Professional Documents
Culture Documents
Yu Et Al-2017-Risk Analysis
Yu Et Al-2017-Risk Analysis
Yu Et Al-2017-Risk Analysis
12736
Safety analysis of rare events with potentially catastrophic consequences is challenged by data
scarcity and uncertainty. Traditional causation-based approaches, such as fault tree and event
tree (used to model rare event), suffer from a number of weaknesses. These include the static
structure of the event causation, lack of event occurrence data, and need for reliable prior
information. In this study, a new hierarchical Bayesian modeling based technique is proposed
to overcome these drawbacks. The proposed technique can be used as a flexible technique for
risk analysis of major accidents. It enables both forward and backward analysis in quantitative
reasoning and the treatment of interdependence among the model parameters. Source-to-
source variability in data sources is also taken into account through a robust probabilistic
safety analysis. The applicability of the proposed technique has been demonstrated through
a case study in marine and offshore industry.
KEY WORDS: Event tree; fault tree; hierarchical Bayesian modeling; major accidents; probabilistic risk
analysis
tegrity and Safety Engineering (CRISE), Faculty of Engineer- gation from the top event is not possible.(4,5) An-
ing & Applied Science, Memorial University of Newfound- other major limitation of such an analysis exists if
land, St John’s, NL, Canada A1B 3xS; tel: +1 709 864 8939; the top event is a major accident with extremely low
fikhan@mun.ca.
1668 0272-4332/17/0100-1668$22.00/1
C 2017 Society for Risk Analysis
Risk Analysis of Major Accidents 1669
frequency of occurrence. The data samples for the update the probability of each consequence occur-
basic events might be sparse, leading to highly biased ring; the reverse is not possible.(11,12) For the same
estimations. Consequently, the computed occurrence reason, the estimation of occurrence probability of a
probability of the top event might not represent the major accident given the occurrence of its precursory
real situation. events using backward analysis is not possible either.
Estimating the probability of occurrence of ma- To address the above limitations of the fault
jor accidents is an indispensable element of prob- tree and event tree analysis, several researchers have
abilistic risk analysis and has become an active proposed to convert both models into a Bayesian
research direction in recent years.(6,7) Major acci- network (BN) model.(5,13,14) In this particular
dents are defined as low-frequency events causing conversion, the initial event, safety barriers, and
fatalities and catastrophic environmental or capi- consequences of the event tree are modeled as
tal losses. Conventional probability estimation tech- root node, intermediate nodes, and leaf nodes,
niques, whether they are parametric or nonpara- respectively. The qualitative relationships between
metric, rely heavily on availability of data samples. these nodes in the Bayesian network are extracted
The estimated probability asymptotically approaches from the event tree diagram. The quantitative rela-
the true probability as the number of data samples tionships are represented as conditional probability
increases.(8) However, this property is not applica- tables (CPTs). The conversion of a fault tree into a
ble to probability estimation of major accidents due BN follows a similar procedure: the basic events are
to their low frequency of occurrence: the number the root nodes and the top event is the leaf node.
of major accidents may not be adequately large to One of the major advantages of such a conversion is
yield unbiased and realistic probability estimation. that both forward and backward analysis are permit-
The use of precursor-based probability estimation ted in BN. This enables the update of probabilities of
that accounts for the number of occurrences of the safety barriers and basic events given the number of
precursory events of the major accidents has been occurrences of the consequences and the top event,
proposed to overcome this limitation.(9,10) respectively.
A major accident and its precursors are con- The probability updating performance of BN de-
sidered to be consequences evolving from the same pends on the accuracy of prior probability distribu-
initial event in the context of present work. The tion of the root nodes and the reasonableness of the
precursory events belong to the consequences of CPTs. Normally, these two sets of parameters are es-
the initial event if at least one safety barrier is in timated from data or given by expert judgment. In
its working state. However, a major accident is the the first case, data samples for the root nodes are as-
consequence of the initial event when all safety sumed to be observed without uncertainty. However,
barriers have failed. In this respect, the relationships this assumption rarely holds in practice. It is often the
between the initial event, safety barriers, and the case that data samples collected under limited condi-
final consequences can be represented using an tions do not contain enough information to allow for
event tree diagram. To obtain the probability of good generalization characteristics. To counteract
occurrence of each consequence, a forward analysis this problem, collecting data samples from sources
is conducted on the event tree, which requires the with varying conditions is necessary. This process
probability (or rate) of occurrence of the initial event introduces inevitable uncertainty in data samples,
and the probability of failure of each safety barrier. known as the source-to-source variability.(14) Tradi-
Compared to a major accident, the initial event may tional Bayesian modeling is not able to handle such
have a higher occurrence frequency, making it possi- uncertainty. In the second case, there is also inher-
ble to estimate its probability through conventional ent uncertainty associated with expert judgment, the
statistical methods such as maximum likelihood rationality of which is subjected to background, train-
estimation (MLE). However, the probabilities of ing, and experience.
failure of the safety barriers are difficult to obtain A hierarchical Bayesian modeling (HBM) tech-
because the number of occurrences of each conse- nique is proposed to cope with source-to-source vari-
quence dictates them, which could be too small (in ability in data samples.(15,16) In HBM, an additional
the case of major accident) for a reliable estimation. level of Bayesian modeling is imposed on the pa-
Furthermore, similar to the fault tree, the event tree rameters of a base distribution. More specifically,
model is static, allowing only forward analysis, that the parameters of a base distribution are considered
is, information can only flow from the initial event to to be drawn from a prior distribution governed by
1670 Yu, Khan, and Veitch
a set of hyper parameters. These hyper parameters eling of arctic shipping is proposed in the second case
are also randomly generated from a noninformative study. Finally, the major findings and conclusions of
distribution. A prior distribution with its hyper pa- this study are summarized in Section 5. In addition,
rameters drawn from a noninformative distribution directions for future work are outlined.
is called a noninformative prior. The noninformative
prior is used to ensure uncertainty in data samples is
2. BACKGROUND
modeled in the posterior distributions without bias.
In this case, the updated posterior distributions are There are two common ways of estimating the
also known as the informative posteriors. To obtain parameters of a probability distribution from data
informative posteriors, data samples are first incor- samples, namely, the MLE and the Bayesian MLE.
porated into a likelihood function. In this work, a MLE assumes that the observed data samples can
multivariate likelihood function is proposed for both only be generated from a single probability distri-
fault tree and event tree. Model parameters of the bution with a fixed parameter. This parameter is
fault tree and event tree are also jointly modeled obtained as the one that maximizes the likelihood
in the likelihood function. The noninformative prior of the data samples under the given probability
and the multivariate likelihood function are then distribution. However, Bayesian MLE considers a
combined using Bayes’s rule to produce the infor- number of candidate probability distributions whose
mative posteriors of the model parameters. Subse- parameters are sampled from another generic dis-
quently, the expected values of model parameters tribution, known as the prior. In this case, the op-
with respect to their corresponding informative pos- timal parameter is obtained as the one that maxi-
teriors are computed. These expected values are then mizes the joint likelihood of the data samples and the
fed back to their base distributions to predict the ex- prior. A graphic illustration based on the Venn dia-
pected number of occurrences of undesired events in gram is provided in Fig. 1 (a) and (b) to demonstrate
the next time interval. the difference between MLE and Bayesian MLE,
There are three major advantages of the pro- where D represent the data samples, θ is the param-
posed technique. (1) Model parameters of the event eter of interest, and is the sample space for θ . It
tree and fault tree are modeled in a joint likeli- is noted that for MLE, p(θ̄) = 1, indicating there is
hood function such that the interdependence be- only one probability distribution with parameter θ̄
tween these parameters is fully explored, leading that could explain D. This often leads to a data over-
to more realistic probability estimations of the top fitting problem. For Bayesian MLE, there are many
events and the consequences. (2) The use of joint possible probability distributions with their parame-
likelihood function also precludes the need of a BN ters sampled from and P() = 1. The data overfit-
to model parameter interdependence. This also as- ting problem is effectively avoided by exploring the
sists in reducing the uncertainty of creating CPTs entire sample space of θ .
based on expert knowledge. Meanwhile, both for- Although Bayesian MLE is effective in model-
ward and backward analysis are also permitted. (3) ing uncertainty in θ , it is not able to deal with un-
Source-to-source variability of the data samples is ef- certainty in D. In fact, both MLE and Bayesian as-
fectively incorporated in the modeling to further re- sume that all data samples are collected under strictly
duce the uncertainty in estimation. In summary, the consistent conditions—they are generated from the
proposed technique provides a flexible and universal same probability distribution. However, this is rarely
framework to extend the capability of both event tree true in practice, particularly for accident modeling,
and fault tree, by enabling bidirectional analyses and in which data samples are preferred to be collected
handling of data uncertainty. from different sources to cover a broad spectrum of
The remaining parts of this article are organized scenarios. This also implies that data samples for rare
as follows. The mechanism of the HBM is first in- accident modeling might be generated from different
troduced in Section 2. The HBM of the fault tree distributions.
and event trees are illustrated in detail in Section 3. To cope with source-to-source variability in data,
In Section 4, the proposed technique is applied to a two-stage Bayesian procedure was first proposed in
two case studies in marine and offshore operations. the work of Kaplan,(17,18) which was also the prelim-
The first case study focuses on verifying the applica- inary form of the HBM. Since then, much develop-
bility of the proposed technique using real industrial ment has been done to improve the performance and
data, whereas a general framework for accident mod- extend the capability of this original form. In recent
Risk Analysis of Major Accidents 1671
α ∈Α
θ ∈Θ β ∈Β
years, with the development of advanced sampling likelihood functions. In most cases, the derivation of
techniques such as the Markov Chain Monte Carlo Jeffrey’s prior for complex and multivariate likeli-
(MCMC) simulation, the improved HBM has be- hood function ends up to be intractable. A diffuse
come more capable of handling complex likelihood gamma prior has been proposed in the work of Kelly
functions. Despite the state-of-art development, the et al.(21) and Yan et al.(22) as an alternative to Jeffrey’s
fundamental principle of the HBM remains the same prior for complex likelihood function. In this study,
and is briefly introduced in the ensuing paragraphs. this diffuse gamma prior is used as the noninforma-
Similar to Bayesian MLE, HBM also models tive prior for modeling data uncertainty.
the uncertainty of data samples in the prior distri- The noninformative prior can be updated using
bution of θ , by means of sampling hyper parame- data D to form an informative posterior of the pa-
ters of θ from a noninformative distribution. Specif- rameter of interest.(23) This informative posterior is
ically, as shown in Fig. 1(c), if p(θ |α, β) is the prior derived through three basic steps. In the first step,
distribution of θ , α and β are the hyper parame- the likelihood function of the hyper parameters is
ters and are sampled from a noninformative distri- obtained by computing the expectation of the likeli-
bution, P(A, B). A noninformative distribution is a hood function l(D| θ ) with respect to the parameter
probability distribution that does not give prefer- of interest, θ .
ence to generation of data samples within any par-
ticular range. This enables a wide range of α and β l(D| α, β) = l(D| θ ) p(θ | α, β)∂θ (1)
values to be generated, making p(θ |α, β) as generic
as possible to cover all possible data generation One of the major focuses of this study is to con-
sources/distributions. More importantly, when used struct a multivariate from of l(D|θ ) for both fault tree
for Bayesian updating, a noninformative prior does and event tree so that all the parameters are jointly
not have a strong influence on its posterior distri- modeled. Upon acquiring the likelihood function of
bution. This forces the Bayesian update to be com- the hyper parameters, the posterior distribution of
pletely dependent on data. The resulting posterior the hyper parameters is determined through Bayes’s
distribution not only takes into account the uncer- theorem.
tainty in data but also accurately reflects their true p(α, β)l(D| α, β)
nature. p(α, β | D) = (2)
p(α, β)l(D| α, β)∂α∂β
The uniform distribution is typical choice of non-
informative distribution for hyper parameters, due It is noted that the double integrals in the de-
to its assignment of equal probability to all values nominator might be intractable. This issue can be ad-
within a certain range. There are two major issues dressed by first applying MCMC to sample α and
associated with the use of uniform distribution as a β from their joint distribution p(α, β). Then, the
noninformative distribution. First, the support of the integrals are approximated by the sample mean of
uniform distribution is finite, allowing only samples l(D|α, β). In the third step, the posterior distribu-
within a certain range to be generated; data gener- tion of θ given data, p(θ |D), is computed through
ation is biased. Second, the uniform distribution is marginalizing over α and β.
not invariant under reparameterization, which vio-
lates the Jeffrey rule of noninformative prior.(19) non- p(θ | D) = p(θ |α, β) p(α, β | D)∂α∂β (3)
informative priors satisfying Jeffrey’s rule are known
as the Jeffrey’s prior.(20) There is only a limited num- Likewise, the solution of the double integrals
ber of Jeffrey’s priors available for some well-known could be approximated in a similar way by calculating
1672 Yu, Khan, and Veitch
p (θ | D)
∫∫
α , β p (α , β | D )
3 1
Fig. 2. Graphic illustration of HBM procedure.
p (α , β | D) p (θ | α , β ) p( D | θ )
∫
θ
2
∫∫
α , β ~ p (α , β )
p( D | α , β ) p (α , β )
where p(Dt |θ ) is recomputed for every time interval Fig. 3. Fault tree example.
t between which new data samples are collected.
interval is the same and is denoted as N. Putting this This joint likelihood function is then used to
in the context of safety analysis, nt is the number of compute the joint likelihood function of the hyper
accidents in a specific time period, i.e., a year, while N parameters.
is the total number of operations in the same period.
Because of the limitation of the fault tree, the estima- p(D| α, β) = p(D| θ) p(θ | α, β)∂θ (10)
tion of the model parameters θi , i ∈ {1, 2, 3, 4}, given
only the data of the top event, is not possible. The integral in Equation (10) is overloaded to
The above parameter estimation problem can be simplify the notations. As described in Section 2, this
formulated into the HBM framework for an easy overloaded integral can be solved by calculating the
solution. In this formulation, the basic events and sample mean of p(D|θ). The samples of θ are gen-
the top event of the fault tree are considered to erated from MCMC simulations of p(θ |α, β). Subse-
be binomial random variables whose probabilities quently, the joint posterior distribution of the hyper
of failure are θi , i ∈ {1, 2, 3, 4}, and π , respectively. parameters is obtained using Bayes’ theorem.
In this regard, the number of occurrences for both p(α, β) p(D| α, β)
the basic events and the top event follow a binomial p(α, β | D) = (11)
p(α, β) p(D| α, β)∂α∂β
distribution:
Similarly, the double integral in the denomina-
N t t
p(mi |N, θi ) =
t
θ mi (1 − θi ) N−mi , (6) tor is overloaded and its solution can be approxi-
mit i
mated by conducting MCMC simulations on p(α, β).
Finally, the joint posterior distribution of θ , or the in-
N t t formative posterior is determined through marginal-
p(nt |N, π ) = π n (1 − π ) N−n , (7)
nt ization.
where mit is the number of occurrences of basic event p(θ | D) = p(θ |α, β) p(α, β | D)∂α∂β (12)
i during the tth interval. The distribution in Equa-
tion (6) is considered to be the base distribution of The individual parameter for each of the basic
the basic event i. To take into account the source-to- events can be obtained in an analogous manner, for
source variability in data samples, a noninformative instance, as shown in Equation (13).
prior is imposed on the parameter of interest, θi . It
is noted that a noninformative prior is not assigned p(θ1 | D) = p(θ | D)∂θ2 ∂θ3 ∂θ4 (13)
to the top event as the source-to-source variability in
data of the top event originates from the uncertainty Finally, the estimated number of occurrences for
in the basic events, as a result of the fault tree struc- each basic events for the next interval T + 1 is given
ture. As θi is the parameter of a binomial distribu- as:
tion, its prior is then chosen as a conjugate prior of p(mi |D; N) = p(mi |θi ; N) p(θi |D)∂θi ,
the binomial distribution, which is a β distribution.
(αi + βi ) miT+1 = mi p(mi |D; N)dmi . (14)
p(θi |αi , βi ) = θi αi −1 (1 − θi )βi −1 (8)
(αi ) + (βi )
As demonstrated in the above procedure, it is
To construct a noninformative prior θi , the possible to conduct backward analysis on fault tree
hyper parameters αi and βi are sampled from using HBM; the parameters of the basic events can
the diffuse gamma distribution, αi , βi ∼ gamma be estimated with only data samples of the top event.
(0.0001, 0.0001). Let θ = { θ1 , θ2 , θ3 , θ4 }, α = { α1 , These parameters are also modeled in a joint dis-
α2 , α3 , α 4 }, and β = { β1 , β2 , β3 , β 4 }, the joint like- tribution that takes into account their interdepen-
lihood function for θ (as shown in Equation (9)) is dence as opposed to the assumption of complete in-
determined by substituting Equation (5) into Equa- dependence of the traditional fault tree. In addition,
tion (7). the use of a noninformative prior in HBM ensures
T
the source-to-source variability in data samples is ac-
N t counted for in the estimation process without bias.
p(D|θ) = (θ1 θ2 (θ3 +θ4 −θ3 θ4 )n
nt The estimated values better reflect the real situation.
t=1
t
As compared to many works using a Bayesian
× (1−θ1 θ2 (θ3 +θ4 −θ3 θ4 )) N−n (9) network approach to model fault trees,(3,5,24,25) the
1674 Yu, Khan, and Veitch
Table I. Number of Successes and Failures for SB1 and SB2 other and their occurrence probabilities sum up to
4
1, i=1 πi = 1. Under this setting, the joint likelihood
Number of Successes Number of Failures
function of these four parameters can be modeled as
SB1 d1t + d2t d3t + d4t a multinomial distribution function:
SB2 d1t + d3t d2t + d4t l(D|π1 , π2 , π3 , π4 )
T
kt ! d1t d2t d3t d4t
= t t t t π1 π2 π3 π4 , (17)
Because the number of failures of SB1 is assumed d1 !d2 !d3 !d4 !
t=1
to follow a binomial distribution, the likelihood func-
where kt is the total number of occurrences during
tion of SB1 is given as:
time interval t, kt = d1t + d2t + d3t + d4t . As a result, the
T
likelihood function of θ, l(D|θ) is obtained by substi-
p(D1 |θ1 ) = p ( f t = d3t +d4t |kt = d1t + d2t +d3t +d4t , θ1 ) tuting Equation (16) into Equation (17).
t=1
T
T
kt kt ! t
=
t
θ1 f (1 − θ2 )k − f
t t
(15) l(D|θ) = (1 − θ1 )(1 − θ2 )d1 (1 − θ1 )
ft dt !dt !dt !dt !
t=1 t=1 1 2 3 4
t t t
The conjugate prior for Equation (15) is a β × θ2 d2 θ1 (1 − θ2 )d3 θ1 θ2 d4 (18)
distribution, p(θ1 |α1 , β1 ). In this case, the hyper
parameters α1 and β1 are sampled from the dif-
To form the noninformative prior for θ ,
fuse gamma distribution. Then, Equations (1)–(3)
the hyper parameters of θ are sampled from
are used to compute the informative posterior dis-
the diffuse gamma distribution, αi , βi ∼ gamma
tribution of the failure probability of SB1. The exact
(0.0001, 0.0001), i ∈ {1, 2}. The noninformative prior
same procedure is repeated for SB2, C1, C2, C3, and
is then updated using this data matrix to obtain the
C4 to obtain their informative posterior distributions.
informative posterior. The procedure for obtaining
Although data uncertainty is taken into account
the informative posterior is the same as that for the
by means of using a HBM procedure independently
fault tree, which follows from Equations (11)–(12).
for each safety barrier, the interdependence be-
Finally, the individual posterior probability of occur-
tween SB1 and SB2 is completely neglected in this
rences of each consequence is estimated using for-
method. In reality, the failure of a safety barrier of-
ward analysis in Equation (19). Likewise, the data
ten has a considerable impact on the operation of
samples of θ for approximating the overloaded in-
other safety barriers. Neglecting their interdepen-
tegral are sampled using MCMC simulations from
dence might lead to inaccurate estimation of their
p(θ |D).
failure probabilities.
To address the issue in the first method, θ1 and
p(πi |D) = p(πi |θ ) p(θ |D)∂θ, i ∈ {1, 2, 3, 4}
θ2 need to be modeled in a joint likelihood function
and updated simultaneously with data. The joint like-
lihood function of θ1 and θ2 is constructed in the fol- π̂i = πi p(πi |D)dπi (19)
lowing steps. The occurrence probabilities of the con-
sequences depend on the failure probabilities of the
safety barriers according to the following relation- 3.2.2. Estimating the Probability of Occurrence
ships. of the Initial Event
π1 = (1 − θ1 )(1 − θ2 ); The structure of the event tree provides a quick
way of estimating the parameter of interest of the
π2 = (1 − θ1 )θ2 ;
initial event. Data samples for the number of occur-
π3 = θ1 (1 − θ2 ); rences of consequences can be translated into the ini-
tial event occurrence. According to the property of
π4 = θ1 θ2 . (16)
the event tree, for each time interval t, the number
of occurrences of the initial event is simply the sum
For the event tree, consequences originating of occurrences of all the consequences, kt . Because
from an initial event are mutually exclusive of each the time interval is fixed, the prior distribution for the
1676 Yu, Khan, and Veitch
λk e−tλ
t
p(D|λ) = . (21)
kt !
t=1
Table II. Major Accident and Precursor Data of Offshore Table III. Comparison of Various Estimators in Estimating
Blowout in Gulf of Mexico.(27) Probability of Failure of Kick Detection
Time Estimated
Intervals Safe Mishap Leak Blowout Kick Estimator Formulae Probability Source
1996 0 0 1 3 4 One-third P= 1
3n 0.0043 Ref. 29
1997 2 1 1 1 5 estimator
1998 0 3 1 3 7 Minimax P= 1
2.5n 0.0051 Ref. 30
1999 1 2 0 2 5 estimator
2000 0 2 4 2 8 1
Median Bayes P = 1 − 0.5 n+1 0.0087 Ref. 29
2001 1 3 1 3 8 estimator
2002 0 2 1 1 4 1
2003 2 1 0 1 4 P2 estimator P = 1 − 0.5 n 0.0088 Ref. 29
2004 0 3 2 0 5 Bayes estimator P= 1
0.0125 Ref. 31
n+2
2005 0 3 0 1 4
2006 0 1 5 2 8 Upper-bound P= 1
n 0.0128 Ref. 29
2007 0 1 0 3 4 estimator
2008 1 1 0 3 5
2009 0 0 0 2 2
2010 0 0 0 1 1
Table IV. Expected Probabilities for the Failure of Safety
2011 0 0 0 2 2
Barriers and Occurrence of Consequences (Offshore Blowout)
2012 0 0 0 2 2
Sum 7 23 16 32
Probability
Total = 46 Total = 32 Grand total = 78
Probability (HBM
(HBM Joint Independent
Event Tree Likelihood Probability Likelihood
Parameters Function) (MLE) Functions)
occurrences of both C4 and C5 consequences. There- Kick detection 0.1817 0.0000 0.0018
fore, it is not possible to decompose the contribu- Kill operation 0.8808 0.9103 0.9176
tion of the failure of the BOP or kick detection to BOP 0.2926 0.4507 0.4639
the occurrence of blowout, making it difficult to es- Casing 0.3843 0.4103 0.5897
timate the failure probabilities of these two barriers C1: Safe 0.0927 0.0897 0.0947
C2: Mishap 0.2964 0.2950 0.2918
using traditional techniques such as a Bayesian net- C3: Leak 0.1848 0.2051 0.1911
work. Khakzad et al.(28) proposed a workaround of C4: Blowout 0.4260 0.4103 0.4191
this issue, which assumed the blowout was solely due
to the failure of the BOP failure. This assumption
rendered a zero failure situation for the kick detec-
tion upon demands. A number of estimators capable mation results of MLE are presented in column 3 of
of handling zero failure events were then applied to Table IV. It is observed that the probability of kick
estimate the probability of failure of the kick detec- detection failing is 0 due to the zero failure assump-
tion. The estimated failure probabilities of the kick tion, which is unrealistic. Moreover, these techniques
detection using these estimators are summarized in simply rely on the total number of demands for
Table III. the kick detection and fail to recognize that there
The value of n in Table III is 78, the sum of is source-to-source variability in data between each
values in the last column of Table II, representing time interval, due to the sporadic conditions under
the total number of demands received by the safety which the drilling operations were carried out.
barrier—kick detection. It is observed that due to The two methods introduced in Section 3.2.1
the radical assumption of zero failures of the kick are used to address the data uncertainty issue in
detection, the estimated values of all the techniques failure probability estimation. In the first method,
are very small and also differ significantly from each the failure of safety barriers and the occurrences of
other; therefore, they might not reflect the real sit- the consequences are considered to be completely
uation. To make this comparison more comprehen- independent. A binomial distribution is assigned to
sive, traditional MLE is also applied to estimate the each safety barrier to model its number of failures
failure probabilities of the safety and the probabil- per time interval. Similarly, a binomial distribution
ities of occurrences of the consequences. The esti- is also given to each consequence for the same
1678 Yu, Khan, and Veitch
modeling purpose. Because these events are inde- is one of the values of a random variable following
pendent of each other, it is not possible to discern an unknown distribution. The noninformative prior
the contribution of failure of kick detection from in the HBM enables an adequate exploration of
that of BOP to the occurrences of blowouts. In this the entire sample space of this unknown distribu-
regard, it is also assumed that blowouts are solely tion, resulting in a more realistic estimation of the
due to failure of BOP. As a result, the same zero failure probability of kick detection. Despite this
failure issue is also presented to the binomial HBM advantage, the interdependence among the safety
model of kick detection. The HBM procedure is barriers is still neglected in modeling. The estimated
implemented on the OpenBUGS platform.(32) The failure probability of the kick detection is still
estimated failure probability for kick detection based unreasonably small considering there is a direct
on the binomial HBM model is shown in column 4 of relationship between failure of kick detection and
Table IV. This result demonstrates that a slight blowouts, which make up to 32 (41%) occurrences
improvement in flexibility in dealing with zero data of the undesired consequences.
events is achieved by the binomial HBM model as However, the second method can effectively
compared to MLE. This is mainly due to the fact that avoid the problems of MLE and the binomial HBM
HBM is able to take into account the uncertainty by fully exploring the interdependence between the
in data. More specifically, the zero occurrence of consequences and taking into account the uncer-
an event under the HBM setting is not absolute; it tainty in data samples. Following the procedure
Risk Analysis of Major Accidents 1679
are shown in Fig. 10 and the expected probabilities Table V. Expected Probabilities of Occurrence of the Basic
for these events are summarized in Table V. Events and Top Event
Upon estimating occurrence probabilities of the Fault tree Parameters Estimated Probabilities
basic events, the occurrence probability of the top
event can be determined using forward analysis. The Power supply failure 0.7873
posterior probability distribution of the top event Technical failure 0.6629
kick is shown in Fig. 11. The expected value of this Insufficient amount of mud 0.0844
Insufficient circulation of seawater 0.1111
distribution is listed in the last row of Table V. This Kick 0.0645
value is the predicted probability of occurrence of a
kick in time interval 2013. The expected number of
occurrences of a kick in 2013 is then computed as
0.0642 × N = 5.0076 ≈ 5, which is the same as the same basis. As a result, the expected number of oc-
number estimated in the event tree example. This currence for 2013 matches with that obtained from
could be explained by considering probability of suc- the Poisson distribution.
cess as a weighting factor in calculating the expected It is demonstrated in this case study that the
value of the binomial distribution. Because N is the proposed techniques are able to address the weak-
same for the number of occurrences of kick across nesses of both event tree and fault tree analysis.
all time intervals, the probability/weighting factor in For the event tree example, by exploring the inter-
each time interval has the same basis. The predicted dependence between the BOP and kick detection,
probability in the next time interval also shares the the zero data event encountered in the traditional
Risk Analysis of Major Accidents 1681
11. Meel A, Seider WD. Plant-specific dynamic failure assessment 23. Gelman A. Prior distributions for variance parameters in hier-
using Bayesian theory. Chemical Engineering Science, 2006; archical models (comment on article by Browne and Draper).
61(21):7036–7056. Bayesian Analysis, 2006; 1(3):515–534.
12. Kalantarnia M, Khan F, Hawboldt K. Dynamic risk assess- 24. Abimbola M, Khan F, Khakzad N et al. Safety and risk analy-
ment using failure assessment and Bayesian theory. Journal sis of managed pressure drilling operation using Bayesian net-
of Loss Prevention in the Process Industries, 2009; 22(5):600– work. Safety Science, 2015; 76:133–144.
606. 25. Bobbio A, Portinale L, Minichino M et al. Improving the
13. Bearfield G, Marsh W. Generalising event trees using analysis of dependable systems by mapping fault trees into
Bayesian networks with a case study of train derailment. Pp. Bayesian networks. Reliability Engineering & System Safety,
52–66 in Computer Safety, Reliability, and Security. Springer, 2001; 71(3):249–260.
2005. 26. Khakzad N, Khan F, Amyotte P. Quantitative risk analysis of
14. Siu NO, Kelly DL. Bayesian parameter estimation in prob- offshore drilling operations: A Bayesian approach. Safety Sci-
abilistic risk assessment. Reliability Engineering & System ence, 2013; 57:108–117.
Safety, 1998; 62(1):89–116. 27. BSEE (Bureau of Safety and Environmental Enforce-
15. Chen Z, McGee M. A Bayesian approach to zero-numerator ment US). Incident statistics and summaries 1996–2012.
In Series Incident Statistics and Summaries 1996–2012,
problems using hierarchical models. Journal of Data Science,
Available at: https://www.bsee.gov/stats-facts/offshore-
2008; 6(2):261–268.
incident-statistics/incident-stats-and-summaries.
16. Yang M, Khan FI, Lye L. Precursor-based hierarchical 28. Khakzad N, Khan F, Paltrinieri N. On the application of near
Bayesian approach for rare event frequency estimation: A accident data to risk analysis of major accidents. Reliability
case of oil spill accidents. Process Safety and Environmental Engineering & System Safety, 2014; 126:116–125.
Protection, 2013; 91(5):333–342. 29. Bailey RT. Estimation from zero-failure data. Risk Analysis,
17. Kaplan S. On a “two-stage” Bayesian procedure for determin- 1997; 17(3):375–380.
ing failure rates from experimental data. IEEE Power Engi- 30. Quigley J, Revie M. Estimating the probability of rare events:
neering Review, 1983; 1(PER-3):43. Addressing zero failure data. Risk Analysis, 2011; 31(7):1120–
18. Kaplan S. On a two-stage Bayesian procedure for determining 1132.
failure rates from experiential data. In Nuclear Power Plant 31. Thorne M, Williams M. A method for estimating failure rates
Risk Management, 1985. for low probability events arising in American Nuclear Soci-
19. Datta GS, Ghosh M. On the invariance of noninformative pri- ety, Inc., La Grange Park, IL, USA.
ors. The annals of Statistics, 1996; 24(1):141–159. 32. Lunn D, Spiegelhalter D, Thomas A et al. The bugs
20. Assoudou S, Essebbar B. A Bayesian model for Markov project: Evolution, critique and future directions. Statistics in
Chains via Jeffrey’s prior. Communications in Statistics— Medicine, 2009; 28(25):3049–3067.
Theory and Methods, 2003; 32(11):2163–2184. 33. Podofillini L, Sudret B, Stojadinovic B et al. Safety and Reli-
21. Kelly DL, Smith CL. Bayesian inference in probabilistic risk ability of Complex Engineered Systems. London: Taylor and
assessment—The current state of the art. Reliability Engineer- France Group, 2015.
ing & System Safety, 2009; 94(2):628–643. 34. BSEE (Bureau of Safety and Environmental Enforcement
22. Yan Z, Haimes YY. Cross-classified hierarchical Bayesian US). Status of Gulf of Mexico well permits 2011–2014.
models for risk-based analysis of complex systems under In Series Status of Gulf of Mexico Well Permits 2011–
sparse data. Reliability Engineering & System Safety, 2010; 2014, Available at: https://www.bsee.gov/stats-facts/ocs-
95(7):764–776. regions/status-of-gulf-of-mexico-well-permits.