Sage Journals: Discover world-class research

Abstract

Syncretic oil pumping–gas compression stations exist because oil and gas pipelines often run parallel to one another. Risk assessment and safety management present challenges in these stations because they house large numbers of devices that perform complicated operations. Quantitative risk assessment is effective in predicting probabilities and consequences of accidents; however, this method does not clearly address accident causation and other important factors that can lead to major accidents. To supplement quantitative risk assessment, this article proposes a safety barrier–based accident model for oil and gas stations based on the Swiss cheese model. An example is employed to illustrate the application of the combined method in safety management. Risk levels for different subsystems are calculated in quantitative risk assessment, and safety barriers with bad performance in high-risk subsystems are identified based on the proposed accident model. These results indicate that the combined method can be efficient for a complicated system since it helps the operators focus on the cells with high risk instead of the whole system.

Keywords

Accident model quantitative risk assessment safety barrier safety management

Introduction

Oil and gas (O&G) are the main sources of energy in use around the world. Most O&G is transported from one location to another through pipelines.¹ As power sources for O&G pipelines, oil pumping stations and gas compression stations play a vital role in ensuring the smooth and reliable operation of O&G distribution systems. However, the flammable and explosive behavior of O&G, along with their polluting properties and adverse effects on human health, creates risks for facility staff, the general public, industrial assets, and the environment. Because of these dangers, comprehensive and systematic risk management and safety planning are important to the O&G industry. Risk assessment and management is more difficult in stations than in pipelines because stations operate larger numbers of devices that perform more complicated processes.

An exhaustive search of the literature in the public domain confirms that O&G companies, governmental agencies, consumers, and other stakeholders who are concerned about risk management concentrate primarily on the integrity of pipelines^2–6 and the effects of fires caused by O&G releases.^7–10 In contrast, risk assessment in stations remains in the exploratory stage, and scant information exists about risk and accident modeling in oil pumping stations, gas compression stations, and especially syncretic oil pumping–gas compression stations.

Recently, researchers in many countries have begun to address risk management based on quantitative risk assessment (QRA).¹¹ QRA is a tool capable of coping with complexity, and it defines a spectrum of risks based on defined scenarios.¹² QRA began in the Rasmussen’s WASH-1400 study published in 1975 for the Nuclear Regulatory Commission,¹³ which introduced the method of probabilistic risk assessment (PRA), equivalent to QRA. In 1981, the Norwegian Petroleum Directorate (NPD) issued the first formal requirement for offshore QRA according to its “Guidelines for Safety Evaluation of Platform Conceptual Design.”¹⁴ Many QRA developments have occurred during the subsequent three decades, and QRA is now applied worldwide to provide quantitative information on the risks associated with accidents in chemical and process plants.^15–17 However, the definition of risk used in QRA is quite narrow.¹⁸ QRA describes risk in terms of probabilities and possible consequences, which limits notions of causality and inadequately expresses uncertainty. Skogdalen and Vinnem¹⁹ suggested using the available information from a precursor incident as an input for the QRA methodology in order to identify all accident scenarios as well as factors that might produce surprising outcomes. They called this method Quantitative Risk Analysis Precursor Incident Investigation (QRA PII).

This article builds on the Swiss cheese model to construct a conceptual accident model that allows for precursor incident investigation in O&G distribution stations. The proposed model is then combined with QRA to identify hazards, probabilities, safety barriers, possible consequences, and other effects.

This article is organized as follows. Section “Swiss cheese model and its variations” provides a general overview of the Swiss cheese model and its variations. Section “Safety barriers and the bow-tie model” introduces the concept of safety barriers and their classifications, along with the conceptual safety barrier–based model. This is followed by the combination of the proposed model and QRA in section “Combing safety barrier–based accident modeling and QRA.” Section “Case study” illustrates the application of the combined method in a syncretic oil pumping–gas compression station. Finally, section “Conclusion” presents conclusions.

Swiss cheese model and its variations

Accident investigation methods are usually based on different causation models that help to establish a shared understanding of how and why accidents happen.²⁰ Many accident models exist for other O&G facilities, and these can provide references for accident modeling in oil pumping stations and gas compression stations. The available accident models differ depending on the individuals or teams performing the analysis as well as the objects analyzed.²¹ In general, however, accident models can be classified into three major categories.^22–24 The first category comprises simple linear system models, also known as sequential models, which adopt a sequential notion of causality and regard an accident as the result of a chain of discrete events that occur in a specific order. These models include domino theory,²⁵ sequential timed events plotting (STEP),²⁶ and the loss causation model.²⁷ The second category is made up of complex linear system models or epidemiological models. These models present an accident as the outcome of a combination of factors, analogous to the spread of a disease; examples include the Swiss cheese model (SCM)²⁸ and Bayesian belief networks (BBN).²⁹ The third category, systematic models, works on a systems level and describes an accident as the consequence of a coincidence of events rather than a deterministic succession of events. Examples of this type of model include the systems-theoretic accident model and process (STAMP)³⁰ and the functional resonance analysis method (FRAM).

Figure 1 illustrates the conceptual framework for SCM, in which slices of Swiss cheese represent successive safety barriers, and holes in the slices represent latent or precursive failures.³¹ Intuitively, safety is maximized when there are more barriers, smaller holes, and fewer holes. Accidents will not occur until all of the slices fail, which conveys the idea that an accident involves the convergence of events and conditions.

Figure 1.

Swiss cheese model adapted from Reason et al.³⁰

Based on Reason’s model, the universities of Leiden and Manchester developed the TRIPOD method for Shell’s Exploration and Production function.^32,33 This model pays special attention to failures at both the individual and the organizational levels, and it introduces the idea of latent failures as potential causes of future accidents. In 2007, Licu et al.³⁴ used the principles of SCM to propose the systematic occurrence analysis methodology (SOAM), which aims to broaden the focus of an investigation beyond human involvement issues by investigating latent conditions rooted in the organization. Kujath et al. proposed a special version of SCM that uses the safety barrier concept to prioritize the prevention of process accidents in an offshore environment. Later, Rathnayaka et al.³⁵ further developed the work of Kujath et al. by establishing a model that represents logical relationships among the barriers (see Figure 2). Rathnayaka also proposed the system hazard identification, prediction, and prevention (SHIPP) methodology, which describes the steps of process safety assessment and provides a guide to possible improvements at every step of the accident process.

Figure 2.

The process accident model adapted from Rathnayaka et al.³⁵

This study proposes a model that identifies vulnerabilities in a station’s safety barrier system, allowing operators to prevent an oil or gas leakage as well as to control and mitigate its consequences. This process is analogous to SCM. In order to apply SCM to a specific accident, all safety barriers and their potential failures must be identified at the very beginning of the process. The next section introduces the knowledge relevant to performing this task.

Safety barriers and the bow-tie model

As industry has developed, various safety barriers with different functions have been implemented to prevent accidents, which are mainly caused by human-induced hazards.³⁶ The concept of safety barriers is often related to the energy model (see Figure 3), which was first proposed by Gibson³⁷ and further developed by Haddon.³⁸

Figure 3.

The energy model (based on Haddon³⁸).

However, no universal definition exists for the safety barrier concept, and various industries, sectors, and countries employ similar terms like defense-in-depth,³⁹ layer of protection,^40,41 and safety function.^42–46 According to Hollnagel,⁴⁷ in daily language use, the term barrier often refers to a barrier function, which Sklet defined as follows based on a literature survey:

A barrier function is a function planned to prevent, control, or mitigate undesired events or accidents.

Correspondingly, Sklet defined safety barriers as follows:

Safety barriers are physical and/or non-physical means planned to prevent, control, or mitigate undesired events or accidents.

According to this definition, prevention barriers, detection and control barriers, and mitigation barriers should all be considered as possible components of a safety barrier system. In addition to these factors, this work also considers intrinsic safety barriers. The conceptual safety barrier–based accident model consists of four barrier subsystems, illustrated in Figure 4. Intrinsic safety barriers are implemented to counteract intrinsic defects and external hazards and reduce the likelihood of initiating events occurring. Prevention barriers are implemented to prevent threats from leading to a major event, like a gas or oil leak. Detection and control barriers limit the extent or duration of an event in order to prevent escalations such as a fire or explosion, while mitigation barriers reduce the severity of consequences.

Figure 4.

Safety barrier–based accident model.

In order to provide an easily understood visualization of the relationships among hazards, threats, controls, and consequences, a safety barrier diagram can be specially designed to resemble a bow-tie.⁴⁸ The bow-tie model is an adapted combination of fault tree and event tree diagrams linked to a critical event that represents a hazard.^49–51 The basic events and logic relating to safety barriers in bow-tie diagrams are encapsulated in a single item, reducing the number of symbols in the graph and yielding diagrams that are much easier for non-experts to understand.⁵² In a bow-tie diagram, the fault tree on the left helps to identify the prevention barriers that reduce the likelihood of a critical event occurring, while the event tree on the right allows for the identification of detection and control barriers that prevent the escalation of such an event, as well as the mitigation barriers that limit the consequences. Figure 5 shows a simplified bow-tie diagram.

Figure 5.

Basic bow-tie model.

Combing safety barrier–based accident modeling and QRA

O&G stations house numerous installations with very complex operations, creating myriad opportunities for something to go wrong. Unfortunately, developing a comprehensive overview of all possible scenarios and identifying root accident causes represent QRA’s Achilles heel. The bow-tie model includes a painstaking analysis of safety barriers, which is helpful in scenario development and causality identification. Therefore, the bow-tie model can supplement QRA in the safety management of a syncretic oil pumping–gas compression station, as illustrated in Figure 6.

Figure 6.

The combined structure of safety barrier–based accident modeling and QRA.

The first step in implementing this approach is to define a system and its boundaries. In general, a syncretic oil pumping–gas compression station is a complex system consisting of different subsystems. The initiating events and safety barriers vary across different subsystems, making it more effective to conduct QRA and analyze safety barriers on a subsystem basis. Once the subsystem is defined, a potential major incident, usually a hazard release, is determined. The next step is using QRA to calculate the probabilities and severities of the major incidents and their potential consequences. Table 1 illustrates the consequence categories used in this study, grouped by severity (China National Petroleum Corporation (CNPC)). The aggregate consequences of an O&G system failure include individual injury, property loss, production interruption, and environmental pollution. Consequence severity varies along a five-level scale: very low (VL), low (L), medium (M), high (H), and very high (VH).

Table 1.

Consequence categories (CNPC).

Category	Severity	Consequences
A	Very low (VL)	Individual injury (II)	No injuries or minor injuries
		Property loss (PL) (10⁴ yuan)	<10
		Production interruption (PI)	No influence
		Environmental pollution (EP)	Tiny pollution
B	Low (L)	Individual injury (II)	Significant injuries or toxic injuries/poisonings
		Property loss (PL) (10⁴ yuan)	10–100
		Production interruption (PI)	Short-term production interruption with alternative supply sources
		Environmental pollution (EP)	Slight pollution
C	Medium (M)	Individual injury (II)	1–2 deaths or 3–9 toxic/significant injuries
		Property loss (PL) (10⁴ yuan)	100–500
		Production interruption (PI)	Short-term production interruption or continuous limited supply
		Environmental pollution (EP)	Medium pollution
D	High (H)	Individual injury (II)	3–9 deaths or 10–49 toxic/significant injuries
		Property loss (PL) (10⁴ yuan)	500–1000
		Production interruption (PI)	Continuous production interruption or long-term limited supply
		Environmental pollution (EP)	Severe pollution
E	Very high (VH)	Individual injury (II)	10 or more deaths or 50 or more toxic/significant injuries
		Property loss (PL) (10⁴ yuan)	>1000
		Production interruption (PI)	Long-term production interruption
		Environmental pollution (EP)	Tremendous pollution

CNPC: China National Petroleum Corporation.

Next, a matrix from CNPC can be applied (see Figure 7) to estimate risk, which is the product of a probability and the severity of its consequences. The probability value is classified into five levels: (1) <1/10,000, (2) 1/10,000–1/1000, (3) 1/1000–1/100, (4) 1/100–1/10, and (5) >1/10. The risk value is divided into three levels linked to the three colors in the risk matrix; specifically, red indicates the highest risk, yellow represents a medium level of risk, and green denotes the lowest risk.

Figure 7.

Risk matrix adapted from CNPC.

Based on the QRA results, safety barrier–based accident modeling of high-risk subsystems can be performed using bow-tie diagrams. This process can identify defective, failed, and missing barriers, as well as produce recommendations for safety management and risk reduction.

Case study

This section describes the safety management of a syncretic oil pumping–gas compression station using the proposed safety barrier–based accident model combined with QRA. This station includes both an oil system and a gas system. As Figure 8 shows, four subsystems exist in the station: the gas system (orange area), the oil system (yellow area), the common facilities (purple area), and the administrative department (green area). The gas system includes four function zones, R1 through R4, and the oil system includes five function zones, R5 through R9. The nine function zones are labeled as follows:

R1: gas in/out area;

R2: gas process area;

R3: air cooler area;

R4: compressor area;

R5: oil in/out area;

R6: oil process area;

R7: group valve before oil tank;

R8: oil tank area;

R9: oil pump house.

Figure 8.

Functional zoning map of a syncretic oil pumping–gas compression station.

The probabilities of oil or gas release in every function zone can be calculated using LEAK software, with the effects of different scenarios analyzed using PHAST software. Both LEAK and PHAST were developed by Det Norske Veritas (DNV). Table 2 shows the QRA results.

Table 2.

QRA results.

Function zone	Failure frequency (1 year)	Frequency level	Consequence severity				Risk
Function zone	Failure frequency (1 year)	Frequency level	II	PL	PI	EP	Risk
R1	1.08 × 10⁻³	3		D	D		3D
R2	2.54 × 10⁻³	3		E	D		3E
R3	5.83 × 10⁻⁴	2		B	B		2B
R4	6.62 × 10⁻⁴	2	D	E	E		2E
R5	3.71 × 10⁻⁴	2	C	D	D		2D
R6	5.54 × 10⁻⁴	2	C	D	D		2D
R7	7.95 × 10⁻⁴	2	C	D	D		2D
R8	3.08 × 10⁻⁴	2	C	E	E	E	2E
R9	2.28 × 10⁻²	4	C	C	D	C	4D

QRA: quantitative risk assessment; II: individual injury; PL: property loss; PI: production interruption; EP: environmental pollution.

The risk levels of zones R2 and R9 are located in the red blocks of the risk matrix, indicating unacceptably high risk. Therefore, safety barrier–based accident modeling must be performed for R2 (gas process area) and R9 (oil pump house). Figures 9 and 10 show corresponding bow-tie diagrams for these two areas. The bow-tie diagrams describe barrier performance using different colors. Green represents more effective barriers, blue barriers are average or neutral, orange barriers are less effective, and white barriers are missing or absent.

Figure 9.

Bow-tie diagram of gas tank leakage in R2.

Figure 10.

Bow-tie diagram of oil leakage in R9.

The bow-tie diagrams for R2 and R9 identify some barriers with neutral or less-effective performances, which may present pathways for accidents. Therefore, actions are recommended to improve the performance of these barriers and reduce the risks (see Table 3).

Table 3.

Recommendations based on bow-tie analyses.

Barrier	Records	Action steps for improvement
Operation procedures	Operation procedures are not updated	Regularly review and update operation procedures; establish Management of Change (MOC) procedure
Staff training	Insufficient staff ability; insufficient staff training	Develop post-appraisal system; develop training program and plan
High-pressure alarm	High-pressure alarm devices are not tested	Instrument and equipment testing twice a year
Routine inspection and monitoring	No specific monitoring plan	Regular foundation settlement assessment
Security system	Only one gathering place is set for emergencies; only one person is on duty at night	Add an alternative gathering place; increase the site staff on duty at night; strengthen site supervision
Emergency measures for abnormal conditions	No emergency measures for abnormal conditions	Regularly review and update the emergency measures for abnormal conditions; identify a variety of abnormal conditions and determine responses
Ventilation	Water calibration area and oily water treatment area may form limited spaces	Adapt the water calibration area and oily water treatment area into unenclosed construction
Emergency management	No detailed procedures in the emergency plan; the emergency evacuation routes are not signposted; no oil spill emergency supplies; no emergency lighting in the process areas; emergency drill is conducted in a long cycle	Regularly review and update emergency procedures; consider emergency procedure updates in the MOC procedure; ensure that first aid equipment and medicine are available in accordance with actual needs; ensure that oil spill emergency supplies are in place; mark emergency evacuation routes; install emergency lighting; conduct desktop exercise once a week and practice once a month
Fire extinguishing system	Only two fire water tanks of 1500 m³ are available; the quality of fire water is poor	Check fire extinguishers and fire hydrants once a month; add alternative water supply source for fires; ensure that quantity and quality of water conform to the requirements for fire protection; assess the effectiveness of fire fighting in case of a large pool fire in oil transfer pump area
Closed-circuit television	Closed-circuit television cannot cover the whole pump area	Install industrial television in the oil transfer pump area
Human inspection	Short-staffed	Periodic inspection in a fixed route
Alarm and emergency shutoff	No control system of combustible gas detectors in the central control room; no broadcasting system	Install an acousto-optic alarm system and broadcasting system

Conclusion

Limited sources exist that provide useful information about accident models for stations in O&G distribution systems. This article has proposed a conceptual safety barrier–based accident model that can identify both potential accident scenarios and barriers that exist in different phases of accident evolution, including intrinsic safety barriers, prevention barriers, detection and control barriers, and mitigation barriers. Intrinsic safety depends on the system’s design and construction, and it is the primary requirement to guarantee system reliability. Secondary barriers are necessary to prevent initial factors or events from leading to an oil or gas leakage. Once a leak occurs, the primary safety concern is to reduce the possibility of accident escalation; corresponding measures should be taken to mitigate the effects of the leakage, especially when there is a fire or an explosion. In order to make the accident model concrete and practical, the proposed method employs bow-tie diagrams to perform safety barrier analyses.

The safety barrier–based accident modeling is combined with QRA to compensate for some of QRA’s weaknesses. The case study confirms that the combined method can be effective in the safety management of a syncretic oil pumping–gas compression station. QRA provides quantitative risk and singles out high-risk subsystems that require more attention, while safety barrier analysis identifies less-effective, neutral, or missing barriers and discusses potential improvements. Thus, the safety management workload would be reduced since the safety barrier analysis is carried out only for the high-risk subsystems instead of the whole system. In addition, the system security is also guaranteed because the managers can make improvements for barriers with bad performance according to the safety barrier analyses. The combination of quantitative analysis and qualitative analysis based on an accident model is an important innovation in the safety management of a complex system. Further theoretical and applied research should be conducted on this topic.

Footnotes

Academic Editor: Jun Ren

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National Key R&D Program of China (2016YFC0802100).

References

Shahriar

Sadiq

Tesfamariam

. Risk analysis for oil & gas pipelines: a sustainability assessment approach using fuzzy based bow-tie analysis. J Loss Prevent Proc 2012; 25: 505–523.

Chattopadhyay

Dutta

Vaze

. Development of new correlations for improved integrity assessment of pipes and pipe bends. Nucl Eng Des 2014; 269: 108–115.

Ding

Liu

Zhang

. High-frequency interference in low strain integrity testing of large-diameter pipe piles. Sci China Technol Sci 2011; 54: 420–430.

Qing

Beard

Shen

et al . Development of a real-time active pipeline integrity detection system. Smart Mater Struct 2009; 18: 269–273.

Kishawy

Gabbar

. Review of pipeline integrity management practices. Int J Pres Ves Pip 2010; 87: 373–380.

O’Grady

Harte

. Localised assessment of pipeline integrity during ultra-deep S-lay installation. Ocean Eng 2013; 68: 27–37.

Bonvicini

Antonioni

Morra

et al . Quantitative assessment of environmental risk due to accidental spills from onshore pipelines. Process Saf Environ 2015; 93: 31–49.

Cheng

et al . Fire spread simulation using GIS: aiming at urban natural gas pipeline. Safety Sci 2015; 75: 23–35.

Yang

Crittenden

. Use of CFD to determine effect of wire matrix inserts on crude oil fouling conditions. Heat Transfer Eng 2013; 34: 769–775.

10.

Zhu

Lin

Pan

. A CFD (computational fluid dynamic) simulation for oil leakage from damaged submarine pipeline. Energy 2014; 64: 887–899.

11.

Ahn

. A method of quantitative risk assessment for transmission pipeline carrying natural gas. J Hazard Mater 2005; 123: 1–12.

12.

Pasman

Rogers

. Bayesian networks make LOPA more effective, QRA more transparent and flexible, and thus safety more definable! J Loss Prevent Proc 2013; 26: 434–442.

13.

Rasmussen

. Reactor safety study: an assessment of accident risks in U.S. commercial nuclear power plants. Report, United States Nuclear Regulatory Commission, Rockville, MD, October 1975.

14.

Brandsæter

. Risk assessment in the offshore industry. Safety Sci 2002; 40: 231–269.

15.

Center for Chemical Process Safety (CCPS). Guidelines for chemical process quantitative risk assessment. 2nd ed. New York: American Institute of Chemical Engineers, 2000.

16.

Mannan

. Lees’ loss prevention in the process industries. 3rd ed. Oxford: Elsevier, 2005.

17.

Cozzani

Antonioni

Landucci

et al . Quantitative assessment of domino and NaTech scenarios in complex industrial areas. J Loss Prevent Proc 2014; 28: 10–22.

18.

Aven

. On how to define, understand and describe risk. Reliab Eng Syst Safe 2010; 95: 623–631.

19.

Skogdalen

Vinnem

. Combining precursor incidents investigations and QRA in oil and gas industry. Reliab Eng Syst Safe 2012; 101: 48–58.

20.

Sklet

. Methods for accident investigation. Trondheim: Gnist Tapir, 2002, p.7.

21.

Kujath

Amyotte

Khan

. A conceptual offshore oil and gas process accident model. J Loss Prevent Proc 2010; 23: 323–330.

22.

Hollnagel

. Barriers and accident prevention. Hampshire: Ashgate, 2004, p.45.

23.

Lundberg

Rollenhagen

Hollnagel

. What-you-look-for-is-what-you-find—the consequences of underlying accident models in eight accident investigation manuals. Safety Sci 2009; 47: 1297–1311.

24.

Xue

Fan

Rausand

et al . A safety barrier-based accident model for offshore drilling blowouts. J Loss Prevent Proc 2013; 26: 164–171.

25.

Heinrich

. Industrial accident prevention. New York: McGraw-Hill, 1941, p.13.

26.

Hendrick

Benner

. Investigating accidents with STEP. New York: Marcel Dekker, Inc., 1987, p.1.

27.

Bird

Germain

. Practical loss control leadership. Loganville, GA: Det Norske Veritas, 1996.

28.

Reason

. The contribution of latent human failures to the breakdown of complex systems. Philos T Roy Soc B 1990; 327: 475–484.

29.

Pearl

. Non-Bayesian formalisms for managing uncertainty. In: Pearl

(ed.) Probabilistic reasoning in intelligent systems: networks of plausible inference. San Francisco, CA: Morgan Kaufmann, 1988, pp.415–466.

30.

Reason

Carthey

De Leval

. Diagnosing “vulnerable system syndrome”: an essential prerequisite to effective risk management. Qual Health Care 2001; 10(Suppl II): ii21–ii25.

31.

Leveson

. A new accident model for engineering safer systems. Safety Sci 2004; 42: 237–270.

32.

Hudson

PTW

Groeneweg

Reason

et al . Application of TRIPOD to measure latent errors in north sea gas platforms: validity of failure state profiles. In: Proceedings from the 1st international conference on health, safety and environment, The Hague, 11–14 November 1991, paper no. SPE-23293-MS, pp.372–375. The Hague: Society of Petroleum Engineers.

33.

Hudson

PTW

Reason

Bentley

et al . Tripod delta: proactive approach to enhanced safety. J Petrol Technol 1994; 46: 58–62.

34.

Licu

Cioran

Hayward

et al . EUROCONTROL—systemic occurrence analysis methodology (SOAM)—a “reason”-based organisational methodology for analysing incidents and accidents. Reliab Eng Syst Safe 2007; 92: 1162–1169.

35.

Rathnayaka

Khan

Amyotte

. SHIPP methodology: predictive accident modeling approach. Part I: methodology and model description. Process Saf Environ 2011; 89: 151–164.

36.

Sklet

. Safety barriers: definition, classification, and performance. J Loss Prevent Proc 2006; 19: 494–506.

37.

Gibson

. Behavioral approaches to accident research. New York: Association for the Aid of Crippled Children, 1961.

38.

Haddon

. The basic strategies for reducing damage from hazards of all kinds. Hazard Prevent 1980; 16: 8–12.

39.

International Atomic Energy Agency (IAEA). Basic safety principles for nuclear power plants. Vienna: IAEA, 1999, p.17.

40.

Center for Chemical Process Safety (CCPS). Layer of protection analysis simplified process risk assessment. New York: American Institute of Chemical Engineers, 2001, p.11.

41.

Duijm

Andersen

Hale

et al . Evaluating and managing safety barriers in major hazard plants. In: Spitzer

Schmocker

Dang

(eds) Probabilistic safety assessment and management: PSAM 7—ESREL ’04, Berlin, 14–18 June 2004. London: Springer, 2004, pp.110–115.

42.

Harms-Ringdahl

. Assessing safety functions–results from a case study at an industrial workplace. Safety Sci 2003; 41: 701–720.

43.

Johnson

. MORT safety assurance systems. New York: Marcel Dekker, 1980.

44.

Kecklund

Edland

Wedin

et al . Safety barrier function analysis in a process industry: a nuclear power application. Int J Ind Ergonom 1996; 17: 275–284.

45.

Rosness

. Ten thumbs and zero accidents? About fault tolerance and accidents. Kjeller: Institute for Energy Technology, 2005.

46.

Svenson

. The accident evolution and barrier function (AEB) model applied to incident analysis in the processing industries. Risk Anal 1991; 11: 499–507.

47.

Hollnagel

. Memo—accident analysis and barrier functions. Halden: Institutt for Energiteknikk, 1999, p.3.

48.

Purton

Clothier

Kourousis

. Assessment of technical airworthiness in military aviation: implementation and further advancement of the bow-tie model. Procedia Engineer 2014; 80: 529–544.

49.

Chevreau

Wybo

Cauchois

. Organizing learning processes on risks by using the bow-tie representation. J Hazard Mater 2006; 130: 276–283.

50.

Cockshott

. Probability bow-ties: a transparent risk management tool. Process Saf Environ 2005; 83: 307–316.

51.

Mokhtari

Ren

Roberts

et al . Application of a generic bow-tie based risk analysis framework on risk management of sea ports and offshore terminals. J Hazard Mater 2011; 192: 465–475.

52.

Duijm

. Safety-barrier diagrams as a safety management tool. Reliab Eng Syst Safe 2009; 94: 332–341.

Combining accident modeling and quantitative risk assessment in safety management

Abstract

Keywords

Introduction

Swiss cheese model and its variations

Safety barriers and the bow-tie model

Combing safety barrier–based accident modeling and QRA

Case study

Conclusion

Footnotes

Declaration of conflicting interests

Funding

References