Introducing the STAMP method in road tunnel safety assessment


Safety Science 50 (2012) 1806–1817


Konstantinos Kazaras*, Konstantinos Kirytopoulos, Athanasios Rentizelas
National Technical University of Athens, Mechanical Engineering School, Sector of Industrial Management and Operational Research, Zografou Campus, Heroon Polytechniou 9, 15780 Zografou, Greece

Article info

Article history: Received 7 October 2011; Received in revised form 29 February 2012; Accepted 18 April 2012; Available online 27 May 2012

Keywords: Road tunnels; Safety assessment; STAMP; Systems theory; Quantitative Risk Assessment

Abstract

After the tremendous accidents in European road tunnels over the past decade, many risk assessment methods have been proposed worldwide, most of them based on Quantitative Risk Assessment (QRA). Although QRAs are helpful in addressing the physical aspects and facilities of tunnels, current approaches in the road tunnel field are limited in their ability to model organizational aspects, software behavior and the adaptation of the tunnel system over time. This paper reviews these limitations and highlights the need to enhance the safety assessment process of these critical infrastructures with a complementary approach that links the organizational factors to the operational and technical issues, analyzes software behavior and models the dynamics of the tunnel system. To achieve this objective, the paper examines the scope for introducing a safety assessment method that is based on the systems thinking paradigm and draws upon the STAMP model. The proposed method is demonstrated through a case study of a tunnel ventilation system, and the results show that it has the potential to identify scenarios that encompass both the technical system and the organizational structure. However, since the method does not provide quantitative estimations of risk, it is recommended as a complementary approach to traditional risk assessments rather than as an alternative.

© 2012 Elsevier Ltd. All rights reserved.

1. Introduction

Over the last two decades there has been a great increase in the number of road tunnels worldwide, and all indications are that this number will continue to increase in the coming years. Improvements in tunnel construction technology have made tunnels a cost-effective solution for connecting steep mountainous regions and traversing urban areas (Zhuang et al., 2009). However, the increasing number of these infrastructures is a double-edged sword, raising upfront an endogenous problem: the severity of the accidents that may occur. Although accident rates appear to be slightly lower in tunnels than on the open road, an accident in a tunnel may have a much greater impact (Beard and Cope, 2008), especially in the event of fire, where the enclosed space hinders the dissipation of smoke and makes it difficult to ensure safe escape routes for tunnel users. Apart from human losses and injuries, accidents in road tunnels can also result in considerable financial losses and prejudicial consequences for the Tunnel Manager, so it is only natural that tunnel safety is now considered one of the key elements in tunnel design, development and operation. Indeed, it was the spate of tunnel fires in Europe over the past decade, resulting in many human and financial losses, that highlighted safety in these infrastructures as a matter of utmost importance. The accidents in the Mont Blanc, Tauern and St. Gotthard tunnels resulted in 58 fatalities over a period of just two years and forced the European Commission to embark upon a major review of road tunnel safety (Beard and Cope, 2008). In this context, the European Commission issued Directive 2004/54/EC, which sets minimum safety requirements and, apart from the measures imposed on the basis of tunnel characteristics, calls for a risk assessment in several cases. The aim of the risk assessment, as indicated by the Directive, is to form a basis for decision-making and to demonstrate and document a sufficient safety level to the authorities (EU, 2004). However, even though the objectives are clearly defined, the Directive indicates neither the method for performing the risk assessment nor the criteria for risk acceptance. Therefore, a wide range of methods have been proposed, most of them based on Quantitative Risk Assessment (QRA) (PIARC, 2008a).

Although the contribution of QRA to managing safety has been great in many fields (Kontogiannis et al., 2000), such as the nuclear power industry (where it is called Probabilistic Risk Assessment, PRA) and the chemical process industry (Nivolianitou et al., 2004), it has been argued that QRA results should not form the sole basis for safety-related decision making, since there are several items that might not be handled well by QRA modeling (Apostolakis, 2004). Briefly, the main challenges to the acceptance of QRA concern: (a) the treatment of human performance, including not only human error per se but also management and organizational factors, (b) understanding the kinds of failure modes that may be introduced when using software to control safety-critical systems and (c) capturing the adaptation of the system (i.e. the slow, incremental migration of the system towards the boundaries of its safety envelope). With the arrival of the socio-technical approach and the recognition of multiple non-technical aspects in the occurrence of accidents, these challenges to the acceptance of QRA have been stressed even more, particularly when trying to capture the overall risk picture of complex socio-technical systems (Leveson, 2011b). As a result, many efforts have been made to cope with these challenges, and in some industries QRA models have become sophisticated enough to incorporate organizational factors (e.g. Mohaghegh and Mosleh, 2009; Pate-Cornell and Murphy, 1996) or to cope with the context dependence of software behavior (e.g. Garret and Apostolakis, 1999). In parallel, new safety approaches have emerged that deviate from the QRA paradigm. For example, safety approaches based on systems-theoretic assumptions are now considered a promising way to understand and manage safety (Larsson et al., 2009; Leveson, 2004, 2011a; Woods et al., 2010). Rather than adopting a "normative view" that decomposes systems into separate processes that are likely to fail, the systems-theoretic perspective regards safety as a control problem (i.e. the inadequate enforcement of safety constraints), and accidents are viewed as the result of performance variability in human behavior and organizational processes whose complex interactions and coincidences are not adequately handled (Hollnagel, 2004; Leveson, 2004; Rasmussen, 1997). Some notable systemic accident models that have been proposed are the Functional Resonance Accident Model (FRAM; Hollnagel, 2004), Accimaps (Svedung and Rasmussen, 2002) and Leveson's (2004) Systems-Theoretic Accident Model and Processes (STAMP).

* Corresponding author. Tel.: +30 210 7723575. E-mail addresses: [email protected], [email protected] (K. Kazaras), [email protected] (K. Kirytopoulos), [email protected] (A. Rentizelas).
0925-7535/$ - see front matter © 2012 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.ssci.2012.04.013
It must be mentioned that, although some of these models were introduced as accident analysis techniques, STAMP can also drive a safety assessment process (Leveson, 2011b). Taking into account that road tunnels are not merely technical, engineering systems but also have intrinsic organizational, social and managerial dimensions that impact or contribute to their safety (PIARC, 2007), this article's objective is twofold. The first objective is to highlight the fact that the challenges of QRAs, as pinpointed in the literature, have not been adequately addressed in the road tunnels field. Therefore, even if QRA methods are essential for assessing the physical aspects and facilities of tunnels, they neglect an important part of the non-technical factors, and they do not translate their results into the identification of safety-critical systems and actions for which performance criteria (and subsequent management responsibility) need to be established. To cope with these limitations, the second objective of this work is to propose an innovative method that provides decision-makers with scenarios that have not been considered by traditional road tunnel QRAs but nevertheless have the potential to lead to accidents. The method introduced in this paper draws upon the STAMP accident model; hence, it has the potential to consider organizational factors, software behavior and the dynamics of the tunnel system integrally. By using the proposed method, the analyst (i.e. the tunnel safety officer or tunnel safety engineer) can identify a notable number of scenarios that have the potential to lead to accidents, assess (in a qualitative manner) the current safety level of the tunnel and propose additional measures if the safeguards in place are not adequate. The scope for using a STAMP-based road tunnel safety assessment method is thoroughly explored through a case study. The remainder of this paper is organized as follows.
In Section 2, the concept of QRA in the road tunnels field is briefly presented and the weaknesses of current road tunnel QRAs are discussed. Section 3 pinpoints the need to enhance the safety assessment process of road tunnels with a complementary method based on the systems theory paradigm, whereas Section 4 introduces and demonstrates the proposed STAMP-based road tunnel safety assessment method through a case study of a tunnel ventilation system. Section 5 discusses the method and, finally, Section 6 concludes this work.

2. QRA in the road tunnels field

2.1. The concept of current road tunnel QRAs

QRA methods have been adapted to the road tunnels field in order to cope with the limitations of the prescriptive standards and regulations that have traditionally and globally governed the safety of these critical infrastructures (Beard and Cope, 2008; Dix, 2004; PIARC, 2008a). Such regulations and standards, even if they ensure a minimum level of safety, are implemented more or less without taking into account the special characteristics of a particular tunnel or the interactions among the different parts of the tunnel system (PIARC, 2008a). As a result, a risk-based approach is also needed to provide a structured and transparent assessment of the risks of each particular tunnel. In this perspective, the ultimate purpose of a QRA is to calculate and evaluate the risk level of a tunnel and then determine whether the desired safety level has been achieved. Two criteria are mainly used to evaluate the risk level. The first is individual (personal) risk, which indicates the risk to the most exposed average individual, expressed as a fatality rate per year or per tunnel km. The second is societal (group) risk, which expresses the probability of large accidents with multiple fatalities and addresses society's perception of large accidents (i.e. risk aversion). Societal risk is usually presented by the F–N curve, a cumulative presentation of accident frequencies as a function of accident severity (number of fatalities). An extended literature review of the QRA methods currently applied in the road tunnels field can be found in PIARC (2008a).
The models presented in this report are the Austrian tunnel risk model TuRisMo, the Dutch TUNPRIM model, the French specific hazard investigation, the Italian risk analysis model and the OECD/PIARC DG-QRA model, which is the most widely used decision-aiding tool for the transportation of hazardous materials through a road tunnel. A detailed risk assessment with the OECD/PIARC DG-QRA method can also be found in Kirytopoulos et al. (2010). Other QRA methods that have been proposed in the road tunnels domain can be found in the relevant literature (Holicky, 2009; Nývlt et al., 2011; Weger et al., 2001; Xiaobo et al., 2011). All the aforementioned QRA methods consider different accident scenarios, since they have been developed for different types of routes and tunnels (i.e. unidirectional or bidirectional tunnels, longitudinally or transversely ventilated tunnels, etc.). The number of parameters used in each model also differs. However, the great majority of current road tunnel QRA methods consist of the following modeling steps (Hoj and Kröger, 2002; Xiaobo et al., 2011):

1. Identification of all possible critical events, such as fire, explosions, leaks and flood.
2. Fault tree and event tree analysis for each defined critical event. The fault tree is used to estimate the probability of the critical event, and the event tree consists of the particular scenarios triggered by it. Consequence estimation models are then applied to calculate the expected number of fatalities for the various scenarios in the event tree.
3. After obtaining the probability and fatalities of each scenario, the societal risk and the expected value are estimated. Smoke dispersion calculations are used in particular for fire scenarios, in order to estimate the extent of the areas where the consequences may cause fatalities to the exposed population. Smoke movement modeling varies from simple empirical relationships to complex CFD models. Moreover, evacuation calculations are employed to predict the expected number of people in those areas, again varying from empirical relationships to complex simulation models.
4. Having estimated the risk level of the tunnel, the last step is to evaluate the results and determine whether additional risk reduction measures are needed.

Therefore, what is clearly common to the current QRAs applied in the road tunnels field is their event-based accident model (i.e. fault and event trees) combined with simulation tools to estimate the expected number of fatalities. Then, perhaps the simplest means of decision-making is to accept the situation only if the risk is below a specified upper limit, based on the ALARP (as low as reasonably practicable) principle. The ALARP limits rest on the rationale that there is a low-risk region, below a specific frequency of occurrence, where the risk may be considered tolerable or, equivalently, negligible. There is also a high-risk region, above a specific frequency, where the risk is considered intolerable and therefore unacceptable. Between these two limits lies the ALARP region, where the operation of the tunnel is not prohibited but measures that may reduce the risk should be examined. Although the current road tunnel risk assessment methods are helpful in providing an understanding of some basic risk-related processes, they are also subject to many limitations. In contrast with the QRA methods used in the chemical industry or nuclear power, current approaches applied in the road tunnels field are mostly "hardware-driven" (i.e. focused on the technical equipment), concentrating mainly on the "proximal" causes of accidents.
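As an added worked example (not part of the paper), the following Python script reduces the four modeling steps above and the ALARP rule to their arithmetic: a constructed event tree for a fire critical event is enumerated into scenarios with a frequency and a fatality count, the expected value and the F–N curve are computed, and each F–N point is classified against two assumed criterion lines of the form F = C/N^a. The fire frequency, branch probabilities, fatality counts and criterion constants are all invented for the illustration; they are not data from any tunnel or from the models named above.

```python
"""Event tree -> scenarios -> expected value, F-N curve, ALARP verdict.

Added illustration of the QRA steps described in the text. Every number below
(critical-event frequency, branch probabilities, fatalities, criterion lines)
is constructed for the example and is not tunnel data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Scenario = Tuple[Tuple[str, ...], float, int]   # (path, frequency per year, fatalities)


@dataclass
class Branch:
    """One node of an event tree; a node without children is a leaf with a consequence."""
    label: str
    prob: float                                   # conditional probability of this branch
    children: List["Branch"] = field(default_factory=list)
    fatalities: int = 0                           # expected fatalities if this leaf is reached


# Step 1/2: the critical event "vehicle fire". Its frequency would come from a
# fault tree; here it is simply assumed (constructed value).
FIRE_FREQUENCY = 0.04

# Step 2: constructed event tree branching on two safety systems.
EVENT_TREE = Branch("fire", 1.0, [
    Branch("detection ok", 0.95, [
        Branch("emergency ventilation ok", 0.90, fatalities=0),
        Branch("emergency ventilation fails", 0.10, fatalities=2),
    ]),
    Branch("detection fails", 0.05, [
        Branch("emergency ventilation ok", 0.90, fatalities=5),
        Branch("emergency ventilation fails", 0.10, fatalities=20),
    ]),
])


def enumerate_scenarios(freq: float, node: Branch, path: Tuple[str, ...] = ()) -> List[Scenario]:
    """Walk the event tree, multiplying conditional probabilities along each path."""
    path = path + (node.label,)
    freq = freq * node.prob
    if not node.children:
        return [(path, freq, node.fatalities)]
    out: List[Scenario] = []
    for child in node.children:
        out.extend(enumerate_scenarios(freq, child, path))
    return out


def expected_fatalities(scenarios: List[Scenario]) -> float:
    """Step 3: expected value = sum over scenarios of frequency * fatalities."""
    return sum(f * n for _, f, n in scenarios)


def fn_curve(scenarios: List[Scenario]) -> Dict[int, float]:
    """Step 3: F(N) = cumulative frequency of accidents with at least N fatalities."""
    sizes = sorted({n for _, _, n in scenarios if n > 0})
    return {N: sum(f for _, f, n in scenarios if n >= N) for N in sizes}


def alarp_region(freq: float, n: int,
                 upper: Callable[[int], float], lower: Callable[[int], float]) -> str:
    """Step 4: place one F-N point in the negligible / ALARP / intolerable band."""
    if freq >= upper(n):
        return "intolerable"
    if freq <= lower(n):
        return "negligible"
    return "ALARP"


# Assumed criterion lines F = C / N**a. The slope a = 2 > 1 encodes risk aversion:
# the tolerable frequency falls faster than the number of fatalities grows.
def upper_limit(n: int) -> float:
    return 3e-2 / n ** 2


def lower_limit(n: int) -> float:
    return upper_limit(n) / 100


def evaluate_tunnel(freq: float = FIRE_FREQUENCY, tree: Branch = EVENT_TREE) -> Dict[str, object]:
    """Run steps 2-4 and return every intermediate result for inspection."""
    scenarios = enumerate_scenarios(freq, tree)
    curve = fn_curve(scenarios)
    regions = {n: alarp_region(f, n, upper_limit, lower_limit) for n, f in curve.items()}
    rank = {"negligible": 0, "ALARP": 1, "intolerable": 2}
    verdict = max(regions.values(), key=rank.__getitem__) if regions else "negligible"
    return {"scenarios": scenarios, "expected_value": expected_fatalities(scenarios),
            "fn_curve": curve, "regions": regions, "verdict": verdict}


if __name__ == "__main__":
    result = evaluate_tunnel()
    for path, f, n in result["scenarios"]:
        print(f"{' -> '.join(path):62s} f={f:.5f}/yr  N={n}")
    print(f"expected fatalities per year: {result['expected_value']:.5f}")
    for n, f in result["fn_curve"].items():
        print(f"F(N>={n:2d}) = {f:.5f}  -> {result['regions'][n]}")
    print("verdict:", result["verdict"])
```

The constructed case shows the risk-aversion effect of the F–N criterion: the frequency of the two-fatality scenarios lies in the ALARP region, while the rarer many-fatality scenarios fall in the intolerable region, so the tunnel as a whole would be judged intolerable even though its expected value is modest. It also makes the section's point concrete: every quantity flowing into the verdict is a branch probability or a consequence estimate, so the output is no better than those inputs.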
They do not take into account the more "distal" contributors, and they do not model weaknesses in the safety management system. Therefore, even if they are particularly helpful in addressing the physical aspects of the tunnel, they do not identify many other safety-critical elements that should be subject to safety management. In the next section, aspects that are not handled adequately by the majority of current road tunnel QRAs are briefly presented.

2.2. Weaknesses of current QRAs applied in the road tunnel field

QRAs have to deal with challenges mainly related to: lack of data (Aven, 2003), human behavior and organizational aspects (Apostolakis, 2004; Bier, 1999; Leveson, 2004), dysfunctional interactions among system components and the adaptation of systems over time (Leveson, 2004). The current QRAs in the road tunnel field, focusing mainly on the technical and physical part of the system, have not sufficiently addressed the following aspects.

2.2.1. Lack of data and uncertainties

In order to perform a QRA, specific data are needed as input, since such an approach is usually based on calculating probabilities from historical data (Steen and Aven, 2011). By decomposing the system as a whole into subsystems and components for which substantial amounts of data are available, the behavior of the whole system is supposed to become predictable. However, in the road tunnel field such data (accident frequencies, reaction times of tunnel users, reliability of tunnel equipment, etc.) are often either incomplete or subject to a high degree of uncertainty (Nývlt et al., 2011). Apart from the lack of statistical data and the difficulty of calculating the probability of a tunnel accident, it is also very difficult to estimate the consequences of such accidents (Haack, 2002). It is hard to predict exactly how a fire may develop in a road tunnel, due to the numerous specific conditions that influence the situation (number and type of burning vehicles, location of the fire, number and behavior of tunnel users, time to activate appropriate actions, etc.). In this context, it is obvious that a QRA as described in Section 2.1 has difficulty establishing a reliable risk picture, especially when it is used as the standalone method to evaluate overall tunnel safety.

2.2.2. "Human errors" and human behavior

Driver error has been regarded as a causal factor in many road accidents (Larsson et al., 2009), and the tunnel operator's behavior is considered a safety-critical element of the tunnel system (PIARC, 2007). Hence, it is only natural to wonder whether such errors and behaviors are incorporated into current road tunnel QRAs. "Human errors" in general are divided into errors of omission (neglecting to perform a well-defined procedure) and errors of commission (deliberately undertaking an action not specified in procedures) (Reason, 1990, 1997). Errors of commission are regarded as difficult to analyze with the simple engineering-style models used in QRA, since it is difficult to capture some of the important influences on error probabilities, sometimes referred to as "the error-prompting context" (Apostolakis, 2004). For this reason, in many high-risk industries QRAs have been enhanced with sophisticated Human Reliability Analysis. In the road tunnel field, however, current QRAs have not been enhanced with such instruments. As far as modeling the motorists' evacuation behavior in case of an emergency is concerned (a crucial step in current QRA models), research has shown that this subject remains elusive (Nilsson et al., 2009). Zarboutis and Marmaras (2007) have proposed agent-based modeling as an effective approach to capture a number of psychological crowd effects on individual psychomotor behavior, which in turn influence crowd behavior in tunnels.
However, this method aims at designing plans for emergency rescue rather than at predicting the evolution of the evacuation process. Experimental results (Nilsson et al., 2009) have shown that social influence is particularly important during evacuation in road tunnels (i.e. people are influenced by the behavior of others). Other aspects, such as evacuation messages, the attractiveness ("magnetism") of emergency exits (e.g. flashing lights) and the kind of information provided to motorists during the evacuation, also affect the evacuation process (PIARC, 2008b). None of these aspects, however, is taken into account by the QRAs currently applied in the road tunnel field.

2.2.3. Organizational aspects

Management shortcomings and organizational aspects have been recognized as major factors in the occurrence of accidents in complex systems (Leveson, 2004; Rasmussen, 1997; Reason, 1997; Turner and Pidgeon, 1997). As a result, the effect of organizational factors on QRAs has attracted great research effort and still poses a challenging research agenda at the interface of engineering and social science. In many industries notable attempts have been made to quantify organizational aspects (e.g. Duijm and Goosens, 2006; Mohaghegh and Mosleh, 2009; Papazoglou et al., 2003; Pate-Cornell and Murphy, 1996). In the road tunnels field, a framework to describe organizational factors has not yet been proposed. Organizational responsibilities in the tunnels field may vary from country to country; however, common organizational aspects that greatly affect safety include (PIARC, 2007): (1) traffic management and decisions concerning e.g. speed limits, alternative routes and the transportation of hazardous materials through a tunnel, (2) maintenance and inspection of the tunnel, (3) recruitment of tunnel staff and their training procedures, (4) preparation of emergency plans, (5) planning of emergency exercises and co-operation with the emergency services and (6) analysis of past incidents and organizational learning from past events.


All the aforementioned activities are undeniably safety-critical, and the fact that they are not included in current road tunnel QRAs may hinder an accurate safety assessment process.

2.2.4. Dysfunctional interactions among system components

As the design of tunnel equipment systems has become more reliable, the causes of accidents are more likely to be attributed to interactions among the tunnel's equipment systems rather than to individual system failures. Examples of unpredicted and hazardous interactions that may occur in a road tunnel are the following:

– Unsafe interaction between the fire-fighting and ventilation systems (i.e. water droplets may be affected by the air flow provided by the tunnel ventilation system).
– The communication systems of the tunnel or of the emergency services may be disturbed by the high noise resulting from the operation of the ventilation system.
– High ventilation velocity in the tunnel may affect the ability of fire detection systems to quickly detect smoke (Arralt and Nilsen, 2009).

In these examples none of the components fails to fulfill its requirements. Instead, it is the interaction among functioning components that may create hazardous system states. The accuracy of the estimated accident frequency depends critically on the accuracy of the QRA model itself; since such crucial "failure" modes are omitted by the majority of current road tunnel methods, the resulting estimate can be substantially lower than the actual accident frequency. Furthermore, the introduction of Supervisory Control and Data Acquisition (SCADA) systems poses an extra challenge when trying to control and estimate such dysfunctional interactions.
QRAs that focus only on the classic type of "random" failure events (as current road tunnel methods do) fail to investigate which actions of the SCADA software might lead to the occurrence or escalation of an accident, since they do not account for the uncertainty in SCADA software behavior that results from the context in which the SCADA is operating.

2.2.5. Adaptation of the tunnel system over time

Risk assessment in the road tunnel domain is currently viewed as an activity carried out at the beginning of the system's lifecycle, providing a "snapshot" of the risk associated with the system design. Additionally, in order to fulfill regulatory requirements (e.g. EU, 2004), risk assessments should be updated every six years. However, road tunnels that were initially designed and built with adequate safety margins may migrate to a state of increasing risk over time. This is mainly due to a potential lack of management commitment (e.g. poor maintenance) or because the system changes over time (different traffic volume, different share of dangerous goods vehicles in the traffic, etc.; Beard and Cope, 2008; Lacroix, 2001). In both cases the dynamic feedback processes that may cause risk to increase over time must be identified, and a static model does not provide this type of information.

3. Enhancing road tunnel safety assessment with a systems theoretic approach

3.1. The need for a complementary method in road tunnel safety assessment

Awareness of risk is a major component of safety-related decision making, and in the previous section it was deduced that current road tunnel QRAs do not adequately handle some important factors that influence safety, such as human and organizational aspects, dysfunctional interactions among system components and the adaptation of the tunnel system over time. On the one hand, there seems to be ample room for improving tunnel QRAs so as to cope with some of these aspects. For example, they can be enhanced with human reliability analysis (HRA) and common-cause-failure (CCF) analysis. HRA comprises methods that attempt to model "human error", while CCF analysis comprises methods for evaluating the effect of inter-system and intra-system dependencies that tend to cause simultaneous failures (Skogdalen and Vinnem, 2011). In addition, the accident rate estimates and other failure rates needed as input might better be obtained using Bayesian rather than classical statistical methods, given the sparsity of such data. In this paper, however, in order to augment and complement the safety assessment of road tunnels, we follow a paradigm entirely different from reliability engineering and QRA. We adopt Aven's (2003) viewpoint that "the risk cannot be adequately described and evaluated simply by reference to summarizing probabilities and expected values." Steen and Aven (2011) also stress that in order to analyze accidents there is a need for concepts and tools that see beyond the probabilistic world, since relying only on arbitrary risk indices, such as the expected value formulation, is not a sufficient safety effort. Following this line of thought, systemic accident models have proved particularly useful in helping analysts probe into the complicated interactions among system components that may lead to unfortunate events.
Hence, the aim of this paper is to augment the road tunnel safety assessment process with an innovative method, based on systems theory, that can be used to reveal scenarios which have not been considered by current tunnel QRAs but nevertheless have the potential to lead to adverse events. The endeavor is of particular importance for identifying the safety-critical systems and procedures for which actions must be established in the safety management system of a road tunnel organization. Since the method must overcome the limitations of current road tunnel QRAs, the model underlying it must fulfill the following criteria: (a) not rely on statistical data and probabilities, (b) reveal organizational patterns that may lead to accidents, (c) identify dysfunctional interactions among system components (including software) and (d) consider the feedback mechanisms that describe the adaptation of the tunnel system. STAMP is an accident model that fulfills these criteria and has not been applied to the road tunnel safety field up to now. Moreover, STAMP has recently been used successfully for proactive safety assessments (i.e. STPA; Leveson, 2011b); therefore it meets all the prerequisites to form the basis of the proposed method.

3.2. The STAMP approach

STAMP is a systemic accident model proposed by Leveson (2004) and is based on the two major pairs of ideas underlying systems theory and systems thinking (Checkland, 1981): (1) emergence and hierarchy, and (2) communication and control. In this systems-theoretic approach, STAMP views accidents as the result of inadequate control rather than strictly as failure events. In STAMP terms, safety is an emergent property that is achieved through the enforcement of constraints. This perspective allows safety problems to be transformed into control problems, for which sophisticated tools can be employed.
Safety control structures represent the components of the socio-technical system that enforce the aforementioned safety constraints. A hierarchical multilevel model of stakeholders is posited in STAMP, similar to the model of Rasmussen (1997), but more expanded. Control loops operate between the hierarchical levels of each control structure that have a downward channel providing the information or

1810

K. Kazaras et al. / Safety Science 50 (2012) 1806–1817

commands necessary to impose the constraints in the level below and a measuring channel to provide feedback measurements about how effectively the constraints were enforced. Finally, each controller at all levels of the hierarchical safety control structure must have a process model of the process being controlled (i.e. a model of the system). Briefly, whether the model is embedded in an automated controller or in the mental model maintained by a human controller ‘‘it must contain the same type of information: the required relationship among the system variables (the control laws), the current state of the process and the ways the process can change state’’ (Leveson, 2004). STAMP, as presented in Fig. 1, provides a useful framework that describes how inadequate control actions, violating safety constraints, may occur. STAMP has been used mainly to analyze past accidents (e.g. Quyang et al., 2010), but apart from accident analysis the model can also drive successfully a safety assessment process, as in Dulac and Leveson (2005), Leveson (2011b) and Hardy and Guarnieri (2010). It must be mentioned that such type of safety assessment cannot provide risk indices as a function of probabilities and consequences of events (Kaplan and Garrick, 1981). On the contrary, a STAMP-based assessment is a function of the effectiveness of the whole system to enforce the safety constraints. Therefore, the main aim of STAMP in a proactive analysis is to examine and evaluate the potential of inadequate control actions. Then, if the current safety management system is found not to be able to handle the potential of such actions, more refined safety measures should be proposed and established. In a nutshell, STAMP can contribute to a priori safety assessment by providing an in depth analysis about the potential causes of accidents and the state of controls implemented to prevent them. The more accurate the information provided by the analysis, the more accurate will be the perception

of the safety level and risk. Furthermore, the classification of control flaws presented in Fig. 1 provides a structural way to identify scenarios that may lead to accidents. 4. STAMP in road tunnel safety assessment 4.1. The general concept The STAMP-based road tunnel safety assessment method follows the typical steps of a STAMP-based analysis, as summarized in Fig. 2. The ultimate goal of the proposed method is to provide a set of scenarios (i.e. control flaws) that should be examined and evaluated during the safety assessment process. The scenarios should include not only component failure events, as current road tunnel QRAs do, but also scenarios stemming from organizational deficiencies and feedback relationships. The assessment begins with identifying hazardous system states (i.e. states that could lead to losses) and translating them into safety constraints. Next, a basic safety control structure is defined. A safety control structure diagram depicts the components of the tunnel system enforcing the safety constraints and the paths of control and feedback. It is through this structure diagram that the socio-technical system becomes alive and the dynamic relationships between different levels (i.e. hierarchies) within the system (e.g. blunt ends and sharp ends; Reason, 1997) are modeled. By using the safety control structure diagram as a guide for conducting the assessment, each path of control and feedback is examined for potential inadequate control actions which can contribute to the hazardous states. Then, the identified inadequate control actions are used to refine safety constraints and determine the safety functions that must be enforced in the tunnel system by

a combination of measures that can be both technical and organizational. Finally, the analyst should augment the safety control structure with process models in order to identify (by using the classification presented in Fig. 1) possible control flaws that can lead to the inadequate control actions and therefore to inadequate enforcement or violation of the defined safety functions. It must be mentioned that inadequate enforcement or violation can result from both the technical and the organizational system. After this stage, the safety level can be evaluated. For each control flaw adequate safety measures should be present, since such flaws have the potential to lead to accidents. If the safety measures in place are inadequate to handle the identified control flaws, recommendations should be made. In a nutshell, the proposed approach involves identifying the safety constraints and the safety functions that must be enforced and ensuring that the technical and organizational tunnel system adequately enforces them through various types of safety measures.

In order to present the scope for using STAMP in road tunnels, the proposed framework is illustrated through a case study in the next paragraph. Due to space limitations, and in order to present the method as thoroughly as possible, the case study focuses on the analysis of a tunnel’s ventilation system.

Fig. 1. A classification of control flaws (Leveson, 2004).

The STAMP-based road tunnel safety risk assessment
Step 1: Identify accidents, hazardous system states and the safety constraints
Step 2: Determine the safety control structure and identify inadequate control actions
Step 3: Identify possible control flaws
Step 4: Evaluate the road tunnel safety
Fig. 2. Steps of the STAMP-based road tunnel safety assessment.

Table 1
Main characteristics of the examined road tunnel.

Main characteristics
Construction data
  Length (m)                      2000
  Type                            Twin-bore
  Lanes (per direction)           2
  Width (m)                       9.5
Technical measures
  Emergency exits                 Every 500 m
  Ventilation
    Normal operation (m3/s)       120
    Emergency operation (m3/s)    220

4.2. Case description

The examined road tunnel is a typical tunnel designed and constructed after the enforcement of Directive 2004/54/EC. The road tunnel will be referred to as ‘‘the examined road tunnel’’ throughout this paper. Its main technical characteristics are presented in Table 1. The examined road tunnel is a twin-bore unidirectional tunnel supervised by a SCADA system and a manned control center (i.e. Tunnel Operator).
In particular, the SCADA controls: the power supply system, the tunnel ventilation system, the firefighting system, the fire detection system, the traffic management system, the tunnel CCTV system and the tunnel communication system. In order to achieve the goals established for operation and maintenance, there is a Tunnel Management System (TMS) that supports the planning of the necessary operation work, optimizes the tunnel maintenance activities and provides technical feedback on the tunnel and its installed systems. The TMS is comprised of an inventory manual of the tunnel equipment (describing the systems installed in the tunnel and their location), a technical operation manual (describing how the systems are used in normal and specific situations) and a maintenance manual (describing maintenance intervals for each installation). Furthermore, the tunnel’s safety documentation includes an Emergency Response Plan which

defines how the tunnel operating body organizes its staff and the tasks that are assigned to them in various situations that might affect the safety of people.

In this section the analysis concentrates mainly on the tunnel ventilation system, which is of the longitudinal type. In this type of ventilation, the airflow moves the pollutants/smoke along with the incoming fresh air provided through a set of ceiling-mounted jet fans, as presented in Fig. 3. The system is designed to provide a minimum longitudinal air velocity that avoids back-layering, the so-called critical velocity. The examined ventilation system is controlled by the SCADA system as follows. In the normal operating mode, the system works in an automated mode, without any intervention of the Tunnel Operator. The control in this ventilation mode is associated with measured pollution and opacity levels (e.g. CO, dust and NO thresholds). When measurements exceed the predefined threshold, the SCADA activates a particular number of jet fans in order to reduce the concentration of CO and other pollutants. On the other hand, if a fire is detected, the ventilation is turned into the fire ventilation mode, which is a pre-programmed sequence of actions. Then, a validation of the fire by the Tunnel Operator is equivalent to launching the commands to start and execute the right operation procedure, which is a function of the fire position. Finally, the jet fan starting procedure is based on a star-delta start system, meaning that the SCADA manages the time between each start of the installation to limit electrical overload.

4.3. STAMP implementation in road tunnel safety assessment

4.3.1. Step 1: Identify accidents, hazardous system states and the safety constraints

The first thing to be done in any safety effort involves agreeing on the types of accidents to be considered. By the term accident we mean an undesired or unplanned event that results in a loss (Leveson, 2011b; Sklet, 2006). In the road tunnel field, accidents are related to human losses and infrastructure damage that mainly occur due to (PIARC, 2008a): (1) a fire in the tunnel, (2) an explosion in the tunnel, (3) a release of toxic gas in the tunnel, (4) traffic accidents (e.g. vehicle collisions) and (5) flooding. Then, hazardous system states or conditions that have the potential to lead to each particular accident must be determined. In this paper we focus on the accident of fire in a tunnel that leads to human losses/injuries and/or tunnel damage. The hazardous system states leading to the aforementioned losses/damage are related to the main processes in the safety chain, including traffic management, incident control, self-rescue and emergency assistance. Hence, the hazardous system states can be formulated as follows:

1. Dangerous driving in the tunnel (e.g. speeding, lane hopping, users failing to keep their distance from the vehicle in front).
2. Inadequacy of the tunnel ventilation system to control smoke and fire in the initial (self-rescuing) phase of a fire.
3. Inability of the road tunnel users to rescue themselves.
4. Inability of the Tunnel Operator to effectively intervene and provide the appropriate actions.
5. Inability of the emergency services to control the incident.

Then the aforementioned hazardous states can simply be turned into the safety constraints, as presented in Table 2. It should be mentioned that safety constraints constitute the non-hazardous states of the system (Leveson, 2004).

Fig. 3. Longitudinal ventilation control.

Table 2
Safety constraints for the examined road tunnel.

1  A safe and steady flow of traffic, prevention of traffic incidents and response to traffic disruption
2  The ventilation system should provide escape routes with tenable levels of temperature, toxicity and visibility
3  The available egress time is sufficient for users to escape
4  The personnel are sufficiently educated and trained and have the necessary resources to intervene in case of an emergency
5  Emergency assistance should be given effectively

4.3.2. Step 2: Determine the safety control structure and identify possible inadequate control actions

Having identified the safety constraints, the next step is to determine the safety control structure (refer to Fig. 4) responsible for enforcing these constraints and to examine the potential for inadequate control actions. This step must be done for all the identified safety constraints presented in Table 2; however, the rest of this section is focused on the safety constraint ‘‘The ventilation system should provide escape routes with tenable levels of temperature, toxicity and visibility in the self-rescuing phase of the fire’’. It must be mentioned that Leveson (2011b) has proposed criteria in order to help the analyst determine the actors that must be included in a safety control structure diagram. Nevertheless, in the case study, the structure includes all basic elements of the tunnel system (e.g. human, organizational and automation) that play a significant role in the enforcement of the particular safety constraint. The roles and responsibilities of each component in the structure are:

– The Tunnel Manager is responsible for the day-to-day operation of the tunnel. He forms working instructions, draws up the maintenance strategy and is responsible for the training of the Tunnel Operator.
– The Safety Officer takes part in the implementation and evaluation of emergency operations and examines whether the tunnel’s ventilation system is well maintained.
– The maintenance personnel’s role is to intervene on the technical facilities of the tunnel in a preventive and corrective way, as planned by the Tunnel Manager.
– Designers also affect tunnel safety to a great extent. Tunnel safety during operation greatly depends on the original design and development of the tunnel system.
– In the operating process the two main controllers are the Tunnel Operator (often named traffic operator if the tunnel is included in a controlled highway section) and the SCADA system.

Taking into account that all the aforementioned actors have the authority and the responsibility to enforce the safety constraints, it is only natural to consider that they also have the potential to violate these safety constraints. Therefore, in this second step of the assessment, the analyst should use the safety control structure diagram as a guide to identify inadequate control actions that have the potential to violate the safety constraints. In STAMP terms, inadequate control actions occur when (Leveson, 2011b):

Fig. 4. The examined road tunnel safety control structure.

1. A required control action is not provided (i.e. control actions are inadequately executed).
2. An incorrect or unsafe control action is provided (i.e. the controller issues inadequate control actions).
3. There is inadequate feedback for the control action and thus a potentially correct control action is provided at the wrong time (e.g. too late) or is stopped too early.

Applying the above generic inadequate control actions to the case study leads to the following specific inadequate control actions:

In control loop 1 (i.e. from the Tunnel Manager and the Safety Officer):
1. Working instructions, specific safety plans and training are not provided by the Tunnel Manager and Safety Officer to the Tunnel Operator concerning the operation of the ventilation system (i.e. control action not provided).
2. Wrong/misleading working instructions are provided (i.e. incorrect control action is provided).
3. There are no feedback channels relating to the effectiveness of the ventilation-related safety plans and the training (i.e. missing feedback).

In control loop 2 (i.e. from designers/maintainers):
1. The operating assumptions and the operational limitations for the ventilation system have not been passed from the designers of the system to the Tunnel Operators (i.e. control action not provided). Similarly, the safety-critical components of the tunnel ventilation system are not identified by the designers to the maintainers for prioritization of effort. Even if this seems unlikely to happen, one should keep in mind that road tunnels have a very long operating life and very few of those involved with the original planning and construction works will be available to share their knowledge with those coming after them to operate and maintain the tunnel.

In control loop 3 (i.e. from the Tunnel Operator and SCADA system):
1. The Tunnel Operator and/or the SCADA system do not activate the tunnel ventilation system for the emergency (i.e. control action not provided).
2. The ventilation system creates high longitudinal velocities downstream of the fire while the tunnel users have not evacuated that area, and therefore they are affected by the fire. Moreover, high longitudinal velocities feed the fire with oxygen, enhancing the heat release rate (i.e. unsafe control action is provided).
3. The Tunnel Operator waits too long to validate the alarm or the SCADA system is unable to activate the ventilation system (i.e. fire mode) quickly enough (i.e. control action provided too late).
4. The emergency ventilation mode is stopped before the fire event has been declared closed (i.e. control action stopped too early).

The information provided at this step of the analysis should be used to define the safety functions necessary to prevent the aforementioned inadequate control actions. Leveson (2011b) terms such functions ‘‘more refined safety constraints’’, but in this paper the widely accepted notion of safety function is adopted. Particularly, Dianous and Fiévez (2006) define a safety function as ‘‘what is needed to assure, to increase or to promote safety’’, and they also claim that a safety function is a technical or organizational action, not a physical system. In line with this definition, in the STAMP-based road tunnel safety assessment a safety function is a technical or organizational action that is intended to achieve or maintain a safe state for the tunnel system, in respect to an inadequate control action. The safety functions that must be enforced in the examined case are presented in Table 3. At this step a first assessment of safety functions SF1–SF3, enforced at the higher organizational level (i.e. loops 1 and 2), can be made. The analyst should examine the Emergency Response Plan, the Maintenance Manual and other organizational procedures to conclude whether the particular safety functions are adequately enforced or not. For this purpose the STAMP-based road tunnel safety assessment can be integrated with an inspection safety audit. However, for safety functions SF4–SF9 the assessment is more complex, and in order to evaluate the safety measures in place more critical aspects should be identified.

Table 3
Safety functions to be enforced.

Safety function  Description of the safety function
SF1  The working instructions provided to the tunnel operator must enable a quick response in case of an emergency
SF2  Rigorous and ongoing training must be provided to the tunnel personnel in conjunction with a feedback mechanism which tests the effectiveness of the training procedures
SF3  The operating assumptions and the operational limitations for the ventilation system must be recorded and passed from the designers of the system to the tunnel operators and maintainers
SF4  Fire ventilation mode must always be activated if a fire exists in the tunnel
SF5  The airflow provided by the ventilation system must prevent back-layering and smoke de-stratification for at least the first 10–15 min from the onset of the fire
SF6  If people are situated downstream of the fire they must not be affected by the fire
SF7  The application of forced ventilation could assist the fire since it feeds the fire with oxygen. Thus, the Tunnel Operator must be able to identify the fire type and the exact situation and adjust the ventilation strategy accordingly
SF8  The full operation of the smoke control must be achieved within 2–3 min from the onset of the fire
SF9  The fire ventilation mode must not stop until the smoke is under control

4.3.3. Step 3: Identify possible control flaws

Step 3 identifies the scenarios or paths that have the potential to lead to the inadequate enforcement or violation of the safety functions defined in the previous step. In this third step, the classification of control flaws developed by Leveson (2004) and presented in Fig. 1 can be adapted to the examined loop 3 (see Fig. 5). Thus, by working around the loop, the following control flaws can be identified.

Fig. 5. The examined control loop of the fire ventilation process. (Elements of the loop: control input missing or wrong; Tunnel Operator/SCADA with inadequate control algorithm (flaws in creation, process changes, incorrect modification or adaptation) and process model inconsistent, incomplete or incorrect; inappropriate control action; inadequate operation of jet fans; delayed operation; fire ventilation process with unidentified or out-of-range disturbance; inadequate operation of sensors; measurement inaccuracies; inadequate feedback.)

4.3.3.1. Control inputs or external information wrong or missing. The Tunnel Operator and the SCADA system co-operate with other components in the tunnel system. As a result, actions and outputs from other system components are needed in order to control the fire ventilation process. Control flaws identified in this category are:

a. The power supply has failed; the ventilation system does not have the necessary input to start the fire ventilation process.
b. Fire detection has failed. Consequently, the fire ventilation mode is not activated (inadequate sensor operation).
c. Frequent false alarms (wrong inputs) have created complacency during tunnel operation. As a result, fire alarms do not immediately activate emergency procedures.

4.3.3.2. Inadequate control algorithm of SCADA system and Tunnel Operator (flaws in creation, incorrect modification or adaptation). Algorithms are the procedures designed by engineers for the SCADA system and the procedures that the Tunnel Operator follows for the emergency ventilation process. Scenarios that may violate the safety functions belonging to this category are:

a. The predefined number of jet fans to run in order to avoid back-layering fails to achieve the necessary critical velocity (flaws in creation process).
b. The fire ventilation mode cannot override the normal operation mode. Consequently, the SCADA avoids starting particular safety-critical jet fans because they have reached the maximum number of starts per hour or because of the vibration threshold (flaws in creation process).
c. The non-incident ventilation tube is inappropriately set up, leading to smoke recycling due to the pressure differences between the two tubes (flaws in creation process).
d. The traffic volume has changed considerably over time. Although the ventilation system was initially effective, it is presently insufficient to control the fire (asynchronous evolution).

4.3.3.3. Process model of SCADA system and Tunnel Operator inconsistent or incomplete, inadequate or missing feedback. The process model is the way both the SCADA and the Tunnel Operator are informed about the progress of the fire ventilation process. When the SCADA or the Operator has a perception of the tunnel environment different from its real state, erroneous control commands may be provided. Scenarios which may lead to the violation of the safety functions are the following:

a. The anemometer coherency test performed by the SCADA system has failed to detect that the anemometers are out of order or have not been calibrated due to a poor maintenance policy. As a result the SCADA system has an incorrect process model of the tunnel longitudinal ventilation velocity and inadequate airflow is provided (inadequate sensor operation).
b. The buoyant fire plume moving within the tunnel environment affects the anemometers’ operation; wrong airflow values are provided to the SCADA (measurement inaccuracies not accounted for).
c. The Tunnel Operator does not have sufficient feedback on the tunnel environment and the controlled process. The fire incident tunnel team, the sensors and communication with tunnel users do not provide the necessary information to update his mental model of the controlled process. The displays and the human-machine interface of the SCADA might not be ergonomic enough. As a result, the pre-programmed scenario proposed by the SCADA system is validated although it is not the appropriate one. For example, the scenario is based on the assumption that people downstream of the fire have evacuated and applies forced ventilation (inadequate coordination, flaws in creation of process model).
d. When a fire occurs, it might cause an increase in dust and CO levels. Before the levels are high enough to define a fire, the ventilation (normal operating mode) will have increased the ventilation rate. This rise in airflow will affect the time to detect the fire and turn the ventilation into fire mode (time lags).
e. The fire ventilation mode stops because of the CO, NO2 thresholds (incorrect adaptation).

4.3.3.4. Inadequate operation of the actuators. The scenarios in which control commands cannot be executed include:

a. The ventilation command transmission network fails; the ventilation fans are not activated (inadequate actuator operation).
b. The jet fan starting procedure (which, as already mentioned, is based on a star-delta start system) brings about the delayed operation of safety-critical jet fans (time lags).
c. Lack of operation and a poor maintenance policy have resulted in the degradation of the ventilation equipment.
d. The pre-programmed scenario proposed by the SCADA is the appropriate one but the Tunnel Operator cannot validate the scenario. This may be due to his absence from the control room without someone to stand in for him, or due to his panic (inadequate execution of control action).

4.3.4. Step 4: Evaluating the road tunnel safety

After the end of step 3, the information from the STAMP-based road tunnel safety assessment should be provided to the Tunnel Manager and Safety Officer in order to evaluate the current tunnel design (if the tunnel is in operation) or to establish and enforce a proactive safety strategy (if the tunnel is under development). The previous steps followed a top-down approach that ‘‘investigated the accident before it occurs’’ with the goal of identifying potential causes, that is, scenarios that have the potential to lead to losses. At this step, the analysis concentrates on determining whether the identified scenarios can emerge in the current system and what additional safety measures should be taken before damage occurs. It must be mentioned that many of the scenarios (i.e. control flaws) identified by the STAMP-based method may be adequately handled by the current design. If this is the case, it is important to consider how the current controls could degrade over time and to build in protections. Such protection may include a safety inspection audit where the assumptions underlying the STAMP-based road tunnel safety assessment could form the preconditions for the audit.
Nevertheless, this fourth step follows a bottom-up process that determines the potential for safety functions to be inadequately enforced and thus for a failure to emerge. It must be mentioned that this potential is not expressed quantitatively (e.g. by probabilities); it is only stated in a qualitative manner. In the case study, we concluded that the ventilation-control routines and organizational procedures do not ensure an adequate response for the following conceivable scenarios identified by the STAMP-based method:

1. The ventilation-control routines do not account for the fact that when a fire occurs in the tunnel it will cause an increase in CO levels. In cases where this increase is not high enough to raise an alarm, the SCADA will only increase the normal-mode ventilation airflow, aiming to dilute the CO. This time lag identified by the STAMP-based method can significantly affect the time the SCADA system needs to detect the fire and turn the ventilation into fire mode. Therefore, it is possible that safety function SF8 presented in Table 3 is inadequately enforced.
2. Another critical aspect discovered is that the ventilation-control routines do not adapt safely to the CO thresholds. During the normal operating mode the jet fans are activated when the measured CO levels exceed a reference threshold (e.g. 70 ppm) and are switched off when the levels fall back under this value. However, during a fire this threshold must be de-activated, since it can result in switching off the ventilation during the fire ventilation mode and violating safety function SF9.
3. The link between the traffic volume and the ventilation capacity has been ignored in the tunnel organization. There are no feedback mechanisms for evaluating whether the ventilation system is still efficient when significant changes in the traffic volume occur. Therefore, it is possible that the traffic volume has increased enough to render the ventilation system inadequate to control smoke in a fire event (i.e. inadequate enforcement of safety function SF5).
4. In the examined road tunnel the pre-programmed scenarios proposed by the SCADA system during the fire ventilation mode are executed only if they are validated by the Tunnel Operator. In case of his absence from his position, the necessary actions cannot be issued. Hence, there is the potential for inadequate enforcement of safety function SF4.
5. False alarms are frequently issued by the fire detection system, and this may make the de-activation of particular fire detection sensors that are prone to such mistakes common practice. Hence, if a fire occurs in a section of the tunnel monitored by de-activated sensors there is potential to violate safety function SF4.
6. A training program and feedback mechanisms that evaluate the effectiveness of the training of the tunnel personnel are not provided. Thus, there is the potential for inadequate enforcement of safety function SF2.
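Control flaw (b) in Section 4.3.3.2 and finding 2 above concern the same SCADA ventilation routine. The following Python model is an added illustration and not code from the paper or from the examined tunnel's SCADA: it places a flawed version of that routine (the normal-mode CO threshold and the starts-per-hour cap still applied during fire mode) beside a corrected one in which fire mode overrides the normal-mode rules, and checks safety functions SF5 and SF9 over a constructed fire scenario. The threshold, fan counts and starts-per-hour limit are assumed values, not the examined tunnel's settings.

```python
from dataclasses import dataclass
from typing import Callable, List

# Assumed values for the toy model; the examined tunnel's real settings are not given in the paper.
CO_ON_PPM = 70.0          # normal-mode CO threshold (the paper cites "e.g. 70 ppm")
NORMAL_FANS = 2           # fans run to dilute pollutants in normal mode
FIRE_FANS = 6             # fans needed to reach the critical velocity (SF5)
MAX_STARTS_PER_HOUR = 3   # motor-protection limit enforced by the SCADA


@dataclass
class Tick:
    """One sampling step of the controlled process (constructed input)."""
    co_ppm: float
    fire_validated: bool  # Tunnel Operator has validated the fire alarm
    fire_closed: bool     # fire event has been declared closed


@dataclass
class Controller:
    fans: int = 0
    starts_this_hour: int = 0

    def set_fans(self, target: int, enforce_cap: bool) -> int:
        """Bring the running fans to `target`; each new start counts against the
        hourly cap unless the caller bypasses it for safety-critical fans."""
        while self.fans < target:
            if enforce_cap and self.starts_this_hour >= MAX_STARTS_PER_HOUR:
                break  # cap reached: the remaining fans are not started
            self.fans += 1
            self.starts_this_hour += 1
        self.fans = min(self.fans, target)
        return self.fans

    def flawed_step(self, t: Tick) -> int:
        """Flawed routine: the fire sequence is requested, but the normal-mode
        CO rule and the starts cap are still applied on top of it."""
        fire_active = t.fire_validated and not t.fire_closed
        target = FIRE_FANS if fire_active else 0
        # Normal-mode adaptation runs in every mode (Section 4.3.4, finding 2):
        # under the CO threshold the routine switches the fans off, fire or not.
        target = max(target, NORMAL_FANS) if t.co_ppm >= CO_ON_PPM else 0
        # Fire mode does not override the starts cap (Section 4.3.3.2, flaw b).
        return self.set_fans(target, enforce_cap=True)

    def corrected_step(self, t: Tick) -> int:
        """Corrected routine: fire mode overrides the normal-mode rules (SF4)
        and is held until the event is declared closed (SF9)."""
        if t.fire_validated and not t.fire_closed:
            return self.set_fans(FIRE_FANS, enforce_cap=False)
        target = NORMAL_FANS if t.co_ppm >= CO_ON_PPM else 0
        return self.set_fans(target, enforce_cap=True)


def run(step: Callable[[Controller, Tick], int], scenario: List[Tick]) -> List[int]:
    """Run a fresh controller over the scenario; return running fans per tick."""
    ctl = Controller()
    return [step(ctl, t) for t in scenario]


def sf5_violated(trace: List[int], scenario: List[Tick]) -> bool:
    """SF5: while the fire is validated and open, fewer fans than needed for
    the critical velocity are running."""
    return any(t.fire_validated and not t.fire_closed and fans < FIRE_FANS
               for fans, t in zip(trace, scenario))


def sf9_violated(trace: List[int], scenario: List[Tick]) -> bool:
    """SF9: the fire ventilation stops (no fans) while the fire is still open,
    after having run during the same open fire."""
    ran = False
    for fans, t in zip(trace, scenario):
        if not (t.fire_validated and not t.fire_closed):
            continue
        if fans > 0:
            ran = True
        elif ran:
            return True
    return False


# Constructed scenario: pollutant dilution has already used two fan starts this
# hour, a fire is then validated, and the fire ventilation dilutes CO below the
# normal-mode threshold while the fire is still open.
SCENARIO = [
    Tick(co_ppm=80, fire_validated=False, fire_closed=False),
    Tick(co_ppm=95, fire_validated=True, fire_closed=False),
    Tick(co_ppm=90, fire_validated=True, fire_closed=False),
    Tick(co_ppm=60, fire_validated=True, fire_closed=False),  # CO diluted
    Tick(co_ppm=55, fire_validated=True, fire_closed=False),
    Tick(co_ppm=40, fire_validated=True, fire_closed=True),   # event closed
]

if __name__ == "__main__":
    for step in (Controller.flawed_step, Controller.corrected_step):
        trace = run(step, SCENARIO)
        print(f"{step.__name__:15s} fans per tick {trace}  SF5 violated: "
              f"{sf5_violated(trace, SCENARIO)}  SF9 violated: {sf9_violated(trace, SCENARIO)}")
```

The flawed routine starts only one additional fan when the fire is validated (the cap blocks the rest) and then switches everything off as soon as the diluted CO drops under the threshold; the corrected routine holds all six fans until the event is closed.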

5. Discussion

The analysis in the previous section showed how a ventilation system can prove insufficient to provide the tunnel escape routes with tenable levels of temperature, toxicity and visibility, and highlighted aspects that should be evaluated during the safety assessment process. The hazardous scenarios identified by the STAMP-based method included not only failure events, but also events relating to the system design, to organizational aspects and to the adaptation of the ventilation system over time (i.e. feedback relationships). Thus, the method succeeded in identifying critical aspects that encompass both the technical system and the organizational structure. In particular, the STAMP-based method identified six specific weaknesses which had passed unnoticed in the case study. It must be mentioned that, as expected, the majority of the technical control flaws identified by the STAMP-based method in Section 4.3.3 (e.g. failure of the power supply, failure of the fire detection system, malfunctions of anemometers, ventilation command transmission network failure, etc.) have been well considered in the examined road tunnel, and the ventilation system’s architecture has been built to compensate for failures of vital elements through redundancy. On the contrary, the analysis revealed that organizational aspects and the SCADA’s software behavior have not been handled adequately for the scenarios presented in Section 4.3.4. Therefore, this first attempt to incorporate STAMP in the safety assessment process of road tunnels suggests that the STAMP-based method has the potential to identify critical aspects that encompass both the technical system and the organizational structure, also considering feedback relationships. However, to better prove this statement, future work should concentrate on analyzing other critical elements of the tunnel system. In this case, all the safety constraints presented in Table 2 should be examined for potential violation, and inadequate control actions and control flaws are expected to vary according to the controlled processes examined (e.g. traffic management, fire detection, fire-fighting, incident response and evacuation process). Such controlled processes are always presented at the lower level of the safety control structure (e.g. loop 3, Fig. 4). On the contrary, at the higher level (e.g. loop 1, Fig. 4) inadequate control actions are not expected to differ considerably, since they are related to some common ‘‘organizational deficiencies’’ that affect the majority of the safety-critical processes, as depicted in Fig. 6. For example, inadequate enforcement of control actions may be related to missing safety plans, whereas inadequate feedback may be related to insufficient safety audits, accident analyses and ineffective reporting schemes.

When examining particular safety constraints where external intervention is essential (e.g. safety constraints 3 and 5, Table 2) the co-ordination with emergency services should also be assessed. It is believed that a complete assessment of the whole tunnel system can result in a sophisticated check-list (e.g. catalogue) that includes a notable number of hazardous scenarios for each safety constraint presented in Table 2. Such a check-list may help the Tunnel Manager and/or the Safety Officer to identify and evaluate which scenarios have an insufficient level of control. To further enhance the STAMP-based method, future work should focus on proposing particular criteria to evaluate the performance of the safety measures in place to enforce the safety functions. For this objective, it might be useful to adapt findings from the ARAMIS project (Dianous and Fiévez, 2006; Duijm and Goosens, 2006), which proposes effectiveness, response time and level of confidence as adequate criteria for the evaluation process.

Fig. 6. Other critical processes to be examined.

6. Concluding remarks This paper reviews the challenges of current QRAs in the road tunnels field and proposes the STAMP method as a complementary support tool for the safety assessment process of these critical infrastructures. As presented, current road tunnel QRAs do not handle well organizational aspects, software behavior and the adaptation of the tunnel system over time, so a complementary tool to analyze such factors is necessary. Furthermore, a QRA model that considers organizational aspects needs to include statistical data of the occurrence of deficiencies in safety management systems in the absence of accidents. Until now, such type of data has not been provided in the road tunnel domain. Following this line of thought and taking into consideration that many researchers have highlighted the need to assess tunnels safety in a systemic perspective (Beard and Cope, 2008; Kirytopoulos and Kazaras, 2011; Santos-Reyes and Beard, 2005), this paper presents the scope of introducing an innovative road tunnel safety assessment process that builds upon a systemic accident model. The STAMP-based method introduced in this work focuses on a tunnel ventilation system and the method succeeded in identifying critical aspects that encompass both the technical system and the organizational structure. However, to better prove the utility of the STAMP-based method, future work should concentrate on analyzing other critical elements of the tunnel system. A critical question is whether the application of the STAMP-based method can replace a QRA. In comparison with current road tunnel QRAs, the STAMPbased method investigates ‘‘internal’’ aspects of the tunnel safety management system, i.e. how the organizational processes and the technical system may be inadequate to enforce safety functions and constraints. The events that precede a loss and their (time) sequence are not described by such an approach. 
On the contrary, QRAs explicitly represent the chain of events leading to accidents. Therefore, it seems that the one method can complement the other. Moreover, if risk must be quantified in accurate estimates (i.e. expected number of fatalities) a STAMP-based approach will certainly be unable to provide the required results. Safety in STAMP-terms is not a function of probabilities and consequences of events but a function of the effectiveness of controls to enforce a safe system. However, the aforementioned limitations do not contradict the fact that the presented method has the potential to provide a detailed understanding of aspects that may affect the overall tunnel safety. Acknowledgments The authors are grateful to two anonymous reviewers for useful comments and suggestions to an earlier version of the paper. References Apostolakis, G., 2004. How useful is quantitative risk assessment? Risk Analysis 24, 515–520. Arralt, T.T., Nilsen, A.R., 2009. Automatic fire detection in road traffic tunnels. Tunnelling and Underground Space Technology 24, 75–83. Aven, T., 2003. Foundations of risk analysis: a knowledge and decision oriented perspective. Wiley, New York. Beard, A.N., Cope, D., 2008. Assessment of the Safety of Tunnels. Commissioned by the European Parliament. Report IP/A/STOA/FWC/2005-28/SC22/29. Published in February 2008 on the European Parliament Web-site Under the Rubric ‘Science and Technology, Options Assessment’ (STOA). Bier, V., 1999. Challenges to the acceptance of probabilistic risk analysis. Risk Analysis 19, 703–710. Checkland, P., 1981. Systems Thinking, Systems Practice. John Wiley & Sons, New York. Dianous, V., Fiévez, C., 2006. ARAMIS project: a more explicit demonstration of risk control through the use of bow-tie diagrams and the evaluation of safety barriers performance. Journal of Hazardous Materials 130, 220–233. Dix, A., 2004. Risk management takes on a key role. Tunnel Management International 7, 29–32.

Duijm, N., Goosens, L., 2006. Quantifying the influence of safety management on the reliability of safety barriers. Journal of Hazardous Materials 130, 284–292.
Dulac, N., Leveson, N.G., 2005. An approach to incorporating safety in early concept formation and system architecture evaluations. In: Lacoste, H. (Ed.), Proceedings of the First IAASS Conference on Space Safety, A New Beginning, pp. 221–226.
EU Directive 2004/54/EC, 2004. Directive 2004/54/EC of the European Parliament and of the Council on Minimum Safety Requirements for Tunnels in the Trans-European Road Network. European Commission, Directorate-General for Energy and Transport, Brussels.
Garret, C., Apostolakis, G., 1999. Context in the risk assessment of digital systems. Risk Analysis 19, 23–32.
Haack, A., 2002. Current safety issues in traffic tunnels. Tunnelling and Underground Space Technology 17, 117–127.
Hardy, K., Guarnieri, F., 2010. Modelling and hazard analysis for contaminated sediments using the STAMP model. Chemical Engineering Transactions 25, 737–742.
Hoj, N.P., Kröger, W., 2002. Risk analyses of transportation on road and railway from a European perspective. Safety Science 40, 337–357.
Holicky, M., 2009. Probabilistic risk optimization of road tunnels. Structural Safety 21, 260–266.
Hollnagel, E., 2004. Barriers and Accident Prevention. Ashgate Publishing Limited, England.
Kaplan, S., Garrick, B., 1981. On the quantitative definition of risk. Risk Analysis 1, 11–28.
Kirytopoulos, K., Kazaras, K., 2011. The need for a new approach in road tunnels risk analysis. In: Berenguer, C., Grall, A., Soares (Eds.), Advances in Safety, Reliability and Risk Management. Proceedings of the European Safety and Reliability Conference 2011 (ESREL 2011), Troyes, France (18–22 September).
Kirytopoulos, K., Rentizelas, A., Kazaras, K., Tatsiopoulos, I., 2010. Quantitative operational risk analysis for dangerous goods transportation through cut-and-cover road tunnels. In: Ale, B., Papazoglu, I., Zio, E. (Eds.), Back to the Future. Proceedings of the European Safety and Reliability Conference 2010 (ESREL 2010), Rhodes, Greece (5–9 September).
Kontogiannis, T., Leopoulos, V., Marmaras, N., 2000. A comparison of accident analysis techniques for safety critical man-machine systems. International Journal of Production Ergonomics 25, 327–347.
Lacroix, D., 2001. The Mont Blanc Tunnel fire: what has happened and what has been learned. In: Proceedings of the 4th International Conference on Safety in Road and Rail Tunnels, Madrid, pp. 3–16 (2–6 April).
Larsson, P., Dekker, W.A., Tingvall, C., 2009. The need for a systems theory approach to road safety. Safety Science 48, 1167–1174.
Leveson, N.G., 2004. A new accident model for engineering safer systems. Safety Science 42, 237–270.
Leveson, N.G., 2011a. Applying systems thinking to analyze and learn from events. Safety Science 49, 55–64.
Leveson, N.G., 2011b. Engineering a Safer World: Systems Thinking Applied to Safety (Engineering Systems). MIT Press, Cambridge, MA.
Mohaghegh, Z., Mosleh, A., 2009. Incorporating organizational factors into probabilistic risk assessment of complex socio-technical systems: principles and theoretical foundations. Safety Science 47, 1139–1158.
Nilsson, D., Johansson, M., Frantzich, H., 2009. Evacuation experiment in a road tunnel: a study of human behaviour and technical installations. Fire Safety Journal 44, 458–468.
Nivolianitou, Z., Leopoulos, V., Konstantinidou, M., 2004. Comparison of techniques for accident scenario analysis in hazardous systems. Journal of Loss Prevention in the Process Industries 17, 476–475.
Nývlt, O., Prívara, S., Ferkl, L., 2011. Probabilistic risk assessment of highway tunnels. Tunnelling and Underground Space Technology 26, 71–82.
Papazoglou, I., Bellamy, L., Hale, A., Aneziris, O., Ale, B., Post, J., Oh, J., 2003. I-Risk: development of an integrated technical and management risk methodology for chemical installations. Journal of Loss Prevention in the Process Industries 16, 575–591.
Pate-Cornell, E., Murphy, D., 1996. Human and management factors in probabilistic risk analysis: the SAM approach and observations from recent applications. Reliability Engineering and System Safety 53, 115–126.
PIARC, 2007. Integrated Approach to Road Tunnel Safety. World Road Association (PIARC), France.
PIARC, 2008a. Risk Analysis for Road Tunnels. World Road Association (PIARC), France.
PIARC, 2008b. Human Factors and Road Tunnel Safety Regarding Users. World Road Association (PIARC), France.
Quyang, M., Hong, L., Yu, M., Fei, Q., 2010. STAMP-based analysis on the railway accident and accident spreading: taking the China–Jiaoji railway accident for example. Safety Science 48, 544–555.
Rasmussen, J., 1997. Risk management in a dynamic society: a modelling problem. Safety Science 27, 183–213.
Reason, J., 1990. Human Error. Cambridge University Press, Cambridge, UK.
Reason, J., 1997. Managing the Risks of Organizational Accidents. Ashgate Publishing Ltd., Aldershot, Hants.
Santos-Reyes, J., Beard, A.N., 2005. A systemic approach to tunnel fire safety management. In: Beard, A., Carvel, R. (Eds.), The Handbook of Tunnel Fire Safety. Thomas Telford, London, pp. 389–406.
Sklet, S., 2006. Safety barriers: definition, classification and performance. Journal of Loss Prevention in the Process Industries 19, 494–506.
Skogdalen, J., Vinnem, J., 2011. Quantitative risk analysis offshore: human and organizational factors. Reliability Engineering and System Safety 95, 468–479.

Steen, R., Aven, T., 2011. A risk perspective suitable for resilience engineering. Safety Science 49, 292–297.
Svedung, I., Rasmussen, J., 2002. Graphic representation of accident scenarios: mapping system structure and the causation of accidents. Safety Science 40, 397–417.
Turner, B.A., Pidgeon, N.F., 1997. Man-made Disasters, second ed. Butterworth-Heinemann, London.
Weger, D., Kruiskamp, M., Hoeksma, J., 2001. Road tunnel risk assessment in the Netherlands - TUNprim: a spreadsheet model for the calculation of the risks in road tunnels. In: Piccinni (Ed.), ESREL: Proceedings of the International Conference on Safety and Reliability, Torino (16–20 September).


Woods, D., Dekker, S., Cook, R., Johannesen, L., Sarter, N., 2010. Behind Human Error, second ed. Ashgate Publishing Limited, England.
Xiaobo, Q., Quiang, M., Vivi, Y., Yoke, H.W., 2011. Design and implementation of a quantitative risk assessment software tool for Singapore road tunnels. Expert Systems with Applications 38, 13827–13834.
Zarboutis, N., Marmaras, N., 2007. Designing of formative evacuation plans using agent-based simulation. Safety Science 45, 920–930.
Zhuang, M., Chun-fu, S., Sheng-rui, Z., 2009. Characteristics of traffic accidents in Chinese freeway tunnels. Tunnelling and Underground Space Technology 24, 350–355.