to a corresponding statistical analysis procedure, which is uniform and can easily be applied to different acceleration equations.
1 INTRODUCTION
subjected to a specified constant stress for a specified length of time; after that, they are subjected to a higher stress level for another specified time; the stress on the specimens is thus increased step by step [1∼8].
This paper presents a new step-stress ALT approach with the opposite sequence of stress levels to traditional step-stress, the so-called step-down-stress (SDS), starting from the assumption that the change in the order in which stress levels are applied will improve testing efficiency. The validity of SDS ALT is discussed through comparison with traditional step-stress ALT by Monte-Carlo simulation and a contrastive experiment, and it is concluded that SDS ALT takes less time to reach the same number of failures and yields more failures in the same time. A new s-analysis procedure is constructed for SDS ALT, which is applicable to different acceleration equations and may be programmed easily.
The rest of this paper is organized as follows: section 2 describes SDS ALT including basic assumptions, the definition, the s-analysis model, and Monte-Carlo simulation; section 3 presents an s-analysis procedure for SDS ALT; section 4 gives a practical example; section 5 concludes the paper.
$$\ln(\eta) = \sum_{j=0}^{n} a_j X_j \qquad (2)$$
2.2 Definition
SDS ALT is shown in Figure 1d. In SDS ALT, specimens are initially subjected to the highest stress level $S_k$ until $r_k$ failures occur; the stress is then stepped down to $S_{k-1}$ for $r_{k-1}$ failures, then stepped down again to $S_{k-2}$ for $r_{k-2}$ failures, and so on. The test is terminated at the lowest stress $S_1$ once $r_1$ failures have occurred. From this description, SDS ALT is symmetrical to traditional step-stress ALT, with the stress levels varying in the opposite direction. The following text will prove that the change in the order in which stress levels are applied will possibly improve the test efficiency remarkably.
Figure 3. CEM for SDS ALT.
Table 1. Monte-Carlo simulations for step-stress and SDS ALT.

No. | Model (η*)                               | Step-stress ALT: n, r* | SDS ALT: n, r*     | e
1   | Model 1: 2.4, [188 115 81 63]            | 50, [10 10 10 10]      | 50, [10 10 10 10]  | 1.318
2   |                                          | 50, [25 5 5 5]         | 50, [5 5 5 25]     | 1.338
3   |                                          | 60, [10 10 10 10]      | 60, [10 10 10 10]  | 1.399
4   | Model 2: 4.5, [58678 16748 5223 1759]    | 50, [10 10 10 10]      | 50, [10 10 10 10]  | 3.916
5   |                                          | 40, [10 10 10 10]      | 40, [10 10 10 10]  | 2.276
6   |                                          | 40, [20 5 5 5]         | 40, [5 5 5 20]     | 4.699
7   | Model 3: 3.8, [311 108 47 26]            | 40, [10 10 10 10]      | 40, [10 10 10 10]  | 1.696
8   |                                          | 40, [20 5 5 5]         | 40, [5 5 5 20]     | 2.902

* η = [η1, η2, η3, η4]; r = [r4, r3, r2, r1] for SDS ALT, r = [r1, r2, r3, r4] for step-stress ALT.
2.3 s-Analysis model
According to CEM [2], the remaining life of units under a step-stress pattern depends only on the current cumulative fraction failed and the current stress, regardless of how the fraction was accumulated.
As shown in Figure 2, if the stress levels in step-stress ALT are $S_1, S_2, \dots, S_k$, where the duration at $S_i$ is $t_i - t_{i-1}$ and the corresponding CDF is $F_i(t)$, the population CDF $F_0(t)$ of the specimens in step-stress ALT equals $F_1(t)$ at first and then steps to $F_2(t)$ at $t_1$. $F_0(t)$ steps up successively in that way until $S_k$.
As shown in Figure 3, if CEM is applied to SDS ALT, the population CDF $F_0(t)$ of the specimens in SDS ALT equals $F_k(t)$ at first and then steps to $F_{k-1}(t)$ at $t_k$. $F_0(t)$ steps successively in that way until $S_1$.
2.4 Monte-Carlo simulation
In order to discuss the efficiency of SDS ALT further, a contrastive analysis is performed through the Monte-Carlo simulation shown in Table 1.
Let the use stress be $S_0$, the $k$ accelerated stresses be $S_1, S_2, \dots, S_k$, and the scale parameters corresponding to $S_i$ be $\eta_0, \eta_1, \dots, \eta_k$ according to acceleration equation (2). In the Monte-Carlo simulation, the sample size of units is $n$, and the $k$ censored failure numbers corresponding to $S_i$ are $r_1, r_2, \dots, r_k$.
The Monte-Carlo simulations, see Table 1, are performed respectively on three commonly-used acceleration equations, which come from practical products. The result of the Monte-Carlo simulation is expressed as the efficiency index $e$, which is the average ratio of the total testing time in traditional step-stress ALT to that in SDS ALT. If $e > 1$, the efficiency of SDS ALT is higher than that of traditional step-stress ALT.
From Table 1, the following rules can be drawn:
a. The efficiency of SDS ALT in these cases is commonly higher than that of traditional step-stress ALT. The highest value, $e = 4.699$ in simulation No. 6, means that the total testing time for SDS ALT is only 21.28% of that of traditional step-stress ALT.
b. The longer the life of the specimen, the greater the advantage of SDS ALT; for example, $e$ for Model 2 is commonly higher than for the other two models, which means SDS ALT is better suited to long-life validation.
3 STATISTICAL ANALYSIS
3.1 Description of the problem
If the stress levels in SDS ALT are $S_k, S_{k-1}, \dots, S_1$ ($S_k > S_{k-1} > \cdots > S_1$), the specimen size is $n$ and the censored failure number is $r_i$ for $S_i$. The stress steps down to $S_{i-1}$ once $r_i$ failures occur at $S_i$. The times to failure in such an SDS ALT can be described as follows:
$$\begin{aligned} S_k &: t_{k,1}, t_{k,2}, \dots, t_{k,r_k} \\ S_{k-1} &: t_{k-1,1}, t_{k-1,2}, \dots, t_{k-1,r_{k-1}} \\ &\;\;\vdots \\ S_1 &: t_{1,1}, t_{1,2}, \dots, t_{1,r_1} \end{aligned} \qquad (3)$$
where $t_{i,j}$ means the $j$-th time to failure under $S_i$, timed from the beginning of $S_i$.
3.2 Estimation of distribution parameters
Failures in SDS ALT are the cumulative effect of several accelerated stresses, except at $S_k$, so a key problem in s-analysis for SDS ALT is how to convert testing time between stress levels to obtain population life information. Data in s-analysis for traditional step-stress ALT are converted mainly through acceleration equations [1∼4], and the solution to this problem becomes very complex accordingly and sometimes diverges.
If the CDF of the specimen is $F_i(t_i)$ at $t_i$ under $S_i$, then according to CEM, $t_j$ can be found at $S_j$ to satisfy
$$F_i(t_i) = F_j(t_j) \qquad (4)$$
which means that the cumulative degradation of life at $S_i$ equals that at $S_j$ in the given times respectively. So the acceleration factor can be defined as $K_{ij} = t_j / t_i$. For
See APPENDIX A for the proof of (5). Because $K_{i,i+1} = t_{i+1}/t_i = \eta_{i+1}/\eta_i$, the time to failure $t_{i+1}$ at $S_{i+1}$ can be converted into equivalent data under $S_i$ for the Weibull distribution
then the inverse moment estimates of the Weibull parameters under $S_i$ are obtained from
$$\sum_{j=1}^{n_i - 1} \ln\left[ u_{n_i}(\hat m_i, \hat\eta_i) / u_j(\hat m_i, \hat\eta_i) \right] = n_i - 1 \qquad (12)$$
$$\hat\eta_i = \left[ \left( \sum_{j=1}^{n_i} x_j^{\hat m_i}(\hat\eta_i) + (n - n_i)\, x_{n_i}^{\hat m_i}(\hat\eta_i) \right) \Big/ n_i \right]^{1/\hat m_i}$$
3.3 Estimation of acceleration equation
By the procedure above, the s-analysis for SDS ALT is transferred to the s-analysis for an equivalent constant-stress ALT, which can be described as follows:
Table 3. Distribution parameters under $S_i$.
APPENDIX
A Proof of (5)
The CDF under the Weibull distribution is
$$(t_i/\eta_i)^{m_i} = (K_{ij}\, t_i/\eta_j)^{m_j} \qquad (18)$$
which is an identical equation for arbitrary $t_i$. So
Figure A1. Numerical solution algorithm of (12) & (13).
If $n_i(m_i(l), \eta_i(l+1)) = n_i$,
$$m_i(l+1) = m_i(l) \qquad (23)$$
If $n_i(m_i(l), \eta_i(l+1)) > n_i$, then $m_i(l+1) < m_i(l)$, and try again by
$$m_i(l+1) = m_i(l) - \Delta m \qquad (24)$$
If $n_i(m_i(l), \eta_i(l+1)) < n_i$, then $m_i(l+1) > m_i(l)$, and try again by
$$m_i(l+1) = m_i(l) + \Delta m \qquad (25)$$
Figure A1 shows the algorithm above.
REFERENCES
[1] Nelson, W. 1990. Accelerated Testing: Statistical Models, Test Plans, and Data Analyses. New York: John Wiley & Sons: 18–22.
[2] Nelson, W. 1980. Accelerated Life Testing—Step-stress Models and Data Analysis. IEEE Trans. on Reliability R-29: 103–108.
[3] Tyoskin, O. & Krivolapov, S. 1996. Nonparametric Model for Step-Stress Accelerated Life Testing. IEEE Trans. on Reliability 45(2): 346–350.
[4] Tang, L. & Sun, Y. 1996. Analysis of Step-Stress Accelerated-Life-Test Data: A New Approach. IEEE Trans. on Reliability 45(1): 69–74.
[5] Miller, R. & Nelson, W. 1983. Optimum Simple Step-stress Plans for Accelerated Life Testing. IEEE Trans. on Reliability 32(1): 59–65.
[6] Bai, D., Kim, M. & Lee, S. 1989. Optimum Simple Step-stress Accelerated Life Tests with Censoring. IEEE Trans. on Reliability 38(5): 528–532.
[7] Khamis, I. & Higgins, J. 1996. Optimum 3-Step Step-Stress Tests. IEEE Trans. on Reliability 45(2): 341–345.
[8] Yeo, K. & Tang, L. 1999. Planning Step-Stress Life-Test with a Target Acceleration-Factor. IEEE Trans. on Reliability 48(1): 61–67.
[9] Zhang, C. & Chen, X. 2002. Analysis for Constant-stress Accelerated Life Testing Data under Weibull Life Distribution. Journal of National University of Defense Technology (Chinese) 24(2): 81–84.
ABSTRACT: The lognormal distribution is commonly used to model certain types of data that arise in several
fields of engineering as, for example, different types of lifetime data or coefficients of wear and friction.
However, a generalized form of the lognormal distribution can be used to provide better fits for many types of
experimental or observational data. In this paper, a Bayesian analysis of a generalized form of the lognormal
distribution is developed. Bayesian inference offers the possibility of taking expert opinions into account. This
makes this approach appealing in practical problems concerning many fields of knowledge, including reliability
of technical systems. The full Bayesian analysis includes a Gibbs sampling algorithm to obtain the samples from
the posterior distribution of the parameters of interest. Empirical proofs over a wide range of engineering data
sets have shown that the generalized lognormal distribution can outperform the lognormal one in this Bayesian
context.
Keywords: Bayesian analysis, Generalized normal distribution, Engineering data, Lognormal distribution,
Markov chain Monte Carlo methods.
in this case a noninformative prior distribution is used. The full Bayesian analysis includes a Gibbs sampling algorithm to obtain the samples from the posterior distribution of the parameters of interest. Then, the predictive distribution can be easily obtained. Empirical proofs over a wide range of engineering data sets have shown that the generalized lognormal distribution can outperform the lognormal one in this Bayesian context.
The outline of this work is as follows. In Section 2, the logGN distribution is described. Section 3 presents the Bayesian analysis with both noninformative and informative prior distributions. An example with friction data illustrates the application of the proposed approach in Section 4. Finally, Section 5 presents the main conclusions.
2 THE GENERALIZED LOGNORMAL MODEL
If a random variable $X$ has a logGN distribution, the random variable $Y = \log X$ is distributed as a GN. Therefore, the probability density function of a logGN distribution with parameters $\mu$, $\sigma$, and $s$ is given by:
$$f(x) = \frac{s}{2\,x\,\sigma\,\Gamma(1/s)} \exp\left\{-\left|\frac{\log x - \mu}{\sigma}\right|^{s}\right\},$$
with $x > 0$, $-\infty < \mu < +\infty$, $\sigma > 0$ and $s \ge 1$. Note that $\Gamma$ denotes the gamma function.
This distribution has the lognormal distribution as a particular case by taking $s = 2$ and changing $\sigma$ to $\sqrt{2}\,\sigma$. The log-Laplace distribution is recovered when $s = 1$. Figure ?? shows the probability density functions for some values of $s$ with $\mu = 0$ and $\sigma = 1$.
[Figure: probability density functions of the logGN distribution for s = 1.0, 1.5, 2.0 and 3.0 with μ = 0 and σ = 1; y-axis: Density]
The capacity of a distribution to provide an accurate fit to data depends on its shape. The shape can be defined by the third and fourth moments, which represent the asymmetry and flatness coefficients of a given distribution. The logGN distributions allow the modeling of kurtosis, providing, in general, a more flexible fit to experimental data than the lognormal distribution.
Random variates from the logGN distribution can be generated from random variates of the GN distribution via exponentiation. Since the GN distribution is a reparameterization of the EP distribution, the techniques for random generation of these distributions can be used for the GN distribution (see, for example, Devroye (1986), Johnson (1987) and Barabesi (1993)). Walker and Gutiérrez-Peña (1999) suggested a mixture representation for the EP distribution that is adapted here to be valid for the logGN distribution. The following result will be used in the next section to determine the full conditional distributions necessary to apply the Gibbs sampling method. The proof is immediate.
Proposition 1. Let $X$ and $U$ be two random variables such that $f(x|u) = \frac{1}{2x\sigma u^{1/s}}\, I[\exp(\mu - \sigma u^{1/s}) < x < \exp(\mu + \sigma u^{1/s})]$ and $f(u) = \mathrm{Gamma}(\text{shape} = 1 + 1/s, \text{scale} = 1)$; then $X \sim \log\mathrm{GN}(\mu, \sigma, s)$.
This result can also be used to generate random variates from a logGN($\mu$, $\sigma$, $s$). Generating from $U$ is standard, and generating from $X|U$ is obvious through the inverse transformation method. Then, the algorithm to generate random values is given by the following steps:
1. Generate $W \sim \mathrm{Gamma}(1 + 1/s, 1)$
2. Generate $V \sim \mathrm{Uniform}(-1, 1)$
3. Set $X = \exp\{\sigma W^{1/s} V + \mu\}$
The next section presents a Bayesian analysis for the logGN distribution.
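As an added illustration (not code from the paper), the following Python implements the logGN density of Section 2, the three-step sampler built on Proposition 1, the kurtosis of Y = log X as a function of s, and numerical checks of the stated special cases (s = 2 with σ replaced by √2 σ gives the lognormal; s = 1 gives the log-Laplace). All function names are this example's own.

```python
import math
import random

# Added example (not the paper's code): the logGN(mu, sigma, s) density of
# Section 2, the mixture sampler of Proposition 1, and checks of the special
# cases the text states. Function names are the example's own.


def loggn_pdf(x, mu, sigma, s):
    """f(x) = s / (2 x sigma Gamma(1/s)) * exp{-|(log x - mu)/sigma|^s}, x > 0."""
    if x <= 0.0:
        return 0.0
    z = abs((math.log(x) - mu) / sigma)
    return s / (2.0 * x * sigma * math.gamma(1.0 / s)) * math.exp(-(z ** s))


def lognormal_pdf(x, mu, sigma):
    """Ordinary lognormal density, used to check the s = 2 reduction."""
    if x <= 0.0:
        return 0.0
    z = (math.log(x) - mu) / sigma
    return math.exp(-0.5 * z * z) / (x * sigma * math.sqrt(2.0 * math.pi))


def loggn_cdf(x, mu, sigma, s, steps=20000):
    """P(X <= x) by Simpson's rule on Y = log X, whose GN density is
    s / (2 sigma Gamma(1/s)) * exp{-|(y - mu)/sigma|^s}. Integration starts
    at mu - 15 sigma, below which the mass is negligible for s >= 1."""
    if x <= 0.0:
        return 0.0
    lo, hi = mu - 15.0 * sigma, math.log(x)
    if hi <= lo:
        return 0.0
    const = s / (2.0 * sigma * math.gamma(1.0 / s))

    def gn(y):
        return const * math.exp(-(abs((y - mu) / sigma) ** s))

    h = (hi - lo) / steps
    total = gn(lo) + gn(hi)
    for i in range(1, steps):
        total += (4.0 if i % 2 else 2.0) * gn(lo + i * h)
    return total * h / 3.0


def loggn_sample(mu, sigma, s, rng):
    """One draw by the paper's algorithm: W ~ Gamma(1 + 1/s, 1),
    V ~ Uniform(-1, 1), X = exp{sigma W^(1/s) V + mu}."""
    w = rng.gammavariate(1.0 + 1.0 / s, 1.0)
    v = rng.uniform(-1.0, 1.0)
    return math.exp(sigma * (w ** (1.0 / s)) * v + mu)


def gn_kurtosis(s):
    """Kurtosis of Y = log X: Gamma(5/s) Gamma(1/s) / Gamma(3/s)^2.
    It depends on s alone, which is how s controls the flatness of the fit
    (3 for s = 2, the normal case; 6 for s = 1, the Laplace case)."""
    g = math.gamma
    return g(5.0 / s) * g(1.0 / s) / g(3.0 / s) ** 2


def sampler_check(mu, sigma, s, n=20000, seed=1):
    """Draw n variates and return (mean of log X, empirical P(X <= x0),
    numerical P(X <= x0)) for x0 = exp(mu + sigma). The mixture sampler is
    correct if the first is close to mu and the last two agree."""
    rng = random.Random(seed)
    draws = [loggn_sample(mu, sigma, s, rng) for _ in range(n)]
    x0 = math.exp(mu + sigma)
    mean_log = sum(math.log(d) for d in draws) / n
    empirical = sum(1 for d in draws if d <= x0) / n
    return mean_log, empirical, loggn_cdf(x0, mu, sigma, s)


if __name__ == "__main__":
    print("kurtosis s=2:", gn_kurtosis(2.0), " s=1:", gn_kurtosis(1.0))
    print("sampler check s=1.5:", sampler_check(0.0, 1.0, 1.5))
```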
3 BAYESIAN ANALYSIS
information for $\theta$ (see, e.g., Box and Tiao (1973) or Gelman et al. (2004)). This prior distribution is noninformative in the sense that it maximizes the entropy. In order to obtain the expressions for the noninformative prior distributions of the parameters, the calculation of the Fisher information matrix is required. The Fisher information matrix for the logGN distribution is given by:
$$I(\mu,\sigma,s) = \begin{pmatrix} \dfrac{(s-1)\,s\,\Gamma(1-1/s)}{\sigma^{2}\,\Gamma(1/s)} & 0 & 0 \\[2mm] 0 & \dfrac{s^{1+2/s}}{\sigma^{2}} & -\dfrac{A}{\sigma\, s^{1-1/s}} \\[2mm] 0 & -\dfrac{A}{\sigma\, s^{1-1/s}} & \dfrac{(1+1/s)\,\psi'(1+1/s) + A^{2} - 1}{s^{3}} \end{pmatrix},$$
where $\psi$ is the digamma function and $A = \log(s) + \psi(1 + 1/s)$.
Noninformative prior distributions are derived for
$$\pi(\mu) \propto 1, \qquad \pi(\sigma) \propto \frac{1}{\sigma}, \qquad \pi(s) \propto \frac{(1+1/s)\,\psi'(1+1/s) + A^{2} - 1}{s^{3}},$$
with $-\infty < \mu < +\infty$, $\sigma > 0$ and $s \ge 1$.
Since the expression for $\pi(s)$ is very involved, a simple and similar distribution is used, i.e., $\pi(s) \propto 1/s$, see Figure ??.
[Figure referenced above: plot against s; only axis ticks survived extraction]
A Markov Chain Monte Carlo (MCMC) method is applied to generate samples from the posterior distribution. Specifically, a Gibbs sampling algorithm is derived. The mixture representation given in Proposition 1 is used here to obtain the likelihood. Then, the likelihood of a sample $x = (x_1, x_2, \dots, x_n)$, given the vector of mixing parameters $u = (u_1, u_2, \dots, u_n)$, is:
$$L(\mu,\sigma,s,u|x) = \frac{1}{(2\sigma)^{n}} \prod_{i=1}^{n} \frac{1}{x_i\, u_i^{1/s}}\; I\left[e^{\mu - \sigma u_i^{1/s}} < x_i < e^{\mu + \sigma u_i^{1/s}}\right].$$
Therefore, the posterior distribution is given by:
$$f(\mu,\sigma,s,u|x) \propto \frac{s^{n-1}}{\sigma^{n+1}\,\Gamma^{n}(1/s)} \prod_{i=1}^{n} \frac{e^{-u_i}}{x_i}\; I\left[e^{\mu - \sigma u_i^{1/s}} < x_i < e^{\mu + \sigma u_i^{1/s}}\right].$$
The full conditional distributions are derived:
$$f(\mu|\sigma,s,u,x) \propto 1, \qquad \max_i\{\log(x_i) - \sigma u_i^{1/s}\} < \mu < \min_i\{\log(x_i) + \sigma u_i^{1/s}\} \qquad (1)$$
$$f(\sigma|\mu,s,u,x) \propto \frac{1}{\sigma^{n+1}}, \qquad \sigma > \max_i \frac{|\mu - \log(x_i)|}{u_i^{1/s}} \qquad (2)$$
$$f(s|\mu,\sigma,u,x) \propto \frac{s^{n-1}}{\Gamma^{n}(1/s)}, \qquad \max_{i \in S^{-}}\{1, a_i\} < s < \min_{i \in S^{+}} a_i \qquad (3)$$
$$f(u_i|\mu,\sigma,s,x) \propto e^{-u_i}, \qquad u_i > \left(\frac{|\log(x_i) - \mu|}{\sigma}\right)^{s}, \quad i = 1, 2, \dots, n, \qquad (4)$$
$$a_i = \frac{\log(u_i)}{\log(|\mu - \log(x_i)|/\sigma)}, \quad i = 1, 2, \dots, n.$$
given in (??) is non-standard, but it can also be easily generated by using the rejection method (see, e.g., Devroye (1986)).
Iterative generations from the above conditional distributions produce a posterior sample of $(\mu, \sigma, s)$.
3.2 Informative case
In many situations, the data analyst is interested in including relevant initial information in the inference process. The choice of the prior distribution must be carefully determined to allow the inclusion of this information. Since the prior distribution choice depends on the problem in hand, there are multiple references related to this topic in the literature (see, e.g., DeGroot (1970), Berger (1985), Ibrahim et al. (2001), and Akman and Huwang (2001)). Kadane and Wolfson (1998) present an interesting review on elicitation of expert opinion. O'Hagan (1998) considers the elicitation of engineers' prior beliefs. Gutiérrez-Pulido et al. (2005) present a comprehensive methodology to specify prior distributions for commonly used models in reliability.
The following prior distributions have been proposed because they can accommodate many possible shapes for the kind of parameters involved in the logGN distribution. Besides, they allow efficient posterior calculations and recover the noninformative distribution for each parameter. The proposed prior distributions are given by:
$$\pi(\mu) \propto p(\mu), \qquad -\infty < \mu < +\infty, \qquad (5)$$
$$\pi(\sigma) \propto \sigma^{-(a_0+1)} e^{-b_0/\sigma}, \qquad \sigma > 0, \qquad (6)$$
$$\pi(s) \propto s^{-(c_0+1)} e^{-d_0/s}, \qquad s \ge 1. \qquad (7)$$
The full conditional distributions are:
$$f(\mu|\sigma,s,u,x) \propto p(\mu), \qquad \max_i\{\log(x_i) - \sigma u_i^{1/s}\} < \mu < \min_i\{\log(x_i) + \sigma u_i^{1/s}\} \qquad (8)$$
$$f(\sigma|\mu,s,u,x) \propto \sigma^{-(a_0+n+1)} e^{-b_0/\sigma}, \qquad \sigma > \max_i \frac{|\mu - \log(x_i)|}{u_i^{1/s}} \qquad (9)$$
$$f(s|\mu,\sigma,u,x) \propto \frac{s^{n-c_0-1} e^{-d_0/s}}{\Gamma^{n}(1/s)}, \qquad \max_{i \in S^{-}}\{1, a_i\} < s < \min_{i \in S^{+}} a_i \qquad (10)$$
$$f(u_i|\mu,\sigma,s,x) \propto e^{-u_i}, \qquad u_i > \left(\frac{|\log(x_i) - \mu|}{\sigma}\right)^{s}, \quad i = 1, 2, \dots, n, \qquad (11)$$
where $S^{-}$, $S^{+}$ and $a_i$, $i = 1, 2, \dots, n$, are defined as in the previous subsection.
In this case, generating from these truncated densities is also easy to perform. Generating from (??) depends on the chosen density. Note that the density given in (??) is a left-truncated inverse-gamma. Random variates from this distribution are obtained by taking the reciprocal of variates from a truncated gamma distribution. The density for the conditional distribution given in (??) is again non-standard. Similarly to the noninformative case, a rejection method is implemented. Finally, note that (??) is the same as (??).
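As an added example, not the authors' code, the following Python runs a Gibbs sampler over the noninformative full conditionals (1)–(4) of subsection 3.1 on a constructed sample of 15 friction-like values (the informative case (8)–(11) would change only the target densities, not the bounds). Two choices are this example's own assumptions: the s-step uses a grid-based draw in place of the paper's rejection method, and s is capped at S_MAX = 20 when no observation bounds it from above, since (3) then decays only like 1/s and is otherwise improper.

```python
import math
import random

# Added example (not the authors' code): Gibbs sampling from the noninformative
# posterior of subsection 3.1 via conditionals (1)-(4). DATA is a constructed
# sample of friction-like coefficients; S_MAX and GRID are assumptions.
DATA = [0.93, 0.95, 0.96, 0.94, 0.97, 0.95, 0.92, 0.96, 0.95, 0.98,
        0.94, 0.95, 0.96, 0.93, 0.97]
S_MAX = 20.0   # cap on s: without an upper bound, (3) behaves like 1/s and is improper
GRID = 400     # resolution of the grid-based draw for s


def s_bounds(logx, mu, sigma, u):
    """Interval of s allowed by the indicators: (|log x_i - mu|/sigma)^s < u_i
    for every i. Observations with |log x_i - mu| > sigma bound s from above,
    those with |log x_i - mu| < sigma from below; this is the role the a_i
    bounds play in (3)."""
    lo, hi = 1.0, S_MAX
    for lx, ui in zip(logx, u):
        c = abs(lx - mu) / sigma
        if c <= 0.0 or c == 1.0:
            continue                      # no constraint on s from this i
        bound = math.log(ui) / math.log(c)
        if c > 1.0:
            hi = min(hi, bound)           # c^s < u_i  <=>  s < log u_i / log c
        else:
            lo = max(lo, bound)           # log c < 0 reverses the inequality
    return lo, hi


def sample_s(logx, mu, sigma, s, u, rng):
    """Grid-based draw from (3): tabulate s^(n-1)/Gamma(1/s)^n on a grid over
    the feasible interval, pick a cell by its weight, jitter inside it.
    (Stands in for the paper's rejection method; an assumption of this example.)"""
    n = len(logx)
    lo, hi = s_bounds(logx, mu, sigma, u)
    if hi <= lo:
        return s                          # rounding made the interval empty
    step = (hi - lo) / GRID
    pts = [lo + (k + 0.5) * step for k in range(GRID)]
    logw = [(n - 1) * math.log(t) - n * math.lgamma(1.0 / t) for t in pts]
    top = max(logw)
    w = [math.exp(v - top) for v in logw]
    target = rng.random() * sum(w)
    acc = 0.0
    for t, wt in zip(pts, w):
        acc += wt
        if acc >= target:
            return rng.uniform(t - 0.5 * step, t + 0.5 * step)
    return pts[-1]


def gibbs_sweep(x, mu, sigma, s, rng):
    """One pass through (4), (1), (2), (3); returns (mu, sigma, s, u)."""
    logx = [math.log(v) for v in x]
    n = len(x)
    # (4): e^{-u} on u > (|log x_i - mu|/sigma)^s is a shifted Exp(1)
    u = [(abs(lx - mu) / sigma) ** s + rng.expovariate(1.0) for lx in logx]
    # (1): mu is uniform on the intersection of the indicator intervals
    lo = max(lx - sigma * ui ** (1.0 / s) for lx, ui in zip(logx, u))
    hi = min(lx + sigma * ui ** (1.0 / s) for lx, ui in zip(logx, u))
    mu = rng.uniform(lo, hi)
    # (2): sigma^{-(n+1)} on sigma > sigma_min has CDF 1 - (sigma_min/sigma)^n,
    # so the inverse transform is sigma = sigma_min * U^{-1/n}
    sigma_min = max(abs(mu - lx) / ui ** (1.0 / s) for lx, ui in zip(logx, u))
    sigma = sigma_min * (1.0 - rng.random()) ** (-1.0 / n)
    # (3): s on its feasible interval
    s = sample_s(logx, mu, sigma, s, u, rng)
    return mu, sigma, s, u


def feasible(x, mu, sigma, s, u):
    """True when every indicator in the likelihood is satisfied."""
    return sigma > 0.0 and s >= 1.0 and all(
        (abs(math.log(v) - mu) / sigma) ** s <= ui + 1e-12 for v, ui in zip(x, u))


def run_gibbs(x, sweeps=400, burn=100, seed=7):
    """Returns ((mean mu, mean sigma, mean s) after burn-in, final state)."""
    rng = random.Random(seed)
    logx = [math.log(v) for v in x]
    mu = sum(logx) / len(logx)                        # start at the mean of log x
    sigma = max(abs(lx - mu) for lx in logx) + 1e-9   # any sigma > 0 is a valid start
    s = 2.0                                           # start at the lognormal case
    draws = []
    for it in range(sweeps):
        mu, sigma, s, u = gibbs_sweep(x, mu, sigma, s, rng)
        if it >= burn:
            draws.append((mu, sigma, s))
    means = tuple(sum(d[k] for d in draws) / len(draws) for k in range(3))
    return means, (mu, sigma, s, u)


if __name__ == "__main__":
    (m_mu, m_sigma, m_s), _ = run_gibbs(DATA)
    print("posterior means: mu=%.4f sigma=%.4f s=%.3f" % (m_mu, m_sigma, m_s))
```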
to make inferences. This corresponds to the informative case. Then, the historical information and the prior information provided by the engineer are embedded in the posterior distribution.
The following step is to choose the hyperparameter values for the prior distributions of the parameters of interest $\mu$, $\sigma$, and $s$. There are many ways to elicit these values. One possibility is to specify the values according to previous direct knowledge of the parameters (see, e.g., Berger (1985) and Akman and Huwang (2001)). Another one consists in using partial information elicited from the expert. In this case, there are many criteria to obtain the hyperparameter values, for example maximum entropy and maximum posterior risk (see Savchuk and Martz (1994)). A third possibility, considered here, is to use expert information on the expected data and not on the parameters. This is easier for engineers who are not familiar with the parameters but have an approximate knowledge of the process. Finally, it is remarkable that noninformative prior distributions can be used for any of the parameters and informative prior distributions for the remaining ones.
In this application, the hyperparameters are obtained by using a method similar to the one presented by Gutiérrez-Pulido et al. (2005). In this case the expert is asked to provide occurrence intervals for some usual quantities such as the mode, median and third quartile. The expert considered that these quantities should be in the following intervals: $[L_{Mo}, U_{Mo}] = [0.935, 0.955]$, $[L_{Me}, U_{Me}] = [0.95, 0.96]$, and $[L_{Q3}, U_{Q3}] = [0.97, 0.985]$. By using the informative prior distributions presented in subsection 3.2, with $\mu \sim N(\mu_0, \sigma_0)$, and following the development in Gutiérrez-Pulido et al. (2005), the hyperparameters obtained are $\mu_0 = -0.0460$, $\sigma_0 = 0.0017$, $a_0 = 80.8737$, $b_0 = 4.0744$, $c_0 = 60.2888$, and $d_0 = 220.4130$.
After it has been considered that chain convergence has been achieved, a sample of size 10,000 for the parameters of the posterior distribution is generated. The 95% Highest Density Regions (HDR) for $\mu$, $\sigma$, and $s$ are $(-0.0490, -0.0422)$, $(0.0595, 0.0855)$, and $(2.2468, 3.3496)$, respectively (see Figure ??). Note that the HDR for $s$ does not contain the value $s = 2$, which recovers lognormality.
In order to make a performance comparison, a similar procedure is implemented to obtain the hyperparameters in the lognormal case. Then, a posterior sample is generated by using the lognormal distribution instead of the logGN distribution. Here the 95% HDR for $\mu$ and $\sigma$ are $(-0.0494, -0.0427)$ and $(0.0923, 0.1416)$. The posterior predictive distri-
$$\bar U_0 = \frac{1}{n} \sum_{i=1}^{n} \log(p_0(x_i)), \qquad \bar U_1 = \frac{1}{n} \sum_{i=1}^{n} \log(p_1(x_i)),$$
[Figure 3 (axes: s, Posterior density)]
Figure 3. 95% HDR for $\mu$, $\sigma$, and $s$.
[Figure 4 (axes: Data, Density)]
Figure 4. Posterior predictive distributions for friction data. Solid line: logGN, and dashed line: lognormal.
where p_0 and p_1 are the posterior predictive distributions of the lognormal and logGN models, respectively. The estimated values are Ū_0 = 1.4118 and Ū_1 = 1.4373, so the logGN model performs better than the lognormal one. The same happens for the noninformative model (Ū_0 = 1.5533 and Ū_1 = 1.5881).

5 CONCLUSION

The generalized form of the lognormal distribution, presented and analyzed from a Bayesian viewpoint, offers the possibility of taking expert opinions into account. The proposed approach represents a viable alternative to analyze data that are supposed to follow a lognormal distribution and provides flexible fits to many types of experimental or observational data. The technical development is based on a mixture representation that allows to perform inferences via Gibbs sampling. It is remarkable that the logGN family provides very flexible distributions that can empirically fit many types of experimental or observational data obtained from engineering studies.

ACKNOWLEDGEMENTS

This research has been partially supported by Ministerio de Educación y Ciencia, Spain (Project TSI2007-66706-C04-02).
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
T. Leopold
TTI GmbH an der Universität Stuttgart, Germany
B. Bertsche
Institute of Machine Components, Universität Stuttgart, Germany
ABSTRACT: One of the biggest challenges in quantitative reliability analyses is a complete and significant data basis which describes the complete product lifetime. Today, this data basis is not available with regard to the information demanded and needed. Especially the circumstances that lead to a failure during field usage, e.g. operational and ambient information before and during failure occurrence, are of the highest importance. In the development phase of products much more detailed data is collected and documented than during general customer field usage. Today, one of the most important data bases for describing the real field behavior is warranty and goodwill data. For an optimal correlation between failures that occur during testing and during field usage, these data are not sufficient. In order to improve this situation, an approach was developed with which the collection of reliability-relevant data during customer usage is enabled over the whole product lifetime of vehicles. The basis of this reliability-oriented data collection is the consideration of CAN signals already available in modern vehicles.
networks in vehicles, a short description of the fundamentals of the CAN-technology is given first.

[Figure: enhancement of an existing control unit; resolution of the data elements; number of the data elements; low effort of implementation; connection via diagnostics interface.]

2.1 Configuration of a CAN-bus
Figure 3. Software structure for data processing in the vehicle. [Main tasks: monitor CAN-bus; translate identifier to identify necessary messages; decide on recording (right event, timeframe); classing (counter, time, mileage, …); data management; file management for data transfer.]

to the company. The structure of the software with its main tasks, which executes the data processing in the vehicle, is shown in Figure 3.

Taking the potential for data reduction into account, a data volume of only a few hundred kilobytes per month is possible. That means an enormous reduction of the data volume compared to many hundreds of megabytes per day when recording the whole CAN communication. As mentioned, a further reduction can be achieved by using data compression algorithms.

2.3.1 Data management

The data collection has to regard different time scales. That offers the possibility to distinguish between average values over the whole product lifetime as well as single months, days or trips. The higher the time scale, the more general the conclusions that can be derived from it. Lower time scales are especially interesting for analyzing the circumstances shortly before or during failure occurrence. For example, failures as a result of misuse can be distinguished from failures because of fatigue. In addition to the more or less general differentiation of failure causes, the classed data of a few data elements can be used for more detailed analyses.

Therefore, the classing has to be executed for different time scales. To enable different files with different durations of classing, a data management system is needed that works simultaneously with the data classing. The resulting files contain classed data with different time scales.

Another task of the data management is to name the files according to a determined syntax. The file names include the serial number of the ECU, a shortcut for the time scale, the kind of data and the date. This consistent naming enables the determination of a prioritized data transfer to the company, which is done by the file management.

2.3.2 File management

Taking into account that the data transfer to the company is realized by radio networks, see Leopold (2007), and therefore a data transfer is not always possible for broadcasting all existing files, a useful sequence of the data transfer has to be managed. The priority rises with increasing age of the files and increasing time scale of the contained classed data. The reason for rising priority with increasing age of the files is that the history of the ambient and operational conditions is then available in the company without interruption. To get an overview of the field behavior, the files containing long time scales are of higher priority than the files containing low time scales. The information with low time scales is used for detailed analyses in a second step, after analyzing the data with long time scales.

The history of the broadcast files and their status of successful transfer are stored in a log file, see Figure 4. The exemplary files of Figure 4 describe the classed data of ABS Activity (Anti-lock braking system) of the vehicle with the VIN (Vehicle Identification Number) ADB9340…. In detail, the entry 1 2 1 means 1 ABS activity in class 1, 2 ABS activities in class 2 and 1 ABS activity in class 3. This kind of saving the classed data in data fields requires only very little storage space. The log file includes examples of files containing trip (t1), day (d) and month (m) data. The status 110 of the file containing the classed data of one month describes the completeness of the file, the execution of the transfer and whether the file has been deleted on the data classing device or not. By using the serial number of the ECU within the file name and transferring the VIN as a part of the non-recurring data, an easy allocation of files to vehicles is possible.

Figure 4. Priority of file transfer within file management. [Log file with entries per time scale (data of month, data of trip, …), classed data fields such as ABS Active #121, #201, …; non-recurring data: kind of vehicle: Truck, Vehicle Identification No. WDB9340…; priority of file transfer rising with age.]

2.4 Transfer of the data to the company

There are different technologies available which appear to be suitable for broadcasting the data from the vehicle to the company.

One possible realization is the usage of wireless connections within the data collecting devices, e.g., Bluetooth or WLAN (Wireless Local Area Network). In the first step, the transfer of the data between vehicles and outstations is realized with these short range technologies. In the second step, the data of the outstations have to be transferred to the company, e.g., via radio networks like GSM (Global System for Mobile Communications), GPRS (General Packet Radio Service) or UMTS (Universal Mobile Telecommunications System).

Another possibility is the direct transfer of the data from the vehicle to the company via radio networks. This kind of data transfer is already used successfully for the assistance of fleet management of truckage companies.

Depending on the number of vehicles which are equipped with a data collection device, the amount of data and the available storage capacity in the vehicle, one of the two possible realizations for broadcasting the data has to be selected.

3 ECONOMIC CONSIDERATION

The total costs of the data collection system include costs for the development of the required hard- and software as well as additional unit costs and recurring costs for the data transfer from the vehicle to the company.

The fixed costs for the development of the two concepts investigated in detail, the direct data transfer via radio networks and the indirect data transfer via outstations, are nearly the same. In both cases, an existing ECU has to be enhanced with sufficient storage capacity, interfaces and the software which manages the data processing in the vehicle. The unit costs for the broadcasting modules differ only slightly. The initial investment of the concept with the indirect data transfer is higher because of the costs for the outstations.

The main economic difference between the two concepts is the recurring costs for broadcasting the data. With a rising number of vehicles which directly transfer the data from the vehicle to the company, the broadcasting costs also increase. In contrast to the broadcasting costs of the direct data transfer, the costs for the indirect data transfer do not rise with a higher number of equipped vehicles. The reason is that cost-causing data transfers via radio network arise only between outstations and the company. The number of outstations is nearly constant, because the single outstations just have to broadcast a larger data volume.

The principal trend of the total costs for both concepts can be seen in Figure 5. It has to be mentioned that the graphical visualization of the costs is a first estimation. The very important conclusion is that a field data collection with many vehicles causes fewer costs when the data transfer is realized with the indirect concept.

Figure 5. Cumulative costs of data collection. [Axes: number of vehicles N; costs K_i.]

4 DATA PROTECTION

A comprehensive examination of the data collection based on the messages of the CAN-bus demands an assessment of legal aspects. Therefore, the question has to be answered whether issues of the law, which
Figure 9. Real curve of vehicle speed of a distribution vehicle. [Histogram: fraction of total operating time [%] (0–35) per vehicle speed class [km/h]: <0, 0, 0-9, 9-18, 18-27, 27-36, 36-45, 45-54, 54-63, 63-72, 72-81, 81-90, >90.]

Figure 10. Difference of high and low time scales for brake pedal position. [Surface plot: relative difference [%] (0–1800) over brake pedal position [%] classes and duration [sec] classes.]

one day (low time scale). The brake pedal position describes the braking activity. The differences of the results of the classed data are shown in Figure 10.

The differences are clearly recognizable, partly up to a factor of 16, which can be seen as evidence for regarding unequal time scales. The differences can get considerably higher if the differences of the loading of the vehicles increase between different days.

6 SUMMARY

Field data of products over the whole product lifetime is an essential precondition for quantitative reliability analyses. That enables the possibility to derive analyses and forecasts of the real behavior of the products in field usage.

The shown approach of using the existing information that is already available in modern vehicles is an appropriate solution for a collection of field data for reliability analyses. Data about failed and non-failed parts are available as well as information about operational and ambient conditions over the whole lifetime of vehicles.

The most important steps of the data processing in the vehicle lead to a significant reduction of the huge amount of data and enable a reasonable data transfer between vehicle and company. Different time scales have to be considered, as is realized by the data management and shown by an example. The order of transferring the data files to the company is executed by the file management according to a defined logic of prioritization.

A short economic consideration shows the principal trend of the total costs for two concepts. The concept of indirect data transfer via outstations is more economic.

Therefore, a collection and analysis of reliability data over the whole product lifetime of vehicles is possible and has to be realized in forward-looking companies.

REFERENCES

Bertsche, B.: Reliability in Automotive and Mechanical Engineering. Berlin, Springer, 2008.
DIN 45667: Data Classing (in German). 1969.
Felbinger, L.; Schaal, H.: Trucks under Control (in German). Elektronik Automotive 05/2005.
ISO/DIS 14220-1: Road Vehicles – Unified Diagnostics Services (UDS) – Part 1: Specification and Requirements. Draft standard, 2005.
Leopold, T.; Pickard, K.; Bertsche, B.: Development of a Data Collection of Vehicle Bus Signals for Reliability Analyses. Proc. ESREL 2007, 25th–27th June 2007, Stavanger, Norway.
SAE J1939/71: Vehicle Application Layer. 2006.
VDA (ed.): Reliability Assurance in Automobile Industry and Suppliers (in German). Vol. 3 Part 2, VDA, Frankfurt, 2000.
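The data classing, file naming and prioritized file transfer of sections 2.3.1 and 2.3.2 above, as an added Python example that is not code from the paper or the described system. The file-name syntax, the class bounds, the order of the three status digits and the priority weighting (longer time scale first, then older files) are assumptions made for illustration; the paper only states that age and time scale both raise the priority.

```python
"""Added example, not the paper's own code: data classing per time scale,
file naming and prioritised transfer as described in sections 2.3.1 and
2.3.2. File-name syntax, class bounds, the order of the three status digits
and the priority weighting are assumptions chosen for illustration."""
from datetime import date
from typing import Dict, List, Sequence, Tuple

# Time-scale shortcuts used in the paper's log-file example: trip, day, month.
SCALE_RANK = {"t": 0, "d": 1, "m": 2}


def class_counts(values: Sequence[float], bounds: Sequence[float]) -> List[int]:
    """Classing: count values per class, class k covering bounds[k] <= v < bounds[k+1]
    (the last class is open-ended; values below bounds[0] are dropped). The result
    is the compact field stored in the file, e.g. [1, 2, 1] for the page's '1 2 1'."""
    counts = [0] * len(bounds)
    for v in values:
        if v < bounds[0]:
            continue
        k = 0
        while k + 1 < len(bounds) and v >= bounds[k + 1]:
            k += 1
        counts[k] += 1
    return counts


def _parse_ymd(ymd: str) -> date:
    return date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:8]))


def file_name(ecu_serial: str, scale: str, kind: str, ymd: str) -> str:
    """Assumed syntax: <ECU serial>_<scale>_<kind>_<YYYYMMDD>."""
    if scale not in SCALE_RANK:
        raise ValueError(f"unknown time scale {scale!r}")
    _parse_ymd(ymd)  # rejects a malformed date part
    return f"{ecu_serial}_{scale}_{kind}_{ymd}"


def parse_file_name(name: str) -> Tuple[str, str, str, date]:
    ecu, scale, kind, ymd = name.split("_")
    if scale not in SCALE_RANK:
        raise ValueError(f"unknown time scale in {name!r}")
    return ecu, scale, kind, _parse_ymd(ymd)


def status_flags(complete: bool, transferred: bool, deleted: bool) -> str:
    """Three digits in the order the paper lists them: completeness, transfer
    executed, deleted on the classing device; '110' is the page's example."""
    return "".join("1" if b else "0" for b in (complete, transferred, deleted))


def transfer_priority(name: str, today: str) -> Tuple[int, int]:
    """Higher tuple = broadcast earlier: longer time scale first, then the older
    file (assumed weighting)."""
    _, scale, _, day = parse_file_name(name)
    return SCALE_RANK[scale], (_parse_ymd(today) - day).days


def transfer_order(log: Dict[str, str], today: str) -> List[str]:
    """Files whose transfer digit is still 0, in the order the file management
    should broadcast them."""
    pending = [name for name, status in log.items() if status[1] == "0"]
    return sorted(pending, key=lambda n: transfer_priority(n, today), reverse=True)


def build_demo_log() -> Dict[str, str]:
    """Constructed log for the made-up ECU serial 'ECU4711'."""
    names = [
        file_name("ECU4711", "m", "ABS", "20080801"),
        file_name("ECU4711", "m", "ABS", "20080901"),
        file_name("ECU4711", "d", "ABS", "20080910"),
        file_name("ECU4711", "t", "ABS", "20080920"),
    ]
    log = {n: status_flags(True, False, False) for n in names}
    log[names[0]] = status_flags(True, True, False)  # '110': already broadcast
    return log
```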
M.C. Segovia
Facultad de Ciencias, University of Granada, Spain
C. Guedes Soares
CENTEC, Instituto Superior Técnico, Technical University of Lisbon, Portugal
ABSTRACT: The parametric estimation is performed for two models based on the Weibull distribution: the mixture of Weibull distributions and the additive Weibull model. The estimation is carried out by a method which uses the Kolmogorov-Smirnov distance as the objective. Phase-type distributions are introduced and a comparison is made between the fitted Weibull models and the phase-type fit to various sets of life data.
Phase-type distributions can be an alternative way of describing failure rates. The purpose of this paper is to compare the fit of complex data by phase-type distributions with the more traditional approximations of mixture of Weibulls or composite Weibulls.

To have control of the properties of the data used in the analysis, simulated data was adopted. Various data sets were generated with different levels of mixture of different basic Weibull distributions. The simulated data are fitted with different methods allowing conclusions about their relative usefulness.

The fit of a phase-type distribution to the set of failure time data is carried out with the EMpht software, based on the EM algorithm. This is an iterative method to find the maximum likelihood estimation, see Asmussen (1996).

In order to compare the proposed methods the Kolmogorov-Smirnov test is used.

The paper is organized as follows; in section 2 the mixture of Weibull distributions and the additive model are introduced. In section 3, phase-type distributions are defined and in section 4 the minimax algorithm for the parametric estimation is described. For the proposed models, in section 5, several numerical applications are shown.

2 THE MIXED AND THE ADDITIVE WEIBULL MODEL

Because the Weibull distribution is used to study the ageing and the operational and burn-in time of a device, two models, based on this distribution, are studied. These models can represent the failure time data in a better way.

The two parameter Weibull distribution function is given by,

$$F(t) = 1 - \exp\left(-(t/\lambda)^{\beta}\right), \quad t \ge 0, \qquad (1)$$

where λ is the scale parameter and β is the shape parameter. The failure rate function has the following form

$$r(t) = (\beta/\lambda)(t/\lambda)^{\beta-1} \qquad (2)$$

2.1 The mixture of Weibull distributions

In general, the mixture of Weibull distributions (1) can be defined as a weighted sum of these distributions:

$$F(t) = \sum_{i=1}^{n} p_i \left[1 - \exp\left(-\left(\frac{t}{\lambda_i}\right)^{\beta_i}\right)\right], \qquad (3)$$

where β_i and λ_i are, respectively, the shape and scale parameters of the component distributions; p_i represents the weight of every component in the mixture and Σ_{i=1}^{n} p_i = 1.

The particular cases where n = 2 and n = 3 are considered, because with a greater number of components the estimation of the parameters is much more difficult with the minimax algorithm.

2.2 The additive model

The additive model can be interpreted as the lifetime of a system which consists of several independent Weibull components that are arranged in series. If T is the lifetime of the system, then,

$$T = \min(T_1, T_2, \dots, T_n) \qquad (4)$$

where T_i denotes the lifetime of the component i, which is a Weibull with parameters λ_i, β_i.

Xie and Lai (1995) presented the additive model that combines two Weibull distributions (1), one of them with decreasing failure rate and the other with increasing failure rate. The combined effect represents a bathtub-shaped failure rate.

The distribution function of this model is given by,

$$F(t) = 1 - \exp\left(-\left(\frac{t}{\lambda_1}\right)^{\beta_1} - \left(\frac{t}{\lambda_2}\right)^{\beta_2}\right), \qquad (5)$$

where β_i and λ_i are the shape and scale parameters, respectively, of the Weibull distributions.

The additive model that combines three Weibull distributions can be represented by adding a third term to the exponential function in eqn (5).

3 PHASE-TYPE DISTRIBUTIONS

One of the main purposes of this paper is to compare the fit obtained for the mixed and additive Weibull models by the minimax algorithm with the phase-type distribution fit.

The phase-type distributions considered in this paper are defined in the continuous case.

The continuous distribution F(·) on [0, ∞] is a phase-type distribution (PH-distribution) with representation (α, T), if it is the distribution of the time until absorption in a Markov process on the states {1, ..., m, m + 1} with generator

$$Q = \begin{pmatrix} T & T^0 \\ 0 & 0 \end{pmat 
rix}, \qquad (6)$$

and initial probability vector (α, α_{m+1}), where α is a row m-vector. The states {1, ..., m} are all transient. The matrix T of order m is non-singular with negative diagonal entries and non-negative off-diagonal entries and satisfies −Te = T^0 ≥ 0. The distribution F(·) is given by

of failure.

$$\min \max_{i=1,2,\dots,n} \left| F_e(T_i) - F_0(T_i) \right|, \qquad (9)$$
As is known, this kind of distributions can be fitted to any dataset.

To find the PH-representation of this distribution the EMPht software is used. This representation is given by,

γ = (0 0 0 1),

$$L = \begin{pmatrix} -0.003184 & 0 & 0 & 0 \\ 0 & -0.005175 & 0.003462 & 0.000947 \\ 0.003184 & 0 & -0.003184 & 0 \\ 0 & 0.134512 & 0 & -0.144241 \end{pmatrix}$$

Figure 2. Failure rate of the Weibull mixture.
Figure 3. PH fit to the sample.
Table 3 shows the PH-fit for the examples given in Table 2 and the K-S test.

Fit 1: α = (0, 1, 0, 0), D_{0.95} = 0.136*, K-S experimental 0.1039+ (0.136 > 0.1039)

$$T = \begin{pmatrix} -0.003733 & 0 & 0 & 0.003733 \\ 0.008083 & -0.013203 & 0 & 0 \\ 0 & 0.000378 & -0.003733 & 0 \\ 0 & 0 & 0.003733 & -0.003733 \end{pmatrix}$$

Fit 2: α = (0.121536, 0.160842, 0.717622), D_{0.95} = 0.136*, K-S experimental 0.0525+ (0.136 > 0.0525)

$$T = \begin{pmatrix} -0.085995 & 0.002930 & 0.082800 \\ 0.001061 & -0.002107 & 0.000659 \\ 0.515296 & 0.019454 & -0.571630 \end{pmatrix}$$

Fit 3: α = (0.025961, 0.974039), D_{0.95} = 0.136*, K-S experimental 0.0830+ (0.136 > 0.0830)

$$T = \begin{pmatrix} -0.025961 & 0.000187 \\ 0.000067 & -0.001484 \end{pmatrix}$$

Fit 4: α = (0, 0.208189, 0, 0.791811), D_{0.95} = 0.136*, K-S experimental 0.0630+ (0.136 > 0.0630)

$$T = \begin{pmatrix} -0.000210 & 0 & 0 & -0.000210 \\ 0 & -0.027253 & 0.000325 & 0 \\ 0.000331 & 0.000405 & -0.002275 & 0 \\ 0 & 0.000002 & 0.002268 & -0.002270 \end{pmatrix}$$

∗ Critical value, + K-S experimental.
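The models of sections 2 and 3 and the K-S distance behind the minimax objective (9), as an added Python example that is not code from the paper (the paper itself uses the EMpht software and a minimax routine that are not reproduced here). The PH distribution function F(t) = 1 − α exp(Tt) e is the standard one (Neuts 1981) and is not printed on the page; exp(Tt) is computed with a plain scaling-and-squaring Taylor series; the first PH fit of Table 3 is used as the worked input.

```python
"""Added example, not the paper's own code: the Weibull mixture (3), the
additive Weibull (5), the phase-type distribution with representation
(alpha, T) and the Kolmogorov-Smirnov distance that the minimax objective (9)
minimises. The PH distribution function F(t) = 1 - alpha exp(Tt) e (Neuts 1981)
is not printed on the page; exp(Tt) is computed with a scaling-and-squaring
Taylor series so that only the standard library is needed."""
import math
from typing import Callable, List, Sequence, Tuple

Matrix = List[List[float]]

def weibull_cdf(t: float, lam: float, beta: float) -> float:
    """Eqn (1): two-parameter Weibull, scale lam and shape beta."""
    return 0.0 if t <= 0 else 1.0 - math.exp(-((t / lam) ** beta))

def weibull_failure_rate(t: float, lam: float, beta: float) -> float:
    """Eqn (2)."""
    return (beta / lam) * (t / lam) ** (beta - 1.0)

def mixture_cdf(t: float, comps: Sequence[Tuple[float, float, float]]) -> float:
    """Eqn (3); comps = [(p_i, lam_i, beta_i)] with weights summing to one."""
    if abs(sum(p for p, _, _ in comps) - 1.0) > 1e-9:
        raise ValueError("mixture weights must sum to 1")
    return sum(p * weibull_cdf(t, lam, beta) for p, lam, beta in comps)

def additive_cdf(t: float, comps: Sequence[Tuple[float, float]]) -> float:
    """Eqn (5) extended to n series components; comps = [(lam_i, beta_i)]."""
    if t <= 0:
        return 0.0
    return 1.0 - math.exp(-sum((t / lam) ** beta for lam, beta in comps))

def _matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def expm(a: Matrix) -> Matrix:
    """exp(a): scale a by 2^-s until its row-sum norm is <= 0.5, sum the
    Taylor series, then square the result s times."""
    m = len(a)
    norm = max(sum(abs(x) for x in row) for row in a)
    s = 0
    while norm / 2 ** s > 0.5:
        s += 1
    b = [[x / 2 ** s for x in row] for row in a]
    result = [[float(i == j) for j in range(m)] for i in range(m)]
    term = [row[:] for row in result]
    for k in range(1, 30):
        term = [[x / k for x in row] for row in _matmul(term, b)]
        result = [[result[i][j] + term[i][j] for j in range(m)] for i in range(m)]
    for _ in range(s):
        result = _matmul(result, result)
    return result

def exit_vector(T: Matrix) -> List[float]:
    """T0 = -T e, after checking the conditions of section 3: negative diagonal,
    non-negative off-diagonal entries and T0 >= 0."""
    for i, row in enumerate(T):
        if row[i] >= 0 or any(x < 0 for j, x in enumerate(row) if j != i):
            raise ValueError(f"row {i} of T is not a valid sub-generator row")
    t0 = [-sum(row) for row in T]
    if any(x < -1e-12 for x in t0):
        raise ValueError("T0 = -T e must be non-negative")
    return t0

def ph_cdf(t: float, alpha: Sequence[float], T: Matrix) -> float:
    """F(t) = 1 - alpha exp(T t) e: one minus the probability of still being
    in a transient state at time t."""
    exit_vector(T)
    if t <= 0:
        return 0.0
    e_tt = expm([[x * t for x in row] for row in T])
    survival = sum(alpha[i] * sum(e_tt[i]) for i in range(len(T)))
    return 1.0 - survival

def ks_distance(sample: Sequence[float], cdf: Callable[[float], float]) -> float:
    """sup_t |F_e(t) - F_0(t)|, the quantity the minimax objective (9) drives
    down; the empirical step function is checked just before and at each jump."""
    xs = sorted(sample)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs, start=1):
        f = cdf(x)
        d = max(d, abs(i / n - f), abs((i - 1) / n - f))
    return d

# First PH fit of Table 3 (values copied from the page), used as worked input.
ALPHA_T3 = [0.0, 1.0, 0.0, 0.0]
T_T3 = [[-0.003733, 0.0, 0.0, 0.003733],
        [0.008083, -0.013203, 0.0, 0.0],
        [0.0, 0.000378, -0.003733, 0.0],
        [0.0, 0.0, 0.003733, -0.003733]]
```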
Table 4. Estimated parameters.

Table 5. Estimated parameters.
β_1 = 0.6486, λ_1 = 103.8854; β_2 = 5.6458, λ_2 = 849.1117
β_1 = 0.5555, λ_1 = 100.1662; β_2 = 2.042, λ_2 = 628.2805; β_3 = 2.0373, λ_3 = 628.2824

Figure 10. Failure rate of the Weibull Additive model.
Figure 13. Fit an Additive Weibull to the sample.
Figure 15. PH fit to the sample.
7 CONCLUSIONS

The PH-distributions are introduced as a useful tool to fit any set of failure data, as is shown in the examples given above. The advantage of this kind of distributions is that it is not necessary to select a parametric distribution to fit to the data set.

On the other hand, to estimate the parameters with the minimax algorithm, the appropriate initial values of these parameters have to be determined, and it can take a long time, increasing when the number of parameters of the distribution is increased.

Finally, in all of the examples presented in the paper, it is verified, with the K-S test, that the fits obtained with both methods are all adequate, and the goodness of fit in the previous examples is more or less similar.

REFERENCES

[1] Asmussen S, Nerman O, & Olsson M. 1996. Fitting phase-type distributions via the EM algorithm. Scand. J. Statist. 23: 419–441.
[2] Bucar, T., Nagode, M. & Fajdiga, M. 2004. Reliability approximation using finite Weibull mixture distributions. Reliab. Engng. Syst. Safety 84: 241–251.
[3] Jiang, R. & Murthy, D.N.P. 1997. Parametric study of multiplicative model involving two Weibull distributions. Reliab. Engng. Syst. Safety 55: 217–226.
[4] Jiang, R. & Murthy, D.N.P. 1998. Mixture of Weibull distributions-parametric characterization of failure rate function. Appl. Stochastic Models Data Anal. 14: 47–65.
[5] Jiang, R. & Murthy, D.N.P. 2001. Models involving two inverse Weibull distributions. Reliab. Engng. Syst. Safety 73: 73–81.
[6] Jiang, R. & Murthy, D.N.P. 2001. n-fold Weibull multiplicative model. Reliab. Engng. Syst. Safety 74: 211–219.
[7] Ling, J. & Pan, J. 1998. A new method for selection of population distribution and parameter estimation. Reliab. Engng. Syst. Safety 60: 247–255.
[8] Navarro, J. & Hernández, P.J. 2004. How to obtain bathtub-shaped failure models from normal mixtures. Probability in the Engineering and Informational Sciences 18: 511–531.
[9] Montoro-Cazorla, D., Pérez-Ocón, R. & Segovia, M.C. 2007. Shock and wear models under policy N using phase-type distributions. Applied Mathematical Modelling. Article in press.
[10] Murthy, D.N.P. & Jiang, R. 1997. Parametric study of sectional models involving two Weibull distributions. Reliab. Engng. Syst. Safety 56: 151–159.
[11] Neuts, M.F. 1981. Matrix geometric solutions in stochastic models. An algorithmic approach. Univ. Press, Baltimore.
[12] Pérez-Ocón, R. & Segovia, M.C. 2007. Modeling lifetimes using phase-type distributions. Risk, Reliability and Societal Safety. Terje Aven & Jan Erik Vinnem, Taylor & Francis. Stavanger, Norway 1: 463–469.
[13] Sun, Y.S., Xie, M., Goh, T.N. & Ong, H.L. 1993. Development and applications of a three-parameter Weibull distribution with load-dependent location and scale parameters. Reliab. Engng. Syst. Safety 40: 133–137.
[14] Xie, M. & Lai, C.D. 1995. Reliability analysis using an additive Weibull model with bathtub-shaped failure rate function. Reliab. Engng. Syst. Safety 52: 87–93.
[15] Xie, M., Tang, Y. & Goh, T.N. 2002. A modified Weibull extension with bathtub-shaped failure rate function. Reliab. Engng. Syst. Safety 76: 279–285.
J. Kamenický
Technical University of Liberec, Liberec, Czech Republic
ABSTRACT: Electric power is an essential condition of every modern economy. But it is not enough only to maintain existing power plants; it is also necessary to develop new ones. In this development, companies need to make machines with the highest possible reliability (the lowest failure rate, the lowest repair time—the lowest unavailability). It is very complicated to estimate the availability of a machine under development which has not worked yet. We can use an estimation of reliability parameters for older machines with similar design. It is also possible to locate weak parts of these older machines and make some improvements.
To find such parts of a machine we have to analyze it. It is usually done by statistical methods. So the problem is where to get the input data for the analysis. The presented methodology tells us how to collect relevant data, how to differentiate and remove unwanted data and of course how to process the meaningful rest of the data. The construction of a failure frequency histogram is shown, together with the adoption of an exponential distribution for the mean time between failures of equipment, inclusive of a chi-square test of this hypothesis. In addition to these parts it is shown how to perform an ABC analysis of failure consequences. A very important part of this paper is Appendix 1, where an example of the methodology application is shown.
establishment of machine reliability. However, the most important part in data collection is still the failure number, failure causes and the location of their consequences. The power industry in the Czech Republic is split into several branches. The nuclear area looks like a separate section. This is because of massive media pressure. This reason makes the nuclear area one step ahead of the rest of the power industry. Nuclear power plants have their own system for registration of failures and repairs of equipment, but the presented methodology takes this into account as well. The second researched area is named ‘‘classic power plants’’—it means black and brown coal power plants. There is failure monitoring software for classic power stations. Its (dis)advantages are mentioned in the example in Appendix 1. However, recorded data are not processed on an adequate level, neither in the nuclear nor in the classic area.

Better failure rate evaluation needs more data. So the best evaluation uses all the data about one type of machine. Then we sort that data according to what surroundings the machine is operating in, what quality and maintenance policy is applied etc. The analyst cannot do it himself; he needs the help of the machine operator. Getting informed is the key question of all analyses, not only reliability ones. The best case occurs when there exists some kind of central maintenance database from which the relevant information can simply be obtained. If there is no such database, data could be collected in paper forms, so the analyst has to rewrite the information into electronic representation. The worst, but still solvable, case is that the maintenance history is saved only in the operator’s memory. Data must then be rewritten into tabular form. It is recommended to work in groups and make a record of the work. The analysis can be repeated then. When no information is available, it is necessary to make tests or estimate parameters. We assume data are available for the purpose of this methodology.

3.3 Reliability parameters calculation

This chapter deals with the failure rate of an equipment type, not with each unit. It is required to erase data about scheduled overhauls and preventive maintenance tasks and keep only records about failures and breakdowns. These data should be sorted chronologically so that the histogram of failure numbers in each year can be made. Then the number of failures in one year is the sum of all failures which happened on all machines of one type.

Industrial machinery is usually operating all the time in the same conditions, equipment etc. Because of that it seems to us that its failure rate should also be the same throughout its operating life. This presumption corresponds to the exponential distribution of mean time between failures. Its only parameter is λ, which is the reciprocal of the MTBF.

Let’s do a chi-square test for confirmation or negation of the validity of the exponential distribution. The exponential distribution has a constant failure rate, so we can presuppose the same number of failures in time intervals of the same length T. Splitting the test period into m similar intervals we expect a similar number of failures A.

$$A = w \cdot \frac{d}{T} \quad [1] \qquad (1)$$

where w is the length of the interval. This length should be chosen so that there are at least 5 failures in each interval. d is then the number of failures in the tested period. Let’s count the test statistic:

$$\chi^2 = \sum_{i=1}^{m} \frac{(r_i - A)^2}{A} \quad [1] \qquad (2)$$
The failure rate for the exponential distribution is then counted as:

$$\lambda = \frac{1}{\mathrm{MTBF}} \quad [\mathrm{h}^{-1}] \qquad (4)$$

Confidence intervals are given by standard [2], paragraph 5.1.2.1. The lower confidence interval limit is counted by formula (5a), the upper one by (5b):

$$\lambda_L = \frac{\chi^2_{0.05}(2r)}{2T} \quad [\mathrm{h}^{-1}] \qquad (5a)$$

$$\lambda_U = \frac{\chi^2_{0.95}(2r+2)}{2T} \quad [\mathrm{h}^{-1}] \qquad (5b)$$

where χ²_α(v) means the α-fractile of the distribution function of the χ² distribution with v degrees of freedom.

$$\mathrm{MTBF}_L = \frac{1}{\lambda_U} \quad [\mathrm{h}] \qquad (6a)$$

$$\mathrm{MTBF}_U = \frac{1}{\lambda_L} \quad [\mathrm{h}] \qquad (6b)$$

3.4 Pareto analysis of failure modes

Pareto analysis was developed as a quantitative analysis of the most common failure modes and their effects. It can separate substantial factors from minor ones and show where maintenance effort should focus by removing gaps in the equipment maintenance process. The so-called Pareto analysis presupposes that approximately 80% of consequences are caused by only 20% of causes. This analysis accents the fact that it is not necessary to deal with all causes, but that for a satisfactory effect it is enough to solve only some of the most important of them. For the purpose of this study it is adequate to reason about the operator’s experience and follow his advice. It is possible to predict from this experience which causes will be the most common. For the methodology purpose, most failures are caused by only three failure mode groups. These groups could be divided into several sub-modes, as shown in the following Table 1.

Not all failure modes which occurred on the equipment are in the table. The analyst has to diagnose all failure modes and write them down; e.g., also into the table or by a Pareto graph, see Fig. 1.
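The calculation chain of section 3.3, eqns (1), (2), (4) and (5a) to (6b), together with the Pareto ranking of section 3.4, as an added Python example that is not the paper's own code. The chi-square fractiles are approximated with the Wilson-Hilferty formula (an assumption; the paper reads them from tables), the totals follow Appendix 1 (107 failures in 1985–2000, 135 failures in 1 339 032 h, seal system 74, oil system 23, bearing 11), and the per-interval counts and minor failure-mode counts are constructed.

```python
"""Added example, not the paper's own code: the reliability-parameter
calculation of section 3.3 (eqns (1), (2), (4), (5a)-(6b)) and the Pareto
ranking of section 3.4, run on constructed data. The chi-square fractiles
are approximated with the Wilson-Hilferty formula (an assumption; the
paper reads them from tables)."""
from statistics import NormalDist
from typing import Dict, List, Sequence, Tuple


def expected_failures(d: int, period: float, interval: float) -> float:
    """Eqn (1): A = w * d / T, failures expected in one interval of length w."""
    if period <= 0 or interval <= 0 or interval > period:
        raise ValueError("interval w must be positive and not longer than period T")
    return interval * d / period


def chi_square_statistic(counts: Sequence[int], period: float, interval: float) -> float:
    """Eqn (2): sum over the m intervals of (r_i - A)^2 / A."""
    a = expected_failures(sum(counts), period, interval)
    if a < 5:
        raise ValueError("choose w so that at least 5 failures are expected per interval")
    return sum((r - a) ** 2 / a for r in counts)


def chi_square_fractile(p: float, dof: int) -> float:
    """Wilson-Hilferty approximation of the p-fractile chi^2_p(dof)."""
    z = NormalDist().inv_cdf(p)
    h = 2.0 / (9.0 * dof)
    return dof * (1.0 - h + z * h ** 0.5) ** 3


def exponential_hypothesis_holds(counts: Sequence[int], period: float,
                                 interval: float, alpha: float = 0.10) -> bool:
    """Constant failure rate accepted when chi^2 < chi^2_{1-alpha}(m - 1)."""
    stat = chi_square_statistic(counts, period, interval)
    return stat < chi_square_fractile(1.0 - alpha, len(counts) - 1)


def failure_rate_with_limits(failures: int, cumulated_hours: float) -> Dict[str, float]:
    """Eqn (4) plus the 90 % two-sided limits of eqns (5a), (5b), (6a), (6b)."""
    mtbf = cumulated_hours / failures
    lam_l = chi_square_fractile(0.05, 2 * failures) / (2 * cumulated_hours)
    lam_u = chi_square_fractile(0.95, 2 * failures + 2) / (2 * cumulated_hours)
    return {"MTBF": mtbf, "lambda": 1.0 / mtbf, "lambda_L": lam_l, "lambda_U": lam_u,
            "MTBF_L": 1.0 / lam_u, "MTBF_U": 1.0 / lam_l}


def pareto_ranking(mode_counts: Dict[str, int]) -> List[Tuple[str, int, float]]:
    """Failure modes by descending count with the cumulated share of all failures."""
    total = sum(mode_counts.values())
    ranked, cum = [], 0
    for mode, n in sorted(mode_counts.items(), key=lambda kv: (-kv[1], kv[0])):
        cum += n
        ranked.append((mode, n, cum / total))
    return ranked


def vital_few(mode_counts: Dict[str, int], share: float = 0.8) -> List[str]:
    """The modes that together reach `share` of the failures (the 80/20 rule)."""
    out = []
    for mode, _, cum_share in pareto_ranking(mode_counts):
        out.append(mode)
        if cum_share + 1e-12 >= share:
            break
    return out


# Constructed inputs. The totals follow Appendix 1 (107 failures in the 16
# years 1985-2000 split into 2-year intervals; 135 failures in 1 339 032 h;
# seal system 74, oil system 23, bearing 11 from Table A5); the per-interval
# counts and the minor failure modes are made up for illustration.
TWO_YEAR_COUNTS = [14, 11, 16, 12, 13, 9, 17, 15]
MODE_COUNTS = {"Seal system": 74, "Oil system": 23, "Bearing": 11,
               "Cooling spiral": 6, "Prevention": 5, "Noisiness": 4, "Sensors": 3,
               "Design": 2, "Flange": 2, "Clutch": 1, "Gearbox": 1, "Chain": 1,
               "Shaft": 1, "Alignment": 1}

if __name__ == "__main__":
    print("chi^2 =", round(chi_square_statistic(TWO_YEAR_COUNTS, 16, 2), 3),
          "accepted:", exponential_hypothesis_holds(TWO_YEAR_COUNTS, 16, 2))
    print(failure_rate_with_limits(135, 1339032))
    print("vital few:", vital_few(MODE_COUNTS))
```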
[Figure: Pareto graph with number of failures and cumulated number of failures (0–140) per failure mode.]

ACKNOWLEDGEMENT

This research was supported by the Ministry of Education, Youth and Sports of the Czech Republic, project No. 1M06059—Advanced Technologies and Systems for Power Engineering, and it was solved by the Technical University of Liberec, Faculty of Mechatronics and Interdisciplinary Engineering Studies.

REFERENCES
Table A1. Chosen columns of central pumps failure rate database.
Column codes: PUMP PWR_P HTC DAY CNSQ RSN BS_C AD_C SKR_C ST MWH GJ TIME
Descriptions: Description, Pr. system, WRK, EQ type, Equipment, Date, TTR, Req. date

Table A3. Corrected, chronologically sorted data about failures.
ID number | Date | Repair description | TTR
1VC01D001 | 17.04.00 | Change of relay EZH-112VT 1VC01L051 | 200
1VC01D001 | 04.10.00 | Pump body cleaning—oil | 12
1VC01D001 | 16.10.00 | Repair of pump bearing leakage | 24
1VC01D001 | 23.11.00 | Motor run-up measurement | 20
1VC01D001 | 19.03.01 | Oil relay checking | 8
1VC01D001 | 30.04.01 | New seal on pump radial bearing | 108
1VC01D001 | 30.04.01 | Pump sensors disconnecting | 6

Table A4. Operating times of each pump.
Unique ID | Start of operating | Est. operational time [h]
P_P1_B1_P1 | 3.8.1985 | 184 248
P_P1_B1_P2 | 18.12.1986 | 172 368
P_P1_B1_P3 | 15.2.1990 | 145 080
P_P1_B1_P4 | 25.4.1986 | 177 960
P_P1_B2_P1 | 18.9.1987 | 165 888
P_P1_B2_P2 | 6.4.1988 | 161 136
P_P1_B2_P3 | 25.9.1987 | 165 720
P_P1_B2_P4 | 17.8.1987 | 166 632
Total cumulated operational time | 1 339 032
Total number of failures | 135
Table A5. Example of the three most common pump failure modes.
Seal system: Total 74 | Set-up 27 | Seal change 23 | Mass top-up 22 | Drain plugged 1 | Seal clean 1
Bearing: Total 11 | Cooling 5 | Revision 2 | …ling 2 | venting 1 | change 1
Oil system: Total 23 | Resealing 9 | Top-up 5 | Cover leakage 5 | Withdrawal 2 | O ring montage 2

[Figure: number of pump failures per year (0–25), 1985–2006.]
[Figure (Pareto graph): number of failures and cumulated number of failures (0-140) per failure mode; modes on the axis: Alignment, Shaft, Chain, Gearbox, Clutch, Flange, Design, Bearing, Oil system, Sensors, Seal system, Noisiness, Prevention, Cooling spiral]

It is evident from the picture that the failure rate was relatively constant over the whole test period; only in the year 2001 was there a massive growth of the number of failures. Let us focus on this year during failure cause location. In this case there was an attempt to change the seal system, which increased the number of maintenance tasks. There were fewer failures in the years after the modification, so we can say that the change was successful and the pump failure rate decreased.

Because there were 24 failures in 2001 (this fact is explained, so we are allowed to make this simplification), the hypothesis of an exponential distribution of the time to failure is tested for the years before 2001. The tested time is 16 years (1985-2000 included), during which 107 failures occurred; the length of the testing interval was set to 2 years. The expected number of failures in every 2-year interval, computed by (1), is:

$$A = 2 \cdot \frac{107}{16} \approx 13$$

Test statistic value by (2): the computed value of χ² is 9.71, while the theoretical value $\chi^2_{0.9}(7)$ for 7 degrees of freedom (eight intervals) is 12.02. The hypothesis of an exponential distribution of the time to pump failure is therefore confirmed at the 10% level of significance for the years 1985-2000. In the year 2001 a larger number of maintenance tasks was carried out, which decreased the failure rate in the following years.

The point estimate of the mean time between failures, computed by (3), is

$$\mathrm{MTBF} = \frac{1339032}{135}\ [\mathrm{h}] = 9919\ \mathrm{h} \approx 9900\ \mathrm{h}, \qquad \lambda = \frac{1}{\mathrm{MTBF}} = 1 \cdot 10^{-4}\ \mathrm{h}^{-1}$$

Confidence limits of the failure rate are obtained by (5a) and (5b):

$$\lambda_L = \frac{232.95}{2 \cdot 1339032}\ [\mathrm{h}^{-1}] = 8.7 \cdot 10^{-5}\ \mathrm{h}^{-1}$$

$$\lambda_U = \frac{311.5}{2 \cdot 1339032}\ [\mathrm{h}^{-1}] = 1.2 \cdot 10^{-4}\ \mathrm{h}^{-1}$$

Confidence limits of the mean time between failures are obtained by (6a) and (6b):

$$\mathrm{MTBF}_L = \frac{2 \cdot 1339032}{311.5}\ [\mathrm{h}] = 8600\ \mathrm{h}$$

$$\mathrm{MTBF}_U = \frac{2 \cdot 1339032}{232.95}\ [\mathrm{h}] = 11500\ \mathrm{h}$$
Mean time to repair is computed by (7):

$$\mathrm{MTTR} = \frac{3270}{135}\ [\mathrm{h}] = 24\ \mathrm{h}$$

Confidence limits of the mean time to repair are determined by (8a) and (8b):

$$\mathrm{MTTR}_L = \frac{2 \cdot 3270}{311.5}\ [\mathrm{h}] = 21\ \mathrm{h}$$

$$\mathrm{MTTR}_U = \frac{2 \cdot 3270}{232.95}\ [\mathrm{h}] = 28\ \mathrm{h}$$

Now we can finish the reliability part of the work by computing the asymptotic unavailability by formula (9):

$$U = \frac{24.2}{24.2 + 9919} = 2.4 \cdot 10^{-3}$$

Pareto analysis

Operators' experience shows that the three most common failures are seal leakage, oil system failure and bearing failure. That is why these failure modes were divided into further sub-modes, called root causes. This subdivision is shown in Table A5. These three dominant failure modes really cover exactly 80% of all failures, 108 of 135 (this is an example from industry based on real data, not a textbook one). The number of failures of each failure mode, sorted by percentage of occurrence, is charted in the Pareto graph.

The results of the Pareto analysis show that the most troubled place in the pumps' operational history was the seal system. However, in 2001 the seals were modified and their failure rate decreased. Because of that, the analyst recommends focusing on the second most common group of failures, the oil system failures. It is also recommended to keep observing the modified seal system, to make sure that the modification really eliminated the problems with the seals.
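The computations above, as an added worked example that is not part of the paper: a pure-Python implementation of the chi-square test of a constant failure rate (eqs. (1)-(2)) and of the point and chi-square confidence estimates for MTBF, failure rate, MTTR and asymptotic unavailability (eqs. (3)-(9)), applied to the totals of Tables A3-A5, plus the Pareto selection of the dominant modes. The per-interval failure counts and the counts of the minor failure modes are constructed, because the page gives only totals; the chi-square quantiles are computed from the regularized incomplete gamma function, so no SciPy is needed. With the paper's totals the functions reproduce MTBF ≈ 9919 h, failure rate limits 8.7·10⁻⁵ and 1.16·10⁻⁴ h⁻¹, MTBF limits ≈ 8600 and 11500 h, MTTR 24.2 h with limits 21 and 28 h, and U ≈ 2.4·10⁻³.

```python
import math

# Added example, not from the paper: exponential-model reliability figures for the pump
# data on this page, eqs. (1)-(9), with chi-square quantiles computed in pure Python.

T_TOTAL_H = 1_339_032      # cumulated operating time of the eight pumps [h] (Table A4)
N_FAILURES = 135           # failures in the whole record
REPAIR_TOTAL_H = 3270      # sum of time to repair over all failures [h]
# Failures per 2-year interval, 1985-2000: CONSTRUCTED counts summing to the paper's 107;
# the real per-interval counts exist only in the figure and are not on the page.
FAILURES_PER_INTERVAL = [10, 12, 15, 11, 14, 16, 13, 16]
# Table A5 totals for the three dominant modes; the other 27 failures are spread over the
# remaining modes of the Pareto graph with CONSTRUCTED counts.
FAILURES_PER_MODE = {"Seal system": 74, "Oil system": 23, "Bearing": 11, "Sensors": 8,
                     "Alignment": 6, "Cooling spiral": 5, "Other": 8}

def lower_regularized_gamma(a, x):
    """P(a, x) = gamma(a, x) / Gamma(a) by its power series (converges for every x > 0)."""
    if x <= 0.0:
        return 0.0
    term = total = 1.0 / a
    for n in range(1, 200_000):
        term *= x / (a + n)
        total += term
        if term < total * 1e-16:
            break
    return total * math.exp(-x + a * math.log(x) - math.lgamma(a))

def chi2_cdf(x, dof):
    return lower_regularized_gamma(dof / 2.0, x / 2.0)

def chi2_quantile(prob, dof):
    """Inverse chi-square CDF by bisection (no SciPy needed)."""
    lo, hi = 0.0, dof + 12.0 * math.sqrt(2.0 * dof) + 60.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if chi2_cdf(mid, dof) < prob:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

def expected_per_interval(n_failures, years, interval_years):
    """Eq. (1): expected failures per interval under a constant failure rate."""
    return interval_years * n_failures / years

def chi2_statistic(observed, expected):
    """Eq. (2): sum over intervals of (O - E)^2 / E."""
    return sum((o - expected) ** 2 / expected for o in observed)

def constant_rate_test(observed, years, interval_years, alpha=0.10):
    """(hypothesis kept, statistic, critical value) with len(observed) - 1 degrees of freedom."""
    expected = expected_per_interval(sum(observed), years, interval_years)
    stat = chi2_statistic(observed, expected)
    critical = chi2_quantile(1.0 - alpha, len(observed) - 1)
    return stat <= critical, stat, critical

def mtbf_point(total_time_h, n_failures):
    """Eq. (3): MTBF = T / n; lambda = 1 / MTBF."""
    return total_time_h / n_failures

def failure_rate_limits(total_time_h, n_failures, conf=0.90):
    """Eqs. (5a)/(5b): two-sided chi-square limits on lambda for a time-truncated test."""
    a = 1.0 - conf
    lam_l = chi2_quantile(a / 2.0, 2 * n_failures) / (2.0 * total_time_h)
    lam_u = chi2_quantile(1.0 - a / 2.0, 2 * n_failures + 2) / (2.0 * total_time_h)
    return lam_l, lam_u

def mtbf_limits(total_time_h, n_failures, conf=0.90):
    """Eqs. (6a)/(6b): MTBF_L = 1 / lambda_U and MTBF_U = 1 / lambda_L."""
    lam_l, lam_u = failure_rate_limits(total_time_h, n_failures, conf)
    return 1.0 / lam_u, 1.0 / lam_l

def mttr_with_limits(repair_total_h, n_failures, conf=0.90):
    """Eqs. (7), (8a), (8b): (lower, point, upper); the paper uses the same quantiles as for MTBF."""
    a = 1.0 - conf
    low = 2.0 * repair_total_h / chi2_quantile(1.0 - a / 2.0, 2 * n_failures + 2)
    high = 2.0 * repair_total_h / chi2_quantile(a / 2.0, 2 * n_failures)
    return low, repair_total_h / n_failures, high

def asymptotic_unavailability(mttr_h, mtbf_h):
    """Eq. (9): U = MTTR / (MTTR + MTBF)."""
    return mttr_h / (mttr_h + mtbf_h)

def pareto_dominant_modes(counts, share=0.80):
    """Modes, most frequent first, that together reach the given share of all failures."""
    total, running, chosen = sum(counts.values()), 0, []
    for mode, n in sorted(counts.items(), key=lambda kv: kv[1], reverse=True):
        chosen.append(mode)
        running += n
        if running / total >= share:
            break
    return chosen

if __name__ == "__main__":
    kept, stat, crit = constant_rate_test(FAILURES_PER_INTERVAL, 16, 2)
    print(f"chi2 = {stat:.2f} vs chi2_0.90(7) = {crit:.2f}; exponential model kept: {kept}")
    mtbf = mtbf_point(T_TOTAL_H, N_FAILURES)
    low, mttr, high = mttr_with_limits(REPAIR_TOTAL_H, N_FAILURES)
    print(f"MTBF = {mtbf:.0f} h, 90 % limits {mtbf_limits(T_TOTAL_H, N_FAILURES)}")
    print(f"MTTR = {mttr:.1f} h [{low:.1f}, {high:.1f}], U = {asymptotic_unavailability(mttr, mtbf):.2e}")
    print("80 % of failures:", pareto_dominant_modes(FAILURES_PER_MODE))
```

The lower limit of the failure rate uses the chi-square quantile with 2n degrees of freedom and the upper limit 2n + 2, which is the usual time-truncated form and reproduces the 232.95 and 311.5 quoted in the text for n = 135 at 90% confidence; when the chi-square statistic of the constructed interval counts is compared with 12.02, the hypothesis of a constant failure rate is kept, as in the paper.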
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
E. Nogueira Díaz
Telefónica I +D, UPM, Spain
ABSTRACT: Reliability evaluation based on degradation is very useful in systems with scarce failures. In this paper a new degradation model based on the Weibull distribution is proposed. The model is applied to the degradation of Light Emitting Diodes (LEDs) under different accelerated tests. The results of these tests are in agreement with the proposed model, and the reliability function is evaluated.
Reliability evaluation based on degradation models [1] is commonly applied to highly reliable products as a cost-effective and confident way of evaluating their reliability. In this paper a device degradation model is presented and subsequently applied to the quantitative analysis of LED reliability. With this model the different parameters related to module reliability, such as the reliability function, the failure rate function, the Mean Time to Failure (MTTF) or the warranty period, can be assessed from LED degradation. In order to obtain reliability data in a suitable period of time, degradation is measured in a climatic chamber in accelerated tests.

The classical degradation model determines the number of failures at any time from degradation data. This model assumes that the functionality parameter (light output in the case of LEDs) of a group of devices follows a normal distribution at each instant of time, whose parameters (mean and standard deviation) change as a function of time.

In this paper the limitations of the classical model, from a theoretical and a practical point of view, are analysed. The calculations were performed in order to see the temporal limitation of the classical model, using a linear variation of the mean and the standard deviation with time. The limits of the standard deviation trend are also analysed in order to avoid results that are unreal from the degradation point of view, such as LEDs that improve with time and light output values lower than zero. Finally, we propose a model using the Weibull distribution to solve the limitations of the classical model.

In degradation models it is assumed that a component fails when one of its functional parameters (power, voltage, light output, etc.) degrades enough that it no longer allows the component to carry out its function successfully. Degradation failure is usually defined as a percentage of the nominal value below which the component is considered unable to perform its function. For example, in the case of LEDs, failure is considered to occur when the light output falls below 70% of the nominal value [2].

The classical model assumes that:

• The functionality parameter is distributed following a normal distribution with mean μ and standard deviation σ.
• The mean and the standard deviation are functions of time, μ(t) and σ(t).

For the mean a linear variation is usually used by several authors [3-4]:

$$\mu(t) = \mu_0 - A\,t \qquad (1)$$

where μ0 is the mean initial value, A is a constant that indicates the speed of degradation and t is time. The linear trend presents a problem for t ≥ μ0/A because, from that time on, the functionality parameter takes values lower than zero.
Other authors [5] propose an exponential trend:

$$\mu(t) = \mu_0\, e^{-t/C} \qquad (2)$$

where μ0 is the mean initial value and C is a constant that represents the time at which the parameter has degraded to e⁻¹ ≈ 36.8% of its initial value.

For the time variation of the standard deviation a linear variation is often used:

$$\sigma(t) = \sigma_0 + B\,t \qquad (3)$$

where σ0 is the initial standard deviation, B is a constant that indicates the speed of degradation of the standard deviation and t is time.

In general this model assumes that the parameter distribution at any instant of time follows a normal distribution with mean μ(t) and standard deviation σ(t):

$$f(p, t) = \frac{1}{\sigma(t)\sqrt{2\pi}}\, e^{-\frac{1}{2}\left(\frac{p - \mu(t)}{\sigma(t)}\right)^2} \qquad (4)$$

Figure 1 shows the previous model assuming a linear variation of both the mean and the standard deviation. Since the standard deviation increases with time, the normal distribution flattens with time, and therefore at a certain instant the normal curve, or in a simpler way μ(t) − 3σ(t), will pass through the failure limit, and at that moment degradation failures will appear.

Based on this model it is possible to evaluate the reliability as the probability, at any instant of time, that the functionality parameter is within the non-failure parameter limits:

$$R(t) = \int_{L_L}^{L_S} \frac{1}{\sigma(t)\sqrt{2\pi}}\, e^{-\frac{1}{2}\left(\frac{p - \mu(t)}{\sigma(t)}\right)^2}\, dp \qquad (5)$$

where p is the parameter being analysed, μ the mean, σ the standard deviation, and L_L and L_S are the lower and upper failure limits.

Some device manufacturers provide degradation data, but they are scarce. In order to obtain degradation data in a suitable period of time it is necessary to use accelerated tests, as will be explained in this paper.

Reliability can be estimated from degradation data using equation (5). One time parameter that is easily evaluated with this model, following Figure 1, is the time at which 50% of the devices have failed, R(t50) = 0.5. In the linear parameter trend case t50 is:

$$t_{50} = \frac{\mu_0 - p_F}{A} \qquad (6)$$

where p_F is the failure limit of the parameter. In the exponential parameter trend case t50 is:

$$t_{50} = -C \ln \frac{p_F}{\mu_0} \qquad (7)$$
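An added example, not code from the paper, of the classical model of eqs. (1)-(7) together with the admissibility check that the next section derives for the linear trends (μ(t) + 3σ(t) must not exceed its initial value, which for linear trends means A ≥ 3B): R(t) from eq. (5) with time-varying mean and standard deviation, t50 for both trends, the time at which the lower envelope μ − 3σ first reaches the failure limit, and the limit t < μ0/A of the linear mean. All parameter values (μ0, σ0, A, B, C) are assumed for illustration, with light output normalised to its initial mean and time in days; only the 70% failure threshold comes from the text.

```python
import math

# Added example, not from the paper: the classical normal degradation model, eqs. (1)-(7),
# and the admissibility condition of eqs. (9)-(10). All parameter values are ASSUMED for
# illustration (light output relative to its initial mean, time in days); only the 70 %
# failure threshold comes from the text.

def mean_linear(t, mu0, A):
    """Eq. (1): mu(t) = mu0 - A t."""
    return mu0 - A * t

def mean_exponential(t, mu0, C):
    """Eq. (2): mu(t) = mu0 exp(-t / C)."""
    return mu0 * math.exp(-t / C)

def sigma_linear(t, sigma0, B):
    """Eq. (3): sigma(t) = sigma0 + B t."""
    return sigma0 + B * t

def normal_cdf(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def reliability(t, mu_fn, sigma_fn, lower_limit, upper_limit=math.inf):
    """Eq. (5): probability that the parameter lies within [L_L, L_S] at time t."""
    mu, sigma = mu_fn(t), sigma_fn(t)
    if sigma <= 0.0:
        raise ValueError("sigma(t) must be positive")
    upper = 1.0 if upper_limit == math.inf else normal_cdf((upper_limit - mu) / sigma)
    return upper - normal_cdf((lower_limit - mu) / sigma)

def t50_linear(mu0, A, p_f):
    """Eq. (6): time at which half of the devices are below the failure limit p_F."""
    return (mu0 - p_f) / A

def t50_exponential(mu0, C, p_f):
    """Eq. (7): the same time for the exponential mean trend."""
    return -C * math.log(p_f / mu0)

def linear_trend_valid_until(mu0, A):
    """Eq. (1) gives a negative output for t >= mu0 / A; the model is only usable before that."""
    return mu0 / A

def linear_model_admissible(A, B):
    """Eq. (10): mu + 3 sigma = mu0 + 3 sigma0 + (3B - A) t must not grow, i.e. A >= 3B."""
    return A >= 3.0 * B

def first_degradation_failures(mu0, sigma0, A, B, p_f):
    """Time at which the lower envelope mu(t) - 3 sigma(t) reaches p_F (linear trends)."""
    return (mu0 - 3.0 * sigma0 - p_f) / (A + 3.0 * B)

# Assumed scenario: output normalised to 1.0 at t = 0, failure below 70 % (p_F = 0.7)
MU0, SIGMA0, A_LIN, B_LIN, C_EXP, P_F = 1.0, 0.02, 0.01, 0.002, 100.0, 0.7

def scenario(mu0=MU0, sigma0=SIGMA0, A=A_LIN, B=B_LIN, C=C_EXP, p_f=P_F):
    mu = lambda t: mean_linear(t, mu0, A)
    sd = lambda t: sigma_linear(t, sigma0, B)
    t_first = first_degradation_failures(mu0, sigma0, A, B, p_f)
    t50 = t50_linear(mu0, A, p_f)
    return {
        "admissible": linear_model_admissible(A, B),
        "valid_until": linear_trend_valid_until(mu0, A),
        "t_first_failures": t_first,
        "R_at_first": reliability(t_first, mu, sd, p_f),
        "t50": t50,
        "R_at_t50": reliability(t50, mu, sd, p_f),
        "t50_exponential": t50_exponential(mu0, C, p_f),
    }

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:>18}: {value}")
```

With the assumed values the lower envelope reaches 0.7 at day 15, where R is still 0.9987 (the 3σ point of the normal curve), and R(t50) is exactly 0.5 at day 30 because the mean itself sits on the failure limit there; halving A while keeping B makes A < 3B and the check rejects the parameter set, which is the "LEDs that improve with time" case the text warns about.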
Figure 2. Normal distribution power values (μ+σ, μ, μ−σ) with mean and standard deviation linear trend according to the classical model.

Figure 3. Normal distribution power values (μ+σ, μ, μ−σ) with mean and standard deviation linear trend according to the classical model (A ≈ 3B).

Figure 4. Normal distribution power values (μ+σ, μ, μ−σ) with mean exponential trend and standard deviation linear trend according to the classical model.

degradation model. In order to avoid this situation it is necessary that the degradation trend satisfies:

$$\mu(t) + 3\sigma(t) \le \mu_0 + 3\sigma_0 \qquad (9)$$

In the case of linear mean and standard deviation trends, μ(t) + 3σ(t) = μ0 + 3σ0 + (3B − A)t, so it is necessary that

$$A \ge 3B \qquad (10)$$

In the next figure a case in which A ≈ 3B can be seen. In the exponential mean degradation case the analysis is very similar to the previous case, as can be seen in Figure 4.

4 PROPOSED MODEL

In this paper we propose a model based on the assumption that the functionality parameter decays with time following a Weibull function [6]. The Weibull function is very useful due to its versatility

with t0 the location parameter, η the scale parameter and β the shape parameter (or slope).

If β = 1 the functionality parameter varies with time following an exponential. It means that the degradation rate is constant over the whole period of time:

$$\frac{\eta(t+\Delta t)}{\eta(t)} = \frac{\eta_0\, e^{-(t+\Delta t)/\eta}}{\eta_0\, e^{-t/\eta}} = e^{-\Delta t/\eta} \qquad (12)$$

If β < 1 the degradation rate decreases with time. If β > 1 the degradation rate increases with time. η is the scale parameter and is the time at which the functionality parameter has reduced to e⁻¹ (0.368) of its initial value. t0, the location parameter, defines the starting point of the degradation. For the common case where t0 = 0 and η = 1 the figure shows three curves for the three types of β described in the preceding paragraph.

The main advantages of the Weibull function are:

• It takes values between μ0 at t = 0 and 0 (t = infinity), in agreement with theoretical degradation models. Although it takes the value zero only for t equal to infinity, it is possible to model a practically zero value at finite times.
Pressure cooker
[Figure 7. Normal distribution representation at three different instants of time (day 10: blue, right; day 17: pink, middle; day 26: yellow, left). Pressure cooker test (110 °C / 85% RH). Axis: power luminosity values in normal plot for 10, 17 and 26 days.]

[Figure 8. Average power luminosity Pm(t) with respect to time (110 °C / 85% RH); Pm from 0 to 0.8, time from 0 to 40 days.]

[Figure: standard deviation with respect to time (0 to 0.35, days 1 to 23).]

[Figure 10. Power luminosity vs time in a Weibull plot: Ln(−Ln P/Po) against Ln(t); linear fit y = 2.1642x − 7.2746, R² = 0.9088.]

from the beginning until the eleventh day, and the standard deviation is almost constant. The second period is from the eleventh to the eighteenth day, and in this period the standard deviation increases following a linear trend, according to the classical model. In the last period, which starts on day 19, catastrophic failures appear and therefore it is not easy to find the standard deviation trend.

6.2 Power luminosity Weibull function

Based on Figure 7 we have evaluated the average power luminosity with respect to time. It can be seen that degradation does not start until day 4. In Figure 10 we have represented the relative power luminosity (relative to the power luminosity at the fourth day) with respect to time in a Weibull representation, concluding that it can be modelled with a Weibull function.

From the Weibull representation we have obtained the Weibull parameters for this specific test (110 °C / 85% RH). Following the proposed law, β = 2.1642 and η = 28.8276 days = 691.86 hours, and therefore the power luminosity evolves with time (t in hours) in the following way:

$$P_m(t) = 0.62\, e^{-\left(\frac{t - 96}{691.86}\right)^{2.16}} \qquad (13)$$
Table 2. Accumulated failures at different days (110 °C / 85% RH).
Days | Accumulated failures
12   | 1
13   | 3
16   | 4
20   | 8
22   | 9
23   | 11
24   | 14
25   | 15

[Figure: Weibull plot of the accumulated failure fraction F(t); linear fit y = 4.6621x − 14.219, R² = 0.9309.]

9 CONCLUSIONS

The main conclusions of this paper are:

• We have proposed a degradation model based on the Weibull function that fits several degradation models for different devices reported in the literature.
• From this model it is possible to evaluate the reliability function of any device by analysing degradation data.
• First results of accelerated tests on AlGaInP LEDs show that:
  ◦ LED degradation follows a Weibull function with respect to time, in agreement with the proposed model.
  ◦ Reliability in all pressure cooker tests follows a Weibull function with a shape parameter higher than one, in agreement with the degradation mechanism.
• Accelerated tests at different conditions are ongoing
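An added example, not from the paper, of the Weibull-plot regression behind Figure 10 and behind the failure-fraction plot next to Table 2: ln(−ln S) is fitted against ln(t − t0) by least squares, the slope is β and the intercept is −β ln η, with S = P/P0 for degradation data and S = 1 − F(t) for cumulative failures. The degradation points are constructed from the paper's own fitted law (β = 2.1642, η = 28.8276 days, t0 = 4 days), so the fit has to return those values; the reliability fit uses the accumulated failures of Table 2 with an assumed sample size of 20 LEDs and Bernard's median ranks, since the page does not state how many devices were tested.

```python
import math

# Added example, not from the paper: the Weibull-plot regression of Figure 10
# (y = ln(-ln S) against x = ln(t - t0), slope = beta, intercept = -beta ln eta).

def linear_fit(xs, ys):
    """Ordinary least squares; returns (slope, intercept, r_squared)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = my - slope * mx
    ss_res = sum((y - (slope * x + intercept)) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - my) ** 2 for y in ys)
    return slope, intercept, 1.0 - ss_res / ss_tot

def weibull_from_survival(times, survival, t0=0.0):
    """Fit (beta, eta, r2) from points (t, S(t)) with S = P/P0 or 1 - F; needs 0 < S < 1, t > t0."""
    xs, ys = [], []
    for t, s in zip(times, survival):
        if t <= t0 or not 0.0 < s < 1.0:
            continue            # point has no image on the Weibull plot
        xs.append(math.log(t - t0))
        ys.append(math.log(-math.log(s)))
    beta, intercept, r2 = linear_fit(xs, ys)
    return beta, math.exp(-intercept / beta), r2

def weibull_survival(t, beta, eta, t0=0.0):
    """The proposed law in the form of eq. (13): S(t) = exp(-((t - t0) / eta)^beta)."""
    return 1.0 if t <= t0 else math.exp(-((t - t0) / eta) ** beta)

def median_ranks(cumulative_failures, sample_size):
    """Bernard's approximation F_i = (i - 0.3) / (n + 0.4) for the i-th failure out of n."""
    return [(i - 0.3) / (sample_size + 0.4) for i in cumulative_failures]

# Degradation data: CONSTRUCTED from the paper's fitted law (beta 2.1642, eta 28.8276 d, t0 4 d)
BETA_PAPER, ETA_PAPER_DAYS, T0_DAYS = 2.1642, 28.8276, 4.0
DEG_DAYS = [8, 10, 12, 14, 17, 20, 23, 26, 30]
DEG_RATIO = [weibull_survival(t, BETA_PAPER, ETA_PAPER_DAYS, T0_DAYS) for t in DEG_DAYS]

# Accumulated failures from Table 2 (110 C / 85 % RH); the sample size n = 20 is an ASSUMPTION
TABLE2_DAYS = [12, 13, 16, 20, 22, 23, 24, 25]
TABLE2_CUM = [1, 3, 4, 8, 9, 11, 14, 15]
ASSUMED_SAMPLE_SIZE = 20

def fit_degradation():
    return weibull_from_survival(DEG_DAYS, DEG_RATIO, t0=T0_DAYS)

def fit_reliability(sample_size=ASSUMED_SAMPLE_SIZE):
    survival = [1.0 - f for f in median_ranks(TABLE2_CUM, sample_size)]
    return weibull_from_survival(TABLE2_DAYS, survival)

if __name__ == "__main__":
    b, e, r2 = fit_degradation()
    print(f"degradation: beta = {b:.4f}, eta = {e:.4f} d = {24 * e:.2f} h, R^2 = {r2:.4f}")
    b, e, r2 = fit_reliability()
    print(f"reliability: beta = {b:.2f}, eta = {e:.1f} d, R^2 = {r2:.3f}")
```

For the constructed degradation points the fit returns β = 2.1642 and η = 28.83 days = 691.86 h exactly, because the points are noise-free; with the assumed n = 20 the Table 2 failures give β ≈ 4.1 and η ≈ 24 days with R² ≈ 0.93, close to the slope 4.66 and R² = 0.93 of the paper's plot, and in either case β > 1 corresponds to a degradation rate that increases with time.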
ABSTRACT: In this paper we are interested in the problem of evaluating, analyzing and synthesizing information delivered by multiple sources about the same badly known variable. We focus on two approaches that can be used to solve the problem, a probabilistic and a possibilistic one. They are first described and then applied to the results of uncertainty studies performed in the framework of the OECD BEMUSE project. The usefulness and advantages of the proposed methods are discussed and emphasized in the light of the obtained results.
[Figure 1. Cumulative distribution function (and, dashed, probability density) of the peak clad temperature built from the percentiles q0% = 500 K, q5% = 600 K, q50% = 800 K, q95% = 900 K, q100% = 1000 K; 5%, 45%, 45%, 5% of the mass lie between successive percentiles.]

[Figure 2. Possibility distribution of the peak clad temperature built from the nested intervals [750, 850] K, [650, 900] K, [600, 950] K and [500, 1000] K, at levels 0.9, 0.5, 0.1 and 0 respectively; temperature axis 500 K to 1000 K.]
converge to the fact that single probabilities cannot adequately account for incompleteness, imprecision or unreliability in the information (see (Ferson and Ginzburg 1996) for a short discussion). Other uncertainty theories, such as possibility theory, allow such features of the information to be accounted for explicitly. Such theories are less precise than probability theory, but ensure that no extra assumptions are added to the available information.

The probability distribution that fits a set of percentiles q_k% and maximizes entropy simply corresponds to a linear interpolation between percentiles. Figure 1 represents a cumulative distribution function (CDF) of the peak clad temperature (the maximal temperature reached during an accidental transient phase) of a fuel rod in a nuclear reactor core, for which the available information is q0% = 500 K, q5% = 600 K, q50% = 800 K, q95% = 900 K, q100% = 1000 K. The corresponding probability density is pictured in dashed lines.

A possibility distribution (Dubois and Prade 1988) over the reals is formally defined as a mapping π: ℝ → [0, 1]. For a given value α ∈ [0, 1], the (strict) α-cut of π is defined as the set π_α = {x ∈ ℝ | π(x) > α}. Given a possibility distribution π, the possibility Π and necessity N measures of an event A are respectively defined as:

They can be interpreted as lower and upper probability measures (Dubois and Prade 1992), thus defining a set P_π of probability distributions such that

$$\mathcal{P}_\pi = \{P \mid \forall A \subseteq \mathbb{R},\ N(A) \le P(A) \le \Pi(A)\}$$

where P are probability measures over ℝ. This set of probabilities is also related to α-cuts in the following sense:

$$\mathcal{P}_\pi = \{P \mid \forall \alpha \in [0, 1],\ P(\pi_\alpha) \ge 1 - \alpha\}.$$

This relation indicates that possibility distributions allow information given in terms of nested intervals associated with confidence levels to be modelled (the narrower the interval, the less the confidence in it). They can thus model information given by a finite number of percentiles, as well as cases where we have partial information about characteristics of an unknown distribution (e.g. mean, percentiles, mode, ...), see (Baudrit and Dubois 2006). Figure 2 represents a possibility distribution corresponding to the peak clad temperature of a fuel rod in a nuclear reactor core where the information consists of four intervals [750 K, 850 K], [650 K, 900 K], [600 K, 950 K], [500 K, 1000 K] which have respective confidence levels of 10%, 50%, 90% and 100%.
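As an added example (not part of the paper), the two representations described above: the maximum-entropy CDF obtained by linear interpolation of the Figure 1 percentiles, the possibility distribution obtained from the Figure 2 nested intervals (an interval with confidence c is the strict α-cut at α = 1 − c), and a check of the relation P(π_α) ≥ 1 − α, i.e. whether a given probability belongs to P_π. The percentiles and intervals are those quoted in the text; the shifted CDF used as a counter-example is constructed.

```python
# Added example, not from the paper: the representations of Figures 1 and 2 and a check
# that the percentile-based CDF belongs to the set P_pi dominated by the possibility
# distribution built from the nested intervals.

PERCENTILES = [(0.00, 500.0), (0.05, 600.0), (0.50, 800.0), (0.95, 900.0), (1.00, 1000.0)]
NESTED_INTERVALS = [((750.0, 850.0), 0.10), ((650.0, 900.0), 0.50),
                    ((600.0, 950.0), 0.90), ((500.0, 1000.0), 1.00)]   # (interval, confidence)
GRID = [float(x) for x in range(500, 1001)]                           # 1 K sampling of the domain

def cdf_from_percentiles(percentiles):
    """Maximum-entropy fit to a set of percentiles: the CDF is linear between them."""
    pts = sorted(percentiles, key=lambda p: p[1])

    def F(x):
        if x <= pts[0][1]:
            return 0.0
        if x >= pts[-1][1]:
            return 1.0
        for (p0, q0), (p1, q1) in zip(pts, pts[1:]):
            if q0 <= x <= q1:
                return p0 + (p1 - p0) * (x - q0) / (q1 - q0)
        raise ValueError("x inside the percentile range but not bracketed")
    return F

def probability_of_interval(F, lo, hi):
    return F(hi) - F(lo)

def possibility_from_nested_intervals(intervals):
    """pi(x) = 1 - max{c_i : x outside I_i}; the interval of confidence c is the (1 - c) alpha-cut."""
    def pi(x):
        missed = [c for (lo, hi), c in intervals if not lo <= x <= hi]
        return 1.0 - max(missed) if missed else 1.0
    return pi

def alpha_cut(pi, alpha, grid=GRID):
    """Strict alpha-cut {x : pi(x) > alpha}, returned as (min, max) over the sampling grid."""
    inside = [x for x in grid if pi(x) > alpha]
    return (min(inside), max(inside)) if inside else None

def dominated_by(F, intervals):
    """P in P_pi <=> P(pi_alpha) >= 1 - alpha for every alpha; checked on the given cuts."""
    return all(probability_of_interval(F, lo, hi) >= c - 1e-12 for (lo, hi), c in intervals)

F_PCT = cdf_from_percentiles(PERCENTILES)
PI_NESTED = possibility_from_nested_intervals(NESTED_INTERVALS)
# CONSTRUCTED counter-example: a CDF with median 650 K puts too little mass in [650, 900] K
F_SHIFTED = cdf_from_percentiles([(0.00, 500.0), (0.50, 650.0), (1.00, 1000.0)])

if __name__ == "__main__":
    for alpha in (0.9, 0.5, 0.1, 0.0):
        print(f"alpha = {alpha}: cut = {alpha_cut(PI_NESTED, alpha)}")
    print("Figure 1 CDF in P_pi:", dominated_by(F_PCT, NESTED_INTERVALS))
    print("shifted CDF in P_pi:", dominated_by(F_SHIFTED, NESTED_INTERVALS))
```

The four α-cuts of the constructed π are exactly the four intervals of Figure 2, and the Figure 1 CDF gives them probabilities 0.3375, 0.7875, 0.925 and 1, each at or above the required 0.1, 0.5, 0.9 and 1, so that CDF is one of the probabilities encoded by the possibility distribution; the shifted CDF fails on the 50% interval and is rejected.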
Variables on which calibration is computed are called seed variables (that is, variables for which sources have given information and for which experimental data are or will be available).

In the probabilistic approach, informativeness and calibration are computed by means of the Kullback-Leibler (KL) divergence, which can be interpreted as a distance between two probabilities. The informativeness is obtained by comparing the probability distribution p_X derived from the source information to the uniform probability distribution u_X defined on the whole variation domain of the variable. Calibration is obtained by comparing the probability p_X to an empirical distribution r_X built from the observations. If distributions are discretized into B elements, then the KL divergences used to compute the informativeness and the calibration of a source respectively read:

$$I(p, u) = \sum_{i=1}^{B} p_i \log \frac{p_i}{u_i}$$

and

$$I(r, p) = \sum_{i=1}^{B} r_i \log \frac{r_i}{p_i}$$

and are then transformed to obtain, for all sources, non-negative scores summing up to one. In the probabilistic approach, calibration is based on a convergence argument and requires about 10 experiments to ensure good stability. It is argued by Sandri et al. (Sandri, Dubois, and Kalfsbeek 1995) that the probabilistic approach tends to confuse variability and imprecision.

In the possibilistic approach, informativeness is evaluated by comparing the distribution built from the source information to the interval covering the whole variation domain of a variable. Calibration is simply the extent to which the experimental value is judged plausible by the built distribution. In this case, no convergence argument is used. Let X_r denote the variation domain of a variable X, I_{X_r} the indicator function of X_r (i.e. it has value one in X_r and zero elsewhere), and π_X the possibility distribution built from the source information. Informativeness is given by:

$$I(\pi_X) = \frac{\int_{X_r} \left(I_{X_r} - \pi_X\right) dx}{\int_{X_r} I_{X_r}\, dx}$$

and if x* denotes the observed value of X, the calibration score C(π_X) is simply given by the value π_X(x*) (the upper confidence degree given to x*).

Once calibration and informativeness scores for every source and all variables are computed, these scores are normalized so that they are non-negative and sum up to one.

[Figure 3. Probabilistic synthesis illustration: two sources with weight 0.5 each, given by their percentiles (q_l, q5%, q50%, q95%, q_u), and their synthesis, whose percentiles fall at the mixture levels (q3.75%, q8.75%, q42.5%, q65%, q83.75%, q96.25%).]

[Figure 4. Possibilistic synthesis illustration: two distributions and their union (∪), intersection (∩) and mean.]

2.3 Synthesizing the information

Synthesizing the information consists of aggregating multiple models built from the information given by different sources to get a single model. This model can be used in subsequent treatments or analyzed to get information about the sources. Three main kinds of operators are usually used:

Conjunction: equivalent to set intersection. Supposes that all sources are reliable. Conjunction gives poorly reliable results in case of disagreement between sources, but allows such disagreement to be detected.

Disjunction: equivalent to set union. Supposes that at least one source is reliable. Disjunction gives reliable results that are often very imprecise (hence of limited usefulness).

Arithmetic mean: equivalent to a statistical counting of the sources. Supposes that sources are independent, and gives a result that is between conjunction and disjunction. With this operator, sources can also be weighted by the scores obtained during the evaluation phase.

Disjunctive and conjunctive operators are not applicable to the probabilistic approach, and it is commonly recognized that the weighted arithmetic mean is the
best approach to aggregate probability distributions. We do not consider Bayesian methods here, because we do not assume we have prior information (see (Clemen and Winkler 1999) for a recent review of such methods). Let p_1, ..., p_N be the probability distributions corresponding to the information delivered by N different sources, and λ_1, ..., λ_N the non-negative weights summing to one attached to these sources (possibly provided by the evaluation procedure briefly described in Section 2.2). The probability distribution p obtained by the arithmetic weighted mean is:

$$p = \sum_{i=1}^{N} \lambda_i\, p_i$$

This is not the case for the possibilistic approach, for which the conjunctive (π_∩) and disjunctive (π_∪) operators and the arithmetic mean (π_mean) are all well defined, allowing greater flexibility in the synthesis and the analysis. Let π_1, ..., π_N be the possibility distributions corresponding to the information delivered by N different sources, and λ_1, ..., λ_N the non-negative weights summing to one attached to these sources (possibly provided by the evaluation procedure briefly described in Section 2.2). Then the classical conjunction, disjunction and arithmetic mean are given, for all x ∈ ℝ, by:

$$\pi_\cap(x) = \min_{i=1,\dots,N} \pi_i(x) \qquad (1)$$

$$\pi_\cup(x) = \max_{i=1,\dots,N} \pi_i(x) \qquad (2)$$

$$\pi_{mean}(x) = \sum_{i=1}^{N} \lambda_i\, \pi_i(x) \qquad (3)$$

Note that the above conjunctive and disjunctive operators belong to a broad family of mathematical operators respectively called t-norms and t-conorms (Klement, Mesiar and Pap 2000).

3 APPLICATION TO BEMUSE BENCHMARK

To show the usefulness and potential applications of the methodology, we apply it to the results of the BEMUSE (Best Estimate Methods, Uncertainty and Sensitivity Evaluation) programme (OCDE 2007) performed by the NEA (Nuclear Energy Agency). Our study focuses on the results of the first step of the programme, in which nine organisations were brought together in order to compare their respective uncertainty analyses with experimental data coming from the experiment L2-5 performed on the loss-of-fluid test (LOFT) facility, for which an accidental transient was simulated.

We focus on four scalar variables for which each participant had to provide a lower bound (Low), a reference value (Ref) and an upper bound (Upp). These variables are the first (PCT1) and second (PCT2) peak clad temperature (respectively corresponding to the peak of the blowdown and of the reflood phase), the time of accumulator injection (T_inj) and the time of complete quenching (T_q). These four variables are amongst the more critical values that have to be surveyed in case of a nuclear accident (this is particularly true for the peak clad temperatures). The values resulting from the uncertainty studies achieved by each participant are summarized in Table 1.

For each participant and each variable, the chosen probabilistic model was to take the lower bound as q1%, the reference value as q50% (median) and the upper bound as q99%. The possibilistic model was taken as π(Low) = π(Upp) = 0.02 (98% confidence interval) and π(Ref) = 1 (most plausible value). Figure 5 illustrates both models built from the information of NRI2 concerning the second PCT.
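An added example, not the authors' code, of the possibilistic evaluation of Section 2.2 and the synthesis operators (1)-(3): each source's (Low, Ref, Upp) triplet becomes the piecewise-linear π with π(Low) = π(Upp) = 0.02 and π(Ref) = 1 described for the BEMUSE data, informativeness is the integral of Section 2.2 (computed exactly from the knots of π), calibration is π(x*), and conjunction, disjunction and weighted mean are evaluated on a grid, with the height of the conjunction as the agreement measure used in Section 3.2. The variation domain (taken from the end ticks of the Figure 5 axis), the three sources, the observed value, and the product of the two scores used as a global weight are all assumptions; a Kullback-Leibler function on discretised bins is included for the probabilistic informativeness. The real participant values of Table 1 are not on this page.

```python
import math

# Added example, not from the paper: possibilistic evaluation (informativeness, calibration)
# and the synthesis operators of eqs. (1)-(3) on CONSTRUCTED (Low, Ref, Upp) triplets.
# Domain, sources, observed value and the score combination are ASSUMPTIONS.

DOMAIN = (592.0, 1228.0)      # K; end ticks of the Figure 5 axis, taken as the domain X_r
LEVEL = 0.02                  # pi(Low) = pi(Upp) = 0.02, pi(Ref) = 1 (98 % confidence interval)
SOURCES = {                   # hypothetical participants: (Low, Ref, Upp) in K
    "src1": (845.0, 1012.0, 1167.0),
    "src2": (900.0, 1050.0, 1150.0),
    "src3": (700.0, 820.0, 950.0),
}
X_OBSERVED = 1060.0           # hypothetical experimental value x*

def possibility_from_bounds(low, ref, upp, domain=DOMAIN, level=LEVEL):
    """Piecewise-linear pi through (X_r low, 0), (Low, level), (Ref, 1), (Upp, level), (X_r high, 0)."""
    dl, dh = domain
    knots = [(dl, 0.0), (low, level), (ref, 1.0), (upp, level), (dh, 0.0)]

    def pi(x):
        for (x0, y0), (x1, y1) in zip(knots, knots[1:]):
            if x0 <= x <= x1:
                return max(y0, y1) if x1 == x0 else y0 + (y1 - y0) * (x - x0) / (x1 - x0)
        return 0.0
    return pi, knots

def informativeness(knots, domain=DOMAIN):
    """I(pi) = int (1 - pi) dx / |X_r|; the trapezoid sum over the knots is exact here."""
    area = sum((x1 - x0) * (y0 + y1) / 2.0 for (x0, y0), (x1, y1) in zip(knots, knots[1:]))
    return 1.0 - area / (domain[1] - domain[0])

def calibration(pi, x_obs):
    """C(pi) = pi(x*): the plausibility the source gave to the observed value."""
    return pi(x_obs)

def kl_divergence(p, q):
    """Probabilistic counterpart on B discretised bins: sum p_i log(p_i / q_i)."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q) if pi > 0.0)

def normalized_weights(scores):
    """Non-negative weights summing to one; uniform if every score is zero."""
    total = sum(scores.values())
    if total <= 0.0:
        return {k: 1.0 / len(scores) for k in scores}
    return {k: v / total for k, v in scores.items()}

def synthesize(pis, weights, grid):
    """Eqs. (1)-(3) on a grid: conjunction (min), disjunction (max), weighted arithmetic mean."""
    conj = [min(pi(x) for pi in pis) for x in grid]
    disj = [max(pi(x) for pi in pis) for x in grid]
    mean = [sum(w * pi(x) for w, pi in zip(weights, pis)) for x in grid]
    return conj, disj, mean

def evaluate_sources(sources=SOURCES, x_obs=X_OBSERVED):
    scores = {}
    for name, (low, ref, upp) in sources.items():
        pi, knots = possibility_from_bounds(low, ref, upp)
        scores[name] = {"I": informativeness(knots), "C": calibration(pi, x_obs)}
    return scores

def run_synthesis(sources=SOURCES, x_obs=X_OBSERVED, step=1.0):
    scores = evaluate_sources(sources, x_obs)
    # ASSUMED combination: global score = informativeness x calibration, then normalised
    weights = normalized_weights({k: v["I"] * v["C"] for k, v in scores.items()})
    names = list(sources)
    pis = [possibility_from_bounds(*sources[n])[0] for n in names]
    grid = [DOMAIN[0] + i * step for i in range(int((DOMAIN[1] - DOMAIN[0]) / step) + 1)]
    conj, disj, mean = synthesize(pis, [weights[n] for n in names], grid)
    # height of the conjunction: 1 = full agreement, close to 0 = the sources exclude each other
    return {"scores": scores, "weights": weights, "agreement": max(conj),
            "max_disjunction": max(disj), "max_mean": max(mean)}

if __name__ == "__main__":
    out = run_synthesis()
    for name, s in out["scores"].items():
        print(f"{name}: I = {s['I']:.3f}, C = {s['C']:.3f}, weight = {out['weights'][name]:.3f}")
    print(f"agreement (conjunction height) = {out['agreement']:.3f}")
    print(f"KL informativeness of [0.7, 0.1, 0.1, 0.1] vs uniform = "
          f"{kl_divergence([0.7, 0.1, 0.1, 0.1], [0.25] * 4):.4f}")
```

With the three hypothetical sources the conjunction of all of them reaches a height of only about 0.19, because src3 places its whole 98% interval below the other two, while the conjunction of src1 and src2 alone reaches about 0.88; this is the quantitative disagreement reading of Section 3.2. The disjunction reaches 1 at every reference value, and the weighted mean stays between the two, src3 contributing almost nothing because its calibration at x* = 1060 K is only 0.012.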
[Figure 5. Probability (top) and possibility (bottom) distributions of NRI1 for the second PCT; temperature axis marks 592, 845, 1012, 1167 and 1228 K.]

3.1 Evaluation

Table 2 shows the results of the evaluation steps performed on the results of the BEMUSE programme with the models described above. From a methodological point of view, we can notice that the scores and the ranking between sources are globally in agreement, even if there are some differences coming from the differences between formalisms.

From a practical standpoint, interesting things can be said from the analysis of the results. First, our results are in accordance with informal observations made in previous reports (OCDE 2007): PSI and UNIPI have high informativeness scores, which reflects their narrow uncertainty bands, and very low calibration scores, due to the fact that, for each of them, two experimental values are outside the interval [Low, Upp]. This consistency between the conclusions drawn from our methods and informal observations confirms that using formal methods to analyze information is meaningful.

Another noticeable result is that participants using the same code can have very different scores (both high and low, e.g. global scores of RELAP5 users range from 0.025 to 0.59), which illustrates and confirms the well-known user influence on the result of a given computer code. Also note that, since the scores are built to be directly comparable, they can also be used as code validation tools (the better the global result, the better the information delivered by the code). We will see in the next section that using the results of the evaluation can improve the results of the synthesis.

3.2 Synthesis

Figure 6 shows some results of the synthesis for PCT2. Since this variable is of critical importance in an accidental transient and is difficult to estimate, it is of particular interest in the current problem.

Figure 6.A shows the synthetic probabilities when we consider subgroups of participants using the same code. This figure indicates that, while CATHARE and RELAP5 users seem to underestimate the experimental value, ATHLET users tend to overestimate it. Figure 6.B shows the benefits of weighting sources or of selecting a subgroup of sources judged better by the evaluation step. Such a selection and weighting shift the curves towards the experimental value (resulting in a better global calibration) and tighten their uncertainty bounds (resulting in a better global informativeness). We also see that the arithmetic mean tends to average the result, and that using probabilistic modeling does not allow us to see possible disagreements between sources. This can be problematic, since it is often desirable to detect and investigate the sources of such disagreements, particularly when synthesis tools are used to analyze the information.
[Figure 6. Results of synthesis for PCT2, probabilistic (F(x), top row) and possibilistic (π(x), lower rows) approaches; temperature T(K) from 500 to 1300 K on the horizontal axis; dashed line: experimental value. Panels show the subgroups RELAP5 (KINS, NRI1, UNIPI, UPC), CATHARE (IRSN, CEA) and ATHLET (GRS, NRI2), the subgroup (GRS, IRSN, NRI1, UNIPI) and the subgroup (IRSN, KINS, NRI1, UNIPI).]

Figures 6.C and 6.D show the synthetic possibility distributions resulting from the application of a conjunctive operator (Equation (1)). In this case, the disagreement between the sources of a particular subgroup is directly visible, both graphically and quantitatively (disagreement is measured by the maximal height of the distribution: the lower the distribution, the higher the disagreement). We can thus see that the information given by ATHLET users is more conflicting than that given by CATHARE users (this could be explained by the higher number of input data parameters in the ATHLET code). Similarly, Figure 6.D shows that all sources strongly disagree when considered as a whole, but that the best sources globally agree together, and that taking only their information into account gives a more reliable synthesis.

Figures 6.E and 6.F respectively illustrate the synthetic possibility distributions resulting from the application of the disjunction (Equation (2)) and of the arithmetic weighted mean (Equation (3)) over all sources. Again, we can see in Figure 6.F that the arithmetic mean averages the result, thus smoothing the resulting curves. Figure 6.E well illustrates the potentially high imprecision resulting from the disjunction.
Although the resulting uncertainty model is reliable, are needed. This is why the IRSN is working on
its informative content appears of poor interest (e.g. methods that are more complex but remain tractable
the 50% confidence interval for the 2PCT temperature and interpretable (Destercke, Dubolis, and Chojnacki
is [800, 1200], which is very broad). 2007).
REFERENCES
4 CONCLUSIONS
Abellan, J. and M. Gomez (2006). Measures of divergence
We have applied methods to evaluate, synthesize and on credal sets. Fuzzy Sets and System 157 (11).
analyze information coming from multiple sources Baudrit, C. and D. Dubois (2006). Practical representations
to results of uncertainty studies on various computer of incomplete probabilistic knowledge. Computational
codes. By using formal methods based on rational Statistics and Data Analysis 51 (1), 86–108.
requirements, evaluations are made as objective as Clemen, R. and R. Winkler (1999). Combining probability
possible. distributions from experts in risk analysis. Risk Analysis
Proposed methods allow to take uncertainty (either 19 (2), 187–203.
Cooke, R. (1991). Experts in uncertainty. Oxford, UK:
aleatory or coming from imprecision in the data) Oxford University Press.
explicitly into account in the evaluation process. They Destercke, S. and E. Chojnacki (2007). Methods for the
provide interesting tools to evaluate sources. In the par- evaluation and synthesis of multiple sources of infor-
ticular case of computer codes, they give new instru- mation applied to nuclear computer codes. Accepted for
mental tools for code validation procedures (Trucano, Swiler, Igusa, Oberkampf, and Pilch 2006), a problem particularly important for a nuclear safety institute such as the IRSN. The consistency between conclusions drawn from our results and informal observations confirms that using formal methods to analyze information is meaningful and can be useful. Compared to such informal observations, the presented methods allow for a more subtle analysis, making it possible to quantify disagreement among sources, to detect biases, underestimated uncertainty, . . .
We have also illustrated the potential advantages offered by the use of possibility theory. In terms of information evaluation, probabilistic and possibilistic approaches have comparable results (which is not surprising, since they are based on similar rational requirements). However, the possibilistic approach has more flexibility to synthesize and analyze the information, offering a wider range of tools. The fact that both probabilities and possibilities can be seen as special cases of imprecise probabilities could be used to build a generalized approach, possibly by using some recent research results about measures of divergence for sets of probabilities (Abellan and Gomez 2006). Such a generalization remains the subject of further research. Also, since results given by basic synthesizing operators can sometimes be found too rough, sometimes more complex tools that allow for a finer analysis

... publication in Nuclear Eng. and Design.
Destercke, S., D. Dubois, and E. Chojnacki (2007). Possibilistic information fusion using maximal coherent subsets. In Proc. IEEE Int. Conf. on Fuzzy Systems (FUZZ-IEEE).
Dubois, D. and H. Prade (1988). Possibility Theory: An Approach to Computerized Processing of Uncertainty. New York: Plenum Press.
Dubois, D. and H. Prade (1992). On the relevance of non-standard theories of uncertainty in modeling and pooling expert opinions. Reliability Engineering and System Safety 36, 95–107.
Ferson, S. and L.R. Ginzburg (1996). Different methods are needed to propagate ignorance and variability. Reliability Engineering and System Safety 54, 133–144.
Klement, E., R. Mesiar, and E. Pap (2000). Triangular Norms. Dordrecht: Kluwer Academic Publisher.
OCDE (2007, May). Bemuse phase III report: Uncertainty and sensitivity analysis of the LOFT L2-5 test. Technical Report NEA/NCIS/R(2007)4, NEA.
Sandri, S., D. Dubois, and H. Kalfsbeek (1995, August). Elicitation, assessment and pooling of expert judgments using possibility theory. IEEE Trans. on Fuzzy Systems 3(3), 313–335.
Trucano, T., L. Swiler, T. Igusa, W. Oberkampf, and M. Pilch (2006). Calibration, validation, and sensitivity analysis: What's what. Reliability Engineering and System Safety 91, 1331–1357.
Walley, P. (1991). Statistical Reasoning with Imprecise Probabilities. New York: Chapman and Hall.
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
K.T. Jo
Digital Printing Division, Samsung Electronics, Suwon, Korea
ABSTRACT: To improve the reliability of a newly designed product, we introduced new processes and methods.
The reliability definitions contain ''probability'', ''intended function'', ''specified period'' and ''stated conditions''. Therefore, it is inevitable to research the operating condition, the current state of probability and the target of probability, and the potential failure mode and mechanism of the product for the specified period.
We conducted a 4-step test program, that is, Architecture and Failure Mode Analysis, Potential Failure Mechanism Analysis, Dominant Failure Extraction and Compliance Test. Based upon the Architecture and Failure Mode Analysis, we selected the stress factors in an ALT and reproduced the field failure mode by an ALT. Based on the results of these investigations, test plans are designed to satisfy the target of reliability. Stress analysis is also a useful tool to improve the reliability of a printed circuit assembly. HALT and HASS are respectively used to improve reliability by finding root causes of latent defects at the stage of development and by screening weak products at the stage of pre-mass production in a short time. We conducted all these kinds of processes and methods to improve the reliability of electronic devices developed for the first time.
balance between stress and strength. We also conducted transient analysis to protect against abnormal problems in the field. For example, the stress ratio of main components is analyzed in case of mode change, on/off testing of power, motor, heater, etc. More than 20 parts of the original design were changed to assure the reliability of the product through stress analysis
[Figure: stress/strength interference. The stress and strength distributions are plotted against f, with mean and variance marked; the overlapping region of stress/strength is labelled "Failures".]
2 RELIABILITY ASSURANCE PROCESS
Table 1. Determination of the sample size.
Product: Set; h = 500 hrs; annual failure rate n%.
        r = 0    r = 1    r = 2
n       29       41       63
2.4 Determine the sample size and test time
We will describe how to make a test plan for assuring the target failure rate.
First, we will explain the case of a constant failure rate. If the target failure rate is determined, the test plan to prove it can be set up. Tests can be censored (stopped) at either a pre-planned number of hours or a pre-planned number of failures. Censoring at a predetermined amount of time allows for scheduling when the test will be completed and is called Type I censoring. Censoring at a predetermined number of failures allows for planning the maximum number of units that will be required for testing and is referred to as Type II censoring (Nelson, 1990). In real situations, Type I censoring is usually adopted as the censoring scheme to meet the due date of a product development. For a one-sided upper confidence limit in a Type I censoring situation with a few failures, calculate:

$$\lambda \le \frac{\chi^2(\alpha,\,2r+2)}{2}\cdot\frac{1}{T} \quad (1)$$

where λ = failure rate; $\chi^2_\alpha$ = 100(1 − α) percentile of the chi-square distribution with degrees of freedom 2r + 2; r = the number of failures; T = the total time on test.
The failure rate should be less than or equal to the target. Therefore, the sample size under a 60% confidence level can be determined as follows (Ryu et al. 2003).

$$\lambda \le (r+1)\cdot\frac{1}{n\cdot h} \le \lambda_{target} \quad\therefore\quad n \ge (r+1)\cdot\frac{1}{\lambda_{target}\cdot h} \quad (2)$$

Therefore, we can reduce the sample size by AF times. In the case of a decreasing or increasing failure rate, the number of test samples would be calculated with about a 60% confidence level as follows (Ryu & Jang, 2005).

$$n \ge (r+1)\cdot\frac{1}{x}\cdot\left(\frac{L_B}{h}\right)^{\beta} \quad (4)$$

where $L_B$ is the Bx life and x is the probability of failure until $L_B$.

3 4-STEP TEST PROGRAMS
We use a 4-step test program, that is, architecture and failure mode analysis, potential failure mechanism
[Figure: the 4-step test program as a flow of boxes. Step 1: Architecture, failure mode analysis. Step 2: Potential failure mechanism analysis. Step 3: Dominant failure extraction.]
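As an added worked example (not code from the paper), the two sample-size rules of Section 2.4 in Python: Equation (2) for a constant failure rate and Equation (4) for a Weibull (increasing or decreasing) failure rate. The Weibull plan reuses figures the page gives (B5 life of 5 years at 104 printing hours per year, β = 1.15 from Table 8, a 300 h test with no failures); the constant-rate target of 1e-4 failures per hour and the acceleration factors passed as `af` are assumptions, and the optional `af` parameter is this example's way of expressing the remark that an accelerated test of h hours counts as AF·h field hours.

```python
import math


def sample_size_constant_rate(r, lam_target, h, af=1.0):
    """Equation (2): units needed when the failure rate is constant.

    r          allowable number of failures during the test
    lam_target target failure rate, failures per hour
    h          test time per unit, hours
    af         assumed acceleration factor (1.0 = no acceleration); each test
               hour counts as af field hours, so n shrinks by af times
    """
    if r < 0 or lam_target <= 0 or h <= 0 or af <= 0:
        raise ValueError("r >= 0 and lam_target, h, af > 0 are required")
    n = (r + 1) / (lam_target * h * af)
    return math.ceil(n - 1e-9)  # guard against floating-point noise at exact integers


def sample_size_weibull(r, x, lb, h, beta, af=1.0):
    """Equation (4): units needed when the failure rate is increasing or decreasing.

    x     probability of failure up to the Bx life lb (0.05 for B5)
    lb    Bx life in field hours
    beta  Weibull shape parameter estimated from the ALT data
    """
    if not (0 < x < 1) or lb <= 0 or h <= 0 or beta <= 0 or r < 0 or af <= 0:
        raise ValueError("invalid test-plan parameters")
    n = (r + 1) / x * (lb / (h * af)) ** beta
    return math.ceil(n - 1e-9)


def example_plans():
    """Worked plans: page values where available, assumptions labelled in comments."""
    # Constant-rate case: assumed target of 1e-4 failures/hour, h = 500 h as in Table 1.
    const_plan = {r: sample_size_constant_rate(r, 1e-4, 500) for r in (0, 1, 2)}
    # Weibull case: B5 = 5 years x 104 h/year = 520 h, beta = 1.15 (Table 8),
    # 300 h of testing (page) with zero failures allowed.
    weibull_plain = sample_size_weibull(0, 0.05, 5 * 104, 300, 1.15)
    # Same plan when the 300 h are run under an assumed acceleration factor of 4.
    weibull_af4 = sample_size_weibull(0, 0.05, 5 * 104, 300, 1.15, af=4.0)
    return const_plan, weibull_plain, weibull_af4


if __name__ == "__main__":
    print(example_plans())
```

Note that in the Weibull case an acceleration factor reduces the sample size by AF^β rather than by AF, which is why the same 300 h test drops from 38 to 8 units here when AF = 4 is assumed.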
Table 2. Key parts and their material. (Only the caption survives in this extraction.)

Table 3. Extraction of potential failure mechanisms.
Key parts | Potential failure mechanism | Environmental condition: Temp (0 ∼ 50 °C), Humidity (0 ∼ 85 %RH), Voltage (21 ∼ 26 V) | Point
Scoring of each environmental condition: ◎ : 5, ○ : 3, △ : 1. (The table body is not present in this extraction.)
Table 5. Compliance test (1 cycle = 5 hours).
Environmental condition   Min   Mean   Max   Remark
Temperature (°C)          0     30     50    Operating
Humidity (%RH)            10    65     85

$$f(t) = \frac{\beta}{\eta}\left(\frac{t}{\eta}\right)^{\beta-1}\exp\left[-\left(\frac{t}{\eta}\right)^{\beta}\right] \quad (5)$$

The maximum likelihood estimates (MLEs) of the Weibull distribution parameters for the lifetime data are presented in Table 8 and Figure 9.
Table 8. Weibull parameters.
Test condition   β      η
Set level        1.15   556.41
Unit level       1.15   145.53

... calculated AF and equation (4). The annual printing time in the field is 104 hours. The sample size needed to assure B5 = 5 years, that is, a 5% probability of failure until 5 years, under a 60% confidence level is calculated as in Table 9.
The newly designed assembly was subjected to an accelerated test to evaluate its reliability. We tested 7 fusers until 300 hrs and could not find any failure. Therefore, the cumulative failure probability of the newly designed assembly for 5 years would be less than 5%.
6 CONCLUSIONS
Daniel I. De Souza
North Fluminense University & Fluminense Federal University, Campos & Niterói, RJ, Brazil
ABSTRACT: In this work we will apply a combined approach of a sequential life testing and an accelerated
life testing to friction-resistant low alloy-high strength steel rails used in Brazil. One possible way to translate test
results obtained under accelerated conditions to normal using conditions could be through the application of the
‘‘Maxwell Distribution Law.’’ To estimate the three parameters of the underlying Inverse Weibull sampling model
we will use a maximum likelihood approach for censored failure data. We will be assuming a linear acceleration
condition. To evaluate the accuracy (significance) of the parameter values obtained under normal conditions for
the underlying Inverse Weibull model we will apply to the expected normal failure times a sequential life testing
using a truncation mechanism developed by De Souza (2005). An example will illustrate the application of this
procedure.
2 THE ACCELERATING CONDITION
The ''Maxwell Distribution Law,'' which expresses the distribution of kinetic energies of molecules, is given by the following equation:

$$M_{TE} = M_{tot}\times e^{-E/KT} \quad (1)$$

$M_{TE}$ represents the number of molecules at a particular absolute Kelvin temperature T (Kelvin = 273.16 plus the temperature in Centigrade) that possess a kinetic energy greater than E among the total number of molecules present, $M_{tot}$; E is the energy of activation of the reaction and K represents the gas constant (1.986 calories per mole). Equation 1 expresses the probability of a molecule having energy in excess of E. The acceleration factor $AF_{2/1}$ at two different stress temperatures, $T_2$ and $T_1$, will be given by the ratio of the number of molecules having energy E at these two different temperatures, that is:

$$AF_{2/1} = \frac{M_{TE}(2)}{M_{TE}(1)} = \frac{e^{-E/KT_2}}{e^{-E/KT_1}}, \qquad AF_{2/1} = \exp\left[\frac{E}{K}\left(\frac{1}{T_1}-\frac{1}{T_2}\right)\right] \quad (2)$$

Applying the natural logarithm to both sides of Equation 1 and after some algebraic manipulation, we will obtain:

$$\ln AF_{2/1} = \ln\frac{M_{TE}(2)}{M_{TE}(1)} = \frac{E}{K}\left(\frac{1}{T_1}-\frac{1}{T_2}\right) \quad (3)$$

From Equation 3 we can estimate the term E/K by testing at two different stress temperatures and computing the acceleration factor on the basis of the fitted distributions. Then:

$$\frac{E}{K} = \frac{\ln AF_{2/1}}{\dfrac{1}{T_1}-\dfrac{1}{T_2}} \quad (4)$$

The acceleration factor $AF_{2/1}$ will be given by the relationship $\theta_1/\theta_2$, with $\theta_i$ representing a scale parameter or a percentile at a stress level corresponding to $T_i$. Once the term E/K is determined, the acceleration factor $AF_{2/n}$ to be applied at the normal stress temperature is obtained from Equation 2 by replacing the stress temperature $T_1$ with the temperature at the normal condition of use $T_n$. Then:

$$AF_{2/n} = \exp\left[\frac{E}{K}\left(\frac{1}{T_n}-\frac{1}{T_2}\right)\right] \quad (5)$$

De Souza (2005) has shown that under a linear acceleration assumption, if a three-parameter Inverse Weibull model represents the life distribution at one stress level, a three-parameter Inverse Weibull model also represents the life distribution at any other stress level. We will be assuming a linear acceleration condition. In general, the scale parameter and the minimum life can be estimated by using two different stress levels (temperature or cycles or miles, etc.), and their ratios will provide the desired value for the acceleration factors $AF_\theta$ and $AF_\varphi$. Then:

$$AF_\theta = \frac{\theta_n}{\theta_a} \quad (6)$$

$$AF_\varphi = \frac{\varphi_n}{\varphi_a} \quad (7)$$

According to De Souza (2005), for the Inverse Weibull model the cumulative distribution function at the normal testing condition $F_n(t_n-\varphi_n)$ for a certain testing time $t = t_n$ will be given by:

$$F_n(t) = F_a\!\left(\frac{t}{AF}\right) = \exp\left[-\left(\frac{\theta_n/AF}{\,t/AF-\varphi_n/AF\,}\right)^{\beta_n}\right] \quad (8)$$

Equation 8 tells us that, under a linear acceleration assumption, if the life distribution at one stress level is Inverse Weibull, the life distribution at any other stress level is also an Inverse Weibull model. The shape parameter remains the same while the accelerated scale parameter and the accelerated minimum life are multiplied by the acceleration factor. The equal shape parameter is a necessary mathematical consequence of the other two assumptions: assuming a linear acceleration model and an Inverse Weibull sampling distribution. If different stress levels yield data with very different shape parameters, then either the Inverse Weibull sampling distribution is the wrong model for the data or we do not have a linear acceleration condition.

3 HYPOTHESIS TESTING SITUATIONS
The hypothesis testing situations will be given by:
1. For the scale parameter θ:

$$H_0: \theta \ge \theta_0; \qquad H_1: \theta < \theta_0$$

The probability of accepting $H_0$ will be set at (1 − α) if $\theta = \theta_0$. If $\theta = \theta_1$ where $\theta_1 < \theta_0$, the probability of accepting $H_0$ will be set at a low level γ.
2. For the shape parameter β:

$$H_0: \beta \ge \beta_0; \qquad H_1: \beta < \beta_0$$

The probability of accepting $H_0$ will be set at (1 − α) if $\beta = \beta_0$. If $\beta = \beta_1$ where $\beta_1 < \beta_0$, the
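The E/K and acceleration-factor steps of Equations 2 to 5, carried through on the figures the paper reports in its example (θ = 642.3 h and φ = 117.9 h at 480 K, θ = 548.0 h and φ = 100.2 h at 520 K, normal use at 296 K). This is an added example written for this page, not the author's code; the function names and the dictionary layout are this example's own.

```python
import math

# MLE fits at the two stress levels, as quoted in the paper's example (Section 7).
STRESS_LEVELS_K = (480.0, 520.0)
THETA_HOURS = (642.3, 548.0)   # scale parameter at 480 K and at 520 K
PHI_HOURS = (117.9, 100.2)     # minimum life at 480 K and at 520 K
T_NORMAL_K = 296.0             # normal operating temperature


def activation_term(af_2_1, t1_k, t2_k):
    """Equation (4): E/K from the acceleration factor between temperatures T1 and T2 (kelvin)."""
    if af_2_1 <= 0 or t1_k <= 0 or t2_k <= 0 or t1_k == t2_k:
        raise ValueError("need a positive AF and two distinct positive temperatures")
    return math.log(af_2_1) / (1.0 / t1_k - 1.0 / t2_k)


def acceleration_factor(e_over_k, t_from_k, t_to_k):
    """Equations (2) and (5): AF between two absolute temperatures for a given E/K."""
    return math.exp(e_over_k * (1.0 / t_from_k - 1.0 / t_to_k))


def normal_condition_factors():
    """AF_2/n for the scale parameter and for the minimum life, as in the paper's example.

    AF_2/1 is the ratio of the parameter at the lower stress to the higher one (theta_1/theta_2).
    """
    t1, t2 = STRESS_LEVELS_K
    results = {}
    for name, (p1, p2) in (("theta", THETA_HOURS), ("phi", PHI_HOURS)):
        af_21 = p1 / p2
        e_k = activation_term(af_21, t1, t2)
        results[name] = {"AF_2/1": af_21, "E/K": e_k,
                         "AF_2/n": acceleration_factor(e_k, T_NORMAL_K, t2)}
    return results


def normal_condition_parameters(af):
    """Scale the 520 K estimates to normal use with one common AF (the paper rounds AF to 4.3)."""
    return {"theta_n": af * THETA_HOURS[1], "phi_n": af * PHI_HOURS[1]}


if __name__ == "__main__":
    for name, vals in normal_condition_factors().items():
        print(name, {k: round(v, 3) for k, v in vals.items()})
    print(normal_condition_parameters(4.3))
```

Running it reproduces the paper's AF_θ ≈ 4.23 and AF_φ ≈ 4.38 at 296 K, and with the common AF of 4.3 the minimum life φ_n ≈ 430.9 h quoted in Section 7.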
probability of accepting $H_0$ will also be set at a low level γ.
3. For the location parameter φ:

$$H_0: \varphi \ge \varphi_0; \qquad H_1: \varphi < \varphi_0$$

Again, the probability of accepting $H_0$ will be set at (1 − α) if $\varphi = \varphi_0$. Now, if $\varphi = \varphi_1$ where $\varphi_1 < \varphi_0$, then the probability of accepting $H_0$ will once more be set at a low level γ.

4 SEQUENTIAL TESTING
According to (Kapur & Lamberson 1977, De Souza 2004), the development of a sequential test uses the likelihood ratio given by the following relationship:

$$L_{1;n}/L_{0;n}$$

The sequential probability ratio (SPR) will be given by $SPR = L_{1,1,1,n}/L_{0,0,0,n}$, or yet, according to De Souza (2004), for the Inverse Weibull model the sequential probability ratio (SPR) will be:

$$SPR = \left[\frac{\theta_1^{\beta_1}\,\beta_1}{\theta_0^{\beta_0}\,\beta_0}\right]^{n}\prod_{i=1}^{n}\frac{(t_i-\varphi_0)^{\beta_0+1}}{(t_i-\varphi_1)^{\beta_1+1}}\times\exp\left\{-\sum_{i=1}^{n}\left[\frac{\theta_1^{\beta_1}}{(t_i-\varphi_1)^{\beta_1}}-\frac{\theta_0^{\beta_0}}{(t_i-\varphi_0)^{\beta_0}}\right]\right\}$$

So, the continue region becomes A < SPR < B, where A = γ/(1 − α) and B = (1 − γ)/α. We will accept the null hypothesis $H_0$ if SPR ≥ B and we will reject $H_0$ if SPR ≤ A. Now, if A < SPR < B, we will take one more observation. Then, by taking the natural logarithm of each term in the above inequality and rearranging them, we get:

$$n\ln\left[\frac{\theta_1^{\beta_1}}{\theta_0^{\beta_0}}\times\frac{\beta_1}{\beta_0}\right]-\ln\left[\frac{1-\gamma}{\alpha}\right] < X < n\ln\left[\frac{\theta_1^{\beta_1}}{\theta_0^{\beta_0}}\times\frac{\beta_1}{\beta_0}\right]+\ln\left[\frac{1-\alpha}{\gamma}\right] \quad (9)$$

$$X = \sum_{i=1}^{n}\left[\frac{\theta_1^{\beta_1}}{(t_i-\varphi_1)^{\beta_1}}-\frac{\theta_0^{\beta_0}}{(t_i-\varphi_0)^{\beta_0}}\right]-(\beta_0+1)\sum_{i=1}^{n}\ln(t_i-\varphi_0)+(\beta_1+1)\sum_{i=1}^{n}\ln(t_i-\varphi_1) \quad (10)$$

5 EXPECTED SAMPLE SIZE OF A SEQUENTIAL LIFE TESTING
According to Mood & Graybill (1963), an approximate expression for the expected sample size E(n) of a sequential life testing will be given by:

$$E(n) = \frac{E(W_n^*)}{E(w)} \quad (11)$$

Here, w is given by:

$$w = \ln\frac{f(t;\theta_1,\beta_1,\varphi_1)}{f(t;\theta_0,\beta_0,\varphi_0)} \quad (12)$$

The variate $W_n^*$ takes on only values in which $W_n^*$ exceeds ln(A) or falls short of ln(B). When the true distribution is f(t; θ, β, φ), the probability that $W_n^*$ takes the value ln(A) is P(θ, β, φ), while the probability that it takes the value ln(B) is 1 − P(θ, β, φ). Then, according to Mood & Graybill (1963), the expression for the expected value of the variate $W_n^*$ will be given by:

$$E\left(W_n^*\right) \approx P(\theta,\beta,\varphi)\ln(A)+\left[1-P(\theta,\beta,\varphi)\right]\ln(B) \quad (13)$$

Hence, with A = γ/(1 − α) and B = (1 − γ)/α, Equation 11 becomes:

$$E(n) \approx \frac{P(\theta,\beta,\varphi)\ln(A)+\left[1-P(\theta,\beta,\varphi)\right]\ln(B)}{E(w)} \quad (14)$$

Equation 14 enables one to compare sequential tests with fixed sample size tests. The proofs of the existence of Equations 11 to 14 can be found in Mood & Graybill (1963), pp. 391–392.
For a three-parameter Inverse Weibull sampling distribution, the expected value of Equation 12 will be given by:

$$E(w) = \ln(C)+(\beta_0+1)\,E\left[\ln(t_i-\varphi_0)\right]-(\beta_1+1)\,E\left[\ln(t_i-\varphi_1)\right]-\theta_1^{\beta_1}\,E\left[\frac{1}{(t_i-\varphi_1)^{\beta_1}}\right]+\theta_0^{\beta_0}\,E\left[\frac{1}{(t_i-\varphi_0)^{\beta_0}}\right] \quad (15)$$

The solution for the components of Equation 15 can be found in De Souza (2004).
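Sections 4 and 5 in working form, as an added example that is not the author's code: the statistic X of Equation 10 with the continue region of Equation 9, the paper's decision rule (accept $H_0$ when SPR ≥ B, reject when SPR ≤ A), and the expected sample size of Equation 14. $H_0$ uses the parameter values the paper finally accepts for normal conditions; the $H_1$ alternative, the failure times and the function names are constructed for illustration. The check that X equals n·ln C − ln SPR computed directly from the pdf of Equation 17 is what confirms the two expressions agree.

```python
import math

# Hypotheses for the three-parameter Inverse Weibull model as (theta, beta, phi).
H0 = (2320.0, 8.4, 430.0)   # theta_0, beta_0, phi_0: the paper's accepted values
H1 = (2000.0, 8.0, 400.0)   # theta_1, beta_1, phi_1: assumed alternative
ALPHA, GAMMA = 0.05, 0.10   # give ln A = -2.2513 and ln B = 2.8904 as in the paper's example
CONSTRUCTED_TIMES = [2520.4, 2650.9, 2710.3, 2805.6]   # hours, constructed for illustration


def inv_weibull_logpdf(t, theta, beta, phi):
    """Natural log of the three-parameter Inverse Weibull pdf, Equation (17)."""
    if t <= phi:
        return float("-inf")
    z = theta / (t - phi)
    return math.log(beta / theta) + (beta + 1) * math.log(z) - z ** beta


def log_c(h0, h1):
    """ln C, with C = (theta_1^beta_1 / theta_0^beta_0) * (beta_1 / beta_0) as in Equation (9)."""
    th0, b0, _ = h0
    th1, b1, _ = h1
    return b1 * math.log(th1) - b0 * math.log(th0) + math.log(b1 / b0)


def statistic_x(times, h0, h1):
    """Equation (10): the statistic X accumulated over the observed failure times."""
    th0, b0, ph0 = h0
    th1, b1, ph1 = h1
    x = 0.0
    for t in times:
        if t <= ph0 or t <= ph1:
            raise ValueError("each failure time must exceed both minimum lives")
        x += th1 ** b1 / (t - ph1) ** b1 - th0 ** b0 / (t - ph0) ** b0
        x += -(b0 + 1) * math.log(t - ph0) + (b1 + 1) * math.log(t - ph1)
    return x


def continue_region(n, h0, h1, alpha, gamma):
    """Equation (9): (lower, upper) limits on X after n observations."""
    lc = log_c(h0, h1)
    lower = n * lc - math.log((1 - gamma) / alpha)   # n ln C - ln B
    upper = n * lc + math.log((1 - alpha) / gamma)   # n ln C - ln A
    return lower, upper


def decide(times, h0, h1, alpha, gamma):
    """The paper's rule: accept H0 if SPR >= B, reject H0 if SPR <= A, otherwise continue.

    Because X = n ln C - ln SPR, SPR >= B is X <= lower and SPR <= A is X >= upper.
    """
    x = statistic_x(times, h0, h1)
    lower, upper = continue_region(len(times), h0, h1, alpha, gamma)
    if x <= lower:
        return "accept H0", x
    if x >= upper:
        return "reject H0", x
    return "continue", x


def expected_sample_size(p, alpha, gamma, e_w):
    """Equation (14): E(n) from P(theta, beta, phi), alpha, gamma and E(w)."""
    ln_a = math.log(gamma / (1 - alpha))
    ln_b = math.log((1 - gamma) / alpha)
    return (p * ln_a + (1 - p) * ln_b) / e_w


if __name__ == "__main__":
    for k in range(1, len(CONSTRUCTED_TIMES) + 1):
        print(k, decide(CONSTRUCTED_TIMES[:k], H0, H1, ALPHA, GAMMA))
    # P = 0.01 and E(w) = 0.6115 are the values the paper uses in its Section 7 example.
    print(expected_sample_size(0.01, ALPHA, GAMMA, 0.6115))
```

With the paper's P = 0.01 and E(w) = 0.6115 the last line gives E(n) ≈ 4.64, the figure Section 7 rounds up to 5 items.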
6 MAXIMUM LIKELIHOOD ESTIMATION FOR THE INVERSE WEIBULL MODEL FOR CENSORED TYPE II DATA (FAILURE CENSORED)
The maximum likelihood estimator for the shape, scale and minimum life parameters of an Inverse Weibull sampling distribution for censored Type II data (failure censored) will be given by:

$$L(\beta;\theta;\varphi) = k!\prod_{i=1}^{r} f(t_i)\,[1-F(t_r)]^{n-r}, \text{ or yet: } L(\beta;\theta;\varphi) = k!\prod_{i=1}^{r} f(t_i)\,[R(t_r)]^{n-r};\quad t>0 \quad (16)$$

$$f(t_i) = \frac{\beta}{\theta}\left(\frac{\theta}{t_i-\varphi}\right)^{\beta+1}\exp\left[-\left(\frac{\theta}{t_i-\varphi}\right)^{\beta}\right] \quad (17)$$

$$R(t_r) = \exp\left[-\left(\frac{\theta}{t_r-\varphi}\right)^{\beta}\right] \quad (18)$$

$$L(\beta;\theta;\varphi) = k!\,\beta^{r}\,\theta^{\beta r}\prod_{i=1}^{r}\left(\frac{1}{t_i-\varphi}\right)^{\beta+1}\times e^{-\sum_{i=1}^{r}\left(\theta/(t_i-\varphi)\right)^{\beta}}\left[e^{-\left(\theta/(t_r-\varphi)\right)^{\beta}}\right]^{n-r} \quad (19)$$

The log likelihood function $\mathcal{L} = \ln[L(\beta;\theta;\varphi)]$ will be given by:

$$\mathcal{L} = \ln(k!)+r\ln(\beta)+r\beta\ln(\theta)-(\beta+1)\sum_{i=1}^{r}\ln(t_i-\varphi)-\sum_{i=1}^{r}\left(\frac{\theta}{t_i-\varphi}\right)^{\beta}-(n-r)\left(\frac{\theta}{t_r-\varphi}\right)^{\beta}$$

To find the values of θ and β that maximize the log likelihood function, we take the θ, β and φ derivatives and make them equal to zero. Then, we will have:

$$\frac{d\mathcal{L}}{d\theta} = \frac{r\beta}{\theta}-\beta\theta^{\beta-1}\sum_{i=1}^{r}\left(\frac{1}{t_i-\varphi}\right)^{\beta}-(n-r)\,\beta\theta^{\beta-1}\left(\frac{1}{t_r-\varphi}\right)^{\beta} = 0 \quad (20)$$

$$\frac{d\mathcal{L}}{d\beta} = \frac{r}{\beta}+r\ln(\theta)-\sum_{i=1}^{r}\ln(t_i-\varphi)-\sum_{i=1}^{r}\left(\frac{\theta}{t_i-\varphi}\right)^{\beta}\ln\left(\frac{\theta}{t_i-\varphi}\right)-(n-r)\left(\frac{\theta}{t_r-\varphi}\right)^{\beta}\ln\left(\frac{\theta}{t_r-\varphi}\right) = 0 \quad (21)$$

$$\frac{d\mathcal{L}}{d\varphi} = (\beta+1)\sum_{i=1}^{r}\frac{1}{t_i-\varphi}-\beta\theta^{\beta}\left[\sum_{i=1}^{r}\left(\frac{1}{t_i-\varphi}\right)^{\beta+1}+(n-r)\left(\frac{1}{t_r-\varphi}\right)^{\beta+1}\right] = 0 \quad (22)$$

From Equation 20 we obtain:

$$\theta = \left(\frac{r}{\displaystyle\sum_{i=1}^{r}\left(\frac{1}{t_i-\varphi}\right)^{\beta}+(n-r)\left(\frac{1}{t_r-\varphi}\right)^{\beta}}\right)^{1/\beta} \quad (23)$$

Notice that, when β = 1, Equation 23 reduces to the maximum likelihood estimator for the inverse two-parameter exponential distribution. Using Equation 23 for θ in Equations 21 and 22 and applying some algebra, Equations 21 and 22 reduce to:

$$\frac{r}{\beta}-\sum_{i=1}^{r}\ln(t_i-\varphi)+r\times\frac{\displaystyle\sum_{i=1}^{r}\left(\frac{1}{t_i-\varphi}\right)^{\beta}\ln(t_i-\varphi)+(n-r)\left(\frac{1}{t_r-\varphi}\right)^{\beta}\ln(t_r-\varphi)}{\displaystyle\sum_{i=1}^{r}\left(\frac{1}{t_i-\varphi}\right)^{\beta}+(n-r)\left(\frac{1}{t_r-\varphi}\right)^{\beta}} = 0 \quad (24)$$

$$(\beta+1)\sum_{i=1}^{r}\frac{1}{t_i-\varphi}-\beta r\times\frac{\displaystyle\sum_{i=1}^{r}\left(\frac{1}{t_i-\varphi}\right)^{\beta+1}+(n-r)\left(\frac{1}{t_r-\varphi}\right)^{\beta+1}}{\displaystyle\sum_{i=1}^{r}\left(\frac{1}{t_i-\varphi}\right)^{\beta}+(n-r)\left(\frac{1}{t_r-\varphi}\right)^{\beta}} = 0 \quad (25)$$
Equations 24 and 25 must be solved iteratively. The problem was reduced to the simultaneous solution of the two iterative Equations 24 and 25. The simultaneous solution of two iterative equations can be seen as relatively simple when compared to the arduous task of solving three simultaneous iterative Equations (20, 21, 22) as outlined by Harter (Harter et al. 1965). Even though this is the present case, one possible simplification in solving for estimates when all three parameters are unknown could be the following approach proposed by Bain (1978).
For example, let us suppose that $\hat\beta$ and $\hat\theta$ represent the good linear unbiased estimators (GLUEs) of the shape parameter β and of the scale parameter θ for a fixed value of the minimum life φ. We could choose an initial value for φ to obtain the estimators $\hat\beta$ and $\hat\theta$, and then apply these two values in Equation 18, that is, the maximum likelihood equation for the minimum life φ. An estimate $\breve\varphi$ can then be obtained from Equation 25, then the GLUEs of β and of θ can be recalculated for the new estimate $\breve\varphi$, and a second estimate for the minimum life φ obtained from Equation 25. Continuing this iteration would lead to approximate values of the maximum likelihood estimators. As we can notice, the advantage of using the GLUEs in this iteration is that only one equation must be solved implicitly. The existence of solutions to the above set of Equations 24 and 25 has been frequently addressed by researchers, as there can be more than one solution or none at all; see Zanakis & Kyparisis (1986).
The standard maximum likelihood method for estimating the parameters of the three-parameter Weibull model can have problems since the regularity conditions are not met, see (Murthy et al. 2004, Blischke 1974, Zanakis & Kyparisis 1986). To overcome this regularity problem, one of the approaches proposed by Cohen (Cohen et al. 1984) is to replace Equation 25 with the equation

$$n\times\theta\times\frac{g}{3}\times\sum_{i=1}^{k+1}U_i^{-1/\beta}\left(1-e^{-U_i}\right)^{n}\times(1,\,2\text{ or }4)+n\times\varphi_j\times\frac{g}{3}\times\sum_{i=1}^{k+1}\left(1-e^{-U_i}\right)^{n}\times(1,\,2\text{ or }4) = t_1 \quad (26)$$

we can determine a $\varphi_0$ value which should make the right side of Equation 26 equal to the first failure time $t_1$. When the decisions about these quantities $\theta_0$, $\theta_1$, $\beta_0$, $\beta_1$, $\varphi_0$, $\varphi_1$, α, γ and P(θ, β) are made, and after E(n) is calculated, the sequential test is totally defined.

7 EXAMPLE
We are trying to determine the values of the shape, scale and minimum life parameters of an underlying three-parameter Inverse Weibull model, representing the life cycle of a new friction-resistant low alloy-high strength steel rail. Once a life curve for this steel rail is determined, we will be able to verify, using sequential life testing, if new units produced will have the necessary required characteristics. It happens that the amount of time available for testing is considerably less than the expected lifetime of the component. So, we will have to rely on an accelerated life testing procedure to obtain the failure times used in the parameter estimation procedure. The steel rail has a normal operating temperature of 296 K (about 23 degrees Centigrade). Under stress testing at 480 K, 16 steel rail items were subjected to testing, with the testing being truncated at the moment of occurrence of the twelfth failure. Table 1 shows these failure time data (hours).
Now, under stress testing at 520 K, 16 steel rail items were again subjected to testing, with the testing being truncated at the moment of occurrence of the twelfth failure. Table 2 shows these failure time data (hours).
Using the maximum likelihood estimator approach for the shape parameter β, for the scale parameter θ and for the minimum life φ of the Inverse Weibull model for censored Type II data (failure censored), we obtain the following values for these three parameters

Table 1. Failure times (hours) of steel rail items tested under accelerated temperature conditions (480 K).
765.1    843.6      850.4
862.2    877.3      891.0
909.4    930.9      952.4
973.2    1,014.7    1,123.6
under accelerated conditions of testing:
At 480 K: $\beta_1 = \beta_n = \beta = 8.38$; $\theta_1 = 642.3$ hours; $\varphi_1 = 117.9$ hours
At 520 K: $\beta_2 = \beta_n = \beta = 8.41$; $\theta_2 = 548.0$ hours; $\varphi_2 = 100.2$ hours
The shape parameter did not change, with β ≈ 8.4. The acceleration factor for the scale parameter $AF_{\theta 2/1}$ will be given by:

... normal stress temperature $AF_{\varphi 2/n}$, will be:

$$AF_{\varphi 2/n} = \exp\left[1{,}015.1\left(\frac{1}{296}-\frac{1}{520}\right)\right] = 4.38$$

Then, as we expected, $AF_\theta = 4.23 \approx AF_\varphi = 4.38 \approx AF = 4.3$. Finally, the minimum life parameter of the component at normal operating temperatures is estimated to be:

$$\varphi_n = AF_{\varphi 2/n}\times\varphi_2 = 4.3\times 100.2 = 430.9 \text{ hours}$$
[Figure 1. Sequential test graph for the three-parameter Inverse Weibull model. Horizontal axis: NUMBER OF ITEMS (0 to 6); vertical axis: VALUES OF X (0 to −40). The upper region is labelled ACCEPT H0 and the lower region REJECT H0.]

we will have:

$$P(\theta,\beta)\ln(A)+[1-P(\theta,\beta)]\ln(B) = -0.01\times 2.2513+0.99\times 2.8904 = 2.8390$$

Then: $E(n) = \dfrac{2.8390}{0.6115} = 4.6427 \approx 5$ items.
So, we could make a decision about accepting or rejecting the null hypothesis $H_0$ after the analysis of observation number 5. Using Equations 9 and 10 and the twelve failure times obtained under accelerated conditions at 520 K given by Table 2, multiplied by the accelerating factor AF of 4.3, we calculate the sequential life testing limits. Figure 1 shows the sequential life-testing for the three-parameter Inverse Weibull model.
Then, since we were able to make a decision about accepting or rejecting the null hypothesis $H_0$ after the analysis of observation number 4, we do not have to analyze a number of observations corresponding to the truncation point (5 observations). As we can see in Figure 1, the null hypothesis $H_0$ should be accepted since the final observation (observation number 4) lies in the region related to the acceptance of $H_0$.

8 CONCLUSIONS
There are two key limitations to the use of the Arrhenius equation: first, at all the temperatures used, linear specific rates of change must be obtained. This requires that the rate of reaction, regardless of whether or not it is measured or represented, must be constant over the period of time at which the aging process is evaluated. Now, if the expected rate of reaction should vary over the time of the test, then one would not be able to identify a specific rate that is assignable to a specific temperature. If the mechanism of reaction at higher or lower temperatures should differ, this, too, would alter the slope of the curve. Second, it is necessary that the energy of activation be independent of temperature, that is, constant over the range of temperatures of interest. It happens that, according to Chornet & Roy (1980), ''the apparent energy of activation is not always constant, particularly when there is more than one process going on.'' Further comments on the limitations of the use of the Arrhenius equation can be found in Feller (1994). In this work we life-tested a new industrial product using an accelerated mechanism. We assumed a linear acceleration condition. To estimate the parameters of the three-parameter Inverse Weibull model we used a maximum likelihood approach for censored failure data, since the life-testing will be terminated at the moment the truncation point is reached. The shape parameter remained the same while the accelerated scale parameter and the accelerated minimum life parameter were multiplied by the acceleration factor. The equal shape parameter is a necessary mathematical consequence of the other two assumptions; that is, assuming a linear acceleration model and a three-parameter Inverse Weibull sampling distribution. If different stress levels yield data with very different shape parameters, then either the three-parameter Inverse Weibull sampling distribution is the wrong model for the data or we do not have a linear acceleration condition. In order to translate test results obtained under accelerated conditions to normal using conditions we applied some reasoning given by the ''Maxwell Distribution Law.'' To evaluate the accuracy (significance) of the three parameter values estimated under normal conditions for the underlying Inverse Weibull model we employed, on the expected normal failure times, a sequential life testing using a truncation mechanism developed by De Souza (2004). These expected normal failure times were acquired by multiplying the twelve failure times obtained under accelerated testing conditions at 520 K, given by Table II, by the accelerating factor AF of 4.3. Since we were able to make a decision about accepting or rejecting the null hypothesis $H_0$ after the analysis of observation number 4, we did not have to analyze a number of observations corresponding to the truncation point (5 observations). As we saw in Figure 1, the null hypothesis $H_0$ should be accepted since the final observation (observation number 4) lies in the region related to the acceptance of $H_0$. Therefore, we accept the hypothesis that the life of the friction-resistant low alloy-high strength steel rails when operating at normal use conditions could be represented by a three-parameter Inverse Weibull model having a shape parameter β of 8.4, a scale parameter θ of 2,320 hours and a minimum life φ of 430 hours.
REFERENCES
Bain, Lee J. 1978. Statistical Analysis of Reliability and Life-Testing Models, Theory and Method. Marcel Dekker, Inc., New York, NY, USA.
Blischke, W.R. 1974. On non-regular estimation II. Estimation of the Location Parameter of the Gamma and Weibull Distributions, Communications in Statistics, 3, 1109–1129.
Chornet & Roy. 1980. Compensation of Temperature on Peroxide Initiated Cross linking of Polypropylene, European Polymer Journal, 20, 81–84.
Cohen, A.C.; Whitten, B.J. & Ding, Y. 1984. Modified Moment Estimation for the Three-Parameter Weibull Distribution, Journal of Quality Technology 16, 159–167.
De Souza, Daniel I. 2000. Further thoughts on a sequential life testing approach using a Weibull model. In Cottam, Harvey, Pape & Tait (eds.), Foresight and Precaution, ESREL 2000 Congress. 2: 1641–1647, Edinburgh, Scotland: Balkema.
De Souza, Daniel I. 2001. Sequential Life Testing with a Truncation Mechanism for an Underlying Weibull Model. In Zio, Demichela & Piccinini (eds.), Towards a Safer World, ESREL 2001 Conference, 16–20 September. 3: 1539–1546. Politecnico Di Torino, Italy.
De Souza, Daniel I. 2004. Sequential Life-Testing with Truncation Mechanisms for Underlying Three-Parameter Weibull and Inverse Weibull Models. In Raj B.K. Rao, B.E. Jones & R.I. Grosvenor (eds.), COMADEM Conference, Cambridge, U.K., August 2004, 260–271, Comadem International, Birmingham, U.K.
De Souza, Daniel I. 2005. A Maximum Likelihood Approach Applied to an Accelerated Life Testing with an Underlying Three-Parameter Inverse Weibull Model. In: Raj B.K. Rao & David U. Mba (eds.), COMADEM 2005 – Condition Monitoring and Diagnostic Engineering Management, University Press, 2005. v.01, pp. 63–72. Cranfield, Bedfordshire, UK.
De Souza, Daniel I. & Addad, Assed N. 2007. Sequential Life-Testing with an Underlying Three-Parameter Inverse Weibull Model – A Maximum Likelihood Approach. In: IIE Annual Conference and Exposition. Nashville, TN: The Institute of Industrial Engineering, 2007. V.01, pp. 907–912. USA.
De Souza, Daniel I. & Lamberson, Leonard R. 1995. Bayesian Weibull Reliability Estimation, IIE Transactions 27 (3), 311–320.
Erto, Pasquale. 1982. New Practical Bayes Estimators for the 2-Parameter Weibull Distribution, IEEE Transactions on Reliability, R-31 (2), 194–197.
Feller, Robert L. 1994. Accelerated Aging, Photochemical and Thermal Aspects. The Getty Conservation Institute, Eds.; Printer: Edwards Bros., Ann Arbor, Michigan.
Harter, H. et al. 1965. Maximum Likelihood Estimation of the Parameters of Gamma and Weibull Populations from Complete and from Censored Samples, Technometrics, No 7, pp. 639–643; erratum, 15 (1973), p. 431.
Kapur, K. & Lamberson, L.R. 1977. Reliability in Engineering Design, John Wiley & Sons, Inc., New York.
Mood, A.M. & Graybill, F.A. 1963. Introduction to the Theory of Statistics. Second Edition, McGraw-Hill, New York.
Murthy, D.N.P., Xie, M. & Hang, R. 2004. Weibull Models. In Wiley Series in Probability and Statistics, John Wiley & Sons, Inc., New Jersey.
Zanakis, S.H. & Kyparisis, J. 1986. A Review of Maximum Likelihood Estimation Methods for the Three Parameter Weibull Distribution. Journal of Statistical Computation and Simulation, 25, 53–73.

APPENDIX 1. DETERMINING AN INITIAL ESTIMATE TO THE MINIMUM LIFE φ
The pdf of $t_1$ will be given by:

$$f(t_1) = n\,[1-F(t_1)]^{n-1}f(t_1).$$

Since $F(t_1) = 1-R(t_1)$, we will have

$$f(t_1) = n\,[R(t_1)]^{n-1}f(t_1)$$

For the three-parameter Inverse Weibull sampling distribution, we will have:

$$f(t_1) = \frac{n\beta}{\theta}\left(\frac{\theta}{t-\varphi}\right)^{\beta+1}\left[1-\exp\left(-\left(\frac{\theta}{t-\varphi}\right)^{\beta}\right)\right]^{n}$$

The expected value of $t_1$ is given by:

$$E(t_1) = \int_{\varphi}^{\infty} t\,\frac{n\beta}{\theta}\left(\frac{\theta}{t-\varphi}\right)^{\beta+1}\left[1-\exp\left(-\left(\frac{\theta}{t-\varphi}\right)^{\beta}\right)\right]^{n}dt$$

Letting $U = \left(\dfrac{\theta}{t-\varphi}\right)^{\beta}$, we will have:

$$dU = -\frac{\beta}{\theta}\left(\frac{\theta}{t-\varphi}\right)^{\beta+1}dt; \qquad t = \frac{\theta}{U^{1/\beta}}+\varphi$$

When t → ∞, U → 0; when t → φ, U → ∞. Then:

$$E(t_1) = n\int_{0}^{\infty}\left(\theta U^{-1/\beta}+\varphi\right)\left[1-e^{-U}\right]^{n}dU$$

$$E(t_1) = n\theta\int_{0}^{\infty}U^{-1/\beta}\left[1-e^{-U}\right]^{n}dU+n\varphi\int_{0}^{\infty}\left[1-e^{-U}\right]^{n}dU$$

The above integrals have to be solved by using a numerical integration procedure, such as Simpson's
1/3 rule. Remembering that Simpson's 1/3 rule is given by:

$$\int_{a}^{b} f(x)\,dx = \frac{g}{3}\left(f_1+4f_2+2f_3+\cdots+4f_k+f_{k+1}\right)-\text{error}$$

Making the error = 0, and with i = 1, 2, . . ., k + 1, we will have:

$$n\theta\int_{0}^{\infty}U^{-1/\beta}\left[1-e^{-U}\right]^{n}dU = n\times\theta\times\frac{g}{3}\times\sum_{i=1}^{k+1}U_i^{-1/\beta}\left(1-e^{-U_i}\right)^{n}\times(1,\,2\text{ or }4) \quad (A)$$

$$n\varphi\int_{0}^{\infty}\left[1-e^{-U}\right]^{n}dU = n\times\varphi_j\times\frac{g}{3}\times\sum_{i=1}^{k+1}\left(1-e^{-U_i}\right)^{n}\times(1,\,2\text{ or }4) \quad (B)$$

Using Equations A and B, we will have:

$$E(t_1) = n\theta\int_{0}^{\infty}U^{-1/\beta}\left[1-e^{-U}\right]^{n}dU+n\varphi\int_{0}^{\infty}\left[1-e^{-U}\right]^{n}dU.$$

Finally:

$$E(t_1) = n\times\theta\times\frac{g}{3}\times\sum_{i=1}^{k+1}U_i^{-1/\beta}\left(1-e^{-U_i}\right)^{n}\times(1,\,2\text{ or }4)+n\times\varphi_j\times\frac{g}{3}\times\sum_{i=1}^{k+1}\left(1-e^{-U_i}\right)^{n}\times(1,\,2\text{ or }4). \quad (27)$$
Carlos Parra Márquez, Adolfo Crespo Márquez, Pedro Moreu de León, Juan Gómez Fernández &
Vicente González Díaz
Department of Industrial Management School of Engineering, University of Seville, Spain
ABSTRACT: This paper aims to explore different aspects related to the failure costs (non-reliability costs) within the Life Cycle Cost Analysis (LCCA) of a production asset. Life cycle costing is a well-established method used to evaluate alternative asset options. This methodology takes into account all costs arising during the life cycle of the asset. These costs can be classified as the 'capital expenditure' (CAPEX) incurred when the asset is purchased and the 'operating expenditure' (OPEX) incurred throughout the asset's life. In this paper we explore different aspects related to the ''failure costs'' within the life cycle cost analysis, and we describe the most important aspects of the stochastic model called the Non-homogeneous Poisson Process (NHPP). This model will be used to estimate the failure frequency and the impact that the diverse failures could have on the total costs of a production asset. The paper also contains a case study where we applied the above-mentioned concepts. Finally, the model presented provides maintenance managers with a decision tool that optimizes the life cycle cost analysis of an asset and will increase the efficiency of the decision-making process related to the control of failures.
Keywords: Asset; Failures; Life Cycle Cost Analysis (LCCA); Non-homogeneous Poisson Process (NHPP);
Maintenance; Reliability; Repairable Systems
2 ANTECEDENTS OF THE LCCA TECHNIQUES

In recent years the research area related to Life Cycle Cost Analysis has continued to develop, at the academic level as much as at the industrial level. It is important to mention the existence of other methodologies that have emerged in the area of LCCA, such as Life Cycle Cost Analysis and Environmental Impact and Total Cost Analysis of Production Assets, among others (Durairaj and Ong, 2002). These methodologies have their particular characteristics, although, regarding the estimation of the cost impact of failure events, they propose reliability analyses usually based on a constant failure rate. The antecedents of the LCCA are shown next (Kirk and Dellisola, 1996):

• 1930, one of the first known records of the LCCA techniques is found in the book Principles of Engineering Economics by Eugene L. Grant.
• 1933, the first reference to Life Cycle Analysis by the Government of the United States appears, carried out by a federal department, the General Accounting Office (GAO), in relation to the purchase of a series of tractors.
• 1950, Lawrence D. Miles originated the concept of Value Engineering at General Electric, incorporating aspects related to the techniques of LCCA.
• 1960, Stone (1975) began to work in England, which resulted during the 1970s in the publication of two of the most important texts developed in Europe on cost engineering.
• 1960, the Logistics Management Institute of the United States carried out an investigation in the area of Obsolescence Engineering for the Ministry of Defense. The final result of this investigation was the publication of the first Life Cycle Cost Manual in 1970.
• 1972, the Ministry of Defense of the United States promoted the development of a group of manuals with the purpose of applying the LCCA methodology in all the logistics areas.
• 1974, the Department of Energy of the United States decided to develop its expansion and energy consumption plans supported by life cycle analysis.
• 1975, the Federal Department of Supplies and Services of the United States developed a logistics and acquisition technique based on the LCCA.
• 1979, the Department of Energy introduced a proposal (44 FR 25366, April 30 1979) which intended that LCCA evaluations be included in all new constructions and major modifications in government facilities.
• 1980, the American Society for Testing and Materials (ASTM) developed a series of standards and a database oriented to ease the search for the information necessary to apply the LCCA.
• 1992, two researchers of the University of Virginia, Wolter Fabrycky and B.S. Blanchard, developed a model of LCCA (see details in Fabrycky and Blanchard, 1993) which includes a structured process to calculate the costs of non-reliability starting from an estimate of a constant number of failures per year (constant failure rate).
• 1994, Woodward (1997), from the School of Business of the University of Staffordshire (England, Great Britain), developed a line of investigation which included basic aspects of the analysis of the reliability factor and its impact on life cycle costs.
• 1998, David Willians and Robert Scott of the consulting firm RM-Reliability Group developed a model of LCCA based on the Weibull distribution to estimate the frequency of failures and the impact of the reliability costs; see details in (Zohrul Kabil, 1987, Ebeling, 1997 and Willians and Scott, 2000).
• 1999, the Woodhouse Partnership consulting group participated in the European project EUREKA, specifically within the line of investigation denominated MACRO (Maintenance Cost/Risk Optimization Project), and developed a commercial LCCA software package denominated APT Lifespan; see details in (Roca, 1987, Barlow, Clarotti and Spizzichino, 1993, Woodhouse, 1991 and Riddell and Jennings, 2001).
• 2001, the Woodhouse Partnership consulting firm and the Venezuelan Oil Technological Institute (INTEVEP) put this model to the test, evaluating the total life cycle costs of 56 gas compression systems used for the extraction of heavy oil in the San Tomé District (Venezuela); see details in (Parra and Omaña, 2003).

3 BASIC ASPECTS OF THE LCCA

To evaluate the costs associated with the life cycle of a production system, there exists a collection of procedures grouped together under the name Techniques of Life Cycle Cost Analysis. The early implementation of the cost analysis techniques allows potential design problems to be evaluated in advance and their potential impact on the costs along the life cycle of the industrial assets to be quantified (Durairaj and Ong, 2002). Next, some basic definitions of Life Cycle Cost Analysis are presented:

– Kirk and Dellisola (1996) define the LCCA as a technique of economic calculation that allows the optimization of decisions associated with
the design processes, selection, development and substitution of the assets that make up a production system. It intends to evaluate in a quantitative way all the costs associated with the economic period of expected useful life, expressed in yearly equivalent monetary units (Dollars/year, Euros/year, Pesos/year).
– Woodhouse (1991) defines the LCCA as a systematic process of technical-economic evaluation, applied in the selection and replacement process of production systems, that allows economic and reliability aspects to be considered simultaneously, with the purpose of quantifying the real impact of all the costs along the life cycle of the assets ($/year), and in this way to select the asset that contributes the largest benefits to the productive system.

The great quantity of variables that must be managed when estimating the real costs of an asset along its useful life generates a scenario of high uncertainty (Durairaj and Ong, 2002). The combination of inflation, rise/decrease of costs, reduction/increase of purchasing power, budget limitations, increased competition and other similar characteristics has generated a restlessness and interest about the total cost of the assets. Often the total cost of the production system is not visible, in particular those costs associated with operation, maintenance, installation tests and personnel training, among others.

Additionally, the dynamics of the economic scenario generate problems related to the real determination of the asset's cost. Some of them are (Fabrycky, 1997):
• The cost factors are usually applied incorrectly. The individual costs are inadequately identified and, many times, they are included in the wrong category: variable costs are treated as fixed (and vice versa); indirect costs are treated as direct, etc.
• The accounting procedures do not always allow a realistic and timely evaluation of the total cost. Besides, it is often difficult (if not impossible) to determine the costs on a functional basis.
• Many times the budgetary practices are inflexible with regard to the transfer of funds from one category to another, or from one year to another.

To avoid uncertainty in the cost analysis, the studies of economic viability should approach all the aspects of the life cycle cost. The tendency to variability of the main economic factors, together with the additional problems already enunciated, has led to erroneous estimates, causing designs and developments of production systems that are not suitable from the point of view of cost-benefit (Fabrycky, 1997). It can be anticipated that these conditions will worsen unless the design engineers give a greater degree of consideration to the costs. Within the dynamic process of change, the acquisition costs associated with new systems are not the only ones to increase; the operation and maintenance costs of the systems already in use also increase quickly. This is due mainly to a combination of factors such as (Fabrycky, 1997):
• Inaccuracies in the estimates, predictions and forecasts of failure events (reliability), and ignorance of the probability of occurrence of the different failure events within the production systems under evaluation.
• Ignorance of the behavior of the deterioration processes.
• Lack of forecasting in the maintenance processes and ignorance of modern maintenance management techniques.
• Engineering changes during design and development.
• Changes in the construction of the system itself.
• Changes in the expected production patterns.
• Changes during the acquisition of system components.
• Setbacks and unexpected problems.

3.1 Characteristics of the costs in a production asset

The cost of a life cycle is determined by identifying the applicable functions in each of its phases, calculating the cost of these functions and applying the appropriate costs during the whole extension of the life cycle. For it to be complete, the life cycle cost should include all the costs of design, fabrication and production (Ahmed, 1995). In the following paragraphs the characteristics of the costs in the different phases of an asset's life cycle are summarized (Levy and Sarnat, 1990):
• Investigation, design and development costs: initial planning, market analysis, product investigation, design and engineering requirements, etc.
• Production, acquisition and construction costs: industrial engineering and analysis of operations, production (manufacturing, assembly and tests), construction of facilities, process development, production operations, quality control and initial requirements of logistics support.
• Operation and support costs: operational inputs of the production system, planned maintenance, corrective maintenance (which depends on the reliability factor) and costs of logistical support during the system's life cycle.
• Removal and elimination costs: elimination of non-repairable elements along the life cycle, retirement of the system and recycling of material.
From the financial point of view, the costs generated along the life cycle of the asset are classified in two types of costs:
• CAPEX: capital costs (design, development, acquisition, installation, staff training, manuals, documentation, tools and facilities for maintenance, replacement parts for assurance, withdrawal).
• OPEX: operational costs (manpower, operations,
[Figure: Costs of Non Reliability: costs for penalization; costs for corrective maintenance.]
Figure 2. Basic notation for a stochastic point process.

4.1 Ordinary Renewal Process (ORP)

This model assumes that, following a repair, the unit returns to an "as good as new" (AGAN) condition. In this process, the interarrival times x_i between successive failures (see Figure 2) are considered independent and identically distributed random variables. It is a generalization of a Homogeneous Poisson Process (HPP). This model represents an ideal situation; it is only appropriate for replaceable items and hence has very limited application in the analysis of repairable components and systems. Variations of the ORP can also be defined. The modified renewal process, where the first interarrival time differs from the others, and the superimposed renewal process (union of many independent ORPs) are examples of these possible variations (Ascher and Feingold, 1984).

4.2 Non-Homogeneous Poisson Process (NHPP)

This model is also called "minimal repair" and it assumes that the unit returns to an "as bad as old" (ABAO) condition after a repair; that is, after the restoration the item is assumed to be operative but as old as it was before the failure. The NHPP differs from the HPP in that the rate of occurrence of failures varies with time rather than being constant (Ascher and Feingold, 1984). Unlike the previous model, in this process the interarrival times are neither independent nor identically distributed. The NHPP is a stochastic point process in which the probability of occurrence of n failures in any interval [t1, t2] has a Poisson distribution with:

$$\text{mean} = \int_{t_1}^{t_2} \lambda(t)\,dt \qquad (1)$$

where λ(t) is the rate of occurrence of failures (ROCOF), defined as the inverse of the expected interarrival time, 1/E[x_i] (Ascher and Feingold, 1984 and Crow, 1974).

4.3 Generalized renewal process (GRP)

A repairable system may end up in one of five possible states after a repair:
a. As good as new
b. As bad as old
c. Better than old, but worse than new
d. Better than new
e. Worse than old

The two models described before, the ordinary renewal process and the NHPP, account for the first two states respectively. However, the last three repair states have received less attention since they involve more complex mathematical models. Kijima and Sumita (1987) proposed a probabilistic model for all the after-repair states, called the Generalized Renewal Process (GRP). According to this approach, the ordinary renewal process and the NHPP are considered specific cases of the generalized model. The GRP theory of repairable items introduces the concept of virtual age (A_n). This value represents the calculated age of the element immediately after the nth repair occurs. For A_n = y the system has a time to the (n + 1)th failure, x_{n+1}, which is distributed according to the following cumulative distribution function (cdf):

$$F(x \mid A_n = y) = \frac{F(x + y) - F(y)}{1 - F(y)} \qquad (2)$$

where F(x) is the cdf of the time to first failure (TTFF) distribution of a new component or system. The summation

$$S_n = \sum_{i=1}^{n} x_i \qquad (3)$$

with S_0 = 0, is called the real age of the element. The model assumes that the nth repair only compensates for the damage accumulated during the time between the (n − 1)th and the nth failure. With this assumption, the virtual age of the component or system after the nth repair is:

$$A_n = A_{n-1} + q\,x_n = q\,S_n \qquad (4)$$

where q is the repair effectiveness (or rejuvenation) parameter and A_0 = 0. According to this model, assuming a value of q = 0 leads to an ordinary renewal process (as good as new), while the assumption of q = 1 corresponds to a non-homogeneous Poisson process (as bad as old). The values of q that fall in the interval 0 < q < 1 represent the after-repair states in which the condition of the element is better than old but worse than new, whereas the cases where q > 1 correspond to a condition worse than old. Similarly, cases with q < 0 would suggest a component
or system restored to a state better than new. Therefore, physically speaking, q can be seen as an index representing the effectiveness and quality of repairs (Yañez et al., 2002). Even though the q value of the GRP model constitutes a realistic approach to simulate the quality of maintenance, it is important to point out that the model assumes an identical q for every repair in the item's life. A constant q may not be the case for some equipment and maintenance processes, but it is a reasonable approach for most repairable components and systems.

The three models described above have advantages and limitations. In general, the more realistic the model, the more complex the mathematical expressions involved. The NHPP model has been proved to provide good results even for realistic situations with better-than-old but worse-than-new repairs (Yañez et al., 2002). Based on this, and given its conservative nature and manageable mathematical expressions, the NHPP was selected for this particular work. The specific analytical modeling is discussed in the following section.

4.4 Non-homogeneous Poisson process analytical modeling

The NHPP is a stochastic point process in which the probability of occurrence of n failures in any interval [t1, t2] has a Poisson distribution with the mean:

$$\lambda = \int_{t_1}^{t_2} \lambda(t)\,dt \qquad (5)$$

where λ(t) is the rate of occurrence of failures (ROCOF). Therefore, according to the Poisson process:

$$\Pr[N(t_2) - N(t_1) = n] = \frac{\left[\int_{t_1}^{t_2} \lambda(t)\,dt\right]^{n} \exp\left(-\int_{t_1}^{t_2} \lambda(t)\,dt\right)}{n!} \qquad (6)$$

where n = 0, 1, 2, ... is the total number of failures in the time interval [t1, t2]. The total expected number of failures is given by the cumulative intensity function:

$$\Lambda(t) = \int_{0}^{t} \lambda(t)\,dt \qquad (7)$$

Figure 3. Conditional probability of occurrence of failure.

One of the most common forms of ROCOF used in reliability analysis of repairable systems is the Power Law Model (Ascher and Feingold, 1984 and Crow, 1974):

$$\lambda(t) = \frac{\beta}{\alpha}\left(\frac{t}{\alpha}\right)^{\beta - 1} \qquad (8)$$

This form comes from the assumption that the interarrival times between successive failures follow a conditional Weibull probability density function with parameters α and β. The Weibull distribution is typically used in the maintenance area due to its flexibility and applicability to various failure processes; however, solutions for Gamma and Log-normal distributions are also possible. This model implies that the arrival of the ith failure is conditional on the cumulative operating time up to the (i − 1)th failure. Figure 3 shows a schematic of this conditionality (Yañez et al., 2002). This conditionality also arises from the fact that the system retains the condition of as bad as old after the (i − 1)th repair. Thus, the repair process does not restore any added life to the component or system.

In order to obtain the maximum likelihood (ML) estimators of the parameters of the power law model, consider the following definition of conditional probability:

$$P(T \le t \mid T > t_1) = \frac{F(t) - F(t_1)}{R(t_1)} = \frac{1 - R(t) - 1 + R(t_1)}{R(t_1)} = 1 - \frac{R(t)}{R(t_1)} \qquad (9)$$

where F(·) and R(·) are the probability of component failure and the reliability at the respective times. Assuming a Weibull distribution, Eq. (9) yields:

$$F(t_i) = 1 - \exp\left[\left(\frac{t_{i-1}}{\alpha}\right)^{\beta} - \left(\frac{t_i}{\alpha}\right)^{\beta}\right] \qquad (10)$$
Therefore, the conditional Weibull density function is:

$$f(t_i) = \frac{\beta}{\alpha}\left(\frac{t_i}{\alpha}\right)^{\beta - 1} \exp\left[\left(\frac{t_{i-1}}{\alpha}\right)^{\beta} - \left(\frac{t_i}{\alpha}\right)^{\beta}\right] \qquad (11)$$

$$\Lambda(t_n, t_{n+s}) = \frac{1}{\alpha^{\beta}}\left[(t_n + t_s)^{\beta} - (t_n)^{\beta}\right] \qquad (16)$$

where t_s is the time after the last failure over which the number of failures needs to be considered, and
In expression (16), t_s will be one year (1 year) or equivalent units (8760 hours, 365 days, 12 months, etc.). This time t_s represents the value used to estimate the frequency of failures per year.

5. Calculate the total costs per failure per year, TCP_f, generated by the different stop events in production, operations, environment and safety, with the following expression:

$$TCP_f = \sum_{f}^{F} \Lambda(t_n, t_{n+s}) \times C_f \qquad (18)$$

– Define the types of failures (f), where f = 1...F for F types of failures: F = 1 type of failure.
– Calculate the cost per failure C_f (these costs include: costs of replacement parts, manpower, penalization for production loss and operational impact): C_f = 5000 $/failure.
5 7 3 7 2 4 3 5 8 9 2 4 6 3 4 2 4 3 8 9 4 4 7 4
– Calculate the total cost per failure in present value, PTCP_f, using expression (19), for a period T = 10 years and discount rate i = 10%: PTCP_f = 73734.805 $, a value that represents the quantity of money (today) that the organization needs in order to cover the annual expenses projected by failures in the next 10 years, with a discount factor of 10%. For this example, the total expected number of failures in the time interval [t_n, t_n + s] is estimated by the NHPP stochastic model (Weibull cumulative intensity function); see Modarres et al., 1999.

6.1 Limitations of the model evaluated

The NHPP model has been proved to provide good results even for realistic situations with better-than-old but worse-than-new repairs (Hurtado et al., 2005). Based on this, and given its conservative nature and manageable mathematical expressions, the NHPP was selected for this particular work. The model described above has advantages and limitations. In general, the more realistic the model, the more complex the mathematical expressions involved. The main strengths and weaknesses of this model are summarized next:

Strengths:
• It is a useful and quite simple model to represent equipment under aging (deterioration).
• It involves relatively simple mathematical expressions.
• It is a conservative approach and in most cases provides results very similar to those of more complex models like the GRP (Hurtado et al., 2005).

Weaknesses:
• It is not adequate to simulate repair actions that restore the unit to conditions better than new or worse than old.

7 FUTURE DIRECTIONS

The specific orientation of this work toward the analysis of the reliability factor and its impact on the costs is due to the fact that a great part of the increase in the total costs during the expected useful life cycle of a production system is caused, in its majority, by the lack of foresight in the face of the unexpected appearance of failure events, a scenario basically provoked by ignorance and by the absence, in the design phase, of a technical evaluation of the aspects related to reliability. This situation results in an increase in the total costs of operation (costs that were not considered at the beginning), affecting in this way the profitability of the production process.

In the process of analysis of the costs along the life cycle of an asset, many decisions and actions exist that should be taken; of particular interest for this work are those aspects related to the process of improvement of reliability (quality of the design, technology used, technical complexity, frequency of failures, costs of preventive/corrective maintenance, maintainability levels and accessibility), since these have a great impact on the total cost of the life cycle of the asset, and they greatly influence the possible expectations of extending the useful life of the assets at reasonable costs. For these reasons, it is of supreme importance within the process of estimating the life cycle of the assets to evaluate and analyze in detail the aspects related to the failure rate. According to Ascher (1984), the following points should be considered in failure rate trend analyses:
• Failure of a component may be partial, and repair work done on a failed component may be imperfect. Therefore, the time periods between successive failures are not necessarily independent. This is a major source of trend in the failure rate.
• Imperfect repairs performed following failures do not renew the system, i.e., the component will not be as good as new; only then can the statistical inference methods using a Rate Of Occurrence Of Failures (ROCOF) assumption be used.
• Repairs made by adjusting, lubricating, or otherwise treating component parts that are wearing out provide only a small additional capability for further operation, and do not renew the component or system. These types of repair may result in a trend of increasing ROCOF.
• A component may fail more frequently due to aging and wearing out.

It is important to mention that within the LCCA techniques there exists a potential area of optimization related to the evaluation of the reliability impact. In the near future the new proposals for evaluating the costs generated by aspects of low reliability will use advanced mathematical methods such as:
• Stochastic methods, see (Tejms, 1986, Karyagina et al., 1998, Yañez et al., 2002, Hurtado et al., 2005 and Vasiliy, 2007). Table 2 shows the stochastic processes used in reliability investigations of repairable systems, with their possibilities and limits (Modarres et al., 1999).
• Advanced maintenance optimization using genetic algorithms, see (Martorell et al., 2000 and Martorell et al., 2005).
• Monte Carlo simulation techniques, see (Barringer, 1997, Barringer and Webber, 1996, and Kaminskiy and Krivtsov, 1998).
• Advanced reliability distribution analysis, see (Elsayed, 1982, Barlow, Clarotti and Spizzichino,
1993, Ireson et al., 1996, Elsayed, 1996, Scarf, 1997, Ebeling, 1997 and Dhillon, 1999).
• Markov simulation methods, see (Roca, 1987, Kijima and Sumita, 1987, Kijima, 1997 and Bloch-Mercier, 2000).

These methods will have their particular characteristics, and their main objective will be to diminish the uncertainty within the estimation process of the total costs of an asset along the expected useful life cycle. Finally, it is not feasible to develop a unique LCCA model which suits all requirements. However, it is possible to develop more elaborate models to address specific needs such as a reliability cost-effective asset development.

Table 2. Stochastic processes used in reliability analysis of repairable systems.

Stochastic process | Can be used | Background/Difficulty
Renewal process | Spare parts provisioning in the case of arbitrary failure rates and negligible replacement or repair time (Poisson process) | Renewal theory / Medium
Alternating renewal process | One-item repairable (renewable) structure with arbitrary failure and repair rates | Renewal theory / Medium
Markov process (MP) | Systems of arbitrary structure whose elements have constant failure and repair rates during the stay time (sojourn time) in every state (not necessarily at a state change, e.g. because of load sharing) | Differential equations or integral equations / Low
Semi-Markov process (SMP) | Some systems whose elements have constant or Erlangian failure rates (Erlang distributed failure-free times) and arbitrary repair rates | Integral equations / Medium
Semi-regenerative process | Systems with only one repair crew, arbitrary structure, and whose elements have constant failure rates and arbitrary repair rates | Integral equations / High
Nonregenerative process | Systems of arbitrary structure whose elements have arbitrary failure and repair rates | Partial differential equations; case by case solution / High to very high

REFERENCES

Ahmed, N.U. 1995. "A design and implementation model for life cycle cost management system", Information and Management, 28, pp. 261–269.
Asiedu, Y. and Gu, P. 1998. "Product lifecycle cost analysis: state of art review", International Journal of Production Research, Vol. 36, No. 4, pp. 883–908.
Ascher, H. and Feingold, H. 1984. Repairable System Reliability: Modeling, Inference, Misconceptions and their Causes, Marcel Dekker, New York.
Barlow, R.E., Clarotti, C.A. and Spizzichino, F. 1993. Reliability and Decision Making, Chapman & Hall, London.
Barringer, H.P. and Weber, D.P. 1996. "Life Cycle Cost Tutorial", Fifth International Conference on Process Plant Reliability, Gulf Publishing Company, Houston, TX.
Barringer, H.P. and Weber, D.P. 1997. "Life Cycle Cost & Reliability for Process Equipment", 8th Annual ENERGY WEEK Conference & Exhibition, George R. Brown Convention Center, Houston, Texas, organized by the American Petroleum Institute.
Barroeta, C. 2005. Risk and economic estimation of inspection policy for periodically tested repairable components, Thesis for the Master of Science, University of Maryland, Faculty of Graduate School, College Park, Cod. Umi-umd-2712, pp. 77, August, Maryland.
Blanchard, B.S. 2001. "Maintenance and support: a critical element in the system life cycle", Proceedings of the International Conference of Maintenance Societies, paper 003, May, Melbourne.
Blanchard, B.S. and Fabrycky, W.J. 1998. Systems Engineering and Analysis, 3rd ed., Prentice-Hall, Upper Saddle River, NJ.
Bloch-Mercier, S. 2000. "Stationary availability of a semi-Markov system with random maintenance", Applied Stochastic Models in Business and Industry, 16, pp. 219–234.
Crow, L.H. 1974. "Reliability analysis for complex repairable systems", in Reliability and Biometry, Proschan, F. and Serfling, R.J., eds., SIAM, Philadelphia, pp. 379–410.
Dhillon, B.S. 1989. Life Cycle Costing: Techniques, Models and Applications, Gordon and Breach Science Publishers, New York.
Dhillon, B.S. 1999. Engineering Maintainability: How to Design for Reliability and Easy Maintenance, Gulf, Houston, TX.
Dowlatshahi, S. 1992. "Product design in a concurrent engineering environment: an optimization approach", Journal of Production Research, Vol. 30 (8), pp. 1803–1818.
Durairaj, S. and Ong, S. 2002. "Evaluation of Life Cycle Cost Analysis Methodologies", Corporate Environmental Strategy, Vol. 9, No. 1, pp. 30–39.
DOD Guide LCC-1, DOD Guide LCC-2, DOD Guide LCC-3. 1998. "Life Cycle Costing Procurement Guide, Life Cycle Costing Guide for System Acquisitions, Life Cycle Costing Guide for System Acquisitions", Department of Defense, Washington, D.C.
Ebeling, C. 1997. Reliability and Maintainability Engineering, McGraw Hill Companies, USA.
Elsayed, E.A. 1982. "Reliability Analysis of a container spreader", Microelectronics and Reliability, Vol. 22, No. 4, pp. 723–734.
Elsayed, E.A. 1996. Reliability Engineering, Addison Wesley Longman Inc., New York.
Fabrycky, W.J. 1997. Análisis del Coste de Ciclo de Vida de los Sistemas, ISDEFE, Ingeniería de Sistemas, Madrid, España.
Fabrycky, W.J. and Blanchard, B.S. 1993. Life Cycle Costing and Economic Analysis, Prentice Hall, Inc., Englewood Cliffs, New Jersey.
Goffin, K. 2000. "Design for supportability: essential component of new product development", Research-Technology Management, Vol. 43, No. 2, pp. 40–7.
Hurtado, J.L., Joglar, F. and Modarres, M. 2005. "Generalized Renewal Process: Models, Parameter Estimation and Applications to Maintenance Problems", International Journal on Performability Engineering, Vol. 1, No. 1, paper 3, pp. 37–50.
Ireson, W.G., Coombs, C.F. Jr. and Moss, R.Y. 1996. Handbook of Reliability Engineering and Management, 2nd edition, McGraw-Hill, New York.
Kaminskiy, M. and Krivtsov, V. 1998. "A Monte Carlo approach to repairable system reliability analysis", Probabilistic Safety Assessment and Management, Springer, pp. 1063–1068.
Karyagina, M., Wong, W. and Vlacic, L. 1998. "Life cycle cost modelling using marked point processes", Reliability Engineering & System Safety, Vol. 59, pp. 291–298.
Kececioglu, D. 1991. Reliability and Life Testing Handbook, Prentice Hall, Inc., Englewood Cliffs, New Jersey.
Kijima, M. and Sumita, N. 1987. "A useful generalization of renewal theory: counting process governed by non-negative Markovian increments", Journal of Applied Probability, Vol. 23, pp. 71–88.
Kijima, M. 1977. Markov Processes for Stochastic Modeling, Chapman & Hall, London.
Kirk, S. and Dellisola, A. 1996. Life Cycle Costing for Design Professionals, McGraw Hill, New York, pp. 6–57.
Levy, H. and Sarnat, M. 1990. Capital Investment and Financial Decisions, 4th edition, Prentice Hall, New York.
"Life Cycle Costing Workbook: A guide for implementation of Life on Life Cycle Costing in the Federal Supply Services". 1989. U.S. General Services Administration, Washington.
"Life Cycle Analysis as an Aid Decision Making". 1985. Building Information Circular, Department of Energy, Office of Facilities Engineering and Property Management, Washington.
Mackenzie, J. 1997. "Turn your company's strategy into reality", Manufacturing Management, January, pp. 6–8.
Markeset, T. and Kumar, U. 2001. "R&M and risk analysis tools in product design to reduce life-cycle cost and improve product attractiveness", Proceedings of the Annual Reliability and Maintainability Symposium, 22–25 January, Philadelphia, pp. 116–122.
Markeset, T. and Kumar, U. 2003. "Design and development of product support and maintenance concepts for industrial systems", Journal of Quality in Maintenance Engineering, Vol. 9, No. 4, pp. 376–392.
Martorell, S., Carlos, S., Sanchez, A. and Serradell, V. 2000. "Constrained optimization of test intervals using a steady-state genetic algorithm", Reliability Engineering & System Safety, 67, pp. 215–232.
Martorell, S., Villanueva, J.F., Nebot, Y., Carlos, S., Sánchez, A., Pitarch, J.L. and Serradell, V. 2005. "RAMS+C informed decision-making with application to multi-objective optimization of technical specifications and maintenance using genetic algorithms", Reliability Engineering & System Safety, 87, pp. 65–75.
Modarres, M., Kaminskiy, M. and Krivtsov, V. 1999. Reliability Engineering and Risk Analysis, Marcel Dekker Inc., New York.
Nachlas, J. 1995. Fiabilidad, ISDEFE, Ingeniería de Sistemas, Madrid, España.
Navas, J. 1997. Ingeniería de Mantenimiento, Universidad de los Andes, Mérida, Venezuela.
Parra, C. 2002. "Evaluación de la Influencia de la Confiabilidad en el Ciclo de Vida de 16 Motocompresores del Distrito Maturín", Informe Técnico INT-9680, PDVSA INTEVEP, Venezuela.
Parra, C. and Omaña, C. 2003. "Análisis determinístico del Ciclo de Vida y evaluación del factor Confiabilidad en Motocompresores de gas para extracción de petróleo", Congreso Internacional de Mantenimiento, Bogotá, Colombia.
Riddell, H. and Jennings, A. 2001. "Asset Investment & Life Cycle Costing", The Woodhouse Partnership, Technical paper, London.
Roca, J.L. 1987. "An approach in the life cycle costing of an integrated logistic support", Microelectronics and Reliability, Vol. 27, No. 1, pp. 25–27.
Ruff, D.N. and Paasch, R.K. 1993. "Consideration of failure diagnosis in conceptual design of mechanical systems", Design Theory and Methodology, ASME, New York, pp. 175–187.
Scarf, P.A. 1997. "On the application of mathematical models in maintenance", European Journal of Operational Research, Vol. 99, No. 3, pp. 493–506.
Smith, C. and Knezevic, J. 1996. "Achieving quality through supportability: part 1: concepts and principles", Journal of Quality in Maintenance Engineering, Vol. 2, No. 2, pp. 21–9.
Tejms, H.C. 1986. Stochastic Modelling and Analysis, Wiley and Sons, New York, NY.
Vasiliy, V. 2007. "Recent advances in theory and applications of stochastic point process model in reliability engineering", Reliability Engineering & System Safety, Vol. 92, No. 5, pp. 549–551.
Willians, D. and Scott, R. 2000. "Reliability and Life Cycle Costs", RM-Reliability Group, Technical Paper, Texas, TX, November.
Woodhouse, J. 1991. "Turning engineers into businessmen", 14th National Maintenance Conference, London.
Woodhouse, J. 1993. Managing Industrial Risk, Chapman Hill Inc., London.
Woodward, D.G. 1997. "Life Cycle Costing: Theory, Information Acquisition and Application", International Journal of Project Management, Vol. 15, No. 6, pp. 335–344.
Yañez, M., Joglar, F. and Mohammad, M. 2002. "Generalized renewal process for analysis of repairable systems with limited failure experience", Reliability Engineering & System Safety, Vol. 77, pp. 167–180.
939
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
R.B. Duffey
Atomic Energy of Canada Limited, Chalk River, Ontario, Canada
A.B. Skjerve
Institute for Energy Technology, Norway
ABSTRACT: Industrial accidents, explosions and fires have a depressingly familiar habit of re-occurring, with
similar if not identical causes. There is a continual stream of major losses that commonly are ascribed to poor
operating and management practices. The safety risks associated with modern technological enterprises make it
pertinent to consciously monitor the risk level. A comprehensive approach in this respect is being taken by the
Petroleum Safety Authority Norway (PSA)’s program ‘‘Trends in Risk Levels Norwegian Continental Shelf.’’
We analyse the publicly available data provided by this program using the Duffey–Saull Method. The purpose of
the analysis is to discern the learning trends, and to determine the learning rates for construction, maintenance,
operation and administrative activities in the North Sea oil and gas industry. The outcome of this analysis allows
risk predictions, and lets workers, management and safety authorities focus on the most meaningful trends and
high-risk activities.
accident (called DFUs), covering many known major and minor outcomes. These indicators include data for the differing activity segments of the oil and gas offshore and onshore work (shipping, transport, maintenance . . .) and include events and abnormal activities (leaks, accidents and incidents . . .), plus the effectiveness of ‘‘barriers’’ (systems, practices and procedures . . .). The yearly trends of the quantitative data are analyzed as to whether these show change (increase, decrease, or not) of both the numbers and rates of indicator outcomes; and whether there is any relation to more qualitative measures based on attitudinal surveys.

Determining the safety level based on this type of calculation can, however, be a difficult task. The recent PSA report states: ‘‘On the basis of the data and indicators used in this project, no clear positive or negative trends can be observed in risk level. Most major accident indicators show an improvement in 2003 in relation to 2002. Serious injuries to personnel also show a decrease in 2003. The position is now on a level with the average for the previous 10 years. Cooperation and trust between the parties are seen as good.’’

Since the common factor and major cause in industrial accidents everywhere is the human involvement, it is postulated here that by understanding the prior outcomes, human learning and error correction, we can predict the probability of observing any outcome. The key questions to answer when looking at trends are: Are we learning from our past mistakes? What is the rate of learning now? What is it predicted to be in the future?

Precisely to quantify such issues, Duffey & Saull (2002) have derived measures and methods for the analysis of learning rates as direct indicators of safety improvement using existing worldwide outcome data for some 200 years and covering over 60 examples. The approach, called the Duffey-Saull Method (DSM), uses the Learning Hypothesis to analyze and predict errors, accidents, injuries and all other such risk outcomes as a function of experience. It assumes that with continuous exposure to a given operational setting humans will learn to master task performance, and that the manifest effect of learning will be lower accident/incident rates – because humans are assumed, as a starting point, to be the key contributing factor to accidents/incidents. The present Case Study applies these techniques and approaches to analyze the new and publicly available North Sea outcome data. Using the experience-based DSM, we try to discern the learning trends, and determine the learning rates for construction, maintenance, operation and drilling activities in the North Sea oil and gas industry. In our Case Study, we provide a basis to determine, prioritize, and compare the learning rates and injury trends between different key work phases. This analysis allows risk predictions, and provides guidance for workers, management and safety authorities to focus on the most meaningful trends and high-risk activities.

2 RISK INDICATOR DATA ANALYSIS

The procedure we use is to first determine the risk outcomes, rates and numbers, and their distribution with experience. The basic prior data for Norway for 1996–2005 are reported by the PSA in both graphical and tabular form (PSA 2007). Some equivalent data for the UK for 1992–2002 are tabulated in Yang & Trbojevic 2007 (Table 6.16, p. 195). All the data are typically given and analyzed by calendar year, such as the number of injuries to workers, broken down by different sub-categories of severity (e.g., major or total), and work location and/or activity type (e.g., fixed or mobile facility, drilling or maintenance).

To convert to a learning basis for analysis, we use the relevant measure of experience as the accumulated worker-hours, summing the year-by-year numbers reported. A typical spreadsheet (xls) tabulation and analysis of the rates is shown in Table 1 for a
subset in our observational interval. In this case, the data are for injuries in drilling at fixed facilities for Norway, and similar tables were made for all the various sets where numbers were available.

This Table is in general for the jth observation interval, with the sub-intervals within it. Such a tabulation is not by itself very informative, apart from illustrating the manipulations and steps in the necessary arithmetic for each experience increment:

1. adding up prior worker-hours to obtain the running total of the accumulated millions of hours of experience, ε (AccMh), for each ith sub-interval;
2. turning the injury numbers, n_i, into risk Rates per Mh by straightforward division;
3. calculating the non-dimensional experience, N*, by dividing each AccMh interval, ε_i, by the total accumulated experience, ε_T (ε_T = AccMh = 53 Mh); and
4. calculating the entropy (H_i = p_i ln p_i) in each ith sub-interval from the probability, where p_i = n_i/N_j, and N_j is the total number of injuries (N_j = Σ n_i = 1073).

To clarify the trends, typical results of such analysis of the raw data are then plotted in Figure 1. The figure also shows some UK data alongside the Norway data. By grouping the data together in this way, several key comparisons and observations are possible. In addition, to simplify the presentation, simple exponential fits are shown to the data, since we expect such a curve to crudely represent the improvement effects of learning (Duffey & Saull 2002).

Firstly, learning is evident in most of the data, but the absolute risk indicator rates are higher for some activities, and some task areas are clearly learning slower than others (the slope is half). We may predict that they will all reach some asymptotic but slow learning state, by about twice the present experience if learning continues. The most hazardous (highest risk) activities are clearly maintenance and drilling, and must be the areas of most safety importance and management attention.

[Figure 1. Typical data plot and simplified curve fits. Plot title: Offshore Risk Rates (Injuries Data: Norway 1996-2005 and UK 1992-2001); y-axis Rate/Mh (0–90), x-axis Work Experience, AccMh (0–80). Series: Norway administration, Norway production, Norway drilling, Norway construction, Norway maintenance, UK Major Injuries. Fitted curves shown: Rate (UK) = 63e^(−0.017 Mh); Rate (Norway) = 52e^(−0.014 Mh); Rate = 41e^(−0.0271 Mh), R² = 0.8883; Rate = 21e^(−0.0289 Mh), R² = 0.8865.]

Secondly, the lowest rates attained so far (in administration and production) are ∼5/Mh, or about 1 in 200,000 experience hours, in complete accord with the lowest risk found in any other industry (Duffey & Saull 2002). However, the highest rates are ten times more, or ∼1 in 20,000 experience hours, which is also comparable to other industries.

Thirdly, the UK has less experience, but a simple extrapolation forward of the rough fit to the major injury (MI) data, and backward extrapolation of the Norway maintenance data, shows similar event rate magnitudes and learning rates. The implication of similarly effective learning in Norway and the UK is that further research is needed into the influencing factors and causes of this similarity. Thus, we may predict and expect the UK rates to fall further and track down towards the Norway risk rates if such international learning continues. Similar convergence trends are observed with differing experience in, say, commercial aircraft near-misses and marine shipping accidents.

3 ARE WE DOING ENOUGH TO ENSURE SAFETY?

A key question for managers of hazardous industries is: Are we doing enough to ensure safety? In this section we will take a closer look at learning in a workplace setting, and suggest that this question may also be answered based on an assessment of the effectiveness of the joint initiatives taken by an organization (or an entire industry) to ensure safety.

Individuals learn as they gain experience (Ebbinghaus 1885). Employees in petroleum companies will learn from participation in the formal education and training programs offered by their organization. The aim of these programs is to ensure that all employees possess the competence, i.e. the skills, knowledge and attitudes required to efficiently perform their jobs to the specified standard (IAEA 2002; Skjerve & Torgersen 2007). As part of their engagement in the every-day work activities, the employees will moreover face a range of learning opportunities resulting from the myriad of different situations that arise from interactions between humans, technology and administrative systems. The employees will need both the competence acquired from the formal education/training sessions and the competence acquired based on the more informal experiences gained on-the-job, to be able to perform their tasks efficiently (Johnston & Hawke 2002). With increased experience, employees will obtain still more refined insights into the task performance process and their task performance
environment,¹ and gradually they will be able to perform the routine part of their tasks in a highly automated manner (Rasmussen 1986).

Observation, imitation, reflection, discussion, and repetition may all constitute important elements in employees’ learning processes. Handling of situations where unexpected occurrences happen in relation to task performance provides an important basis for learning. Such unexpected occurrences may be caused by human errors (e.g. errors of the particular employee, errors of colleagues – in some situations the errors may even be consciously introduced for the employees to learn something). Unexpected occurrences may also be caused by breakdowns in technology or administrative systems, or by any combination of the above factors. When unexpected occurrences arise, things will not progress according to plan, and this will spur the employees to develop a more comprehensive understanding of the task performance process and the work environment. This, in turn, will improve their ability to perform safely in future situations. Accidents constitute important, but highly unwarranted, learning opportunities. When accidents happen, they will tend to challenge the organization’s model of the risks it faces and the effectiveness of its countermeasures (Woods 2006). For this reason, radical changes may be implemented in the organization following an accident investigation. This suggests that not only individuals but also the organization as such may learn from experience.

Organizational learning may be defined as ‘‘. . . the capacity or processes within an organization to maintain or improve the performance based on experience’’ (DiBella 2001, Duffey & Saull 2002). A key element in organizational learning is the transformation of experiences gained by employees to the organizational level. In this process, however, the organization needs to be aware that not all the experiences gained by employees will contribute to increase the likelihood for safe performance: Employees are engaged in a continuous learning process. Misunderstandings of factors in the work environment, misunderstandings of the inter-relationship between these factors, inaccurate risk perception, etc. can all be expected to be (intermediate) elements or states in a learning process. In addition to the experiences of the employees, experiences obtained by other organizations or by other industries may also prove valuable to organizational learning. Organizational learning should be manifest in the structures and processes of the organization (Svenson 2006). Concretely, organizational learning may result in the introduction of new work practices, revisions of operational procedures, refinements of training programs, improvement in the safety management approach, etc. That is, in initiatives that jointly aim at ensuring safe and efficient production.

To facilitate learning processes at all levels in the organization it is important to ensure that a learning culture is engineered (Reason 1997). A learning culture can be defined as ‘‘. . . an environment in which opportunities for learning are openly valued and supported and are built, where possible, into all activities’’ (DEST 2005). It has been suggested that effective high-reliability organizations are characterised by their ability to learn as much as possible from the failures that occur (Weick & Sutcliffe 2001).

Finally, the importance of ensuring a sound safety culture is generally reckoned as a prerequisite for safe production in high-risk industries. The agenda among most actors in the Norwegian petroleum sector is to improve the safety culture both within and across the industry (Hoholm 2003). Safety culture can be defined as ‘‘. . . that assembly of characteristics and attitudes in organizations and individuals which establishes that, as an overriding priority, safety issues receive the attention warranted by their significance.’’ (Adapted from IAEA 1991, Yang & Trbojevic 2007). A sound safety culture means that the structures and processes of the organization should work together to ensure safety. Thus, deviations caused by the activities in one part of the organization should be compensated by the activity in other parts of the organization so that safety is always ensured (Weick & Sutcliffe 2001). A sound safety culture, moreover, implies that the attitudes and behaviours of employees should promote safety. In the context of the Norwegian petroleum industry, the impact of colleagues’ and managers’ attitudes to safety on the individual employee was demonstrated in two recent studies (Aase et al. 2005; Skjerve, in press).

One way to answer the question ‘‘Are we doing enough to ensure safety?’’ could be to calculate the effectiveness of the joint initiatives taken by an organization (or an entire industry) to ensure safety. In the next section, we introduce ‘‘H’’ as one such possible measure.

4 SAFETY CULTURE, RISK MANAGEMENT AND PREDICTION
Entropy risk measure, H, which Duffey & Saull (2007) suggest is the objective and quantitative measure of safety culture, management systems, organizational learning and risk perception. Thus, since we may regard H as a measure of the ‘‘disorder’’, this, of course, is the converse of ‘‘order’’, and hence is an indication of the effectiveness of these safety management processes.

The statistical theory that determines the outcome risk distribution yields an explicit expression for the Information Entropy, H, using the probability of the outcomes (Pierce 1980, Jaynes 2003, Duffey & Saull 2004, Duffey & Saull 2008). The degree of order is a function of the depth of experience based on the frequency of error state occupation, $n_i = p_i N_j$.

The classic result for the Information Entropy, H, is a measure of the uncertainty, or the ‘‘missing information’’ or the ‘‘degree of order’’, given by:

$$H_j = -\sum_i p_i \ln p_i \qquad (1)$$

Substituting in the expression for the Information Entropy, H, in the companion paper (Duffey & Saull 2008), we obtain:

$$H_j = \tfrac{1}{2}\, p_0\, e^{-aN^*} \left\{ aN^* + \tfrac{1}{2} \right\} \qquad (2)$$

[Figure 2: plot titled ‘‘Information Entropy – Offshore Injuries UK and Norway’’; only the title and a few axis ticks (0.4, 0.2, 0.15) survive extraction.]

. . . tions produced by unpredictable human behavior (the chaos) are reflected in the emergent order at the system behavior on the degree of order and on the risk trends with experience that are attained.

5 COMPARISON OF THEORY AND DATA

For the present Case Study, we can now compare this theory to the overall trends of a subset of the present risk indicator data, noting that we have evaluated the entropy already as part of the initial data analysis (see Table 1). To simplify, the data are normalized to the initial probability at the initial or lowest experience, where we take p_0 = 1 by definition. Figure 2 shows the Norway (injury) and UK (major injury and >3 day injury) data compared to the theory (SEST) prediction, but adopting a value of a = 1 for the shape or slope parameter in the entropy distribution.

Rather satisfyingly, the theory and data easily appear side-by-side on the same graph, lending some credence to this analysis. The other data shown for comparison purposes are the commercial aircraft near-misses (NMACs), because of the significant and traditional airline emphasis on safety (Duffey & Saull 2002). The NMACs line up rather better with the
theoretical prediction, but there are clearly some key differences between the oil and gas data set trends. Despite the scatter, we note for this data subset that the:

1. entropy distribution with experience lies above the theory line;
2. slope trend is less than the theory, indicating insufficient attainment of order;
3. data lie above the best aircraft practices (aircraft near-misses); and
4. best (but still far from perfect) fit to all the injury data is a straight line, not an exponential as we should expect.

The approximate straight line ‘‘fit’’ shown is H = 0.28 − 1.11 N*, which actually corresponds to the first two terms of the series expansion of the rather slowly-decaying exponential. Therefore, the implied first-order approximate value is a ≈ 1.11 for the distribution exponent.

All these trends and comparisons suggest symptoms of potentially insufficient learning, giving inadequate reduction in risk compared both to the expected ideal, and to other industries. This adverse trend was confirmed by plotting the rates against the Universal Learning Curve, and finding a similar value of k ∼ 1 for the learning rate constant.

6 CONCLUSIONS AND OBSERVATIONS

We are interested in predicting safety performance and accident occurrences utilizing quantitative analysis of prior data. These predictions should serve to inform the industry to facilitate decision making with respect to when more emphasis on safety initiatives is required. As the predictions express learning rates, they will allow companies to readily compare their learning rate with other companies in the same domain to establish whether they are on the right track. Likewise, the predictions allow for comparisons between entire industrial sectors, and they may in this way contribute to decisions of the national safety authorities when defining requirements to the various industrial sectors.

The two types of representations presented in this paper in Figure 1 and Figure 2 invite different interpretations of what spurs the learning rate. The representation used in Figure 1 may invite the interpretation that further accidents/incidents are necessary for learning to take place, whereas Figure 2 suggests that we can intercompare learning and progress using the existing knowledge.

Still, even if handling of unexpected events is a key element in the learning process (as discussed above), this does not imply that accidents/incidents will have to take place for people to learn. Accidents/incidents will only occur when the organization is not sufficiently robust to prevent human performance from having adverse implications. The fact that the learning rate seems to decrease only when incidents and accidents occur is caused by the fact that accidents/incidents (rather than e.g. successful outcomes) serve as input data for the model. In general, accidents/incidents can be expected to occur in lower frequencies as an organization or an entire industrial sector gains experience. This point of view is emphasised by the representation contained in Figure 2. It shows the learning rate based on the level of control an organisation or an industrial sector has over the production processes.

Based on our Case Study of the observed and published safety indicator data for some ten years of operation of Norway and UK North Sea oil and gas facilities, and the trends shown in a subset of the data, we observe that:

– Learning is occurring in the major risk indicators as experience is gained, and this trend is similar between Norway and the UK, indicating some commonality in approach and safety standards (after correction for differing experience);
– Certain activities, notably maintenance and drilling, apparently have much higher risk than others, both in numbers and rates, and suggest themselves as priority areas for management emphasis; and
– Evaluation of the Learning Entropy as a measure of the degree of order attained by safety management (suggested to represent organizational learning and safety culture) also indicates symptoms of potentially insufficient learning.

Extension of this Case Study to the complete set of risk indicators would be desirable; as also would revising the indicator choices to reflect priority of risk-related importance; and changing the conventional purely time-series manner of data reporting and analysis.

REFERENCES

Aase, K., Skjerve, A.B.M. & Rosness, R. 2005. Why Good Luck has a Reason: Mindful Practices in Offshore Oil and Gas Drilling. In: S. Gherardi & D. Nicolini (eds.), The Passion for Learning and Knowing. Proceedings of the 6th International Conference on Organizational Learning and Knowledge, vol. 1: 193–210. Trento: University of Trento e-books.
DEST, 2005. The website of the Department of Education, Science and Training of Australia. http://www.dest.gov.au/sectors/training_skills/policy_issues_reviews/key_issues/nts/glo/ftol.htm#Glossary_-_L (Accessed January 2008).
DiBella, A.K. 2001. Learning practices: Assessment and Action for Organizational Improvement. Upper Saddle River, N.J: Prentice-Hall.
Duffey, R.B. & Saull, J.W. 2002. Know the Risk, First Edition, Boston, USA, Butterworth and Heinemann.
Duffey, R.B. & Saull, J.W. 2004. Reliability and Failures of Engineering Systems Due to Human Errors, Proc. The First Cappadocia Int. Mechanical Engineering Symposium (CMES’-04), Cappadocia, Turkey.
Duffey, R.B. & Saull, J.W. 2007. Risk Perception in Society: Quantification and Management for Modern Technologies, Proc. Safety and Reliability Conference, Risk Reliability & Societal Safety (ESREL 2007), Stavanger, Norway, 24–27 June.
Duffey, R.B. & Saull, J.W. 2008. Risk Management Measurement Methodology: Practical Procedures and Approaches for Risk Assessment and Prediction, Proc. ESREL 2008 and 17th SRA Europe Annual Conference, Valencia, Spain, 22–25 September.
Ebbinghaus, H. 1885. Memory: A Contribution to Experimental Psychology. (Translated from: "Über das Gedächtnis"). http://psy.ed.asu.edu/∼classics/Ebbinghaus/index.htm (Accessed January 2008).
Hoholm, T. 2003. Safety Culture in the Norwegian Petroleum Industry: Towards an Understanding of interorganisational culture development as network learning. Arbeidsnotat nr. 23/2003. Oslo: Center for Technology, Innovation and Culture, University of Oslo.
IAEA, 1991. Safety Culture, Safety Series no. 75-INSAG-4, Vienna: International Atomic Energy Agency.
IAEA, 2002. Recruitment, Qualification and Training of Personnel for Nuclear Power Plants, Safety Guide no. NS-G-2.8, Vienna: International Atomic Energy Agency.
Jaynes, E.T. 2003. Probability Theory: The Logic of Science, First Edition, Edited by G.L. Bretthorst, Cambridge University Press, Cambridge, UK.
Johnston, R. & Hawke, G. 2002. Case studies of organisations with established learning cultures, The National Centre for Vocational Education Research (NCVER), Adelaide, Australia. http://www.ncver.edu.au/research/proj/nr9014.pdf (Accessed January 2008).
Johnson-Laird, P. & Byrne, R., 2000. Mental Models Website. http://www.tcd.ie/Psychology/Ruth_Byrne/mental_models/ (Accessed January 2008).
Moan, T. 2004. Safety of Offshore Structures, Second Keppel Offshore and Marine Lecture, CORE Report No. 2005–04, National University of Singapore.
Petroleum Safety Authority Norway (PSA) 2003. Trends in risk levels – Norwegian Continental Shelf, Summary Report, Phase 4–2003, Ptil-04-04, p. 11, Norway.
Petroleum Safety Authority Norway (PSA) 2007. Supervision and Facts, Annual Report 2006, Stavanger, Norway, 26 April, available at www.ptil.no.
Pierce, J.R. 1980. An Introduction to Information Theory, Dover, New York.
Prigogine, I. and Stengers, I. 1984. Order Out of Chaos: Man’s New Dialogue with Nature, Toronto, Bantam Books.
Rasmussen, J. 1986. Information Processing and Human-Machine Interaction. An Approach to Cognitive Engineering, System Science and Engineering, vol. 12, New York: North-Holland.
Reason, J. 1997. Managing the Risks of Organizational Accidents. Aldershot, UK: Ashgate.
Skjerve, A.B. (in press). The Use of Mindful Safety Practices at Norwegian Petroleum Installations. To be published in Safety Science.
Skjerve, A.B. & Torgersen, G.E. 2007. An Organizational-Pedagogical Framework to Support Competence Assurance Activities. In: T. Aven, J.E. Vinnem (Eds.), Risk, Reliability and Societal Safety: 1925–1932. London, UK: Taylor & Francis Group.
Svenson, O. 2006. A Frame of Reference for Studies of Safety Management. In (Ed.) O. Svenson, I. Salo, P. Oedewald, T. Reiman, A.B. Skjerve, Nordic Perspectives on Safety Management in High Reliability Organizations. Theory and Applications: 1–7. Valdemarsvik, Sweden: Stockholm University.
Weick, K.E. & Sutcliffe, K.M. 2001. Managing the Unexpected. Assuring High Performance in an Age of Complexity. San Francisco, CA: Jossey Bass.
Woods, D.D. 2006. Essential Characteristics of Resilience. In E. Hollnagel, D.D. Woods & N. Leveson, Resilience Engineering. Concepts and Precepts: 21–34. Aldershot, UK: Ashgate.
Yang, J. & Trbojevic, V. 2007. Design for Safety of Marine and Offshore Systems, IMarEST Publications, ISBN: 1-902536-58-4.
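As an added worked example (not part of the paper above), the Table 1 arithmetic of Section 2 (steps 1–4), the exponential learning-curve fit of Figure 1, and the entropy comparison of Sections 4–5 are carried through in Python on constructed year-by-year data. The worker-hours and injury counts are constructed, chosen only so that their totals match the Table 1 values the paper quotes (ε_T = 53 Mh, N_j = 1073); the log-linear least-squares fit is an assumed method for the "simple exponential fits" of Figure 1, and the per-sub-interval entropy is taken as −p_i ln p_i so that the step-4 contributions sum to equation (1). Equation (2) is transcribed as printed, with the paper's a = 1 and p_0 = 1 as defaults.

```python
import math

# Constructed sample data (not from the paper): worker-hours (millions) and
# injury counts per calendar year for one hypothetical activity segment.
YEARS = [1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005]
WORKER_MH = [5.0, 5.2, 5.5, 5.1, 5.4, 5.6, 5.3, 5.5, 5.2, 5.2]   # sums to 53.0 Mh
INJURIES = [180, 160, 140, 125, 110, 95, 80, 70, 60, 53]         # sums to 1073


def tabulate(worker_mh, injuries):
    """Steps 1-4 of the Table 1 procedure, one row per sub-interval i."""
    assert len(worker_mh) == len(injuries)
    eps_total = sum(worker_mh)       # eps_T: total accumulated experience (AccMh)
    n_total = sum(injuries)          # N_j = sum of n_i: total injuries in interval j
    rows = []
    acc = 0.0
    for mh, n_i in zip(worker_mh, injuries):
        acc += mh                    # step 1: running total eps_i (AccMh)
        rate = n_i / mh              # step 2: rate per Mh in this sub-interval
        n_star = acc / eps_total     # step 3: non-dimensional experience N* = eps_i / eps_T
        p_i = n_i / n_total          # step 4: probability p_i = n_i / N_j
        h_i = -p_i * math.log(p_i) if p_i > 0 else 0.0   # entropy contribution -p_i ln p_i
        rows.append({"acc_mh": acc, "rate": rate, "n_star": n_star, "p": p_i, "h": h_i})
    return rows


def total_entropy(rows):
    """Equation (1): H_j = -sum_i p_i ln p_i, the sum of the step-4 contributions."""
    return sum(r["h"] for r in rows)


def fit_exponential(xs, ys):
    """Least-squares fit of Rate = A * exp(-k * x) by linear regression on ln(Rate).

    Returns (A, k).  Assumed method for the exponential fits drawn in Figure 1;
    xs are accumulated experience values (AccMh), ys the matching rates per Mh.
    """
    ly = [math.log(y) for y in ys]
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ly) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ly))
    slope = sxy / sxx
    intercept = my - slope * mx
    return math.exp(intercept), -slope


def sest_entropy(n_star, a=1.0, p0=1.0):
    """Equation (2) as printed: H = 1/2 p0 exp(-a N*) (a N* + 1/2)."""
    return 0.5 * p0 * math.exp(-a * n_star) * (a * n_star + 0.5)


def linear_fit_entropy(n_star):
    """The straight-line 'fit' quoted in Section 5: H = 0.28 - 1.11 N*."""
    return 0.28 - 1.11 * n_star


if __name__ == "__main__":
    rows = tabulate(WORKER_MH, INJURIES)
    print("year  AccMh  rate/Mh   N*     p_i    -p ln p")
    for year, r in zip(YEARS, rows):
        print(f"{year}  {r['acc_mh']:5.1f}  {r['rate']:7.2f}  {r['n_star']:.3f}  "
              f"{r['p']:.4f}  {r['h']:.4f}")
    print("H_j (eq. 1) =", round(total_entropy(rows), 4))
    A, k = fit_exponential([r["acc_mh"] for r in rows], [r["rate"] for r in rows])
    print(f"exponential fit: Rate = {A:.1f} e^(-{k:.4f} Mh)")
    for ns in (0.0, 0.25, 0.5, 1.0):
        print(f"N*={ns:.2f}: theory (eq. 2, a=1) = {sest_entropy(ns):.4f}, "
              f"straight line = {linear_fit_entropy(ns):.4f}")
```

Run as a script it prints the Table 1 columns for the constructed data, the fitted rate curve, and the equation (2) curve beside the straight-line fit at a few values of N*, which is the comparison Figure 2 draws.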
Simon P. Wilson
Centre for Telecommunications Value-Chain Research, Trinity College Dublin, Dublin, Ireland
Suresh Goyal
Bell Labs Ireland, Dublin, Ireland
ABSTRACT: We describe a technique for estimating production test performance parameters from typical
data that are available from past testing. Gaussian mixture models are used for the data because it is often
multi-modal, and the inference is implemented via a Bayesian approach. An approximation to the posterior
distribution of the Gaussian mixture parameters is used to facilitate a quick computation time. The method is
illustrated with examples.
mixture model is used for x in most circumstances, since it is able to model a wide range of behaviour that we have seen in practical examples, such as extreme outliers, skewness and multi-modality. We let θ = {p_k, μ_k, σ_k² | k = 1, . . . , K} denote the Gaussian mixture component weights, means and variances. Therefore:

$$p_x(x \mid \theta) = \sum_{k=1}^{K} p_k \frac{1}{\sqrt{2\pi\sigma_k^2}} \exp\!\left(-\frac{1}{2\sigma_k^2}(x-\mu_k)^2\right), \qquad -\infty < x < \infty. \qquad (1)$$

We assume in this case that the measurement error is Gaussian:

$$p_{y|x}(y \mid x, s^2) = \frac{1}{\sqrt{2\pi s^2}}\, e^{-(y-x)^2/2s^2}, \qquad -\infty < y < \infty. \qquad (2)$$

Marginally, y is a Gaussian mixture with the same p_k and μ_k as x but with variances σ_k² + s². The model for x and y in terms of θ and s² is called the measurement model.

2.2 The test and repair model

A unit is classified to be good if x is in the interval (L, U). A unit passes the test if y is in the interval (L, U). The parameters of real interest pertain to the performance of the test. They are:

• G_I = P(L ≤ x ≤ U | θ), the proportion of good units;
• α_GG = P(L ≤ y ≤ U | L ≤ x ≤ U, θ, s²), the probability that a good unit passes the test;
• α_GB = 1 − α_GG, the probability that a good unit fails the test (a false negative);
• α_BB = P(y < L or y > U | x < L or x > U, θ, s²), the probability that a bad unit fails the test;
• α_BG = 1 − α_BB, the probability that a bad unit passes the test (a false positive);
• β_BG, the probability that a unit that is bad is repaired to good. This arises because a unit that fails the test is sent to be repaired and is then retested. There is imperfect repair, so truly bad units may not be repaired to good. We do assume, however, that truly good units that have failed the test cannot be repaired to be bad.

Figure 1 represents the test and repair process.

There are therefore 4 free parameters of the test and repair model: G_I, α_GG, α_BB and β_BG. It is important to note that the first three are defined in terms of the measurement model for x and y, while in this work we leave β_BG to be defined directly.

Figure 1. Flow chart of the test and repair model.

2.3 Data

There are three sets of measurements available:

1. Data from a set of ‘‘one-off’’ tests where a single unit is tested m times. Such tests are occasionally carried out by the engineers to learn about the repeatability of the test results and are clearly an important source of data to learn about p_y(y | x, s²). We define z_1, . . . , z_m to be the measured values from the one-off test, which we also refer to as ‘‘one-off data’’ in some equations. We also define x to be the unknown true value of the unit used in the one-off test.
2. Data from the ‘‘first-pass’’ test where n different units are tested. Let y_1, . . . , y_n denote the measured values from the first pass test, which are also denoted ‘‘first pass data’’.
3. Data from the ‘‘second-pass’’ test where n_2 units, that failed the first-pass test and were repaired, were measured again. In this case we only observe the number of units n_s that pass this test.

While the quantity being measured in the test may be continuous, sometimes the available one-off and first pass data only show whether the test was passed or not, e.g. the z_j and y_i are interval-censored to (L, U). It is difficult to fit the Gaussian mixture model to such interval censored data because they contain very little information about the number of components. However, we will show that it is possible to fit a single component Gaussian. We have found that it is sufficiently parsimonious to allow identification of the measurement model parameters and to produce sensible estimates of the test model parameters.

3 STATISTICAL INFERENCE

A Bayesian approach is adopted, so the goal is to compute the distribution p(G_I, α_GG, α_BG, β_BG | data). The likelihood is most easily written in terms of θ, s², β_BG
and also x, the true value of the unit used in the one-off tests. The deterministic relationships in Section 2.2 between the measurement model parameters (θ, s²) and the test model parameters then allow us to compute the posterior distribution of GI, αGG, αBG and βBG from that of θ, s² and βBG.

3.1 The likelihood

If the measurements themselves are recorded then the likelihood for z1, ..., zm and y1, ..., yn is:

3.2 Computing the posterior distribution

Currently we assume flat prior distributions for all model parameters, although we recognise that a lot of useful information could be incorporated into a prior that could improve the estimation, particularly in the case of censored data where the information in the data can be weak. We compute the posterior distribution of the test parameters p(GI, αGG, αBB, βBG | all data) as follows. We have found that the second pass data contain little information about GI, αGG and αBB, so we ignore it and use the approximation:
factorise the posterior.

p(θ*, s², x | one-off data, first pass data) ∝ p(s², x | one-off data) p(θ* | first pass data). (10)

To compute p(θ* | first pass data), the standard Bayesian approach to fitting a mixture model is by Monte Carlo simulation and requires a time-consuming reversible jump MCMC (Richardson and Green 1997). This is too slow for the practical implementation of this method, where we expect the test engineer to interact with the inference algorithm as a test sequence is designed. We adopt a much faster although more crude alternative that assumes that each set of component means and variances are independent, and so the posterior distribution is evaluated for each separately. This independence assumption is used in the variational Bayes approximation to mixtures (Constantinopoulos and Likas 2007). The number of components in the mixture K is determined by an initial fit using the fast message length algorithm (Figueiredo and Jain 2002). This method also gives point estimates of mixture means, variances and weights which we denote μ̂k, κ̂k² and p̂k. A posterior distribution on the μk, κk² and pk is fitted around these point estimates by first assigning each first pass observation to the mixture component with the smallest Mahalanobis distance (yi − μ̂k)/κ̂k. A posterior distribution for each component mean and variance pair (μk, κk²) is then computed separately using the observations assigned to it, using a Gaussian likelihood; the result is the standard conjugate normal-inverse gamma posterior for each (μk, κk²) separately (Gelman et al. 2003). Components with no observation assigned are eliminated. The posterior distribution of the pk is Dirichlet with the parameter given to pk equal to the number of observations assigned to it; this is again the conjugate posterior distribution for the pk. Thus we make the approximation:

k=1
× p(p1, . . . , pn). (11)

3.2.2 Censored Data Case

Here p(θ, s², x | one-off data, first pass data) is proportional to Equation 6, and we only attempt to fit a single component Gaussian model. Since in this case θ = (μ, σ²), there are only 4 unknown parameters—μ, σ², s² and x—and this distribution can be evaluated on a discrete grid, from which values of (θ, s²) are simulated.

4 EXAMPLES

Two examples are shown. One is simulated data and the other is a real data example. In both cases the posterior distribution of the test properties was computed using the method of Section 3.2.
Data were simulated from the Gaussian mixture model with 3 components. The means, variances and weights of the components were (3.0, 3.5, 20.0), (0.2², 0.4², 0.3²) and (0.2, 0.7, 0.1). The measurement variance is s² = 0.005² and the true value of the unit used in the one-off tests is x = 3.05. Units are accepted if they are measured to be in the interval (2, 4). This leads to true test model parameter values of GI = 0.826, αGG = 0.9992 and αBB = 0.9966; βBG was defined to be 0.9. Finally, sample sizes were n = 5000, m = 500 and n2 = 10. Note that the data are mainly concentrated in the accept interval but that there is a group of observations very far from that interval, centered around 20.0. Also note that the second pass data size is small; since few units fail the test, this is also typical. The presence of a group of extreme outliers like this is common in data from real tests. Figure 2 shows the marginal posterior distributions of GI, αGG, αBB and βBG. We see that the method has recovered the true test parameter values quite well. The much greater posterior variance for
the censored data. The analysis now gives posterior means and (2.5%, 97.5%) probability intervals as: GI = 0.950 (0.871, 0.997); αGG = 0.939 (0.880, 0.993); αBB = 0.697 (0.380, 0.962); βBG = 0.55 (0.13, 0.99). We see that the posterior distributions have considerably higher variance, reflecting the loss of information from the censoring.

5 CONCLUSIONS
ponent splitting. IEEE Transactions on Neural Networks 18, 745–755.
Dick, J.H., E. Trischler, C. Dislis, and A.P. Ambler (1994). Sensitivity analysis in economic based test strategy planning. Journal of Electronic Testing: Theory and Applications 5, 239–252.
Figueiredo, M. and A.K. Jain (2002). Unsupervised learning of finite mixture models. IEEE Trans. Pattern Anal. Mach. Intell. 24, 381–396.
Fisher, E., S. Fortune, M. Gladstein, S. Goyal, W. Lyons, J. Mosher, and G. Wilfong (2007a). Economic modeling of global test strategy I: mathematical models. Bell Labs Technical Journal 12, 161–174.
Fisher, E., S. Fortune, M. Gladstein, S. Goyal, W. Lyons, J. Mosher, and G. Wilfong (2007b). Economic modeling of global test strategy II: software system and examples. Bell Labs Technical Journal 12, 175–186.
Gelman, A., J.B. Carlin, H.S. Stern, and D.B. Rubin (2003). Bayesian Data Analysis (Second ed.). London: Chapman and Hall.
Richardson, S. and P. Green (1997). On Bayesian analysis of mixtures with an unknown number of components (with discussion). Journal of the Royal Statistical Society, Series B 59, 731–792.
Risk and evidence based policy making
Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds)
© 2009 Taylor & Francis Group, London, ISBN 978-0-415-48513-5
ABSTRACT: The main objective of this study is to define reliability requirements in relation to environmental impacts in critical areas in terms of environmental resource sensitivity. Nowadays many enterprises in Brazil are evaluated in this area in terms of many different environmental requirements, but the environmental impact of the enterprise or of the group of enterprises as a whole is not assessed, nor are their future modifications.
When the number of enterprises in a specific area increases, the risk of accidents also rises. In other words, reliability over time gets worse. Unfortunately, in most cases in Brazil the entire enterprise risk impact in a specific area and the decrease of reliability over time are not taken into account.
The methodology in question takes into account all the critical events which cause a serious environmental impact for each enterprise in the same area that take place over time. By taking into account all relevant events, it is possible to produce the Environment Diagram Block which covers all related events and their probability of occurring over time. This means that failures in any block represent accidents with potential environmental impacts.
The environmental reliability target is associated with the tolerable number of environmental impacts in a specific area, taking into account all events over a specific period of time. The tolerable number of accidents depends on social perception and environmental sensitivity.
For this analysis the Monte Carlo simulation has to be carried out over a period of time in order to define the Environmental Availability and Environmental Reliability related to the number of tolerable events. Moreover, in the case of any enterprise modifications or an increase in the number of enterprises, a new block will be entered in the Environmental Block Diagram and the new results will be assessed.
The first step is to discover the sensitivity of the ecosystem in terms of environmental impacts. For this the characteristics of the ecosystem have to be analyzed and its limits estimated. This is very difficult in many cases and almost impossible in others due to the complex features of ecosystems. Therefore, it is advisable that ecosystems be compared with others to estimate limits regarding environmental impacts. In this case, it is important to be conservative as regards the tolerable limits of events in order to preserve the environment.
After the environmental impact limits have been defined, the enterprises and their potential environmental accident impacts have to be studied. In this case historical accident data has to be analyzed and the density probability function established to discover accident frequency over time. In many cases accident frequency is considered constant over time, but this is not true in all situations. This concept significantly influences the analysis because some accidents increase in frequency in a specific period of time, which in turn allows these accidents to be discussed and in some cases leads to the discovery of their causes and the consequent proposal of preventive action in order to avoid future accidents.
The final step is to group all the enterprises and simulate events over time. The Monte Carlo simulation will be used, with the group of enterprises being represented by the Block Diagram Methodology. This analysis requires that the group of enterprises be taken as a single system. Each enterprise will be represented by a specific block and all blocks will be in series. This means that in the case of accidents the system will impact the environment and the reliability of system environments will be influenced by the enterprises' reliability.
After the simulation the system reliability will be analyzed and it will be possible to discover whether the target has been achieved and whether the number of accidents is higher or not. In negative cases, it is also possible to find out how much improvement is necessary to achieve the reliability target. The methodology is summarized below in Figure 1.

Figure 1. Environmental reliability analysis methodology. (Flowchart steps: 1 – Environment Sensitivity; 2 – Critical Events; 3 – Environment Diagram Block; 4 – Simulation; 5 – Critical analysis; 6 – Conclusion.)

3 ENVIRONMENTAL SENSITIVITY

Environmental sensitivity in some specific areas can involve issues with social, economic and environmental impacts in the case of accidents. To facilitate the understanding of environmental sensitivity, ESI maps were drafted to serve as quick references for oil and chemical spill responders and coastal zone managers. They contain three kinds of information:
Shorelines are ranked based on their physical and biological character, then color-coded to indicate their sensitivity to oiling.
Sensitive biological resources, such as seabird colonies and marine mammal hauling grounds, are depicted by shaded polygons and symbol icons to convey their location and extent on the maps.
ESI maps also show sensitive human-use resources, such as water intakes, marinas, and swimming beaches.
In the USA at present project scientists have created collections of ESI maps, called ESI atlases, for most coastal areas, including Alaska. To do this, vulnerable coastal locations have to be identified before a spill happens, so that protection priorities can be established and cleanup strategies identified. To meet this need, NOAA OR&R researchers, working with colleagues in state and federal governments, have produced Environmental Sensitivity Index (ESI) maps. An example section from an ESI map appears in Figure 2 below.
The Environmental Sensitivity Index (ESI) project team has developed a systematic method for creating ESI maps. Others are welcome to adopt this method when it proves useful to them. This section gives an introduction to the basic elements of ESI maps.
ESI maps include three kinds of information, delineated on maps by color-coding, symbols, or other markings:
• Shoreline Rankings: Shorelines are ranked according to their sensitivity, the natural persistence of oil, and the expected ease of cleanup.
• Biological Resources: Oil-sensitive animals, as well as habitats that either (a) are used by oil-sensitive animals, or (b) are themselves sensitive to spilled oil (e.g., coral reefs).
Table 1. Sensitivity rankings of marine habitats.

Sensitivity ranking   Habitat type
High                  Saltmarsh; Sheltered Rocky Intertidal; Special Use (endangered species/marine protected areas)
Medium – High         Seagrass Meadow (low intertidal to shallow subtidal)
Medium                Open Water Enclosed Bays and Harbours
Low – Medium          Exposed Sand/Gravel/Cobble Intertidal
Low                   Exposed Rocky Intertidal; Kelp Forest Subtidal; Open Water, Non-enclosed Nearshore and Offshore; Soft Bottom to Rocky Subtidal
Table 2. Vulnerability index and habitat recovery generalizations.

Vulnerability index¹   Shoreline type                                  Comments
10                     Marine Wetlands                                 Very productive aquatic ecosystems; oil can persist for decades
9                      Sheltered Tidal Flat; Boulder Barricade Beach   Areas of low wave energy and high biological productivity; oil may persist for decades
8                      Sheltered Rocky Coast                           Areas of reduced wave action; oil may persist for over a decade
7                      Gravel Beach                                    Same as Index 6; if asphalt pavement forms at high spring tide level it will persist for decades
6                      Mixed Sand/Gravel Beach                         Oil may undergo rapid penetration/burial under moderate to low-energy conditions; oil may persist for decades
5                      Exposed Compacted Tidal Flat                    Most oil not likely to adhere to or penetrate the compacted sediments
4                      Coarse Sand Beach                               Oil may sink and/or be buried rapidly; under moderate to high-energy conditions oil likely removed naturally within months
3                      Fine Sand Beach                                 Oil does not usually penetrate far into the sediment; oil may persist several months
2                      Eroding Wavecut Platform                        Wave-swept; most oil removed by natural processes within weeks
1                      Exposed Rocky Headland                          Wave reflection keeps most oil offshore

Note: 10 = most vulnerable, 1 = least vulnerable; the index is a qualitative rank order.

of a system, subsystem or equipment to work properly for a specific period of time. The reliability function requires historical data and uses methods like least squares to establish the PDF (probability density function) that best fits the historical data. The reliability function is as follows:

$R(t) = 1 - \int_0^{t} f(t)\,dt$

Depending on the PDF, the form of the reliability function can differ.
The reliability concept can be used in environmental analysis in order to establish the probability of an environmental impact not occurring in a specific period of time. It is possible to stipulate environmental reliability targets to limit the quantity of environmental impacts and increase the level of safety protection in one or more enterprises. Figure 3 represents the environmental reliability of oil spills in Japan, in relation to the worst events. Most of the events have occurred in the last 30 years, due to the increase in oil transport. The best PDF that represents the events is the Gumbel, with a correlation of 0.9484.
The remarkable aspect is that the frequency of this event is not constant, as is usually assumed in most risk analyses, but changes over time. The frequency index is:

$\lambda(t) = \frac{f(t)}{R(t)}$

Figure 4 below shows the frequency index, which is almost constant until 10 years and then starts to increase.
Environmental reliability can be used to prioritize critical areas or enterprises in terms of environmental impact risk, which can provide useful support for decision making related to the allocation of emergency resources. It should be noted that priorities will change over time depending on the PDF of the critical events.

Figure 3. Reliability vs time plot of oil spills in Japan (ReliaSoft Weibull++ 7; Gumbel-2P fit to 16 data points, reliability line with data points).
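The reliability function, the frequency index and the series-block Monte Carlo of the methodology section, as an added Python example (not the authors' code and not the ReliaSoft software): a two-parameter Gumbel time-to-accident law is put through R(t) = 1 − ∫₀ᵗ f(t) dt and λ(t) = f(t)/R(t), and a group of enterprises modelled as blocks in series is simulated to estimate the probability that no more than a tolerable number of accidents occurs in a period. The Gumbel parameters, the three enterprises and the 20-year horizon are assumed values chosen for illustration; the paper gives only the fit correlation.

```python
"""Environmental reliability, frequency index and series-block Monte Carlo.

Added example (not the paper's code or the ReliaSoft software).  A
two-parameter Gumbel (smallest-extreme-value) law models the time to a
critical event; R(t) = 1 - int_0^t f(u) du and lambda(t) = f(t)/R(t) follow
the paper, and the Monte Carlo treats enterprises as blocks in series so any
block event is an environmental impact.  All parameter values are assumed.
"""
import math
import random


def gumbel_pdf(t, mu, beta):
    """Gumbel-2P (smallest extreme value) density f(t)."""
    z = (t - mu) / beta
    return math.exp(z - math.exp(z)) / beta


def gumbel_cdf(t, mu, beta):
    """F(t) = P(time to event <= t)."""
    return 1.0 - math.exp(-math.exp((t - mu) / beta))


def reliability(t, mu, beta):
    """R(t) = 1 - int_0^t f(u) du, via the closed-form CDF.

    The integral starts at 0 as in the paper, so the small Gumbel mass below
    t = 0 is not counted as an event.
    """
    return 1.0 - (gumbel_cdf(t, mu, beta) - gumbel_cdf(0.0, mu, beta))


def reliability_numeric(t, mu, beta, steps=20000):
    """Same R(t) by trapezoidal integration of f, as a check on the closed form."""
    h = t / steps
    area = 0.5 * (gumbel_pdf(0.0, mu, beta) + gumbel_pdf(t, mu, beta))
    for i in range(1, steps):
        area += gumbel_pdf(i * h, mu, beta)
    return 1.0 - area * h


def frequency_index(t, mu, beta):
    """lambda(t) = f(t)/R(t): event frequency given no event up to t."""
    return gumbel_pdf(t, mu, beta) / reliability(t, mu, beta)


def sample_time(rng, mu, beta):
    """Inverse-CDF draw of a Gumbel-2P time to event."""
    u = rng.random()  # in [0, 1)
    if u == 0.0:
        return -math.inf  # F^{-1}(0); excluded by the 0 < t check below
    return mu + beta * math.log(-math.log(1.0 - u))


def series_reliability(blocks, horizon):
    """Analytic zero-event reliability of blocks in series: product of R_k."""
    result = 1.0
    for mu, beta in blocks:
        result *= reliability(horizon, mu, beta)
    return result


def environmental_reliability(blocks, horizon, tolerable, runs=20000, seed=1):
    """Monte Carlo P(number of events in (0, horizon] <= tolerable).

    blocks: (mu, beta) per enterprise, all in series, each contributing at
    most one event in the period.  tolerable = 0 reproduces series_reliability.
    """
    rng = random.Random(seed)
    ok = 0
    for _ in range(runs):
        events = sum(1 for mu, beta in blocks
                     if 0.0 < sample_time(rng, mu, beta) <= horizon)
        ok += events <= tolerable
    return ok / runs


# Constructed enterprise blocks (mu, beta) in years and a 20-year horizon.
ENTERPRISES = [(40.0, 6.0), (35.0, 5.0), (50.0, 8.0)]
HORIZON = 20.0

if __name__ == "__main__":
    mu, beta = ENTERPRISES[0]
    for t in (1.0, 10.0, 20.0):
        print(f"t={t:4.0f}  R(t)={reliability(t, mu, beta):.4f}"
              f"  lambda(t)={frequency_index(t, mu, beta):.5f}")
    print("zero-event reliability, analytic:", round(series_reliability(ENTERPRISES, HORIZON), 4))
    print("zero-event reliability, Monte Carlo:", environmental_reliability(ENTERPRISES, HORIZON, 0))
    print("one event tolerated, Monte Carlo:", environmental_reliability(ENTERPRISES, HORIZON, 1))
```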
Figure 4. Failure rate vs time plot, f(t)/R(t) (ReliaSoft Weibull++ 7).

$D(t) = \frac{\sum_{i=1}^{n} t_i}{\sum_{i=1}^{n} T_i}$

The concept takes into account the number of envi-

Figure (block labels): Submarine, Surface, Underground.
Table 4. Monte Carlo simulation results.

Figure 9. Drill blowout frequency. (Failure rate vs time plot, f(t)/R(t), “Multiplos 10 pocos”, ReliaSoft Weibull++ 7.)

Figure 10. Critical system events. (ReliaSoft BlockSim 7, RS FCI availability plot; item: Underground blowout.)

the whole system. This happens because in the Block Diagram, when a group of blocks is in series, the system availability will be lower than the lowest block availability, in which case the event which has the

In some cases certain events will happen many times but will not have an impact over time like others which happen much less frequently.

7 CONCLUSION

Environmental reliability is a powerful tool to support decision making related to environmental protection, defining limits for enterprises with reliability requirements and numbers of enterprises, and establishing the most vulnerable areas for the location of emergency teams.
Unlike the usual methodology, it is possible to consider a group of enterprises and critical events in simulation over a specific period of time. The difficulty is obtaining historical data about events and defining environmental limits for specific areas.
In the case of emergency teams it is considered that
delay. In real life this does not happen; therefore the specific model has to be evaluated taking into account the performance of emergency teams.
The remarkable point about historical data is understanding why accidents happen and whether the data fit well enough to be used in the current simulation case.
In this case study only drilling activities which affected a specific area were taken into account, but in addition all enterprises and the lifetimes of platforms and ships also have to be considered.
The next step in the case study is to consider all enterprise data which has an influence on environmental sensitivity in the area in question. Because of the environmental effects of other enterprises, drilling limits will probably be reduced in order to keep the number of catastrophic accidents lower than one during the lifetime in question.
ABSTRACT: Research suggests that public support for natural hazard mitigation activities is distorted due to choice anomalies. For that reason, preparedness measures are often implemented to an insufficient extent. From an ex-post perspective the lack of mitigation might result in a necessity for a risk transfer. On the other hand, based on the conclusions from the Samaritan's Dilemma, the anticipation of relief in case of a disaster event might induce individuals to diminish ex-ante protection activities.
In order to analyze the existence of this phenomenon in an international context, this paper discusses the impact of expected foreign aid in case of a natural disaster on the level of disaster mitigation activities. The results suggest that foreign aid in previous disaster years implies future ex-post charity and thus crowds out risk-management activities. The paper concludes with propositions on education about natural hazards aimed at countering the crowding-out of prevention.
Table 1. Large-scale disasters (1994–2004) and Development AID. (Columns: No.; Country; Year; Type; No. Killed; OECD Total Aid*; OECD Emerg. Aid*.)
the relationship of foreign aid and earthquake fatalities is presented. Finally, section 5 concludes.

2 THEORETICAL BACKGROUND

2.1 Choice anomalies

Whenever natural hazard events cause losses of human lives or destroy capital, the question of obligation has to be answered. From an ex-post perspective, insufficient early warning systems and mitigation activities are usually at the centre of criticism. But are preparedness activities, which cause costs, in fact desired by society from an ex-ante point of view? In order to answer this question it is first necessary to understand how people perceive risk.
Addressing this problem, Slovic et al. (1984) ask: “How should a single accident that takes N lives be weighted relative to N accidents, each of which takes a single life?” In other words: do people value the severity of an event, measured by the death toll, higher than the probability of events occurring in their decision process? The authors show that, in contrast to what research at the time suggested, it is not the severity but rather
the frequency of occurrence which dominates the risk perception of individuals.
Based on this result, a society should undertake more risk management activities for natural hazards which are more probable, and less for the more unlikely ones. Kahneman & Tversky (1974) point out the complexity of the problem by arguing that individuals' decisions are subject to choice anomalies. This theory proposes that standard expected utility theory does not sufficiently describe and predict individual behaviour under uncertainty (Frey & Eichenberger 1989). When it comes to natural hazards, individuals do not base their decisions on calculated probabilities, but rather use inferential rules known as heuristics (Kahneman & Tversky 1974). This suggestion has been clearly applied to the market for natural hazard insurance by Kunreuther (2000), who defined the situation as the “natural disaster syndrome”, a term that “links the lack of interest by those at risk in protecting themselves against hazards and the resulting significant financial burden on society, property owners, the insurance industry and municipal, state and federal governments when severe disasters do occur.” He points out that five heuristics are responsible for anomalies on the natural disaster insurance market. One main reason is connected to information biases. Individuals misperceive the risk of natural disasters because of extensive media coverage (“availability bias”), or they tend to overestimate the risk of being harmed by a natural hazard that has recently occurred. A second very typical heuristic in the area of natural hazard insurance is the common attitude “It won't happen to me!”¹. For example, consider a mountain farmer who has been living his whole life in an area with high avalanche risk (red zone)², where almost every year avalanches come down next to his farm. Nevertheless, he has no incentive either to move away or to insure his farm against potential losses. The third heuristic refers to the role of emotions connected to catastrophic events. Individuals may purchase insur-

of avalanche victims occurs, changes the individual's attitude towards avalanche risks tremendously. The fifth heuristic is concerned with the ambiguity about the probability that a natural disaster might occur. These vague probabilities lead to inefficiencies on the private insurance market. A publication by Kunreuther & Pauly (2004) included this idea in a formal model of decision-making costs under imperfect information and showed that individuals still refuse to purchase natural hazard insurance even if the premiums are attractive. The authors show that the demand-side inefficiency is a problem of a) transaction costs in order to obtain information and b) ambiguity about probability estimates by different insurance companies. The search for the optimal insurance imposes costs which are high enough to discourage the individual from engaging in any further mitigation activity⁴. Additionally, the insurance premiums are likely to be much higher because of vagueness about the probabilities.
Returning to the initial point of interest, individuals' preferences concerning risk mitigation, the above-mentioned results imply that this decision is more complex than expected and dependent on a multitude of features. The probability of occurrence as perceived by the individuals is likely to deviate from the actual value, which implies a suboptimal level of mitigation activities.
The results presented above suggest that insufficient mitigation is a consequence of decision anomalies. In order to get a clearer picture of people's preferences for risk mitigation, Flynn et al. (1999) interviewed 400 inhabitants of Portland, Oregon about their assessment of earthquake risk and their willingness to support the implementation of more rigorous building codes aiming to reduce seismic risk. The results suggest that, contrary to expectations, people are well informed about earthquakes and aware of seismic risk. Nevertheless, public support is primarily aimed at public facilities. The willingness to support priva