Risk and Safety


The concept of risk and its relation to other concepts such as safety, uncertainty and probability is discussed in depth in previous DNV position papers [1] and [2]. Briefly, we define risk as the consequences of an activity, with associated uncertainty [3]. By activity we here mean the operation of a system, and consequence is used for unwanted effects of the activity (e.g. damage to life, property or the environment). By associated uncertainty we mean imperfect or incomplete knowledge about what the consequences of the activity will be, including uncertainty about their occurrence, frequency and severity.

Based on the risk definition above, we define safety as freedom from risk which is not tolerable [4]. What constitutes tolerable risk may be stipulated by legislation or defined by the system operator or other stakeholders.

Use of probabilities in risk assessment

The reason that probabilities are often used in risk assessments is that they can express uncertainty. To be more precise, probabilities allow one to express the existence of different possibilities, as well as varying degrees of belief in these. For example, the statement “There is 1% probability that the component fails within the next year” indicates that there is a possibility that the component may fail during the next year, but it is believed to be much more likely that it doesn’t fail. To interpret such probability statements, it is useful to relate them to some standard [5]. For example, the preceding statement can be interpreted to mean that our confidence that the component will fail during the next year is similar to the likelihood of drawing a red ball from an urn containing 1 red and 99 blue balls in a hypothetical random experiment.

Probability theory provides the machinery to consistently combine and update beliefs in light of evidence. Note, however, that any probability assignment relies on assumptions, which are not conveyed by the probability values or probability distributions themselves. The strength of the knowledge supporting probability assignments determines how much weight can be given to probabilistic risk results when making decisions.

Digital twins that contain vast amounts of updated and specific information about an asset may allow more confident probability assignments than what is possible without a digital twin, and thereby provide better decision support to decision makers. Digital twins may also allow us to monitor assumptions, to inform us when probabilistic models can or should not be trusted.

The dynamics of risk

Risk assessments are used to gain understanding of risks and inform decisions related to safety. In the design and concept phase, the purpose of risk assessments is to identify unwanted consequences of operating a system, and to evaluate whether these are acceptable when weighing their severity, frequency and uncertainty of occurrence against the other benefits of the activity. For example, in many high-risk industries, such as oil and gas or nuclear energy, quantitative risk assessments (QRAs) are conducted to identify risks, and to assess the need for, reliability of, and effect of risk reducing measures. Similarly, structural reliability analysis (SRA) is used to estimate the capacity or strength of engineered structures and compare it to possible future load conditions, and in this way judge the likelihood of structural failure and determine adequate design parameters.

During operations, operators are faced with more short-term decisions, e.g.:

  • Will the structure hold, given its loading history and short-term forecasted loads?
  • Is it safe to continue operating or perform a planned activity under prevailing or forecasted conditions?
  • How long is it safe to operate after a degraded safety barrier is detected?
  • How may operations be adjusted to compensate for other risk-increasing factors?

Risk models used in design may not be suitable to inform decisions about such short-term questions. For example, since QRAs are intended to support long-term decisions, they describe a time-averaged risk picture, typically in terms of expected losses per year and estimated frequencies of adverse events. QRA results are usually based on historical data from similar assets and simulations of selected pre-defined accident scenarios. However, going into operations, the baseline risk from the QRA may not give a sufficiently precise risk picture to inform day-to-day operational decisions:

  • The potential for adverse consequences is not constant, because conditions continuously vary, including activity levels, environmental conditions and the presence of risk sources.
  • New knowledge becomes available, while other knowledge expires. This affects uncertainty and therefore also the current risk level.
  • The tolerability of risk may change depending on the business, regulatory or political context, thereby altering judgements of what is safe.

Similarly, SRAs conducted in design make assumptions that may not be reasonable during operation or suitable in an operational decision context:

  • The uncertainty about future loads depends on the time period considered. When designing a structure, one is concerned with all possible load conditions the structure may be exposed to over its lifetime. In operation, however, conditions may be known, or expected to vary less, during the time window of interest.
  • The uncertainty about structural strength represents different possible system realizations. However, the real asset represents a specific system realization, and knowledge of past loading history and information from inspections and tests may either reduce or increase uncertainty about its strength.
  • Over time, the strength of the structure may decrease due to various degradation mechanisms, or due to impacts suffered.

In summary, risk models are adapted to specific decision contexts, and any risk assessment relies on a set of assumptions, informed by the knowledge available at the time of the analysis. In design one is concerned with everything that can happen to a system in the future, without explicitly considering the time evolution of the system. In operation the timing of consequences also becomes important: what can happen today, the next month or the next year? This requires forecasting.

The difference in decision context and risk dynamics between design and operation is illustrated in Fig. 2.


Fig. 2 In the design phase, the focus of the risk assessment is on what can happen during the entire lifetime of the asset, and risk is presented in a static manner (light blue shaded area, where the colour intensity indicates the likelihood or frequency of conditions). In operations, the conditions follow a specific trajectory, and the possible future conditions depend on the past and on the time horizon considered.

Digital twins provide new opportunities for assessing and managing risk in operations. Firstly, probability assignments made in the design risk assessments, based on data from other assets and simulations, may be updated with asset-specific knowledge accumulated in the digital twin during operations. Secondly, digital twins may allow short-term forecasts based on simulations of the asset under actual current conditions.
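As an added illustration of the contrast drawn above (lifetime load and strength uncertainty in design versus a short operational window with asset-specific knowledge) and of the two opportunities just listed, the following Python script is not from the DNV paper: it uses constructed normal strength and load models, a proof-load update from logged loads, a degradation allowance from inspection, and two hypothetical forecasts, all with made-up numbers.

```python
"""Design-phase vs operational risk picture for a structure (constructed).
Strength R and load S are normal; failure is S > R. Design uses the
lifetime load model and a strength model over all possible realizations;
operation uses twin knowledge about this asset and a window forecast."""
import math
import random

DESIGN_MEAN_R, DESIGN_SD_R = 100.0, 10.0  # strength over possible realizations (hypothetical)
ANNUAL_MEAN_S, ANNUAL_SD_S = 60.0, 8.0    # annual-maximum load used in design (hypothetical)

def failure_prob_normal(mean_r, sd_r, mean_s, sd_s):
    """P(S > R) for independent normal R and S (closed form)."""
    z = (mean_s - mean_r) / math.hypot(sd_r, sd_s)
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def asset_strength_samples(n, survived_load, degradation, rng):
    """Strength of *this* asset: realizations weaker than a load it already
    survived are ruled out (proof-load update by rejection sampling), then
    the degradation estimated from inspection is subtracted."""
    out = []
    while len(out) < n:
        r = rng.gauss(DESIGN_MEAN_R, DESIGN_SD_R)
        if r > survived_load:
            out.append(r - degradation)
    return out

def window_failure_prob(strengths, mean_s, sd_s, rng):
    """Monte Carlo P(S > R) for the forecast load S of the coming window."""
    fails = sum(rng.gauss(mean_s, sd_s) > r for r in strengths)
    return fails / len(strengths)

def risk_pictures(n=200_000, seed=7):
    """Design figure next to operational figures for two forecasts."""
    rng = random.Random(seed)
    # Twin knowledge (constructed): logs show a load of 95 was survived,
    # inspection estimates 2 units lost to corrosion.
    strengths = asset_strength_samples(n, 95.0, 2.0, rng)
    return {
        "design_annual": failure_prob_normal(DESIGN_MEAN_R, DESIGN_SD_R,
                                             ANNUAL_MEAN_S, ANNUAL_SD_S),
        # storm forecast (constructed): mean 85, sd 5, without twin knowledge
        "storm_no_twin": failure_prob_normal(DESIGN_MEAN_R, DESIGN_SD_R, 85.0, 5.0),
        "storm_with_twin": window_failure_prob(strengths, 85.0, 5.0, rng),
        # calm forecast (constructed): mean 55, sd 3
        "calm_with_twin": window_failure_prob(strengths, 55.0, 3.0, rng),
    }

if __name__ == "__main__":
    for name, p in risk_pictures().items():
        print(f"{name:16s} P(failure) = {p:.4f}")
```

The time-averaged design figure is neither an upper nor a lower bound on the operational figure: a forecast storm week carries far higher failure probability than the annual average, a calm week far lower, and the logged survival and inspection results shift the storm figure substantially.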

To provide better decision support regarding safety during operations, risk models should be integrated with digital twins.


[1] DNV, “Enabling confidence - Addressing uncertainty in risk assessments,” 2016.
[2] DNV, “Maintaining confidence - Dynamic risk management for enhanced safety,” 2017.
[3] Petroleum Safety Authority Norway, “Guidelines regarding the framework regulations - section 11,” last updated 18 December 2017.
[4] International Organization for Standardization and International Electrotechnical Commission, “ISO/IEC Guide 51:2014: Safety aspects - Guidelines for their inclusion in standards,” 2014.
[5] T. Aven and G. Reniers, “How to define and interpret a probability in a risk and safety setting,” Safety Science, vol. 51, no. 1, pp. 223-231, 2013.