3

Inaugural Lecture

Safety and risk: models and reality

J Wolfram, BSc, PhD, CEng, FRINA
Total Oil Marine Professor of Offshore Research and Development
Department of Civil and Offshore Engineering, Heriot-Watt University, Edinburgh

This paper provides a summary of how engineering safety practices have been built up over many centuries by hard-won experience
through trial and error. Because engineers design new structures there was no way of deciding whether a structure was safe so methods
had to be devised to increase the factor of safety. Today models are used to test for safety and a Code of Practice has been established
to set standards. Reliability theory and risk assessment are used to estimate failure rates and prescriptive and goal-setting regulations
have been introduced to reduce the risk ofaccidents. The paper also discusses how the public perceive risk and how training can be
given to reduce accidents and improve safety and reliability.

1 INTRODUCTION taking up a struggle with the forces of nature without the

Safety offshore has received considerable attention from
the media and the public at large since the Piper Alpha
disaster in 1988. The recovery of oil and gas from
beneath the North Sea requires innovative multi-
disciplinary engineering and involves a wide range of
new and evolving technologies. It is very much at the
frontiers of engineering knowledge, and ensuring safety
is a demanding task. In what follows I will be looking at
safety both generally and with reference to North Sea
activities.
Safety is a curious thing: we are all aware if it, but
have markedly different views of what it means, depend-
ing on the circumstances and our own perspective.
What do we mean by ‘safe’ and ‘safety’? A similar sort
of question was asked, but about games, of the modern
philosopher Ludwig Wittgenstein. After months of deep
thought and reflection Wittgenstein pronounced ‘the
common property of all games is that they are called
games’.
I am not a philosopher, I am an engineer and I will
be giving you an engineer’s view and a personal view of
safety. Like many engineers I will start by looking back-
wards. I will not reminisce on past glories but catalogue
some of the failures that have punctuated the develop-
ment of engineering.
However, before I start I wish to distinguish between
science and engineering, so that the blame for these fail-
ures is not miscast. The well-known twentieth century
engineer Von Karman made the distinction most suc-
cinctly when he said, ‘Scientists discover what is: engi-
neers create what never has been.’
assurance of emerging as the victor after the first attack.
Well before Navier’s day, engineers learned that if they
did not get it right first time the penalty could be severe.
Xerxes, the King of Persia in the fifth century B.c.,
ordered the engineers to be beheaded when a storm
destroyed a bridge at Hellespont needed for the army to
cross to the west. Needless to say, the next bridge was
heavily overdesigned and proved to be safe.
Of course, engineering has advanced a great deal. In
the early years engineering progressed slowly and engi-
neers passed on their hard-won experience from gener-
ation to generation. Construction practices were
established for buildings, bridges, ships and other arte-
facts. Even when the workmanship was good and the
materials selected with care, failures could still occur.
The principal materials, stone and timber, both showed
considerable variability in strength, which could not be
anticipated even with careful inspection. The problem
still exists today and Fig. 1 shows the variation in
strength of 1373 Sitka spruce specimens with no visible
defects (1).
It was in ships where the greatest rate of loss
occurred. Of course ships can capsize, leak and sink,
I Sitka

2 LEARNING FROM FAILURES

G I
Whenever something new is created there is always a
risk that it might fail to perform its intended function.
Engineering has evolved through a history of trial and
error, its experimental nature being expressed by the
great French engineer Navier (1785-1 836): --
To undertake a great work, and especially a work of a 0 4000 6doo
novel type, means carrying out an experiment. It means Strength
Ib/in2
This paper was presented at Q I I inaugural
lecture held at Heriot- Watt University
in Edinburgh on 30 October 1991. The M S WQS received on 16 December 1991 and Fig. 1 Variation in strength of unseasoned Sitka spruce.
WQS accepted for publication on 9 September 1992. [From Pugsley (l)]
E02291 OlMechE 1993 0954-4089/93 $3.00 + .05 Proc Instn Mech Engrs Vol 207

Downloaded from pie.sagepub.com at RMIT UNIVERSITY on July 28, 2015

4 J WOLFRAM
catch fire, as well as break up either at sea or on rocks.
By the sixth century (A.D.) the risks associated with ship-
ping were well recognized by the Phoenicians, mer-
chants who traded in the central Mediterranean. They
sought to insure their vessels against loss and this led to
a flourishing insurance market.
It was to the glory of God to which many engineers
next devoted their efforts-in the construction of great
cathedrals. Cathedrals continuously pushed at the fron-
tiers of engineering knowledge and building technology,
with each new one attempting to be more splendid than
the previous one. This led to many collapses; for
example at Beauvais in the thirteenth century the tower
fell once and the roof twice during construction.
In more recent centuries it has been commercial
rather than religious fervour that has driven engineers
closer to the edge of failure. The relationship between
increasing cost and increasing safety was well recog-
nized and engineers would always wish to ensure safety
both to protect their reputations and out of a sense of
duty. However, the need to keep costs down to a
minimum and make a profit was also well recognized as
an essential element of business survival. The dilemma
which the engineer faced is illustrated in Fig. 2.
In some cases the engineer could turn to successful
past practice for guidance, but when the design was
novel, the scale of the enterprise different or the
materials new engineers would have to rely entirely on
their own judgement. They might make a few simple ad
hoc model tests but until less than three hundred years
ago they would have no theory or theoretical models to
guide them and would be unaware of the results of any
systematic scientific experiment.
By the seventeenth century systematic investigations
had been made by Leonard0 Da Vinci into the strength
of iron wires and Galileo had undertaken experiments
into the strength of beams. Towards the end of that
century Hooke made the first tentative steps in the
theory of the strength of materials. This theory gathered
momentum in the eighteenth century, notably in France
where the military academy and Grand Ecoles were a
great focus for developments in mechanical science. A
little of this new knowledge and understanding was
being applied in engineering but standards in design,
construction and maintenance still varied greatly.
d
.
u with a similar beam showed 20 tonnes was needed to
Ethical pressure
-
I
> ‘factors of ignorance’.
Strength and safety
Increasing risk of failure
Fig. 2 Cost versus strength and safety: the engineer’s
dilemma
Part E: Journal of Process Mechanical Engineering
Downloaded from pie.sagepub.com at RMIT UNIVERSITY on July 28, 2015
In 1760, the first ship classification society evolved
from Lloyd’s coffee house in London (2). Lloyd’s Regis-
ter of Shipping, as it became known, employed a group
of surveyors who regularly inspected ships and classified
them according to their quality and soundness. Lloyd’s
Underwriters, a separate organization but emanating
originally from the same coffee house, would use these
classifications when deciding whether or not to accept a
risk. Soon Lloyd’s Register of Shipping was to be found
supervising the construction of new ships and setting
standards for naval architects, marine engineers and
shipbuilders. They provided the first systematic and
independent checks in engineering and ‘A1 at Lloyd’s’
has been an expression of quality ever since.
The end of the eighteenth century saw the increased
use of iron as a structural material and in 1779 the
world’s first iron bridge was built over the River Severn.
This was successful but a number of iron bridges failed
due to lack of strength before this new material and the
variability in its quality was thoroughly understood.
Indeed, some of the early iron probably had greater
variability in strength than good timber. However, the
routine measuring of the strength of materials grew and
more reliable iron was developed.
In iron, the engineer finally had a material that would
allow the construction of efficient steam powered
machinery and the start of the nineteenth century saw
the rapid growth of the machinery industry and the
development of mechanical engineering. The harnessing
of steam power provided the potential for high energy
explosions for the first time outside the military sphere.
This potential was frequently realized and nowhere
more than on American steamboats plying for trade on
the great rivers of the Midwest. In this competitive
trade, speed was of the essence and safety valves were
disabled to keep up steam pressure. Between 1816 and
1848 there were 233 explosions, killing 2563 people.
One explosion in Cincinnati in 1838 on the Moselle
killed 151 people and there were demands that the Gov-
ernment do something about it.
In France, where engineering science had advanced
most rapidly, they already had. Boiler safety standards
based on sound scientific and engineering principles
were introduced by the state between 1823 and 1830. It
was not until 1852 that Congress finally introduced
regulations for boilers in America.
In the nineteenth century, considerable attention was
focused on the forces or loads acting on structures and
produced in machines, and the use of safety factors
became more widespread. A safety factor is the ratio of
the force required to break something to the maximum
force it is likely to experience during its operational life.
For example, if the maximum force or weight on a
beam is likely to be, say 10 tonnes and an experiment
cause collapse then the factor of safety would be 2. This
is illustrated in Fig. 3.
When there was uncertainty or doubt about the
strength of a structure or the loads to which it would be
subjected then the cautious engineer would increase the
factor of safety. Indeed, they are often referred to as
A regulation or standard specifying a factor safety
helped the engineer address the problem of how safe to
make things. However, almost invariably an attempt
OIMechE 1993
 SAFETY A N D RISK: MODELS AND REALITY
Safety factor = C/D
IJ Y By the beginning of this century the internal com-
0 Force (load)
Fig. 3 The factor of safety concept
would be made to provide just the regulation factor of
safety and no more. The objective often became more a
matter of satisfying the regulations than thinking funda-
mentally about the safety of a design. Figure 2 is modi-
fied and shown as Fig. 4 to reflect this development.
An important practical check of structural safety
introduced in the nineteenth century was the ‘proof
load’ in which a beam or boiler, for example, was delib-
erately overloaded by anywhere up to 50 per cent
before being introduced into service. This provides not
only a check on the design calculations but also on the
quality of construction. Proof tests are still used today
and can lead to spectacular explosions of boilers that
have some significant flaw.
One of the greatest contributions to safety came in
the mid-nineteenth century with the gradual replace-
ment of iron by steel. When iron breaks it gives no fore-
warning like timber which creaks and bends excessively
before snapping. Iron fractures in a brittle and often
catastrophic manner, particularly under impact load.
Steel, on the other hand, is ductile and bends out of
shape on overload, which gives some warning of an
impending collapse and an added margin of safety.
However, it is still susceptible to another, difficult to
predict, mode of failure: fatigue. Fatigue is the slow,
incremented growth of cracks in materials subject to a
fluctuating load. It is the source of the majority of
mechanical failures even today and can be readily
demonstrated by bending a steel paper clip, or wire coat
t
Limit imposed by
Fdactor of safetv I struction errors.
i Region of most design activitj
Strength and reliability
Fig. 4 Designing down to a factor of safety
@ IMechE 1993
Downloaded from pie.sagepub.com at RMIT UNIVERSITY on July 28, 2015
5
hanger, backwards and fowards until it breaks. The
term fatigue was probably introduced by the French-
man, Poncelet, and it is not difficult to see its origin.
Fatigue presented a major problem for engineers who
had to estimate the lifetime of anything they designed
which was subject to a fluctuating load. Estimating how
long something will last before a fatigue failure occurs is
still a major problem and fatigue experiments, which
started in 1877, still continue today.
bustion engine and oil, gas and chemical industries had
emerged. On the transport side there were huge steam
ships, motor cars and later aeroplanes. Clearly the
scope for accidents and engineering failures was greatly
increased. However, engineering science and good
engineering practice was being disseminated widely
from institutions such as the Watt College, one of the
forerunners of this university, and codes of practice and
standards existed for many areas of engineering activity.
It is perhaps from the early part of this century that
we begin to see the gradual bifurcation of engineering
and scientific knowledge. The rapid and widespread
developments in engineering theory and practice have
also led to the more pronounced separation of engineer-
ing into the different sub-disciplines of mechanical, civil,
electrical, chemical, maritime, aeronautical and quite
recently offshore engineering-to name but a few. What
these various branches of engineering produce is so
diverse that one engineer could not be expected to
operate effectively in more than one or two areas, unlike
their nineteenth century counterparts who could turn
their hands to designing any engineering artefact.
However, the pressure on the engineer to produce
safe but economic structures has not reduced over the
centuries. Striving for a healthy safety margin can also
bring the engineer problems. The pressures to be both
simultaneously safe and economic exist under any poli-
tical system and not surprisingly failures still occur,
even when engineers use codes of practice.
Blockley (3) had listed some of the reasons for struc-
tural failure as:
(a) overload,
(b) understrength,
(c) movement, such as foundation settlement, etc.,
(d) deterioration, such as fatigue, corrosion, erosion,
etc.,
(e) random hazards, such as fire, floods, explosions, etc.,
(f) human-based errors, such as design errors or con-
I would add operator errors to the end of this list. In
some respects almost all types of failure could be said to
have a human cause inasmuch as they stem from our
failure to anticipate eventualities and predict how both
the natural and man-made worlds behave. Engineers,
however, have usually learned from their failures and
frequently significant improvements in engineering
practice have occurred as a direct result of failures.
Wide publicity and quick action may sometimes
prevent other, similar failures. Such was the case with
the Tacoma Narrows bridge which collapsed dramat-
ically in 1940. The collapse was filmed and the film seen
by many engineers. This together with an elegantly
simple analysis by Von Karman of why this failure
occurred encouraged the modification of other similar
Proc Instn Mech Engrs Vol 207
6 J WOLFRAM
bridges. They were substantially stiffened to prevent any
occurrence of the large amplitude torsion vibrations
that caused the Tacoma Narrows bridge to fail. Inter-
estingly, before its failure the flexible behaviour of this
bridge had prompted some academic engineers to make
a wind-tunnel model. This was being tested at the time
of the failure.
2.1 Engineering, science and models
The practice of engineering revolves around the use of
models. Models are used to predict how a proposed
design will behave when built-whether it will meet its
design specification or fail. Only when the models
predict that the proposed design will be successful will it
be built. A measure of the quality of an engineering
model is how accurately it predicts what actually
happens. Traditionally there have been two principal
types of models: physical or experimental, simple exam-
ples of which would include train sets and model boats,
and theoretical, a well-known example of which is Ein-
stein’s scientific model relating energy ( E ) , mass (m)and
the speed of light (c&E = mc’. In recent years a third
modelling approach has blossomed: numerically based
computer simulation models, lay examples of which
include the ubiquitous video games beloved of many
children (and not so few adults). Sometimes constructs
are made using all three types and very frequently there
are inputs from one kind of modelling into another.
Indeed, the philosophy of science, certainly as
expounded by Kuhn and Popper, sees experiments
proving or disproving a theoretical model or hypothesis
as the way science progresses.
Engineering draws heavily on the theoretical models
of science, Newton’s laws of mechanics being perhaps
the most frequently utilized. However, there are many
areas of interest to engineers to which scientists have
given scant attention in their headlong rush to the fron-
tiers of scientific knowledge and discovery. Now engi-
neers frequently view the modelling process very
differently from scientists. They are less concerned with
comprehensive models that can explain a broad range
of different but linked phenomena and much more con-
cerned with explaining (to a sufficient accuracy) part of
a particular phenomenon or process that is central to
something they are about to design and make. The
majority of models produced by engineers come either
from experiments with physical models or prototypes,
observations on the real world or from computer-based
simulations.
Being engineers their approach to model making is
not always scientific, as illustrated by the contrasting
two approaches below. The first is that of Professor
Kalman whose approach to designing digital filters has
had a huge impact on the design of control systems. He
stated that if the data describing a system is complete
and exact then there exists a unique model to describe
the system. This is known as the Uniqueness Principle.
The second approach, which is more common, deals
with the following situations. The data derived from
experiments are neither complete nor exceptionally
accurate. They are analysed by a particular engineer (or
group of engineers), often academics, who frequently
perceive the need to make a name for themselves and
who decide to fit a new empirical model (usually some
Part E: Journal of Process Mechanical Engineering
Downloaded from pie.sagepub.com at RMIT UNIVERSITY on July 28, 2015
form of equation) to the data. This is almost invariably
claimed to be a better model than a previous one
derived from a similar set of data. I will call this the
Frank Sinatra Approach (‘I did it my way’) and offer
the following example as an illustration.
When designing the joints of tubular members in off-
shore structures the possibility of fatigue cracking due
to the cyclic action of wave forces must be considered.
At the joint there is a concentration of stress (known as
the hot spot stress) due to the abrupt angle at which the
tubulars meet. To estimate this local increase in stress
the designer uses a stress concentration factor, which
measures how many times greater the hot spot stress is
than the average stress in the tubular. To find the stress
concentration factor the research engineer can use a
physical scale model which may be made from acrylic
plastic tube or steel tube. Alternatively, the engineer
may produce a theoretical model which will involve
using a computer and the so-called finite element
method for the associated calculations. Figure 5 shows
stress concentration factors estimated for a simple
T-joint bending using three different models: one
experimental and two theoretical (4).
Clearly the predictions from these models are very
different. If we take a joint where the two tubes have the
same diameter and predict how long the joint will last
before breaking we get very different answers. If the esti-
mated life using Gibstein’s formula is 30 years then
using Smedley’s formula it is just 4.6 years. While the
difference in these predictions is large it is by no means
untypical for certain aspects of engineering. The
problem of course is we do not know which prediction
is correct or whether the fatigue life is going to be some-
what smaller or larger than either prediction.
Unfortunately, the engineer cannot wait until the
matter is resolved definitively before designing an off-
shore structure. Indeed, with hundreds of tubular struc-
tures already in the North Sea the problem of
accurately predicting the fatigue life of joints still
remains. To obtain guidance, the offshore engineer will
6-
5-
.8.
0
c
..z 4-
.Ec.
I
3 3-
VI
.2.
L?
8 2-
2
m
I-
01 I I I I 1 I
0 0.2 0.4 0.6 0.8 I .o 1.2
Brace-leg diameter ratio
Fig. 5 Estimates from various models for the stress concen-
tration factor at a tubular T’Joint. [From UEG (4)]
@IMechE 1993
 SAFETY AND RISK: MODELS AND REALITY
turn to a code of practice or standard. This will tell the
engineer which models to use and in what way, to
ensure that the structure would not be threatened by
the cracking of one joint, that the estimated fatigue life
must well exceed the life required of the platform and
that all critical joints should be regularly inspected and,
if necessary, repaired.
The question arises, How does one establish a Code
of Practice? This is done by gathering a group of
experts from around the country, or increasingly from
Europe for EC Codes of Practice or regulations, and
charging them with producing a written document.
These experts review the models and the data on which
they are based. They also examine the risks involved in
any possible failure, both to human life and property.
The greater the potential loss the higher the factor of
safety; thus, for example, lift cables will have much
higher factors of safety than, say, carrier bags. The
factor of safety will also be increased when the model-
ling is poor or subject to great uncertainty.
2.2 Reliability theory and risk assessment
Recently code makers have started to use two newer
techniques, reliability theory and quantitative risk
assessments (QRA) in establishing their Codes. Reliabil-
ity theory is used to predict how reliable a system or
structure is and also the probability or likelihood that it
will fail. The theory has been developed over the last 50
years and is now used widely in all branches of engin-
eering. To illustrate the underlying concept consider a
trivial example.
Students visiting a beer festival are told they can take
out as many free bottles of beer as they can carry in one
carrier bag. The number of bottles chosen by each
student will vary. There will also be some variation in
the strength of the carrier bags. This is illustrated in Fig.
6. If the student trying to carry out the largest number
of bottles happens to pick one of the two weakest
carrier bags then that bag will fail. The probability of
this happening can be calculated by the theory. A high
probability can be accepted when just beer is spilt, but
an extremely low failure rate, indeed as close to zero as
practicable, is required for a lift cable where failure may
put human life at risk.
4
-I Strength of carrier bag
8 I--)
i J
2 .$
I 1 First cost + maintenance costs. etc.
O
0 1 2 3 4 5 6
h
7 8 9 1 0 1
Weight of bottledstrength of carrier bags
Fig. 6 Illustration of the reliability theory approach
0 IMechE 1993
Downloaded from pie.sagepub.com at RMIT UNIVERSITY on July 28, 2015
7
Failure rates can be established for items such as light
bulbs, valves and other small components. The varia-
tion in strength of materials can similarly be established
by testing. All large structures and systems are built up
from basic components. If the reliability of the basic
components is known then the reliability of the whole
structure or system can be predicted.
The great advantage of reliability theory is that it
admits the possibility of failure and estimates the likeli-
hood, whereas the older safety factor approach does
not. True, if a safety factor is increased we know that a
failure is less likely but we have no idea how much less
likely.
The second technique, quantitative risk assessment,
looks not only at failure rates but also at the conse-
quences of a failure. In this way a risk cost can be
obtained where:
risk cost = probability of failure
x consequences of failure
This kind of approach has been used for many years by
the insurance industry actuaries when calculating prem-
iums for both property insurance and life assurances. It
does require attaching a cost to the loss of a human life.
Indeed, such calculations date back to the seventeenth
century when Sir William Petty estimated the loss to
England '. . . from the plague, by the slaughter of men in
war, and by sending them abroad in the service of
foreign princes'.
The total cost of an engineering project is the first
cost plus the risk cost, plus the cost of maintenance,
repair, etc. By plotting the total cost for similar designs
of increasing reliability we produce Fig. 7. This shows
that designs of low reliability are not worth while
because the risk cost is so high. Indeed, there appears to
be an economically optimum level of reliability and
safety. However, this is misleading. Models are used to
predict the reliability and probability of failure. Of
course, models do not reflect reality precisely and the
extent of the error involved is uncertain. Figure 8 rep-
resents the situation when this uncertainty is included.
In the face of this uncertainty there is a tendency to
be conservative and move towards higher predicted
levels of reliability. This is the same as selecting larger
/
\ Apparent economically optimum
1
2 f---
Increasing risk of failure
Strength. safety
and reliability
Fig. 7 Total cost versus reliability: a simple model
Proc Instn Mech Engrs Vol 207
8 J WOLFRAM
2
Where is the economically
optimum reliability level?
+----
Increa\ing risk of failure
Strength. d c t y
and reliabiliry
r
Fig. 8 Total cost versus reliability, with uncertainty (and
realism) added
safety factors when there is ignorance about how a
structure or system will behave. The penalty for this
ignorance is a substantial increase in first cost and
weight. This is very significant for weight-sensitive
structures like oil rigs and, in particular, aeroplanes. To
increase strength, weight increases. To keep it in the air
the aeroplane’s engines must be bigger and more fuel
must be carried. This increases weight, and before long
this vicious cycle cuts down the number of passengers
that can be carried so much that the whole project
becomes uneconomic.
There is therefore a strong desire to develop good
models that reflect reality as closely as possible. The
models do not need to explain wide-ranging pheno-
mena, just the areas relevant to the design. The fact that
engineering models should be most precise close to the
region where failures may occur is frequently
overlooked-by engineers and others who develop
models !
2.3 Prescriptive and goal-setting regulations
It is not a difficult matter to produce codes of practice
or standards for the design and construction of bicycles
or domestic heating systems. The range of feasible
designs is limited, as are the circumstances under which
each will reasonably be operated.
In other cases, however, the variety of designs is
much wider, as are the operating conditions, and the
technology involved is developing rapidly. A good
example is the offshore oil and gas industry. There is a
substantial and continuous programme of research and
development so the design, construction and operation
of one offshore installation may be very different from
the previous one. In these cases prescriptive regulations
stating that the designer should make such an item so
big or so strong may be totally inappropriate if the item
has been designed out of the system or could be
replaced by a newer and better item to which the regu-
lations do not refer.
In some cases simple compliance with regulations can
encourage the designer to avoid making sensible safety
arrangements. For example, the Titanic was equipped
with the regulation number of lifeboats: only enough to
Part E: Journal of Process Mechanical Engineering
Downloaded from pie.sagepub.com at RMIT UNIVERSITY on July 28, 2015
carry half the people on board at the time when it sank.
A regulation which clearly stated something like ‘the
ship operators must demonstrate that they have policies
and arrangements to deal with all foreseeable emer-
gencies’ may actually have led to more lifeboats being
carried and better training for their use. This is an
example of a goal-setting type of regulation.
After the explosion and fire at the Flixborough
chemical plant in 1974, the first steps were taken
towards the introduction of goal-setting regulations
which put the onus on the plant operators to demon-
strate the safety of their activities. The introduction of
the Control of Industrial Major Accident Hazards
Regulations (CIMAH) in 1984 in the United Kingdom
required the production of a Safety Case for all major
plants (5). The Safety Case addresses qualitatively and,
where appropriate, quantitatively all the potential
hazards in a plant and its operation and must demon-
strate a strategy (both managerial and technical) to
ensure safety and deal with emergencies.
The Cullen report produced in 1990 following the
Piper Alpha disaster in 1988 strongly advocated that
the offshore industry should adopt the goal-setting
regulation approach (6). This approach is now being
implemented by the new Offshore Division of the
Health and Safety Executive who were given
responsibility for offshore safety in 1991.
Even with goal-setting regulations applied well, there
is still a risk of accidents occurring. The principle
adopted is to make these ‘as low as reasonably
practicable’-the so-called ALARP principle. In the
Norwegian offshore sector where goal-setting regula-
tions were introduced following the Alexander Kielland
disaster, this has widely been taken to mean aiming for
an annual accident probability of less than 1 in 10 000
for all types of serious accidents.
To give some idea of how this accident rate compares
with that which exists onshore, I turn to the Mortality
Statistics for 1989 (England and Wales), the latest year
for which they have been published by HMSO. These
show that for men there were 4.6 fatalities per 10 OOO
due to accidents and violence. If we look at the figure
for the UK offshore sector for the same year it was 1 in
10 000. It therefore appears that men now may be
somewhat safer offshore than they are at home.
Looking at one year’s figures for a particular industry
can be misleading as there are significant fluctuations
from year to year. What is important, however, is the
commitment to safety in the offshore industry and the
widely accepted aim of bringing accident fatalities
down. It is worth noting that the offshore industry has
spent El billion on safety in the last 3 years.
2.4 Public perception of risk
Despite these endeavours many of the public still view
the offshore industry as risky. However, the public per-
ception of safety and risk is changing. When I was
younger the expression ‘safe as houses’ was in common
usage. Since the collapse in the housing market in 1988
and the collapse of houses under falling trees in the
gales that swept south-east England in 1989 I have not
heard that expression.
I also remember interviewers on the radio and tele-
vision asking ‘Is it absolutely safe? That question has
OIMechE 1993
 SAFETY AND RISK: MODELS AND REALITY
since been replaced by ‘How safe is it? or ‘What are the
risks involved? No one nowadays is under the delusion
that anything man-made is indestructible or completely
without risk.
The public’s perception of the risk involved in an
industry depends very much on how that industry com-
municates with and treats the public. Consider the
nuclear reprocessing industry. Both the transport of
nuclear waste and the plant at Windscale in Cumbria
were a cause of substantial public disquiet and almost
continuous media attention a few years ago. Windscale
changed its name to Sellafield and the public were
invited to visit in an intensive press and television
advertising campaign. The concern about the containers
used to transport nuclear waste being damaged in an
accident and leaking radiation was addressed in a tele-
vised experiment. A container was placed across a
railway track and a train (remotely operated) driven
into it at 100 miles per hour. The crash was spectacular,
the train was wrecked but the nuclear container
remained intact. These efforts served to allay the fears of
some of the public and, in the latter case, provide some
useful engineering knowledge.
The public response to accidents is very much a func-
tion of how extensively they are reported in the media.
In its turn political response is similarly conditioned.
Following the Flixborough disaster in 1974 in which 28
people were killed the Advisory Committee on Major
Hazards was established, leading to a radical rethink of
safety in the chemical industry. Since the Piper Alpha
disaster in 1988, in which 167 people died, a new Off-
shore Division of the Health and Safety Executive has
been established and far-reaching changes are underway
for offshore safety.
By contrast, also in 1988, 4639 people were killed in
accidents on the roads of England and Wales. The
national media coverage was comparatively minimal
and no major political initiative was taken in road
safety.
Communication is clearly a vital factor in the public
perception of risk and any industry that devotes con-
siderable attention to safety and minimizing the risks
associated with its activities should address this ques-
tion. It forms a key element in any comprehensive risk
management strategy.
3 FUTURE DEVELOPMENTS
3.1 Human reliability
In the future both the scope and precision of engineer-
ing modelling will increase in the pursuit of safety and
reliability. One area in particular has received scant
attention from engineers given its importance: human
behaviour. People are crucial components in most large
engineering systems. They are also, historically, the
most unreliable.
People are the source of the vast majority of acci-
dents that occur-not from malicious intent, but from
ignorance, oversight, overstress, misinterpretation and
fatigue, among other factors. While you cannot change
the physical characteristics of people you can certainly
study them and design a system around them. Human
factors and human reliability are now receiving increas-
ing attention from the engineering profession and par-
ticularly from the offshore industry.
0 IMechE 1993
Downloaded from pie.sagepub.com at RMIT UNIVERSITY on July 28, 2015
9
The behaviour of people can, of course, be greatly
altered by education and training. Safety is very much a
matter of attitude and a way of thinking. In any safety
management system, training will provide a substantial
and important part.
Considerable attention has already been devoted by
psychologists to the person-machine interface, but as
yet very little to people-machine interfaces. In any large
system, such as an offshore oil and gas platform, a
chemical plant or a ship, several people will be involved.
There will be individual interaction between each
person and the system; there will also be interaction
between people prompted by the perceived behaviour of
the system. In an emergency, this interaction is most
important.
In my view, far more attention will be devoted to
studying this in the future.
3.2 Data
Knowledge of human responses is gained from experi-
ments by psychologists and from observing people at
work. Knowledge of how man-made systems and struc-
tures actually work, and fail, can be gained in a similar
way. These data, as they are called, are the lifeblood of
good engineering models. Without this our models are
prone to drift away from the reality they are trying to
represent. Let me consider one example.
The environment in the North Sea in winter can be
very hostile and in storms wind and waves can give rise
to tremendous forces on offshore platforms. Fortu-
nately, very severe storms are not particularly frequent.
However, this infrequency means we have few data on
which to base our models of these events. This is the
largest source of uncertainty facing the designers of off-
shore structures. The current approach is to estimate
the largest wave expected to occur in a 50 year period.
The same is done for the wind and current. It is then
assumed that the extreme wave, the extreme wind and
extreme current will occur simultaneously and from the
same direction. This approach leads to very strong off-
shore structures. However, many are probably over-
designed, which is expensive, and the offshore industry
in the North Sea will not survive if it is uneconomic.
To improve our understanding and modelling of
extreme storms more good data from these events are
required. The collection of data, already practised in the
offshore industry, needs to be more widespread. More
importantly, individual companies should be persuaded
to release their data to a general pool and this larger
quantity of data would be available and of benefit to
the whole industry.
I have recently been looking with Total Oil Marine
at the analysis of extreme wave data collected at Alwyn
North. These show some very interesting trends.
However, enquiries to see whether analysis of other
similar data showed similar trends found that much of
the other data that exist have not been processed.
3.3 Statistical versus probabilistic models
It is perhaps the absence of a plentiful supply of good
data that has led to the largely independent develop-
ment of structural reliability theory. Structural reliabil-
ity theory has developed based on probability theory
Proc Instn Mech Engrs Vol 207
10
with little attention to the data with which it must be
used for practical purposes. Data analysis using sta-
tistical methods has been undertaken as a quite separate
activity.
In structural reliability theory the current approach is
to assume that a particular distribution can represent
the variability in the strength characteristics of a
material. A parallel assumption is made concerning the
loads acting on the structure. Having made these
assumptions the theory can be used to make an assess-
ment of the probability of failure. The models widely
used in this theory are ones that were originally devel-
oped for deterministic analysis and little attention has
been focused on their statistical robustness. In some
cases the output can vary substantially with small
changes to the sample of input data used. It is my per-
sonal view that we should move towards a more inte-
grated statistical approach to reliability modelling, as
indicated in Fig. 9.
3.4 Environmental impact
In addition to improved modelling a broader approach
to safety will continue to emerge in the future with not
just the risk to human life but also that to the environ-
ment being assessed. The offshore industry has long
since embarked on this road and environmental impact
studies are an integral part of their design and planning
processes. This is not true of many other industries, as
one can see by looking at some of our rivers and
beaches.
In 1991 the then Secretary of State for Energy, Mr
Colin Moynihan, indicated that goal-setting regulations
may well be used to protect some areas of the environ-
ment in the future. How widely this will, or can, be done
remains to be seen. One problem with goal-setting regu-
lations is that their use requires a level and breadth of
technical and managerial expertise not found in the
smaller companies of some industries.
3.5 Software reliability
To cope with the increasing complexity of safety and
reliability assessments use is being made of computers.
E Reliability
f safety and reliability and a clear understanding of the
Probability based assessment
reliability theory
outputs
4 In my view this will make engineering design more
fi Distribution
Integrated
statistically
based
reliability
theory
Statistical
data analysis input
Current popular model Proposed model
Fig. 9 Probabilistic versus statistical reliability models
Part E: Journal of Process Mechanical Engineering
Downloaded from pie.sagepub.com at RMIT UNIVERSITY on July 28, 2015
J WOLFRAM
The question arises: ‘How reliable are the safety and
reliability programs? This is a very important question
as systems become more complex and we rely on com-
puters increasingly for design, construction and oper-
ation.
The output of some computer programs can be
checked against results from model experiments or
manual theoretical calculations. In many complex cases,
however, this is not feasible.
Two independently developed computer programs
can have their outputs compared. However, if they
differ, how d o we know which is right, and even if they
appear to agree, how do we know that they are not
both wrong?
These questions and ways of obtaining answers to
them will be of particular interest to those involved in
safety and reliability in the next few years.
3.6 Education
To undertake these tasks we require able and well-
educated engineers. Ideally safety, reliability and risk
assessment should be taught to all undergraduate engi-
neers as an integral part of their design education.
However, at the moment only the Institution of
Chemical Engineers explicitly requires safety to be for-
mally taught at the undergraduate level to students who
hope to become Chartered Engineers. This may well be
related to the fact that the chemical industry was the
first to be subject to goal-setting regulations. The other
engineering institutions would like to see safety taught
in courses, but, as they do not insist on it, it is frequent-
ly omitted from an already crowded syllabus.
We do teach some safety and reliability to our off-
shore engineering undergraduates, but there is now such
a body of material in this area we decided to mount a
new MSc course. The MSc in Reliability Engineering
and Safety Management at Heriot-Watt University is
the first full-time course of its type in the United
Kingdom and is open to all types of graduate engineers.
It has attracted considerable interest both from appli-
cants and industry.
However, for the majority of engineers design educa-
tion is orientated towards using prescriptive regulations
that can be applied in a systematic and, dare I say it,
often unthinking manner. The shift to goal-setting regu-
lations will require the more explicit consideration of
underlying principles involved in design.
difficult but much more rewarding. There will be greater
scope for innovation coupled with greater responsibility
and concern for safety and reliability. This will be par-
ticularly true of the offshore oil and gas industry which
involves the broadest range of engineering skills and
already has a tremendous history of innovation.
These opportunities should be grasped by our bright-
est and most creative youngsters and then we can look
forward to a fascinating and safer future.
REFERENCES
1 Pugsley, Sir A. The safety of structures, 1966 (Edward Arnold,
London).
2 Blake, C . Lloyd’s register of shipping 1760-1960 (Lloyd’s Register of
Shipping, London).
QIMechE 1993
 SAFETY A N D RISK: MODELS AND REALITY 11

3 Blockley, D. 1. The nature of structural design and safety, 1980 (Ellis
Horwood Limited, Chichester).
4 Design of tubular jointsfor ofshore structures, Vol. 2, 1985, Pub-
lication UR33 (UEG, London).
5 A guide to the control of industrial major accident hazards regula-
tions 1984, HS (R)21,1985 (HMSO, London).
6 Cullen, The Hon. Lord The public inquiry into the Piper Alpha disas-
ter, November 1990, Department of Energy (HMSO, London).
BIBLIOGRAPHY
Development of the oil and gas resources of the United Kingdom, April
1991, Department of Energy (HMSO, London).
Risk analysis in the offshore industry, Notes from a three day work-
shop, 2-4 October 1990, Byfleet, Surrey (IBC).
The assessment and perception of risk, 1981 (The Royal Society,
London).
Gordon, J. E. The new science of strong materials, 1968 (Penguin
Books).
Lewis, E. E. Introduction to reliability engineering, 1987 (McGraw-
Hill, New York).
MacFarlane, C. J. Resolving conflicts: engineering attitudes to safety.
Inaugural lecture, University of Strathclyde, March 1990.
Martin, M. W. and Schinzinger, R. Ethics in engineering, 2nd edition,
1989 (McCraw-Hill).
O’Hear, A. An introduction to the philosophy of science, 1989
(Oxford University Press, Oxford).
Timoshenko, S. History of strength of materials, 1953 (McGraw-Hill).
Wolfram, J. A statistically based fatigue crack growth model for off-
shore structures. Appl. Ocean Res., April 1986,8(2).

@ IMechE 1993 Proc lnstn Mech Engrs Vol 207

Downloaded from pie.sagepub.com at RMIT UNIVERSITY on July 28, 2015