Some critical comments on risk analysis. C MacFarlane; 11 November 1994
Some (critical) Comments On Risk Analysis
A paper to be delivered at a conference
on
OFFSHORE SAFETY IN A COST CONSCIOUS ENVIRONMENT
at Stavanger, Norway, November 15/16 1994
by
Professor Colin MacFarlane, Strathclyde University, Glasgow, Scotland
&
Ms Catherine Parry, RM Consultants Ltd., Warrington, England
(Formerly at Strathclyde University)
1. Introduction
I have a rather critical view of risk analysis as used in concept design and safety case arguments.
Events are taken in isolation from their true environment and judged on a basis which seems
absolute but which disguises subjectivity and misconception. The decisions made are flawed.
I have gathered a selection of criticisms together in sections as follows,
Incompleteness
The failure to attack those events which do occur and which do cause loss and hurt. The emphasis is on disaster mitigation rather than accident prevention. This will be
highlighted by considering the annual averaged losses due to small accidents and the
extent to which these can be reduced by design.
The incompleteness of the cases used to justify the results. Risk analysis as used at
present is only justified in dealing with consequences of defined events and is
inapplicable for definition of initiating events. Problems that arise when trying to
quantify the reliability of software or to justify its integrity can be used to throw light on
this.
Assumptions made about the independence of events at conceptual levels are at odds with the known interdependence of circumstances in accident initiation and escalation.
Non absoluteness/inequality
The application of ALARP which gives different results depending on when remedial
measures are taken. It is shown that companies that do not design properly can benefit
from this principle and justify lower standards than those who are more comprehensive
in their safety process.
Reliance on organisational solutions
An old paper that I thought worth re-issuing as I’ve been thinking about re-working some of the ideas. C MacF 2012
The problems arising when 'organisational' fixes are used to cover for the failure to fix
safety problems by physical means - essentially a criticism of self regulation based on
Tversky & Kahneman's 'prospect theory'. This will be exemplified by discussion of
measurements of stability in service on drilling semi-submersibles and by consideration
of the introduction of automated drilling in the UK and Norwegian sectors.
The conclusion is that risk analysis as it stands is flawed. It does not address critical aspects of
offshore safety and, where it does address problems it does not do so rigorously, or completely
or on any absolute basis. It is suggested that the essentially complementary tool of cost benefit
analysis is equally flawed unless all organisations are at the same level of control and industry
self regulation provides no easy way out: modern safety theory concludes that safety matters
will, on average, always lose out to commercial interest. The inescapable conclusion is that
measures of prescriptive legislation are essential and emphasis on discrete work areas and on
'local' management of safety must be high until further developments are made in risk analysis
and design project management.
That is the case put in this paper. It is intended to provoke discussion and the author would
welcome any comments or criticisms.
2.0 Incompleteness
2.1 Misdirected effort
Risk analysis as it is commonly understood is the process of identifying hazards, quantifying
their likelihood of realisation and either selecting from options or seeking to mitigate the effects
of occurrence. In the UK safety framework risk analysis is strongly linked to the Safety Case
Regulations which are, of course, concerned with major accidents and it is with this meaning of
risk analysis that we are concerned here - the techniques used to justify the design and operation
of offshore production systems.
Risk or reliability analysis is also used, however, in a more general sense in structural design and
fire and explosion analyses, for example; both of which are concerned with a number of small
initiator events (fatigue cracks, gas leaks) with the potential to escalate to disaster. Moreover, it
has always been the case that it is the engineer's job to avoid accidents being turned into disaster and probabilistic techniques have been available for some time in a wide range of industries so
that little has been changed at a technical philosophical level by the emphasis put on quantitative
risk assessment within safety cases.
It is this emphasis, however, which disguises a very real imbalance of effect. In a paper on the
problems 'left behind' by Project Teams I attempted to quantify the losses arising from major
disasters and from 'day to day' accidents [1]. I tried to get an estimate of the cost of accidents
with relatively small effects where faulty project design work has contributed, by using
published information on the costs of accidents and other incidents and by analysing court cases
in which I had been involved so that I could obtain a percentage of incidents that had been
affected by design.
Very roughly the figures for annual average costs for a UK platform are shown in Table 1.
UPDATE after Macondo £3 million/platform year
Major accidents                                                                    £1 million/platform year
Accidents/incidents with a contribution from flawed design                         £1.2 million/platform year
Other accidents/incidents due to poor operational management or other causes       £2.5 million/platform year
Losses due to non-compliance with specification                                    Not known, but large
Table 1: Coarse estimates of annual average losses per UK platform [1]
I could not obtain costs for commercial losses caused by failure to produce a design within
specification, but I believe these to be very substantial and that the causes of such losses are
related generically to the design flaws which cause accidents.
Thus, regulations and analyses which over-emphasise 'major' events may be criticised because
they detract attention and funds from approaches which attempt to minimise 'pathogenic' design
flaws as defined by Reason and others [2].
Figure 1 shows in a simplified way where effort can be applied to avoid accidents.
Taking the points of action in turn it is noted that point C is in the region of operation of Safety
Case style risk analysis. This relies on the identification of events and then seeks to engineer
away the escalation to disaster. Where engineering solutions are not judged economically
justified (a topic which is discussed further below), then point B is activated. Point B, in any
event, is clearly in the region where operational safety management and 'safety cultures' operate
to reduce in some way the number of 'events' which occur.
Over the past few years, however, the concept of a safety culture and its linkage to the idea that
workers are in some way 'responsible' for accidents has been criticised. Safety specialists such as Brehmer [3] have pointed out that there is little or no evidence that workers at lower levels in
an organisation consciously and deliberately choose unsafe actions. Their behaviour is very
much controlled by higher level decisions (or lack of decision). The same author has also
suggested that there are very clear and well attested reasons why such higher level decisions will
not give safety a high priority. That also is discussed further below.
[Figure 1 (diagram): initiator 1, initiator 2, ... initiator n form a set of circumstances 'triggered' to an Event; the Event escalates to a Major outcome. Points of action along this progression: A - neglected area of action; B - possible management actions to minimise; C - possible engineering actions to mitigate/control.]
Figure 1: The progression from initiator to disaster
These relatively new ideas on 'human error' have had little impact on safety thinking in the UK
where there is a strong mind set to numeric/technocratic thinking.
Indeed, in the UK, the latest fashion is to place great emphasis on human errors under the
heading of 'violations' with the implicit picture of an individual transgressing some well
developed and defined and sensible rule.
There is still great potential for action at point B, but it is not 'safety culture' which will produce
most effect. That will come from emphasis on the middle and senior management decision
makers.
Point A lies in a very neglected region of safety management. As far as I can judge, around 30%
to 40% of small accidents and incidents are related to initiators which can be removed in detailed
(not conceptual) engineering design. This suggests that there is scope for both cost saving and
safety improvement by concentration on the more detailed aspects of project engineering such as
the establishment of communication channels and information assimilation. There is a need to
concentrate more time and effort at the project stage of offshore system development in order to
save time, money and lives later.
Recognition of this has obviously influenced some thinking in Norway [4] where it is heartening
to find some effort to influence and extend the design processes in a major project.
Unfortunately, in the UK, design is usually seen as the first target of cost cutting exercises and
very significant cuts in the time apportioned for detailed engineering were made long before
CRINE.
The fact that risk analysis concentrates on major losses and ignores the small events which cause
most loss might be acceptable if it was applied to complement other efforts instead of as an
alternative to them and if it performed the function of deflecting major loss adequately. It is not
clear, however, that it does that job well and that is a very serious criticism.
2.2 Lack of rigour in application
An HSE paper by McIntosh and Birkinshaw [5] sorts hazards into 4 groups:
(i) those filtered out by the level of consequential harm,
(ii) those adequately covered by existing codes and standards,
(iii) those which are the 'null' set of items 1 & 2 - that is live and 'important' hazards,
(iv) a residual set which should be covered by standards but for which experience is
missing.
The first filter is an incomplete one. Some events are a priori catastrophic, but most
catastrophes have arisen from small events interacting with other circumstances. Risk analysis
cannot, therefore, hope to identify and neglect as inconsequential any particular set of initiating
events because it cannot know the circumstances in which they might be realised. The underlying assumption is that events are independent of circumstances so that each can be taken
in isolation and the outcomes are predictable - this is false.
A supporter of risk analysis would then point to the broad band filter imposed by codes and
standards to justify an assumption that certain events will not occur within the life of the
structure. This is the regime of quality control and it is built on far from satisfactory
foundations. It is noted in [5] that structural design standards can have up to 10% of their
contents revised in a year - not all of it, by any means, as an enhancement of standards. Indeed,
attempts to increase safety through standards and codes will almost always be resisted by
industry. A system of 'equivalent safety' for reduced cost prevails and it is also never clear
whether a standard represents a minimum or a level of best practice [6].
Reliance cannot be placed, therefore, on codes and standards to filter out the occurrence of low
consequence events.
In fact, risk analysis does not even attempt to consider all possible initiator events. It starts from
the opposite end and selects in a fairly arbitrary way a set of major events which are considered
'live' and of 'high consequence'.
A useful analogy can be made with the 'dependability' assessment of software. Figure 2 is the
classical description or visualisation of software faults. Areas Ai on the input field map through the software onto the output field areas Bi. For example A1 and A2 map through correctly, A3
and A4 do not. A3 is an obvious boundary value where an error might be intuitively suspected.
A4 on the other hand is a state dependent value, scarcely distinguishable from A2, but having
markedly different output characteristics. How does one test for A4?
How also can we be sure that our input set is complete and there is not an A5 lurking outside our
assumed input range and mapping onto an unsafe output B5?
[Figure 2 (diagram): INPUT SETS A1 to A5 mapping onto outputs B1 to B5, with output regions labelled SAFE OUTPUT and UNSAFE OUTPUT and input boundaries labelled ASSUMED and KNOWN.]
Figure 2 Mapping of inputs to outputs for software
Similar visualisations or maps can be produced for any complex system. The analogy with
software is, however, not precise. Software, once written, is fixed for ever: the same input will
map to the same output every time and yet there are still these very real problems with detection
of errors. If there is state dependency in software - which is a fixed and finished tool - then there
is very definite state dependency in the complex socio-technical system which is an offshore
platform.
Table 2 is also derived from work with safety critical software. It is based on a draft British
Standard and describes the ways that the input for tests of safety critical software can be
partitioned [7]. The various techniques are:
Random selection (Table 2) relies on a most accurate and rigorous definition of the
environment within which the system works. Without this it has no validity.
Equivalence partitioning is an attempt to reduce the extent of random selection by grouping events into classes. It adds uncertainty in the classification to a need for rigorous definition of
the environment.
Boundary value selection is often added to equivalence partitioning. It relies on an ability to
relate the magnitude of output to the value of the input. That is, to apply this there must be 'a
priori' knowledge of the input/output relationship to be tested.
Fault guessing is a sort of 'expert system' approach which relies on experience. If enough
experts are used over sufficient time this is equivalent to random selection in the same way
that monkeys can write Shakespeare.
PARTITION TYPE: Random selection
RELIABILITY RELATIONSHIP: weighted to the defined environment
ADVANTAGES: accuracy; credibility
DISADVANTAGES: large number of tests and depends on accurate & complete environment definition

PARTITION TYPE: Equivalence partitioning / boundary value selection
RELIABILITY RELATIONSHIP: model relates equivalence class to reliability performance or consequence
ADVANTAGES: efficiency of sampling and concentration on failure causes
DISADVANTAGES: effort in vigorously demonstrating equivalence and associated risk of assumptions

PARTITION TYPE: Fault guessing
RELIABILITY RELATIONSHIP: model relates 'guesses' to general case and environment
ADVANTAGES: efficiency of concentration on error causes
DISADVANTAGES: risks in assumptions and non completeness

Table 2 Input partitioning for testing of safety critical systems [7]
Before considering where the offshore industry's approach lies in such a scheme it is noted that it is accepted by those engaged in producing and applying safety critical software that there are
clear and presently intransigent difficulties in proving the reliability of even relatively small
pieces of code.
A quote from a document on this subject is of interest [8],
" The two major schools of thought concerning risk analysis and assessment,
qualitative and quantitative, are often at odds with each other. In fact this
represents a confusion between the goal of achieving dependability and that of
measuring what has been achieved. Any claims for efficacy can only be
substantiated scientifically if they can be shown quantitatively to deliver that which they promise.
Safety assessments should ideally be quantitative and empirical evidence about
systems is normally quantified probabilistically via reliability growth modelling
or random testing. However, it is easy to demonstrate that these techniques are not
plausible ways of acquiring confidence that a program is ultra-reliable: the testing
times needed become astronomically large as a result of a law of diminishing
returns and the issue of whether the test inputs are truly representative of those the
system will meet in operational use becomes serious.
There are also problems with a qualitative approach and there is evidence that human judgement even from expert subjects shows fairly consistent bias when
unaided by a formal framework that can check for such errors. Unfortunately,
current practice is perceived to be overly dependent upon this sort of informed
engineering judgement, which includes expert subjective opinion and is often
conducted in a very informal manner. The approach is primarily process and
resource based, implying that having the right people and using the right methods
will enable one to have confidence in the dependability of a system. Unfortunately there is almost no empirical evidence to confirm that specific recommended
techniques can ensure an adequate level of safety. "
Now the offshore industry do not apply random selection from a defined equivalent environment
in their risk analysis quantification. They do not take the necessary care to develop a full
'demand' environment nor do they have any proof that their assumed map of events at the
extreme boundaries of their classes will adequately 'test' the system and identify potential flaws.
In fact, what they are involved in is a system of 'fault guessing' using general past experience and
accepted 'common' knowledge without any proof that they are achieving an adequate level of
safety nor, indeed, any formally complete ways to demonstrate it.
Clearly as a means of rigorously defining and partitioning the 'demand' space offshore risk
analysis does not match up well. How well does it perform at the interface between a realised
event and its consequences?
2.3 The independence assumption
A difficulty arises in the early stages of design when major conceptual decisions are made about
the configuration of the offshore system. At this stage, so far in the UK, it has been specialist
'risk analysts' who have been involved - not a group who can be accused of much offshore
operational experience and it is here that the assumption of the independence of the postulated
events and the real environment in which they occur becomes very critical. There appears to me
to be tremendous potential for these risk analysts not only to ignore situations where major
hazards are generated by a sequence of trivial circumstances, but also to make decisions which
require very costly alteration at later stages in the design as the operating environment becomes
clearer and as operators become more closely involved.
In the second case the potential is very high for the changes to be made in an unstructured and
unsatisfactory way which introduces new 'pathogenic' flaws into the system.
3.0 Inequitable ALARP
The question of changes at a later stage in design or even in operation brings us to the next item
of criticism - that risk analysis and the ALARP principle which in the UK and Europe is
inseparable from it are inequitable and non-absolute. Such criticism should be fatal for a key
area of legislation.
It seems that in the UK, the industry maximum justifiable expenditure to avert one fatality is
settling around the £6M mark: a value that is used irrespective of the time period of risk. This
figure is, however, presented in a number of ways and presentation of cost-benefit calculations in the Safety Cases I have seen so far has caused difficulties, particularly with respect to time.
Let us consider costs first. I am not aware that any standard discounting convention is applied
throughout the UK industry and yet standardisation of all costs to a net present value with
assumptions of time and interest rates made explicit is essential for equitable comparisons to be
made. There will be expenditure which is spread over time and equally there will be expenditure
which is heavily concentrated in time posing different economic problems for different Operators. The essence of an ALARP presentation, however, should be the justifiable cost to
reduce a unit of risk with modifiers attached to that primary information to account for the nature
of the expenditure.
The risk side of the equation is also presented in different ways. If we consider an event which
has a certain probability of occurring in any one year then, obviously, the chance of it happening
in the 20 year life of a big field is higher than for the 5 year life of a small field. The risk per
year for the worker on each production unit is, however, the same. I have seen cost benefit
analyses presented in terms of the likelihood of an event occurring in the life of the platform and
also in terms of reduction of a unit increment of risk per year. The second way is a more
coherent and rational method which allows equality of exposure to risk to be considered.
It is also a fact that changes in operation cost more than changes during construction which
themselves cost much more than changes at the design stage so that if a cost benefit sum is
performed on a finished platform it will show vastly increased expenditure for treatment of the
same annual average level of risk than for a platform in the construction or design stage. One
can quite easily envisage a situation where a problem may be allowed to remain under ALARP
for an existing platform whereas it would most certainly be removed in the design stages - even
during construction - of a new platform. This has been considered to some extent in a recent
paper from the UK HSE/OSD [9].
In the safety case arguments where decisions have been founded upon the length of time the
hazard might exist as opposed to the annual average risk at present, the argument of what is
reasonable expenditure is set against a short period of financial return. This obviously requires
mobilisation of auxiliary arguments concerning the likelihood of the time period being exceeded
and, if such auxiliary arguments are offered and accepted then they cannot be extended. For
example, if additional products were to be brought into a platform, the cost-benefit need for a
previously rejected system, say a sub-sea safety valve, should be considered with the inclusion of
the history of non-protected risk. Auxiliary arguments, in general, must retain their status as one-off exemptions from a naturally occurring outcome.
The point, however, is that the same level of risk is being treated differently depending on the
position of the platform in its life cycle and the length of that life cycle so that no account is
taken of a past period of risk exposure nor is the Operator credited for any efficiency in finding
problems at a stage where the cost of changes allow changes to be made.
It seems that by keeping the same 'price' over different periods of time it is risk which is being
discounted and the result is inequitable both for the workers on different platforms and for the
Operators themselves. If it could be assumed that all organisations were at equal levels in their
control of risk and if a unified price were set for a unit reduction of risk per year then the field
might be level and the game fair.
In principle it is possible for an Operator who is not very good at safety engineering to construct a platform for a short life field and then discover a hazard. The commercial constraints will then
be used to justify reliance on 'management' of the risk through organisational solutions rather
than by removal of the problem. A more concerned and efficient Operator might have spent
money at the design stage to produce an inherently safer platform.
Both sell their oil in the same market so they compete at cost level. The company with the
poorer safety engineering performance is the one which is having to rely on its safety management to ensure safe operation. Something of a 'Catch 22'.
4.0 Reliance on organisational solutions
How acceptable is that reliance on organisational or safety management solutions? Brehmer has
suggested [3] that, in general it is impossible for an organisation to place equal weight on safety
goals and production goals. His arguments are based on Prospect Theory [10] and its twin
characteristics of:
o over-weighting of certainty which places known loss from safety spending against uncertain gains,
o under-weighting of gains compared to losses which is an essentially careful
characteristic of humans and has allowed us to survive as a race.
They are powerful arguments and he concludes that there is a need for legislation and for the
legislator to ensure that the losses from devaluing safety exceed the gains from emphasising
production and arise with equal certainty. A very significant problem because, in work I have
done with Michael Bradley on the measurement of the stability of drilling and other semi-
submersibles we have been able to show [11] that there is no significant correlation between the
Certifying/Classification body and the standard of stability safety achieved. There is, however, a
correlation significant at 95% between the stability results and a characterisation of the
companies on a scale of their attitudes to safety management. In that paper we have remarked
that good companies don't need regulators and poor safety managers don't need them either
because they ignore them.
It is interesting, however, that we have found that neither the good nor the bad companies can
use their self-regulation to maintain the stability of their vessels within acceptable limits without applying regular measurement of the control variables. What are the control variables used in
the offshore industry to measure and manage their performance? They are usually past records of
accidents which are post facto and (in the UK at least) have some dubiety.
In her paper presented at this Conference, Catherine Parry will discuss some results from the
drilling industry which will show some of the difficulties in learning lessons from measurements
of accident rates in one specific area of the offshore industry [12]. She also then discusses the
difficulty of legislating without prescription and her comments amplify the case put in this paper.
She has also prepared a critique of UKOOA's (United Kingdom Offshore Operators'
Association) very flawed presentation of the industry's safety record [13] which has been used
recently by Ronnie MacDonald of OILC to demonstrate that safety in the UK sector is at best
staying more or less at the same level - or perhaps rising,
5.0 Conclusions
At present my work in the field of safety is based on measuring safety performance in the
Scottish whisky industry and in the testing of safety critical software for the marine and offshore
industries.
The management work is founded on my belief that the greatest effect can be achieved by
working with middle managers and supervisors to modify their decision making processes by
providing them with adequate tools to apply safety measures and record their effect. It is only
partly based on my love of whisky.
The work on safety critical software has confirmed my view that the present techniques used in
the offshore industry to demonstrate acceptable levels of risk hide very imprecise assumptions
behind a cloak of technology. As a subsea engineer I can perform probabilistic reliability
calculations reasonably well, but I know their limitations. I particularly know the problems in
assuming independence of events. I do not know, and nobody else does, the limitations of the
arguments on which approval is given to produce oil.
We should not stop performing such work - it is very valuable. We must, however, correct an
over-emphasis on risk studies as opposed to ensuring that detail design is performed properly.
More emphasis is needed on the project stages of offshore design and construction - considerable
economic loss is built into offshore systems at this stage.
The biggest problem that the UK regulators have is applying the necessary cost pressures to
ensure that safety goals are given weighting against commercial goals without appearing to be
'prescriptive' even though they must be. Parry's work on drilling emphasises this dichotomy
[12].
With regard to cost-benefit sums and ALARP, we are still, at present, locked in the 'Who
benefits? ....Who pays?' argument because unequal exposure of workers to risk is set against the
profitability of the company. When the benefit to the burglar equals the loss to the householder
then the cost-benefit sum is in balance!
ALARP must be regularised so that there is equality of exposure to risk for the workforce rather
than an accountant's equivalence of discounted cost. It is unfair to everyone that a poor company can gain from their poor performance and it is a harsh irony that the worst companies will rely
most on their operational safety management.
References
1 MacFarlane, C J 'Maximising Safety Through Better Project Management: Understanding
the problems that Projects leave behind'; presented at an IIR Conference, Aberdeen 1993.
2 Reason J, 'Risk management and resident pathogens'; World Bank workshop on safety
control and risk management, Washington DC, 1988
3 Brehmer, B; 'Cognitive aspects of safety'; contained in Reliability and safety in hazardous
work systems, edited Wilpert & Qvale, published L Erlbaum, 1993.
4 Qvale, T; 'Design for safety and productivity in large scale industrial projects: the case of
the Norwegian offshore oil development'; contained in Reliability and safety in hazardous
work systems, edited Wilpert & Qvale, published L Erlbaum, 1993.
5 McIntosh A R & Birkinshaw M; 'The Offshore Safety Case: Structural Considerations' ;
Int. Conference on 'Structural Design against Accidental Loads'; London, Sept 1992.
6 Birkinshaw M, Kam J C P & McIntosh A R; 'The applications of risk and reliability
management to offshore structural integrity assessment'; presented at the Engineering
integrity assessment conference in Glasgow, 1994.
7 British Standard draft for public comment 94/408553 'Draft BS guide to test methods for
dependability assessment of software'.
8 'A framework for developing Credible Evidence for a Safety Case based on Testing'; a
document produced within the CONTESSE project on the testing of safety critical
software. Doc. No. 1ED4/1/9021, 1994. Although this document is confidential to the CONTESSE partners this full quotation is relevant and can be treated as authoritative.
9 Birkinshaw M; 'Some experiences with harmonisation' source not known.
10 Kahneman D & Tversky A; 'Prospect theory; an analysis of decision under risk';
Econometrica, 47, 263-291.
11 Bradley, M S & MacFarlane C J; 'Some lessons to be learned from the stability control of
semi-submersibles'; paper to be presented at the Institute of marine engineers, London,
1995.
12 Parry C H & MacFarlane C J; ' ' paper presented at this conference
13 Parry C H; MSc thesis, University of Strathclyde, 1994