Is Probabilistic Risk Assessment the Answer?

By: Andrew J. Foote

Editors Note: The following article is taken from the 11th International Process & Power Plant Reliability Conference, Houston, TX on November 13-14, 2002, organized by Clarion Technical Conferences.

Introduction

Incomplete knowledge of the field is an inherent limitation of those designing reliability into a system. Traditional engineering education focuses on how systems work, rather than on understanding the way in which they fail, the effects of failure, and aspects of design, manufacture, maintenance and use affecting the likelihood of failure. This is understandable it is necessary to understand how a product works before considering how it may fail. Moving from a deterministic environment (engineering education) to a variability and chance-based environment (reliability) is often a big hurdle for practitioners. Familiarity with statistics and the causes and effects of variability is required to produce reliable systems and solve problems related with unreliability.

Traditionally, reliable systems were the result of the expertise and knowledge of the designers and manufacturers. However, the need to excel amidst the challenges of competition, schedules and timelines, the cost of failures, the rapid evolution of new materials, methods and complex systems, the need to reduce products costs and safety considerations all increase the risks of product development [1]. Figure 1 illustrates the challenges a system faces that contribute to its overall risk.

Figure 1. Perception of Risk [1] (Click to Zoom)
The application of reliability engineering methods to design, development, and management can control the risks associated with a system. These methods should not replace best practices, but instead ensure that new risks do not pose a threat to the success of the system. The uncertainty that surrounds potential risks offers a threat that an understanding of reliability principles and methods can limit in modern engineering.

Probabilistic Risk Assessment (PRA) is a comprehensive, structured, and logical analysis method aimed at identifying and assessing risks in complex technological systems for the purpose of cost-effectively improving their safety and performance [2]. PRA not only accounts for the reliability of a system, but also ensures that the risk to human, environment, property, or equipment from safety-related hazards is evaluated. Hopefully, the increased popularity of PRA techniques results from industry realizing the potential for providing cost-to-benefit evaluations and not from going through the motions to satisfy requirements specified for the particular system.



General Concepts

Risk is defined as the measure of a hazard that combines a measure of the occurrence of an undesirable event and a measure of its consequences [3]. Risk management can be defined as the processes of risk analysis and risk evaluation.

Risk analysis is concerned with using available data to determine the risk posed by safety hazards and usually consists of steps such as scope definition, hazard identification, and risk determination. The phase in which the decision process is inundated with metrics and judgments is called the risk evaluation [4].

A situation is a hazard if it can be harmful to man, the society, or the environment. The occurrence of an undesirable event is usually measured by its occurrence probability over a given period or by its frequency (number of events occurring per unit of time), or even by its rate of appearance [5]. The undesirable event can be manifested into various consequences:

• Human: injuries or loss of life, diseases, etc.
• Economic: production loss, cost of repair, etc.
• Environmental: environmental damage, pollution, injured/dead animals, etc.

Societys willingness or unwillingness to accept risk can be expressed as voluntary or involuntary activities (a voluntarily nature of accepting risk leads to a greater risk to be assumed). Voluntary and involuntary activities can be defined as:

• Voluntary Activity: The person decides of his own free will to engage in a particular activity according to their experience and tastes (i.e., bungee jumping, smoking).
• Involuntary Activity: The person is subject to a risk they have not chosen or can control (i.e., diseases, earthquakes).

Other factors that contribute to the acceptance of risk are the immediate or delayed effect of a hazard, the presence or absence of alternatives, the degree to which the risk is known, the shared or personal character of the danger, the reversibility or irreversibility of the consequences [3]. Three criteria, illustrated in Figure 2 [6], have emerged for judging the tolerability of risk:

• Equity-based: The premise is individuals have absolute rights to certain levels of protection and if the levels are passed, the risk is intolerable no matter the benefits.
• Cost/benefit-based: Comparison between a value placed on the benefits of reducing risk of injury or detriment, and the costs of preventing and reducing the risks.
• Technology-based: A satisfactory level of risk prevention is attained when relevant best or good practices, or stateof-the-art technology are utilized.

Figure 2. Levels of Risk and As Low As Is Reasonably Practicable (ALARP) [6] (Click to Zoom) In western industrialized countries, disease results in a death rate of approximately 10^-2 per year (1 in every 100 are at risk of death from disease), a high-level risk involuntarily accepted by society. On the other end of the spectrum, natural events such as lightning, flood, and insect bites produce a death rate around 10^-6 per year, the lowest level of involuntarily accepted risk.

Therefore, society accepts risks to which it is involuntarily exposed based on the benefit received from the activity. The following conclusions have been reached regarding the various levels of annual death rates and the risks that produce them [3].

• 10^-3 per year: Unacceptable measures are taken to mitigate the risks to more desired levels.
• 10^-4 per year: Society requires that public expenditures be directed towards controlling and reducing the risks (i.e., traffic, fires, etc.) at this level.
• 10^-5 per year: Public awareness of these risks (i.e., drowning, firearms, etc.) is evident and usually results in guidance aimed at reducing these risks (i.e., warning signs of imminent danger).
• 10^-6 per year: The average individual accepts that these risks pose a threat, but tolerates them by believing that they happen only to others.

As already discussed, the benefit of participating in a risky activity is a significant factor in determining the level of risk one may willingly encounter. Figure 3 shows the relationship between benefit and risk.

Figure 3. Benefit-Risk Pattern of Involuntary Exposure [3] (Click to Zoom)


PRA Process

Risk can only be effectivtly managed if it is fully understood; therefore a multi-disciplinary approach is ofter needed to assemble the required knowledge in areas such as probability and statistics, engineering, systems analysis, health sciences, social sciences, and physical, chemical, or biological sciences. A risk assessment must be included in all phases of a system's life cycle to be effective. The life cycle of a system can be divided into three phases as illustrated in Figure 4. The objective of each phase of the system life cycle are outlined in Table 1 [4].

Figure 4. Major Phases of System Life Cycle [4] (Click to Zoom)
Table 1. Objectives of Life Cycle Phases [4]

Life Cycle Phase	Objective
I: Concept and definition, design, and development phase	Identify major contributors to risk. Provide input to design process. Assess overall design adequacy. Provide input to establish procedures for normal and emergency conditions. Provide input to evaluate the acceptability of proposed potentially hazardous facilities or activities.
II: Construction and production, operation, and maintenance phase	Gauge and assess experience to make comparisons between actual performance and relevant requirements. Update information on major risk contributors. Provide input on risk status in operational decision-making. Provide input to optimization of normal and emergency procedures.
III: Disposal (decommissioning) phase	Provide input to disposal (decommissioning) policies and procedures. Assess the risk associated with process disposal (decommissioning) activities so that appropriate requirements can be effectively satisfied.

PRA is composed of the six functions shown in Figure 5. The following five basic steps are involved in establishing PRA scope definition [4].

1. Describe the problems leading to PRA and then form objectives of PRA on basis of major highlighted concerns.
2. Define the system under consideration by including factors such as system general description, environment definition, and defining physical and functional boundaries.
3. Outline assumptions and constraints for the PRA.
4. Highlight the decisions to be made.
5. Document the total plan.

Figure 5. Probabilistic Risk Assessment Process Functions [4] (Click to Zoom)
The primary purpose of the identifying hazards step of the PRA is to recognize those hazards that will result in risk to the system and provide a preliminary evaluation of the significance of the identified hazardous sources. The third step, estimating risk, involves accounting for the following seven items of interest [4].

1. Investigate hazard sources to determine the probability of occurrence of the originating hazard and associated consequences.
2. Conduct pathway analysis to identify the mechanisms and likelihood through which the receptor under consideration is influenced.
3. Select risk estimation methods/approaches to be used.
4. Recognize data needs.
5. Discuss assumptions/rationales associated with methods, approaches, and data being used.
6. Estimate risk to evaluate the degree of influence on the receptor under consideration.
7. Document the risk estimation study.

Documenting the risk being analyzed involves effectively documenting the PRA plan, the preliminary evaluation, and risk estimation to obtain the following information: title, abstract, conclusions, table of contents, objectives and scope, assumption and limitations, system description, analysis methodology description, results of hazard identification, model description and associated assumptions, quantitative data with associated assumptions, results of risk estimation, references, appendices, discussion of results, and sensitivity analysis. The fifth step, verifying end results, is a review process used to determine the integrity and accuracy of the PRA process (step is completed by someone other than PRA analyst). Finally, periodic updates of the PRA ensure the analysis remains current [4].



PRA Techniques

Various methods of conducting risk analysis (assessment) have been developed over the years. They should be carefully considered for relevance and suitability before their techniques are applied as part of a PRA process. Some of the factors to consider are appropriateness to the system being studied, scientific defensibility, format of results in reference to improving the understanding of the risk occurrence and risk controllability, and simplicity. Additional factors that might be considered include: study objectives, development phase, level of risk, system type and hazard being analyzed, information and data requirements, manpower needed, required level of expertise, updating flexibility, and resource requirement [4]. PRA techniques are grouped into two categories: (1) hazard identification and (2) risk estimation. These techniques are briefly discussed in Tables 2 and 3.



PRA Applications

Nuclear Industry. Early in the history of nuclear power, it became clear that the ability to build the safest and most reliable kind of nuclear plant would depend on the ability to predict the potential consequences of a severe nuclear plant accident.

Therefore, the Brookhaven National Laboratory at the request of the Atomic Energy Commission produced the first published analysis of nuclear power plant accident consequences in 1957. The published report, WASH-740, considered the probability rate range for several potential accidents, but did not specifically assign the probabilities to specific accident scenarios [9]. WASH-740 led to the first Probabilistic Risk Assessment ever performed, which was conducted by the Nuclear Regulatory Commission (NRC) on the Surry 1 and Peach Bottom 2 nuclear power plants in the United States. The results of this study were referred to as the Reactor Safety Study (RSS), published in 1975 as WASH-1400. The RSS [10] had two primary conclusions.

Probability of a core melt in a nuclear reactor was estimated to be 5 X 10-5 per year and its consequences on the environment minimal (less than one death). The optimistic metrics result from the available time (several hours to several dozen hours) between the core melt and the release of radioactive products into the environment, enabling evacuation of the population at risk [3].

The hazards to the environment and the populations at risk are very small, which are illustrated in Figures 6 and 7. These figures compare the risks from the operation of 100 nuclear power plants with natural hazards or mancaused events.

Figure 6. Comparison of Risks for Fatalities (Man-Caused Events) [3] (Click to Zoom)

Figure 7. Comparison of Risks for Fatalities (Natural Hazards) [3] (Click to Zoom)
The publication of WASH-1400 caused both immediate and renewed controversy among both critics and supporters of nuclear power. Where critics could not accept that nuclear risks were small in comparison to other every day risks, the NRC believed that accident probabilities were too high and consequences too small to match preconceived notions. The controversy severely limited the application of PRA techniques in the nuclear community, but the Three Mile Island (TMI) accident that occurred in March of 1979 led to renewed interest in PRA techniques. The WASH-1400 report identified an accident sequence in which the relief valve on the primary coolant system opened on high system pressure but failed to close when pressure was reduced [10]. This situation happened during the TMI accident and, since plant operators did not realize it, they inadvertently exposed the core enabling radioactive gas to escape into the environment [9].

Following the TMI accident, two important independent studies recommended greater use of PRA techniques in assessing nuclear plant risks and making decisions about nuclear safety: the Presidents Commission on Three Mile Island (The Kemeny Report) and the so-called Rogovin Report prepared by the NRCs Special Study Group. The NRC proposed both quantitative and qualitative safety objectives aimed at laying the foundations of safety regulations to help the public to understand and accept risks and serve as an aid to decision-making in nuclear power plant design and operation [3].

Table 2. Hazard Identification PRA Techniques

Technique	Explanation
Failure Modes and Effects Analysis	The failure modes and effects analysis is a reliability evaluation and design review technique that examines the potential failure modes within a system or lower indenture level, in order to determine the effects of failures on equipment or system performance [6].
Fault Tree Analysis	A FTA is a systematic, deductive methodology for defining a single specific undesirable event (top event) and determining all possible reasons (failures) that could cause that event to occur [7].
Event Tree Analysis	A bottom up approach used to identify the possible outcomes when an initiating events occurrence is known. Event trees are often a complement to fault trees [4].
Hazard and Operability Study	A form of FMEA developed for applications within the chemical industries. HAZOP is a systematic approach used to identify hazards and operational problems throughout a facility [4].
Master Logic Diagram	A hierarchical depiction of the potential means that system failures can occur. An MLD starts with a top event that is a damage state of interest (e.g., catastrophic failure) with events that contribute but are not sufficient alone to cause the top event identified with further detail as lower levels of the hierarchy are built [7].
Worst-Case Analysis	The objective of this analysis is to determine whether a system will still work under the worst possible conditions. Worst-case analysis can also be used to quickly determine the effects of engineering changes prior to widespread implementation [8].

Table 3. Risk Estimation PRA Techniques

Technique	Explanation
Consequence Analysis	The purpose of a consequence analysis is to estimate the impact of the undesired event on adjacent people, property, or the environment. If safety is the primary goal of a risk estimation the consequence analysis will consist of calculating the probability that people at different distances (and in different environments) from the undesired event source will suffer injury or illness [4].
Frequency Analysis	The purpose of a frequency analysis is to estimate the occurrence frequency of each undesired event or accident scenario. The analysis can be completed through two common approaches; using frequency data from past relevant undesired events to predict the frequency of their future occurrences, or utilizing methods such as FTA to calculate the occurrence frequencies of undesired events [4].

The NRC asked the US Department of Energy and electric utilities, which form the Electric Power Research Institute (EPRI), to draft a guide for applying PRA methods to nuclear power plants. The guide identified three main levels in a PRA [3]:

First Level: Analysis and identification of accident sequence aimed at assessing the core melt probability.

Second Level: Analysis of the physical processes of core melt and of the containment failure modes aimed at inventorying the radioactive products released to the environment and assessing their amounts as well as estimating the corresponding occurrence probabilities.

Third Level: Analysis of the transport of radioactive products in the environment and its consequences aimed at characterizing the effects of accidents on the environment and populations as well as assessing the probability of such accidents.

During the PRA of the Seabrook nuclear power plant, it was recognized that a systematic method for identifying and evaluating the impact of human errors that occur during accidents needed to be developed. The resulting methodology utilizes two principal performance shaping factors (PSFs) to identify the context of human errors. The PSFs are stress level and the potential for misdiagnosis (possibility that symptoms of a particular event are confused with those of another event). The available time for diagnosis and action is generally considered to be one factor that has a major influence on both the stress level and the potential for misdiagnosis. For each human error it is possible to rank, on a scale of 0-10, the difficulty in diagnosing the need for action, as well as the stress level on the operators. The rankings are compiled from studies of each individual event with special attention given to the time that would be available to the operators, the rankings are given in Table 4 (the medium stress level is considered to provide near optimum conditions for operator performance) [11].

Table 4. Human Error Rankings [11]

Stress Level	Ranking
Routine	0-2
Low	2-4
Medium	4-7
High	7-9
Very High	10

Since the WASH-1400 study was published, there has been a remarkable growth of the use of PRA in the USA nuclear industry, both commercial and government. With approximately 80 PRAs completed during this time with a variety of objectives, methods, applications, and levels of detail, a large body of data has been developed, which offers several valuable lessons to be learned and re-applied in the future. The Individual Plant Examination (IPE) program is the source of a majority of the PRA data. This program requests that all existing nuclear utilities employ PRA methods to identify plant vulnerabilities and all future applications for commercial nuclear power licenses require a comprehensive PRA be completed prior to design certification. PRA methods have been used to support additional safety requirements (and reduce unnecessary requirements), provide a risk perspective to operation and maintenance activities, increase the comprehension of complex systems, perform online maintenance, and assist in the decision making process [12].

The variability of the data collected from previous PRAs presents problems when it is to be applied to Risk-Based Regulations (RBR). Therefore, the need for more standardization in the PRA process could enable the role of risk assessments to increase in supporting risk-based regulatory applications. The following areas of the PRA process could most benefit from standardization [12]:

Loss-of-Coolant Accident (LOCA) Break Sizes & Frequencies: A generic approach should be implemented to provide a credible, comparable evaluation of the LOCA sequences as well as improve the consistency of LOCArelated risk profiles between plants.

Human Reliability Assessment: The human element of identifying recovery actions in the PRA process could be more dependable if lower and upper bound human-error probabilities were established for specific actions.

Common-Cause Failure (CCF): Since several different CCF databases exist, CCF analysis can result in many core damage frequencies (CDF) and associated uncertainties. Therefore, effort should be taken to synchronize or standardize the CCF probability values.

PRA Applications, Configuration Control & Management: The following elements of a risk-based assessment should be considered: level of quality assurance requirements, level of PRA modeling details, consistent decision-criteria for accepting PRA results as part of the justification for licensing decisions, economic issues, data validation & verification, consistency in the regulatory decision process & decision making, and risk communication.

Petrochemical Industry. One of the first non-nuclear PRAs was completed in the United Kingdom (UK) on chemical and oil plants on Canvey Island. The UK Atomic Energy Authority performed the PRA for the Health and Safety Executive, starting in 1976, primarily to answer the concerns being expressed by the public that lived near the chemical and oil plants on Canvey Island in the wake of other industrial disasters. The published report identified the methane terminal and ammonium nitrate factory as presenting the highest level of risk. Due in large part to the great interest the analysis received within the scientific and technical community, a reassessment was performed on the methane terminal to determine the extent of risk it posed. The conclusions of the second PRA were that the allowable risk levels in the nuclear industry were lower and the methane terminal did not constitute an unacceptable risk. The repercussions of theses assessments were that plant operators were more cognizant of safety, the study showed the merits and feasibility of the PRA approach in the nonnuclear industry, and the results squelched public concern with potential major hazards at Canvey Island facilities [3].

PRA methods also have been used for offshore oil rigging. The Norwegian Petroleum Directorate (NPD) was the first group to develop an approach for ensuring safety during the licensing of offshore oil rigs operating in the Norwegian sector of the North Sea. The NPD issued recommendations for assessing risks on offshore platforms that required designers to create a list of potential accidents that could cause significant loss of production or human life. The list of potential accidents includes, but is not limited to: blow-outs (uncontrolled gushing of hydrocarbon), fires, objects falling, collision between ships, helicopter crashes, earthquakes, extreme weather conditions, and combinations of the previously listed. The three main safety functions that should be considered during an analysis of an offshore platform are [3]:

Areas of refuge: Area must remain intact several hours after the occurrence of an accident until a totally safe evacuation can be conducted.

Emergency exits: At least one emergency exit from the center of the oil rig must remain undamaged for at least one hour after an accident.

Main structure: The structure must continue to support its load for a given period of time following an accident.

The quantified safety goal can be defined as improbable accidental events are not considered in the design if the total probability of each type of accidental event does not exceed 10-4 per year for any of the safety functions. The designer identifies all potential accidents with their initiating events, statistically assesses the probability of their occurrence, develops and assesses accident sequences for probability of occurrence, evaluates their consequences focusing on their safety functions, and classifies the accident sequences jeopardizing the safety functions forming a list of residual accidental events. If the total probability of each class of residual events exceeds 10-4 per year per safety function, redesign is warranted.

Reliability engineering and risk assessment techniques offer plant managers opportunities for increasing the profitability of their facilities. Operating refinery process units with a minimum amount of downtime is key to profitability in the petrochemical industry. Success in reducing process unit downtime can be measured by tracking the increase in historical unit on-steam time or average unit availability (defined as the ratio of unit operating hours to the total hours in a time period). Improving refinery availability begins by estimating the economic risk associated with potential shutdowns by combining the frequency of events that reduce full-production operation and the consequences of those events. The importance of different sections of the overall refinery or of an individual unit can be estimated using an economic-based PRA, providing the basis of recommendations for improving unit availability. The overall availability improvement analysis must examine all potential threats to unit operation, which can be classified as either (1) loss of containment events (release of flammable material) or (2) loss of function events (equipment failures that do not results in containment losses [13].

The economic-based PRA was based on the frequencies and consequences of over 4200 loss of containment accidents through the use of fault tree and event tree techniques. The methods used to perform the PRA included those used in the Canvey Island study. The economic-based PRA used a four-step approach: (1) accident sequence model development, (2) accident sequence frequency estimation (using industry-average data, refinery experience, and engineering judgment), (3) economic consequence of accident sequence (based on unit outage costs and equipment damage estimates), and (4) evaluate frequency and consequence values for each accident sequence. Table 5 identifies the summary of refinery absolute and concern risks as a function of generic component types for the over 4,200 loss of containment accident sequences analyzed [13].

Table 5. Economic Risk Summary by Refinery Process Section Component Type [13]

Component Type	Contribution to Absolute Risk (%)	Contribution to Concern Risk (%)
Compressor	36.00	54.00
Heater	17.00	25.00
Heat Exchanger	16.00	5.70
Pump	12.00	2.20
Reactor	7.40	7.30
Piping	5.60	2.90
Vessel	4.80	2.00
Tower	0.43	0.22

Originally PRA methods were used in the offshore oil industry to show regulatory agencies that a tolerable level of risk had been achieved, but the methods are now showing their worth in assessing alternatives and providing active decision support. PRA has helped modern offshore oil installations offer a high degree of protection to personnel, but it has not addressed the exorbitant cost of losses in material damage and the environment. Studies have shown that in the UK Continental Shelf alone, the value of accidental material damage to installations from 1980-91 was approximately £80 million annually, whereas the amount of oil accidentally spilled averaged 700 metric tons per year. Therefore, PRA techniques have a vast potential in supporting decisions on the best measures to choose to protect the asset or the environment for offshore installations, as the potential benefits include [15]:

Identification of cost-effective and safe solutions.

Focusing resources on improving areas where the impact from accidents could be most detrimental in terms of damage and/or production delay.

Supporting the design of key systems to improve their ability to survive following a hazardous occurrence.

Demonstration of reduced risk of asset loss as a result of implementing safety measures to support the negotiation of insurance terms.

An obstacle to applying PRA techniques to reduce the risk of material damage is the data and information available to complete the analysis. Specific areas that need to be further addressed include the following [1, 4]

The impact of fire damage on process vessels, piping, instrumentation and electrical systems in relation to fire duration and size.

The loss of process equipment that accounts for criticality of different systems to production.

Production losses due to repair time, which accounts for sparing situation and lead time for supply of components.

Quantification of intangible effects like loss of reputation or costs associated with production delay due to accident investigation.

Cost estimates for repair that reflect alternative solutions to rebuilding the existing operation by utilizing space capacity for other processes, modification of undamaged equipment, etc.



Conclusions

Risk is a function of the severity of an accident and its probability of occurrence. Risk is best managed if one can anticipate what can go wrong and consistently attempt to overcome failures through redesign. Therefore, risk management must consist of the following steps [8].

1. Identify the failures likely to occur by proactive analyses such as design reviews, preliminary hazard analysis, and FMEA.


2. Develop alternatives to control the failures, keeping in mind that control by design is normally less expensive than through testing.


3. Implement the acceptable solution without producing additional risks. 4. Implement a closed-loop system to control the risk.

Probabilistic Risk Assessment offers a systematic approach to managing the risk to humanity, environment, property, or equipment from safety-related hazards. There are several characteristics that quantify the risk that is acceptable to society, but the risk can usually be evaluated by the following three criteria: equity (level of protection offered to individual rights), cost/benefit (relationship between benefit of risk management and cost to do so), and technology (level of scientific knowledge needed to eliminate/reduce risk).

PRA has been used to manage risk for over 40 years, but unfortunately some of the largest gains in popularity associated with PRA techniques are as a result of highly publicized accidents. The TMI accident led to numerous PRAs being performed on existing and all subsequent nuclear facilities within the United States to evaluate the risk posed by each facility. Similar mishaps led to increased use of PRA techniques in the petrochemical, aviation, and environmental protection industries, but one of the most recognizable thrusts that brought PRA popularity to its current level was the Challenger disaster in 1986. The National Aeronautics and Space Administration may now be the most prevalent source of technologies, databases, and knowledge of the PRA principles that will ensure it maintains a predominant tool for managing risk in the future.

PRA techniques offer a vast capability in terms of cost-to-benefit analysis, but this potential seems to be seldom used or used incorrectly, or incompletely. The costs associated with potential risks must include system implementation and operation, which consists of component purchase costs, system downtime costs, costs to restore external environmental conditions and refund from losses in case of an accident. PRA techniques should attempt to account for the following elements of the risk: the potential safety concerns as a result of managing the risk, the affect on reliability posed by the risk, the maintainability associated with mitigating the risk, and the costs associated with effectively managing the risk throughout the system life cycle. PRA in itself may not provide the answer for all of these elements, but it can be part of an integral approach to managing risks when combined with other tools of the RMSQ disciplines. In the end, PRA is only as effective as the individual performing the analysis and the extent to which they are willing to perform the analysis.



References

1. OConnor, P.D.T, Newton, D., and Bromley, R.; Practical Reliability Engineering, 3rd Edition, Revised; John Wiley & Sons; New York; 1995.


2. Stamatelatos, Dr. Michael et al; Probabilistic Risk Assessment Procedure Guide for NASA Managers and Practitioners; Office of Safety and Mission Assurance; Washington; 2002.


3. Villemeur, Alain; Reliability,Availability, Maintainability and Safety Assessment, Volume 2; John Wiley & Sons; New York; 1992.


4. Dhillon, B.S.; Design Reliability, Fundamentals and Applications; CRC Press; New York; 1999.


5. Kumamoto, Hiromitsu, Henley, Ernest J.; Probabilistic Risk Assessment and Management for Engineers and Scientists, Second Edition; IEEE Press; New York; 1996.


6. Guen, J.M.; Incorporating Risk Assessment and Its Results In The Decision-Making Process; European Safety & Reliability International Conference 1997.


7. Maggio, Gaspare; Space Shuttle Probabilistic Risk Assessment: Methodology & Application; Proceedings Annual Reliability & Maintainability Symposium; IEEE; 1996.


8. Raheja, Dev G.; Assurance Technologies Principles and Practices; McGraw-Hill, Inc.; New York; 1991.


9. Fussell, Jerry; Nuclear Power System Reliability: A Historical Perspective; IEEE Transactions on Reliability; IEEE; April 1984.


10. Levine, S., Joksimovich, V. and Stetson, F.; Probabilistic Risk Assessment in the US; Reliability Engineering; December 23, 1983.


11. Apostolakis, George; On the Assessment of Human Error Rates Using Operational Experience; Reliability Engineering; October 22, 1984.


12. Zamanali, Jalal; Probabilistic Risk Assessment Applications in the Nuclear Power Industry; IEEE Transactions on Reliability; IEEE; September 1998.


13. Arendt, J.S., Casada, M.L., and Lorenzo, D.K.; Economic Risk Assessment of a Petroleum Refinery; Proceedings Annual Reliability & Maintainability Symposium; IEEE; 1985.


14. Brennan, Gerry et al; Modeling of Material Damage and Production Loss due to Accidents on Offshore Installations; European Safety & Reliability International Conference 1997.