Dennis C. Bley
Presented at the 38th Annual Conference
Challenges of the Changing Arctic:
Continental Shelf, Navigation and Fisheries
Bergen, June 25-28th 2014
Buttonwood Consulting, Inc. &
The WreathWood Group
[email protected]





What is different about risk assessment?
Characteristics of a modern PRA
Examples related to the sea
PRA as a language for addressing uncertainty
PRA can support policy and legal decisions
2



Risk is probability AND consequences
Integrated model accounting for interactions
Beginnings—WASH-1400 Rasmussen Report
 Fault tree deductive logic of failure
 Event tree on critical safety functions



Serendipity: the solution to difficulties of single,
large fault trees leads to a scenario-oriented
approach that reaps benefits
Expanded scope to external events, human
interactions, rigorous uncertainty treatment
Can understand importance to issues of interest
3
The “Risk Triplet”— <Si, pi, Ci>
• Si – a scenario
• Pi—the likelihood that the scenario occurs
• Ci—the consequences of the scenario
4
5
The Irish Government commissioned
an assessment by an independent
Team to determine the potential risks
to Ireland associated with the
Sellafield Site and the Low-Level Waste
Repository.
Decision driven by the site’s location,
its history, and the amount and type
of radioactive materials there.
The information in this analysis will
help the Irish Government better
understand the risk posed by current
activities at Sellafield and the LowLevel Waste Repository and provides
a baseline to support understanding
of future activities there.
Activity eased tensions between the
governments.
6
7
Colors match the
severity categories of
the International
Nuclear & Radiological
Event Scale (INES)
8
9
10
11
12
• Blind shear ram in blowout preventer can
completely seal off well &
• At least one rig worker hit emergency
button in first minutes—failed
• Risk analysis commissioned by the
manufacturer identified multiple single
failures, including shuttle valve
• Do we need PRA? In mid-1980’s an ACRS
member challenged that many of the failure
sets we identified would have been found by
any good engineer.
Yes, but…
13
Later reports identified additional specific
causes. See NAS Report; Bureau of Ocean
Energy Management, Regulation and
Enforcement Report; U.S. Chemical Safety and
Hazard Investigation Board Report, etc.
14
15
• Vessel: Malaysian-registered Bulk Carrier, 738 ft, 40,000 gross tons
• Carrying: 60,000 tons of soybeans and 1,000 tons of fuel oil
• Casualty: lost power; vessel ran aground & broke up after drifting 100 miles
• Location: north shore of Unalaska Island
• Consequences: six fatalities, one serious injury; $12 million vessel loss; rescue
helicopter crashed; 336,000 gal of heavy fuel oil spilled
• Causal factors:
– Main engine failure, crew unable to repair and restart
– Severe weather, high winds and seas contributing to problems with repair work
and with rescue operations
– Failure to notify authorities and seek assistance in a timely manner
– Lack of adequate emergency towing/anchoring gear
– Inadequate prior engine maintenance
– Lack of adequate rescue/towing vessel and equipment in the region
– Lack of proper survival equipment for crew
16
17

Phase A: focused/ scoping analysis
 Traffic study, spill baseline study, identification of high-
risk accidents, limited consequence analysis, accident
scenario and causality study
 Result: qualitative assessment of risk reduction options

Phase B: extend analysis based on Phase A
 Support robust decisions on the selection, design, and
implementation of risk control measures
 Quantitative analysis to the extent possible
▪ More detailed causal modeling; consideration of human factors;
evaluation of rare, high-consequence events; formal use of
expert opinion; and rigorous uncertainty and sensitivity analyses
18
Ship Type
Accident
Categories
Location
(Area)
Immediate
Damage
Conditions
Opportunity
for Control
Causes
Environmental
Consequences
Opportunity
for Control
Remediatio
n
Illustrative zones
19
20
21




Zion & Indian Point nuclear plant hearings
South Coast Air Quality Management District
court case concerning regulation of petrochemical plants in California
Ireland’s concerns about risk to Ireland and
Irish interests from Sellafield in UK
Congressional concerns about the U.S.
Army’s program to destroy obsolete chemical
weapons
22
24
25
Aleutian Shipping PRA
Hazardous Substances to Consider
26
27
28
M/V Kuroshima
• Vessel: Japanese-registered freighter, 367 ft
• Carrying: fisheries cargo and bunker fuel oil
• Casualty: Vessel dragged anchor in harbor and ran aground
• Date: November 1997
• Location: Dutch Harbor
• Consequences: one fatality; vessel damage; 40,000 gal of heavy
fuel oil spilled onto
beach and freshwater lake
• Causal factors:
– Severe storm, high winds and seas
– Inadequate emergency anchoring system
– Lack of adequate tow/rescue tug in region
29
M/V Cougar ACE
• Vessel: Singapore-registered car carrier, 654 ft
• Carrying: 4,800 vehicles, 180,000 gal of fuel
• Casualty: vessel heeled over 80 degrees, was adrift without power for a few days
• Date: July 2006
• Location: south of Aleutians
• Consequences: one fatality; vessel damage; vessel able to be towed to Dutch Harbor
for repairs; near-miss polluting event
• Causal factors: investigations under way
T/B Foss 256
• Vessel: U.S.-registered tug-barge unit
• Carrying: fuel oil cargo for Navy facility in western Aleutians
• Casualty: high winds pushed barge over rocks while oil was being transferred to
shore; vessel ran aground, and several cargo tanks were penetrated
• Date: January 1989
• Location: Amchitka Island, western Aleutians
• Consequences: 84,000 gal of diesel oil spilled; no cleanup
• Causal factors:
– Severe weather
– No emergency response equipment in the area
– Other factors unknown
30
F/V Phoenix
• Vessel: U.S.-registered fishing vessel out of Dutch Harbor
• Carrying: 7,000 gals diesel fuel
• Casualty: vessel lost power and control when fishing gear became entangled in
rudder; vessel drifted to Unimak Island shore, grounded, and was penetrated
• Date: April 1993
• Location: Unimak Island just west of Unalaska
• Consequences: all 7,000 gal of diesel fuel spilled; no cleanup
• Causal factors:
– Inadequate care paid to handling of fishing gear
– Heavy weather
– Lack of available emergency response
31
32
33
The New View of Human Error:
Human error is a symptom of trouble
deeper inside a system
To explain failure, do not try to find
where people went wrong
Instead, investigate how people’s assessments
and actions would have made sense at the time,
given the circumstances that surrounded them
*The Field Guide to Human Error Investigations, Sidney Dekker
34
ErrorForcing
Context
Plant Design,
Operations
and
Maintenance
Performance
Shaping
Factors
Plant
Conditions
35
PRA
Logic
Models
Human Error
Error
Mechanisms
Unsafe
Actions
Human Failure
Events
Scenario
Definition
Risk
Management
Decisions
1. Define & interpret
the issue
Nominal
Context
2. Define the scope
of analysis Many
of the steps in ATHEANA are
typical good practices and so are
not really additional or unique steps
3. Describe PRA in performing an HRA. However
4. Define potential
scenario & its these good practices are formalized
HFEs & UAs
nominal context
as specific steps in the
methodology.
5. Assess human
performance information
& characterize factors
that could lead to
potential vulnerabilities
6. Search for plausible
deviations from the
PRA scenario
Error-Forcing Context
7. Evaluate potential to
recover from the
HFE
36
8. Estimate
P(HFE|context)
9. Incorporate
results into PRA
37