Documente Academic
Documente Profesional
Documente Cultură
Abstract – Risk management is a critical part of every Likelihood, Consequence Severity. A low risk
industrial activity. In recent years, due to the involves a very unlikely cause with a low severity
complexity, importance and potential impacts of consequence. A very likely cause with a high severity
industrial processes, risk analysis has taken advantage consequence would produce a high risk value.
of increasing computational availability to deliver tools Different cause likelihoods/consequence severities
at every level of the risk management spectrum. Bow-tie would produce intermediate risk values. During risk
models, so called because of their generalized shape, are analysis the high risk scenarios must be identified and
used at various levels in the risk analysis process, solutions to prevent such scenarios must be found.
fundamentally because their presentation aggregates
complex, real-world scenarios in consistent, reducible
and communicable ways. As a result, vendors have Cause 1 Consequence 1
sought to map additional capabilities onto the Bow-tie Critical
extending their applicability into qualitative, semi- Cause 2 Event
quantitative, and quantitative risk assessment Consequence 2
modalities. In this paper we present a generalized Cause 3
computational framework for risk analysis using Bow-
tie models that simultaneously perform all such
analytical modes. Figure 1. The bow-tie model overview
Cause 1 Prevent 1.1 Prevent 1.2 Mitigate 1.1 Mitigate 1.2 Conseq 1
Escalation
Factor 1.1 Mitigate 2.1 Mitigate 2.2 Conseq 2
Critical
Even
Cause 2 Prevent 2.1
Mitigate 3.1 Mitigate 3.2 Conseq 3
For the diagram in Figure 2 with the notations as In this section we briefly describe how the
described above, the effective likelihood EL1 of computation model illustrated in Figure 2 and
Cause 1 towards producing the Critical Event is: described by equations similar to (1) and (2) can be
implemented in practice in a flexible and extensible
way.
L1*e11*p11*p12 (1)
A. Using XPath/XQuery for path-navigation of trees
Similarly, the effective severity ES1 of XQuery [8] is the de facto query language for
Consequence 1 is: searching Document Object Model (DOM) trees [11]
built from XML data. Since DOM trees can be
S1*m11*m12 (2) virtually built out of any hierarchical data, XQuery can
be used for searching trees, in general. At the core of
Based on effective likelihoods and severities, the the language there is a tree-navigation language
risk is evaluated according to specific risk-analysis (XPath), which traverses and selects sets of tree nodes
engineering rules using a classical logic and/or their attributes.
implication: “If the cause likelihood is L and the A path query for navigating the tree consists of a
consequence severity is S, then the risk category is sequence of /-separated steps and has the following
R”. Depending on the process being analyzed, the syntax:
results of the above logic implication are typically
defined using a 3x3, 5x5 [9], 7x4 [10], or 7x5 [3] Query := /step1/step2/…./stepn
chart (called risk matrix) as shown in Figure 3. The A step consists of a standard tree nodes
risk matrix in the example is clearly not universal, relationship (child, parent, descendant, ancestor,
as each process may have different approaches for sibling, etc), followed by a node name and possibly by
estimating the risk. Moreover, the estimated a filtering condition enclosed in brackets:
likelihood and severity used for risk analysis may
vary between maximum likelihood/severity among step := nodes-relationship::node-name[filter]
all causes/consequences or the averages of these For the purpose of discussion here, we will only
values. consider the simplified version of a step in a path
query:
step := node-name or step := @aname
10-1 TNA NA NA NA NA
where @aname refers to a special leaf node in a DOM
10-2 TNA TNA NA NA NA tree, called attribute.
10-3 TA TNA TNA NA NA
R
Likelihood
-4
10 TA TA TNA TNA NA
1 2 3 4 5 C
C
Severity
Figure 4. A DOM tree example
Figure 3. An example of a risk matrix (A = acceptable;
TA = tolerable-acceptable; TNA = tolerable-non-
acceptable; NA = non-acceptable) Figure 4 shows a DOM tree example where R (the
It is the risk analyst who decides which method(s) root), A, B, and C are node names; @a and @b are
of computation to be used and the computational attributes of the nodes they are connected to.
framework/tool should provide means to A path query like /R/A/B will produce a set of two
accommodate such methods. On top of these nodes (both nodes named “B” from the left hand side
challenges, a computational framework/tool should be of the tree). A path query like /R/B/@a will return a
easily extensible. Naturally, a change of the risk single node, namely the attribute node @a of the node
analysis model in Figure 2 may produce changes in B on the right hand side of the tree. The main purpose
formulas (1) or (2). These changes should be of the path query part of XQuery is to select nodes of
Y-46 Ionut Emil Iacob and Alex Apostolou
the tree. The individual nodes or set of nodes can then likelihood() (lines 1 – 8). This recursive function goes
be manipulated by the language using standard deep on a path to a cause C and multiplies along the
programming concepts: variable assignments, loops, way all reductions of P nodes (and E nodes, if any),
conditional statements, and functions. It is not the and eventually computes the effective likelihood
purpose of this paper to give a full description of the produced by the cause at the bottom of the path. The
language, for which the user is directed to the query eventually returns a sequence of effective
language reference [10]. Next, we will illustrate and likelihoods (one effective likelihood per each cause in
explain a more complex. the diagram), where each effective likelihood for
cause i is eventually computed as:
B. Using XQuery in a bow-tie model
ELi = Li * Πκ=1..ν pik
A typical bowtie diagram (as given in Figure 2) is where ELi is the effective likelihood produce by cause
a directed graph. However, as illustrated in Figure 2, i; Li is the likelihood of cause i; pik are the reduction
the bowtie diagram can be decomposed in a “fault factors of all Prevent nodes (from 1 to n) on the path
tree” and an “event tree”. Each one of these parts can to cause i. The major benefit of this query is the fact
be easily modelled as DOM trees, on which XQuery that a change in the structure (adding/removing
searches can be perform. We illustrate the DOM
Prevent or Cause nodes; changes of likelihood and/or
representation of the fault tree (left hand side of the
reduction factors) would not require adjusting any
diagram) in Figure 5, but the representation of the
event tree is very similar. computation formulas, hence extensibility is
achieved.
CE V. CONCLUSIONS
In this paper we present the bowtie model for risk
P P
analysis and we introduce a general framework for
p quantitative risk assessment in bowtie models using
p
P XQuery. The method allows the risk analyst focus
p p P primary on adjusting the model and its parameters in
P
order to better fit the process, rather than permanently
p adjusting computational formulas required by model
E changes. XQuery is the de facto query standard for
tree data structures and can be naturally used for
C e C L C L processing the Fault Tree and Event Tree components
L of a bowtie model (see Figure 2).
Figure 5. The Fault Tree of a bowtie diagram: CE is the Central
Event node; Ps are the Prevent nodes (with @p attributes holding the REFERENCES
reduction factor values); E is the Escalation Factor node (with @e
the corresponding attribute holding the reduction factor value); Cs [1] Aurélie Léger, Carole Duval, Philippe Weber, Eric Levrat,
are the Cause nodes (with @L being the corresponding likelihoods Régis Farret. Bayesian Network Modelling the risk analysis
stored as attribute nodes). of complex socio technical systems. Workshop on Advanced
Control and Diagnosis, ACD'2006, Nov 2006, Nancy, France.
With the power of XQuery over the Fault and Event [2] Ioannis A. Papazoglou, Ben J.M. Ale, A logical model for
Trees, one can successfully represent many models of quantification of occupational risk, Reliability Engineering &
computation for the effective likelihood or severity the System Safety, Volume 92, Issue 6, June 2007, p 785-803.
Central Event is receiving. Regardless of how the [3] Adam S. Markowski, M. Sam Mannan, Fuzzy risk matrix,
likelihood for producing the central event is computed Journal of Hazardous Materials, Volume 159, Issue 1, 15
(as an average of all cause likelihoods, or as maximum November 2008, Pages 152-157, ISSN 0304-3894.
likelihood among all cause), one needs to compute the [4] B. Tchórzewska-Cieślak, K. Boryczko, I. Piegdoń,
Possibilistic risk analysis of failure in water supply network,
effective likelihoods (after applying preventative Safety and Reliability: Methodology and Applications -
reductions) on each path from the central node CE Proceedings of the European Safety and Reliability
down to each cause C. These likelihoods can be easily Conference, ESREL 2014, Pages 1473-1480.
computed using the following query, for instance: [5] Peter C. Wierenga, Loraine Lie-A-Huen, Sophia E. de Rooij,
Niek S. Klazinga, Henk-Jan Guchelaar, Susanne M.
(1) declare function likelihood($node) { Smorenburg, Application of the Bow-Tie Model in
(2) if ($node/P/E) then Medication Safety Risk Analysis, Drug Safety, 2009, Volume
(3) return $node/P/@p * $node/P/E/@e * likelihood($node/P) 32, Issue 8, pp 663-673.
(4) else if ($node/P)
[6] Meercat RiskView, http://www.meercat.com.au/
(5) return $node/P/@p * likelihood($node/P)
(6) else if ($node/C) return $node/C/@L [7] BowTieXP, http://www.bowtiexp.com.au/
(7) else return 1 [8] XQuery 1.0: An XML Query Language (Second Edition),
(8) }; W3C, http://www.w3.org/TR/xquery/
(9) for $ll in /CE/P [9] B. Ruge, Risk Matrix as Tool for Risk Assessment in the
(10) return $ll/@p * likelihood($ll) Chemical Process Industries, ESREL 2004, paper 0192.
[10] O. Salvi, B. Debray, A global view on ARAMIS, a risk
The main part of the query is in lines 9 – 10: the assessment methodology for industries in the framework of
immediate P child nodes from the central event node the SEVESO II directive, J. Hazard. Mater. 130 (2006) 187–
199.
CE are retrieved. For each P node, the reduction value
[11] Document Object Model (DOM), http://www.w3.org/DOM/.
is multiplied with the result of the recursive function