Yu Et Al-2017-Risk Analysis

Risk Analysis, Vol. 37, No. 9, 2017 DOI: 10.1111/risa.12736

A Flexible Hierarchical Bayesian Modeling Technique for Risk Analysis of Major Accidents

Hongyang Yu,1,2 Faisal Khan,1,2,∗ and Brian Veitch1

Safety analysis of rare events with potentially catastrophic consequences is challenged by data
scarcity and uncertainty. Traditional causation-based approaches, such as fault tree and event
tree (used to model rare events), suffer from a number of weaknesses. These include the static
structure of the event causation, lack of event occurrence data, and need for reliable prior
information. In this study, a new hierarchical Bayesian modeling-based technique is proposed
to overcome these drawbacks. The proposed technique can be used as a flexible technique for
risk analysis of major accidents. It enables both forward and backward analysis in quantitative
reasoning and the treatment of interdependence among the model parameters. Source-to-
source variability in data sources is also taken into account through a robust probabilistic
safety analysis. The applicability of the proposed technique has been demonstrated through
a case study in the marine and offshore industry.

KEY WORDS: Event tree; fault tree; hierarchical Bayesian modeling; major accidents; probabilistic risk
analysis

1 Centre for Risk, Integrity and Safety Engineering (CRISE), Faculty of Engineering & Applied Science, Memorial University of Newfoundland, St John’s, NL, Canada.
2 National Centre for Maritime Engineering and Hydrodynamics, Australian Maritime College, University of Tasmania, Launceston, TAS, Australia.
∗ Address correspondence to Faisal Khan, Centre for Risk, Integrity and Safety Engineering (CRISE), Faculty of Engineering & Applied Science, Memorial University of Newfoundland, St John’s, NL, Canada A1B 3xS; tel: +1 709 864 8939; fikhan@mun.ca.

0272-4332/17/0100-1668$22.00/1 © 2017 Society for Risk Analysis

1. INTRODUCTION

Fault tree analysis and event tree analysis are two popular techniques used for safety analysis. A fault tree has a converging structure that links a number of basic events to a top event. The relationships between the basic events and top event are modeled using logic gates. However, the event tree has a diverging structure relating an initial event to its various consequences. Each consequence is the result of a particular combination of states of the safety barriers following the initial event. Although both techniques can be used for safety analysis, the focus of the former is on isolating the potential causes of an undesired event, and the latter on identifying possible consequences.(1)

Fault tree analysis can be used as a qualitative tool to assist in creation of a diagnostic manual for complex systems.(2) For quantitative analysis, the basic events of the fault tree are assumed to be statistically independent. The probabilities of occurrence of these basic events can be estimated from past failure data or based on expert knowledge. Upon obtaining these probabilities, the probability of the top event can be calculated by applying Boolean algebra sequentially on each gate of the whole tree structure or on the minimum cut set.(3) Because of the static structure and the unidirectional property of the logic gates of the fault tree, the probability updates of the basic events through backward information propagation from the top event is not possible.(4,5) Another major limitation of such an analysis exists if the top event is a major accident with extremely low
frequency of occurrence. The data samples for the basic events might be sparse, leading to highly biased estimations. Consequently, the computed occurrence probability of the top event might not represent the real situation.

Estimating the probability of occurrence of major accidents is an indispensable element of probabilistic risk analysis and has become an active research direction in recent years.(6,7) Major accidents are defined as low-frequency events causing fatalities and catastrophic environmental or capital losses. Conventional probability estimation techniques, whether they are parametric or nonparametric, rely heavily on availability of data samples. The estimated probability asymptotically approaches the true probability as the number of data samples increases.(8) However, this property is not applicable to probability estimation of major accidents due to their low frequency of occurrence: the number of major accidents may not be adequately large to yield unbiased and realistic probability estimation. The use of precursor-based probability estimation that accounts for the number of occurrences of the precursory events of the major accidents has been proposed to overcome this limitation.(9,10)

A major accident and its precursors are considered to be consequences evolving from the same initial event in the context of present work. The precursory events belong to the consequences of the initial event if at least one safety barrier is in its working state. However, a major accident is the consequence of the initial event when all safety barriers have failed. In this respect, the relationships between the initial event, safety barriers, and the final consequences can be represented using an event tree diagram. To obtain the probability of occurrence of each consequence, a forward analysis is conducted on the event tree, which requires the probability (or rate) of occurrence of the initial event and the probability of failure of each safety barrier. Compared to a major accident, the initial event may have a higher occurrence frequency, making it possible to estimate its probability through conventional statistical methods such as maximum likelihood estimation (MLE). However, the probabilities of failure of the safety barriers are difficult to obtain because the number of occurrences of each consequence dictates them, which could be too small (in the case of major accident) for a reliable estimation. Furthermore, similar to the fault tree, the event tree model is static, allowing only forward analysis, that is, information can only flow from the initial event to update the probability of each consequence occurring; the reverse is not possible.(11,12) For the same reason, the estimation of occurrence probability of a major accident given the occurrence of its precursory events using backward analysis is not possible either.

To address the above limitations of the fault tree and event tree analysis, several researchers have proposed to convert both models into a Bayesian network (BN) model.(5,13,14) In this particular conversion, the initial event, safety barriers, and consequences of the event tree are modeled as root node, intermediate nodes, and leaf nodes, respectively. The qualitative relationships between these nodes in the Bayesian network are extracted from the event tree diagram. The quantitative relationships are represented as conditional probability tables (CPTs). The conversion of a fault tree into a BN follows a similar procedure: the basic events are the root nodes and the top event is the leaf node. One of the major advantages of such a conversion is that both forward and backward analysis are permitted in BN. This enables the update of probabilities of safety barriers and basic events given the number of occurrences of the consequences and the top event, respectively.

The probability updating performance of BN depends on the accuracy of prior probability distribution of the root nodes and the reasonableness of the CPTs. Normally, these two sets of parameters are estimated from data or given by expert judgment. In the first case, data samples for the root nodes are assumed to be observed without uncertainty. However, this assumption rarely holds in practice. It is often the case that data samples collected under limited conditions do not contain enough information to allow for good generalization characteristics. To counteract this problem, collecting data samples from sources with varying conditions is necessary. This process introduces inevitable uncertainty in data samples, known as the source-to-source variability.(14) Traditional Bayesian modeling is not able to handle such uncertainty. In the second case, there is also inherent uncertainty associated with expert judgment, the rationality of which is subjected to background, training, and experience.

A hierarchical Bayesian modeling (HBM) technique is proposed to cope with source-to-source variability in data samples.(15,16) In HBM, an additional level of Bayesian modeling is imposed on the parameters of a base distribution. More specifically, the parameters of a base distribution are considered to be drawn from a prior distribution governed by
a set of hyper parameters. These hyper parameters are also randomly generated from a noninformative distribution. A prior distribution with its hyper parameters drawn from a noninformative distribution is called a noninformative prior. The noninformative prior is used to ensure uncertainty in data samples is modeled in the posterior distributions without bias. In this case, the updated posterior distributions are also known as the informative posteriors. To obtain informative posteriors, data samples are first incorporated into a likelihood function. In this work, a multivariate likelihood function is proposed for both fault tree and event tree. Model parameters of the fault tree and event tree are also jointly modeled in the likelihood function. The noninformative prior and the multivariate likelihood function are then combined using Bayes’s rule to produce the informative posteriors of the model parameters. Subsequently, the expected values of model parameters with respect to their corresponding informative posteriors are computed. These expected values are then fed back to their base distributions to predict the expected number of occurrences of undesired events in the next time interval.

There are three major advantages of the proposed technique. (1) Model parameters of the event tree and fault tree are modeled in a joint likelihood function such that the interdependence between these parameters is fully explored, leading to more realistic probability estimations of the top events and the consequences. (2) The use of joint likelihood function also precludes the need of a BN to model parameter interdependence. This also assists in reducing the uncertainty of creating CPTs based on expert knowledge. Meanwhile, both forward and backward analysis are also permitted. (3) Source-to-source variability of the data samples is effectively incorporated in the modeling to further reduce the uncertainty in estimation. In summary, the proposed technique provides a flexible and universal framework to extend the capability of both event tree and fault tree, by enabling bidirectional analyses and handling of data uncertainty.

The remaining parts of this article are organized as follows. The mechanism of the HBM is first introduced in Section 2. The HBM of the fault tree and event trees are illustrated in detail in Section 3. In Section 4, the proposed technique is applied to two case studies in marine and offshore operations. The first case study focuses on verifying the applicability of the proposed technique using real industrial data, whereas a general framework for accident modeling of arctic shipping is proposed in the second case study. Finally, the major findings and conclusions of this study are summarized in Section 5. In addition, directions for future work are outlined.

2. BACKGROUND

There are two common ways of estimating the parameters of a probability distribution from data samples, namely, the MLE and the Bayesian MLE. MLE assumes that the observed data samples can only be generated from a single probability distribution with a fixed parameter. This parameter is obtained as the one that maximizes the likelihood of the data samples under the given probability distribution. However, Bayesian MLE considers a number of candidate probability distributions whose parameters are sampled from another generic distribution, known as the prior. In this case, the optimal parameter is obtained as the one that maximizes the joint likelihood of the data samples and the prior. A graphic illustration based on the Venn diagram is provided in Fig. 1 (a) and (b) to demonstrate the difference between MLE and Bayesian MLE, where D represents the data samples, θ is the parameter of interest, and Θ is the sample space for θ. It is noted that for MLE, p(θ̄) = 1, indicating there is only one probability distribution with parameter θ̄ that could explain D. This often leads to a data overfitting problem. For Bayesian MLE, there are many possible probability distributions with their parameters sampled from Θ and P(Θ) = 1. The data overfitting problem is effectively avoided by exploring the entire sample space of θ.

Although Bayesian MLE is effective in modeling uncertainty in θ, it is not able to deal with uncertainty in D. In fact, both MLE and Bayesian MLE assume that all data samples are collected under strictly consistent conditions—they are generated from the same probability distribution. However, this is rarely true in practice, particularly for accident modeling, in which data samples are preferred to be collected from different sources to cover a broad spectrum of scenarios. This also implies that data samples for rare accident modeling might be generated from different distributions.

To cope with source-to-source variability in data, a two-stage Bayesian procedure was first proposed in the work of Kaplan,(17,18) which was also the preliminary form of the HBM. Since then, much development has been done to improve the performance and extend the capability of this original form. In recent
years, with the development of advanced sampling techniques such as the Markov Chain Monte Carlo (MCMC) simulation, the improved HBM has become more capable of handling complex likelihood functions. Despite the state-of-art development, the fundamental principle of the HBM remains the same and is briefly introduced in the ensuing paragraphs.

Fig. 1. Comparison of MLE, Bayesian MLE, and HBM. Panel (a): $\theta_{MLE} = \arg\max_{\theta} l(D|\theta)$. Panel (b): $\theta_{Bayesian} = \arg\max_{\theta} l(D,\theta|\Theta)$, with $\theta \in \Theta$. Panel (c): $p(\theta|D) = E_{\alpha,\beta \sim P(\mathrm{A},\mathrm{B})}[p(\theta|\alpha,\beta)\,p(\alpha,\beta|D)]$, with $\alpha \in \mathrm{A}$, $\beta \in \mathrm{B}$.

Similar to Bayesian MLE, HBM also models the uncertainty of data samples in the prior distribution of θ, by means of sampling hyper parameters of θ from a noninformative distribution. Specifically, as shown in Fig. 1(c), if p(θ|α, β) is the prior distribution of θ, α and β are the hyper parameters and are sampled from a noninformative distribution, P(A, B). A noninformative distribution is a probability distribution that does not give preference to generation of data samples within any particular range. This enables a wide range of α and β values to be generated, making p(θ|α, β) as generic as possible to cover all possible data generation sources/distributions. More importantly, when used for Bayesian updating, a noninformative prior does not have a strong influence on its posterior distribution. This forces the Bayesian update to be completely dependent on data. The resulting posterior distribution not only takes into account the uncertainty in data but also accurately reflects their true nature.

The uniform distribution is a typical choice of noninformative distribution for hyper parameters, due to its assignment of equal probability to all values within a certain range. There are two major issues associated with the use of uniform distribution as a noninformative distribution. First, the support of the uniform distribution is finite, allowing only samples within a certain range to be generated; data generation is biased. Second, the uniform distribution is not invariant under reparameterization, which violates the Jeffrey rule of noninformative prior.(19) Noninformative priors satisfying Jeffrey’s rule are known as the Jeffrey’s prior.(20) There is only a limited number of Jeffrey’s priors available for some well-known likelihood functions. In most cases, the derivation of Jeffrey’s prior for complex and multivariate likelihood function ends up to be intractable. A diffuse gamma prior has been proposed in the work of Kelly et al.(21) and Yan et al.(22) as an alternative to Jeffrey’s prior for complex likelihood function. In this study, this diffuse gamma prior is used as the noninformative prior for modeling data uncertainty.

The noninformative prior can be updated using data D to form an informative posterior of the parameter of interest.(23) This informative posterior is derived through three basic steps. In the first step, the likelihood function of the hyper parameters is obtained by computing the expectation of the likelihood function l(D|θ) with respect to the parameter of interest, θ.

$$l(D|\alpha,\beta) = \int l(D|\theta)\,p(\theta|\alpha,\beta)\,\partial\theta \tag{1}$$

One of the major focuses of this study is to construct a multivariate form of l(D|θ) for both fault tree and event tree so that all the parameters are jointly modeled. Upon acquiring the likelihood function of the hyper parameters, the posterior distribution of the hyper parameters is determined through Bayes’s theorem.

$$p(\alpha,\beta|D) = \frac{p(\alpha,\beta)\,l(D|\alpha,\beta)}{\iint p(\alpha,\beta)\,l(D|\alpha,\beta)\,\partial\alpha\,\partial\beta} \tag{2}$$

It is noted that the double integrals in the denominator might be intractable. This issue can be addressed by first applying MCMC to sample α and β from their joint distribution p(α, β). Then, the integrals are approximated by the sample mean of l(D|α, β). In the third step, the posterior distribution of θ given data, p(θ|D), is computed through marginalizing over α and β.

$$p(\theta|D) = \iint p(\theta|\alpha,\beta)\,p(\alpha,\beta|D)\,\partial\alpha\,\partial\beta \tag{3}$$

Likewise, the solution of the double integrals could be approximated in a similar way by calculating
the sample mean of p(θ|α, β). The posterior distribution is also referred to as the informative posterior of θ. The complete HBM procedure for obtaining the informative posterior of θ is also illustrated in Fig. 2.

Fig. 2. Graphic illustration of HBM procedure.

In addition, the above procedure can be formulated into a recursive Bayesian estimation problem for sequentially arriving new data, $D_t$:

$$p(\theta|D_t, D) = \frac{p(\theta|D)\,p(D_t|\theta)}{\int p(\theta|D)\,p(D_t|\theta)\,\partial\theta}, \tag{4}$$

where $p(D_t|\theta)$ is recomputed for every time interval t between which new data samples are collected.

3. METHODOLOGY

3.1. HBM of Fault Tree

A conventional fault tree has a converging structure that describes how a group of basic events can lead to a top event. This structure enables qualitative reasoning of causality between basic events and top event; both forward and backward analysis can be conducted. For quantitative reasoning, however, statistical information is only allowed to flow from the basic events to the top event. In addition, to calculate the probability of occurrence of a top event, the probabilities of occurrence of the basic events have to be either estimated from historical data samples or specified by expert knowledge. In the case that there is only data available for the top event, the probabilities of occurrence of the basic events cannot be estimated using backward analysis. Furthermore, the basic events are assumed to be statistically independent of each other. The above limitations of fault tree in quantitative reasoning can be substantially relaxed using the HBM approach. This is demonstrated in the following example where a simple fault tree is considered.

Fig. 3. Fault tree example.

The fault tree structure in Fig. 3 has five model parameters, including the probabilities of occurrence of the basic events ($\theta_i$, i ∈ {1, 2, 3, 4}) and the top event π. The relationship between these model parameters can be expressed analytically by applying Boolean algebra on the logic gates.

$$\pi = \theta_1\theta_2(\theta_3 + \theta_4 - \theta_3\theta_4) \tag{5}$$

It is assumed that the only data available for estimating these parameters is the number of occurrences of the top event in a specific time interval for a total of T consecutive time intervals, $D = \{n^1, n^2, \ldots, n^{t=T}\}$, where $n^t$ is the number of occurrences of the top event in tth time interval. It is also assumed that the total number of trials for each time
interval is the same and is denoted as N. Putting this in the context of safety analysis, $n^t$ is the number of accidents in a specific time period, i.e., a year, while N is the total number of operations in the same period. Because of the limitation of the fault tree, the estimation of the model parameters $\theta_i$, i ∈ {1, 2, 3, 4}, given only the data of the top event, is not possible.

The above parameter estimation problem can be formulated into the HBM framework for an easy solution. In this formulation, the basic events and the top event of the fault tree are considered to be binomial random variables whose probabilities of failure are $\theta_i$, i ∈ {1, 2, 3, 4}, and π, respectively. In this regard, the number of occurrences for both the basic events and the top event follow a binomial distribution:

$$p(m_i^t|N,\theta_i) = \binom{N}{m_i^t}\theta_i^{m_i^t}(1-\theta_i)^{N-m_i^t}, \tag{6}$$

$$p(n^t|N,\pi) = \binom{N}{n^t}\pi^{n^t}(1-\pi)^{N-n^t}, \tag{7}$$

where $m_i^t$ is the number of occurrences of basic event i during the tth interval. The distribution in Equation (6) is considered to be the base distribution of the basic event i. To take into account the source-to-source variability in data samples, a noninformative prior is imposed on the parameter of interest, $\theta_i$. It is noted that a noninformative prior is not assigned to the top event as the source-to-source variability in data of the top event originates from the uncertainty in the basic events, as a result of the fault tree structure. As $\theta_i$ is the parameter of a binomial distribution, its prior is then chosen as a conjugate prior of the binomial distribution, which is a beta distribution.

$$p(\theta_i|\alpha_i,\beta_i) = \frac{\Gamma(\alpha_i+\beta_i)}{\Gamma(\alpha_i)\,\Gamma(\beta_i)}\,\theta_i^{\alpha_i-1}(1-\theta_i)^{\beta_i-1} \tag{8}$$

To construct a noninformative prior for $\theta_i$, the hyper parameters $\alpha_i$ and $\beta_i$ are sampled from the diffuse gamma distribution, $\alpha_i, \beta_i \sim \mathrm{gamma}(0.0001, 0.0001)$. Let $\theta = \{\theta_1, \theta_2, \theta_3, \theta_4\}$, $\alpha = \{\alpha_1, \alpha_2, \alpha_3, \alpha_4\}$, and $\beta = \{\beta_1, \beta_2, \beta_3, \beta_4\}$, the joint likelihood function for θ (as shown in Equation (9)) is determined by substituting Equation (5) into Equation (7).

$$p(D|\theta) = \prod_{t=1}^{T}\binom{N}{n^t}\left(\theta_1\theta_2(\theta_3+\theta_4-\theta_3\theta_4)\right)^{n^t}\left(1-\theta_1\theta_2(\theta_3+\theta_4-\theta_3\theta_4)\right)^{N-n^t} \tag{9}$$

This joint likelihood function is then used to compute the joint likelihood function of the hyper parameters.

$$p(D|\alpha,\beta) = \int p(D|\theta)\,p(\theta|\alpha,\beta)\,\partial\theta \tag{10}$$

The integral in Equation (10) is overloaded to simplify the notations. As described in Section 2, this overloaded integral can be solved by calculating the sample mean of p(D|θ). The samples of θ are generated from MCMC simulations of p(θ|α, β). Subsequently, the joint posterior distribution of the hyper parameters is obtained using Bayes’ theorem.

$$p(\alpha,\beta|D) = \frac{p(\alpha,\beta)\,p(D|\alpha,\beta)}{\iint p(\alpha,\beta)\,p(D|\alpha,\beta)\,\partial\alpha\,\partial\beta} \tag{11}$$

Similarly, the double integral in the denominator is overloaded and its solution can be approximated by conducting MCMC simulations on p(α, β). Finally, the joint posterior distribution of θ, or the informative posterior, is determined through marginalization.

$$p(\theta|D) = \iint p(\theta|\alpha,\beta)\,p(\alpha,\beta|D)\,\partial\alpha\,\partial\beta \tag{12}$$

The individual parameter for each of the basic events can be obtained in an analogous manner, for instance, as shown in Equation (13).

$$p(\theta_1|D) = \iiint p(\theta|D)\,\partial\theta_2\,\partial\theta_3\,\partial\theta_4 \tag{13}$$

Finally, the estimated number of occurrences for each basic event for the next interval T + 1 is given as:

$$p(m_i|D;N) = \int p(m_i|\theta_i;N)\,p(\theta_i|D)\,\partial\theta_i, \qquad m_i^{T+1} = \int m_i\,p(m_i|D;N)\,dm_i. \tag{14}$$

As demonstrated in the above procedure, it is possible to conduct backward analysis on fault tree using HBM; the parameters of the basic events can be estimated with only data samples of the top event. These parameters are also modeled in a joint distribution that takes into account their interdependence as opposed to the assumption of complete independence of the traditional fault tree. In addition, the use of a noninformative prior in HBM ensures the source-to-source variability in data samples is accounted for in the estimation process without bias. The estimated values better reflect the real situation.

As compared to many works using a Bayesian network approach to model fault trees,(3,5,24,25) the
proposed approach does not require the construction of CPTs or specifying prior probabilities of the basic events for conducting inferences. Therefore, it is more flexible to be used for safety analysis of industrial operations under data scarcity.

3.2. HBM of Event Tree

The event tree is a diverging model linking an initial event to its possible consequences. Each consequence corresponds to failures of certain safety barriers. The severity of each consequence is related to the number of failed safety barriers associated with it. The most severe consequence, which is a result of complete failure of all safety barriers, is defined as a major accident in this study, whereas the other less severe consequences are the precursory events of the major accident. The rationale behind this definition is that all the consequences of the event tree are related to the same cause through the same set of safety barriers. It is therefore legitimate to claim that there is a direct link between the consequences with lower level of severity and the most severe consequence. In addition, it is not rare that there are more data available for consequences of low severity, allowing for more accurate estimation of their occurrence probabilities. The information gathered from the low-severity consequences can be used to estimate the probability of occurrence of a major accident where there is little data available through this direct link.

Both forward and backward analysis are necessary to enable the information exchange between the consequences. However, the event tree shares the same limitation with the fault tree, which allows only forward analysis in quantitative reasoning. Additionally, the forward analysis of the event tree also requires the prior probabilities of the initial event and safety barriers to be specified in advance, which is not easily achieved under data scarcity. In the HBM framework, estimation of the model parameters of the event tree is broken down into two parts. In the first part, the probabilities of failure of safety barriers and the probabilities of occurrence of the consequences are estimated. In the second part, the results from the first part can be further used to estimate the parameter of interest of the initial event.

3.2.1. Estimating Probabilities of Failure of Safety Barriers

The main objective of this part is to obtain an informative posterior for the parameters of the safety barriers. For the same reason described in Section 3.1, a noninformative prior is only needed for the safety barriers. The procedure of obtaining the informative posteriors is demonstrated using a simple event tree model shown in Fig. 4.

Fig. 4. An event tree example.

Parameters of the four potential consequences and the two safety barriers are arranged in arrays, $\pi = \{\pi_1, \pi_2, \pi_3, \pi_4\}$ and $\theta = \{\theta_1, \theta_2\}$, respectively. It is assumed that the only available data for parameter estimation are the number of occurrences of each of the consequences in a specific time interval for T consecutive intervals $D = \{d_1^t, d_2^t, d_3^t, d_4^t\}_{t=1}^{T}$. For the event tree, the base distribution for the failures of each safety barrier is assumed to be a binomial distribution. Therefore, the priors for θ are selected to be beta distributions with hyper parameters $\alpha = \{\alpha_1, \alpha_2\}$ and $\beta = \{\beta_1, \beta_2\}$.

There are two methods of estimating the informative posterior failure probability distributions of the safety barriers. The first method assumes that the failures of safety barriers are completely independent of each other. The informative posteriors of these safety barriers are then estimated based on the number of successes and failures for each time interval. The causal structure of the event tree allows the decomposition of the number of occurrences of the consequences into the number of successes and failures of each safety barrier. For instance, the number of successes and failures of the SB1 and SB2 in Fig. 4, for a single time interval t, can be obtained as shown in Table I.

Subsequently, a HBM procedure can be applied independently to each safety barrier to determine its informative posterior probability of failure. The HBM procedure of SB1 is shown as follows.
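As an added illustration (not code from the paper), the sketch below runs the first, independent-barrier method on constructed consequence counts: it sums the Table I successes and failures, then applies Equations (1)–(3) to each barrier. It replaces the MCMC sampling described in Section 2 with a deterministic log-spaced grid over the hyper parameters. The counts, function names and grid bounds, and the shape/rate reading of gamma(0.0001, 0.0001), are all assumptions.

```python
import math

# Constructed counts (not from the paper): occurrences of consequences C1..C4
# in each of T = 5 intervals; each row is (d1, d2, d3, d4) for one interval.
COUNTS = [(90, 6, 3, 1), (85, 10, 4, 1), (92, 5, 3, 0), (88, 8, 3, 1), (95, 3, 2, 0)]

# Diffuse gamma(0.0001, 0.0001) hyperprior; reading it as shape/rate is an assumption.
HYPER_SHAPE = 1e-4
HYPER_RATE = 1e-4


def barrier_counts(counts):
    """Table I decomposition, summed over intervals: (successes, failures) per barrier."""
    d1, d2, d3, d4 = (sum(col) for col in zip(*counts))
    return {"SB1": (d1 + d2, d3 + d4), "SB2": (d1 + d3, d2 + d4)}


def log_beta(a, b):
    """Logarithm of the beta function B(a, b)."""
    return math.lgamma(a) + math.lgamma(b) - math.lgamma(a + b)


def log_spaced(lo=1e-3, hi=1e5, points=121):
    """Log-spaced grid for one hyper parameter (bounds are illustrative)."""
    step = (math.log(hi) - math.log(lo)) / (points - 1)
    return [math.exp(math.log(lo) + i * step) for i in range(points)]


def log_hyperprior_mass(x):
    """Log gamma density at x times x (cell width on a log grid), up to a constant."""
    return HYPER_SHAPE * math.log(x) - HYPER_RATE * x


def posterior_mean_failure(successes, failures, grid=None):
    """Posterior mean of a barrier's failure probability via Eqs. (1)-(3) on a grid."""
    grid = grid or log_spaced()
    log_weights, cond_means = [], []
    for a in grid:
        for b in grid:
            # Eq. (1): binomial likelihood averaged over a Beta(a, b) prior.
            # The binomial coefficients are dropped because they cancel in Eq. (2).
            log_marginal = log_beta(a + failures, b + successes) - log_beta(a, b)
            # Numerator of Eq. (2): hyperprior times marginal likelihood.
            log_weights.append(
                log_marginal + log_hyperprior_mass(a) + log_hyperprior_mass(b)
            )
            # Mean of theta given (a, b) and the data: Beta(a + f, b + s).
            cond_means.append((a + failures) / (a + b + successes + failures))
    top = max(log_weights)  # subtract before exponentiating to avoid underflow
    weights = [math.exp(lw - top) for lw in log_weights]
    # Eq. (3): marginalise over the hyper parameters (the sum is Eq. (2)'s denominator).
    return sum(w * m for w, m in zip(weights, cond_means)) / sum(weights)


def analyse(counts):
    """Return per-barrier posterior means, the implied major-accident probability,
    and the raw observed frequency of the most severe consequence."""
    means = {
        name: posterior_mean_failure(s, f)
        for name, (s, f) in barrier_counts(counts).items()
    }
    # Major accident = every barrier fails; under the first method's independence
    # assumption the expected joint failure probability is the product of the means.
    major = means["SB1"] * means["SB2"]
    observed = sum(row[3] for row in counts) / sum(sum(row) for row in counts)
    return means, major, observed


if __name__ == "__main__":
    means, major, observed = analyse(COUNTS)
    for name, value in means.items():
        print(f"{name}: posterior mean failure probability = {value:.4f}")
    print(f"major accident (both barriers fail): {major:.5f}")
    print(f"raw frequency of C4 in the constructed data: {observed:.5f}")
```

The major-accident estimate draws on all 500 constructed trials through the two barriers, whereas the raw frequency rests on the three C4 occurrences alone.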
Risk Analysis of Major Accidents 1675

Table I. Number of Successes and Failures for SB1 and SB2 other and their occurrence probabilities sum up to
4
1, i=1 πi = 1. Under this setting, the joint likelihood
Number of Successes Number of Failures
function of these four parameters can be modeled as
SB1 d1t + d2t d3t + d4t a multinomial distribution function:
SB2 d1t + d3t d2t + d4t l(D|π1 , π2 , π3 , π4 )

T
kt ! d1t d2t d3t d4t
= t t t t π1 π2 π3 π4 , (17)
Because the number of failures of SB1 is assumed d1 !d2 !d3 !d4 !
t=1
to follow a binomial distribution, the likelihood func-
where kt is the total number of occurrences during
tion of SB1 is given as:

$$p(D_1|\theta_1) = \prod_{t=1}^{T} p\left(f^t = d_3^t + d_4^t \mid k^t = d_1^t + d_2^t + d_3^t + d_4^t, \theta_1\right) = \prod_{t=1}^{T} \binom{k^t}{f^t} \theta_1^{f^t} (1 - \theta_2)^{k^t - f^t} \tag{15}$$

The conjugate prior for Equation (15) is a β distribution, $p(\theta_1|\alpha_1, \beta_1)$. In this case, the hyper parameters $\alpha_1$ and $\beta_1$ are sampled from the diffuse gamma distribution. Then, Equations (1)–(3) are used to compute the informative posterior distribution of the failure probability of SB1. The exact same procedure is repeated for SB2, C1, C2, C3, and C4 to obtain their informative posterior distributions.

Although data uncertainty is taken into account by means of using a HBM procedure independently for each safety barrier, the interdependence between SB1 and SB2 is completely neglected in this method. In reality, the failure of a safety barrier often has a considerable impact on the operation of other safety barriers. Neglecting their interdependence might lead to inaccurate estimation of their failure probabilities.

To address the issue in the first method, $\theta_1$ and $\theta_2$ need to be modeled in a joint likelihood function and updated simultaneously with data. The joint likelihood function of $\theta_1$ and $\theta_2$ is constructed in the following steps. The occurrence probabilities of the consequences depend on the failure probabilities of the safety barriers according to the following relationships.

$$\begin{aligned}
\pi_1 &= (1 - \theta_1)(1 - \theta_2);\\
\pi_2 &= (1 - \theta_1)\theta_2;\\
\pi_3 &= \theta_1(1 - \theta_2);\\
\pi_4 &= \theta_1\theta_2.
\end{aligned} \tag{16}$$

For the event tree, consequences originating from an initial event are mutually exclusive of each

time interval t, $k^t = d_1^t + d_2^t + d_3^t + d_4^t$. As a result, the likelihood function of θ, l(D|θ) is obtained by substituting Equation (16) into Equation (17).

$$l(D|\theta) = \prod_{t=1}^{T} \frac{k^t!}{d_1^t!\, d_2^t!\, d_3^t!\, d_4^t!} \left[(1 - \theta_1)(1 - \theta_2)\right]^{d_1^t} \left[(1 - \theta_1)\theta_2\right]^{d_2^t} \left[\theta_1(1 - \theta_2)\right]^{d_3^t} \left[\theta_1\theta_2\right]^{d_4^t} \tag{18}$$

To form the noninformative prior for θ, the hyper parameters of θ are sampled from the diffuse gamma distribution, $\alpha_i, \beta_i \sim \text{gamma}(0.0001, 0.0001)$, $i \in \{1, 2\}$. The noninformative prior is then updated using this data matrix to obtain the informative posterior. The procedure for obtaining the informative posterior is the same as that for the fault tree, which follows from Equations (11)–(12). Finally, the individual posterior probability of occurrences of each consequence is estimated using forward analysis in Equation (19). Likewise, the data samples of θ for approximating the overloaded integral are sampled using MCMC simulations from p(θ|D).

$$p(\pi_i|D) = \int p(\pi_i|\theta)\, p(\theta|D)\, \partial\theta, \quad i \in \{1, 2, 3, 4\}$$

$$\hat{\pi}_i = \int \pi_i\, p(\pi_i|D)\, d\pi_i \tag{19}$$

3.2.2. Estimating the Probability of Occurrence of the Initial Event

The structure of the event tree provides a quick way of estimating the parameter of interest of the initial event. Data samples for the number of occurrences of consequences can be translated into the initial event occurrence. According to the property of the event tree, for each time interval t, the number of occurrences of the initial event is simply the sum of occurrences of all the consequences, $k^t$. Because the time interval is fixed, the prior distribution for the
number of occurrences of the initial event within each time interval can be modeled using a Poisson distribution with failure rate λ as the parameter of interest.

$$p(k^t|\lambda) = \frac{\lambda^{k^t} e^{-t\lambda}}{k^t!} \tag{20}$$

In turn, the likelihood function for $D = \{k^t\}_{t=1}^{T}$ is constructed as:

$$p(D|\lambda) = \prod_{t=1}^{T} \frac{\lambda^{k^t} e^{-t\lambda}}{k^t!}. \tag{21}$$

In a similar setting to Section 3.1, a noninformative prior is imposed on the hyper parameters of λ to account for the uncertainty in data. The prior distribution of λ is chosen to be a conjugate prior of the Poisson distribution, which is a gamma distribution.

$$p(\lambda|\mu, \nu) = \frac{\beta^{\mu}}{\Gamma(\alpha)} \lambda^{\mu - 1} e^{-\nu\lambda} \tag{22}$$

To construct a noninformative prior of λ, the hyper parameters μ and ν are sampled from the diffuse gamma distribution, $\mu, \nu \sim \text{gamma}(0.0001, 0.0001)$. The noninformative prior is then updated using data to form an informative posterior for λ. The informative posterior is obtained using Equations (1)–(3). The informative posterior can be used to predict the number of occurrences of the initial event in the next time interval, t = T + 1.

$$p(k|D) = \int p(k|\lambda)\, p(\lambda|D)\, \partial\lambda$$

$$k^{T+1} = \int k\, p(k|D)\, dk \tag{23}$$

Also, the number of occurrences for each consequence can be estimated:

$$E\left[d_i^{T+1}\right] = E\left[k^{T+1}\right] \times \hat{\pi}_i. \tag{24}$$

The HBM of the event tree allows both forward and backward analysis. This enables the information exchange between a major accident and its precursory events, which effectively addresses the data scarcity problem in estimating the probability of occurrence of major accidents. Probabilities of failure of the safety barriers can also be estimated from the number of occurrences of each consequence. This deductive reasoning, without the need of specifying prior probabilities, is not possible to achieve using a traditional event tree or Bayesian network. Furthermore, the source-to-source variability in data samples is also considered in the modeling, leading to a more realistic estimation.

4. CASE STUDY—OFFSHORE BLOWOUT

Offshore blowout is one of the most devastating accidents in marine and offshore operations. Blowouts are rare but can have significant consequences, such as fatalities, capital losses, and possibly irreversible damage to environment. An offshore blowout is the most severe consequence of a kick during the drilling operation. Detailed information on the mechanism of a kick can be found in the work of Khakzad et al.(26) To prevent a kick from developing into a major blowout, a number of safety barriers are typically implemented during the drilling operation. These safety barriers are presented in the form of an event tree diagram in Fig. 5.

Fig. 5. Event tree diagram for an offshore blowout.(26)

It is noted that in Fig. 5, the failure of either the kick detection or blowout preventer (BOP) will lead to a major blowout. In this case, a blowout is considered a major accident and the consequences from C1 to C3 are considered to be the precursory events. In this study, data samples collected for parameter estimations are the number of occurrences of each of the above four consequences during development drilling in the Gulf of Mexico region from 1996 to 2012(27) and are presented in Table II. The estimated values for the safety barriers can be used to identify the weak links in the safety system for further improvement.

According to the event tree structure, the number of occurrences for the kick is the sum of the number of occurrences of all the consequences. Also, the blowout data in Table II contain the number of
occurrences of both C4 and C5 consequences. Therefore, it is not possible to decompose the contribution of the failure of the BOP or kick detection to the occurrence of blowout, making it difficult to estimate the failure probabilities of these two barriers using traditional techniques such as a Bayesian network. Khakzad et al.(28) proposed a workaround of this issue, which assumed the blowout was solely due to the failure of the BOP. This assumption rendered a zero failure situation for the kick detection upon demands. A number of estimators capable of handling zero failure events were then applied to estimate the probability of failure of the kick detection. The estimated failure probabilities of the kick detection using these estimators are summarized in Table III.

Table II. Major Accident and Precursor Data of Offshore Blowout in Gulf of Mexico.(27)

| Time Intervals | Safe | Mishap | Leak | Blowout | Kick |
|---|---|---|---|---|---|
| 1996 | 0 | 0 | 1 | 3 | 4 |
| 1997 | 2 | 1 | 1 | 1 | 5 |
| 1998 | 0 | 3 | 1 | 3 | 7 |
| 1999 | 1 | 2 | 0 | 2 | 5 |
| 2000 | 0 | 2 | 4 | 2 | 8 |
| 2001 | 1 | 3 | 1 | 3 | 8 |
| 2002 | 0 | 2 | 1 | 1 | 4 |
| 2003 | 2 | 1 | 0 | 1 | 4 |
| 2004 | 0 | 3 | 2 | 0 | 5 |
| 2005 | 0 | 3 | 0 | 1 | 4 |
| 2006 | 0 | 1 | 5 | 2 | 8 |
| 2007 | 0 | 1 | 0 | 3 | 4 |
| 2008 | 1 | 1 | 0 | 3 | 5 |
| 2009 | 0 | 0 | 0 | 2 | 2 |
| 2010 | 0 | 0 | 0 | 1 | 1 |
| 2011 | 0 | 0 | 0 | 2 | 2 |
| 2012 | 0 | 0 | 0 | 2 | 2 |
| Sum | 7 | 23 | 16 | 32 | |

Precursors (Safe, Mishap, Leak): Total = 46. Blowout: Total = 32. Grand total = 78.

Table III. Comparison of Various Estimators in Estimating Probability of Failure of Kick Detection

| Estimator | Formulae | Estimated Probability | Source |
|---|---|---|---|
| One-third estimator | $P = \frac{1}{3n}$ | 0.0043 | Ref. 29 |
| Minimax estimator | $P = \frac{1}{2.5n}$ | 0.0051 | Ref. 30 |
| Median Bayes estimator | $P = 1 - 0.5^{\frac{1}{n+1}}$ | 0.0087 | Ref. 29 |
| P2 estimator | $P = 1 - 0.5^{\frac{1}{n}}$ | 0.0088 | Ref. 29 |
| Bayes estimator | $P = \frac{1}{n+2}$ | 0.0125 | Ref. 31 |
| Upper-bound estimator | $P = \frac{1}{n}$ | 0.0128 | Ref. 29 |

The value of n in Table III is 78, the sum of values in the last column of Table II, representing the total number of demands received by the safety barrier—kick detection. It is observed that due to the radical assumption of zero failures of the kick detection, the estimated values of all the techniques are very small and also differ significantly from each other; therefore, they might not reflect the real situation. To make this comparison more comprehensive, traditional MLE is also applied to estimate the failure probabilities of the safety barriers and the probabilities of occurrences of the consequences. The estimation results of MLE are presented in column 3 of Table IV. It is observed that the probability of kick detection failing is 0 due to the zero failure assumption, which is unrealistic. Moreover, these techniques simply rely on the total number of demands for the kick detection and fail to recognize that there is source-to-source variability in data between each time interval, due to the sporadic conditions under which the drilling operations were carried out.

Table IV. Expected Probabilities for the Failure of Safety Barriers and Occurrence of Consequences (Offshore Blowout)

| Event Tree Parameters | Probability (HBM Joint Likelihood Function) | Probability (MLE) | Probability (HBM Independent Likelihood Functions) |
|---|---|---|---|
| Kick detection | 0.1817 | 0.0000 | 0.0018 |
| Kill operation | 0.8808 | 0.9103 | 0.9176 |
| BOP | 0.2926 | 0.4507 | 0.4639 |
| Casing | 0.3843 | 0.4103 | 0.5897 |
| C1: Safe | 0.0927 | 0.0897 | 0.0947 |
| C2: Mishap | 0.2964 | 0.2950 | 0.2918 |
| C3: Leak | 0.1848 | 0.2051 | 0.1911 |
| C4: Blowout | 0.4260 | 0.4103 | 0.4191 |

The two methods introduced in Section 3.2.1 are used to address the data uncertainty issue in failure probability estimation. In the first method, the failure of safety barriers and the occurrences of the consequences are considered to be completely independent. A binomial distribution is assigned to each safety barrier to model its number of failures per time interval. Similarly, a binomial distribution is also given to each consequence for the same
modeling purpose. Because these events are independent of each other, it is not possible to discern the contribution of failure of kick detection from that of BOP to the occurrences of blowouts. In this regard, it is also assumed that blowouts are solely due to failure of BOP. As a result, the same zero failure issue is also presented to the binomial HBM model of kick detection. The HBM procedure is implemented on the OpenBUGS platform.(32) The estimated failure probability for kick detection based on the binomial HBM model is shown in column 4 of Table IV. This result demonstrates that a slight improvement in flexibility in dealing with zero data events is achieved by the binomial HBM model as compared to MLE. This is mainly due to the fact that HBM is able to take into account the uncertainty in data. More specifically, the zero occurrence of an event under the HBM setting is not absolute; it is one of the values of a random variable following an unknown distribution. The noninformative prior in the HBM enables an adequate exploration of the entire sample space of this unknown distribution, resulting in a more realistic estimation of the failure probability of kick detection. Despite this advantage, the interdependence among the safety barriers is still neglected in modeling. The estimated failure probability of the kick detection is still unreasonably small considering there is a direct relationship between failure of kick detection and blowouts, which make up to 32 (41%) occurrences of the undesired consequences.

Fig. 6. Estimated distributions of the safety barriers.

Fig. 7. Estimated distributions of the consequences.

However, the second method can effectively avoid the problems of MLE and the binomial HBM by fully exploring the interdependence between the consequences and taking into account the uncertainty in data samples. Following the procedure
presented in Section 3.2, the relationship between the consequences and the safety barriers is first extracted from the event tree diagram:

$$\begin{aligned}
\pi_1 &= (1 - \theta_1)(1 - \theta_2);\\
\pi_2 &= (1 - \theta_1)\theta_2(1 - \theta_3)(1 - \theta_4);\\
\pi_3 &= (1 - \theta_1)\theta_2(1 - \theta_3)\theta_4;\\
\pi_4 &= \theta_1 + (1 - \theta_1)\theta_2\theta_3,
\end{aligned} \tag{25}$$

where $\pi = \{\pi_1, \pi_2, \pi_3, \pi_4\}$ and $\theta = \{\theta_1, \theta_2, \theta_3, \theta_4\}$ are the probabilities of occurrence of the consequences and the probabilities of failure of the safety barriers, respectively. It is noticed that the probability of occurrence of blowout is calculated by adding the probabilities of both C4 and C5. This allows the interdependence between the BOP and kick detection to be modeled in the joint likelihood function, which is obtained by substituting Equation (25) into Equation (17). In this way, the zero event situation for the kick detection is avoided. Subsequently, the informative posterior for the failure probabilities of the safety barriers are computed using Equations (11), (12), and (19).

The estimated informative posterior density functions of the failure probabilities are presented in Fig. 6 and their expected values are presented in Table IV. As compared to the values in Table III, the expected probability of kick detection acquired using the second method is in the same order of magnitude of the other safety barriers. This probability estimation is reasonable as the total number of consequences as a result of successful kick detection (C1, C2, and C3) is bigger than the total number of blowouts, not to mention that a portion of the blowouts (C4) also belongs to the consequences of successful kick detection. On the other hand, the kill operation has the highest probability of failure. This leads to a significantly higher number of C2: mishaps and C3: leaks compared to C1: safe.

After obtaining the expected probability of failure of the safety barriers, the probabilities of occurrence of the consequences are estimated using forward analysis. Likewise, the estimated posterior probability distributions of the consequences are shown in Fig. 7. The expected values of these probability distributions, as summarized in Table IV, are the predicted probabilities of occurrence of the consequences in the next time interval (2013) and are estimated using Equation (19). It is observed that the probabilities of occurrence of the consequences C2 to C4 are much higher than the probability of safe operation. This is primarily due to the higher failure probability of the kill operation. This piece of information could help the safety engineers identify the weak link in the safety system.

The number of kicks from 1996 to 2012 can be used to predict the number of kicks in 2013. As outlined in Section 3.2.2, the occurrence of the initial event of an event tree during each time interval is considered to follow a Poisson distribution. In this respect, using Equations (20)–(24), the number of occurrences of kick is estimated to be around 5 (expected value = 4.582), as shown in Fig. 8 and the number of occurrences of each consequence is 0, 2, 1, 2, respectively.

Fig. 8. Estimated distribution for the occurrence rate of the kick.

There are many causes that could lead to a kick in a drilling operation. Fig. 9 shows the fault tree representing a simple causal model of the kick. This example is used to demonstrate the capability of the proposed technique to address the weaknesses of fault tree analysis.

In fact, this model in Fig. 9 is the same as the illustrated example presented in Section 3.1. In a similar setting to the illustrative example, the number of occurrences for both the basic events and the top event is considered to follow a binomial distribution. The only data samples available for estimating the probabilities of the basic events are the number of kicks listed in the last column of Table II. It is noted that the data samples do not include the number of trials/operations (N) for the binomial distribution. In this example, N is estimated to be 72 according to the number of new well drilling permits granted from 2011 to 2014 in the Gulf of Mexico region.(34) Following the procedure outlined in Section 3.1, a noninformative prior is constructed for the parameters of each basic event and is updated using the kick data to become the informative posterior. The informative posterior distributions of the probabilities of occurrence of the basic events
are shown in Fig. 10 and the expected probabilities for these events are summarized in Table V.

Fig. 9. Simple fault tree for kick.(33)

Fig. 10. Estimated distributions of the occurrence probabilities of basic events (offshore blowout).

Table V. Expected Probabilities of Occurrence of the Basic Events and Top Event

| Fault tree Parameters | Estimated Probabilities |
|---|---|
| Power supply failure | 0.7873 |
| Technical failure | 0.6629 |
| Insufficient amount of mud | 0.0844 |
| Insufficient circulation of seawater | 0.1111 |
| Kick | 0.0645 |

Upon estimating occurrence probabilities of the basic events, the occurrence probability of the top event can be determined using forward analysis. The posterior probability distribution of the top event kick is shown in Fig. 11. The expected value of this distribution is listed in the last row of Table V. This value is the predicted probability of occurrence of a kick in time interval 2013. The expected number of occurrences of a kick in 2013 is then computed as 0.0642 × N = 5.0076 ≈ 5, which is the same as the number estimated in the event tree example. This could be explained by considering probability of success as a weighting factor in calculating the expected value of the binomial distribution. Because N is the same for the number of occurrences of kick across all time intervals, the probability/weighting factor in each time interval has the same basis. The predicted probability in the next time interval also shares the same basis. As a result, the expected number of occurrences for 2013 matches with that obtained from the Poisson distribution.

It is demonstrated in this case study that the proposed techniques are able to address the weaknesses of both event tree and fault tree analysis. For the event tree example, by exploring the interdependence between the BOP and kick detection, the zero data event encountered in the traditional
probability estimation is avoided. The source-to-source variability in data is also effectively incorporated in the estimation process by means of HBM for a more accurate prediction of occurrence probability of a major accident in the next time interval. The proposed technique is also adapted to modeling a simple fault tree. This enables the prediction of the probability of occurrence of the basic events using only data of the top event, which is not possible to achieve with traditional inference techniques, such as a Bayesian network.

Fig. 11. Posterior distribution of the probability of occurrence of kick.

5. CONCLUSIONS

This article presents a novel HBM-based technique for risk analysis of major accidents. The proposed technique provides a flexible and universal framework to extend the capability of traditional fault tree and event tree analysis techniques. The static structure of the model developed using these techniques allows only forward analysis in quantitative reasoning. The proposed technique models all the model parameters into a joint likelihood function such that information exchange between these parameters is allowed in all directions, enabling both forward and backward analysis. Another major advantage of using a joint likelihood function is the modeling of interdependence between model parameters, which leads to a more realistic estimation of probability of occurrence of major accidents. The third major advantage of the proposed technique lies in how it is able to cope with data uncertainty, which is not possible to achieve in the original fault tree and event tree analysis. The HBM approach is integrated with the joint likelihood function to account for source-to-source variability in data to minimize uncertainty in parameter estimation. To verify the effectiveness of the proposed technique, an offshore blowout case study has been used. The results have shown that the predictions made by the proposed technique agree well with the pattern in data.

The performance of the proposed HBM technique relies on precise understanding of logical relationships of cause and effects. These relationships could be represented in any form, such as event or fault trees. Without the availability of these relationships, it is not possible to establish a joint likelihood function of the model parameters, such as probabilities of failure of safety barriers and occurrences of causes. The development of a complete model independent safety analysis technique inheriting all features of the presented technique is the focus of the next work.

ACKNOWLEDGMENTS

We acknowledge the financial support of the Lloyd’s Register Foundation. Lloyd’s Register Foundation is a charitable foundation helping to protect life and property by supporting engineering-related education, public engagement, and the application of research.

REFERENCES

1. Bucci P, Kirschenbaum J, Mangan LA et al. Construction of event-tree/fault-tree models from a Markov approach to dynamic system reliability. Reliability Engineering & System Safety, 2008; 93(11):1616–1627.
2. Assaf T, Dugan JB. Diagnostic expert systems from dynamic fault trees. Pp. 444–450 in Proceedings of the Annual Symposium-RAMS on Reliability and Maintainability, IEEE, 2004, Los Angeles, CA, USA.
3. Khakzad N, Khan F, Amyotte P. Safety analysis in process facilities: Comparison of fault tree and Bayesian network approaches. Reliability Engineering & System Safety, 2011; 96(8):925–932.
4. Ching J, Leu S-S. Bayesian updating of reliability of civil infrastructure facilities based on condition-state data and fault-tree model. Reliability Engineering & System Safety, 2009; 94(12):1962–1974.
5. Khakzad N, Khan F, Amyotte P. Dynamic safety analysis of process systems by mapping bow-tie into Bayesian network. Process Safety and Environmental Protection, 2013; 91(1):46–53.
6. Bier V, Yi W. The performance of precursor-based estimators for rare event frequencies. Reliability Engineering & System Safety, 1995; 50(3):241–251.
7. Quigley J, Bedford T, Walls L. Estimating rate of occurrence of rare events with empirical Bayes: A railway application. Reliability Engineering & System Safety, 2007; 92(5):619–627.
8. Ibragimov IdA, Has’minskii RZ. Statistical Estimation: Asymptotic Theory. New York: Springer Science & Business Media, 2013.
9. Bier VM, Haimes YY, Lambert JH et al. A survey of approaches for assessing and managing the risk of extremes. Risk Analysis, 1999; 19(1):83–94.
10. Goossens L, Cooke R. Applications of some risk assessment techniques: Formal expert judgement and accident sequence precursors. Safety Science, 1997; 26(1):35–47.
11. Meel A, Seider WD. Plant-specific dynamic failure assessment using Bayesian theory. Chemical Engineering Science, 2006; 61(21):7036–7056.
12. Kalantarnia M, Khan F, Hawboldt K. Dynamic risk assessment using failure assessment and Bayesian theory. Journal of Loss Prevention in the Process Industries, 2009; 22(5):600–606.
13. Bearfield G, Marsh W. Generalising event trees using Bayesian networks with a case study of train derailment. Pp. 52–66 in Computer Safety, Reliability, and Security. Springer, 2005.
14. Siu NO, Kelly DL. Bayesian parameter estimation in probabilistic risk assessment. Reliability Engineering & System Safety, 1998; 62(1):89–116.
15. Chen Z, McGee M. A Bayesian approach to zero-numerator problems using hierarchical models. Journal of Data Science, 2008; 6(2):261–268.
16. Yang M, Khan FI, Lye L. Precursor-based hierarchical Bayesian approach for rare event frequency estimation: A case of oil spill accidents. Process Safety and Environmental Protection, 2013; 91(5):333–342.
17. Kaplan S. On a “two-stage” Bayesian procedure for determining failure rates from experimental data. IEEE Power Engineering Review, 1983; 1(PER-3):43.
18. Kaplan S. On a two-stage Bayesian procedure for determining failure rates from experiential data. In Nuclear Power Plant Risk Management, 1985.
19. Datta GS, Ghosh M. On the invariance of noninformative priors. The Annals of Statistics, 1996; 24(1):141–159.
20. Assoudou S, Essebbar B. A Bayesian model for Markov Chains via Jeffrey’s prior. Communications in Statistics—Theory and Methods, 2003; 32(11):2163–2184.
21. Kelly DL, Smith CL. Bayesian inference in probabilistic risk assessment—The current state of the art. Reliability Engineering & System Safety, 2009; 94(2):628–643.
22. Yan Z, Haimes YY. Cross-classified hierarchical Bayesian models for risk-based analysis of complex systems under sparse data. Reliability Engineering & System Safety, 2010; 95(7):764–776.
23. Gelman A. Prior distributions for variance parameters in hierarchical models (comment on article by Browne and Draper). Bayesian Analysis, 2006; 1(3):515–534.
24. Abimbola M, Khan F, Khakzad N et al. Safety and risk analysis of managed pressure drilling operation using Bayesian network. Safety Science, 2015; 76:133–144.
25. Bobbio A, Portinale L, Minichino M et al. Improving the analysis of dependable systems by mapping fault trees into Bayesian networks. Reliability Engineering & System Safety, 2001; 71(3):249–260.
26. Khakzad N, Khan F, Amyotte P. Quantitative risk analysis of offshore drilling operations: A Bayesian approach. Safety Science, 2013; 57:108–117.
27. BSEE (Bureau of Safety and Environmental Enforcement US). Incident statistics and summaries 1996–2012. In Series Incident Statistics and Summaries 1996–2012, Available at: https://www.bsee.gov/stats-facts/offshore-incident-statistics/incident-stats-and-summaries.
28. Khakzad N, Khan F, Paltrinieri N. On the application of near accident data to risk analysis of major accidents. Reliability Engineering & System Safety, 2014; 126:116–125.
29. Bailey RT. Estimation from zero-failure data. Risk Analysis, 1997; 17(3):375–380.
30. Quigley J, Revie M. Estimating the probability of rare events: Addressing zero failure data. Risk Analysis, 2011; 31(7):1120–1132.
31. Thorne M, Williams M. A method for estimating failure rates for low probability events arising in American Nuclear Society, Inc., La Grange Park, IL, USA.
32. Lunn D, Spiegelhalter D, Thomas A et al. The bugs project: Evolution, critique and future directions. Statistics in Medicine, 2009; 28(25):3049–3067.
33. Podofillini L, Sudret B, Stojadinovic B et al. Safety and Reliability of Complex Engineered Systems. London: Taylor and Francis Group, 2015.
34. BSEE (Bureau of Safety and Environmental Enforcement US). Status of Gulf of Mexico well permits 2011–2014. In Series Status of Gulf of Mexico Well Permits 2011–2014, Available at: https://www.bsee.gov/stats-facts/ocs-regions/status-of-gulf-of-mexico-well-permits.
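The joint-likelihood estimation of Section 4 (Equation (25) applied to the Table II counts), as an added example that is not the authors' OpenBUGS model: it first computes the MLE under the zero-failure assumption (the MLE column of Table IV) and then samples the joint likelihood with a plain random-walk Metropolis sampler. Flat priors on each θ in place of the paper's diffuse-gamma hyper priors, the step size, the seed and all function names are assumptions made here, so the posterior means illustrate the method and are not expected to match the HBM column of Table IV.

```python
import math
import random

# Table II of the paper: yearly counts (Safe, Mishap, Leak, Blowout), 1996-2012.
TABLE_II = [
    (0, 0, 1, 3), (2, 1, 1, 1), (0, 3, 1, 3), (1, 2, 0, 2), (0, 2, 4, 2),
    (1, 3, 1, 3), (0, 2, 1, 1), (2, 1, 0, 1), (0, 3, 2, 0), (0, 3, 0, 1),
    (0, 1, 5, 2), (0, 1, 0, 3), (1, 1, 0, 3), (0, 0, 0, 2), (0, 0, 0, 1),
    (0, 0, 0, 2), (0, 0, 0, 2),
]
# With theta constant over the years, the likelihood depends only on column sums.
TOTALS = [sum(col) for col in zip(*TABLE_II)]  # Safe, Mishap, Leak, Blowout


def consequence_probs(theta):
    """Equation (25): barrier failure probabilities -> consequence probabilities."""
    t1, t2, t3, t4 = theta  # kick detection, kill operation, BOP, casing
    return (
        (1 - t1) * (1 - t2),                  # C1: safe
        (1 - t1) * t2 * (1 - t3) * (1 - t4),  # C2: mishap
        (1 - t1) * t2 * (1 - t3) * t4,        # C3: leak
        t1 + (1 - t1) * t2 * t3,              # blowout (C4 and C5 combined)
    )


def log_likelihood(theta, totals=TOTALS):
    """Joint multinomial log-likelihood, dropping the theta-free factorial terms."""
    return sum(d * math.log(p) for d, p in zip(totals, consequence_probs(theta)))


def mle_zero_failure(totals=TOTALS):
    """MLE when every blowout is attributed to the BOP, so theta1 is forced to 0."""
    safe, mishap, leak, blowout = totals
    kicks = safe + mishap + leak + blowout
    theta2 = (kicks - safe) / kicks    # kill operation failed
    theta3 = blowout / (kicks - safe)  # BOP failed, given the kill failed
    theta4 = leak / (mishap + leak)    # casing failed, given the BOP held
    return (0.0, theta2, theta3, theta4)


def sample_posterior(n_iter=60000, burn_in=5000, step=0.05, seed=1):
    """Random-walk Metropolis on theta; flat priors on (0, 1) are an assumption."""
    rng = random.Random(seed)
    theta = [0.1, 0.9, 0.3, 0.4]
    current = log_likelihood(theta)
    samples = []
    for i in range(n_iter):
        proposal = [t + rng.uniform(-step, step) for t in theta]
        if all(0.0 < t < 1.0 for t in proposal):  # zero prior mass outside
            candidate = log_likelihood(proposal)
            if rng.random() < math.exp(min(0.0, candidate - current)):
                theta, current = proposal, candidate
        if i >= burn_in:
            samples.append(tuple(theta))
    return samples


def posterior_means(samples):
    """Backward analysis (mean theta) and forward analysis (mean pi, Equation (19))."""
    n = len(samples)
    probs = [consequence_probs(s) for s in samples]
    theta_hat = [sum(s[i] for s in samples) / n for i in range(4)]
    pi_hat = [sum(p[i] for p in probs) / n for i in range(4)]
    return theta_hat, pi_hat


if __name__ == "__main__":
    print("MLE, zero-failure assumption:", [round(t, 4) for t in mle_zero_failure()])
    theta_hat, pi_hat = posterior_means(sample_posterior())
    print("posterior mean theta:", [round(t, 4) for t in theta_hat])
    print("posterior mean pi:   ", [round(p, 4) for p in pi_hat])
```

Because kick detection failure and BOP failure both feed the blowout term of Equation (25), the sampler can trade one against the other, which is why the kick detection estimate is no longer pinned at zero.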
