Risk models using fault and event trees can be extended with explicit factors, which are states of the system, its users or its environment that influence event probabilities. The factors act as parameters in the risk model, enabling the model to be re-used and also providing a new way to estimate the overall risk of a system with many instances of the risk. A risk model with parameters can also be clearer

Bearfield, GJ

Marsh, DWR

MASR-2009 Modeling and Analysis of Safety and Risk in Complex Systems

English

Queen Mary Research Online

WHY RISK MODELS SHOULD BE PARAMETERISED D.W.R Marsh, School of Electronic Engineering and Computer Science, Queen Mary, University of London, London, UK, and  G. J. Bearfield, Rail Safety and Standards Board, London, UK ABSTRACT Risk models using fault and event trees can be extended with explicit factors, which are states of the system, its users or its environment that influence event probabilities. The factors act as parameters in the risk model, enabling the model to be re-used and also providing a new way to estimate the overall risk of a system with many instances of the risk. A risk model with parameters can also be clearer. 1 Introduction The safety of a complex system depends on an understanding of the possible accidents of the system, including their causes, probability and severity.  This understanding is captured in risk models, which are used to support decisions about how to design, operate and manage a system, ensuring safety. One form of risk model identifies a ‘hazardous event’ as the starting point of a possible accident and then separately analyses: • the causes of the hazardous event, using a fault tree to specify the combinations of base events that lead to the hazardous event, • the events leading to accidents, starting from the hazardous event, using an event tree. The result of the accident is some loss or harm: the extent of the loss may depend on other factors as well as the outcome of the accident in which case a model of the severity of the loss is also needed. 1.1 Aim Using an example, we show how a risk model represented using fault and event trees can be parameterised.  The parameters are states of a system that influence the probability of the events in the fault and event tree.  We argue that including parameters: • extends the usefulness of a risk model, and • makes the structure of the risk model clearer. We have explained elsewhere [1,2] how a parameterised fault and event tree risk model can be implemented using a Bayesian network (BN). The risk analyst continues to build the core of the model using the standard fault and event tree notations; the underlying BN, which can be derived automatically, is used for calculation. Explicit use of a BN is only required where the fault and event tree notations run out, providing no way to include parameters. The focus of this paper is to present the advantages of adding parameters to fault and event tree risk model. We do this in the context of a simple example (section 2). 1.2 Bayesian Networks A Bayesian network [3] is a directed graph, without cycles (see Figures 3, 4). The nodes are uncertain variables and the arcs represent influence between variables. The parents of a variable X are the variables Y with an arc from Y to X. For each variable, the parents influence the variable’s value is specified as a probability distribution over the states of the variable, given the state of each parent. A variable with no parents has a ‘prior’ probability distribution over its states. When variables have discrete states, a table of conditional probabilities can be used to represent both prior probabilities and the influences of one variable on another.  The network represents the joint probability distribution of a set of uncertain variables efficiently. The values of known variables can be entered and the probability distribution updated, providing a flexible form of reasoning from evidence. BN have been applied to safety and reliability analysis (Section 5). 1.3 Outline The remainder of the paper is organised as follows: the use of parameters in a risk model using fault and event tress is described in section 2, using an example. Section 3 shows how parameters extend the uses of the risk model and section 4 how the construction of the model is made clearer. 2 Example Risk: Falls on Stairs The example risk model concerns falls on stairs. This is a common accident, with ~500 reported incidents a year in the UK [4]. Stair design, maintenance, the users’ characteristics (e.g. age) and behaviour influence safety. The more likely injuries are bruises and bone fractures; more serious are fractures to the skull. Despite the importance of this risk in practice, in this paper it is used only to illustrate the concept of a parameterised risk model. The reader is asked to think of ‘falls on stair’ as representing one of a family of risk models, modelling the possible accidents of a complex system.  2.1 Modelling Causes of the Hazardous Event In this section, we describe the causes of the hazardous event.  Table 1 shows the base events and Figure 1 shows how the base events can combine to cause the hazard. As well as the standard fault tree gates, Figure 1 also shows five factors, which are listed in Table 2. Table 1: Base Events for Loss of Footing              Table 2: Factors influencing the Base Events Base Event Description  Factor Description Values TripHazard Condition of stair creates a trip hazard  Surface The material exposed on the floor. wood / concrete / carpet InAttention Lack of attention to possible trip hazard  Speed The speed of the person (before falling). normal / fast Imbalance Imbalance causes foot to slide on step  Visibility How easy it is to see the steps. enhanced / lighted / poor Slip Lack of friction causes foot to slip  Usage How many people are using the stairs. single / many / rush Misstep Foot not placed correctly on stair  Age Age of the person. young / old     Pitch The pitch of the staircase.  gentle / steep These factors influence the probability of the base events. Instead of each base event having a single probability of occurrence (per descent), different probabilities are used depending on the value of the factors. Table 3 shows an example, for the ‘Inattention’ event. These factors therefore act as parameters, since selecting the value of the parameter determines the event probability that is used. Table 3: Probability (per descent) of Inattention, given Visibility and Usage Visibility Enhanced Lighted Poor Usage Single Many Rush Single Many Rush Single Many Rush Inattention=True 0.001 0.005 0.01 0.002 0.008 0.02 0.0005 0.01 0.03 2.2 Modelling the Outcome of the Hazardous Event Loss of footing does not always lead to a serious fall. Instead a range of outcomes is possible: the most serious scenario is toppling sideways in the stairwell, while the least serious is to grab hold of a banister and avoid falling, with other possibilities between these extremes. This analysis is captured in event tree (Figure 2) containing the events of Table 4. Table 4: Events Following Loss of Footing Events States Description Holds Holds, drops, sideways. The person catches the railing, falls, or overbalances into the stairwell  Falls Forward, backward  Person falls forwards or backwards Breaks Yes, no Person breaks their fall at a landing The events in the event tree are also conditioned by factors. The factors ‘Age’ and ‘Pitch’ that also influence base events occurs, together with two further factors shown in Table 5. Table 5: Factors influencing the Base Events Factor Description Values Design An open staircase has no sidewall. A straight staircase is a single flight, not broken by landings. open / straight / landings Width  The width of the steps (not the width of the tread). wide / narrow The factors influence the probability distribution over the branches of the event tree, replacing fixed probabilities with a table such as the one shown in Table 6.  Lose FootingTripHazardGATE 1ORGATE 2AND ANDMisstepVisibility Usage AgeSpeed SurfacePitchGATE 3Inattention Imbalance Slip Figure 1: Fault Tree with Parameters  Lose Holds Falls BreakyesnoyesnoVerticalForward-shortForward-longBackward-shortBackward-longStartledWidth PitchDesignAgeforwardsbackwardsholdsdropssideways Figure 2: Event Tree with Parameters  AgeLength SurfaceVisibilityUsageDesignWidthPitchSpeedAgeOutcome LengthAISInjury    Figure 3: Model of the Estimated Loss    Figure 4: Relationships between Factors   Table 6: Probability distribution of ‘Breaks’, given Design factor and Falls event Falls Backwards Forwards Design Open Straight Landings Open Straight Landings Breaks=No 60% 50% 10% 50% 25% 5% Breaks=Yes 40% 50% 90% 50% 75% 95% The ‘Breaks’ event in our risk model is notable because its probability depends on the preceding ‘Falls’ event, as well as on the “Design’ factor. Traditional event trees show this dependence only by using different probabilities in different parts of the tree. Figure 2 also shows the six outcomes – in this case, each path through the event tree has a different outcome but this need not be the case.  2.3 Estimate of the Loss The final stage of the model is to estimate the loss. In our example, we model this an expected injury scored on a (simplified) Accident Injury Score (AIS) [5], one of a number of such scores used by doctors. The score has values ‘minor (1-2)’, ‘serious (3-4)’, ‘critical (5)’ and ‘unsurvivable (6)’. Figure 3 shows a BN in which the AIS depends on the outcome of the accident and two other factors. Again, this model is quantified by specifying conditional probability tables for each variable. The overall characteristics of the model are: • It calculates a probability of injury, by AIS, for each stair descent. • It is parameterised by factors, characterising the stairs, the way they are used and the user. 3 How Parameters Extend the Use of the Risk Model The parameterised model can be used in different ways. In section 3.1, we describe how the model can be reused to calculate risk in different situations. In section 3.2, we change focus from specific instances to the problem of estimating the total risk created by many separate instances of the risk. 3.1 Reusing the Risk Model The model can be used to estimate risk by giving a value to each factor, or to only some factors, provided that the others have a prior probability or are influenced by other factors. To illustrate this, we imagine (Figure 4) two factors influenced by other (‘Usage’, ‘Speed’), two with prior probability distributions (‘Age’, ‘Width’), perhaps because data is not available, and the rest observed (shown with dotted boundary in Figure 4). The values observed for 3 staircases are shown in Table 7. Table 7: Observed Values of Factors for Different Stairs Factor Design Length Pitch Surface Visibility Stair1 Landing Short Gentle Carpeted Poor Stair2 Straight Long Steep Wooden Enhanced Stair3 Open Long Gentle Concrete Lighted With this data, the model gives a probability for each AIS score, per stair descent, for each staircase, as shown in Figure 5. 0.00E+00 1.00E-06 2.00E-06 3.00E-06 4.00E-06 5.00E-06 6.00E-06 7.00E-06 8.00E-061-23-456AISProbabilityStair3Stair2Stair1Figure 5: AIS probability Distribution for 3 Staircases 3.2 Risk Profiles and Aggregate Risk Suppose that an estimate is needed of the risk from falls on stairs for an institution, such as a University, with many buildings, each with many staircases. We can use the parameterised model to aggregate the risk for each instance of the risk. To do this, two issues must be addressed: 1. Data must be collected for each instance of the risk. 2. The estimated risks for each instance must be combined coherently. Data could be collected for each staircase, as described in Section 3.2, but other approaches are also possible. Suppose that we do not wish to carry out a full survey of the institution’s staircases, but can instead estimate the probability distribution of the factors for the staircases in each building. This might be done by a sample survey or from knowledge (e.g. of the building style at the time the building was constructed). Table 8 illustrates the form of this data for an imagined mathematics building; similar data is needed for other buildings. Table 8: Characteristics of the Staircases in one Building  Age Design Length Pitch Surface Visibility Maths Young: 80% Old: 20% Landing: 80% Straight: 15% Open: 5% Short: 50% Long: 50% Gentle: 25% Steep: 75% Carpeted: 0% Wooden: 25% Concrete: 75% Poor: 0% Enhanced: 20% Lighted: 80% To combine the risk estimated for each building, we need to estimate how the total stair descent events in the university are distributed between the different buildings. This information is used to combine the separate risk estimates in the correct proportion. The BN implementing the risk model can do almost all this calculation (except a final scaling by the total number of stair descent events) with the following additions: 1. A ‘scenario’ variable in the BN, with one state for each risk scenario (a building, in the example). Arcs from this variable to the factors enable data such as Table 8 to be incorporated into the model. 2. An additional base event in the fault tree, representing the stair descent event. An arc from the ‘scenario’ variable to this event can encode the proportion of stair events for each scenario. The risk model calculates probability distributions, per stair descent, for the whole system (here, the buildings in the institution) weighted by the proportion of stair descents in each building. In our example, with three buildings, we estimate an AIS 1-2 accident rate of approximately 5 / year and AIS 6 accident rate of 0.03 / year.  In the remainder of this section, we describe two advantages of estimating whole system risk by aggregating separate instances of the risk. Having a Risk Profile When the whole system risk is calculated by aggregating separate instances of the risk, we can obtain a risk profile (similar to Figure 5). The whole system risk estimate is useful for acceptance but the risk profile provides much more information indicating how the risk can be reduced. Inaccuracy of Using Averages to Calculate the Aggregate Risk The calculation of the overall system risk by aggregating the contributions of separate risks takes account of correlations between the fault tree and the event tree parts of the model. In our example, suppose that: • one building has steep staircases but is used mainly by young people • another building has older users but the staircases are not steep. In our model, these factors (older age of users and steepness of staircase) increase both the probability of loss of footing and the relative probability of the more serious accidents. The BN calculates the joint probability of the hazardous event and the factors, so the probabilities of the accident outcomes are correctly calculated for each stratum (age and steepness) before being summed. If the fault tree and the event tree are separated, the marginal (or average) probability of the hazardous event is used, effectively over representing the combination ‘old’ and ‘steep’, which is rare. In our example, this leads to an over estimate of the probability of accidents for some AIS values of up to 8%. In general, however, the use of averages can over or under estimate risk. 4 How Parameters Clarify the Structure of the Risk Model 4.1 Assumptions Made Explicit The risk analyst must estimate the probability of each event from data or experience. The probability varies for different instances and it is likely that the analyst evaluates the differences using some causal reasoning – for example, a trip hazard on this staircase would be harder to notice because the lighting is poor. Without explicit factors, the basis for the judgement of probabilities is less clear. 4.2 States and Events Distinguished Suppose that a risk analyst wishes to model the influence of age on the ‘falls’ event, without using explicit parameters. It is possible to do this simply by regarding ‘Age’ as an event (see Figure 6); this confusion quickly increases the size of the event tree as not only the branches for ‘falls’ are duplicated (as required) but also those for ‘break’, which is not influenced by ‘Age’. Similar techniques can be used in the fault tree, e.g. to distinguish fast and slow stair descents, with the same problems.  Lose Holds Falls BreakyesnoyesnoVerticalForward-shortForward-longBackward-shortBackward-longStartledforwardsbackwardsholdsdropssidewaysAgeforwardsbackwardsyoungoldyesnoyesnoForward-shortForward-longBackward-shortBackward-long Figure 6: Event Tree with a Factor Treated as an Event 5 Related Work and Conclusions Others have proposed parameterised risk models. For example [6, 7] describes a risk model of the Irish Railway. BNs have also been used in safety and reliability, for example for the probabilistic risk assessment (PRA) of nuclear waste disposal [8] and air transport [9, 10]. Ways of using BNs to incorporate organisational factors into safety assessment have been proposed, for example in [11] (nuclear power plants) and [12] (maritime transportation). We have used an example to show how a risk model can be made both clearer and more useful by the addition of explicit parameters. The analysis methodology (in this case, using fault and event trees) is unchanged, but more of the analyst’s reasoning is represented explicitly in the model. 6 References 1. D.W.R. Marsh & G.J. Bearfield, “Generalizing event trees using Bayesian networks” in Proc. IMechE, PartO: J. Risk and Reliability vol. 222, no. O2, pp. 105-114, 2008 2. William Marsh & George Bearfield, “Representing Parameterised Fault Trees using Bayesian Networks” in Proceedings of the 26th International Conference on Computer Safety, Reliability and Security, SAFECOMP 2007, LNCS, Vol. 4680, Springer-Verlag, 2007, ISBN: 978-3-540-75100-7 3. F. V. Jensen & T. D. Nielsen, Bayesian networks and decision graphs, Edition: 2, Springer, 2007. 4. Health and Safety Laboratory, “Falls on Stairways – Literature Review”. Report Number, HSL/2005/10, May 2005, available from http://www.hse.gov.uk/research/hsl_pdf/2005/hsl0510.pdf  5. Abbreviated Injury Score (AIS) http://www.trauma.org/index.php/main/article/510/ (accessed April 2009) 6. Sotera, “Developing a Location Specific Risk Model for Irish Rail,” 2007. Available from http://www.sotera.co.uk/pdf/Location%20specific%20risk%20model.pdf (accessed April 2009) 7. P. Dray, G.J. Bearfield & D.W.R. Marsh, “Constructing Scalable and Parameterised System Wide Risk Models” in Proceedings of 25th International System Safety Conference, Baltimore, USA, August 13-17, 2007, System Safety Society, 2007 8. C. Lee and K.J. Lee, “Application of Bayesian network to the probabilistic risk assessment of nuclear waste disposal,” Reliability Engineering & System Safety, vol. 91, May. 2006, pp. 515-532. 9. B Malcolm & R Shaw M Neil, “Modeling an Air Traffic Control Environment Using Bayesian Belief Networks” in 21st International System Safety Conference, August 2003 10. B. Ale, L. Bellamy, R. Cooke, L. Goossens, A. Hale, A. Roelen, and E. Smith, “Towards a causal model for air transport safety – an ongoing research project,” Safety Science, vol. 44, Oct. 2006, pp. 657-673.  11. S. Galan, A. Mosleh, and J. Izquierdo, “Incorporating organizational factors into probabilistic safety assessment of nuclear power plants through canonical probabilistic models,” Reliability Engineering & System Safety, vol. 92, Aug. 2007, pp. 1131-1138. 12. P. Trucco, E. Cagno, F. Ruggeri, and O. Grande, “A Bayesian Belief Network modelling of organisational factors in risk analysis: A case study in maritime transportation,” Reliability Engineering & System Safety,  vol. 93, Jun. 2008, pp. 845-856. 

Why Risk Models should be Parameterised

https://qmro.qmul.ac.uk/xmlui/bitstream/123456789/1145/2/MARSH%20Why%20Risk%20Models%202009%20Accepted.pdf

Why Risk Models should be Parameterised

Abstract

Similar works

Full text

Available Versions

Queen Mary Research Online