Integrating Real-Time Monitoring Data in Risk Assessment for Crane Related O ﬀ shore Operations

: The oil and gas sector is one of the most dangerous and stringent workplaces, due to the hazardousness of materials involved as well as the critical tasks that workers have to perform. Cranes are widely used in this sector for several activities. A wrong load lifting or handling often is due to a limited visibility of working area and could bring to severe accidental scenarios, for this reason safety of these operations becomes of paramount importance. The use of safety devices, that provide an augmented vision to the crane-operator, is essential to avoid potential accidents, moreover risk analysis could beneﬁt from the acquisition of real time information about the process. This work aims to extrapolate and adapt dynamic risk assessment concepts for crane-related operations of a typical oil and gas industry by means of the support of safety devices. To achieve this objective, a set of risk indicators, reporting continuous information about the operations that are carried out, will be deﬁned; successively, a technique of aggregation of these indicators will also be applied with the aim to update the frequency of critical events by a proper Risk Metric Reduction Factor that accounts for the e ﬀ ect of the use of safety barriers.


Introduction
The oil and gas sector is one of the most dangerous and stringent workplace as inherent hazards are difficult to deal with at times. This is due to the hazardousness of materials involved as well as the critical tasks that workers have to perform. The use of cranes in this field is common for several activities, such as moving equipment, maintenance activities, management services for offshore platforms, etc. Therefore, safety and performance of lifting operations become of paramount importance, given the evidence that a wrong load lifting or handling could bring to severe accidental scenarios such as fires, explosions, and toxic dispersions [1]. Particular attention is paid to Floating Production Storage and Offloading (FPSO) platforms, where risk is related to the handling of heavy loads from and to supply vessels, barges, or semi-submersibles. While performing such high hazards operations, safety cannot be ensured by design alone, as it also depends on human skills, maintenance personnel and inspectors, as well as the numerous technical parameters relating to the crane and its operating environment [2]. As analyzed by several authors [3,4], the limited visibility of the working area is a relevant cause contributing to the occurrence of accidents in crane-related operations, which usually involves both loads and objects located in the workspace (i.e., workers or other close equipment). A list of examples of this type of accident, from the oil and gas sector, is given in Table 1. These accidents have been collected worldwide [5,6] and a brief description for them is also provided. Accidental reports highlight that, in addition to the limited visibility, sometimes also a wrong task execution Paltrinieri and Khan [10] state that it is important to recognize small deviations from normal operability for better management of process safety and accident prevention. In fact, they believe that, acting on these, the chain of events would break and lower the probability of associated impacts. This can be extrapolated to crane-related operations. As an example, if one imagines a load lifting along a trajectory, a deviation could be a small displacement with respect to that trajectory, i.e., a typical event in which the crane-operator fails in exactly quantifying the displacement and that could lead to a collision of the load with an obstacle present in the workspace. Therefore, the early identification of a small deviation, by using a visual guidance device, is a useful element for accident prevention, in particular if it occurs in a workplace where hazardous substances are handled.
Dynamics Risk Analysis (DRA) approaches allow improving decision-making and supporting critical risk communication [11][12][13]. The integration of real-time monitoring data in risk assessment offers the opportunity to achieve a more effective control of activities in the workplace in view of worker's safety, thus DRA methods can be particularly useful to manage hazards associated with crane-operations (i.e., prevention of collisions and the timely implementation of protective actions). DRA is mainly based on the use of models integrating time-dependent parameters, which affect both frequency and consequence of accidents [14]. Its use is widespread in the management of several risk typologies, i.e., environmental risks due to marine oil spills [15][16][17], risks due to the use of toxic substances in terrorist actions [18], industrial risk due in operating chemical [19,20], environmental pollution from heavy off-road vehicles [21], etc. In recent years, Khan et al. [22] and Villa et al. [23] discussed research trends in using dynamic risk analysis and provided a review about methods and models developed for process safety and risk management. Tools providing real time monitoring of safety have also been proposed, as an example Kanes et al. [24], based on pre-identified risk factors and process safety related data, quantified increases in risk level in oil and gas industry by using Bayesian Networks. Dynamic risk assessment techniques based on proactive indicators, such as those suggested by Paltrinieri et al. [25], Scarponi et al. [26], Scarponi and Paltrinieri [27], can bring additional benefits, since risk analysis is supplemented by information related to early warnings of unwanted events. The integration of a set of collected indicators may provide risk assessment with dynamic and proactive features. Data collection and processing, for the purpose of DRA, take advantage of information technology. Paltrinieri et al. [25] classified dynamic risk assessment techniques based on proactive indicators in four levels by referring to the basic theory and provided results. The first level concerns the use of safety indicators and takes into account the effect of technical, human, and organization factors. The second level is related to the use of risk indicators, where the application of risk models is needed. The third level refers to the application of techniques for frequency updating. Finally, the fourth level concerns the use of techniques for the aggregation of data provided by indicators.
This work aims extrapolating and adapting DRA concepts for crane operations carried out by the support of safety devices. To achieve this objective, a set of risk indicators, reporting continuous information about the operations carried out in a typical oil and gas industry, is defined. The dynamic approach for risk assessment is based on the application of the bowtie method. The paper is structured as follows. In Section 2, the description of the proposed methodology for the dynamic risk assessment is given. It integrates risk indicators for the load lifting and handling in the bowtie approach; such indicators are derived by means of the Health and Safety Executive (HSE) approach [28]. Section 3 shows the description of a case study from the oil and gas context in which the application and validation of the approach is carried out. Section 4 reports the results obtained from this study. Finally, the conclusions of the work are presented in Section 5.

Methodology
The proposed methodology encloses dynamic features into the risk assessment procedure with respect to the conduction of load lifting or handling by using cranes in the oil and gas sector. Such an approach is schematized in Figure 1. The main steps are:

1.
Definition of a set of appropriate risk indicators analyzing the hazard due to the interaction between the normal activity of the plant and the operations made by cranes; 2.
Application of the bowtie method for frequency assessment; 4.
Data collection for the calculation, review, and update of indicators.
The HSE approach [28] has been used to derive risk indicators. In their derivation, the use of the Visual Guidance System (VGS), as an innovative safety device to prevent accidents due to collisions, has also been assumed in the form of a safety barrier. The acquisition of information about the load trajectory, prevented collisions and near-misses allows for a continuous updating of risk indicators. As mentioned above, the reason suggesting the introduction of the VGS is one of the most common situations leading to crane accidents, in which the operator has partially or completely hindered view of the workspace and he/she needs to be supported by an intermediary in navigating the load [1]. Given that the HSE approach is used to derive indicators associated with the chemical process safety, here the main innovation concerns the use of the same approach to derive indicators for crane-related operations accounting for the hazardousness of substances used in the workplace.
The application of the bowtie allows quantifying the frequency of occurrence of hazard scenarios. Once safety barriers and a number of risk indicators at the facility or process level have been defined, these must be hierarchically combined to reflect the effects of the success of each barrier in reducing the risk. This combination is named "aggregation". The aggregation of risk indicators allows continuously The HSE approach [28] has been used to derive risk indicators. In their derivation, the use of the Visual Guidance System (VGS), as an innovative safety device to prevent accidents due to collisions, has also been assumed in the form of a safety barrier. The acquisition of information about the load trajectory, prevented collisions and near-misses allows for a continuous updating of risk indicators. As mentioned above, the reason suggesting the introduction of the VGS is one of the most common situations leading to crane accidents, in which the operator has partially or completely hindered view of the workspace and he/she needs to be supported by an intermediary in navigating the load [1]. Given that the HSE approach is used to derive indicators associated with the chemical process safety, here the main innovation concerns the use of the same approach to derive indicators for crane-related operations accounting for the hazardousness of substances used in the workplace.
The application of the bowtie allows quantifying the frequency of occurrence of hazard scenarios. Once safety barriers and a number of risk indicators at the facility or process level have been defined, these must be hierarchically combined to reflect the effects of the success of each barrier in reducing the risk. This combination is named "aggregation". The aggregation of risk indicators allows continuously updating frequency, again by means of the application of the bowtie approach. Data collection for the definition of indicators and their calculation is used to review and update them.

Definition and Calculation of Indicators
The methodology of HSE [28] is based on the development of lagging and leading indicators for facilities/processes. A lagging indicator represents a form of a reactive monitoring of the effectiveness of a system adopted to control risk, given that they provide feedback after the occurrence of a negative event; whereas, a leading indicator represents a form of proactive monitoring of the effectiveness of the same system, by the provision of a feedback before an incident occurs.
Each facility/process has one or more systems to prevent, control and mitigate major accidents; these are the so-called safety barriers or barrier systems or simply barriers [29]. Operational procedures and inspections are also considered safety barriers by the MIRAS methodology [30]; on the contrary, the HSE refers only to technical systems (named risk control systems) that are associated with the previous identified hazard events [28]. Figure 2 gives a schematic view of the approach used to derive risk indicators for the prevention and mitigation of accidents due to the interaction between chemical processes and the load lifting made by cranes. It is a modification of the HSE approach that,

Definition and Calculation of Indicators
The methodology of HSE [28] is based on the development of lagging and leading indicators for facilities/processes. A lagging indicator represents a form of a reactive monitoring of the effectiveness of a system adopted to control risk, given that they provide feedback after the occurrence of a negative event; whereas, a leading indicator represents a form of proactive monitoring of the effectiveness of the same system, by the provision of a feedback before an incident occurs.
Each facility/process has one or more systems to prevent, control and mitigate major accidents; these are the so-called safety barriers or barrier systems or simply barriers [29]. Operational procedures and inspections are also considered safety barriers by the MIRAS methodology [30]; on the contrary, the HSE refers only to technical systems (named risk control systems) that are associated with the previous identified hazard events [28]. Figure 2 gives a schematic view of the approach used to derive risk indicators for the prevention and mitigation of accidents due to the interaction between chemical processes and the load lifting made by cranes. It is a modification of the HSE approach that, being inspired by MIRAS methodology, includes operational procedures and uniforms terminology by replacing risk control system with safety barriers [31]. By referring to Figure 2, the main steps to develop indicators are the following (to be applied for each safety barrier): 1) identification of the scope of indicators; 2) setting of lagging indicators; 3) setting of leading indicators; 4) selection of the most relevant indicators for the activity under consideration. The procedure also includes data collection and the revision of developed indicators, these are not mentioned in this section as included as a further step in the whole procedure of Figure 1.
by replacing risk control system with safety barriers [31]. By referring to Figure 2, the main steps to develop indicators are the following (to be applied for each safety barrier): 1) identification of the scope of indicators; 2) setting of lagging indicators; 3) setting of leading indicators; 4) selection of the most relevant indicators for the activity under consideration. The procedure also includes data collection and the revision of developed indicators, these are not mentioned in this section as included as a further step in the whole procedure of Figure 1. The first step of Figure 2 is the definition of the scope of indicators (step 1) that, in this case, is the prevention of some hazard scenarios. For this reason, the description of the evolution of the event is necessary to identify potential scenarios leading to major accidents. The HSE methodology suggests focusing on the primary failure mechanism and paying attention to data recorded about past near-misses and accidents. The description of hazard scenarios allows the definition of the safety outcomes that the plant management would like to reach. Thus, a list of barriers preventing or mitigating the consequences of each hazard scenario has to be drawn. A desired safety outcome represents the success of a barrier; therefore, it should be clearly identified in terms of success or failure. A set of lagging indicators for each barrier (step 2) highlights whether the desired outcomes are actually achieved. After, a leading indicator for each safety barrier reveals if it is operating as desired, i.e., it indicates the achievement of the goal, which is preventing the undesired event (step 3). To complete this step, two furthers activities are suggested by the HSE approach: (i) to set a range of tolerance for each indicator, warning the analyst in case of deviations from normal performance; (ii) to revise indicators, based on the clear evidence that two indicators from the same barrier do not have to give conflicting results. Finally, the selection of the most relevant indicators should be made to help the manager to have a simpler and immediate comprehension of the risk level at the site (step 4). This will be better described below. Figure 3 shows how the HSE method has been adapted to include potential interference between the crane operability and the normal activity for the plant. The first step of the modified approach includes the hazard investigation. The load lifting/handling with the crane could generate collisions, impacts, or other hazardous events, which lead to losses of containment and related cascading events. The identification of proper safety barriers and the set of proper indicators (lagging and leading) for each of them represents the following step. The first step of Figure 2 is the definition of the scope of indicators (step 1) that, in this case, is the prevention of some hazard scenarios. For this reason, the description of the evolution of the event is necessary to identify potential scenarios leading to major accidents. The HSE methodology suggests focusing on the primary failure mechanism and paying attention to data recorded about past near-misses and accidents. The description of hazard scenarios allows the definition of the safety outcomes that the plant management would like to reach. Thus, a list of barriers preventing or mitigating the consequences of each hazard scenario has to be drawn. A desired safety outcome represents the success of a barrier; therefore, it should be clearly identified in terms of success or failure. A set of lagging indicators for each barrier (step 2) highlights whether the desired outcomes are actually achieved. After, a leading indicator for each safety barrier reveals if it is operating as desired, i.e., it indicates the achievement of the goal, which is preventing the undesired event (step 3). To complete this step, two furthers activities are suggested by the HSE approach: (i) to set a range of tolerance for each indicator, warning the analyst in case of deviations from normal performance; (ii) to revise indicators, based on the clear evidence that two indicators from the same barrier do not have to give conflicting results. Finally, the selection of the most relevant indicators should be made to help the manager to have a simpler and immediate comprehension of the risk level at the site (step 4). This will be better described below. Figure 3 shows how the HSE method has been adapted to include potential interference between the crane operability and the normal activity for the plant. The first step of the modified approach includes the hazard investigation. The load lifting/handling with the crane could generate collisions, impacts, or other hazardous events, which lead to losses of containment and related cascading events. The identification of proper safety barriers and the set of proper indicators (lagging and leading) for each of them represents the following step.

Application of the Bowtie Approach
A bowtie is a risk evaluation technique, based on the use of a scheme that permits to analyze and demonstrate causal relationships. It is an easy graphical representation ( Figure 4) that visualizes events which must be dealing with [32] and indicates all plausible accidental scenarios around a certain hazard. It also allows identifying control measures to manage such scenarios and the ways in which they fail. All bowties converge in a central event which is usually defined as the loss of control. This event represents the Critical Event (CE) or Top Event. On the left side of the CE, the event evolution is described by the Fault Trees Analysis (FTA) and, on the other side, by the Event Tree Analysis (ETA). Both of them are enriched with barriers. Being inspired by the ARAMIS project [30], the use of the bowtie methodology is promoted in this work to investigate critical events in order to identify their initial causes and consequent scenarios. Therefore, the actual procedure consists of the following steps: initially, the definition of the worst accidents that likely occur at the installation, by assuming that no safety barriers are installed (Methodology for the Identification of Major Accident Hazards, MIMAH approach); second, the analysis of the influence of safety barriers adopted by the company, which allows defining the Reference Accident Scenarios, representing the real hazardous potential of the installation (Methodology for the Identification of Reference Accident Scenarios, MIRAS approach). Safety barriers and related indicators represent essential elements in reducing the frequency of occurrence

Application of the Bowtie Approach
A bowtie is a risk evaluation technique, based on the use of a scheme that permits to analyze and demonstrate causal relationships. It is an easy graphical representation ( Figure 4) that visualizes events which must be dealing with [32] and indicates all plausible accidental scenarios around a certain hazard. It also allows identifying control measures to manage such scenarios and the ways in which they fail. All bowties converge in a central event which is usually defined as the loss of control. This event represents the Critical Event (CE) or Top Event. On the left side of the CE, the event evolution is described by the Fault Trees Analysis (FTA) and, on the other side, by the Event Tree Analysis (ETA). Both of them are enriched with barriers.

Application of the Bowtie Approach
A bowtie is a risk evaluation technique, based on the use of a scheme that permits to analyze and demonstrate causal relationships. It is an easy graphical representation ( Figure 4) that visualizes events which must be dealing with [32] and indicates all plausible accidental scenarios around a certain hazard. It also allows identifying control measures to manage such scenarios and the ways in which they fail. All bowties converge in a central event which is usually defined as the loss of control. This event represents the Critical Event (CE) or Top Event. On the left side of the CE, the event evolution is described by the Fault Trees Analysis (FTA) and, on the other side, by the Event Tree Analysis (ETA). Both of them are enriched with barriers. Being inspired by the ARAMIS project [30], the use of the bowtie methodology is promoted in this work to investigate critical events in order to identify their initial causes and consequent scenarios. Therefore, the actual procedure consists of the following steps: initially, the definition of the worst accidents that likely occur at the installation, by assuming that no safety barriers are installed (Methodology for the Identification of Major Accident Hazards, MIMAH approach); second, the analysis of the influence of safety barriers adopted by the company, which allows defining the Reference Accident Scenarios, representing the real hazardous potential of the installation (Methodology for the Identification of Reference Accident Scenarios, MIRAS approach). Safety barriers and related indicators represent essential elements in reducing the frequency of occurrence Being inspired by the ARAMIS project [30], the use of the bowtie methodology is promoted in this work to investigate critical events in order to identify their initial causes and consequent scenarios. Therefore, the actual procedure consists of the following steps: initially, the definition of the worst accidents that likely occur at the installation, by assuming that no safety barriers are installed (Methodology for the Identification of Major Accident Hazards, MIMAH approach); second, the analysis of the influence of safety barriers adopted by the company, which allows defining the Reference Accident Scenarios, representing the real hazardous potential of the installation (Methodology for the Identification of Reference Accident Scenarios, MIRAS approach). Safety barriers and related indicators represent essential elements in reducing the frequency of occurrence of undesired events. If such indicators are continuously updated, a simultaneous frequency updating is achieved.
The FTA of Figure 5 represents the left part of the bowtie. It has been developed for a loss of containment of a hazardous substance from a tank, which could occur during the activity of the plant or due to an interference with the crane operability. Some barriers (B) have been included to prevent, control or mitigate major accidents due to the loss of containment, these are summarized below: 1.
Plant operating procedures (B1)-set of procedures that regulate plant operability.

2.
Crane operating procedures (B2)-set of procedures that regulate the crane operability.

4.
Work permit procedures (B4)-procedures to perform certain tasks that are outside the routine activities, e.g., maintenance operations.

5.
Emergency procedures (B5)-set of procedures that must be implemented during an emergency. 6.
Visual Guidance System VGS (B6)-innovative tool, developed by Ancione et al. [34], supporting crane-operators in situation in which they have a hindered view of the workspace during the load lifting/handling. 7.
Plant design (B7)-criteria adopted to design measures controlling or mitigating potential hazard scenarios.
In Figure 5, the breach on the shell of the vessel, containing a hazardous substance, brings to a loss of containment (LOC), representing the hazard scenario here analyzed. Going backwards, it is possible to investigate direct causes leading to this event and, further on the left side of the graph, their initial causes. The scheme is divided in two blocks highlighted by grey dashed lines. The first block (upwards in the figure) shows the branches of the FTA concerning the plant operativity, whereas the second one (downwards in the figure) analyses the crane operation. The main barriers, to avoid the occurrences of the LOC, are given. There are many causes (branches) that could lead to the hole on the vessel, several are also their initial events; the barriers, that allow preventing each event, are indicated below in brackets.
The branches, associated with the plant operability, have been developed as discussed in the following. An overpressure could be generated by filling the vessel beyond the normal level or its threshold limit of pressure (design value), depending on if it is liquid or gaseous; this excessive transferring of substance, in turn, could be triggered by a technical failure of the control system (B5) or a design error (B7) and a human error (the operator does not act the manual actuator-B1). The occurrence of a brittle rupture has to be included given the nature of the material inside the vessel, which is due to a brittle structure, the failure of inspection, and maintenance procedures (B3) and an impact on the structure. An overloading could be caused by a natural phenomenon (as snow, ice, etc.-B7) or by a load on the roof of the vessel (B7) or even by a failure of its support (B3, B7). High amplitude vibrations have to be included due to natural causes (earthquakes-B7) or are due to motors vibrations (B7) or defects or maintenance errors, etc. (B3). A dilatation of the material would be the effect of a fire coming from a neighbor equipment (domino effect) or from the outside of the facilities (B5), it could be also the effect of a hot work or a wrong execution of a special work (B4). A mechanical rupture is due to a shear stress (which represents a mechanical stress due to natural causes or process anomalies) and the failure of the plant design procedure (B7). The use of wrong material for the equipment manufacturing could be the consequences of a design error or a human error (wrong material ordered, delivered, etc.); it could also be the consequences of the use of a bad quality material during the construction, which has previously been delivered or resulting from storage (or transport) conditions or from a manufacturing error (B7). An inappropriate sizing could be due to a design error (B7). An inappropriate assembling could be due to a wrong assembling procedure that means a design error (B7) and a human error due to a not respected assembling procedure (B7). An impact could be caused by missiles originated by domino effects (B7) or by moving an object close to the facilities (B7). In Figure 5, the breach on the shell of the vessel, containing a hazardous substance, brings to a loss of containment (LOC), representing the hazard scenario here analyzed. Going backwards, it is possible to investigate direct causes leading to this event and, further on the left side of the graph, their initial causes. The scheme is divided in two blocks highlighted by grey dashed lines. The first block (upwards in the figure) shows the branches of the FTA concerning the plant operativity, whereas the second one (downwards in the figure) analyses the crane operation. The main barriers, The branches, associated with the interference between the crane operations and the plant operability, have been developed by considering two potential events, i.e., dropped object and struck by load. An object could drop from the crane due to a loss of integrity of a part of the equipment, caused by deterioration mechanisms (i.e., corrosion, etc.-B3) or a human error, such as distraction, wrong communication, etc. (B2, B6). The vessel could be struck by the handled load or a moving part of the crane (boom, hook, etc.); related causes are human error (wrong communication, distraction, hindered view, or other-B2, B6) or high amplitude of load vibrations, due to a natural phenomenon (i.e., strong wind-B5) or a wrong handling made by the operator (B2, B6).

Importance of Barriers
After the definition of the barriers and the set of indicators associated with them, the importance of each barrier should be evaluated in order to select the most relevant in term of risk reduction. This is obtained by a sensitivity analysis, which examines how the results of the model vary due to changes of individual variables, i.e., input parameters (failure rates, probabilities, repair times, etc.), and assumptions in the analysis and structure of the model. The sensitivity analysis allows identifying elements that have the highest impact on the risk and, thus, to study the effect of proposed risk-reducing actions.
A sensitivity model is the Birnbaum's measure I B [35], which calculates the relative importance of a basic event k in a fault tree (in this case a barrier's failure): where P CE = probability of the critical event CE; P k = probability of an input event k; t = time. This measure represents the difference between the probability of the occurrence CE when the event k occurs and the probability the same when the event k does not occur. According to this, Equation (1) can be also written as: Therefore, if I B (k|t) is large, a small change in P k (t) will lead to a comparatively large change in the probability of the critical event P CE at time (t).

Aggregation of Indicators
The aggregation represents the process of integration of the most relevant indicators of one or more barriers in the risk metric. In general, aggregation is a very hard task for the risk analyst. In this work, reference to the aggregation rules proposed by Scarponi et al. [26] has been made; these are briefly described below.
Assuming that the probability of occurrence of an event, which has to be prevented by means of j barriers, is P H and i is the number of indicators assigned to the barrier. The process of aggregation can be described by referring to a hierarchy of levels, which is schematized in Figure 6 and comprises: j barriers, is PH and i is the number of indicators assigned to the barrier. The process of aggregation can be described by referring to a hierarchy of levels, which is schematized in Figure 6 and comprises: -Level 1 => Indicators for the barriers (Ii,Bj), which assume value vi,Bj -Level 2 => Global indicators for the barriers (Bj) -Level 3 => Barrier function (BH), which collects the global indicators for all the barriers, preventing the same event (i.e., barriers placed on the same branch of the FTA). As an example, in Figure 6 there are two barriers (j =1, 2), three indicators are associated with each barrier (Ii,Bj). A barrier could be composed by more elements (sub-barriers), which can be identified by associating j with a letter (a, b, …). The steps of aggregation are the following: 1. The value of each indicator vi,Bj must be converted in a score (si,Bj), ranging from 1 to 6; this helps to compare scores of different indicators for the same barrier at the level 1. In converting results in scores, the value 1 represents the most positive score (the barrier works as desired) and 6 the most negative one. 2. A percentage weight (wi,Bj) must be assigned to each indicator reflecting its relative importance with respect to the other indicators associated with the same barrier (level 2). 3. The score of each barrier (sBj) is obtained by means of a weighed summation of the scores of the indicators associated with the same barrier.
In case of barriers composed by more elements, an intermediate level must be used to group the scores of these elements for each barrier. The same rules from 1 to 3 are used. As an example, in Figure 6 there are two barriers (j =1, 2), three indicators are associated with each barrier (I i,Bj ). A barrier could be composed by more elements (sub-barriers), which can be identified by associating j with a letter (a, b, . . . ). The steps of aggregation are the following: 1.
The value of each indicator v i,Bj must be converted in a score (s i,Bj ), ranging from 1 to 6; this helps to compare scores of different indicators for the same barrier at the level 1. In converting results in scores, the value 1 represents the most positive score (the barrier works as desired) and 6 the most negative one.

2.
A percentage weight (w i,Bj ) must be assigned to each indicator reflecting its relative importance with respect to the other indicators associated with the same barrier (level 2). 3.
The score of each barrier (s Bj ) is obtained by means of a weighed summation of the scores of the indicators associated with the same barrier.
In case of barriers composed by more elements, an intermediate level must be used to group the scores of these elements for each barrier. The same rules from 1 to 3 are used.

4.
All barriers that aims preventing the same event are grouped in an upper level (level 3) to obtain the barrier function (B H ).

5.
A percentage weight (w Bj ) is assigned to each barrier. This weight reflects its relative importance in relation to the others belonging at the same barrier function. 6.
The sum (s H ) of the products of the scores for each barrier and related weight (w Bj ) gives the barrier function.
s H assumes a value from 1 to 6; again 1 expresses the most positive result, whereas 6 is the most negative one.

7.
The scores of each barrier function must be translated into a probability of failure (P H ) by means of a direct proportionality in the range of variation of failure probability. Alternatively, other mathematical functions may be also applied by the analyst.

Data Collection and Review
A systematic data collection of indicators guarantees that the company has updated information to quantify barriers' performance. The updated information allows performing dynamic risk analysis, and also highlights any deviation from set tolerances through an alarm. Such information should be presented in as simple a form as possible. Furthermore, it is very important to review the whole safety management system to make sure that barriers continue to operate as desired and continuously improve the safety. A continuous review of indicators allows verifying their usefulness and efficiency for the prevention of hazard scenarios. This step is important as indicators could not reflect a compliant conduction of the activities due to an alteration in plant design, the improvement of programs, the loss of competence in specific areas, or even the introduction of new risk processes/activities, etc.

Case Study
The case study refers is a fictitious oil and gas installation, i.e., a Floating Production Storage and Offloading (FPSO) platform. FPSOs are utilized in newly established offshore oil regions, where there is no pipeline infrastructure in place or in remote locations, where its building is cost-prohibitive. The installation, investigated in this paper, has a diameter of approximately 100 m and features submarine drilled wells, connected to a complete FPSO structure (the name is not mentioned because confidential). The well delivers stabilized crude oil and rich wet gas; the production and processing of hydrocarbons is also made. Oil can also be stored on the platform, until it can be transferred to a tanker to be transported toward its destination.
All platforms include a central shaft, a riser area, a main deck, a process area, a utility area, and a living area. This FPSO is equipped with a platform-crane, which is used to lift heavy objects, such as material supply, equipment, spare parts, and other heavy loads that need to be moved. A typical platform-crane is given in Figure 7; it includes a machinery house, a pedestal, a cabin, a hoisting winch, a luffing winch, a lattice boom, and other elements. Several operations are performed by using the platform-crane and a high rate of accidents is recorded each year. That was of one event per 13.5 installations in 2017, based on a total count of 2108 installations in the continental shelf of the United States [36]. The high incidental rate motivated the choice of this case study.  Figure 8 gives a schematic view of the crane lifting zones for the case study, where three different areas can be observed: an operational forbidden zone (red area), an operational restricted zone (orange area), and a free lifting zone (grey area). Process accidents start as a leak of hydrocarbons from carrying equipment between the risers in the production area and of crude oil from distribution lines and the blanket gas system on the main deck. Hence, the zones relevant for process accidents are the process area and the main deck area. Hydrocarbon leak hazard is also present in the pump  Figure 8 gives a schematic view of the crane lifting zones for the case study, where three different areas can be observed: an operational forbidden zone (red area), an operational restricted zone (orange area), and a free lifting zone (grey area). Process accidents start as a leak of hydrocarbons from carrying equipment between the risers in the production area and of crude oil from distribution lines and the blanket gas system on the main deck. Hence, the zones relevant for process accidents are the process area and the main deck area. Hydrocarbon leak hazard is also present in the pump room, the central shaft, and the offloading station area. Concerning crane-operations, there are no lifting above pressurized hydrocarbon equipment. All platform areas, except the dedicated lift zones and laydown areas, are defined as restricted areas and special lifting procedures have to be applied. In the offshore platform, there is a tote tank area (Figure 9), which is a chemical storage area including liquid fuels and various hazardous substances, such as methyl alcohol and monoethylene glycol, that are usually used for hydrate removal [37]. Several load lifting operations could involve this area (≈500 lift/year in a typical platform) and the load could even be a tank containing a dangerous substance. As an example, this area is supplied with methyl alcohol and monoethylene glycol, which are offloaded directly with their container from the supply boat and then lifted to the dedicated area of the deck (tote tank area).    Based on historical data, the dropped object hazard occurs: (i) in the utility area, due to the impact of dropped objects on the roof protecting generators and the multivalve deluge skid, however Based on historical data, the dropped object hazard occurs: (i) in the utility area, due to the impact of dropped objects on the roof protecting generators and the multivalve deluge skid, however these scenarios are not expected to cause subsequent fires or explosions (ii) in the process and the spare storage areas, due objects lifted over them, even if the systems are reinforced, depending on the strength of the impact, a release of flammable materials could occur with the following potential occurrence of a fire or an explosion; and (iii) in the tote tank area, again due objects lifted over it or hit with the moving object.

Hypothesis (H1):
Drop of a tank containing methyl alcohol or monoethylene glycol and consequent release of the containment substance due to the hole generated from the impact.

Hypothesis (H2):
Drop of an object such as a crossbeam or other lifted object on a tank or a pipe in the process area, with the following release of hydrocarbons.

Hypothesis (H3):
Impact of the lifted object with a tank or a pipe in the process area, with the following release of hydrocarbons.

Hypothesis (H4):
Impact of the tank containing methyl alcohol or monoethylene glycol (moving object) with a pipeline during the positioning phase inside the tote tank area.
Hypothesis (H1) has been excluded by the analysis due to the use of protective cage for the tank; hypotheses 2 and 3 are the most frequent case, having a total frequency of 1.41 · 10 −3 event/year; finally, hypothesis 4 has a negligible occurrence. According with these considerations, this investigation has been focused on the hypotheses (H2) and (H3); the equipment under analysis is a tank containing hydrocarbons.

Results
The methodology proposed in the Section 2 has been applied to the case study, by focusing on the critical event (CE) associated with the hypotheses 2 and 3, i.e., a breach on the shell of a tank containing hydrocarbons. The CE is due to the drop of an object during its lifting or the impact of the moving object. The bowtie approach allowed identifying its initial causes and related major accidents. By investigating the FTA of Figure 5, the barriers that are in place to prevent or mitigate the LOC have been identified. Figure 10 shows only the branches concerning the crane operability at the FPSO platform. Each cause of the breach on the tank (dropped object and struck by load) has been split up to the identification of their primary initial causes. In the same figure, these events have been also associated with related barriers, described in Table 2. The barrier B2 "Crane operating procedures" has been split in its elements that have been indicated as B2a, B2b, and B2c.
Hypothesis (H1) has been excluded by the analysis due to the use of protective cage for the tank; hypotheses 2 and 3 are the most frequent case, having a total frequency of 1.41·10 -3 event/year; finally, hypothesis 4 has a negligible occurrence. According with these considerations, this investigation has been focused on the hypotheses (H2) and (H3); the equipment under analysis is a tank containing hydrocarbons.

Results
The methodology proposed in the Section 2 has been applied to the case study, by focusing on the critical event (CE) associated with the hypotheses 2 and 3, i.e., a breach on the shell of a tank containing hydrocarbons. The CE is due to the drop of an object during its lifting or the impact of the moving object. The bowtie approach allowed identifying its initial causes and related major accidents. By investigating the FTA of Figure 5, the barriers that are in place to prevent or mitigate the LOC have been identified. Figure 10 shows only the branches concerning the crane operability at the FPSO platform. Each cause of the breach on the tank (dropped object and struck by load) has been split up to the identification of their primary initial causes. In the same figure, these events have been also associated with related barriers, described in Table 2. The barrier B2 "Crane operating procedures" has been split in its elements that have been indicated as B2a, B2b, and B2c.

B2a
Crane operating procedures (Procedure for the positioning operation)

B2b
Crane operating procedures (Communication rules between the crane-operator and the intermediary (worker) during the positioning phase) B2c Crane operating procedures (Procedure for lifting/handling operations) B3 Inspection and Maintenance procedure B5 Emergency procedure B6 VGS

Risk Indicators for the Crane-Related Operations
A set of reactive and proactive indicators has been defined for each barrier of Table 2, this is given in Table 3. Each lagging indicator controls the achievement of a specific desired scope of the barrier and each leading indicator specifies, in term of success/failure, if the barrier faces to any deviation in performance. With respect to Table 3, the desired outcome is the aim of the barrier and the lagging indicator the parameter measuring the achievement of the desired outcome; the term critical items refers to the elements to be controlled for the success of each barrier and the leading indicators specify the percentage of control that has been reached. According to the HSE approach one lagging indicator and two leading indicators have to be fixed [28].   Figure 11 is the core of the bowtie. On the left side of the scheme, only the causes concerning the crane operability have been reported; on the right one, an ETA should be developed, from which the breach on the vessel evolves and gives a loss of containment, whose escalation identifies major accidents. The focus of this study was only the FTA. The initial frequencies, used to estimate the frequency of the LOC, are shown in the figure. Such values have been taken from the report containing the Quantitative Risk Analysis (QRA) of the FPSO. Figure 12 shows two detailed fault trees associated with the crane operability that, respectively, refer to the conduction of lifting operations without any technological device, by means of the support of an intermediary (worker) in navigating the load (Figure 12a), and with the inclusion of the VGS as a further barrier (Figure 12b). The LOC could be originated by a dropped load from the crane on the tank or because it is struck by the load. The event dropped object might be due to the loss of integrity of a part of the crane, which is associated with the failure of the barrier B3, i.e., inspections and maintenance, or to a wrong execution of the positioning, linked to the failure one of two barriers B2a and B2b, i.e., an error in following the positioning procedure or a communication error between the crane-operator and the intermediary (worker) in the case of limited visibility of the working area. The event struck by load could be caused by a high amplitude of vibration for strong winds, associated with the failure of the barrier B5, i.e., emergency procedure, or to a human error due a high velocity execution of the lifting, connected with the failure of barrier B2c, i.e., error in executing the lifting procedure. In Figure 12b, the failure of B2b has been mitigated by using the VGS (B6).

18
connected with the failure of barrier B2c, i.e., error in executing the lifting procedure. In Figure 12(b), Figure 11. Frequency of main causes originating the breach due to the crane activity. The traditional Boolean algebra has been used to derive the Minimal Cut Sets (MCSs) for the fault trees of Figure 12, i.e., the sets of basic events, whose simultaneous occurrence ensures that the breach of the shell of the tank, have been determined. Equations (5) and (6) give, respectively, the The traditional Boolean algebra has been used to derive the Minimal Cut Sets (MCSs) for the fault trees of Figure 12, i.e., the sets of basic events, whose simultaneous occurrence ensures that the breach of the shell of the tank, have been determined. Equations (5) and (6) give, respectively, the MCSs and the probability of the LOC for the first FTA, while equations (7) and (8) give the same for the second one: LOC without tech. device = B2a + B2b + B2c + B3 + B5 (5) P LOC without tech. device = P B2a + P B2b + P B2c + P B3 + P B5 (6) P LOC with VGS = P B2a + P B2b + P B2c + P B3 + P B5 + P B6 After the identification of the MCSs, a sensitivity analysis has been made to determine the importance of each barrier by means of the use of Equation (2). Given the use only of gate OR, all barriers have the same importance (I B = 1). The Birnbaum's importance measure gives the maximum variation of the LOC probability with respect to each variable that, in turn, is the probability of failure of each barrier. Obviously, these variable range between their minimum and maximum value, i.e., between 0, corresponding to the certain success of the barrier, and 1, representing its certain failure. Table 4 gives the probabilities of failure of each barrier: the probability of failure in the load positioning due to a limited visibility of working area (P B2a ) has been found in Milazzo et al. [1]; the probability of structural failure of the crane (P B3 ) has been taken from Halme and Aikala [38]; the probability for struck by load due to strong winds (P B5 ) has been derived from data found in the QRA report of the FPSO; finally, the probability of failure of the VGS (P B6 ) is a value fixed during tests made by the developers of the device [7]. Finally, the probability of failure of the procedure of communication with the operator P B2b and the probability of failure of the procedure of lifting P B2c have been derived by using both the frequencies of dropped object and struck by load, used in the QRA report of the FPSO and the FTA of Figure 12a.

Aggregation of Indicators and Frequency Updating
The process of aggregation has been developed according to the three levels described in Section 2.3; it has been applied to both the events leading to the CE, i.e., event 1 = dropped object or DROP ( Figure 13) and event 2 = struck by load or STRUCK (Figure 14). Two barriers function have been defined, respectively, B H1 for DROP and B H2 for STRUCK. In Figure 13, B2 includes two elements that are B2a and B2b, while in Figure 14, B2 refers to B2c.  At the first level of the aggregation process, the values (si,Bj) of the indicators of each barrier (Ii,BJ), identified in Section 4.1 have been properly translated in scores (ranging 1 ÷ 6) and, then, weighted to reflect their relative importance with respect to the other indicators associated with the same barrier. The scores have been assigned by using the criteria of Table 5, which in turn have been derived from the analysis of the trend of accidents and near-misses in crane-related operations for Norwegian offshores [39]. The weights have been allocated to each indicator after a discussion with expert risk analysts. Scores (si,Bj) and weight percentages (wi,Bj) of each indicator for the case study are shown in Table 6.  At the first level of the aggregation process, the values (si,Bj) of the indicators of each barrier (Ii,BJ), identified in Section 4.1 have been properly translated in scores (ranging 1 ÷ 6) and, then, weighted to reflect their relative importance with respect to the other indicators associated with the same barrier. The scores have been assigned by using the criteria of Table 5, which in turn have been derived from the analysis of the trend of accidents and near-misses in crane-related operations for Norwegian offshores [39]. The weights have been allocated to each indicator after a discussion with expert risk analysts. Scores (si,Bj) and weight percentages (wi,Bj) of each indicator for the case study are shown in Table 6. At the first level of the aggregation process, the values (s i,Bj ) of the indicators of each barrier (I i,BJ ), identified in Section 4.1 have been properly translated in scores (ranging 1 ÷ 6) and, then, weighted to reflect their relative importance with respect to the other indicators associated with the same barrier. The scores have been assigned by using the criteria of Table 5, which in turn have been derived from the analysis of the trend of accidents and near-misses in crane-related operations for Norwegian offshores [39]. The weights have been allocated to each indicator after a discussion with expert risk analysts. Scores (s i,Bj ) and weight percentages (w i,Bj ) of each indicator for the case study are shown in Table 6.  At the second level, each item of the sets of barriers, associated with the event 1 and event 2 (identified by the branches of the tree), has been assigned by a proper score (s Bj ), which is given by the weighed summation of the values of the indicators associated with each barrier, i.e.,s Bj = (s i,Bj · w i,B j ) and represents the global indicator for the barrier B j . Table 7 gives the scores and weight percentages for the barriers; the weight for the barrier is derived by the sensitivity analysis. Finally, at the third level, all barriers that aims preventing the same event have been grouped in an upper level to obtain the barrier function (B H ); this has been made by calculating the weighted summation of the score for the global indicator of the barrier, i.e., s H = (s Bj · w Bj ). By using the results obtained at the third level of the aggregation method, i.e., the scores for the barrier functions, the frequency of the event 1 and event 2 has been modified by means of a Risk Metric Reduction Factor (RMRF). The RMRF has been properly defined by assuming a directly proportional relationship between it and the score of the barrier function, which is shown in Figure 15 on the left axis, whereas on the right one there is the efficiency of barriers in reducing the LOC. It has been assumed that RMRF is equal to 0 when the score for the barrier function is 1, that is the maximum theoretical reduction of risk corresponding to the 100% of efficiency of the barriers; on the contrary, the value of 1 has been set when the score is 6, in this case that is the minimum theoretical reduction of risk corresponding to the 0% of efficiency of the barriers.
Given that the S H1 is 1.84 (dropped object) and S H2 is 2 (struck by load), the RMRF has, respectively, the values 0.17 (83% of efficiency for the barriers on the first branch) and 0.20 (80% of efficiency for the barriers on the second branch). Table 8 gives the results of frequency updating for the critical event, calculated by means of the following relation: Given that the SH1 is 1.84 (dropped object) and SH2 is 2 (struck by load), the RMRF has, respectively, the values 0.17 (83% of efficiency for the barriers on the first branch) and 0.20 (80% of efficiency for the barriers on the second branch). Table 8 gives the results of frequency updating for the critical event, calculated by means of the following relation:  It can be observed that the initial frequency of the loss of containment (critical event), as well as that of its initial causes has been considerably reduced by the introduction of a new safety barrier (B6). The reduction reaches about the 80% for events associated with the drop of objects ( Figure 16). The new barrier is in fact an innovative safety device that allows preventing falls of lifted objects, thanks to an increase in the visibility of the work area provided to the crane operator. The use of VGS and the acquisition of data in real time also offers the advantage of a periodic updating of the frequency, i.e., each time a crane operation is performed.  It can be observed that the initial frequency of the loss of containment (critical event), as well as that of its initial causes has been considerably reduced by the introduction of a new safety barrier (B6). The reduction reaches about the 80% for events associated with the drop of objects ( Figure 16). The new barrier is in fact an innovative safety device that allows preventing falls of lifted objects, thanks to an increase in the visibility of the work area provided to the crane operator. The use of VGS and the acquisition of data in real time also offers the advantage of a periodic updating of the frequency, i.e., each time a crane operation is performed. whereas an approach evaluating risk, based on constant information updating, allows taking In this work, a methodology has been proposed for the integration of dynamic features into the 111 risk assessment procedure by taking into account the interaction between the plant activity and crane 112 operations. The method has been based on the approach proposed by Scarponi et al. [26]. Firstly, it 113 consisted of the definition of a set of risk indicators for the load lifting and handling in a typical oil 114 and gas industry, by adapting the HSE approach. In this way, by following the principle for which 115 few significant indicators allow a properly focus on actual criticalities, the most relevant indicators 116 for the activity under analysis have been selected and aggregated by means a proper risk model.

117
Then, a dynamic risk assessment has been performed by means of the bowtie method, which allowed 118 estimating frequencies of the events and their updating, by including the effect of safety barriers.

119
Furthermore, a new safety barrier (VGS) preventing crane accidents due to a hindered view, has been 120 also integrated in the assessment. It allowed a strong reduction of the risk level, as well as a plausible

Conclusions
Classical quantitative risk analysis provides a static risk picture of major hazard installations, whereas an approach evaluating risk, based on constant information updating, allows taking advantage of early warning indicators to lower the probability of occurrence of undesired events. Moreover, the continuous updating of information supports decision-making and risk communication. These concepts have been already acquired in chemical process industry, but they need to be adapted in contexts where activities, other than chemical context, are performed. This is case of the use of equipment for lifting/handling load.
In this work, a methodology has been proposed for the integration of dynamic features into the risk assessment procedure by taking into account the interaction between the plant activity and crane operations. The method has been based on the approach proposed by Scarponi et al. [26]. Firstly, it consisted of the definition of a set of risk indicators for the load lifting and handling in a typical oil and gas industry, by adapting the HSE approach. In this way, by following the principle for which few significant indicators allow a properly focus on actual criticalities, the most relevant indicators for the activity under analysis have been selected and aggregated by means a proper risk model. Then, a dynamic risk assessment has been performed by means of the bowtie method, which allowed estimating frequencies of the events and their updating, by including the effect of safety barriers. Furthermore, a new safety barrier (VGS) preventing crane accidents due to a hindered view, has been also integrated in the assessment. It allowed a strong reduction of the risk level, as well as a plausible updating of probability by means of a real time data acquisition during crane operations.  Acknowledgments: Giuseppa Ancione acknowledges the NTNU and Nicola Paltrinieri for the opportunity to work in Trondheim as visiting researcher.

Conflicts of Interest:
The authors declare no conflict of interest. Loss of containment due to crane operation without any technological device P LOC without tech.device Probability of LOC without tech.device B2a

Nomenclature
Barrier system -Crane operating procedures (Human error due to wrong positioning) B2b Barrier system -Crane operating procedures (Human error due to wrong communication)

B2c
Barrier system -Crane operating procedures (Human error due to lifting at high velocity) B3 Barrier system-Inspection and maintenance procedures B5 Barrier system-Emergency procedures B6 Barrier system-VGS LOC with VGS Loss of containment due to crane operation with the VGS P LOC with VGS Probability of LOC with VGS P B2a Probability of B2a P B2b Probability of B2b P B2c Probability of B2c P B3 Probability of B3 P B5 Probability of B5 P B6 Probability of B6 P Bj Probability of barrier j S H1 Score of the barrier function 1 (branch dropped object) S H2 Score of the barrier function 2 (branch struck by load) F updated Frequency updated RMRF Risk Metric Reduction Factor F initial Initial frequency F LOC Frequency of the LOC F Drop Frequency of the DROP F Struck Frequency of the STRUCK