SAFETY AND RELIABILITY OF INDUSTRIAL PRODUCTS, SYSTEMS
AND STRUCTURES
Safety and Reliability of Industrial
Products, Systems and Structures
Editor
C. Guedes Soares
Technical University of Lisbon, Instituto Superior Técnico, Portugal
CRC Press/Balkema is an imprint of the Taylor & Francis Group, an informa business
© 2010 Taylor & Francis Group, London, UK
Typeset by Vikatan Publishing Solutions (P) Ltd., Chennai, India
Printed and bound in Great Britain by Antony Rowe (a CPI Group Company), Chippenham, Wiltshire
All rights reserved. No part of this publication or the information contained herein may be reproduced,
stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, by
photocopying, recording or otherwise, without written prior permission from the publisher.
Although all care is taken to ensure integrity and the quality of this publication and the information
herein, no responsibility is assumed by the publishers nor the author for any damage to the property or
persons as a result of operation or use of this publication and/or the information contained herein.
Published by: CRC Press/Balkema
P.O. Box 447, 2300 AK Leiden, The Netherlands
e-mail: Pub.NL@taylorandfrancis.com
www.crcpress.com – www.taylorandfrancis.co.uk – www.balkema.nl
ISBN: 978-0-415-66392-2 (Hbk + CD-ROM)
ISBN: 978-0-203-81865-7 (eBook)
Safety and Reliability of Industrial Products, Systems and Structures – Guedes Soares (ed)
© 2010 Taylor & Francis Group, London, ISBN 978-0-415-66392-2
Table of contents
Preface
Project organizational structure
Framework documents
General framework for safety and reliability of industrial products, systems and structures
C. Guedes Soares
Framework for integrated risk assessment
E. Kragh, M.H. Faber & C. Guedes Soares
Framework for safety, security and sustainability risk management
A.G. Hessami
Framework for maintenance planning
C. Guedes Soares, J. Caldeira Duarte, Y. Garbatov, E. Zio & J.D. Sorensen
Framework for assessment and life extension of existing structures and industrial plants
Ch. Bucher, M. Brehm & H. Bolt
Risk assessment methodology
Risk acceptance criteria in Europe
V.M. Trbojevic
Acceptable safety levels by a socio-economic approach
R. Rackwitz
Risk assessment of natural hazards with applications to landslides and abnormal waves
P.H.A.J.M. van Gelder, F. Nadim & C. Guedes Soares
Efficient practice of risk assessment in design process
S. Medonos
Consequences of explosions in various industries
J. Czujko
Fire risk assessment in buildings
M. Holický
Human and organisational factors in risk assessments
Techniques for human reliability evaluation
H. Bolt, J. Morris, M. Pedrali, P. Antão & C. Guedes Soares
Analysing the impact of human factors in transport systems
J. Drobiszewski & Z. Smalko
On projects’ and organizations’ performance uncertainty
Ove T. Gudmestad & R.R. Stoelsnes
Reliability based design
Overview of structural reliability methods
T. Vrouwenvelder & H. Karadeniz
Methods of structural reliability applied to design and maintenance planning of ship hulls and floating platforms
C. Guedes Soares, Y. Garbatov & A.P. Teixeira
Discrete multicriteria reliability-based optimization of spatial trusses
S. Jendo & E. Silicka
Continuous and discrete reliability-based optimization of truss structures
R. Stocki, K. Kolanek, S. Jendo & M. Kleiber
Assessment of existing structures and life extension
Condition monitoring and remaining life assessment approach at the EDP Group
M.P. Gomes Maia
Reliability assessment of a primary school
M. Holický & J. Marková
Seismic assessment and retrofitting of existing structures in Romania: Background, programs, regulatory basis
D. Lungu & I. Craifaleanu
Risk based inspection and maintenance planning
Maintenance optimization for structures by a renewal model
A. Joanni & R. Rackwitz
Maintenance modelling and optimization applied to safety-related equipment at nuclear power plants
S. Martorell, J.F. Villanueva, S. Carlos & A. Sánchez
Maintenance modeling and optimization applied to power distribution networks
R. Briš, S. Rusek & R. Goňo
Applications of probabilistic safety assessment for vulnerability analyses
M. Čepin
Two computational methods for performing availability analysis of power-systems
M. Bouissou & A.P. Ulmeanu
Production availability
J-P. Signoret
Application of reliability centred maintenance in ship operations
J. Wang, A. Pillay & A. Mokashi
Corrosion of steels in marine environment, monitoring and standards
M. Panayotova, Y. Garbatov & C. Guedes Soares
Strategy in the various industrial sectors
Application of safety and reliability approaches in the power sector: Inside-sectoral overview
K. Lauridsen, E. Hollo & I. Kozine
Risk-based approaches to maritime safety
C. Guedes Soares, A.P. Teixeira & P. Antão
Optimization of operational safety in tunnels
M. Holický
Integrating QRA and SRA methods within a predictive Bayesian approach: An example from offshore projects
W. Rettedal & T. Aven
Author index
Preface
Risk Assessment is a fundamental support for decisions related to design, construction, operation and
maintenance of industrial products, systems and infrastructures. Risks are influenced by design decisions,
by the process of construction of the systems and infrastructures and by the way in which they are
operated and maintained. Different aspects are more important in the various phases and types of activities
and different methods have been developed to deal with them.
Risk Analysis techniques have been used to study accidental situations, to assess their probability of
occurrence and to indicate design measures and barriers that can prevent them or mitigate their effect.
Structural reliability theory has been used to design structures and structural systems subjected to
operational loads and to proper utilization and operation. Human reliability analysis has concentrated on the
failures that can be induced by operators of systems, which create situations that have not been
considered in the design process and which can lead to large scale accidents. Human errors can also occur in the
design and building phase although it is in the operational phase that they tend to occur more often.
This overall description shows that these three types of methods concentrate on different aspects that
complement each other and that in many cases can be considered separately. It is because of this and of
the different characteristics of the techniques developed in each of the fields that the respective specialists
have had little interaction and few efforts have been made to integrate the methods.
Most accidents are due to human actions either as initiating events or as failing to interrupt the series
of accidental events that lead to catastrophic failure. However, many of them also involve structures and
thus it becomes clear that a comprehensive picture is only obtained when these three aspects are dealt with
in a complementary fashion.
This has been the emphasis of the SAFERELNET project and of this book that deals with safety and
reliability of industrial products, systems and structures. It covers all aspects of safety issues related to:
Risk Assessment Methodology; Human and Organisational Factors in Risk Assessments; Integration of
Risk and Reliability Formulations; Reliability Based Design; Assessment of Existing Structures and Life
Extension; Risk Based Inspection and Maintenance Planning. The focus is on safety-critical systems in all
types of industrial plant, equipment, structural system, building and other civil engineering facilities.
The SAFERELNET project was an important initiative at European level, involving about 70 institutions
and 200 participants, addressing the questions related to the assessment and management of
safety and reliability of industrial products, systems and structures. It was a thematic network and thus
it did not aim at doing research but at reviewing the state-of-the-art so as to identify emerging ideas and
solutions which hold promise for practical implementation and also reviewing the current practice in
different countries and different industrial sectors with a view to identifying the “best” practices.
It intended to identify gaps in practice in different industrial sectors and countries considering the
industrial problems for which there are no satisfactory technical solutions, the gaps between practice and
research, the gaps in the level of technology used between countries, and the gaps in the level of
technology used between industrial sectors.
Most of the project members were from the Oil & Gas, Process, Power, Highways, Maritime and
Building sectors, and this is reflected in the type of approaches dealt with and in the comparisons between
industrial practices that were made. An initial effort was made to compare the practice of application of
safety and reliability approaches in these sectors and this has identified some main directions (Guedes
Soares et al., 2003) that were then followed in the project. It was identified that:
• There is a need to define a generic risk management framework which addresses all aspects which have
an influence on safety. This framework can then be customised to individual sectors at a level which is
appropriate.
• Integration of Quantitative Risk Analysis, Human and Organisational Factor Analysis and Structural
Reliability Analysis is critical for the evaluation of total risk of an installation and for addressing all
hazards on a consistent basis.
• The approach for setting risk acceptance criteria needs to be consistent with the above methodology for
integrated risk analysis.
• The methodologies for risk and reliability based maintenance management need to recognise that there
will be typically many hundreds of components within a plant and many thousands of assets within a
transport network.
• Besides safety, the main drivers for maintenance management are cost, availability, reliability and
sustainability. For industrial plants in process, power and oil & gas sectors the maintenance spending
is governed by active components and therefore every effort should be made to develop a consistent
framework for the maintenance management of both active and passive (structural) systems.
• Decisions on reassessment and life extension need to take account of all systems in an installation and
hence a consistent framework is needed to address both active and passive systems.
These conclusions have guided the work developed later, a good part of which is included in this book.
An important aspect has been the development of an integrated methodology that addresses fundamental
problems in risk and reliability analysis with the aim of consistently modelling and quantitatively treating
the different types of uncertainties governing the decision problems of the modern “sustainable” society.
The methodology is here presented in four framework documents addressing specific complementary
topics involved in the systematic and integrated treatment of risk applicable to any industry:
• Integrated Risk Assessment
• Risk Management
• Maintenance Planning
• Assessment and Life Extension.
This set of documents is complemented by various papers within each of those areas presenting in
more detail a survey of available techniques, examples of application to specific problems or surveys of
the state of affairs within industrial sectors.
It is hoped that this overview will be useful to provide the common features of the application of safety
and reliability of industrial products, systems and structures in different industrial sectors.
C. Guedes Soares
Technical University of Lisbon, Instituto Superior Técnico, Portugal
REFERENCES
Guedes Soares, C., Shetty, N., Hagen, O., Teixeira, A.P., Pardi, L., Vrouwenvelder, A., Kragh, E. and Lauridsen, K.
Applications of Safety and Reliability Approaches in Various Industrial Sectors. Safety and Reliability, Bedford, T.
and van Gelder, P., (Eds.), Lisse: Swets & Zeitlinger; 2003; pp. 719–726.
Project organizational structure
SAFERELNET was a Thematic Network funded by the 5th Framework Programme of the Commission
of the European Communities, under contract number G1RT-CT-2001-05051.
NETWORK COORDINATOR
Instituto Superior Técnico, Portugal (C. Guedes Soares)
NETWORK STEERING COMMITTEE
Bauhaus—University of Weimar, Germany (C. Bucher, M. Brehm)
D’Appolonia S.p.A., Italy (M. Pedrali, E. Noce)
EQE International Ltd., UK (V. Trbojevic)
Instituto Superior Técnico, Portugal (C. Guedes Soares)
Norwegian University of Science and Technology, Norway (B.J. Leira)
PAFA Consulting Engineers, UK (P. Smedley)
RCP Consult GmbH, Germany (R. Rackwitz, S. Gollwitzer)
Swiss Federal Institute of Technology, Switzerland (M.H. Faber, O. Kübler)
WSAtkins Consultants Ltd, UK (N. Shetty, B. Commandeur)
NETWORK PARTNERS AND CONTACT POINTS
1. Aalborg University, Denmark (J.D. Sorensen)—Subcontracted to COWI A.S.
2. Aker Offshore Partner, Norway (O.T. Vardal)
3. Autostrade, Italy (L. Pardi)
4. Bauhaus—University of Weimar, Germany (C. Bucher, M. Brehm)
5. Biuro Projektow Architektonicznych I Budowlanych (AiB), Poland (J. Perzynski)
6. BOMEL Limited, UK (H. Bolt)
7. Budapest University of Technology and Economics, Hungary (G. Szabo)
8. Bureau Veritas, France (J. Goyet)
9. Caminhos de Ferro Portugueses, Portugal (V.M.S. Risota)
10. CEA—Nuclear Reactor Division, France (N. Devictor, M. Marques)
11. COWI Consulting Engineers & Planners AS, Denmark (E. Kragh)
12. Companhia Portuguesa de Produção de Electricidade SA, Portugal (A.J. Sequeira)
13. Czech Technical University in Prague, Klokner Institute, Czech Republic (M. Holický)
14. D’Appolonia S.p.A., Italy (M. Pedrali, E. Noce)
15. Den Norske Stats Oljeselskap A.S., Norway (O. Gudmestad)
16. Det Norske Veritas, Norway (O. Hagen, E. Bitner-Gregersen)
17. Electricité de France, France (A. Lannoy)
18. EQE International Ltd., UK (V. Trbojevic)
19. EURO-CYNK Gdynia Ltd., Poland (C. Pawluk)
20. FORCE Technology Norway AS, Norway (J. Czujko)
21. Gdynia Maritime Academy, Poland (K. Kolowrocki)
22. Highways Agency UK, UK (V. Hogg)
23. Institut “Josef Stefan” (IJS), Slovenia (M. Čepin)
24. Institute of Construction & Architecture of the Slovak Academy of Sciences, Slovakia (Z. Sadovsky)
25. Institute of Fundamental Technology Research, Poland (S. Jendo)
26. Instituto Superior Técnico, Portugal (C. Guedes Soares)
27. Instituto Tecnológico para a Europa Comunitária, Portugal (P. Antão)
28. Liverpool John Moores University, UK (J. Wang)
29. LISNAVE, Portugal (A. Correia Rodrigues)
30. MARINTEK, Norway (A. Bjorset)
31. National Building Research Institute, Romania (D. Lungu)
32. National Galati University “Dunarea de Jos”, Romania (I. Matulea)
33. Norwegian Geotechnical Institute, Norway (F. Nadim)
34. Norwegian University of Science and Technology, Norway (B.J. Leira)
35. PAFA Consulting Engineers, UK (P. Smedley)
36. Petrellus Limited, UK (S. Medonos)
37. Polish Airlines LOT S.A., Poland (R. Sontowski)
38. Polish National Energy Conservation Agency, Poland (K. Adamzcewska)
39. Polish Register of Shipping Joint-Stock Company, Poland (A. Kowalski)
40. Polytechnic of Milan, Italy (E. Zio)
41. QUEST Consulting Limited, UK (M. Wilson)
42. Railtrack PLC, UK (B. Bell)
43. RCP Consult GmbH, Germany (R. Rackwitz, S. Gollwitzer)
44. Risø National Laboratory, Denmark (I. Kozine)
45. S.C. ICEPRONAV S.A., Romania (S. Brazdis)
46. Ship Design and Research Center—CTO, Poland (J. Dudziak)
47. Ship Machine—Building J.S. Co., Bulgaria (I. Daskalov)
48. SOPORCEL—Sociedade Portuguesa de Papel, S.A., Portugal (A. Quental Martins)
49. Swiss Federal Institute of Technology, Switzerland (M.H. Faber, O. Kübler)
50. Tallinn Technical University, Estonia (P. Tint)
51. Technicatome, France (J.L. Pelletier)
52. TECNOMARE S.p.A., Italy (W. Priotti)
53. TRANSGÁS—Sociedade Portuguesa de Gás Natural SA, Portugal (A. Lacerda Nobre)
54. Technical University of Delft, The Netherlands (H. Karadeniz)
55. Technical University of Ostrava, Czech Republic (R. Bris)
56. Technical University of Sofia, Bulgaria (G.I. Petkov)
57. Technical University of Szczecin, Poland (A. Krystosk)
58. Technical University of Varna, Bulgaria (P. Antonov, P. Kolev)
59. The University of Liverpool, UK (H. Najafian)
60. TotalFinaElf, France (J.P. Signoret)
61. University of Mining and Geology, Bulgaria (M. Panayotova)
62. University Politehnica of Bucharest, Romania (P. Ulmeanu)
63. University of Surrey, UK (T. Onoufriou)
64. VEIKI Institute for Electric Power Research Co., Hungary (E. Hollo)
65. VTT Industrial Systems, Reliability and Risk Management, Finland (V. Rouhiainen)
66. Warsaw University of Technology, Poland (Z. Smalko)
67. Wroclaw University of Technology, Poland (W. Zamojski)
68. WSAtkins Consultants Ltd., UK (N. Shetty, B. Commandeur)
69. University of Valencia, Spain (S. Martorell)
Framework documents
General framework for safety and reliability of industrial
products, systems and structures
C. Guedes Soares
Instituto Superior Técnico, Technical University of Lisbon, Lisbon, Portugal
ABSTRACT: This paper introduces the general framework for safety and reliability of industrial
products, systems and structures, by explaining the logic of its four main components and how the
four specific documents relate to each other. A central idea is that an integrated risk assessment
must be conducted as a support for decision making, in which techniques that sometimes have been dealt
with separately need to be considered in an integrated way, namely risk assessment, structural reliability and
human and organizational factors. These principles are applied to risk assessment, risk management,
maintenance planning and assessment and lifetime extension. The documents are of a general nature,
being applicable to any industrial sector.
1 AIMS AND SCOPE
The economic drivers behind modern human
activities raise pressures in all industries to be
efficient and competitive. On the other hand, safety
of the people and protection of the environment
are the critical values underpinning sustainable
development and progress. Recent developments
show an increasing need to consider social and
cultural aspects, as well. This leads to the challenge
of providing safe and cost-effective solutions to
products, systems, facilities and structures across
different industries.
To meet the challenge, the safety, reliability
and availability requirements, which are critical to
efficiency and cost, need to be ensured not only in
the design and manufacturing phases but also during
the operational and ageing phases of the products
and facilities. This requires an integrated treatment
of the technical and organizational aspects involved
in design, production and operation, in the face of
dynamically changing work organisations and
including the extended use of information technologies.
In light of this, the scope of the developed
methodology is precisely the integrated treatment
of the design, production and operation of safe,
environmentally-friendly, socially acceptable, and
cost-effective industrial products and systems.
The main emphasis is on the use of risk- and
reliability-based methods for the optimal design of
products, production facilities, industrial systems
and structures from the point of view of balancing
the economic aspects associated with providing
predefined safety levels with the associated costs of
maintenance and profits from service availability.
A major issue to be properly addressed by the
integrated methodology is the need to extend the
lifetime of products, structures and facilities and
to monitor that this extension is done without
degrading their safety levels of operation. Within
the integrated methodological approach proposed,
this entails the development of specific strategies
and procedures tailored to each industry. This
is achieved by modelling the reliability of the
systems throughout their lifetime so as to be able
to study the impact of new maintenance and repair
schemes on system safety, life cycle costs, reliability,
serviceability and quality. Proper methods for
the assessment of existing structures and equipment
must be integrated with proper approaches
and criteria for extending their lifetime while
maintaining the required safety levels and providing
competitive levels of reliability and availability.
The integrated methodology addresses fundamental
problems in risk and reliability analysis
with the aim of consistently modelling and
quantitatively treating the different types of uncertainties
prevailing in the decision problems of the
modern “sustainable” society.
The methodology is here presented in four framework
documents addressing specific complementary
topics involved in the systematic and integrated
treatment of risk applicable to any industry:
• Integrated Risk Assessment
• Risk Management
• Maintenance Planning
• Assessment and Life Extension
The framework documents are aimed at
presenting an overview of the main aspects that
need to be taken into account for a rational,
integrated risk assessment and management,
together with the proper frameworks, methods and
approaches needed. Established best practices and
generic, industry-independent issues are addressed
and approaches are presented with no reference to
particularities that are specific of each industry.
The documents are aimed at being used by the
managers and specialists involved in the process
of ensuring safety and reliability of industrial
products, systems and structures. As such, they
require basic knowledge of risk and reliability, but
not necessarily a detailed expertise.
2 ORGANISATION OF THE DOCUMENTS
The first document presents the general methodology
for integrated risk assessment, including the
issue of risk acceptance criteria, which is the key to
interpreting and rationally managing the results of risk
assessments.
Risk is understood as the expected consequences
from a given industrial activity and thus is the
result of the probability of occurrence of undesired
events and their consequences. Its assessment
needs both adequate models and methods and
appropriate data. Concerning the latter, relevant
and informative data is sometimes difficult to
find, particularly for low-probability events which
may very well be critical because they are associated with
accidental situations of large consequences. In
these cases, one may resort to expert judgment
within a subjective interpretation of probability
and decision making.
The formalised analysis and quantification
of the influence that human and organisational
factors have on safety needs to be incorporated
in the integrated risk assessment methodology. In
this respect, the advances that have been made in the
discipline of human reliability lend themselves to
integration in the overall risk assessment.
Structural reliability theory has been developed
to deal with models of structural behaviour and to
predict probabilities of failure based on the laws
of mechanical behaviour of materials. Although
quantified risk assessments and structural reliability
analyses are used as complementary techniques
for an improved overall assessment of safety,
there is seldom enough integration of their results.
In this respect, the aim is that of improving the
integration of these techniques, including also the
above discussed human reliability formulations.
Risk assessments can be required at different
stages of planning and operation of the
infrastructures and systems. They are important
contributions to a risk management strategy which
involves a series of actions that aims at keeping
risk within predefined levels. Risk management,
which is treated in the second document, needs to
be conducted through the whole life-cycle and it
addresses all elements that can contribute to risk.
Cost-effectiveness and safety cannot be obtained
solely by design. Maintenance plays a fundamental
role in counteracting degradation effects, which
are present in all infrastructures and industrial
products. Therefore, maintenance planning, which
is dealt with in the third document, is a very
critical aspect to consider both during the design
and during the whole life span of operational use,
within an integrated framework founded on risk-
and reliability-based techniques.
A major current problem to be addressed is
related to the use in many industries of long-existing
infrastructures which are being questioned on
whether they can continue being fully utilised
beyond their original design lifetime. This poses
the problem of evaluating the state of health of
the involved systems, structures and components,
a task which entails proper modelling and the
identification of the load history to which they
were subjected. The integration of the knowledge
of the health state with the design criteria set at the
time the facility was constructed allows the assessment
of the available residual strength and safety.
These need to be rationally weighed against appropriately
established target safety levels, in order to
consciously license life extension, which is treated
in the fourth referred document.
The results of the application of the integrated
methodology are expected to contribute to the
competitiveness of industries in Europe. Indeed,
when correctly implemented, integrated risk
analysis and management support significant
cost savings and provide enhanced control of
the risks to personnel, public and environment.
The economic gains for the industrial sectors will
include increased productivity, reduced costs for
design, construction and operation, minimised use
of natural resources, improved competitiveness,
and better exploitation of the products. Benefits for
the consumers and end-users will include improved
services, environmental quality, well-being and
mobility. A significant impact is also expected in
terms of reduction of work injuries and fatalities.
Figure 1 demonstrates the connection between
the single framework documents within a simplified
view of the life cycle of any structure, facility or
product. However, depending on the considered
object and its restraints not all items will be
weighted equally with respect to importance. To
ensure low costs during the lifetime, risk assessment,
risk management, as well as maintenance planning
have to be involved in early design phases.
As soon as design and the construction are completed,
the management of risk and maintenance
work will coordinate the further inspections and
corresponding restorations or replacements.
If a special event (e.g., earthquake, dramatic
deterioration) occurs or the end of (re)design
lifetime is reached, the assessment process will be
activated, where a detailed inspection of the object
is foreseen. In case the doubts are confirmed, the
object has to be assessed, redesigned, and repaired,
or strengthened. Similar to the design phase, risk
issues have to be considered. Consequently, an
update of the maintenance and risk management
plan is necessary. Assuming the risk is too high and
cannot be managed or it is not possible or worthy to
repair or strengthen the object it should be demol-
ished, which is indeed the final end of the lifetime
of the facility, plant, structures, or product.
The framework documents presented in
the references are meant to reflect the general
level of understanding and are not meant to
be a bibliographic overview of the various fields.
Therefore it was chosen not to include any refer-
ence in these documents to avoid having to present
a very extensive list of references or being biased in
the choice of a smaller number.
The presentation of references has been left
for the accompanying papers in this book, which
survey various subject areas.
ACKNOWLEDGEMENTS
The work presented was performed within
the EU Project on “Safety and Reliability of
Industrial Products, Systems and Structures”
(SAFERELNET), (www.mar.ist.utl.pt/saferelnet),
which was funded partially by the European
Commission under the contract number G1RT-
CT2001-05051 of the programme “Competitive
Sustainable Growth”.
This document has benefited from various
comments and suggestions from several project
partners, while it was being prepared, which
are gratefully acknowledged. Special thanks
are due to the authors of the four framework
documents referenced here, who gave more specific
contributions to this document.
REFERENCES
Bucher, Ch., Bolt, H. and Brehm, M. Framework for assessment and life extension of existing structures and industrial plants, Safety and Reliability of Industrial Products, Systems and Structures, C. Guedes Soares (Ed.), Balkema, London, 2010, pp. 53–62.
Guedes Soares, C., Caldeira Duarte, J., Garbatov, Y., Zio, E. and Sorensen, J.D. Framework for maintenance planning, Safety and Reliability of Industrial Products, Systems and Structures, C. Guedes Soares (Ed.), Balkema, London, 2010, pp. 33–52.
Hessami, A.G. Framework for safety and security risk, Safety and Reliability of Industrial Products, Systems and Structures, C. Guedes Soares (Ed.), Balkema, London, 2010, pp. 21–32.
Kragh, E., Faber, M.H. and Guedes Soares, C. Framework for integrated risk assessment, Safety and Reliability of Industrial Products, Systems and Structures, C. Guedes Soares (Ed.), Balkema, London, 2010, pp. 7–20.
[Figure 1: life-cycle flowchart. Boxes: design & construction including initial risk assessment and plans for risk management and maintenance; maintenance according planning; assessment of the object and corresponding risk; repair & strengthening; updating of plans for risk management and maintenance; demolition (end of lifetime). Decision nodes (yes/no): "special event or end of (re)design lifetime?" and "assessment necessary?". Colours according to the four framework documents: Risk Assessment, Risk Management, Maintenance Planning, Assessment & Life Ext.]
Figure 1. Application of framework documents within a life cycle of a facility or structure. The colours indicate the
covered issue of each framework document.
Safety and Reliability of Industrial Products, Systems and Structures – Guedes Soares (ed)
© 2010 Taylor & Francis Group, London, ISBN 978-0-415-66392-2
Framework for integrated risk assessment
E. Kragh
COWI A/S, Denmark
M.H. Faber
ETH Zurich, Switzerland
C. Guedes Soares
Instituto Superior Técnico, Technical University of Lisbon, Lisbon, Portugal
ABSTRACT: This framework for integrated risk assessment addresses decision makers and professionals
responsible for or involved in establishing decision support. The purpose is to outline the basic premises for
the utilization of risk assessment in establishing rational decisions for the benefit of and consistent with the
preferences of society or other stakeholders. In this way the framework provides the general philosophy to
be followed and points to a best practice in the treatment of the many aspects of this complex problem.
1 INTRODUCTION
Risk assessment is a key element in the decision
making process that leads to ensure safety and
reliability of industrial products, systems and
structures throughout their lifetime.
Risk assessments made in the initial phase of
development of system concepts provide very
important information to be used in decisions
related with the design and construction process.
Risk assessment provides essential information
to risk management systems, which aim at ensur-
ing the necessary measures for risk to be properly
managed during operation of industrial products,
systems and structures. Finally risk assessment is
also necessary for risk based maintenance plan-
ning and for the risk based reassessment and life
extension, which are also essential elements in the
operational phase of industrial products, systems
and structures.
Therefore the treatment of risk assessment in
this document recognizes these interactions and is
compatible with the three other framework papers
presented here.
The framework for integrated risk assessment
is not subject to the boundaries of application
areas and countries. The framework is presented
with an emphasis on what is considered to be
best practice within the group of members of the
SAFERELNET project and thus is broadly repre-
sentative for the member states of Europe.
The development of this framework has been a
great challenge as before the project there was no
clear basis for the integrated assessment of risks.
However, with the combined efforts of the project
members it has been possible to identify the basic
framework and the major constituents in a way
which it is hoped will contribute to improving the
quality of risk based decision making in the future.
2 DECISION, RISK AND UNCERTAINTY
Decisions must be based on risk in the meaning
of expected benefit, i.e. expected income minus
the expected losses. Expected losses must consider
consequence in terms of potential fatalities, poten-
tial damage to the quality of the environment, as
well as potential economic losses.
General decision problems subject to uncer-
tainty expressed in frequentistic and/or subjective
terms may be adequately treated within the frame-
work of the Bayesian decision theory. In assessing
the risk for a given system caution must be paid to
a complete modelling of consequences and prob-
abilities. Consequences must include both direct
and indirect consequences and should preferably
be assessed in only one common unit, typically
a monetary unit. Probabilities must include all
uncertainties of relevance for the system and no
differentiation in regard to these is relevant for
decision making.
When risk assessments are performed for supporting
decisions on behalf of society, the perception
of risk of individuals is not relevant. Transpar-
ency, robustness and documentation of the risk
assessment model are essential prerequisites for
establishing a rational basis for decision making.
Modelling of risk aversion into the risk assessment
should be avoided. Instead the assessment of risks
should carefully consider all possible consequences
whether they be direct or indirect.
Risk assessment is not considered as a goal in
itself but as an intermediate step that contributes
to the process of ensuring safety and reliability of
industrial products, systems and structures through-
out their lifetime. Risk assessments made in the
initial phase of development of concepts provide
very important information to be used in decisions
related with the design and construction process, as
well as those related with the operation and mainte-
nance phase, and finally the decommissioning plan.
3 THE INTEGRATED APPROACH
TO RISK ASSESSMENT
The term “integrated” in the present context refers
to the explicit consideration of the interaction
between all relevant agents i.e. technical and struc-
tural elements, nature, humans and organizations
in the assessment of the risks associated with
the system considered. Only when an integrated
approach is taken to risk assessment can it be ensured
that the significant risk contributions originating
from the interactions between the different agents
are accounted for. In fact any risk assessment not
accounting for this interaction must in general be
seen as subject to crude simplifications whereby
the transparency of the results of the assessment is
severely limited. It is advocated to take a holistic per-
spective to risk assessments also with regard to time.
Risk assessments of planned facilities or structures
should consider all phases of the future life of a
system from the early concept phases to the end of
the service life, and including decommissioning.
The integrated approach to risk assessment is
furthermore a prerequisite for risk and safety man-
agement at all levels. Decision makers at high levels
are often responsible for the risks associated with
not only one system or activity but for several. If
risk assessments are not performed consistently for
the individual systems it is not possible to assess
the risks originating as an effect of the portfolio
of systems at hand. Furthermore and more impor-
tantly it is then also not possible to devise the
rational actions of risk control and reduction.
Best current practice of risk assessment in most
fields is only a partly integrated approach, how-
ever well suited to cover the designated purpose in
each case. The methods and techniques used are in
general described in the documents prepared in the
SAFERELNET work packages 2, 3 and 5. These
are also the bases upon which the recommended
practice for integrated risk assessment is developed
for this framework document. Risk assessment
practitioners may therefore not immediately be
able to recognize their own perfectly valid best
practices in this framework, but will experience
the wider perspective of risk assessments as a high
level tool for decision support, for example to
optimize the societal benefits of a new installation.
Although this is an overall perspective of the
document, it also advises how to use the same
integrated approach for decisions at lower and
more specific levels, for example to optimize the
benefits of the owner/developer of a new installa-
tion, without compromising the tolerability of the
society on risk to humans and environment.
The approach advocated in this framework is
new in the sense that it emphasizes the need for
a holistic perspective and furthermore describes
how to do it. The approach is largely philosophical
and methodical and does not depend on the latest
development in for example numerical methods
and specific techniques for technical investiga-
tions. Even though the framework does point to
a selection of what is believed to be the best tools
for various tasks in risk assessment at present,
emphasis is placed on describing the purpose and
scope of these tools rather than their procedural
characteristics. In this way it is ensured that future
inevitable technological improvement will not
result in the framework becoming obsolete.
4 GENERAL METHODOLOGY
FOR INTEGRATED RISK MODELING
When a risk assessment is required with the objec-
tive of decision making, the first important tasks
are to define the system (the nature of the problem
in focus) and then the risk model to be used for the
assessment. An analysis of the decision problem
may be used to reveal at which levels of detail the
hazards and uncertainties of interest are visible, and
at which levels the effects of the most relevant safety
measures are contributing to risk reduction. It is
also necessary to assess how complex the risk model
needs to be in order to achieve a correct and robust
decision. The higher the complexity, the greater the need for
an integrated risk model where the overall system is
the issue and where the interaction between natural,
technical, structural, human and organizational
elements is important for assessing the risk
contributions from failure, error and uncertainty.
Whereas the term risk is used in a wide range
of meanings including probability, consequences,
chance and likelihood the correct and consistent
definition of risk for use in decision problems is
the expected utility (or harm, costs and benefit).
Typically risk based decisions focus on the adverse
effects and in such cases the following formulation
is useful:
The risk of a system is a functional measure of pre-
defined adverse effects of system malfunction and
their corresponding probability of occurring in the
time span considered.
In this definition all relevant causes, preven-
tive and mitigating measures, adverse effects and
uncertainties are included.
Any activity possesses a certain risk potential
and the way this risk potential is managed in terms
of procedural and technical measures will deter-
mine the risk which is associated with the activity.
If all risks are understood, treated correctly, and
controlled they have been reduced to a level which
is considered tolerable. However, in practice a very
large part of the risk potential may get out of con-
trol due to various types of human and procedural
factors and therefore these equally need to be taken
into account and encompassed by risk treatment
measures. The underlying reasons may be lack of
knowledge, organizational failure, procedural fail-
ure, operational error and typically at the last place
technical or structural failure.
The general purpose of an integrated risk
assessment is thus:
• to analyse the system itself and its interaction
with the surroundings, including humans and
organisations, to decide whether or not the risk
is tolerable
• to optimise the robustness and the benefit
achieved from the system over the lifetime.
In this light the following outlines the basic
modelling and procedural aspects of risk assess-
ment (Fig. 1).
4.1 Modelling aspects of risk assessment
In different application areas of risk assessment
many rather specific methodologies have been
developed and this has had the effect that risk
assessments across the boundaries of application
areas are difficult to compare and even more dif-
ficult to integrate. Numerous procedural schemes
for risk based decision making are available but
these focus on the process flow of risk assessments
rather than on the framework for risk assess-
ment itself. Moreover, one of the most significant
drawbacks of existing frameworks for risk assess-
ment is that they do not sufficiently facilitate and
enhance the potential for utilizing evidence and/or
indications of evidence in the assessment of risks.
Here it is advocated to utilize a generic and Baye-
sian framework for risk assessment facilitating a
full utilization of risk indicators. This will make the
assessment a dynamic tool supporting a rational
treatment of risks throughout the life of the facil-
ity or structure.
The hazards to the system are represented as dif-
ferent adverse events acting on the elements of the
system. The elements of the system can be consid-
ered as the first defence of the system in regard to
the exposures. The damage to the system caused by
failure or malfunction of the elements is considered
to be associated with direct consequences. Direct
consequences may comprise different attributes of
the system such as monetary losses, loss of lives,
damage to the quality of the environment or just
changed characteristics of the elements. Certain
combinations of failure or malfunction and their
corresponding consequences may cause escalation
or consequential losses to occur. These consequen-
tial adverse effects may be significant and should
be included in the risk model.
The vulnerability of a system is related to the
direct consequences caused by the damage to the
elements of a system for a given hazard event.
The damage to the elements of a system repre-
sents the damage state of the system. In probabil-
istic terms the vulnerability of a system is defined
through the conditional probability of all possible
direct consequences given an exposure event.
The robustness of a system is inter alia related to
the ability to sustain a given damage state subject to
the prevailing exposure conditions and thereby limit
the effects to the direct consequences. It is of impor-
tance to note that the indirect consequences for a
system not only depend on the damage state but
also on the exposure of the damaged system. When
the robustness of a system is assessed it is therefore
necessary to assess the probability of indirect consequences
as an expected value over all possible damage
states and exposure events. A conditional robustness
may be defined through the robustness conditional
on a given exposure and/or a given damage state.
In a Bayesian framework for risk based decision
making such indicators play an important role.
Consider the risk assessment of a load bearing
structure, where risk indicators are, for example,
any observable quantity which can be related to the
loading of the structure (exposure), the strength of
the components of the structure (vulnerability) and
the redundancy, ductility, effectiveness of condition
control and maintenance (robustness).
[Figure 1: nested diagram of the objective hazard potential. Labels: objectively known / not known; subjectively realised / not realised; taken into account / neglected; risk treatment measures; adequate measures / not adequate; correctly implemented measures / wrong; safety through risk treatment; accepted risks; hazards due to human errors.]
Figure 1. Risk treatment will only cover part of the
potential hazards.
This framework may be applied to elements,
sub-systems and the system as a whole; thereby the
framework also facilitates a hierarchical approach
to risk assessment. The definition of the system in
this context is very significant and linked to the
definition of exposure, vulnerability and robust-
ness. The risk assessment framework allows for uti-
lization of any type of quantifiable indicators with
regard to the exposure, vulnerability and robustness
of the considered system. Due to the hierarchical
structure of the risk assessment, the framework is
greatly supported, in terms of conditional events,
by modern risk assessment tools such as Bayesian
Probabilistic Nets and Influence Diagrams.
If the risk modelling has been performed appro-
priately, risk indicators will in general be available
for what concerns the exposure to the system, the
vulnerability of the system and the robustness of
the system.
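A small numerical sketch of the exposure, vulnerability and robustness model described in this section, added here as an illustration and not taken from the framework documents. All event names, probabilities, consequence values and the "storm warning" indicator are constructed assumptions; the conditional tables stand in for a small Bayesian probabilistic net.

```python
# Added illustration: every name and number below is a constructed assumption.

# P(exposure event) in the time span considered (here taken as one year).
P_EXPOSURE = {"normal": 0.90, "storm": 0.09, "extreme": 0.01}

# Vulnerability: P(damage state | exposure event).
P_DAMAGE = {
    "normal":  {"intact": 0.99, "local": 0.01, "severe": 0.00},
    "storm":   {"intact": 0.80, "local": 0.15, "severe": 0.05},
    "extreme": {"intact": 0.30, "local": 0.40, "severe": 0.30},
}

# Direct consequence of each damage state, in one common monetary unit.
C_DIRECT = {"intact": 0.0, "local": 10.0, "severe": 100.0}

# Robustness: P(indirect consequences | damage state, exposure event).
# It depends on the damage state AND on the exposure of the damaged system.
P_INDIRECT = {
    ("intact", "normal"): 0.00, ("intact", "storm"): 0.00, ("intact", "extreme"): 0.00,
    ("local", "normal"): 0.01, ("local", "storm"): 0.05, ("local", "extreme"): 0.20,
    ("severe", "normal"): 0.10, ("severe", "storm"): 0.30, ("severe", "extreme"): 0.60,
}
C_INDIRECT = 1000.0  # consequential loss if escalation occurs, same monetary unit

# Risk indicator: P("storm warning" observed | exposure event).
P_WARNING = {"normal": 0.05, "storm": 0.70, "extreme": 0.95}


def check_distribution(dist, label):
    """Reject tables that are not probability distributions."""
    values = list(dist.values())
    if min(values) < 0 or abs(sum(values) - 1.0) > 1e-9:
        raise ValueError(f"{label} is not a probability distribution")


def expected_direct(exposure):
    """Expected direct consequence given one exposure event (vulnerability)."""
    return sum(p * C_DIRECT[d] for d, p in P_DAMAGE[exposure].items())


def p_indirect(exposure):
    """P(indirect consequences | exposure): the conditional robustness view."""
    return sum(p * P_INDIRECT[(d, exposure)] for d, p in P_DAMAGE[exposure].items())


def risk(p_exposure):
    """Expected direct, indirect and total consequences over all exposure
    events and damage states."""
    check_distribution(p_exposure, "exposure")
    for ex in p_exposure:
        check_distribution(P_DAMAGE[ex], f"damage given {ex}")
    direct = sum(p * expected_direct(ex) for ex, p in p_exposure.items())
    p_ind = sum(p * p_indirect(ex) for ex, p in p_exposure.items())
    indirect = p_ind * C_INDIRECT
    return {"direct": direct, "indirect": indirect,
            "total": direct + indirect, "p_indirect": p_ind}


def update_exposure(prior, likelihood):
    """Bayes' rule: P(exposure | indicator observed)."""
    joint = {ex: prior[ex] * likelihood[ex] for ex in prior}
    evidence = sum(joint.values())
    if evidence == 0:
        raise ValueError("indicator has zero probability under the prior")
    return {ex: j / evidence for ex, j in joint.items()}


if __name__ == "__main__":
    before = risk(P_EXPOSURE)
    after = risk(update_exposure(P_EXPOSURE, P_WARNING))
    for name, r in (("prior", before), ("after storm warning", after)):
        print(f"{name}: direct={r['direct']:.3f} indirect={r['indirect']:.3f} "
              f"total={r['total']:.3f} P(indirect)={r['p_indirect']:.5f}")
    for ex in P_EXPOSURE:
        print(f"P(indirect | {ex}) = {p_indirect(ex):.4f}")
```

With these constructed numbers the indirect term dominates the total even though escalation is rare, which is why omitting consequential losses would understate the risk.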
4.2 Procedural aspects of risk assessment
The process for conducting risk assessments is here
represented in a generic format, which is largely
independent from the application, for example,
independent of whether the risk assessment is per-
formed in order to document that the risks associ-
ated with a given activity are acceptable or to serve
as a basis for a management decision.
A risk assessment will include the following
steps (Fig. 2):
1. Definition of context
2. Identification of risks and hazard scenarios
3. Analysis of effects and consequences
4. Analysis of causes and causal relations
5. Assessment phase
6. Evaluation and risk reduction
which are briefly described in the following.
5 DEFINITION OF CONTEXT
If the risk of a system under consideration is well
known in all relevant aspects, then it is possible to
set requirements that shall be fulfilled for the sys-
tem to be considered safe or reliable. This means
that all significant uncertainties have been taken
into account. If this has been done, and compli-
ance is demonstrated, then there will be no need
for a risk assessment.
If the risk of a system under consideration is
well known in all relevant aspects, but no specific
requirements have been set, it will be possible to
define a tolerable risk level. A risk assessment shall
then demonstrate that the risk is below this level.
Setting the risk level may be an issue for discus-
sion, but after that issue has been solved, the risk
assessment may be used for deciding which addi-
tional risk reducing measures and/or safety barri-
ers shall be applied until the risk is tolerable.
In many real life situations, the risk of a sys-
tem under consideration is not well known in all
relevant aspects. The causes of possible event
sequences leading to different adverse effects may
be interconnected in complicated ways. They may
be difficult to identify and quantify, because both
failures in technical systems, for example process
equipment, and errors by persons may be affected
by organizational and environmental factors, which
are not easy to model.
Figure 2. The steps of a risk assessment and the link to risk assessment.
It is for these latter situations that the real chal-
lenge of the risk analyst lies. The risk assessment
must give a total picture of the risks and the
associated uncertainties related to knowledge,
modelling and failure data.
It is therefore imperative to realize what type
of decision the risk assessment is supposed to
support:
• Who are the stakeholders and decision makers,
their background and tolerability levels
• How well are the risks known
• How do risk contributors interfere with each
other
• How well can the risk be modelled (both prob-
abilities and effects)
• Are relevant data available, or must many of
them be judged by experts
• Which aspects of the risk assessment must be
communicated to the decision maker?
Some degree of consensus on these topics
should be reached before the risk assessment con-
text is defined as described below.
5.1 Definition of system and scope
The physical boundaries of the system shall be
defined, together with the operational limitations
and the time span to be considered, for example
from perception to decommissioning, or just dur-
ing normal operation and maintenance. Some
check of how situations outside the scope of the
risk assessment are considered should be made, in
order to be able to include from the start what is
really relevant.
It is important to define the system with due
consideration of all relevant interrelations between
human, organizational and technical aspects. The
system modelling will have an important impact on
the level of detail in the risk analysis and this aspect
should be addressed in the system description.
The risks of an industrial activity can be assessed
by only considering the relevant technical instal-
lations, whereas the system analysis is the main
scope of the integrated risk assessment process. As
a system is also characterized by its organization,
it is necessary to include the organizational factors
within its definition boundaries, and consequently
in the model used in order to analyze the system.
5.2 Definition of effects of concern
Relevant effects may include loss of lives, adverse
exposure, contamination, costs, delays, collapse,
collisions etc. where one effect may depend on the
outcome of another. Often it is relevant to consider
more than one type of effect. If possible the effects of
relevance should be combined into a common utility
measure (e.g. cost), thus providing the basis for
rational decision making. The risk model must be
developed to give a clear picture of the probability
of each effect and the way they are interrelated.
In principle both positive and adverse effects
may be the scope of a risk assessment, thereby
optimizing the utility of the system; adverse effects
are counted as negative.
5.3 Decision criteria
It is important to set the decision criteria. This
includes the specification of the tolerable level
with regard to economic risks, the risk to person-
nel and the risk to the environment. In setting the
criteria—which might be considered a decision
problem itself—due account should be taken of
both international and national regulations in the
considered application area.
These criteria will enable the analysis team to
include recommendations of risk reducing meas-
ures and describe their effects and uncertainties.
Decision criteria may also define the limits of
concern for the risk assessment, i.e. how low must
the probability be to be considered negligible
(or broadly acceptable), and what probability is
considered intolerable. These limits may be differ-
ent for each effect considered.
6 IDENTIFICATION OF RISKS
AND HAZARD SCENARIOS
This phase is the most important part of any risk
assessment and the result is the basis of the risk
model. The system is analyzed with regard to how
direct and indirect damage may occur as a conse-
quence of the different exposures. Three steps are
generally used:
• Decomposition of the system into a number
of causally or otherwise logically connected
elements representing technical and structural
objects, human actions, operations, interfaces
between organizations, etc. This decomposition
will form the basis for the risk model, the analy-
ses of consequences, the numerical assessments
and the further treatment and management of
risks.
• Identification of all relevant exposures (and
their uncertainties) acting on the elements and
the corresponding damage and failure. This step
shall wherever possible be based on experiences
from similar systems and information from
records of failures or near-misses of similar
kinds of system elements.
• Identification of how the damage and failure
identified may induce direct consequences, and
how it may cause escalation, domino effects in
the system or have subsequent consequences.
A lot of experience is built into the various
methods for risk/hazard identification, and the key
factors for quality are:
• The preparation of the process
• The knowledge and experience of the team doing
the job
• The systematic approach, including follow-up
of unsolved questions.
7 ANALYSIS OF EFFECTS
AND CONSEQUENCES
The result of the identification phase is a list of
more or less complex situations, which may have
a potential for one or more of the adverse effects
defined to be of concern. This could for exam-
ple be loss of containment, causing a release of
a hazardous substance. The analysis in this phase
then includes the modelling of the potential
consequences to persons or the environment,
which may be exposed to the toxicity, or to the fire
in case of ignition. It also includes the conditional
probability of the adverse scenario developments,
such as toxic or flammable gas dispersion in a
certain direction and to a certain distance, that an
ignition source is present, if a person is present,
the effects of a fire on exposed persons and equip-
ment (vulnerability), and any possible progressive
effects etc. In addition the effects of contingency
measures applied shall be included in the analysis,
as well as the effects of the human and organi-
zational factors on the probability of successful
mitigation. Those scenarios where the risk poten-
tial is considered to be significant should then be
subject to the further analyses of causes and causal
relations in the next phase.
8 ANALYSES OF CAUSES AND CAUSAL
RELATIONS
Depending on the scope of the risk assessment, the
availability of relevant data, the complexity of the
risk or hazard scenarios, and the potential for sig-
nificant consequences, the causes of the scenarios
shall be analysed in more or less detail. When this
has been done, all details for the risk model have
been determined.
Back to basics, all causes are natural, as man is
part of nature, as all systems are designed, made,
operated and maintained by persons, and as organ-
izations, which fail, are made up by persons as well.
It is therefore essential that the analysis of causes
tracks back from any apparent technical issues to
the underlying human influences (Fig. 3).
In the analysis of causes, such human factors
are however categorized in manageable groups, for
which some experience or failure data exist or may
be deduced by expert judgment. How to model the
interrelationship between the groups is a major
challenge in an integrated risk assessment. Bayesian
probabilistic nets are well suited for a consistent
treatment of complex systems, but also barrier dia-
grams may be used, if a semi-quantitative approach
is sufficient. Techniques for risk analyses are intro-
duced in other papers of this book.
Lessons learnt from past accidents in very
complex systems, for example in process plants,
have shown that there are always organizational
dynamics. It is therefore important to analyze
in a systematic way such dynamisms in order to
promote and encourage some useful organiza-
tional changes that might prevent the occurrence
of disasters. A further step should be a possible
assessment for such aspects that strongly interact
with the technological and design features that are
normally considered in a risk assessment.
Human errors in organizations are mistakes
“socially organized and systematically produced”.
Accidents, in very complex organizations, are not
likely to occur for one cause only, but often find
their origins in unpredictable interactions of many
events, none of which alone could possibly deter-
mine the occurrence of an accident.
[Figure 3: four groups of factors.
External factors (largely outside the control of the organization): legislation; regulation; market/competition; public/the press; owners; suppliers.
Organizational factors (largely controlled by the organization): safety culture; procedures; training/recruitment; learning; task allocation; equipment/HMI.
Individual and team factors: knowledge; skills; motivation; compliance/violations; safety commitment; teamwork.
Risk and actual safety outcomes: unsafe acts; near misses; incidents; accidents.]
Figure 3. Categorization of factors with risk influence.
The phases in integrating these factors in the
risk assessment consist of: (a) identifying human
error potentials and assessing their strength and
effects for the system (this will involve so-called
active errors committed typically by frontline
staff); and (b) identifying the impact of organi-
zational (or performance shaping) factors on the
likelihood that active errors will occur.
8.1 Analysis of human errors
Determining human risk contribution to a system
involves identification of the tasks that may fail
with respect to given work goals.
Task analytical techniques seek to analyze a
given overall task by decomposing this (in a highly
structured, and possibly hierarchical, format)
into the steps that must be carried out for a
certain activity to be successfully completed. The
probability of failure of the individual steps is
determined by the nature of the task (e.g. monitoring
a level indicator, inspecting a rail track for foreign
objects) in the given work context and by the con-
ditions—organizational factors, often referred to
as Performance Shaping Factors (PSF)—under
the direct or indirect control of the organization
responsible for the system under analysis.
8.2 Analysis of organizational factors
Organizational factors are largely under the control
of the individual organization responsible for oper-
ations (or for the phases of the life-cycle of the sys-
tem currently targeted). They may be divided into
structural factors and safety culture (safety climate)
factors. Structural factors are rules and routines
that govern the strategic and day-to-day operations:
Recruitment and training of staff; definition and
maintenance of operating procedures and guide-
lines; learning from experience including reporting
and feedback after all risk relevant events; equip-
ment; definition and implementation of HMI
(Human-Machine Interface) guidelines; distribu-
tion of tasks, shifts, manning levels. In contrast,
safety culture and climate concerns the manner in
which the procedures, guidelines and routines are
implemented, the interpretation and understand-
ing of these and the commitment with which they
are enforced and followed. Safety culture concerns
the mostly tacit and slow-to-change norms and
beliefs that are shared among members of an
organization, and safety climate refers to the more
explicit, more changeable attitudes and perceptions.
Safety culture and safety climate may be assessed
via interviews and dedicated questionnaire-based
surveys and structural factors may be assessed in
terms of safety audits that use a range of safety
management survey (audit) techniques.
9 ASSESSMENT PHASE
The comprehensive risk model now established
shall be used for assessing the risks, and if neces-
sary for identification of additional risk reducing
measures.
9.1 Qualitative categorization
Assessing the significance of risk contributions
may be a qualitative process using one, two or three
dimensional categorization: A utility measure
(combining all effects) such as cost may be one-
dimensional, a probability/consequence matrix
is two dimensional, and the differentiation on
effect types of the probability and the magnitude/severity
of effect will be three dimensional.
9.2 Quantification of risk contributions
Even if the defined criteria for the risk assessment are
not quantitative, a certain amount of quantification
will normally be necessary in order to check if there
is a risk at all, to illustrate the order of magnitude
and/or for comparison purposes. This could for example
be the calculation of distance to a certain damage
effect (e.g. death with a probability of 1% or 50%),
the estimation of frequency of a certain failure type,
or the reliability of a certain safety measure.
If the criteria are strictly quantitative all rel-
evant risk contributions should be assessed by
the severity of the effect and the corresponding
probability over the time span considered. The
quantification should be well defined, transparent
and all data used should be traceable.
The assessment of the probabilities may be based
on different approaches depending on the type of
component/sub-system and the information avail-
able on its performance. For electrical systems or
process equipment where significant amounts of
information are available, the failure probabilities
may be assessed on the basis of observed failure
rates. If there is no available information on fail-
ure rates, methods of structural reliability theory
and of estimating the effect of human and organi-
zational factors are suggested for the assessment
of failure probabilities. As a last resort an expert
judgment may be used.
A consistent treatment of uncertainties shall
be aimed at, which may also be more or less
quantified. The purpose is to give the decision
maker and the stakeholders a realistic picture of the
risk contributions and the amount of confidence
to place on the numeric values.
9.3 Sensitivity
The scope of the risk assessment may define some
limits of basic parameters of the system, or the risk
analyst may use the variation of certain of the parameters
to describe the robustness of the risk picture
arrived at. By varying critical parameters within
their ranges, the risk contributions will change, and
this will show the sensitivity to these parameters.
Critical parameters may be some of the more
uncertain data used in the assessment, but it may
also be different modes of using the system during
the time span considered, e.g. the manning level of
an offshore installation or the land use around a
refinery.
The sensitivity analysis may include studies
of “what if” situations for the evaluation of the
importance of various system simplifications per-
formed under the definition of the risk model. This
may extend to consideration of changes in external
influences on businesses which impact on different
aspects of the organization with knock-on effects
for human practices and performance. In this way
the robustness of the analysis may be assessed but
also possible ways of reducing the risks by modifi-
cation of the model or the system itself, or the per-
formance of its components may be investigated.
10 EVALUATION AND RISK REDUCTION
10.1 RAC and ALARP
The result of the risk assessment is compared with
the criteria defined for the system, see the section
on risk acceptance later in this paper. Risk Assess-
ment Criteria (RAC) may be qualitative or quan-
titative, giving the level of risk tolerability and the
level of acceptable risk, between which the ALARP
criterion will often apply. If the risk is shown to
be higher than tolerable, the system may only be
acceptable, if risk reduction is applied to bring it
below the criterion.
The ALARP criterion expresses that the risk
shall be As Low As Reasonably Practicable. This
means that risk reduction shall be applied unless
the inconveniences or the costs involved are grossly
disproportionate to the beneficial effect to be
achieved.
10.2 Risk reduction measures
If the risk level cannot be accepted in accordance
with the specified risk acceptance criteria there are
principally four different ways to proceed:
Risk reduction: Risk reduction may be
implemented by reduction of both the consequences
and their probability, or of either of these alone—in
practice risk reduction is normally performed by a
physical modification of the considered system, for
example by improvement of the behavior of equip-
ment and structures during accidental events.
First priority should be given to the prevention
of hazard scenarios. If total prevention is not fea-
sible, detection and control measures should have
priority over mitigation and emergency response
measures.
If the ALARP criterion is applicable a sys-
tematic approach should be used to identify and
assess the feasibility and cost/benefit of risk
reducing measures. Basically the same team as for
the risk identification phase should be involved in
this phase of the risk assessment.
Risk mitigation: In essence risk mitigation is
implemented by reducing the probability of the
occurrence of the hazard scenario, in practice
by modification of the system. The risk of cor-
rosion damage in concrete structures may, for
example, be mitigated by the use of non-corrosive
reinforcement.
Risk transfer: Risk transfer may be performed
by, for example, insurance or other financial
arrangements where a third party takes over the
risk. Therefore risk transfer is normally associated
with a cost. Risks not related to cost consequences
are normally not transferable.
Risk acceptance: As a last option if the risks
do not comply with the risk acceptance criteria
and if other approaches for risk treatment are not
effective, risk acceptance may be an option. This
may, for example, be the case when considering
unacceptable economic risks and where the costs of
risk reduction and/or risk mitigation or transfer are
higher than the desired risk reduction. Continued
operation of ageing facilities with a high societal
utility is an example. Risk acceptance may nor-
mally not be pursued when risks to humans are not
tolerable without fulfilling specific requirements
of regulations, and if so, then usually only for a
limited period of time.
11 USE OF THE RISK ASSESSMENT
11.1 Monitoring and review
During the process of risk assessment many assumptions
are normally made. These assumptions may
be of technical, operational or analytical nature.
It is necessary to ensure that these assumptions are
fulfilled over the time span considered, i.e. some
kind of inspection, review and monitoring is
needed. This is typically an element of the safety
(or risk) management system applied.
The risk assessment is a living process involving
constant feedback of information from the
considered system.
11.2 Total picture for decision support
and risk management
The risk assessment is documented in a report
with the purpose of communicating the total risk
picture of the system in a way that is understood
by the decision makers and by those responsible for
implementation of the risk management system.
If necessary a non-technical summary should be
made in order to communicate the result to other
stakeholders.
Important key qualifications of a proper risk
assessment and the resulting report are as follows:
The risk assessment will have to be systematic, con-
sistent and transparent, and well-experienced per-
sonnel of the operator/owner organisation need to be
involved in the process. Furthermore the assessment
must be update-able, and risk reduction measures
and safety barriers will have to be visible. Finally an
independent review of the risk assessment will have
to be made.
12 TECHNIQUES FOR INTEGRATED
RISK ANALYSIS
A large number of techniques for risk analysis have
been developed in different application areas and
industries. Many of these have been developed
since the 1960s due to increased focus on safety,
environment and optimal decision making in
economics; however, some of the techniques have
a far older origin.
The techniques can be categorized in the classes
(Fig. 4):
• System definition
• Hazard identification
• Overall system modelling
• Component/element analysis
• Analyses of effects and impacts.
In the following sections risk analysis techniques
appropriate for the different risk assessment needs
and steps are discussed.
12.1 Techniques for system definition
and hazard identification
Before any identification and subsequent analy-
sis and assessment of the risks to a system can be
defined, the system and its states must be defined.
By system not only is the technical system meant,
but also the relevant part of the world interacting
with the system in some way and which must be
taken into consideration in the various parts of the
risk analysis. Generally the definition of systems
including exposures, system constituents, logical or
causal interrelations between constituents, damage
and failure states of constituents and finally con-
sequences is best carried out by multi-discipline
teams. The system definition can best be seen as
a preliminary hazard identification and analysis
which serves the purpose of defining the relevant
system and its boundary. The basic requirement
for doing this is physical understanding of the
system. This understanding can—over and above
general and overall hazard identification tech-
niques—be built on overall statistical modelling,
with hypothesis testing, as well as on data-min-
ing. For the identification of relevant exposures,
constituents, logical interrelations between con-
stituents and consequences, it is important that
experienced personnel are available covering all
relevant aspects of the problem.
Then the detailed and systematic hazard identi-
fication studies are carried out by multi-discipline
teams, where all the team members’ observations
and comments are recorded to form a basis for
the risk assessment, or in a less structured way by
groups in brainstorm type sessions. Dependent on
industry the techniques may make use of certain
sets of guide words or other means of ensuring a
more or less systematic identification of all haz-
ards. The key point of hazard identification is the
systematic approach.
12.2 Techniques for overall system modelling
The techniques for risk assessment of the overall
system vary in complexity and range from purely
qualitative techniques to fully quantified techniques
including uncertainties. Some techniques provide
for an integrated assessment of probabilities/
frequencies and consequences whereas others
focus on one or the other. Approaches
also differ in the extent to which technical and
human performance factors are considered and
combined.
Figure 4. Phasing of risk analysis techniques. (Diagram boxes: Definition of system and states; Hazard identification; Overall system model; Assessment of system frequencies; Assessment of system consequences; Detailed/dedicated assessments of subsystems or components.)
The most frequently used quantitative tech-
niques for risk assessment, including assessment of
consequences and probabilities, are fault and event
tree analyses or some variety of these techniques
such as the barrier diagrams. These techniques,
however, all imply a deterministic relation between
events/faults/causes and are therefore not able to
reflect the uncertainty in the relations (the strength
of relations). Therefore, these are not ideal as basis
for decision making subject to uncertainty.
Bayesian Probabilistic Nets are considered the
most capable all round tools for integrated risk
assessment purposes. The Bayesian net provides a
probabilistic approach combining the causal struc-
ture of the fault trees with uncertain causal rela-
tions resulting in a joint probability distribution of
the entire system of causes and consequences. The
probability distribution can be updated based on
collected evidence. Furthermore, the Bayesian nets
can be extended to influence diagrams calculating
the expected utility of alternative actions.
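The contrast drawn above between a deterministic fault-tree gate and a Bayesian net can be made concrete with a three-node net. The following Python sketch is an added example, not part of the original text: the node names, the noisy-OR link strengths, the probabilities, the costs and the action names are all constructed assumptions.

```python
"""Added illustration: a three-node Bayesian net versus a fault-tree OR gate.

All probabilities, costs and names are constructed; none come from the text.
"""
from itertools import product

P_HUMAN_ERROR = 0.05   # prior: active error by frontline staff (assumed)
P_EQUIP_FAULT = 0.01   # prior: equipment failure (assumed)

# Strength of each causal relation: probability that the cause, when present,
# actually produces the accident (noisy-OR). A fault tree treats these as 1.0.
LINK_HUMAN = 0.30
LINK_EQUIP = 0.80
LEAK = 0.0005          # accident probability with neither cause present


def p_accident_given(human, equip, link_h=LINK_HUMAN, link_e=LINK_EQUIP, leak=LEAK):
    """Noisy-OR conditional probability P(accident | human, equip)."""
    p_no = 1.0 - leak
    if human:
        p_no *= 1.0 - link_h
    if equip:
        p_no *= 1.0 - link_e
    return 1.0 - p_no


def joint(p_h=P_HUMAN_ERROR, p_e=P_EQUIP_FAULT, **links):
    """Joint distribution over (human, equip, accident) by full enumeration."""
    table = {}
    for h, e, a in product((False, True), repeat=3):
        p_causes = (p_h if h else 1 - p_h) * (p_e if e else 1 - p_e)
        p_a = p_accident_given(h, e, **links)
        table[(h, e, a)] = p_causes * (p_a if a else 1 - p_a)
    return table


def marginal_accident(table):
    """P(accident = True), summed out of the joint distribution."""
    return sum(p for (_, _, a), p in table.items() if a)


def posterior_cause(table, cause_index):
    """P(cause = True | accident = True): updating on collected evidence."""
    hit = sum(p for key, p in table.items() if key[2] and key[cause_index])
    return hit / marginal_accident(table)


def fault_tree_or(p_h=P_HUMAN_ERROR, p_e=P_EQUIP_FAULT):
    """Deterministic OR gate: any basic event always produces the top event."""
    return 1.0 - (1.0 - p_h) * (1.0 - p_e)


def expected_utility(action_cost, loss_if_accident, **net_params):
    """Influence-diagram step: utility = -(action cost) - P(accident) * loss."""
    return -action_cost - marginal_accident(joint(**net_params)) * loss_if_accident


def best_action(actions, loss_if_accident):
    """Score alternative actions by expected utility; return (best name, scores)."""
    scores = {name: expected_utility(cost, loss_if_accident, **params)
              for name, (cost, params) in actions.items()}
    return max(scores, key=scores.get), scores


# Constructed decision alternatives: name -> (cost, changed net parameters).
ACTIONS = {
    "do nothing": (0.0, {}),
    "operator training": (2_000.0, {"p_h": 0.02}),
    "redundant equipment": (10_000.0, {"p_e": 0.001}),
}
LOSS = 1_000_000.0  # constructed monetary consequence of the accident

if __name__ == "__main__":
    net = joint()
    print("fault tree top event :", round(fault_tree_or(), 5))
    print("Bayesian net accident:", round(marginal_accident(net), 5))
    print("P(human error | accident):", round(posterior_cause(net, 0), 3))
    print("P(equip fault | accident):", round(posterior_cause(net, 1), 3))
    print("best action:", best_action(ACTIONS, LOSS)[0])
```

With these assumed numbers the OR gate overstates the top-event probability because it ignores the strength of the causal links, and observing the accident shifts most of the posterior weight onto the human-error node.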
12.3 Techniques for detailed/dedicated risk
assessment of subsystems and components
The techniques for detailed or dedicated assess-
ment of the probability/frequency of specific
components are many and the techniques are gen-
erally related to specific types of components. The
assessed reliabilities generally form the basis for a
specific entry in the overall system model and thus
can be used where data is not directly obtainable or
where new information needs to be combined with
the a priori information available. Often dedicated
assessments are made with respect to human and
organizational factors, structural reliability etc.
However, subsystems and individual constituents
can in some cases depending on their nature, also
be analyzed using the techniques applicable for the
overall system.
12.4 Techniques for analyses of effects
and impacts
Models for estimating the possible consequences
to humans, the environment and assets following
an accident, for example loss of containment of
hazardous materials, are very well developed for
specific applications. Although this part of the
risk analysis is of utmost importance for systems
with handling of materials that are hazardous to
persons and the environment, reference is made to
the literature on consequence calculations related
to process safety. Of these, only effects of fire and
explosion were the subject of a specific task in the
SAFERELNET project.
The risk assessment uses the results of the
suite of calculations and probability estimations
related to, for example, the release rate and compo-
sition, the dispersion of gas and toxic components,
the toxic effects, the ignition probability, the fire
types, the heat radiation, the explosion pressure,
the explosion effects, and the probabilities of colli-
sion and collapse.
These techniques should be used also for risk
reduction by improving the behaviour of equipment
and structures during accidental events (and/or the
utilization of their already built-in robustness),
thereby preventing accidents and escalation of
accidents.
13 RISK ACCEPTANCE
AND OPTIMIZATION
13.1 Risk criteria for decisions
Risk assessment may be used for ranking of
optional decisions and activities in a consistent
manner according to the expected utility (harm,
costs or benefits). Based on this the preferred deci-
sions can be recommended from an overall point
of view. However, it is just as important that the
risk assessments are used to check whether a given
activity is tolerable or if it may be justified to take
further measures to reduce the risk. The anchor
points for such a method are risk criteria.
Different decisions will imply different risks and
benefits. The representation of risk in terms of
expected utility facilitates decisions corresponding
to the preferences of the decision maker. Decisions
which do not yield a positive expected utility should
not be taken. Optimally the decision yielding the
largest expected utility/benefit is selected but there
could be constraints on the optional decisions
which are not explicitly included in the formulation
of the utility function. In these cases not all feasible
decisions may be acceptable or even tolerable.
In normative decision making, for example, on
behalf of a society, the issue of interest is to be
able to identify the decisions which to the greatest
extent fulfil the preferences of society. In such situ-
ations the opinion of individuals or groups of indi-
viduals is not of immediate interest. What is often
seen is that societal decisions divert from rational
principles of normative ones in order to fulfill per-
sonal or political incentives. Whereas such behavior
is often observed in society it may implicitly lead
to a distribution of the resources of society which
is suboptimal and non-ethical. It is believed that this
fact is not correctly appreciated by decision makers
at all levels in society and further information and
training is required.
Risk criteria can be considered as a special form
of general decision criteria which can be classified
under three “pure” types:
1. Utility based criteria—which involve decisions that
are based on the valuation of outcomes, i.e. on the
comparison in monetary terms of the benefits
obtained by adopting a particular risk prevention
measure and the cost of introducing it.
2. Rights-based criteria—are not primarily con-
cerned with outcomes. Their concern is with
process and allowed action or activities. An
extreme example of this type is the “zero risk”
criterion which says: independent of the bene-
fits and costs, and of how big the risks are, elim-
inate, or do not allow the introduction of the
risk. This type is typical for risk to humans.
3. Technology-based criteria—require the use of
the “best available technology” (or the best cur-
rent practice) for the acceptable risk reduction
or prevention. This type is widely used in envi-
ronmental regulations.
Utility based criteria can involve a balancing of
benefits and cost (in deterministic or probabilis-
tic cost-benefit analysis), or cost effectiveness can
be taken into account when the value of benefits
cannot be estimated (Fig. 5). The bounded cost
criterion deals with allocating the given resources
to achieve the maximum risk reduction, while the
multi-attribute utility criterion involves choices
between options with different attributes which in
general may not be scalable (i.e. on some occasions
it may be possible to convert each attribute to an
equivalent monetary value).
13.2 Utility based risk optimization
Technology based criteria may require qualifica-
tion of terms “current” and “best available” due
to rapid changes in technology, and therefore
“at affordable cost” is often added bringing this
type of criterion closer to utility based criteria.
It may be interesting to note that all the deci-
sion criteria are intended to be used for quantita-
tive comparisons of decision alternatives. Once the
risk quantifications are performed, any compari-
son with decision making criteria is, in principle,
straightforward.
According to the decision theory it is a prereq-
uisite that the risk assessments include and treat
all types of uncertainties in the same manner. Oth-
erwise, the decision analysis will be informal and
might lead to bad decisions.
It is sometimes argued that existing risk criteria
as listed in the foregoing are overly technocratic;
putting focus on the process of performing compli-
cated numerical evaluations of risk and neglecting
or suppressing the philosophical aspects of the deci-
sion situation. However, it will always be desirable
to establish a correct and rational basis for decision
making and this should always be the aim.
It is not the task of the decision maker to estab-
lish or understand the details of such a basis for
decision making on his own but rather to appreci-
ate the significance of any underlying assumptions
and the robustness of the decisions.
13.3 Risk criteria for human safety
In terms of the philosophical framework, most of
the safety risk criteria are a mix of the “bounded
or constrained risk” model and the “deterministic
cost-benefit” model, with the As Low As Reasona-
bly Practicable (ALARP) principle representing the
latter element, and the tolerability limit the former
(Fig. 6). It should be noted that the demonstration
of ALARP is the basis of safety legislation in the
UK; however, there is a tendency in the EU to mimic
this approach by requiring risk reduction based on
cost-benefit analysis.
Figure 5. Utility based risk optimization. (Plot of utility/benefits against decision alternatives of increasing safety, marking the feasible decisions, the tolerable decisions, the acceptable decisions and the optimal decision.)
Figure 6. The ALARP principle. Regions of the diagram, listed from highest to lowest risk:
• Unacceptable region: risk cannot be justified save in extraordinary circumstances.
• The ALARP or Tolerability region (risk is undertaken only if a benefit is desired): tolerable only if risk reduction is impractical or if its cost is grossly disproportionate to the improvements gained; tolerable if cost of reduction would significantly exceed the improvements gained.
• Broadly acceptable region (no need for detailed working to demonstrate ALARP): necessary to maintain assurance that risk remains at this level.
• Negligible risk.
13.4 The ALARP principle
In general it seems logical to assume that there is a
level of risk so high that in normal circumstances
activity is not pursued, i.e. the risk is not tolerated.
It can also be assumed that there is a level of risk
regarded as insignificant which is readily accepted
by people and regulators without searching for fur-
ther reduction. The region between these two levels
of risk is often called “tolerability region” and this
is the focus of most of the criteria. It is in this region
that ALARP has to be demonstrated in the UK.
‘Tolerability’ does not mean ‘acceptability’.
It refers to a willingness to live with a risk so as to
secure certain benefits and in the confidence that it
is being properly controlled. To tolerate a risk means
that we do not regard it as negligible or something
we might ignore, but rather as something we need
to keep under review and reduce still further if and
as we can. For a risk to be ‘acceptable’ on the other
hand means that for purposes of life or work, we
are prepared to take it pretty well as it is.
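The three regions and the gross-disproportion test described in this section and in 10.1, together with the parameter variation of section 9.3, can be worked through in a few lines. The Python sketch below is an added example and not part of the original text: the limits, the value of a statistical life, the disproportion factor, the candidate measures and the additive treatment of risk reductions are all constructed assumptions.

```python
"""Added illustration of the ALARP decision rule; every number is constructed."""
from dataclasses import dataclass

TOLERABLE_LIMIT = 1e-3    # assumed individual risk per year that is not tolerated above
ACCEPTABLE_LIMIT = 1e-6   # assumed broadly acceptable level
VOSL = 2_000_000          # assumed value of a statistical life (monetary units)
DISPROPORTION = 3.0       # assumed factor for "grossly disproportionate" cost


@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float      # monetary units per year
    risk_reduction: float   # reduction of individual risk per year (assumed additive)


def region(risk):
    """Place an individual risk level in one of the three regions."""
    if risk > TOLERABLE_LIMIT:
        return "unacceptable"
    if risk > ACCEPTABLE_LIMIT:
        return "ALARP"
    return "broadly acceptable"


def reasonably_practicable(measure, exposed, vosl=VOSL, factor=DISPROPORTION):
    """A measure is required unless its cost exceeds factor x monetised benefit."""
    benefit = measure.risk_reduction * exposed * vosl   # value of fatalities averted per year
    return measure.annual_cost <= factor * benefit


def reduce_risk(risk, measures, exposed, vosl=VOSL, factor=DISPROPORTION):
    """Apply measures, cheapest per unit of risk reduction first.

    Above the tolerability limit a measure is applied regardless of cost;
    inside the ALARP region only if it passes the gross-disproportion test.
    Returns (residual risk, names applied, final region).
    """
    applied = []
    ranked = sorted(measures, key=lambda m: m.annual_cost / m.risk_reduction)
    for m in ranked:
        where = region(risk)
        if where == "broadly acceptable":
            break
        if where == "unacceptable" or reasonably_practicable(m, exposed, vosl, factor):
            risk -= m.risk_reduction
            applied.append(m.name)
    return risk, applied, region(risk)


def sensitivity(risk, measures, exposed, factors):
    """Vary the disproportion factor to see how robust the chosen set is."""
    return {f: reduce_risk(risk, measures, exposed, factor=f)[1] for f in factors}


# Constructed case: 50 exposed persons, baseline individual risk 2e-3 per year.
BASELINE_RISK = 2e-3
EXPOSED = 50
MEASURES = [
    Measure("gas detection", 20_000, 1.2e-3),
    Measure("blast wall", 400_000, 5e-4),
    Measure("procedure review", 5_000, 2e-4),
]

if __name__ == "__main__":
    residual, applied, final = reduce_risk(BASELINE_RISK, MEASURES, EXPOSED)
    print(f"residual risk {residual:.1e} ({final}); applied: {applied}")
    for factor, names in sensitivity(BASELINE_RISK, MEASURES, EXPOSED, (1.0, 3.0, 10.0)).items():
        print(f"factor {factor}: {names}")
```

In this constructed case the blast wall is rejected at factors 1 and 3 but required at factor 10, so the outcome depends on a parameter the page does not fix.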
13.5 Societal preferences for investments
into life saving
In a society with limited resources there is an
urgent need to establish a basis for deciding how
and how much of the available resources should be
allocated for life saving activities.
Within the last decade a philosophically founded
mathematical framework has been formulated and
empirically verified which allows for the assessment
of the preferences of a given society into investments
of life saving. The idea underlying the framework is
the use of a Life Quality Index encompassing the
behavior of all individuals on an average scale, in
terms of suitable societal indicators such as the
gross domestic product per capita, the life expect-
ancy and the time spent earning a living. The LQI in
this way is comparable to the UN Human Develop-
ment Index. The LQI implicitly describes the large
scale preferences of the individuals in society and as
it also relates the economic capability of a society
with life expectancy, it is possible to derive from the
LQI how much a given society implicitly values life.
Due to the character of the LQI it is obvious that
its use results in different optimal investments into
life saving activities for different societies. Based on
the concept of the LQI it is possible to include the
monetary consequence of loss of human lives for
a society directly into engineering decision mak-
ing such as, for example, optimal life-cycle benefit
based design and maintenance.
13.6 Tolerability limits
Determination of tolerability limits is based on
risk perception and the adopted approach to risk
management (goal setting or prescriptive). The
following approaches can be distinguished:
• In the UK tolerability limits have been derived
from observations of the way people instinctively
react to different levels of risk in the absence of
any understanding of quantity. This approach
implicitly mixes up the premises for normative
decision making with the personal preferences of
the decision maker, involving human reactions
and choice. The tolerability region in the UK is
three orders of magnitude wide and most of the
industrial activities are positioned somewhere
in the middle. This means that the tolerability
limits in the UK are not used as instruments
of primary control, but the ALARP dynamic
is relied upon to bring down the risk. Besides
forcing reasonable measures for risk reduction,
ALARP is associated with cost-benefit calcula-
tions based on the cost of averting a fatality, the
Value of Statistical Life (VOSL) or Social Value
of a Statistical Life (SVSL) which may all be
derived from the Life Quality Index principle.
• Imposing risk reduction by means of tolerabil-
ity limits which also represent a risk “target”.
This also means allowing increase in risk up to
the tolerability limit which is obviously set fairly
low. This is the situation in the Netherlands.
• There are proposals to evaluate “necessary,
affordable and efficient” tolerability limits
based on the country’s Gross Domestic Prod-
uct (GDP), the life working time, the life quality
index, etc. The lower limit in this case corresponds
to “absolute liability” and is applicable to
the owner or the duty holder and includes com-
pensation to the bereaved families of the victims
of an accident. The upper limit corresponds to
the value of a statistical life balancing the spend-
ing on risk reduction with the overall economic
performance taking account of the Life Quality
Index. This approach facilitates calculation of
the optimal cost for risk reduction (i.e. that is
affordable and efficient) and is applicable to the
high level (e.g. government) decision making.
14 CONCLUDING RECOMMENDATIONS
This framework document contains a number of
important recommendations:
• The need is emphasized for a theoretically sound
basis for risk based decision making where all
uncertainties influencing the risks are accounted
for, consistent with available information and
knowledge. The suggested detail of a given
risk assessment may be adjusted to the needs
in a given situation but, in general, it may be
observed that if a risk assessment is needed at
all, it should also be correct.
• Risk based decisions should be based on
expected benefits or risks. The introduction of
confidence on risk estimates is not compatible
with rational decision making.
• It is underlined that risk assessments should
include a complete assessment of consequences.
To this end it is suggested that, in addition to the
direct consequences of damage and failure,
the possible subsequent consequences which
may occur due to the combination of direct
consequences should also be considered explicitly.
This approach eliminates the need for any con-
cepts of risk aversion in normative risk based
decision making.
• Generic and indicator based approaches for the
representation of systems in risk assessment may
greatly enhance the integrated consideration of
risks due to human, organizational, technical,
structural or natural failures and uncertainties.
It is strongly recommended that risk assess-
ments be formulated within a Bayesian proba-
bilistic framework whereby any information
about the system may be taken into account at
any time and thus used to update the risk model
consistently.
• The number of different techniques available
for risk analysis is considerable but many tech-
niques are developed for relatively narrow fields
of application and are thus of limited value
in the context of integrated risk assessments.
Whatever technique is selected for a specific task
in a risk assessment, the important aspect is to
understand its capabilities as well as the limita-
tions. Modern techniques based on probabilistic
nets of different sorts appear to provide a good
platform for integrated analysis.
• Decision making based on risk assessments may
be readily performed through optimization or
what is often referred to as cost-benefit analysis.
The criterion which is currently considered best
practice across the industries and EU member
states for the assessment of acceptability and
tolerability of risks is the ALARP principle.
However, at present there is a large degree of arbitrariness
in how this criterion is implemented and
this is seen as a hindrance for rational decision
making. New concepts based on the Life Quality
Index are available to provide a consistent and
rational basis for the assessment of acceptability
and tolerability. The implementation of this
concept on a broad scale would enhance deci-
sion making for the benefit of the societies and
the industries of the EU member states.
• The precautionary principle is often misinter-
preted as being an obstacle for the development
of new technologies and products. On the con-
trary, the precautionary principle should rather
be considered as a way to establish a well documented
decision basis, which reflects all relevant available
information and knowledge, whenever
decisions could imply high consequences.
ACKNOWLEDGEMENTS
The work presented was performed within the EU
Project on “Safety and Reliability of Industrial Products,
Systems and Structures” (SAFERELNET),
(www.mar.ist.utl.pt/saferelnet), which is funded
partially by the European Commission under the
contract number G1RT-CT2001-05051 of the pro-
gramme “Competitive Sustainable Growth”.
This document has benefited from various
comments and suggestions from several project
partners, while it was being prepared, which are
gratefully acknowledged. Special thanks are due
to I.B. Kroon, V. Trbojevic, R. Rackwitz, H. Bolt,
S. Medonos and I. Kozine.
Safety and Reliability of Industrial Products, Systems and Structures – Guedes Soares (ed)
© 2010 Taylor & Francis Group, London, ISBN 978-0-415-66392-2
Framework for safety, security and sustainability risk management
A.G. Hessami
Atkins, UK
Presently with Vega Systems, UK
ABSTRACT: The management of risks is regarded as a key element of good business practice
and governance. Whilst many aspects of business activities entail degrees of risk often left to the discretion of
the enterprise, the safety, environmental and governance issues are increasingly scrutinised and regulated.
A systematic regime for management of risks across many diverse disciplines by necessity requires
a rational, structured and adaptive approach since the application requirements would differ in
each sector/industry, depending on the specifics of the technology, the environment and resources
employed.
This paper is aimed at reviewing best practice and developing a generic risk management framework
founded on a number of systemic principles. A candidate framework founded on seven key principles
is derived and proposed for adoption. The framework offers a strategic yet consistent and scaleable
approach to risk management which can be mapped to the specific requirements of a team, section,
organization or industry sector as appropriate. The proposed framework is principally focused on safety,
security and environmental protection/sustainability dimension of products, infrastructures, systems
and services.
1 INTRODUCTION
The rapid development of technology generates
new products, systems and process knowledge
often with significant potential to improve technical,
commercial and environmental performance
and enhance the overall quality of life. However, the
innovations especially those with embedded intelligence
and adaptability are plagued by uncertainty
about their overall characteristics including the
concern about the risks arising from their adoption.
To this end, a systemic assurance process and
associated methodologies are required to underpin
verification, validation and enhanced confidence
in the desired performance of commercial, industrial
and technological systems and innovations.
The regulatory regime is the key instrument in
the overall certification (approval) and deployment
(acceptance) of innovations. Many developments
including the safety case regime mandated within
nuclear, offshore and rail transportation in the UK
are intended to pave the way to enhanced confidence
as well as rapid deployment of modern innovations.
In this context a systematic and adaptive
approach to identification, control and management
of risks is fundamental to the achievement,
maintenance and improvement of the overall
performance of products, processes, systems and
undertakings.
1.1 Background
Products, processes and systems exhibit a number
of emergent facets in their performance which are
either inherent or perceived by the relevant stakeholders.
These generally comprise:
• technical and functional;
• commercial;
• safety;
• security and vulnerability;
• environmental;
• reliability, availability and maintainability;
• quality;
• perceived value.
Amongst these often inter-related aspects
of performance only safety and environmental
dimensions of products, processes and systems are
subject to regulation. Safety is a major societal concern
and amongst the few aspects of business and
social activities which are subject to regulatory and
legal constraints. Understanding the key factors
influencing the overall safety, security and environmental
performance of various industrial and
infrastructure systems will lead to the development
of policy initiatives to promote higher integrity,
more cost-effective and environmentally acceptable
solutions at the EU level. It will also simplify regulation
while providing transfer of knowledge and
expertise from more successful domains and states
to those which have evolved at a slower pace.
A European Union Council Directive 2002/22/EC
on Safety on the Community’s Railways
was issued in April 2003. The thrust of the
so-called Safety Directive is aimed at harmonising the
principles, approach and sub-cultures in member
states which would otherwise pose technical barri-
ers to integration and interoperability. In this spirit,
it typifies the need for a systematic framework to
ensure the approach and outcome of efforts spent
on management of risks which may arise from
any one of seven different aspects of performance
(technical, commercial, etc.) are consistent, effec-
tive and preferably harmonised across many indus-
trial and service sectors within the EU.
This paper develops a generic framework which
can be adapted and applied to any product, proc-
ess, system, environment, undertaking and indus-
try with risk, safety, security and environmental
implications. In this spirit, the framework is a goal
setting environment for effective, scaleable and har-
monised management of safety, environmental
and potentially other (technical, commercial) risks
at product, project, team, organisation, infrastruc-
ture, industry or state level as appropriate. Given
the adaptive and scaleable nature of the proposed
framework and its heavy reliance on creative haz-
ard identification and risk assessment activities, it is
prudent to relate this to a systematic and consistent
framework for identification, assessment and evaluation
of risks. The development of a synergistic
risk assessment framework is beyond the scope of
this paper; however, a candidate framework is
referenced (Engineering Safety Management Issue 3).
2 RISK MANAGEMENT & ASSURANCE
2.1 Current practice
A review of the current practices across many
industrial and service sector organisations was
undertaken at the outset to establish the baseline
and existence of any systematic frameworks in
use. This was partly constrained by the limited
published account of how the responsible organi-
sations addressed their safety and security risks.
In this context, most of the surveyed literature
related to safety management systems adopted by
the relevant organisations. For brevity, a graphical
notation known as the Weighted Factors Analy-
sis (WeFA) schema was adopted for the capture
and representation of the safety management sys-
tems reviewed. Whilst the detailed description of
the methodology is given in the literature, a brief
account is given here to facilitate comprehension of
the review outcomes presented in WeFA notation.
WeFA is a hierarchical, creative and graphical
knowledge capture and representation methodol-
ogy comprising three fundamental objects referred
to as the aim, goals and influences. The aim of a
WeFA schema is the focal point of the study and is
depicted by a description captured within an ellipse
and annotated by A0. The goals are principally
in two classes referred to as drivers and inhibitors.
The driver goals are those factors (physical or intan-
gible) which are known or perceived to contribute
to the attainment of the aim. The inhibitor goals to
the contrary are factors, again physical or intangible
which militate against the attainment of the aim.
The influences are simply arrows acting as connec-
tors between the objects. A typical WeFA schema
comprises an aim, a limited number of driver and
inhibitor goals. The driver goals are represented by
a description captured within an ellipse with bright
background colour connected to the aim by a for-
ward green arrow. The inhibitor goals are repre-
sented by a description captured in an ellipse with a
grey background, connected to the aim via a reverse
red coloured arrow. The driver goals are numbered
in a clockwise direction from top-centre as G1, G2,
etc. and those of the inhibitors numbered in an anti-
clockwise direction starting with G1, G2 but with
a bar on or below the number etc. The driver and
inhibitor goals in a WeFA schema can in turn be
analysed and hierarchically decomposed into lower
level driver/inhibitor goals. The decomposition is
pursued until sufficient clarity is arrived at for the
purpose of the study. The level of detail in the analy-
sis is thus determined by the value judgements exer-
cised by the stakeholders.
The outcome of the reviews into cross-sectoral
international approach to risk and safety manage-
ment undertaken is principally presented in the
WeFA schema form with an outline explanatory
account for brevity.
2.1.1 Safety platform—UIC
The working group referred to as the safety plat-
form within the international union of railways
(UIC), have devised a safety management frame-
work (UIC Safety Platform). This is depicted in
the WeFA schema of Figure 1 below.
The nine driver goals within the above
schema are:
• Remedial action;
• Safety policy;
• Responsibilities and competencies;
• Involvement of resources;
• Definition of safety targets;
• Definition of risks;
• Training and competency;
• Internal SMS monitoring;
• Internal SMS audit.
2.1.2 Safety management in the process industry
Earlier research in the structure and culture of
safety management in the chemical and nuclear
industries conducted as part of the funded
European project SAMRail has identified the
key elements and attributes of such a system.
These are depicted in the WeFA schema of
Figure 2.
The eight level 1 goals within the above
schema are:
• Business processes;
• Risk inventory;
• Risk barriers and controls;
• Risk management system;
• Inspection and monitoring;
• Auditing and management review;
• Incident and accident registration & analysis;
• Societal and regulatory criteria.
2.1.3 Safety management in Canadian railways
The published safety management regime within
the Canadian railways comprises 11 key elements
as depicted in the WeFA schema of Figure 3.
The eleven level 1 goals in the above schema are
as follows:
• Safety policy;
• Authority, responsibility & accountability;
• Employee involvement;
• Compliance with regulations;
• Risk management process;
• Risk control strategies;
• Accident and incident reporting;
• Skill, training & supervision;
• Safety performance data collection;
• Safety audit and evaluation;
• Corrective action development.
2.1.4 Safety management in the FAA, USA
The Federal Aviation Administration (FAA) in
the USA employs a streamlined approach to the
safety management in the industry as depicted in
Figure 4.
The five main level one goals in the FAA system
comprise:
• Plan;
• Hazard identification;
• Analysis;
• Risk assessment;
• Decision.
[Figure 1: WeFA schema. Aim: Safety Management System (Safety Platform). Goals:
G1: REMEDIAL ACTION: definition, approval, implementation and monitoring
G2: Safety POLICY
G3: RESPONSIBILITIES, competencies and appointments in the field of safety; MANDATORY rules
G4: Involvement of RESOURCES
G5: Definition of safety TARGETS and planning of safety initiatives
G6: RISKS
G7: Competencies, INITIAL TRAINING, further training and STAFF monitoring
G8: Internal monitoring (feedback): collection and analysis of safety data
G9: Internal SMS AUDITS]
Figure 1. The safety management system according to
the safety platform working group at the UIC.
[Figure 2: WeFA schema. Aim: Safety Management System (Academic Research). Goals:
G1: Business processes (primary & subsidiary) in all life cycle phases
G2: Risk inventory & analysis in all LCPs and the transitions between them
G3: Risk barriers & controls (b&c) for all LCPs & transitions + requirements for their good functioning (life cycle of b&c)
G4: Risk management system to provide all requirements for good functioning of technical/procedural barriers & controls
G4.1: Commitment, conflict resolution
G4.2: Communication, coordination of groups
G4.3: Procedures, rules, goals
G4.4: Hardware, equipment, tools
G4.5: Interface, ergonomics
G4.6: Availability, planning of people & hardware
G5: Inspection & monitoring (technical, behavioural)
G6: Auditing & management review
G7: Incident & accident registration & analysis
G8: Societal & regulatory criteria, benchmarking, response to market pressures
G9: Competence, suitability of people]
Figure 2. The safety management system according to
the academic research in the process industry.
[Figure 3: WeFA schema. Aim: Safety Management System (Canadian Railways). Goals:
G1: Safety Policy
G2: Authority, responsibility, & accountability
G3: Employee involvement
G4: Compliance with Reg, rules, standards & orders
G5: Risk management process
G6: Risk control strategies
G7: Accident & incident reporting, investigation & analysis
G8: Skill, training & supervision
G9: Safety performance data collection & analysis
G10: Safety audit & evaluation
G11: Corrective action, development approval & monitoring]
Figure 3. The safety management system according to
the Canadian railways.
Figure 4. The safety management system according to
the US Federal Aviation Authority.
2.1.5 Safety management according to HSE, UK
The UK health and safety regulator (HSE) has
published guidelines on the best practice approach
to the successful management of health and safety.
This is depicted in the WeFA schema of Figure 5.
The five goals in the HSE best practice safety
management framework comprise:
• Policy;
• Organization;
• Planning & implementation;
• Measuring performance;
• Review;
• Audit.
2.2 A critique of existing approaches
The examples of current practice cited above
within a diverse range of industries and applica-
tions invariably share some aspects and collectively
have a number of discernable attributes namely:
• Mainly empirical in nature;
• Focused on the needs of a particular industry or
sector;
• Not scalable for application at various levels of
project or organizational perspective;
• Failing to address the entire spectrum of risks
from causative factors to response to accidents
and eventual recovery strategies;
• Some being fairly generic and lacking specific qualities
which make them instantly recognizable as
a risk management solution for safety;
• Often lacking adequate attention to security
issues;
• Lack of sufficient attention to environmental
and sustainability issues;
• Lack of relevance or sufficient emphasis on
human, behavioural, cultural and organizational
factors underpinning success;
• Almost complete absence of a numerate
approach to assessment and management of
risks with a view to arrive at an objective recog-
nition of risks;
• Insufficient focus on benchmarking, goal setting
and the need for a continuous improvement in
performance;
• Lack of systemic relationship between elements.
Taking these dysfunctional aspects in the cur-
rent practice into account, the need for a system-
atic and credible framework based on a systems
perspective is strongly felt.
2.3 Derivation of the principles
A principle is regarded as a fundamental truth or
proposition on which many others depend. It is
also regarded as a fundamental assumption form-
ing the basis of a chain of reasoning. It is argued
that a management regime founded on a suite of
principles will be superior in terms of its stability,
integrity, effectiveness and its capacity to be adapt-
able and scaleable for multiplicity of circumstances
and stakeholders since it is constructed using a set
of fundamental & universal truths. A framework
for management of risks should inherently address
all life-cycle phases and issues comprising:
• Identification/recognition of fundamental faults
and failures (causes of hazards, threats and
vulnerabilities);
• Allowing for epistemic and aleatory uncer-
tainties taking a precautionary approach as
appropriate;
• Prediction of realisation/occurrence of hazard-
ous states arising from random and deliberate
causes;
• Identification of potential escalation of hazard-
ous states into accidents;
• Coverage of post accident scenarios, actions and
recovery processes;
• Human organisation, culture, capabilities, res-
ourcing, procedures and requisite competencies;
• An inherent monitoring and measurement sys-
tem underpinning a feedback and enhancement
regime based on a suite of lagging and leading
predictors and indicators.
On the other hand, assurance is synonymous
with gaining increasing confidence about the performance
of an often complex product, process or
system so that:
• It delivers an optimal level of essential and desirable
properties/performance;
• It is free from an unacceptable level of undesirable
properties/performance.
A systems framework based on a complete
and inter-related set of principles for performance
assurance would enhance the degree of confidence
that apart from the delivery of required
functionality, the product, process or system is free
from vulnerabilities/potentially harmful properties
and behaviours hence assurance. The review of
risk management practice as depicted above provides
a basis for classification of the key objectives
and clustering of a number of requisite systemic
principles.
[Figure 5: WeFA schema. Aim: Safety Management System. Goals:
G1: Policy
G2: Organisation
G3: Planning & Implementation
G4: Measure Performance
G5: Review
G6: Audit]
Figure 5. The safety management system according to
the UK Health and Safety Executive.
2.4 Risk management system—principles
Compliance with the generic requirements cited
above requires a systematic scrutiny of fault-failure-accident
scenarios to ensure a comprehensive risk
perspective. In reality, adopting a hazard/threat
based approach to risk assessment and management
generates a more systematic framework for
coping with varieties of risks. A fault-error-failure
sequence is proposed to address the processes
leading to the realisation of a hazardous state or
event in a product, process or system. Consideration
of the post hazard horizon in this approach
involves identifying the potential escalation scenarios,
the defences against accidents, the range of
accidents that arise due to the failure of defences
and response and recovery regimes for each major
accident scenario. Therefore the systematic framework
for risk management comprises the following
seven principles:
1. Prediction & Proactivity;
2. Prevention;
3. Containment & Protection;
4. Preparedness & Response;
5. Recovery & Restoration;
6. Organisation & Learning;
7. Continual Enhancement.
These principles collectively address the total
risk landscape and are inter-related in a systemic
fashion rendering a holistic system and an inclu-
sive and comprehensive approach to risk man-
agement. A diagrammatic representation of the
framework is depicted in the WeFA schema of
Figure 6.
The principles cited here also relate to the
SafeRelNet framework for risk assessment in a
consistent and demonstrable way. The principles
are detailed below.
2.4.1 I—Prediction & proactivity principle
The primary principle in systematic assurance
is that of Prediction which involves analysis and
identification of credible system modes and haz-
ardous states, anticipation of escalation scenarios,
assessment of the baseline risks and taking hard
and soft risk control measures in advance of fore-
seeable accidents. This is akin to advanced prog-
nosis and by necessity involves developing and
implementing methods and procedures to assess
the risks and establish the baseline performance in
order to support the case for further risk reduction
or mitigation as appropriate.
The principle is the focal point for the identi-
fication (Prediction or forecasting) of foreseeable
activities, modes and states within a system which
adversely affect performance (safety, security, envi-
ronmental, reliability etc.) comprising normal,
degraded, failure and emergencies and the triggers
and transitions for these.
The administrative, strategic and implementa-
tion facets of performance are addressed through
proactivity principle comprising policy, planning,
resourcing and determination of strategy and
plan for compliance with existing, emerging and
modified directives, regulations, rules and manda-
tory standards. Proactivity also implies setting the
ground rules/norms and the scene for Prevention,
Protection, Response and Recovery policies (BS
EN ISO 9001:2000, BS EN ISO 14001:1996).
Establishing communications channels between
internal and external stakeholders including the
production of a safety or security or environmental
case for the organisation or undertaking, a portfo-
lio of relevant management manuals, a document
management system and a configuration manage-
ment and change control system also fall within
the scope of Proactivity.
2.4.2 II—Prevention principle
Once the baseline performance is established
through Prediction and the need for risk reduc-
tion is identified, the Prevention strategy provides
the most logical and prudent approach to the
realisation of this objective. Prevention principle
addresses the analysis of the known and predicted
hazards/vulnerabilities, understanding of their
causation chain and identification of the measures
capable of eliminating or reducing the likelihood
of hazardous states.
Prevention strategies are best attempts at
reducing the causative factors (faults, errors
and failures) and comprise a broad range of
technical, procedural and human competence
related measures. This is the cornerstone of most
industries’ traditional approach to ensuring safe
states through design and implementation of fail
safe systems, inspections, preventative maintenance,
selection, training and briefing of staff.
However, whilst prudent, these measures fail to
completely eliminate or control the hazardous
states thus assurance of desirable performance of
the overall system cannot rely on the success
of preventative strategies alone.
Figure 6. The risk management system framework.
The Prevention focus ensures all causations and
escalation routes to hazardous states are identified,
analysed and all credible and reasonably practica-
ble elimination and control measures are evaluated
and implemented. This includes advanced design
techniques and architectures, scheduled and pre-
ventive maintenance activities, design reviews and
consideration of appropriate technologies aimed
at avoiding hazardous states and maintaining the
functionality and integrity of the system.
2.4.3 III—Containment & protection principle
The thrust of the classical approach to performance
assurance of systems and operations is embodied
in the designs, architectures, rules, processes, sys-
tems and behaviours which are mainly based on
the Prevention philosophy as cited before.
Whilst allocating resources and focusing attention
on Prevention is rational and prudent, it
should not be at the expense of mitigating the
residual risks, once undesirable hazardous events
occur. The aim here is to determine the escalation
mechanisms/scenarios for hazardous conditions
and establish strategies, responsibilities, solutions
and programme of action aimed at Containing the
energy or potential of hazardous states in such a
manner that they would not readily escalate into
accidents potentially causing commercial, environ-
mental and human harm/loss.
Having failed or discounted prevention, the
preference here is to set up effective barriers to
escalation and where possible, turn hazardous
occurrences into incidents or lower severity acci-
dents. The second aspect to this is to attempt to
“protect” the people, property or environment at
risk against potential injuries, fatalities and dam-
age should accidents occur or attempt to reduce
the severity of such harm/damage.
The Containment and Protection principle is
developed and proposed in recognition of the fact
that in spite of major efforts by duty holders, haz-
ardous states do occur in many systems and envi-
ronments often driven by complexity and change
or adoption of unproven yet promising innova-
tive technologies. It is prudent therefore to have
strategies, plans and measures in place to reduce
the harm which would otherwise be caused by
the escalation of these states if not detected and
controlled in a timely and effective manner.
The Protection focus ensures that the escalation
paths for credible hazardous states are recognised
and reasonably practicable hard and soft measures
(barriers) are identified, assessed and adopted or
strengthened to detect and rectify the hazard esca-
lation and where not possible mitigate the conse-
quences post accident.
2.4.4 IV—Preparedness & response principle
The essence of risk management lies in the success
of the Proactivity, Prevention and the Protection
strategies and risk control initiatives. However, in
view of the complexities inherent in many indus-
trial, infrastructure and service sector operations
nowadays, accidents do occur from time to time. In
the same spirit, a high degree of anticipation and
preparedness for responding to emergencies and
degraded modes of operation is an integral facet
of ensuring the impact is kept to a minimum (Civil
Contingencies Secretariat).
The Preparedness is an aspect of organisational
and resource planning and provision which entails
anticipating, planning, resourcing, training and
clarifying roles, responsibilities, communications,
command structure and exercises to address criti-
cal classes of degraded, failure and emergency
states occurring within the operational environ-
ment. This by necessity requires a degree of learn-
ing from past experience as well as anticipating
new scenarios when changes are enforced to the
organisation, composition, structure or the opera-
tion of the systems being managed.
The Response dimension of the principle is
mainly concerned with the implementation of the
Preparedness plans comprising:
• mobilising resources for presence on the scene
and in pre-planned support roles in a timely
manner;
• protecting the site of an accident;
• evacuating the affected parties and the public;
• determining a command structure to manage
each event;
• informing civil authorities, emergency services
and other relevant stakeholders with a view to
protect and rescue those exposed or involved in
the circumstances and minimise the degree of
harm which would otherwise be sustained;
• implementing the preparedness and response
plan;
• minimising overall harm and loss arising from
an accident.
The Preparedness and Response principle
also addresses contingency scenarios i.e. new/
unexpected degraded, failure and emergency
aspects and circumstances for which, a general class
of reaction is required as a safety net against all
unforeseen cases. The Preparedness and Response
focus ensures optimal reaction to accidents and
catastrophes is recognised and attained with a view
to minimise safety, property and environmental
losses in such circumstances.
2.4.5 V—Recovery & restoration principle
The timely and appropriate response to incidents
and accidents ensures those affected or exposed to
hazardous states receive optimal help and support
with a view to minimise any harm/damage which
would otherwise be incurred in the circumstances.
However, depending on the severity and nature of
the degraded, failure or emergency state, a degree
of anticipation, advance planning and resourcing
is required to initiate timely and efficient Recovery
activities on the affected system or infrastructure.
Recovery after incidents and accidents essentially
begins after the Response process has resulted
in ensuring the safety/security of the affected
or exposed people and is mainly concerned with
the requisite processes and resources to repair
the damage incurred in a safe, timely and effi-
cient manner working towards the resumption of
service and Restoration of the system to the nor-
mal state. It may also arise from disturbances to
the system including preventive or reactive main-
tenance when the system is being brought back to
normal operational state. Depending on the nature
of the degraded, failure or emergency, the Recov-
ery activities may additionally impose various risk
control restrictions on the functionality, infrastruc-
ture or the operation of the system.
The Restoration addresses the rules, processes,
roles, tests, competencies and authorities required
to ensure the state of the infrastructure or opera-
tions after the Recovery activities are technically
sound and acceptably safe and secure for return to
restricted or normal service. In this spirit, Recov-
ery and Restoration are assurance related activi-
ties. Restoration may be achieved in a number of
phases culminating in the full resumption of the
normal operational state.
The Recovery and Restoration focus ensures
the repairs to the infrastructure and production
system post disturbances (including maintenance)
and accidents are carried out in a safe and efficient
manner and the subsequent deployment is subject
to a systematic test, verification and validation
process.
2.4.6 VI—Organisation & learning principle
The achievement, maintenance and improvement
of the overall performance of any system or opera-
tion is contingent on timely appropriate actions
assured through a learned and competent human
organisation focused on the assurance tasks.
The Organisation principle addresses the entire
spectrum of human resource issues pertinent to
the maintenance and improvement of perform-
ance including recruitment, induction, deploy-
ment, training, briefing and communication of
critical issues, qualifications, fitness, certification
and regular verification and validation of the capa-
bilities and competencies.
Traditionally, assurance is treated as a specialist
discipline and relegated to a particular group of
staff solely concerned with this objective. How-
ever, whilst performance assurance like other dis-
ciplines has its specialist niches, its recognition,
understanding of the underlying concepts, care
for other people’s health, safety, security and wel-
fare constitute a broad suite of beliefs, values and
practices referred to as organisational culture. The
recognition, promotion and nurturing of this cul-
ture is a crucial factor in the success of policies
and initiatives within an organisation. Assurance
culture promotes the notion that apart from spe-
cialist activities, knowledge, practices, beliefs and
values in accident prevention should be common
to all who have a role in the provision of service
or systems with a potential to cause harm to the
customers, employees and the general public or
damage to property.
The organisation does not necessarily imply a
dedicated arrangement for risk management, fun-
damentally separate from other functions of the
business or service, infrastructure management or
other stakeholders. Apart from specialist activi-
ties, a supportive and pervasive assurance culture
must be developed and promoted throughout the
organisation including education, briefing and
establishment of a confidential channel for com-
munication of observations, suggestions and feed-
back on all performance related matters. In this
spirit, the principle underpins all other aspects of
the framework since it provides the human motive
force for realisation of all other principles inherent
in safety/security management.
The other facet of the Organisation principle is
the ability to learn and capitalise on the new and
emerging knowledge for improving performance.
A key instrument supporting the learning process
is development, implementation and maintenance
of a corporate memory to underpin the record-
ing, retrieval and processing of relevant knowledge
and resultant learning. The corporate repository
of performance information must include an up-
to-date directory of infrastructure, systems and
operational hazards which needs to be initiated at
system level whilst being updated for local condi-
tions. This repository must be made accessible to
all stakeholders to inform them about all pertinent
issues which may relate to their roles, tasks and
undertakings within the system.
The repository of performance information
should additionally include records of reported
failures, incidents and accidents and any analy-
sis establishing causation, escalation mechanisms
and the degree of harm or damage caused. Whilst
such analysis is carried out under the Continual
Enhancement principle, it is crucial that these are
captured, shared openly and employed actively
to enhance systems and processes with a view to
prevent future occurrences (Prevention principle).
This is a costly but essential aspect of learning
from what amounts to the failures of the manage-
ment system.
Finally, the Organisation principle must cater for
the relationships, reporting structure, licensing and
responsibilities of various stakeholders involved
in the design, installation, operation, maintenance
and disposal of the infrastructure, production sys-
tem and its constituents.
The focus on Organisation and Learning ensures
that competent people are recruited, trained and
tasked with assurance related activities and lessons
are learnt from faults, failures, incidents and acci-
dents with a view to eliminate or minimise future
occurrences or associated losses.
2.4.7 VII—Continual enhancement principle
The principles and their inherent activities cited
earlier can underpin achieving and sustaining a
desirable performance in the context of a product,
process, system or organisation. However, improv-
ing quality of life, advancing social values and con-
sequent emerging legislation, rules and standards
tend to demand more stringent targets, more
responsive behaviours and improving overall per-
formance. The other key driver is the rising con-
sciousness in the society about duty of care and
negligence by people and organisations delivering
services and products and the consequent crimi-
nal, civil claims and fines in the event of accidents
causing harm to victims or the environment.
The inherent complexities of the infrastruc-
ture, production systems and operations in indus-
trial and service sectors as well as the increasing
demand for incorporation of novel technologies
pose a challenge to the maintenance of perform-
ance levels during the transition. A rational, sys-
tematic and scientific approach to the traditionally
empirical treatment of assurance matters is called
for. Identification of key performance predictors
and indicators, measurement and proactive control
of risks are key instruments in the new approach.
The Continual Enhancement of various facets
of performance necessitates an objective appre-
ciation of the existing drivers, actors, faults, fail-
ures, hazards, targets and existing performance
levels before reasonably practicable options are
identified and assessed for improvement. To this
end, a comprehensive approach to identification,
monitoring and measurement of precursors to
accidents, agreement on relevant performance
criteria and normalising factors, audit of safety/
security processes and culture, review of targets
and making a case for performance improvements
constitute the essence of this principle.
The enhancement of performance may arise
from the identification and strengthening of the
barriers to causation or escalation of the hazardous
states or complete elimination of hazards/
vulnerabilities through adoption of novel or emerg-
ing methods and technologies. The extent and scope
of the performance improvements may be driven
by revised targets, new standards or emerging lower
cost technologies making risk reduction reasonable
when contrasted against the likely gains.
The corporate repository of performance
information cited under the Organisation Princi-
ple should also be actively reviewed for detecting
trends in the underlying causes, precursors to acci-
dents and near hits (strangely referred to as near
misses). This information should be communicated
with all stakeholders and employed as a potent tool
to eliminate the unacceptable levels of faults, fail-
ures and errors arising from human or automation
sources, thus preventing accidents.
The focus on Continual Enhancement ensures that attainment of tolerable levels of overall performance is treated as a dynamic and evolving objective subject to a systematic measurement and assessment regime and cost benefit justification. The attainment and demonstration of compliance with regulatory and industry benchmarks should additionally underpin the need and quest for performance enhancement.
2.5 Risk management system—the framework
2.5.1 Risk management framework
The seven principles inherent in the safety, secu-
rity and environmental performance assurance of
products, processes, systems and organisations fall
into three broad categories.
The first principle, Prediction and Proactivity,
is mainly concerned with establishing an envi-
ronment and a baseline for the product, process,
system or organisation in terms of its desirable
properties and performance. It represents an
antithesis to reactivity in facing the potential of
accidents. In this spirit, Proactivity is fundamental
to the achievement and improvement of perform-
ance since it emphasises that plans and resources
must be devised, secured and applied in advance
of incidents and accidents to enable the duty hold-
ers to eliminate or mitigate the risks in preference
to learning from accidents. This principle is there-
fore akin to prognosis.
The second group, comprising Prevention, Protection, Response and Recovery, is mainly associated with understanding and tackling the causation and escalation of accidents and the preparedness in responding to emergencies with a view to minimise harm and losses.
The third and final group of two principles relates to the significant role that the human organisation, communications, responsibilities, beliefs and culture, competencies, certification, regulation and corporate memory/learning play in the attainment and improvement of overall performance.
This includes a drive for continual enhancement
based on a measurement, audit and feedback loop
to ensure a set of common indicators are continu-
ally monitored, measured and assessed to empower
the duty holders to take effective remedial and
improvement actions as appropriate.
The seven fundamental principles collectively
constitute a structured, systemic and holistic
framework for assurance of overall performance.
The framework depicted in Table 1 represents a
constellation of complementary and inter-related
principles which when applied collectively, can sys-
tematically underpin the attainment, maintenance
(principles I-VI) and improvement (principle VII)
of overall desired performance. A framework founded on systemic principles is more fundamentally credible, stable and universally applicable than a specific context-related suite of actions, processes or methodologies.
2.5.2 Systemic characteristics of the framework
Whilst holistic and comprehensive, the framework for safety, security and environmental risk management possesses essential properties such as simplicity, rationality and a level of abstraction which make it adaptable to any context, scale and organisation. These are crucial to the stakeholders understanding, adapting and applying it to optimal effect.
The framework transforms the traditional focus
on accidents to understanding, control and man-
agement of hazards and vulnerabilities. This fun-
damental shift of emphasis yields a more profound
knowledge on the root causes of faults, errors and
failures thus resulting in a more effective manage-
ment of safety, security and sustainability.
The framework sets out all the building blocks
for systematic risk management starting with
establishing the environment and baseline per-
formance (principle I) leading to four focal points
(principles II-V) for actualising plans and policy.
A major emphasis is also placed on the organisational facets from performance focused structure, roles, responsibilities, accountabilities, competencies and communications to the more subtle cultural aspects (principle VI). The intangible human dimension related to buy-in, motivation, conflict resolution and taking people and property into account in everything we do is often ignored or not given sufficient prominence in existing safety and security frameworks and standards. Finally an active learning ethos and actualisation of learning in improvement of overall performance is emphasised in principles VI & VII.

Table 1. The Systemic Assurance Framework of seven principles.
Principle | Scope & intent
I. Prediction & Proactivity | Setting Policy and Strategy, Identifying all stakeholders and interfaces, Hazard / Vulnerability Identification, planning, resourcing and data collection. Modelling, assessing baseline risks, identifying key performance indicators and implementing policy. Developing Safety Case and Safety Management Manual.
II. Prevention | All measures, processes, activities and actions from design reviews to maintenance aimed at eliminating or reducing the likelihood/frequency of hazardous states with a potential to cause harm and loss.
III. Containment & Protection | All measures, processes, activities and actions aimed at reducing the likelihood/frequency or severity of potential accidents arising from the hazardous states.
IV. Preparedness & Response | All plans, measures, processes, activities and resources relevant to managing degraded and failure modes and emergencies, collection, maintenance & sharing of records.
V. Recovery & Restoration | All plans, measures, processes, activities and resources relevant to recovery from planned and unplanned disturbances, degraded and failure modes and emergencies towards full resumption of production/service including the criteria and organisation for authorising the system back into service post disruptions and emergencies.
VI. Organisation & Learning | Structuring, reporting, communicating, training, certification, competencies, roles & responsibilities and validation for human organisation as well as ensuring lessons are learnt from incidents and accidents and key points recorded, shared and implemented.
(Continued)

The derived principles are not things to do
per se. They constitute a complete roadmap and
essential focal points for the requisite activities and
processes inherent in the systematic assurance of
performance in products, processes, systems and
undertakings. In this spirit, each principle also
constitutes a focal point for measurement, bench-
marking and determination of the status, success
or shortcomings of the specific aspects of the risk
management system.
The principles within the framework are goal-
oriented and apart from guidance on the purpose
and nature of essential activities, are designed to
allow specific stakeholders to adapt these to their
roles and circumstances and innovate to improve
performance. This is particularly relevant to the
historically diverse nature of the EU member
states with different cultural and structural under-
pinnings to their industrial and service sectors.
The four key focal points (principles II-V) on the actualisation of the safety plans and policies empower duty holders to collaboratively contribute to the overall performance of their operations. These principles would naturally involve a different set of activities for each stakeholder organisation but nonetheless remain equally applicable at the framework level, hence the need for scalability and adaptability.
The proposed principles are valid at any stage of the life-cycle; therefore, they are equally applicable to any group or organisation involved in the
provision of service, products or management of
infrastructure, production and operations. These
can provide proactive indicators to assist the duty
holders with their tasks as well as those responsible
for the supervision and regulation of the relevant
industry.
It would therefore be feasible to audit, assess and
score an organisation’s processes, capabilities and
maturity in Proactivity, Prevention, Protection,
Response, Recovery, Organisation and Continual
Enhancement as appropriate to the nature of the
undertaking. These scores and proactive criteria
when benchmarked, will signify the status, strengths
and shortcomings of an organisation in their sys-
temic approach to the management of risks.
Apart from audit, assessment and scoring of the
individual principles, it is also possible to generate
an overall index of merit for the performance of
the whole framework, thus giving a holistic leading
indication for the capabilities and maturity for an
organisation in its risk management endeavours.
This provides an objective and constructive frame-
work for intra-industry benchmarking, compari-
sons and enhancements.
The framework founded on seven systemic prin-
ciples can underpin performance assurance when
applied in aggregate. In this spirit, the architecture
of the proposed framework is entirely scaleable
and can be adopted to manage risks at the level
of a product, process, team, project, department,
organisation, an alliance of organisations and an
industry as a whole. At every level of the applica-
tion, the essential invariant aspects of the frame-
work i.e. the seven inter-related principles, require
mapping and adaptation to the nature, scale, con-
text, tasks and the application.
2.5.3 Relationship with SafeRelNet integrated
risk assessment framework
The framework for integrated risk assessment
developed within SafeRelNet comprises six key
stages in the identification, analysis and assess-
ment of risks as follows:
1. Definition phase;
2. Identification of risk or hazard scenarios;
3. Analysis of effects;
4. Analysis of causes;
5. Assessment phase;
6. Evaluation and risk reduction.
The relationship between the assessment frame-
work elements and the corresponding management
framework principles is described in Table 2.
In principle, risk management covers a much
broader set of issues and activities which do not
readily map across the assessment tasks as evidenced
in Table 2. In this spirit, assessment of risks is a pre-
requisite and essential to the management tasks.
The risk management framework addresses a spectrum of activities and principles such as Preparedness & Response, Recovery & Restoration and Organisation & Learning which are not traditionally considered within the scope of assessment. This is principally driven by the traditional attitude to assessment which is concerned with scoping, identification of hazards and estimation of probability/frequency and severity of the likely accidents. The assessment task is an integral aspect of the overall successful management of risks however since it sets out the basis on which critical risks are identified, prioritised, controlled and managed to maintain a degree of tolerability acceptable to all stakeholders.

Table 1. (Continued)
Principle | Scope & intent
VII. Continual enhancement | All processes associated with setting and reviewing targets, measuring/assessing, processing, auditing, reviewing, monitoring, regulating and sustaining/improving performance including decision aids and criteria. This includes investigation of the causes of poor performance and accidents.

Table 2. The relationship between the risk assessment & management framework principles.
Assessment stage | Management principle
Definition phase; Identification of risk or hazard scenarios | Prediction & Proactivity
Analysis of causes; Evaluation and risk reduction | Prevention
Analysis of effects; Evaluation and risk reduction | Containment & Protection
No counterpart | Preparedness & Response
No counterpart | Recovery & Restoration
No counterpart | Organisation & Learning
Assessment phase | Continual Enhancement

Figure 7. The systematic framework for risk management, its interfaces and interactions.

3 CONCLUSIONS
The approach to the management of risks is best served through a structured and systemic framework comprising principles that hold true in different sectors, levels of hierarchy, contexts and circumstances. The principle based approach generates consistency, integrity and a familiar harmonised process to underpin the principal assurance activities. However, the principles in a framework only constitute focal points for allocation of resource and energy and require mapping to the specific characteristics and demands of an environment, sector, system or undertaking.
A framework of seven principles has been developed and proposed for risk management and overall safety, security and environmental assurance. Apart from random mishaps, the framework is equally applicable to the malicious intents and can provide one consistent and systemic environment for successful management of safety, security and environmental/sustainability risks pertinent to products, processes, systems and undertakings.
Because of its high-level and principle focused constitution, the framework is scalable and can be applied at any level and within any industrial, infrastructure and service sector context. Its adoption as a common framework for management of safety and risks across all sectors and partner organisations is recommended.

ACKNOWLEDGEMENTS
The author extends his gratitude for support and professional input from the SafeRelNet colleagues. Special thanks to Professor C Guedes Soares for his introductory and scene setting input in the development of the SAFERELNET risk management framework document, derived from the contents of this paper.
The work presented was performed within the EU—Project on “Safety and Reliability of Industrial Products, Systems and Structures” (SAFERELNET), described in www.mar.ist.utl.pt/saferelnet, which is funded partially by the European Commission under the contract number G1RT-CT2001-05051 of the programme “Competitive Sustainable Growth”.
Safety and Reliability of Industrial Products, Systems and Structures – Guedes Soares (ed)
© 2010 Taylor & Francis Group, London, ISBN 978-0-415-66392-2
Framework for maintenance planning
C. Guedes Soares, J. Caldeira Duarte & Y. Garbatov
Instituto Superior Técnico, Technical University of Lisbon, Lisbon, Portugal
E. Zio
Politecnico di Milano, Milan, Italy
J.D. Sorensen
Aalborg University, Aalborg, Denmark
COWI, Denmark
ABSTRACT: The present document presents a framework for maintenance planning. Maintenance
plays a fundamental role in counteracting degradation effects, which are present in all infrastructure and
industrial products. Therefore, maintenance planning is a very critical aspect to consider both during the
design and during the whole life span of operational use, within an integrated framework founded on risk
and reliability based techniques. The document addresses designers, decision makers and professionals
responsible for or involved in establishing maintenance plans. The purpose of this document is to present
maintenance as an integrated approach that needs to be planned, designed, engineered, and controlled by
proper qualitative and quantitative techniques. This document outlines the basic premises for maintenance
planning and provides the general philosophies that can be followed and points to a best practice in the
treatment of the many aspects of this complex problem.
1 INTRODUCTION
The complex modern engineering systems, such as offshore structures, bridges, ship hulls, pipelines, wind turbines and process systems, are ideally designed to ensure economical operation throughout the anticipated service life in compliance with given requirements and acceptance criteria typically related to the safety of the personnel and the risk posed to the public and the environment.
Inevitably, deterioration processes, such as fatigue crack growth and corrosion, are always present to some degree and if not controlled and limited they may reduce the performance of systems beyond what is acceptable. Hence, to ensure that the given acceptance criteria are fulfilled throughout the service life of the engineering systems, it is necessary to control the development of deterioration and install proper maintenance measures.
The control of the health status of a system is achieved by appropriate planning and performing of inspections and maintenance actions. This requires decisions on what to inspect and maintain, how to inspect and maintain, and how often to inspect and maintain. These decisions need to be taken so as to achieve the maximum benefit from the control of the degradation process while minimizing the impact on the operation of the system and other economical consequences. In other words, inspections and maintenance must be planned so that a balance is achieved between the expected benefits and the corresponding economical consequences.
To be able to determine expected benefits and costs it is necessary to deal properly with uncertainties and probability theory has been widely used for that purpose. This allows decision theory to be employed to minimize overall service life costs including direct and implied costs of failures, repairs, inspections and maintenance. These approaches have reached the maturity of practical procedures and are indeed applied in various industries.
The purpose of this document is to present maintenance as an integrated approach that needs to be planned, designed, engineered, and controlled by proper qualitative and quantitative techniques.
Generically, it is possible to state that maintenance is ‘the set of actions that ensure the ability to maintain equipment or structures in, and restore it to, the functional state required by the purpose for which it was conceived’.
In all generality, two different categories of engineering problems can be identified with respect to maintenance issues: those for which the priority is to guarantee safety and reliability and those for which the priority is to guarantee availability.
Correspondingly, for the first category, inspections and maintenance are planned in order to keep the equipment or structure in a healthy state, avoiding failures, whereas for the second category the priority is to define a maintenance plan that ensures availability, taking into account the life cycle costs, by properly balancing the costs of failure and times between failures with time to repair and their costs.
2 UNCERTAINTY MODELLING
Maintenance is required for equipment and
structures whose performance degrades with
time and it aims at counteracting those effects.
The performance of engineering facilities i.e. the
degradation over time is subject to a number of
uncertainties. These include operational condi-
tions, material characteristics and environmen-
tal exposure. The uncertainties have origin in
inherent physical randomness and in uncertain-
ties associated with the models used to assess the
performance of the systems. If, furthermore, the
statistical basis for the assessment of the uncer-
tainties is limited, then also statistical uncertain-
ties may be important.
The deterioration processes are only partly understood and their evolution in time is associated with significant uncertainty as depicted in Figure 1, where d(t) is the damage at time t, and d_init models the initial damage. Statistical or probabilistic models can be formulated for the prediction of future deterioration. The probabilistic
cal understanding, observations and experience.
Observations of the actually occurring deteriora-
tion, as can be obtained by inspections, may be
introduced into the models and greatly enhance
the precision of their predictions. In general alea-
toric uncertainty (physical uncertainty) cannot
be reduced by inspections, whereas epistemic
uncertainty (model and statistical uncertainty) can
be reduced using information from inspection.
The statistical characteristics of the deteriora-
tion in the future are decisive for the estimation of
the future performance of a component and thus
for its safety.
Monitoring or inspections may be used as a tool
to reduce the uncertainty in the predicted deterio-
ration and/or as a means of identifying deteriora-
tion before it becomes critical.
Figure 1 shows how the predicted future deterioration will significantly change if the observed deterioration state is used to update the probabilistic deterioration model at the time of the first inspection t_1. At that occasion the updated distribution d_u(t) will start from a lower value and will lead to another expected damage at the time t_2 of the following inspection.
If d_crit is assumed to be a critical “size” of the expected value of the predicted deterioration state, inspections may be planned such that this deterioration state is not exceeded.
It is also important to realise that the degree of control of the engineering systems achieved by the inspections is strongly influenced by the reliability of the monitoring or inspection, i.e. their ability to detect and size degradation. The reliability and thus the information achieved by inspection is strongly dependent on the quality of the monitoring system or the planned inspection, their coverage and the times at which they are performed. The reliability of the data collection itself may be subject to very significant uncertainty and this must be taken into account in the planning of inspections and when the results of inspections are interpreted and used to update the predicted performance of the considered engineering facility.
Inspections and maintenance actions are also
subject to substantial uncertainties. The quality
of inspections is normally quantified in terms of
their ability to detect (modelled by Probability
Of Detection—POD-curves) and size the defects
under consideration. Further, the possibility of
false detections should also be taken into account in
the probabilistic modelling. Different inspection
methods may thus be adequate for the inspec-
tion of different deterioration processes. Inspec-
tion strategies are specified in terms of inspection
method, time intervals between inspections and
coverage.
Assuming that observed deterioration states will be subject to remedial actions if they are considered serious, it is easily realised that there is a strong relationship between inspection quality, inspection intervals, inspection coverage and the safety which is achieved as a result of the inspection. However, it should be emphasised that safety is only increased by remedial actions. Inspections themselves do not increase actual safety but may reduce uncertainty in the assessment of the actual condition.

Figure 1. Illustration of predicted future deterioration. (Labels recovered from the figure: d(t), d_u(t), t_1, t_2, t, d_Initial, d_Inspection, d_Critical, 0.)

Different deterioration processes will follow
different patterns both time wise and in terms of
location in the facility depending on the choice of
materials, detailing of the structures and process
systems, production characteristics, loading and
exposure to aggressive environments. Even though
design strategies may attempt to mitigate or mini-
mise the effect of deterioration processes by choice
of material or dimensions, deterioration processes
will still occur due to errors or flaws during manufacturing and execution.
The consequence of component failure e.g.
in terms of potential loss of lives or of costs will
depend on the component and its importance for
the operation of the facility.
The risk associated with the component is the
product of the probability of component failure
and the consequence of failure. The risk based
approach in maintenance takes basis in a quanti-
fication of risk not only on a component basis but
for all components on the installation as a whole.
Different inspection and maintenance strategies
with different effort, quality and costs will have
different effect on the risk. By comparing the risk
associated with different strategies the inspection
and maintenance strategy implying the smallest
risk can be identified.
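The comparison of strategies described above can be carried through numerically. The following is an added example, not part of the original chapter: it assumes a simple Markov damage model and ranks inspection intervals by expected cost of inspections and repairs plus risk (probability of failure times consequence). The state count, growth probability, POD values and cost figures are all constructed for illustration.

```python
"""Compare inspection strategies by expected life-cycle cost (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Assumed model parameters, constructed for illustration (none come from the text).
N_STATES = 5           # damage states: 0 = as new ... 4 = failed (absorbing)
P_ADVANCE = 0.15       # yearly probability that damage grows by one state
HORIZON = 30           # service life in years
REPAIR_FROM = 2        # detected damage in this state or worse is repaired
POD = [0.0, 0.2, 0.6, 0.9]   # probability of detection for states 0..3
COST_INSPECTION = 1.0
COST_REPAIR = 10.0
COST_FAILURE = 500.0   # consequence of failure, same cost unit


@dataclass
class Outcome:
    interval: Optional[int]      # years between inspections, None = never inspect
    p_failure: float             # probability of failure within the horizon
    expected_inspections: float
    expected_repairs: float
    expected_cost: float         # inspections + repairs + risk of failure


def deteriorate(dist: Sequence[float], p: float) -> List[float]:
    """One year of damage growth; the failed state is absorbing."""
    new = [0.0] * len(dist)
    last = len(dist) - 1
    for state, mass in enumerate(dist):
        if state == last:
            new[state] += mass
        else:
            new[state] += mass * (1.0 - p)
            new[state + 1] += mass * p
    return new


def inspect(dist, pod, repair_from) -> Tuple[List[float], float]:
    """Detected damage at or above repair_from is repaired back to state 0.

    Undetected damage (probability 1 - POD) stays where it is, so an
    imperfect inspection leaves part of the risk in place.
    """
    new = list(dist)
    repaired = 0.0
    for state in range(repair_from, len(dist) - 1):
        found = dist[state] * pod[state]
        new[state] -= found
        repaired += found
    new[0] += repaired
    return new, repaired


def evaluate(interval, pod=POD, repair_from=REPAIR_FROM,
             p=P_ADVANCE, horizon=HORIZON) -> Outcome:
    """Propagate the damage distribution over the service life for one strategy."""
    dist = [1.0] + [0.0] * (N_STATES - 1)
    inspections = repairs = 0.0
    for year in range(1, horizon + 1):
        dist = deteriorate(dist, p)
        # No inspection in the final year: nothing is left to protect.
        if interval and year % interval == 0 and year < horizon:
            inspections += 1.0 - dist[-1]   # failed components are not inspected
            dist, fixed = inspect(dist, pod, repair_from)
            repairs += fixed
    p_failure = dist[-1]
    cost = (inspections * COST_INSPECTION + repairs * COST_REPAIR
            + p_failure * COST_FAILURE)     # last term: probability x consequence
    return Outcome(interval, p_failure, inspections, repairs, cost)


def compare(intervals, pod=POD):
    """Evaluate every candidate interval and return (all outcomes, cheapest)."""
    outcomes = [evaluate(i, pod) for i in intervals]
    return outcomes, min(outcomes, key=lambda o: o.expected_cost)


if __name__ == "__main__":
    outcomes, best = compare([None, 1, 2, 5, 10])
    for o in outcomes:
        print(f"interval={o.interval!s:>4}  P(fail)={o.p_failure:.4f}  "
              f"repairs={o.expected_repairs:.2f}  cost={o.expected_cost:.1f}")
    print("lowest expected cost: interval", best.interval)
```

Inspection alone changes nothing in this model: the failure probability only drops through the repair step, which is the point the text makes about remedial actions.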
In this frame the importance of statistical and
probabilistic models is now clear. The main proba-
bilistic concepts that govern models and decisions
related with maintenance planning are:
• Reliability of a component or system at time t is the probability that the component survives up to time t. The reliability of a system, or the ability of a system to perform successfully a certain function, depends mainly on:
  – the quality and reliability of its components;
  – the implementation and accomplishment of a suitable preventive maintenance and inspection program in the case of deteriorating components.
• Availability of a component or system at time t is the probability that the component or system is operating at time t. Availability is a function of the operating time (reliability) and the downtime (maintainability). Availability is a decreasing function of failure rate and is an increasing function of repair rate. Availability is also a function of the preventive maintenance program and shows the possible effects on system availability of such a program.
• Maintainability of a component or system within a given period of time is the probability that the component or system will be restored to specified conditions within the given period of time when maintenance action is performed in accordance with prescribed procedures and resources. Maintainability, like reliability, is an inherent characteristic of system or product design. It concerns the ease, accuracy, safety, and economy in the performance of maintenance actions. Maintainability is the ability of a system to be maintained.
3 MAINTENANCE MANAGEMENT
SYSTEM
From the point of view of the owner of an asset
that needs to be managed during its lifetime, the
underlying objective of maintenance is to provide
reliability and production with the long- and
short-term availability requirements (the planned
production) at a minimum resource cost. The
cornerstone of effective maintenance planning
is minimizing unplanned downtime. In practice,
taking into consideration the financial aspects of
system operation, the maintenance philosophy of
a system basically boils down to performing the
optimal maintenance plan that is consistent with
the optimisation of system availability, while not
compromising safety. This general formulation
is applicable to either a plant, which is based on
active components and which has to reach a certain
level of production or a structure which is made
of mainly passive components, as for example a
bridge that has to be available for a certain level
of traffic flow.
To achieve these goals, Maintenance Manage-
ment Systems are put in place. A Maintenance
Management System is characterized by the fol-
lowing elements:
• Strategic planning—This planning generally
covers a horizon of several years in the future
and its basic objective consists in provid-
ing improvements to operational processes;
examples of applications in this area are the
allocation of resources to processes, the adop-
tion of measures of development and the expan-
sion of the production capacity.
• Demand management—An optimal main-
tenance strategy needs to be founded on an
accurate estimation and prediction of the main-
tenance and operation loads.
• Maintenance planning—This process comprises
all the functions related to the preparation of
the work order, material billing, labour plan-
ning sheet, job standards, necessary drawings,
purchase requisition, and all the data needed
prior to scheduling and releasing the work order.
• Maintenance execution, monitoring and
control—The aim is the scheduling, perform-
ance and control of the actual maintenance
action.
• Basic records management—This task aims at
providing the basic data in support of the other
tasks, e.g. in terms of work orders.
• Supporting and reporting systems—These
systems allow the access of the users to the avail-
able information.
The above elements constituting a Mainte-
nance Management System are also typical for
production planning and control, although some
people claim that there are significant differences
between planning and programming of produc-
tion and of maintenance. These differences would
justify a differentiated treatment of the two
issues.
The two key elements of Maintenance Manage-
ment can be summarized as:
• Maintenance is a vital core business activity
crucial for business survival and success, and as
such it must be managed strategically.
• Effective maintenance management needs to be
based on quantitative business models that inte-
grate maintenance with other decisions such as
production, safety etc.
Maintenance is viewed as a multidisciplinary
activity that involves:
• scientific understanding of degradation
mechanisms and linking it with data collec-
tion and data analysis to assess the state of
equipment;
• building quantitative models to predict the
impact of different actions (maintenance and
operations) on equipment degradation; and
• managing maintenance from a strategic
perspective.
Finally, control is the activity that allows the
evaluation of the performance of the strategic
maintenance system implemented and it provides
feedback for the update and revision of its
constituents.
Assigning priorities to the distinct maintenance
tasks, so that the most critical ones are carried
out first, is a fundamental component of a
strategic maintenance plan. The priorities are to
be assigned taking into account the urgency of the
maintenance tasks with respect to their effects on
the production lines and on safety.
There are several proposals of classification of
priority levels. Table 1 attempts to somewhat merge
such classifications.
With a Maintenance Management System, it is
possible to manage efficiently the flow of materi-
als, to co-ordinate the internal activities with the
ones of the suppliers and to dialogue with the pro-
ductive sector about the necessities of equipment
availability.
This entails handling a great volume of data in
reasonable time, to properly support the management
tasks and operational activities. Thus, an
effective Maintenance Management System must
inevitably be supported by an efficient
data-processing information system. It needs to be
stressed that equipment is understood here in great
generality, ranging from active components like
rotating machinery to fixed structures such as
pressure vessels, bridges, buildings and offshore
platforms, among others.
The goal of any company is to produce goods
or services. In this view, forecasting of produc-
tion or service demand is an important element to
integrated production or service and maintenance
planning and control. The forecasts of items, spare
parts and other independent demands are the key
to plan production or service and maintenance for
production or service.
Table 1. Priorities of maintenance work.

| Priority code | Name | Type of work | Time frame work should start |
|---|---|---|---|
| 1 | Emergency | Work that has an immediate effect on safety, environment, quality, or will shut down the operation. | Work should start immediately |
| 2 | Urgent | Work that is likely to have an impact on safety, environment, quality, or will shut down the operation. | Work should start within 24 hours |
| 3 | Normal | Work that is likely to impact the production within a week. | Work should start within 48 hours |
| 4 | Scheduled | Preventive maintenance and routine; all programmed work. | As scheduled |
| 5 | Postponable | Work that does not have an immediate impact on safety, health, environment, or the production operations. | Work should start when resources are available or at shutdown period |
4 STRATEGIC MAINTENANCE PLANNING
The boundaries that will determine the level at
which strategic maintenance must be planned are
mainly decided at the design stage. Design deci-
sions will govern the initial quality, cost and layout
of the installations or structures and this will have
an impact on the level of maintenance that is
required during operation.
Basically, the owners of the assets will aim to
minimize their total life-cycle cost. Thus, once
the design, construction and dismantling costs are
fixed, the strategic aim of maintenance is to
minimize the costs of operations and maintenance.
In the cases where failure of the equipment or
structure would cause very high costs of operation
resulting from downtime and repair, or even from
human lives lost, maintenance will aim to keep
equipment and structures in healthy conditions
so as to never fail. In other cases, failures can be
tolerated if the repair can be done without negative
impact on production or availability of the system.
Independently of whether the primary target of
maintenance is to keep the reliability or the
availability of the system, maintenance activities
always interface with the operability of the system
or the structure. Therefore, in the strategic
planning of maintenance the strategy of operation of
the installation or structure must be considered, and
a minimization of the expected costs or a
maximization of the benefits must be sought under the
existing uncertainties.
Life-Cycle Cost (LCC) involves all costs asso-
ciated with the system life cycle (Figure 2) to
include:
1. Benefits.
• all incomes in the system life cycle.
2. Development and Design cost.
• The cost of feasibility studies.
• System analysis.
• Detail design and development, fabrication,
assembly, and test of engineering models.
• Initial system test and evaluation.
3. Construction cost.
• The cost of fabrication, assembly and test of
operational systems.
• Associated initial logistic requirements (test
and support equipment development, spares/
repair parts provisioning, training, facility
construction).
4. Operation and maintenance cost.
• The cost of sustaining operation, personnel
and maintenance support;
• Spare/repair parts and related inventories;
[Figure 2. Life-cycle model. Labels in the figure: Requirement stage, Feasibility, Conceptual Design, Detailed Design, Design of modifications, Construction of Prototypes, Testing, Construct/install, Acceptance, Operation and maintenance, RAMS targets, Revised targets, Data, Reliability update, Maintenance strategy, Modifications.]
Students of Ephesians, moreover, are coming to hear in it more and
more clearly, if we mistake not, the voice of the Apostle and the
expression of his mature Christian experience, and of that doctrine
of the church in which Royce sees the essence of Paulinism. A. C.
Headlam says that it is the careful study of a book that will often
solve the question of its origin, and remarks: "To me Ephesians is
Pauline through and through, and more even than Romans
represents the deepest thought of the Apostle."[260] The important
fact is that, when all the disputed epistles are excluded, the progress
of criticism has placed beyond reasonable doubt the great body of
the Apostle's teaching and the bulk of his writings. The practical
question now at issue, as Ramsay has observed, is not, "What did
Paul write?" but "What did Paul teach?"[261]
In Paul's acknowledged writings we have a solid basis in fact from
which to estimate the Gospel narratives and the Acts. The epistles of
Paul carry us back into the circle of the earlier apostles and of the
Jerusalem church, and throw light upon various events and aspects
of the life, character, words, death, and resurrection of Christ.
II. The Acts of the Apostles
The book of Acts, while secondary in interest to the Gospels,
occupies a central place in New Testament criticism. It is the bridge
between the Ascension and the time thirty years later when Nero
persecuted "a great multitude called Christians at Rome." It covers
the period in which doctrinal evolution took place. Through its
authorship it bridges the gap between the Gospels and the Pauline
church among the Gentiles.
The course of the history in the early chapters of Acts is so different
from that which the imagination of a later age would have pictured,
that it bears upon its face the marks of early origin and of
trustworthiness. To a later writer, without contact with the actors,
and writing after the destruction of the Temple and the final breach
of the Christians with the Jews and the assured success of the
Gentile mission, it would seem exceedingly improbable (1) that the
apostolic company should have continued to worship in the Temple;
(2) that they should at first have found favour with the people; and
(3) that they should have remained in Jerusalem with no apparent
intention of leaving until scattered by persecution; and perhaps (4)
that the Sadducees should have been the first to start the
persecution. The recorded history, improbable to a later age, bears
upon its face the stamp of truth. The imagination of a post-Pauline
writer would have given us, we may be sure, a very different picture
of church history. It would scarcely have conceived of the primitive
Christology of Peter's speeches, the use of the term, "child," or
"servant" of God (παῖς [pais]) in place of the Pauline term, "Son of
God" (υἱός [huios]), yet with the same attitude, shared by Christians
of earlier and later time, of adoration, worship and love.
The presumption in favour of credibility is strengthened by the
author's full and detailed treatment of persons and places. "A man
who would venture to introduce ninety-five persons and a hundred
and three places into a history of his own times must have been
pretty sure of his ground. The majority of these persons were still
living when he wrote; into every one of these places his volume
shortly penetrated.... The correctness of his geography upholds the
truth of his history."[262]
A great many of the statements of the Acts can be checked by
comparison with Paul's epistles, as has been shown by Paley's "Horæ
Paulinæ," and more recently, for the first part of the Acts, by
Harnack. In case of apparent conflict, it has been said, "we are
confronted by the task of reconciling the differences between two
first-century documents, each of which has, admittedly, very
powerful claims."[263] More than half of the Acts is taken up with the
labours of the Apostle Paul, and yet the Acts does not mention or
show knowledge of his epistles. This fact, used by some to throw
doubt upon the genuineness of the epistles, may be an indication of
the early date of the Acts, and of so close a relationship between the
author and the Apostle that the evidence of letters would be
unnecessary.
Important alike in its bearing upon the questions of credibility and
authorship, is the evidence of the so-called "we-sections." A prima
facie case is made out that the author of the Acts was an eye-
witness of some of the scenes it records, and a companion in travel
of the Apostle Paul. This evidence has of late been greatly
strengthened by linguistic investigation. While critical attempts are
still made to divide the Acts into documents, the "we-sections" (xvi.
10-17; xx. 5-15; xxi. 1-18; xxvii. 1-xxviii. 16), as Sir J. Hawkins says,
show an "immense balance of internal and linguistic evidence in
favour of the view that the original writer of these sections was the
same person as the main author of the Acts and of the Third
Gospel."[264]
No living writers have done more to stimulate interest in the book of
Acts than have Sir W. M. Ramsay and Harnack, and the writings of
both have materially strengthened the case alike for its Lukan
authorship, and, in the main, for its historical accuracy. Ramsay,
starting, as he says, from the standpoint of the Tübingen school,
"with the confident assumption that the book was fabricated in the
middle of the second century, and studying it to see what light it
could throw on the state of society in Asia Minor, was gradually
driven to the conclusion that it must have been written in the first
century and with admirable knowledge."[265]
Harnack's defense, in his four monographs,[266] of the Lukan
authorship, integrity, historical reliability (where the supernatural is
not in question) and early date of the Acts is the most outstanding
and significant achievement of the age in New Testament criticism.
Harnack's work has been so thorough and convincing that it may be
said to have carried the theological world by storm. At least his
powerful argument for Lukan authorship does not appear to have
been successfully met. The attempt to turn its flank by asserting that
the Paul of Acts, in making a vow, shaving his head and entering
into the Temple, was not the defender of Gentile liberty who wrote
Galatians, and so that the author of the Acts was not the companion
of Paul, is met by Harnack in the fourth of his monographs. Paul, he
declares, not only was a Jew, but remained so, whether consistently
or not. Harnack thinks that Paul shrank back from taking the last
logical step,[267] but that in this the author of the Acts represents
the relation of Paul to Judaism precisely as do his letters.[268]
Stanton well remarks that the difficulty of accounting for alleged
discrepancies between the Acts and the Epistles is equal or greater
on the supposition that the author wrote 100 A.D., or later, than if
the author was the companion of Paul.[269] The very fact, for
example, that Luke says that Paul worshipped in the Temple is an
indication that we have here no conception of a later age to which
such an act would have seemed unnatural.
In his "Date of the Acts and of the Synoptic Gospels" (IV), Harnack
reverses his former opinion and strongly defends a date for the Acts
within the lifetime of Paul and before the end of his trial at Rome.
Reviewing his former arguments for a later date, he finds them
inconclusive, and thinks that the earlier date is required by the
abrupt close of the Acts. Minor considerations favouring an early
date are (1) the titles for Christ in the early chapters, and for
Christians, and the description of the Jews as "the people of God";
(2) the fact that the Jews are the persecutors and not the
persecuted; (3) the absence of any indication of the use of Paul's
letters such as would be expected in a later writer; (4) the use of the
"first day of the week," instead of the "Lord's Day," and of the
names of Jewish feasts, in which Luke stands with Paul against later
writers. And (5) even the prediction, Acts xx. 25, which looks
primarily to Jerusalem, not Rome, would not have been written, if
the second imprisonment be accepted, after its apparent falsification
by 1 Timothy i. 3 and 2 Timothy i. 18. H. Koch develops these
arguments independently,[270] and it can no longer be said that the
early dating of the Acts is "a pre-critical theory which rests on
sentimental or subjective grounds."[271]
Why should the author follow so carefully the fortunes of the Apostle
on his voyage to Rome, and describe so fully the initial stages of his
trial, and yet leave the reader in doubt concerning its outcome?
Commentators have been puzzled by the seemingly inordinate space
which Luke devotes to the details of the voyage and shipwreck.
Sometimes it is said that the voyage marks the final rejection of the
Jewish people; or in the description is seen a literary device intended
to intensify the suspense of the reader; or allegorical interpretations
are resorted to by those who think that Luke would not thus
descend from the level of the philosophical historian to that of the
novelist.
In the minute description of the voyage and shipwreck, Koch sees
evidence that the writer's experiences as Paul's companion on the
voyage were still fresh in his mind. The details would scarcely have
been remembered and recorded so vividly after twenty-five years.
Even if a journal had been kept, it is still strange that the minutiæ of
the story should have been retained in the perspective of the
finished history. "The author still stands under the fresh impression
of the wonderful divine guidance through which Paul, in spite of all
dangers and hindrances, reached his long sought goal." "What
interest would a reader of later times have in details such as that on
an Alexandrian ship precisely two hundred and seventy-six men were
found?" In the seventh or eighth decade more important
contemporary events would have stood in the foreground of interest.[272]
A striking parallelism has been observed between the Third
Gospel and the Acts, while, supposing Paul's death to have occurred,
it is urged that Luke has missed "the finest—the most essential—
point of the whole comparison, the death of Paul."[273]
The assumed intention of the author to write a third treatise does
not help the matter much. It is absurd, Ramsay admits, to relate the
earlier stages of the trial at great length, "and wholly omit the final
result which gives them intelligibility and purpose"; but his
conclusion is that "it therefore follows that a sequel was
contemplated by the author," a sequel which the "first" (prôtos) of
Acts i. 1 implies, if Luke "wrote as correct Greek as Paul wrote."[274]
But the intention of writing a sequel does not explain the failure to
mention the outcome of the trial. Luke would have no motive like
the writer of a continued story for keeping the reader in suspense,
and the simple addition of the words "until his release or acquittal"
would have relieved the suspense, and given "intelligibility and
purpose" to the detailed description of the earlier stages of the trial.
The account of the Ascension is not omitted from Luke's Gospel
although given in greater detail in the Acts. There is nothing
unphilosophical in the abrupt ending of a history which brings the
record down to the date of writing.
The leading argument against an early date for the Acts is drawn
from the possible use by Luke of the writings of Josephus, and the
crux of the question is in the words put into the mouth of Gamaliel
(Acts v. 36, 37). The coincidence of the names of Theudas and
Judas of Galilee (Acts v. 36, 37; Antiq. xx. v. 1 and 2) is striking and,
if the two men named Theudas be
(1) Luke had from Paul, whether or not Paul was present at the
meeting of the Sanhedrin, the best means of knowing what
Gamaliel, his teacher and the spokesman of the Pharisaic party,
actually said. (2) The assumption that Luke was quoting Josephus is
in itself very difficult when we compare the passages. Luke speaks of
about four hundred under Theudas while Josephus mentions a great
part of the people; Luke speaks of Judas while Josephus speaks of
the sons of Judas. To quote thus loosely from his assumed authority
and then to commit the further blunder of making Gamaliel allude to
an event which occurred at least a dozen years later is, while
possible, strangely out of keeping with Luke's proved care and
accuracy in most of his historical allusions. The difficulty is
acknowledged by those who make Luke dependent on Josephus.
Why did Luke diverge from a correct narrative if he had one before
him? Writers who affirm (Holtzmann) and those who deny (Schürer)
the dependence on Josephus practically agree that if Luke had read
Josephus he had forgotten him. (3) In the narrative of the death of
Herod (Acts xii. 20 f.; Antiq. xix. viii. 2), where the two authors most
obviously come together, both are plainly describing the same event,
and yet seem to be quite independent both in the use of words and
in the details of the description. (4) The cumulative evidence of an
early date for Luke weighs heavily in the scale against the
hypothesis of dependence upon the "Antiquities" written about 93 or
94 A.D.
The question of date cannot be said to be absolutely settled, but the
tendency of criticism as illustrated by Harnack is to the acceptance
of an early date, as well as to that of the Lukan authorship of the
entire book. It is difficult to see how Harnack, with his present
defense of a date before Paul's release from prison, can consistently
maintain his skepticism where the supernatural events recorded in
the Acts are concerned. It is idle to say that his "revolution in
chronology" has no effect upon the question of reliability. It is an
established principle of historical method that the nearer a tradition
is to the event it professes to describe, the more likely it is to be
trustworthy. The resources of Harnack's learning have been used in
support of the reliability of Luke in his geographical and
chronological references,[275] and his treatment of persons and
reports of their speeches.[276] He has shown that Luke was in touch
with the leaders of the Jerusalem church, and that his statements
are abundantly confirmed by the writings of Paul. If Luke wrote
within the lifetime of Paul, the Acts was published while the main
actors were still living, and, by inference, it recorded events as Peter
and Barnabas and Apollos and Philip and Mark thought that they
happened. If further, as Harnack argues, it was written during Paul's
imprisonment there seems no room for doubt that it was written
under the eye and with the full endorsement of its principal actor,
and that we have thus the implicit guarantee not only of Luke but of
Paul also for the accuracy of its record.
III. The Synoptic Problem
It has been said that the two most important questions for religion
are those of the rational foundations of theism and of the
trustworthiness of the Four Gospels.[277] The Gospel records have
always been regarded as the citadel of the Christian Faith. Not only
do they contain the record of works of power and words of grace,
and of a transcendent Personality, but they have always been
considered to have been themselves supernatural in origin and
character. They have been regarded as "a house not made with
hands" (Robertson Nicoll), "a miracle of the Holy Ghost" (Stier), "the
heaven-drawn picture of Christ, the living Word." The criticism of the
past century, in its quest for the historical Jesus, has taken a very
different attitude towards the Evangelical records. By many critics
they have been regarded as a patchwork of traditions, a work of
pious but credulous men, whose idealization and exaggeration, in
the supposed interest of faith, it is necessary to discount in order to
reach the bed-rock of historical fact.
The literary relation of the Synoptic Gospels to one another has
furnished to the New Testament student a problem of great intricacy
and singular fascination. Its importance for our present purpose is in
its bearing upon the trustworthiness of our canonical Gospels. The
school of Baur, under the influence of the Hegelian dialectic, saw in
Matthew, the Jewish Gospel, the thesis; in Luke, the Gentile Gospel,
the antithesis; and lastly in Mark, the neutral Gospel, the synthesis
or last term of the development. Criticism since the time of Baur
has, with much unanimity, seen in Mark not the latest but the first of
the Gospels, and has made Matthew and Luke dependent upon
Mark.
The theory which has for some years held the field is the so-called
"two-document" theory. According to this Matthew and Luke, usually
regarded as independent of each other, are both dependent, for
much of their narrative portion and for the framework of their
history, upon Mark, and, for the non-Markan discourse material
which they have in common, upon a collection of the sayings of
Jesus, formerly designated as "the Logia" but now usually called by
the letter "Q." The importance of the Synoptic Problem, for our
present purpose, is in its historical rather than its literary features.
Assuming the priority of Mark, and assuming that Matthew and Luke
were dependent upon him alone in those parts of their narratives
which have Markan parallels, it is clear that we must regard all
deviations made by the other Synoptists from the Markan narrative
as of only secondary value. Variations from Mark, if Mark be the sole
source, whether these consist of additions, omissions or
modifications in the narrative, obviously add nothing to our
knowledge of the facts, but simply represent changes which the later
writers have made in their source from subjective reasons. It is
important, then, to ask whether, in the present state of opinion upon
the inter-Synoptic relations, there is reason to believe that Matthew
and Luke are following Mark as their sole authority for the narratives
which have Markan parallels.
There is now a quite general recognition of the fact that the literary
problem presented by the Synoptic Gospels is exceedingly intricate,
and that the "two-document" hypothesis in its simplicity has not
solved all the difficulties. It is recognized that it must be modified in
one of three directions.
(1) There may be said to be a growing appreciation of the part
which oral transmission has played in the composition of the
Gospels. This is shown for example in the volume of Oxford "Studies
in the Synoptic Problem" (1911),[278] and by the statement of Sir
John Hawkins, who, in the second edition of his "Horæ Synopticæ"
(1909), expresses the strong opinion "that at least the Second and
Third Evangelists had provided themselves with written documents
as their main sources, but that they often omitted to refer closely to
them, partly because of the physical difficulties which there must
have been in consulting manuscripts, and partly because of the oral
knowledge of the life and sayings of Jesus Christ which they had
previously acquired as learners and used as teachers, and upon
which therefore it would be natural for them to fall back very
frequently."[279] It is natural to suppose, with Schmiedel, that oral
tradition continued for a considerable time after the first documents
were written.[280]
(2) A considerable number of scholars, finding that Mark condenses
his account of such incidents as the Baptism and Temptation of
Jesus and the discourse concerning Beelzebub, and that Matthew
and Luke are parallel in matter which they add at these points to the
Markan account, have concluded that Mark must have used Q, the
assumed source of the Matthew-Luke agreements. A moderate
statement is that of Dr. Sanday: "I do not think that Q was used by
Mark regularly and systematically, as the later Evangelists use his
own narrative; but he must have known of its existence, and
reminiscences of it seem to have clung to him and from time to time
made their way into his text."[281]
(3) Another group of scholars, basing their view on the agreement of
Matthew and Luke against Mark in matter with Markan parallels, and
on the difficulty of accounting for some omissions from Mark in the
later Evangelists (such as the omission in Luke, where it would be
most appropriate, of the story about the Syro-Phœnician woman),
have framed a theory of different recensions in Mark, one being
used by Matthew, a different one by Luke, and a final recension,
whether the work of the Evangelist himself or of an editor,
representing our canonical Mark. This theory in different forms has
been advocated by Stanton in his "Gospels as Historical Documents,"
Part II (1909), and more recently by Holdsworth in his "Gospel
Origins" (1913). When the two-document theory is held in this form,
the priority of Mark belongs only to the assumed earlier editions, for
whose extent and contents there is no objective evidence except the
assumed dependence, while our canonical Mark is later than either
Matthew or Luke.
There is a growing tendency to find secondary elements in Mark as
well as in Matthew or Luke. Hawkins, it will be recalled, gives a list
of passages in Mark "which may have been omitted or altered (by
the other Evangelists) as being liable to be misunderstood, or to give
offense, or to suggest difficulties."[282] Of the passages which seem
(a) to limit the power of Jesus, or (b) to be otherwise derogatory to,
or unworthy of Him, the more noteworthy of the twenty-two
instances given by Hawkins are as follows: under (a),
1. Mark i. 32-34, "He healed many that were sick." Matthew viii. 16,
"He healed all"; cf. Luke iv. 40, "Every one of them."
3. Mark vi. 5, "He could there do no mighty work, save etc."
Matthew xiii. 58, "He did not many mighty works there because of
their unbelief."
Under (b),
2. Mark i. 12, "The Spirit driveth him forth." Matthew and Luke use
words meaning to "lead."
4. Mark iii. 21, "They said he is beside himself." This is omitted by
Matthew and Luke.
10. Mark x. 17, 18, "Good Master" and "Why callest thou me good?"
appear in Matthew xix. 16, 17 (R. V.) as "Master" and "Why askest
thou me concerning that which is good?" Luke follows Mark.
Over against these passages may be placed others where the
change, if any, and whether made unconsciously or for reasons of
style or with conscious tendency, would seem to be in the other
direction.
1. In the Parable of the Vineyard, Matthew xxi. 37, "My son." Luke
xx. 13, "My beloved son." Mark xii. 6, "He had yet one, a beloved
son."
2. Matthew x. 42, "A cup of cold water only in the name of a
disciple." Compare Mark ix. 41, "In name because ye are of Christ."
3. Luke xxiii. 47, "Certainly this was a righteous man." Mark xv. 39,
"Truly this man was the Son of God," or "a son of God." Matthew
xxvii. 54 follows Mark.
4. (According to Bousset) Mark's abbreviation of Q in iii. 27 makes it
appear that it was Jesus who bound the strong man, instead of God.[283]
5. Matthew xiii. 55, "Is not this the carpenter's son?" Compare Luke
iv. 22, "Is not this Joseph's son?" Mark vi. 3, "Is not this the
carpenter, the son of Mary?" Belief in the Virgin Birth is perhaps
safeguarded by Mark.
6. Mark x. 45, "The Son of man came not to be ministered unto,
etc." Here Bousset sees a dogmatic working over of Luke xxii. 27, "I
am among you as one that serves."[284] Matthew xx. 28 follows
Mark.
So far as tendency to Christological heightening is concerned, critics
of the school of Bousset are now especially severe against Mark. It
appears that "Luke's Gospel in the Passion history has preserved a
series of primary traditions over against Mark."[285] Holdsworth finds
a number of secondary elements, mostly stylistic, in Mark where the
three Gospels have a common narrative. Among these are the vivid
touches of the second Gospel, considered to be "distinctly secondary
features," the fuller descriptions in many instances, and the use of
the noun "gospel" not found at all in Luke although the verb is used,
and not found in Matthew in its absolute sense.[286]
Taking, then, the present state of opinion as to the relation of our
Mark to the other Gospels, we see that while in general the "priority
of Mark" is in some sense defended, yet the relation between any
given passage in Matthew or Luke and its parallel in Mark may be
variously construed. When Matthew, for example, deviates from
Mark, this modification according to current theories may arise (1)
from the first Evangelist's fancy or his dogmatic tendency, and will in
either case be historically worthless. It may arise (2) from reliable
oral tradition, and in this case be as worthy of credence as the
Markan source. It may be derived (3) from the source Q, but may be
for some reason omitted by Mark, whose knowledge of Q is
assumed. The deviation in Matthew may (4) have been found in a
proto- or deutero-Mark, but have been omitted in his final edition.
The difference in this case between Matthew and Mark is no greater
than that between two editions of the same work.
The point to be emphasized is that, in the present state of opinion
upon the Synoptic problem, the difference of one Evangelist from
another does not in itself invalidate the testimony of either. The
Synoptic problem, while primarily a literary problem, is indeed
"fraught with momentous issues which the Church, and not scientific
criticism only, is concerned to face";[287] but in the present state of
the discussion, the fact that Matthew adds to or modifies the
narrative of Mark does not necessarily place the Matthean
modification upon a lower plane of credibility than the Markan
statement. The Matthean modification may be an exact copy of an
earlier edition of Mark, or may be derived from one of Mark's
sources, Q, or may be taken from that stream of oral tradition
coming from "eye-witnesses and ministers of the word," which Luke
in his preface evidently regarded as the touchstone of historical
truth, whatever his use of written sources.
Passing over the vexed question of Q, we may observe that the
acceptance of Harnack's early dating of the Acts and Luke would
further complicate the two-document theory. He agrees that Luke
was written before the Acts, and the Acts before Paul's trial at Rome
was decided; further that Mark is one of the sources of Luke, and
that Mark was written at Rome. "Tradition asserts no veto against
the hypothesis that Luke, when he met Mark in the company of Paul
the prisoner, was permitted by him to peruse a written record of the
Gospel history which was essentially identical with the Gospel of
Mark given to the Church at a later time." Perhaps, he intimates,
"Luke was not yet acquainted with Mark's final revision, which, as we
can quite well imagine, Mark undertook while in Rome."[288] The
priority of Mark, under this supposition, is left hanging by a slender
thread. It is highly probable that Luke gathered the material for his
work (and a great part of it was certainly independent of Mark) while
in Palestine, and if he did not see Mark's Gospel, or a rough draft of
it, until he was in Rome, it is improbable that the Markan document
was his primary and principal source, as the two-document theory
asserts.
Whatever the literary foundation of the two-document theory, it
cannot be said to have led to any very important historical results.
Those who regard the portrait of Jesus in Mark as historical see in
the portrayal of Matthew and Luke only a difference in the nuances
of the narrative. On the other hand, those who cannot accept the
picture drawn by the First and the Third Evangelists are equally
unable to accept that given to us by Mark. The criticism of the
sources, in its usual form, has not revealed to us a Jesus who is
more historical than the Jesus of any of the Synoptists; and it is
necessary to pursue the quest in the more problematical region of
"sources of sources." In this process Mark is found to be as little
historical as the other Synoptic Gospels, or even as the Gospel of
John.
The "dissonances of the Evangelists" appear to be left practically
where they were before the present movement in Synoptic criticism
began. They remain what they always have been when one Gospel
is compared with another, and are neither softened nor made more
acute by any certain results which have been reached in the study of
the Synoptic problem. Some, no doubt, may say that the
discrepancies are so great that the Synoptic Gospels cannot be
accepted as historical records; while others will say, as does a
devout commentator on the Acts, that "such is the naturalness of
Holy Scripture that it seems as though it were indifferent about a
superficial consistency. So it ever is with truth: its harmony is often
veiled and hidden; while falsehood sometimes betrays itself, to a
practised ear, by a studied and ostentatious uniformity."[289] Others
again will appeal to the writers on historical method, such as
Langlois and Seignobos: "The natural tendency is to think that the
closer the agreement is, the greater is its demonstrative power; we
ought, on the contrary, to adopt as a rule the paradox that an
agreement proves more when it is confined to a small number of
circumstances. It is at such points of coincidence between diverging
statements that we are to look for scientifically established historical
facts."[290] The inter-Synoptic differences are certainly, in general,
no greater than those which a single author allowed himself in the
accounts of the same incident, as is shown in Luke's threefold
account of the conversion of the Apostle Paul.
IV. The Johannine Problem
It is scarcely surprising that the mystery which surrounds the most
mysterious Personality in history should communicate itself to the
records which tell of His life, and even to the authors of these
records. If the Synoptic problem is a "well," as Goethe said, the
problem presented by the "spiritual Gospel" usually assigned to the
Apostle John is equally fascinating and difficult. The mystery of the
Master has in part enveloped the disciple whom Jesus loved.
The questions of the authorship and the historicity of the Fourth
Gospel are closely bound together. If the Gospel is a theological
romance intended to give currency to the conceptions of the
Alexandrian philosophy, it is clear that its authorship cannot be
ascribed to one of the disciples of Jesus. On the other hand, if it was
written by one of the Apostolic band, it must certainly, whether
reliable or not in its details, contain a wealth of historical
reminiscence which will enrich our knowledge of the personality, the
words and the deeds of Christ.
It is an interesting fact that a strong defense of the Apostolic
authorship of the Gospel has been made, in the present generation
and in the one which preceded it, by writers whose theological
position would incline them to an opposite conclusion.[291] The
strength of the evidence for Johannine authorship lies in the
testimony which it receives from all parts of the early church,
whether divisions be made on geographical or theological lines, and
in the links of connection which bind the witnesses to the alleged
scene of John's labours and to the Apostle himself.
If it be objected that John, as a Galilean fisherman and an
unlettered man, could not have produced a work so profound in
thought and so polished in Greek composition, the objection may be
compared with that which is raised against the authorship of the
plays which go under the name of Shakespeare. Andrew Lang
remarks with irony upon the surprising belief that "a young man
from a little country town, and later an actor, could possibly possess
Shakespeare's vast treasures of general information, or Latin enough
to have read the Roman classics."[292]
The external evidence for Johannine authorship is strong and, with
the exception of the obscure sect of the "Alogi,"[293] is uniform. It is
"sufficient," and there can be little doubt that it would be efficient in
producing general belief except for the theological interests involved.
Objections to the Apostolic authorship from the side of the external
evidence are based (1) upon supposed indications that John was
martyred with James at Jerusalem and never lived in Ephesus at all,
and (2) upon the statement of Papias, interpreted to mean that two
men by the name of John lived in Ephesus. (1) The evidence upon
the first point is confessedly late and confused. It is contained in the
statements of Georgios Hamartolos, a ninth-century writer, and in
the so-called "De Boor Fragment," purporting to contain an extract
from a fifth-century writer, Philip of Side. The former says that
Nerva, "having recalled John from the island, dismissed him to live in
Ephesus. Then, being the only survivor of the twelve disciples, and
having composed the Gospel according to him, he has been deemed
worthy of martyrdom. For Papias, the Bishop of Hierapolis, having
been an eye-witness of him, says in the second book of the 'Oracles
of the Lord,' that he was slain by the Jews, having, as is clear, with
his brother James, fulfilled the prediction of Christ concerning him,
and his own confession and assent in regard to this." He adds that
the learned Origen, in his commentary on Matthew, "affirms that
John μεμαρτύρηκεν [memartyrêken] (has borne witness, or suffered
martyrdom), intimating that he had learned this from the successors
of the Apostles."[294] But Origen, in his comment on Matthew xx. 23,
says that "the king of the Romans, as tradition teaches, condemned
John, witnessing for the truth, to the island of Patmos." If Georgios
Hamartolos thus incorrectly refers to Origen as a witness to the
martyrdom of John, less weight attaches to his professed
reproduction of the statement of Papias.
The "De Boor Fragment" contains the statement that "Papias, in the
second book, says that John the Divine and James his brother were
slain by the Jews."[295] This supports the statement of the ninth-
century writer in regard to the second book of Papias, but the
evidence, whether for the martyrdom of John by the Jews, or for the
fact that John was put to death at the same time with his brother
James, as is sometimes inferred, is exceedingly slight. Paul (Gal. ii.
9) speaks of John at a time usually identified with the Council at
Jerusalem (Acts xv.), although Ramsay would identify it with Acts xi.
30, thus placing it immediately before the death of James (Acts xii.
2). The statement of Georgios that John lived in Ephesus at the time
of Nerva also negatives this supposition. Of the slightly attested view
that John was martyred at an early date, Dr. Dawson Walker
remarks: "It is difficult to think that this latter hypothesis would have
met with so great favour if it had not been such an effective
instrument in excluding St. John from any possibility of being the
writer of the Fourth Gospel."[296] The statements that John was put
to death by the Jews may possibly be an inference from the
prophecy, "The cup that I drink ye shall drink, etc." (Mark x. 39).
(2) A mediating theory, based upon the well-known statement of
Papias[297] in which a "presbyter" John may, with much probability,
be distinguished from the Apostle of that name, does not deny the
influence of the Apostle upon the construction of the Fourth Gospel,
while its ultimate authorship is assigned to the "presbyter" John. The
hypothesis of the two Johns rests upon the statement of Papias'
fragment as interpreted by Eusebius; but Eusebius, while suggesting
that the "presbyter" might have written the Apocalypse, indicates no
doubt of the Apostolic authorship of the Gospel and the First Epistle.
The possibility that there were two Johns, who were both in some
sense disciples of the Lord (as Papias describes the "presbyter"),
who both lived in Asia Minor, and who were both more or less
concerned in the writing of the Fourth Gospel, cannot be denied. But
it is also possible that Papias has been misinterpreted, and that,
when he described the "presbyter" John, the disciple of the Lord, he
had only the Apostle John in mind. In this case we should be freed
from the necessity, involved in the theory of authorship we are
considering, of supposing that the Apostle had a mysterious alter
ego of the same name, who was with him alike in Palestine and in
Asia Minor, shared in a degree his authority and published the
substance of his teaching, and so completely merged his personality
in that of the Apostle that in the Gospel record no trace of a
separate "presbyter" can be found, and there is no mention of the
name of either John.
The First Epistle, supposed to be a sort of supplement to the Gospel,
is of importance in its bearing upon the question of authorship. As a
recent writer says: "The persistent note of authority which is
overheard, rather than heard, in the Epistles is the more impressive
because it is only implied. St. John assumes that his authority is
unquestioned and unquestionable by those Asians who are loyal to
the Christian tradition. When we compare his letters with those of
his younger contemporaries, we conclude that it was unquestionably
because he was an Apostle."[298]
Another mediating position, adopted by those who do not accept the
full Apostolic authorship, is found in a theory of partition, which
assigns a portion of the Gospel to the Apostle. The artistic unity of
the Gospel and the qualities of style which distinguish it from other
writings present a grave difficulty to any theory of partition. As a sort
of half-way house it will scarcely be permanently tenable. Of Spitta's
analysis, which assigns a part of the Gospel to the Apostle, it has
been objected by a critic of more radical sympathies that such an
admission places him outside the limits of scientific criticism.[299]
The stronghold of the evidence alike for and against the Johannine
authorship is to be found in the facts of the Gospel itself. On the one
hand a powerful argument, such as that which has been developed
by Lightfoot and Westcott, can be drawn to show that the author of
the Gospel must have been a Jew, a Jew of Palestine, a disciple of
Jesus, one of the inner circle of disciples, and in fact none other than
the "beloved disciple" himself. The internal facts of the Gospel are
used in a different way by others to show that the Fourth Gospel
differs so radically in scene, in the style of its discourses, and indeed
in its entire portrait of Jesus, that it cannot be accepted as historical,
or as the work of one of the disciples.
The difference in scene between the Galilean Gospels and the
Jerusalem Gospel presents no great difficulty, but the crux of the
problem is in the difference in style and subject matter. The Jesus of
the Synoptics cannot, it is said, have spoken in the style of the
discourses in John. Before this judgment can be accepted without
qualification, several points deserve to be noticed. The difference in
style is in part accounted for by the difference in subject matter and
in the character of the audience. There are out-croppings of the
Johannine style in the Synoptics, especially where the subject of
discourse is similar. The passage, Matthew xi. 25-30, which, as we
have seen, contains the essential teachings found in John xiv., is a
notable illustration. The Jerusalem audience again was different from
the Galilean audience. If it be said that when the Jesus of the Fourth
Gospel speaks in Galilee (John vi.) He uses the same mystical style
as when He speaks in Jerusalem, it should at least be considered
that the discourse in Capernaum is not given as a sample of the
usual synagogue preaching of Jesus. The scene clearly marks a crisis
in the ministry, a crisis indicated in the other Gospels by the northern
journey for retirement which immediately followed, but made more
intelligible by the supposition that the Capernaum discourse was
practically a clearer revelation to the Galilean audience of the
consciousness of Jesus and the spiritual character of His work. When
we recall that such expressions, familiar to John, as Logos, Lamb of
God, propitiation for sin, are never placed by John in the mouth of
Jesus, we have strong negative evidence that the discourses of
Jesus in the Fourth Gospel are not the free composition of the
author himself.
After all, the question of the style of the Fourth Gospel is not so
important as that of its contents. Does it draw an essentially
different picture of Jesus from that of the Synoptic writers, or does it
help us to fill out and to interpret the Synoptic portrait? Two
considerations of a general nature should be kept in mind. Ordinary
readers of the Gospels in all ages have seen no lack of unity in the
composite portrait of the four Gospels; and recent criticism has
shown that even to the sharp-sighted modern critic the harmony is
so great that one who rejects the historical character of John's
Gospel will also reject the Second Gospel, which was written from
the standpoint that Jesus is the Son of God (so Bousset), and is to
be distinguished from the Fourth Gospel in degree (graduel) rather
than in essence. The aim of Mark, and there is no reason to doubt
that he reaches his aim, is in fact the same as that of John, so far as
concerns his desire that his readers may believe that Jesus is the
Christ, the Son of God (John xx. 31).
If what the Synoptic Gospels say is true as to the words and the
works and the claims and the consciousness of Jesus, then we
should expect some such supplement as we find in John. We should
expect either more or less than we find in the Synoptic Gospels.
When we read of the Divine Voice at the baptism and the
transfiguration, we ask, What did Jesus Himself conceive His relation
to God to be? The full answer is in John. When we read, "Where two
or three are gathered together in my name, there am I in the midst
of them" (Matt. xviii. 20), we should expect fuller teaching on the
relation of Jesus to the disciples. This we have in the last discourses
in John. When we read in the Synoptists accounts of the teaching
and the mighty works, we turn to John for the full description of the
Teacher and Lord, and of the mighty Worker manifesting His glory.
The Synoptic Gospels tell us of the authority of Jesus and of His
office of judgment and of His founding a Church. In John we see the
ground of His authority in His relation to God and in His mystical
relation to the disciples. In the Synoptists we have the Last Supper
and general prophecies of the future and commands for the
guidance of the Church. We should expect some more intimate and
personal revelation of His relation to the disciples, such as is
furnished by the Johannine picture of the disciple whom Jesus loved,
and in the words, "Woman, behold thy son" (John xix. 26, 27); and
in the intimate discourse of John xiv.-xvi. When we read, once more,
that Jesus often retired for prayer, but in the Synoptic Gospels have
the record of only one or two of His petitions: "Remove this cup
from me.... Thy will be done" (see Luke xxii. 42 and compare xxii.
32), we expect some such enrichment of our knowledge of the
prayer-life of Jesus as is contained in John xvii.
The historical character of the Fourth Gospel is shown alike by the
light which it throws upon the course of events in the public ministry
and by the more subtle resemblances between John and the
Synoptists, so different in emphasis and shading that John's account
cannot well have been due to Synoptic tradition, and yet so much in
agreement as to give confidence that the same course of events
underlies both accounts. If we look at the outward course of events
under the guidance of writers such as Askwith[300] or A. E. Brooks,
[301] we see that John's picture of the earliest disciples in Judea may
throw light upon the narrative of the call of the four (Mark i. 16 f.).
The crisis in the ministry, indicated rather than explained in the
Markan narrative, is more intelligible in the light of John vi. The
hosannas of the Triumphal Entry into Jerusalem, as well as the
settled determination of the rulers to put Jesus to death, can be
better understood with the help of John's statements about Lazarus
(see John xii. 9-11); and the accusation of the witnesses, "We heard
him say I will destroy this temple" (Mark xiv. 58), and the weeping
of Jesus over Jerusalem (Matt. xxiii. 37) are again more intelligible in
view of the Johannine statements about the temple of His body
(John ii. 20, 21), and the accounts of His frequent visits to
Jerusalem.
Relationships of a more subtle kind may be found when John is
compared with the Synoptic Gospels. (1) The relation of Jesus to His
mother is the same in both. Compare Luke ii. 49, "Knew ye not that
I must be in the things of my Father"; and John ii. 4, "Woman, what
have I to do with thee?" The relation with His brethren is also the
same, their right to influence Him not being admitted. (2) The
causes of opposition are differently described, but are the same in
principle. In both Mark ii. and John v., the charges against Him are
those of blasphemy and Sabbath breaking, and in both cases are
made in connection with the miracle of healing. His defense of His
action in healing on the Sabbath day is the same in principle but
different in detail. In both there is an à fortiori argument: "How
much then is a man of more value than a sheep!" (Matt. xii. 12); "If
a man receive circumcision on the Sabbath ... are ye wroth with me
because I made a man every whit whole on the Sabbath?" (John vii.
23). In both cases His action is defended by reference to His unique
position, in the one case in His relation to God, "My Father worketh
hitherto" (John v. 17); and in the other case in His relation to men,
"The Son of man is lord even of the Sabbath" (Mark ii. 28). (3) The
relation of Jesus to various classes of people as described by John is
remarkably different in detail, but wonderfully similar in essence,
when compared with the Synoptic record. In each with entire
difference of scene and circumstance He meets with a woman that
was a sinner, but the essentials of penitence and the public
expression of gratitude are similar in both (Luke vii. 37 f.; John iv. 7
f.). No narratives could be more independent of each other than
those of the conversation with Nicodemus in John iii., and with the
rich young ruler in Mark x., yet in both cases the attitude of Jesus
towards an influential and upright and religious man was the same.
In spite of difference in language also, the words to Nicodemus, "Ye
must be born again" (John iii. 7), do not differ in their radical
demands from the words addressed to the ruler, "One thing thou
lackest: go, sell whatsoever thou hast and come, follow me" (Mark x.
21).
The comparison might be continued indefinitely, but only to show
that the picture of Jesus and of His relation to the Father, and to His
disciples, to publicans and sinners, to the Pharisees, to women, and
to the human race as Saviour and Judge, is so different in John that
it cannot be due merely to the influence of the Synoptic tradition,
and yet so identical in substance that it cannot possibly, with any
regard for literary probabilities, have been the free invention of the
writer.
It is generally agreed that the writer of the Fourth Gospel took for
granted in his readers an acquaintance with the narrative or the
tradition of the Synoptic Gospels. He would not have written unless
he had some new light to throw upon the figure of Jesus, or some
deeper insight into His personality and work. The photograph and
the portrait may not perhaps agree in their mechanical
measurements, but to one who knows the subject the portrait may
reproduce the original as faithfully, and even more adequately, than
does the photograph. Each is useful for its own purpose, but both
together are needed to give us the body and the soul, the exact
features and the expression, the total impression of the personality.
The criticism of the Gospels has thrown the figure of Jesus into
strong relief, not only against the background of His time, but
against the background of humanity in general. In its recent
developments, it has left us practically with the choice between the
Christ of the four Gospels or a shadowy figure to be found in none of
them. The true historical Jesus that criticism has brought before us
is clad in the coarse garments of Galilee, but with the glory of the
only-begotten of the Father, full of grace and truth.
The searchlight of modern knowledge is the fierce light that beats
upon the throne. As nature and the human soul and the
relationships of thought and the phenomena of religion and the book
of revelation are more fully studied, the majesty and beauty of the
central Figure in history is more clearly revealed. Each age sees a
new glory in Jesus Christ. "It is one of the evidences of the moral
greatness of Jesus," says Peabody, "that each period in Christian
history, each social or political change, has brought to view some
new aspect of His character and given Him a new claim to
reverence." The modern age sees in Him and in His Cross of love
and sacrifice the guide and inspiration of its ethical and social
advance. It sees in Him and in His Cross the solution, so far as
ultimate solution may be possible, of its deepest intellectual
problems. It sees in Him not merely a Guide and a Revealer, but a
Redeemer from sin and the Giver of Eternal Life.
Bibliography of Recent Important Works
For Chapter I
Harnack, A. Das Wesen des Christentums, 1900, 2d ed., 1908;
What is Christianity? 1901, 2d ed., 1910. Sprüche und Reden
Jesu, 1907; The Sayings of Jesus, 1908.
Aus Wissenschaft und Leben, 2 vols., 1911.
Loisy, A. L'Évangile et l'Église, 3d ed., 1904; The Church and the
Gospel, 1903.
Bousset, W. Was wissen wir von Jesus? 1904.
Kyrios Christos; Geschichte des Christusglaubens von den
Anfängen des Christentums bis Irenæus, 1913.
Schumacher, H. Die Selbstoffenbarung Jesu bei Mat 11, 27 (Luc
10, 22), 1912 (Freiburger Theologische Studien, Heft 6).
Schweitzer, A. Von Reimarus zu Wrede, 1906; The Quest of the
Historical Jesus, 1910.
Drews, A. Die Christusmythe, 4th ed., 1911; The Christ-Myth, 3d
ed., 1910.
Warfield, B. B. The Lord of Glory, 1907; and recent articles in
theological reviews.
Thorburn, T. J. Jesus the Christ: Historical or Mythical? 1912.
For Chapter II
Darwin and Modern Science. Edited by A. C. Seward, 1909.
Anniversary Volume by Various Authors.
Fifty Years of Darwinism, 1909. Anniversary Volume by Various
Authors.
Weismann, A. The Evolution Theory, 2 vols., 1904.
Wallace, A. R. The World of Life, 1911. Man's Place in the
Universe, 3d ed., 1905.
Morgan, T. H. Evolution and Adaptation, 1908.
Henderson, L. J. The Fitness of the Environment, 1913.
Thomson, J. A. The Bible of Nature, 1908.
Merz, J. T. History of European Thought in the Nineteenth
Century. Vol. II, 1903.
Herbert, S. First Principles of Evolution, 1913.
For Chapter III
James, W. Varieties of Religious Experience, 1903. The Will to
Believe, and Other Essays in Popular Philosophy, 1902.
Starbuck, E. D. The Psychology of Religion, 1900.
Ames, E. C. The Psychology of Religious Experience, 1910.
Leuba, J. H. A Psychological Study of Religion, 1912.
Pratt, J. B. The Psychology of Religious Belief, 1907.
Stevens, George. The Psychology of the Christian Soul, 1911.
Royce, J. The Sources of Religious Insight, 1912.
Begbie, H. Twice-Born Men, 1909.
Jastrow, Joseph. The Subconscious, 1906.
Coe, George A. The Religion of a Mature Mind, 1902.
Hall, G. Stanley. Adolescence, 1904.
For Chapter IV
Bergson, Henri. L'Évolution Créatrice, 7th ed., 1911; Creative
Evolution, 1911.
LeRoy, Edouard. The New Philosophy of Henri Bergson, 1913.
Eucken, Rudolf. Der Wahrheitsgehalt der Religion, 3d ed., 1912;
The Truth of Religion, 2d Eng. from 3d German ed., 1913.
Können wir noch Christen sein? 1911; Can We Still Be
Christians? 1914.
Jones, W. Tudor. An Interpretation of Rudolf Eucken's Philosophy,
1912.
Hermann, E. Eucken and Bergson: Their Significance for Christian
Thought, 1912.
Gibson, W. R. Boyce. Rudolf Eucken's Philosophy of Life, 3d ed.,
1912.
Ward, James. The Realm of Ends, 1911.
Royce, Josiah. William James and Other Essays, 1911.
The Problem of Christianity, 2 vols., 1913.
For Chapter V
Clemen, Carl. Religionsgeschichtliche Erklärung des Neuen
Testaments, 1909; Primitive Christianity and Its non-Jewish
Sources, 1912.
Der Einfluss der Mysterienreligionen auf das älteste
Christentum, 1913.
Reitzenstein, R. Poimandres: Studien zur griechisch-ägyptischen
und frühchristlichen Literatur, 1904.
Die Hellenistische Mysterienreligionen, 1910.
Cumont, F. Les Religions Orientales dans le Paganisme Romain,
2d ed., 1909; The Oriental Religions in Roman Paganism, 1911.
Kennedy, H. A. A. St. Paul and the Mystery Religions, 1913.
Mead, G. R. S. Thrice Greatest Hermes, 3 vols., 1906.
Fowler, W. Warde. The Religious Experience of the Roman
People, 1911.
Mackenzie, W. D. The Final Faith, 1910.
Marett, R. R. The Threshold of Religion, 1914.
Religionsgeschichtliche Volksbücher, begun in 1904.
For Chapter VI
Orr, James. The Problem of the Old Testament, 1906.
Harnack, A. Beiträge zur Einleitung in das Neue Testament: I.
Lukas der Arzt, 1906 (Luke the Physician, 1907); II. Sprüche
und Reden Jesu, 1907 (The Sayings of Jesus, 1908); III. Die
Apostelgeschichte, 1908 (The Acts of the Apostles, 1909); IV.
Neue Untersuchungen zur Apostelgeschichte und zur
Abfassungszeit der Synoptischen Evangelien, 1911 (The Date of
the Acts and of the Synoptic Gospels, 1911).
Ramsay, Sir W. M. Pauline and Other Studies in Early Church
History, 1906.
Koch, Heinrich. Die Abfassungszeit des lukanischen
Geschichtswerkes, 1911.
Sanday, W. (Ed.). Studies in the Synoptic Problem, 1911.
The Criticism of the Fourth Gospel, 1905.
Stanton, Vincent H. The Gospels as Historical Documents, Part II,
The Synoptic Gospels, 1909.
Holdsworth, W. W. Gospel Origins: A Study in the Synoptic
Problem, 1913.
Hawkins, Sir John C. Horæ Synopticæ, 2d ed., 1909.
Moffatt, James. An Introduction to the Literature of the New
Testament, 1911.
Allen, W. C. and Grensted, L. W. Introduction to the Books of the
New Testament, 1913.
Drummond, James. An Inquiry Into the Character and Authorship
of the Fourth Gospel, 1904.
Bacon, Benjamin W. The Fourth Gospel in Research and Debate,
1910.
Worsley, F. W. The Fourth Gospel and the Synoptists, 1909.
Schaefer, Aloys. Einleitung in das Neue Testament, 1913.
Index
Abbot, Ezra, 228
Absolute, the, 125, 127, 147, 162
Activism, 138, 139
Acts of the Apostles,
credibility of, 206-210, 215-216;
authorship of, 209;
date of, 210-215
Adolescence and conversion, 107-110
Adonis, 166
Allen, Grant, 58
Allen and Grensted, 232
Ames, E. C., 115, 117
Arrhenius, S. A., 76
Askwith, E. H., 238
Atonement, 157-160
Augustine, 93, 94, 98-99, 110
Bacon, B. W., 35
Baldwin, J. M., 63
Bardsley, H. J., 233
Bartlett, J. V., 219
Bateson, W., 65
Baur, F. C., 203, 204, 217
Begbie, H., 96
Bergson, H., 62, 63, 69, 73, 127-137, 146, 163
Bernoulli, C. A., 234
Booth, M., 144
Bousset, W., 20, 35, 38, 40-42, 46, 48, 174-176, 184, 188, 222, 223
Brooks, A. E., 238
Brooks, Phillips, 29
Browning, R., 162
Buddhism, 170
Carlyle, T., 43, 119
Carter, J. B., 96
Cheyne, T. K., 168
Christian experience, 53, 144;
evidence of, 122-124
Christianity, essence of, 15, 26, 27, 54;
of the New Testament writers, 16-21;
primitive and Pauline, 21-26;
of Jesus and Paul, 26-34;
doctrinal, 52, 54-55, 157-158;
Eucken's relation to, 142-145;
what is vital in, 156-158;
and ancient religions, 165-193;
and modern religions, 193-197
Christology, 161, 162, 175;
of Paul, 15, 23;
of Mark, 20, 223, 236;
of Jesus, 35-44;
and ethics, 28-35
Clemen, C., 168, 170, 181, 187, 189
Clifford, W. K., 93
Coe, G. A., 90
Confucius, 167-168
Conklin, E. A., 79
Conversion, 96-99, 107-110, 123
Copernicus, 60, 85
Creed, J. M., 189
Cumont, F., 178, 180
Darwin, C., 56, 85, 129
Darwinism, see Evolution
DeBoor fragment, 231
Deissmann, A., 172, 176
Dewey, J., 127
Dobschütz, E. von, 42, 53-54, 182
Drews, A., 45, 46, 48, 50
Driesch, H. A. E., 70
Drummond, Henry, 89
Drummond, James, 228
Edwards, Jonathan, 89, 122
Eigenmann, C. H., 62
Eimer, G. H. J., 63
Élan vital, see Vital impulse
Eliot, C. W., 197
Emerson, R. W., 58, 89
Emperor, worship of, 172-177
Environment, fitness of, 60, 68-69
Ephesians, epistle to, 204
Epigenesis, 73-75, 81, 83
Epiphanius, 229
Ethics, of Jesus and Paul, 27-35;
Christian, 51
Eucken, R., 33, 91, 137-146, 163
Eusebius, 232
Evolution, 56;
as unfavourable to religion, 57-58;
as favourable to religion, 59-60;
and the Copernican theory, 60-61;
method of, 61-66;
meaning of, 66-82;
and design, 66-73;
and theism, 82-85;
creative, 127-136
Faith, salvation by, 102, 104
Finalism, 132-134
Fletcher, M. S., 116
Forrest, D. W., 122
Fowler, W. Warde, 192
Fox, George, 107, 118
Franckh, 170
Frazer, J. G., 46
Georgios Hamartolos, 230, 231
Goethe, 228
Gospel, the double, 25, 53-54
Grace, 159-161
Gregory, E. L., 122
Grützmacher, R. H., 171
Haeckel, E., 58, 139
Hale, E. E., 101
Hall, G. S., 107
Harnack, A. von, 18, 25, 26, 27, 37, 38, 52, 53, 188, 207-211, 215, 216, 225
Hartmann, E. von, 128
Hase, K. A., 39
Hatch, E., 183
Hawkins, Sir J. C., 208, 211, 219, 221
Headlam, A. C., 204
Headley, F. H., 83
Hegel, 146-162
Heitmüller, W., 182
Henderson, L. J., 68, 69
Herbert, S., 65
Heredity, 61
Hermas, Shepherd of, 185, 190-192
Hermes, 189-192
Hermetic literature, 185-188, 189
Höffding, H., 121
Holdsworth, W. W., 221, 223, 238
Holtzmann, H. J., 214
Hügel, Baron F. von, 73
Huxley, T. H., 67, 85
Immortality, 59, 129, 130, 141, 152-154
Incarnation, 157, 162-163
Inge, W. R., 90
Intellectualism, 140
Ishtar, 171
Jackson, H. L., 224
James, William, 89, 90, 92, 100, 102, 104, 111-114, 119-120, 122, 125, 137
Jastrow, J., 102, 111
Jesus Christ, passion, 16-20, 41-42;
resurrection, 16-18, 25, 143;
person, 20;
authority, 31-32;
character, 31, 43-44, 51;
liberal view of, 44-49, 143-144;
mythical view of, 45-47
John, Gospel of, 227-242;
authorship of, 228-229;
external evidence, 229-233;
internal evidence, 234-238;
historical value, 238-242
Josephus, 211, 213-215
Justin, 170
Kalthoff, A., 22

Safety And Reliability Of Industrial Products Systems And Structures Harcdr Carlos Guedes Soares

  • 6.
    SAFETY AND RELIABILITY OF INDUSTRIAL PRODUCTS, SYSTEMS AND STRUCTURES
  • 7.
    Safety and Reliability of Industrial Products, Systems and Structures
    Editor: C. Guedes Soares
    Technical University of Lisbon, Instituto Superior Técnico, Portugal
  • 8.
    CRC Press/Balkema is an imprint of the Taylor & Francis Group, an informa business
    © 2010 Taylor & Francis Group, London, UK
    Typeset by Vikatan Publishing Solutions (P) Ltd., Chennai, India
    Printed and bound in Great Britain by Antony Rowe (a CPI Group Company), Chippenham, Wiltshire

    All rights reserved. No part of this publication or the information contained herein may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, by photocopying, recording or otherwise, without written prior permission from the publisher.

    Although all care is taken to ensure integrity and the quality of this publication and the information herein, no responsibility is assumed by the publishers nor the author for any damage to the property or persons as a result of operation or use of this publication and/or the information contained herein.

    Published by: CRC Press/Balkema, P.O. Box 447, 2300 AK Leiden, The Netherlands
    e-mail: [email protected]
    www.crcpress.com – www.taylorandfrancis.co.uk – www.balkema.nl
    ISBN: 978-0-415-66392-2 (Hbk + CD-ROM)
    ISBN: 978-0-203-81865-7 (eBook)
  • 10.
    Safety and Reliability of Industrial Products, Systems and Structures – Guedes Soares (ed)
    © 2010 Taylor & Francis Group, London, ISBN 978-0-415-66392-2

    Table of contents

    Preface
    Project organizational structure

    Framework documents
    • General framework for safety and reliability of industrial products, systems and structures
      C. Guedes Soares
    • Framework for integrated risk assessment
      E. Kragh, M.H. Faber & C. Guedes Soares
    • Framework for safety, security and sustainability risk management
      A.G. Hessami
    • Framework for maintenance planning
      C. Guedes Soares, J. Caldeira Duarte, Y. Garbatov, E. Zio & J.D. Sorensen
    • Framework for assessment and life extension of existing structures and industrial plants
      Ch. Bucher, M. Brehm & H. Bolt

    Risk assessment methodology
    • Risk acceptance criteria in Europe
      V.M. Trbojevic
    • Acceptable safety levels by a socio-economic approach
      R. Rackwitz
    • Risk assessment of natural hazards with applications to landslides and abnormal waves
      P.H.A.J.M. van Gelder, F. Nadim & C. Guedes Soares
    • Efficient practice of risk assessment in design process
      S. Medonos
    • Consequences of explosions in various industries
      J. Czujko
    • Fire risk assessment in buildings
      M. Holický

    Human and organisational factors in risk assessments
    • Techniques for human reliability evaluation
      H. Bolt, J. Morris, M. Pedrali, P. Antão & C. Guedes Soares
    • Analysing the impact of human factors in transport systems
      J. Drobiszewski & Z. Smalko
    • On projects’ and organizations’ performance uncertainty
      Ove T. Gudmestad & R.R. Stoelsnes
  • 11.
    Reliability based design
    • Overview of structural reliability methods
      T. Vrouwenvelder & H. Karadeniz
    • Methods of structural reliability applied to design and maintenance planning of ship hulls and floating platforms
      C. Guedes Soares, Y. Garbatov & A.P. Teixeira
    • Discrete multicriteria reliability-based optimization of spatial trusses
      S. Jendo & E. Silicka
    • Continuous and discrete reliability-based optimization of truss structures
      R. Stocki, K. Kolanek, S. Jendo & M. Kleiber

    Assessment of existing structures and life extension
    • Condition monitoring and remaining life assessment approach at the EDP Group
      M.P. Gomes Maia
    • Reliability assessment of a primary school
      M. Holický & J. Marková
    • Seismic assessment and retrofitting of existing structures in Romania: Background, programs, regulatory basis
      D. Lungu & I. Craifaleanu

    Risk based inspection and maintenance planning
    • Maintenance optimization for structures by a renewal model
      A. Joanni & R. Rackwitz
    • Maintenance modelling and optimization applied to safety-related equipment at nuclear power plants
      S. Martorell, J.F. Villanueva, S. Carlos & A. Sánchez
    • Maintenance modeling and optimization applied to power distribution networks
      R. Briš, S. Rusek & R. Goňo
    • Applications of probabilistic safety assessment for vulnerability analyses
      M. Čepin
    • Two computational methods for performing availability analysis of power-systems
      M. Bouissou & A.P. Ulmeanu
    • Production availability
      J-P. Signoret
    • Application of reliability centred maintenance in ship operations
      J. Wang, A. Pillay & A. Mokashi
    • Corrosion of steels in marine environment, monitoring and standards
      M. Panayotova, Y. Garbatov & C. Guedes Soares

    Strategy in the various industrial sectors
    • Application of safety and reliability approaches in the power sector: Inside-sectoral overview
      K. Lauridsen, E. Hollo & I. Kozine
    • Risk-based approaches to maritime safety
      C. Guedes Soares, A.P. Teixeira & P. Antão
  • 12.
    • Optimization of operational safety in tunnels
      M. Holický
    • Integrating QRA and SRA methods within a predictive Bayesian approach: An example from offshore projects
      W. Rettedal & T. Aven

    Author index
  • 14.
    Preface

    Risk Assessment is a fundamental support for decisions related with design, construction, operation and maintenance of industrial products, systems and infrastructures. Risks are influenced by design decisions, by the process of construction of the systems and infrastructures and by the way in which they are operated and maintained. Different aspects are more important in the various phases and types of activities and different methods have been developed to deal with them.

    Risk Analysis techniques have been used to study accidental situations, to assess their probability of occurrence and to indicate design measures and barriers that can prevent them or mitigate their effect. Structural reliability theory has been used to design structures and structural systems subjected to operational loads and to proper utilization and operation. Human reliability analysis has concentrated on the failures that can be induced by operators of systems, which create situations that have not been considered in the design process and which can lead to large scale accidents. Human errors can also occur in the design and building phase although it is in the operational phase that they tend to occur more often.

    This overall description shows that these three types of methods concentrate on different aspects that complement each other and that in many cases can be considered separately. It is because of this and of the different characteristics of the techniques developed in each of the fields that the respective specialists have had little interaction and few efforts have been made to integrate the methods.

    Most accidents are due to human actions either as initiating events or as failing to interrupt the series of accidental events that lead to catastrophic failure. However, many of them also involve structures and thus it becomes clear that a comprehensive picture is only obtained when these three aspects are dealt with in a complementary fashion.

    This has been the emphasis of the SAFERELNET project and of this book that deals with safety and reliability of industrial products, systems and structures. It covers all aspects of safety issues related to: Risk Assessment Methodology; Human and Organisational Factors in Risk Assessments; Integration of Risk and Reliability Formulations; Reliability Based Design; Assessment of Existing Structures and Life Extension; Risk Based Inspection and Maintenance Planning. The focus is on safety-critical systems in all types of industrial plant, equipment, structural system, building and other civil engineering facilities.

    The SAFERELNET project was an important initiative at European level, involving about 70 institutions, and 200 participants, addressing the questions related with the assessment and management of safety and reliability of industrial products, systems and structures. It was a thematic network and thus it did not aim at doing research but at reviewing the state-of-the-art so as to identify emerging ideas and solutions which hold promise for practical implementation and also reviewing the current practice in different countries and different industrial sectors with a view to identify the “best” practices.

    It intended to identify gaps in practice in different industrial sectors and countries considering the industrial problems for which there are no satisfactory technical solutions, the gaps between practice and research, the gaps in the level of technology used between countries, and the gaps in the level of technology used between industrial sectors.

    Most of the project members were from the Oil & Gas, Process, Power, Highways, Maritime and Building sectors, and this is reflected in the type of approaches dealt with and in the comparisons between industrial practices that were made. An initial effort was made to compare the practice of application of safety and reliability approaches in these sectors and this has identified some main directions (Guedes Soares et al., 2003) that were then followed in the project. It was identified that:
    • There is a need to define a generic risk management framework which addresses all aspects which have an influence on safety. This framework can then be customised to individual sectors at a level which is appropriate.
    • Integration of Quantitative Risk Analysis, Human and Organisational Factor Analysis and Structural Reliability Analysis is critical for the evaluation of total risk of an installation and for addressing all hazards on a consistent basis.
  • 15.
    • The approach for setting risk acceptance criteria needs to be consistent with the above methodology for integrated risk analysis.
    • The methodologies for risk and reliability based maintenance management need to recognise that there will be typically many hundreds of components within a plant and many thousands of assets within a transport network.
    • Besides safety, the main drivers for maintenance management are cost, availability, reliability and sustainability. For industrial plants in process, power and oil & gas sectors the maintenance spending is governed by active components and therefore every effort should be made to develop a consistent framework for the maintenance management of both active and passive (structural) systems.
    • Decisions on reassessment and life extension need to take account of all systems in an installation and hence a consistent framework is needed to address both active and passive systems.

    These conclusions have guided the work developed later, a good part of which is included in this book. An important aspect has been the development of an integrated methodology that addresses fundamental problems in risk and reliability analysis with the aim of consistently modelling and quantitatively treating the different types of uncertainties governing the decision problems of the modern “sustainable” society.

    The methodology is here presented in four framework documents addressing specific complementary topics involved in the systematic and integrated treatment of risk applicable to any industry:
    • Integrated Risk Assessment
    • Risk Management
    • Maintenance Planning
    • Assessment and Life Extension.

    This set of documents is complemented by various papers within each of those areas presenting in more detail a survey of available techniques, examples of application to specific problems or surveys of the state of affairs within industrial sectors.

    It is hoped that this overview will be useful to provide the common features of the application of safety and reliability of industrial products, systems and structures in different industrial sectors.

    C. Guedes Soares
    Technical University of Lisbon, Instituto Superior Técnico, Portugal

    REFERENCES
    Guedes Soares, C., Shetty, N., Hagen, O., Teixeira, A.P., Pardi, L., Vrouwenvelder, A., Kragh, E. and Lauridsen, K. Applications of Safety and Reliability Approaches in Various Industrial Sectors. Safety and Reliability, Bedford, T. and van Gelder, P., (Eds.), Lisse: Swets & Zeitlinger; 2003; pp. 719–726.
  • 16.
    Project organizational structure

    SAFERELNET was a Thematic Network funded by the 5th Framework Programme of the Commission of the European Communities, under contract number G1RT-CT-2001-05051.

    NETWORK COORDINATOR
    Instituto Superior Técnico, Portugal (C. Guedes Soares)

    NETWORK STEERING COMMITTEE
    Bauhaus—University of Weimar, Germany (C. Bucher, M. Brehm)
    D’Appolonia S.p.A., Italy (M. Pedrali, E. Noce)
    EQE International Ltd., UK (V. Trbojevic)
    Instituto Superior Técnico, Portugal (C. Guedes Soares)
    Norwegian University of Science and Technology, Norway (B.J. Leira)
    PAFA Consulting Engineers, UK (P. Smedley)
    RCP Consult GmbH, Germany (R. Rackwitz, S. Gollwitzer)
    Swiss Federal Institute of Technology, Switzerland (M.H. Faber, O. Kübler)
    WSAtkins Consultants Ltd, UK (N. Shetty, B. Commandeur)

    NETWORK PARTNERS AND CONTACT POINTS
    1. Aalborg University, Denmark (J.D. Sorensen)—Subcontracted to COWI A.S.
    2. Aker Offshore Partner, Norway (O.T. Vardal)
    3. Autostrade, Italy (L. Pardi)
    4. Bauhaus—University of Weimar, Germany (C. Bucher, M. Brehm)
    5. Biuro Projektow Architektonicznych I Budowlanych (AiB), Poland (J. Perzynski)
    6. BOMEL Limited, UK (H. Bolt)
    7. Budapeste University of Technology and Economics, Hungary (G. Szabo)
    8. Bureau Veritas, France (J. Goyet)
    9. Caminhos de Ferro Portugueses, Portugal (V.M.S. Risota)
    10. CEA—Nuclear Reactor Division, France (N. Devictor, M. Marques)
    11. COWI Consulting Engineers & Planners AS, Denmark (E. Kragh)
    12. Companhia Portuguesa de Produção de Electricidade SA, Portugal (A.J. Sequeira)
    13. Czech Technical University in Prague, Klokner Institute, Czech Republic (M. Holický)
    14. D’Appolonia S.p.A., Italy (M. Pedrali, E. Noce)
    15. Den Norske Stats Oljeselskap A.S., Norway (O. Gudmestad)
    16. Det Norske Veritas, Norway (O. Hagen, E. Bitner-Gregersen)
    17. Electricité de France, France (A. Lannoy)
    18. EQE International Ltd., UK (V. Trbojevic)
    19. EURO-CYNK Gdynia Ltd., Poland (C. Pawluk)
    20. FORCE Technology Norway AS, Norway (J. Czujko)
    21. Gdynia Maritime Academy, Poland (K. Kolowrocki)
    22. Highways Agency UK, UK (V. Hogg)
    23. Institut “Josef Stefan” (IJS), Slovenia (M. Čepin)
  • 17.
    24. Institute of Construction & Architecture of the Slovak Academic of Sciences, Slovakia (Z. Sadovsky)
    25. Institute of Fundamental Technology Research, Poland (S. Jendo)
    26. Instituto Superior Técnico, Portugal (C. Guedes Soares)
    27. Instituto Tecnológico para a Europa Comunitária, Portugal (P. Antão)
    28. Liverpool John Moores University, UK (J. Wang)
    29. LISNAVE, Portugal (A. Correia Rodrigues)
    30. MARINTEK, Norway (A. Bjorset)
    31. National Building Research Institute, Romania (D. Lungu)
    32. National Galati University “Dunarea de Jos”, Romania (I. Matulea)
    33. Norwegian Geotechnical Institute, Norway (F. Nadim)
    34. Norwegian University of Science and Technology, Norway (B.J. Leira)
    35. PAFA Consulting Engineers, UK (P. Smedley)
    36. Petrellus Limited, UK (S. Medonos)
    37. Polish Airlines LOT S.A., Poland (R. Sontowski)
    38. Polish National Energy Conservation Agency, Poland (K. Adamzcewska)
    39. Polish Register of Shipping Joint-Stock Company, Poland (A. Kowalski)
    40. Polytechnic of Milan, Italy (E. Zio)
    41. QUEST Consulting Limited, UK (M. Wilson)
    42. Railtrack PLC, UK (B. Bell)
    43. RCP Consult GmbH, Germany (R. Rackwitz, S. Gollwitzer)
    44. Risø National Laboratory, Denmark (I. Kozine)
    45. S.C. ICEPRONAV S.A., Romania (S. Brazdis)
    46. Ship Design and Research Center—CTO, Poland (J. Dudziak)
    47. Ship Machine—Building J.S. Co., Bulgaria (I. Daskalov)
    48. SOPORCEL—Sociedade Portuguesa de Papel, S.A., Portugal (A. Quental Martins)
    49. Swiss Federal Institute of Technology, Switzerland (M.H. Faber, O. Kübler)
    50. Tallinn Technical University, Estonia (P. Tint)
    51. Technicatome, France (J.L. Pelletier)
    52. TECNOMARE S.p.A., Italy (W. Priotti)
    53. TRANSGÁS—Sociedade Portuguesa de Gás Natural SA, Portugal (A. Lacerda Nobre)
    54. Technical University of Delft, The Netherlands (H. Karadeniz)
    55. Technical University of Ostrava, Czech Republic (R. Bris)
    56. Technical University of Sofia, Bulgaria (G.I. Petkov)
    57. Technical University of Szczecin, Poland (A. Krystosk)
    58. Technical University of Varna, Bulgaria (P. Antonov, P. Kolev)
    59. The University of Liverpool, UK (H. Najafian)
    60. TotalFinaElf, France (J.P. Signoret)
    61. University of Mining and Geology, Bulgaria (M. Panayatova)
    62. University Politehnica of Bucharest, Romania (P. Ulmeanu)
    63. University of Surrey, UK (T. Onoufriou)
    64. VEIKI Institute for Electric Power Research Co., Hungary (E. Hollo)
    65. VTT Industrial Systems, Reliability and Risk Management, Finland (V. Rouhiainen)
    66. Warsaw University of Technology, Poland (Z. Smalko)
    67. Wroclaw University of Technology, Poland (W. Zamojski)
    68. WSAtkins Consultants Ltd., UK (N. Shetty, B. Commandeur)
    69. University of Valencia, Spain (S. Martorell)
  • 18.
    Framework documents
  • 20.
    General framework for safety and reliability of industrial products, systems and structures

    C. Guedes Soares
    Instituto Superior Técnico, Technical University of Lisbon, Lisbon, Portugal

    ABSTRACT: This paper introduces the general framework for safety and reliability of industrial products, systems and structures, by explaining the logic of its four main components and how each of the four specific documents relate to each other. A central idea is that an integrated risk assessment must be conducted as a support for decision making, in which techniques that sometimes have been dealt separately need to be considered in an integrated way, namely risk assessment, structural reliability and human and organizational factors. These principles are applied to risk assessment, risk management, maintenance planning and assessment and lifetime extension. The documents are of a general nature being applicable to any industrial sector.

    1 AIMS AND SCOPE

    The economic drivers behind modern human activities raise pressures in all industries to be efficient and competitive. On the other hand, safety of the people and protection of the environment are the critical values underpinning sustainable development and progress. Recent developments show an increasing need to consider social and cultural aspects, as well.

    This leads to the challenge of providing safe and cost-effective solutions to products, systems, facilities and structures across different industries. To meet the challenge, the safety, reliability and availability requirements, which are critical to efficiency and cost, need to be ensured not only in the design and manufacturing phases but also during the operational and ageing phases of the products and facilities. This requires an integrated treatment of the technical and organizational aspects involved in design, production and operation, in the face of dynamically changing work organisations and including the extended use of information technologies.

    In light of this, the scope of the developed methodology is precisely the integrated treatment of the design, production and operation of safe, environmentally-friendly, socially acceptable, and cost-effective industrial products and systems.

    The main emphasis is on the use of risk- and reliability-based methods for the optimal design of products, production facilities, industrial systems and structures from the point of view of balancing the economic aspects associated with providing predefined safety levels with the associated costs of maintenance and profits from service availability.

    A major issue to be properly addressed by the integrated methodology is the need to extend the lifetime of products, structures and facilities and to monitor that this extension is done without degrading their safety levels of operation. Within the integrated methodological approach proposed, this entails the development of specific strategies and procedures tailored to each industry. This is achieved by modelling the reliability of the systems throughout their lifetime so as to be able to study the impact of new maintenance and repair schemes on system safety, life cycle costs, reliability, serviceability and quality. Proper methods for the assessment of existing structures and equipment must be integrated with proper approaches and criteria for extending their lifetime while maintaining the required safety levels and providing competitive levels of reliability and availability.

    The integrated methodology addresses fundamental problems in risk and reliability analysis with the aim of consistently modelling and quantitatively treating the different types of uncertainties prevailing the decision problems of the modern “sustainable” society.

    The methodology is here presented in four framework documents addressing specific complementary topics involved in the systematic and integrated treatment of risk applicable to any industry:
    • Integrated Risk Assessment
    • Risk Management
    • Maintenance Planning
    • Assessment and Life Extension

    The framework documents are aimed at presenting an overview of the main aspects that
  • 21.
    need to be taken into account for a rational, integrated risk assessment and management, together with the proper frameworks, methods and approaches needed. Established best practices and generic, industry-independent issues are addressed and approaches are presented with no reference to particularities that are specific of each industry.

    The documents are aimed at being used by the managers and specialists involved in the process of ensuring safety and reliability of industrial products, systems and structures. As such, they require basic knowledge of risk and reliability, but not necessarily a detailed expertise.

    2 ORGANISATION OF THE DOCUMENTS

    The first document presents the general methodology for integrated risk assessment, including the issue of risk acceptance criteria which is the key to interpret and rationally manage the results of risk assessments.

    Risk is understood as the expected consequences from a given industrial activity and thus is the result of the probability of occurrence of undesired events and their consequences. Its assessment needs both adequate models and methods and appropriate data. Concerning the latter, relevant and informative data is sometimes difficult to find, particularly for low-probability events which may very well be critical because associated with accidental situations of large consequences. In these cases, one may resort to expert judgment within a subjective interpretation of probability and decision making.

    The formalised analysis and quantification of the influence that human and organisational factors have on safety needs to be incorporated in the integrated risk assessment methodology. In this respect, the advances that have been made in the discipline of human reliability lend themselves to integration in the overall risk assessment.

    Structural reliability theory has been developed to deal with models of structural behaviour and to predict probabilities of failure based on the laws of mechanical behaviour of materials. Although quantified risk assessments and structural reliability analyses are used as complementary techniques for an improved overall assessment of safety, seldom there is enough integration of their results. In this respect, the aim is that of improving the integration of these techniques, including also the above discussed human reliability formulations.

    Risk assessment can be required at different stages of planning and operation of the infrastructures and systems. They are important contributions to a risk management strategy which involves a series of actions that aims at keeping risk within predefined levels. Risk management, which is treated in the second document, needs to be conducted through the whole life-cycle and it addresses all elements that can contribute to risk.

    Cost-effectiveness and safety cannot be obtained solely by design. Maintenance plays a fundamental role in counteracting degradation effects, which are present in all infrastructures and industrial products. Therefore, maintenance planning, which is dealt with in the third document, is a very critical aspect to consider both during the design and during the whole life span of operational use, within an integrated framework founded on risk- and reliability-based techniques.

    A major current problem to be addressed is related to the use in many industries of long-existing infrastructures which are being questioned on whether they can continue being fully utilised beyond their original design lifetime. This poses the problem of evaluating the state of health of the involved systems, structures and components, a task which entails proper modelling and the identification of the load history to which they were subjected. The integration of the knowledge of the health state with the design criteria set at the time the facility was constructed allows the assessment of the available residual strength and safety. These need to be rationally weighed against appropriately established target safety levels, in order to consciously license life extension, which is treated in the fourth referred document.

    The results of the application of the integrated methodology are expected to contribute to the competitiveness of industries in Europe. Indeed, when correctly implemented, integrated risk analysis and management support significant cost savings and provide enhanced control of the risks to personnel, public and environment. The economic gains for the industrial sectors will include increased productivity, reduced costs for design, construction and operation, minimised use of natural resources, improved competitiveness, and better exploitation of the products. Benefits for the consumers and end-users will include improved services, environmental quality, well-being and mobility. A significant impact is also expected in terms of reduction of work injuries and fatalities.

    Figure 1 demonstrates the connection between the single framework documents within a simplified view to the life cycle of any structure, facility or product. However, depending on the considered object and its restraints not all items will be weighted equally with respect to importance. To ensure low costs during the lifetime, risk assessment, risk management, as well as maintenance planning have to be involved in early design phases. As soon as design and the construction are completed, the management of risk and maintenance
work will coordinate the further inspections and corresponding restorations or replacements. If a special event (e.g., earthquake, dramatic deterioration) occurs or the end of (re)design lifetime is reached, the assessment process will be activated, where a detailed inspection of the object is foreseen. In case the doubts are confirmed, the object has to be assessed, redesigned, and repaired, or strengthened. Similar to the design phase, risk issues have to be considered. Consequently, an update of the maintenance and risk management plan is necessary. Assuming the risk is too high and cannot be managed, or it is not possible or worthwhile to repair or strengthen the object, it should be demolished, which is indeed the final end of the lifetime of the facility, plant, structure, or product.

Figure 1. Application of framework documents within a life cycle of a facility or structure. The colours indicate the covered issue of each framework document. (Flowchart labels: design & construction including initial risk assessment and plans for risk management and maintenance; maintenance according planning; special event or end of (re)design lifetime? (yes/no); assessment necessary? (yes/no); assessment of the object and corresponding risk; repair & strengthening; updating of plans for risk management and maintenance; demolition; end of lifetime. Colours according to the four framework documents: Risk Assessment, Risk Management, Maintenance Planning, Assessment & Life Ext.)

The framework documents presented in the references are meant to reflect the general level of understanding and are not meant to be a bibliographic overview of the various fields. Therefore it was chosen not to include any reference in these documents, to avoid having to present a very extensive list of references or being biased in the choice of a smaller number. The presentation of references has been left for the accompanying papers in this book, which survey various subject areas.

ACKNOWLEDGEMENTS

The work presented was performed within the EU Project on “Safety and Reliability of Industrial Products, Systems and Structures” (SAFERELNET), (www.mar.ist.utl.pt/saferelnet), which was funded partially by the European Commission under the contract number G1RT-CT2001-05051 of the programme “Competitive Sustainable Growth”. This document has benefited from various comments and suggestions from several project partners while it was being prepared, which are gratefully acknowledged. Special thanks are due to the authors of the four framework documents referenced here, who gave more specific contributions to this document.

REFERENCES

Bucher, Ch., Bolt, H. and Brehm, M. Framework for assessment and life extension of existing structures and industrial plants, Safety and Reliability of Industrial Products, Systems and Structures, C. Guedes Soares (Ed.), Balkema, London, 2010, pp. 53–62.

Guedes Soares, C., Caldeira Duarte, J., Garbatov, Y., Zio, E. and Sorensen, J.D. Framework for maintenance planning, Safety and Reliability of Industrial Products, Systems and Structures, C. Guedes Soares (Ed.), Balkema, London, 2010, pp. 33–52.

Hessami, A.G. Framework for safety and security risk, Safety and Reliability of Industrial Products, Systems and Structures, C. Guedes Soares (Ed.), Balkema, London, 2010, pp. 21–32.

Kragh, E., Faber, M.H. and Guedes Soares, C. Framework for integrated risk assessment, Safety and Reliability of Industrial Products, Systems and Structures, C. Guedes Soares (Ed.), Balkema, London, 2010, pp. 7–20.
Safety and Reliability of Industrial Products, Systems and Structures – Guedes Soares (ed)
© 2010 Taylor & Francis Group, London, ISBN 978-0-415-66392-2

Framework for integrated risk assessment

E. Kragh
COWI A/S, Denmark

M.H. Faber
ETH Zurich, Switzerland

C. Guedes Soares
Instituto Superior Técnico, Technical University of Lisbon, Lisbon, Portugal

ABSTRACT: This framework for integrated risk assessment addresses decision makers and professionals responsible for or involved in establishing decision support. The purpose is to outline the basic premises for the utilization of risk assessment in establishing rational decisions for the benefit of and consistent with the preferences of society or other stakeholders. In this way the framework provides the general philosophy to be followed and points to a best practice in the treatment of the many aspects of this complex problem.

1 INTRODUCTION

Risk assessment is a key element in the decision making process that leads to ensuring safety and reliability of industrial products, systems and structures throughout their lifetime. Risk assessments made in the initial phase of development of system concepts provide very important information to be used in decisions related with the design and construction process.

Risk assessment provides essential information to risk management systems, which aim at ensuring the necessary measures for risk to be properly managed during operation of industrial products, systems and structures. Finally risk assessment is also necessary for risk based maintenance planning and for the risk based reassessment and life extension, which are also essential elements in the operational phase of industrial products, systems and structures.

Therefore the treatment of risk assessment in this document recognizes these interactions and is compatible with the three other framework papers presented here.

The framework for integrated risk assessment is not subject to the boundaries of application areas and countries. The framework is presented with an emphasis on what is considered to be best practice within the group of members of the SAFERELNET project and thus is broadly representative for the member states of Europe.

The development of this framework has been a great challenge as before the project there was no clear basis for the integrated assessment of risks. However, with the combined efforts of the project members it has been possible to identify the basic framework and the major constituents in a way which it is hoped will contribute to improving the quality of risk based decision making in the future.

2 DECISION, RISK AND UNCERTAINTY

Decisions must be based on risk in the meaning of expected benefit, i.e. expected income minus the expected losses. Expected losses must consider consequence in terms of potential fatalities, potential damage to the quality of the environment, as well as potential economic losses.

General decision problems subject to uncertainty expressed in frequentistic and/or subjective terms may be adequately treated within the framework of the Bayesian decision theory. In assessing the risk for a given system attention must be paid to a complete modelling of consequences and probabilities. Consequences must include both direct and indirect consequences and should preferably be assessed in only one common unit, typically a monetary unit. Probabilities must include all uncertainties of relevance for the system and no differentiation in regard to these is relevant for decision making.

When risk assessments are performed for supporting decisions on behalf of society, the perception of risk of individuals is not relevant. Transparency, robustness and documentation of the risk assessment model are essential prerequisites for establishing a rational basis for decision making.
Modelling of risk aversion into the risk assessment should be avoided. Instead the assessment of risks should carefully consider all possible consequences whether they be direct or indirect.

Risk assessment is not considered as a goal in itself but as an intermediate step that contributes to the process of ensuring safety and reliability of industrial products, systems and structures throughout their lifetime. Risk assessments made in the initial phase of development of concepts provide very important information to be used in decisions related with the design and construction process, as well as those related with the operation and maintenance phase, and finally the decommissioning plan.

3 THE INTEGRATED APPROACH TO RISK ASSESSMENT

The term “integrated” in the present context refers to the explicit consideration of the interaction between all relevant agents, i.e. technical and structural elements, nature, humans and organizations, in the assessment of the risks associated with the system considered. Only when an integrated approach is taken to risk assessment can it be ensured that the significant risk contributions originating from the interactions between the different agents are accounted for. In fact any risk assessment not accounting for this interaction must in general be seen as subject to crude simplifications whereby the transparency of the results of the assessment is severely limited. It is advocated to take a holistic perspective to risk assessments also with regard to time. Risk assessments of planned facilities or structures should consider all phases of the future life of a system from the early concept phases to the end of the service life, and including decommissioning.

The integrated approach to risk assessment is furthermore a prerequisite for risk and safety management at all levels. Decision makers at high levels are often responsible for the risks associated with not only one system or activity but for several.
If risk assessments are not performed consistently for the individual systems it is not possible to assess the risks originating as an effect of the portfolio of systems at hand. Furthermore and more importantly it is then also not possible to devise the rational actions of risk control and reduction.

Best current practice of risk assessment in most fields is only a partly integrated approach, however well suited to cover the designated purpose in each case. The methods and techniques used are in general described in the documents prepared in the SAFERELNET work packages 2, 3 and 5. These are also the bases upon which the recommended practice for integrated risk assessment is developed for this framework document. Risk assessment practitioners may therefore not immediately be able to recognize their own perfectly valid best practices in this framework, but will experience the wider perspective of risk assessments as a high level tool for decision support, for example to optimize the societal benefits of a new installation.

Although this is an overall perspective of the document, it also advises how to use the same integrated approach for decisions at lower and more specific levels, for example to optimize the benefits of the owner/developer of a new installation, without compromising the tolerability of the society on risk to humans and environment.

The approach advocated in this framework is new in the sense that it emphasizes the need for a holistic perspective and furthermore describes how to do it. The approach is largely philosophical and methodical and does not depend on the latest development in for example numerical methods and specific techniques for technical investigations. Even though the framework does point to a selection of what is believed to be the best tools for various tasks in risk assessment at present, emphasis is placed on describing the purpose and scope of these tools rather than their procedural characteristics.
In this way it is ensured that future inevitable technological improvement will not result in the framework becoming obsolete.

4 GENERAL METHODOLOGY FOR INTEGRATED RISK MODELING

When a risk assessment is required with the objective of decision making, the first important tasks are to define the system (the nature of the problem in focus) and then the risk model to be used for the assessment. An analysis of the decision problem may be used to reveal at which levels of detail the hazards and uncertainties of interest are visible, and at which levels the effects of the most relevant safety measures are contributing to risk reduction. It is also necessary to assess how complex the risk model needs to be in order to achieve a correct and robust decision. The higher the complexity, the more need for an integrated risk model where the overall system is the issue and where the interaction between natural, technical, structural, human and organizational elements is important for assessing the risk contributions from failure, error and uncertainty.

Whereas the term risk is used in a wide range of meanings including probability, consequences, chance and likelihood, the correct and consistent definition of risk for use in decision problems is the expected utility (or harm, costs and benefit). Typically risk based decisions focus on the adverse effects and in such cases the following formulation is useful:
The risk of a system is a functional measure of predefined adverse effects of system malfunction and their corresponding probability of occurring in the time span considered.

In this definition all relevant causes, preventive and mitigating measures, adverse effects and uncertainties are included.

Any activity possesses a certain risk potential and the way this risk potential is managed in terms of procedural and technical measures will determine the risk which is associated with the activity. If all risks are understood, treated correctly, and controlled they have been reduced to a level which is considered tolerable. However, in practice a very large part of the risk potential may get out of control due to various types of human and procedural factors and therefore these equally need to be taken into account and encompassed by risk treatment measures. The underlying reasons may be lack of knowledge, organizational failure, procedural failure, operational error and typically at the last place technical or structural failure.

The general purpose of an integrated risk assessment is thus:
• to analyse the system itself and its interaction with the surroundings, including humans and organisations, to decide whether or not the risk is tolerable
• to optimise the robustness and the benefit achieved from the system over the lifetime.

In this light the following outlines the basic modelling and procedural aspects of risk assessment (Fig. 1).

4.1 Modelling aspects of risk assessment

In different application areas of risk assessment many rather specific methodologies have been developed and this has had the effect that risk assessments across the boundaries of application areas are difficult to compare and even more difficult to integrate. Numerous procedural schemes for risk based decision making are available but these focus on the process flow of risk assessments rather than on the framework for risk assessment itself.
Moreover, one of the most significant drawbacks of existing frameworks for risk assessment is that they do not sufficiently facilitate and enhance the potential for utilizing evidence and/or indications of evidence in the assessment of risks.

Here it is advocated to utilize a generic and Bayesian framework for risk assessment facilitating a full utilization of risk indicators. This will make the assessment a dynamic tool supporting a rational treatment of risks throughout the life of the facility or structure.

The hazards to the system are represented as different adverse events acting on the elements of the system. The elements of the system can be considered as the first defence of the system in regard to the exposures. The damage to the system caused by failure or malfunction of the elements is considered to be associated with direct consequences. Direct consequences may comprise different attributes of the system such as monetary losses, loss of lives, damage to the quality of the environment or just changed characteristics of the elements. Certain combinations of failure or malfunction and their corresponding consequences may cause escalation or consequential losses to occur. These consequential adverse effects may be significant and should be included in the risk model.

The vulnerability of a system is related to the direct consequences caused by the damage to the elements of a system for a given hazard event. The damage to the elements of a system represents the damage state of the system. In probabilistic terms the vulnerability of a system is defined through the conditional probability of all possible direct consequences given an exposure event.

The robustness of a system is inter alia related to the ability to sustain a given damage state subject to the prevailing exposure conditions and thereby limit the effects to the direct consequences.
It is of importance to note that the indirect consequences for a system not only depend on the damage state but also on the exposure of the damaged system. When the robustness of a system is assessed it is therefore necessary to assess the probability of indirect consequences as an expected value over all possible damage states and exposure events. A conditional robustness may be defined through the robustness conditional on a given exposure and/or a given damage state.

In a Bayesian framework for risk based decision making such indicators play an important role. Consider the risk assessment of a load bearing structure, where risk indicators are, for example, any observable quantity which can be related to the loading of the structure (exposure), the strength of the components of the structure (vulnerability) and the redundancy, ductility, effectiveness of condition control and maintenance (robustness).

Figure 1. Risk treatment will only cover part of the potential hazards. (Diagram labels: Safety through risk treatment; Accepted risks; Hazards due to human errors; Objective hazard potential; Objectively known; Subjectively realised; Taken into account; Risk treatment measures; Adequate measures; Correctly implemented measures; Not realised; Neglected; Not known; Not adequate; Wrong; Accepted risk.)

This framework may be applied to elements, sub-systems and the system as a whole; thereby the framework also facilitates a hierarchical approach to risk assessment. The definition of the system in this context is very significant and linked to the definition of exposure, vulnerability and robustness. The risk assessment framework allows for utilization of any type of quantifiable indicators with regard to the exposure, vulnerability and robustness of the considered system. Due to the hierarchical structure of the risk assessment, the framework is greatly supported, in terms of conditional events, by modern risk assessment tools such as Bayesian Probabilistic Nets and Influence Diagrams.

If the risk modelling has been performed appropriately, risk indicators will in general be available for what concerns the exposure to the system, the vulnerability of the system and the robustness of the system.

4.2 Procedural aspects of risk assessment

The process for conducting risk assessments is here represented in a generic format, which is largely independent from the application, for example, independent of whether the risk assessment is performed in order to document that the risks associated with a given activity are acceptable or to serve as a basis for a management decision.

A risk assessment will include the following steps (Fig. 2):
1. Definition of context
2. Identification of risks and hazard scenarios
3. Analysis of effects and consequences
4. Analysis of causes and causal relations
5. Assessment phase
6. Evaluation and risk reduction
which are briefly described in the following.
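The exposure, vulnerability and robustness decomposition of section 4.1, with one risk indicator updating the assessment by Bayes' rule, worked through as an added example that is not part of the original chapter. All probabilities and consequence values, the two condition hypotheses ("sound", "degraded"), the inspection indicator and the tolerable level are constructed assumptions.

```python
"""Risk as expected consequence, split into exposure, vulnerability and
robustness, with a Bayesian update from one risk indicator.
All numbers are constructed for illustration; the monetary unit is arbitrary."""

# Exposure: probability of each hazard event in the time span (one year).
EXPOSURE = {"moderate_load": 0.05, "extreme_load": 0.005}

# Direct consequence of each damage state and the indirect consequence of
# escalation, all expressed in one common monetary unit.
C_DIRECT = {"none": 0.0, "local": 2.0e5, "severe": 3.0e6}
C_INDIRECT = 5.0e7

# Vulnerability: P(damage state | exposure). Assumption: the structure is
# either "sound" or "degraded", and each hypothesis has its own table.
VULNERABILITY = {
    "sound": {
        "moderate_load": {"none": 0.98, "local": 0.019, "severe": 0.001},
        "extreme_load": {"none": 0.70, "local": 0.25, "severe": 0.05},
    },
    "degraded": {
        "moderate_load": {"none": 0.90, "local": 0.08, "severe": 0.02},
        "extreme_load": {"none": 0.40, "local": 0.40, "severe": 0.20},
    },
}

# Robustness: P(escalation to indirect consequences | damage state, exposure).
ESCALATION = {
    "moderate_load": {"none": 0.0, "local": 0.01, "severe": 0.10},
    "extreme_load": {"none": 0.0, "local": 0.05, "severe": 0.40},
}

# Risk indicator (assumed): an inspection that may report cracking.
P_FIND = {"sound": 0.05, "degraded": 0.80}  # P(cracks reported | condition)
PRIOR_DEGRADED = 0.10
TOLERABLE = 20000.0  # assumed decision criterion: expected loss per year


def risk(vulnerability):
    """Return (direct, indirect) expected loss for one vulnerability table,
    summed over all exposure events and damage states."""
    direct = indirect = 0.0
    for exposure, p_exposure in EXPOSURE.items():
        table = vulnerability[exposure]
        if abs(sum(table.values()) - 1.0) > 1e-9:
            raise ValueError(f"P(damage | {exposure}) does not sum to 1")
        for damage, p_damage in table.items():
            p_state = p_exposure * p_damage
            direct += p_state * C_DIRECT[damage]
            indirect += p_state * ESCALATION[exposure][damage] * C_INDIRECT
    return direct, indirect


def posterior_degraded(prior, cracks_reported):
    """Bayes' rule: P(degraded | inspection outcome)."""
    def likelihood(condition):
        p = P_FIND[condition]
        return p if cracks_reported else 1.0 - p
    evidence = prior * likelihood("degraded") + (1.0 - prior) * likelihood("sound")
    if evidence == 0.0:
        raise ValueError("inspection outcome has zero probability under the model")
    return prior * likelihood("degraded") / evidence


def expected_risk(p_degraded):
    """Total risk (direct + indirect) averaged over the condition hypotheses."""
    weights = {"sound": 1.0 - p_degraded, "degraded": p_degraded}
    return sum(w * sum(risk(VULNERABILITY[c])) for c, w in weights.items())


if __name__ == "__main__":
    for condition in ("sound", "degraded"):
        d, i = risk(VULNERABILITY[condition])
        print(f"{condition:9s} direct={d:9.1f} indirect={i:9.1f}")
    for label, p in (
        ("prior", PRIOR_DEGRADED),
        ("cracks reported", posterior_degraded(PRIOR_DEGRADED, True)),
        ("no cracks", posterior_degraded(PRIOR_DEGRADED, False)),
    ):
        r = expected_risk(p)
        verdict = "tolerable" if r <= TOLERABLE else "not tolerable"
        print(f"{label:16s} P(degraded)={p:.3f} risk={r:9.1f} -> {verdict}")
```

With these constructed numbers the indirect consequences dominate the total, and a single positive inspection finding moves the assessment from below to above the assumed tolerable level.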
5 DEFINITION OF CONTEXT

If the risk of a system under consideration is well known in all relevant aspects, then it is possible to set requirements that shall be fulfilled for the system to be considered safe or reliable. This means that all significant uncertainties have been taken into account. If this has been done, and compliance is demonstrated, then there will be no need for a risk assessment.

If the risk of a system under consideration is well known in all relevant aspects, but no specific requirements have been set, it will be possible to define a tolerable risk level. A risk assessment shall then demonstrate that the risk is below this level. Setting the risk level may be an issue for discussion, but after that issue has been solved, the risk assessment may be used for deciding which additional risk reducing measures and/or safety barriers shall be applied until the risk is tolerable.

Figure 2. The steps of a risk assessment and the link to risk assessment.

In many real life situations, the risk of a system under consideration is not well known in all relevant aspects. The causes of possible event sequences leading to different adverse effects may be interconnected in complicated ways. They may be difficult to identify and quantify, because both failures in technical systems, for example process equipment, and errors by persons may be affected
by organizational and environmental factors, which are not easy to model.

It is for these latter situations that the real challenge of the risk analyst lies. The risk assessment must give a total picture of the risks and the associated uncertainties related to knowledge, modelling and failure data.

It is therefore imperative to realize what type of decision the risk assessment is supposed to support:
• Who are the stakeholders and decision makers, their background and tolerability levels
• How well are the risks known
• How do risk contributors interfere with each other
• How well can the risk be modelled (both probabilities and effects)
• Are relevant data available, or must many of them be judged by experts
• Which aspects of the risk assessment must be communicated to the decision maker?

Some degree of consensus on these topics should be reached before the risk assessment context is defined as described below.

5.1 Definition of system and scope

The physical boundaries of the system shall be defined, together with the operational limitations and the time span to be considered, for example from perception to decommissioning, or just during normal operation and maintenance. Some check of how situations outside the scope of the risk assessment are considered should be made, in order to be able to include from the start what is really relevant.

It is important to define the system with due consideration of all relevant interrelations between human, organizational and technical aspects. The system modelling will have an important impact on the level of detail in the risk analysis and this aspect should be addressed in the system description.

The risks of an industrial activity can be assessed by only considering the relevant technical installations, whereas the system analysis is the main scope of the integrated risk assessment process.
As a system is also characterized by its organization, it is necessary to include the organizational factors within its definition boundaries, and consequently in the model used in order to analyze the system.

5.2 Definition of effects of concern

Relevant effects may include loss of lives, adverse exposure, contamination, costs, delays, collapse, collisions etc. where one effect may depend on the outcome of another. Often it is relevant to consider more than one type of effect. If possible the effects of relevance should be combined into a common utility measure (e.g. cost), thus providing the basis for rational decision making. The risk model must be developed to give a clear picture of the probability of each effect and the way they are interrelated.

In principle both positive and adverse effects may be the scope of a risk assessment, thereby optimizing the utility of the system; adverse effects are counted as negative.

5.3 Decision criteria

It is important to set the decision criteria. This includes the specification of the tolerable level with regard to economic risks, the risk to personnel and the risk to the environment. In setting the criteria, which might be considered a decision problem itself, due account should be taken of both international and national regulations in the considered application area.

These criteria will enable the analysis team to include recommendations of risk reducing measures and describe their effects and uncertainties.

Decision criteria may also define the limits of concern for the risk assessment, i.e. how low must the probability be to be considered negligible (or broadly acceptable), and what probability is considered intolerable. These limits may be different for each effect considered.

6 IDENTIFICATION OF RISKS AND HAZARD SCENARIOS

This phase is the most important part of any risk assessment and the result is the basis of the risk model.
The system is analyzed with regard to how direct and indirect damage may occur as a consequence of the different exposures. Three steps are generally used:
• Decomposition of the system into a number of causally or otherwise logically connected elements representing technical and structural objects, human actions, operations, interfaces between organizations, etc. This decomposition will form the basis for the risk model, the analyses of consequences, the numerical assessments and the further treatment and management of risks.
• Identification of all relevant exposures, and their uncertainties, acting on the elements and the corresponding damage and failure. This step shall wherever possible be based on experiences from similar systems and information from records of failures or near-misses of similar kinds of system elements.
• Identification of how the damage and failure identified may induce direct consequences, and how it may cause escalation, domino effects in the system or have subsequent consequences.

A lot of experience is built into the various methods for risk/hazard identification, and the key factors for quality are:
• The preparation of the process
• The knowledge and experience of the team doing the job
• The systematic approach, including follow-up of unsolved questions.

7 ANALYSIS OF EFFECTS AND CONSEQUENCES

The result of the identification phase is a list of more or less complex situations, which may have a potential for one or more of the adverse effects defined to be of concern. This could for example be loss of containment, causing a release of a hazardous substance. The analysis in this phase then includes the modelling of the potential consequences to persons or the environment, which may be exposed to the toxicity, or to the fire in case of ignition. It also includes the conditional probability of the adverse scenario developments, such as toxic or flammable gas dispersion in a certain direction and to a certain distance, that an ignition source is present, if a person is present, the effects of a fire on exposed persons and equipment (vulnerability), and any possible progressive effects etc. In addition the effects of contingency measures applied shall be included in the analysis, as well as the effects of the human and organizational factors on the probability of successful mitigation. Those scenarios where the risk potential is considered to be significant should then be subject to the further analyses of causes and causal relations in the next phase.

8 ANALYSES OF CAUSES AND CAUSAL RELATIONS

Depending on the scope of the risk assessment, the availability of relevant data, the complexity of the risk or hazard scenarios, and the potential for significant consequences, the causes of the scenarios shall be analysed in more or less detail.
When this has been done, all details for the risk model have been determined.

Back to basics, all causes are natural, as man is part of nature, as all systems are designed, made, operated and maintained by persons, and as organizations, which fail, are made up by persons as well. It is therefore essential that the analysis of causes tracks back from any apparent technical issues to the underlying human influences (Fig. 3).

In the analysis of causes, such human factors are however categorized in manageable groups, for which some experience or failure data exist or may be deduced by expert judgment. How to model the interrelationship between the groups is a major challenge in an integrated risk assessment. Bayesian probabilistic nets are well suited for a consistent treatment of complex systems, but also barrier diagrams may be used, if a semi-quantitative approach is sufficient. Techniques for risk analyses are introduced in other papers of this book.

Lessons learnt from past accidents in very complex systems, for example in process plants, have shown that there are always organizational dynamics. It is therefore important to analyze in a systematic way such dynamisms in order to promote and encourage some useful organizational changes that might prevent the occurrence of disasters. A further step should be a possible assessment for such aspects that strongly interact with the technological and design features that are normally considered in a risk assessment.

Human errors in organizations are mistakes “socially organized and systematically produced”.
Accidents, in very complex organizations, are not likely to occur for one cause only, but often find their origins in unpredictable interactions of many events, none of which alone could possibly determine the occurrence of an accident.

The phases in integrating these factors in the risk assessment consist of: (a) identifying human error potentials and assessing their strength and effects for the system (this will involve so-called active errors committed typically by frontline staff); and (b) identifying the impact of organizational (or performance shaping) factors on the likelihood that active errors will occur.

Figure 3. Categorization of factors with risk influence.
• External factors (largely outside the control of the organization): Legislation; Regulation; Market/competition; Public/the press; Owners; Suppliers
• Organizational factors (largely controlled by the organization): Safety culture; Procedures; Training/recruitment; Learning; Task allocation; Equipment/HMI
• Individual and team factors: Knowledge; Skills; Motivation; Compliance/violations; Safety commitment; Teamwork
• Risk and actual safety outcomes: Unsafe acts; Near misses; Incidents; Accidents

8.1 Analysis of human errors

Determining human risk contribution to a system involves identification of the tasks that may fail with respect to given work goals. Task analytical techniques seek to analyze a given overall task by decomposing this (in a highly structured, and possibly hierarchical, format) into the steps that must be carried out for a certain activity to be successfully completed.

The probability of failure of the individual steps is determined by the nature of the task (e.g. monitoring a level indicator, inspecting a rail track for foreign objects) in the given work context and by the conditions, that is organizational factors often referred to as Performance Shaping Factors (PSF), under the direct or indirect control of the organization responsible for the system under analysis.

8.2 Analysis of organizational factors

Organizational factors are largely under the control of the individual organization responsible for operations (or for the phases of the life-cycle of the system currently targeted). They may be divided into structural factors and safety culture (safety climate) factors.
Structural factors are rules and routines that govern the strategic and day-to-day operations: Recruitment and training of staff; definition and maintenance of operating procedures and guide- lines; learning from experience including reporting and feedback after all risk relevant events; equip- ment; definition and implementation of HMI (Human-Machine Interface) guidelines; distribu- tion of tasks, shifts, manning levels. In contrast, safety culture and climate concerns the manner in which the procedures, guidelines and routines are implemented, the interpretation and understand- ing of these and the commitment with which they are enforced and followed. Safety culture concerns the mostly tacit and slow-to-change norms and beliefs that are shared among members of an organization, and safety climate refers to the more explicit, more changeable attitudes and perceptions. Safety culture and safety climate may be assessed via interviews and dedicated questionnaire-based surveys and structural factors may be assessed in terms of safety audits that use a range of safety management survey (audit) techniques. 9 ASSESSMENT PHASE The comprehensive risk model now established shall be used for assessing the risks, and if neces- sary for identification of additional risk reducing measures. 9.1 Qualitative categorization Assessing the significance of risk contributions may be a qualitative process using one, two or three dimensional categorization: A utility measure (combining all effects) such as cost may be one- dimensional, a probability/consequence matrix is two dimensional, and the differentiation on effect types of the probability and the magnitude/ severance of effect will be three dimensional. 
9.2 Quantification of risk contributions

Even if the defined criteria for the risk assessment are not quantitative, a certain amount of quantification will normally be necessary in order to check if there is a risk at all, to illustrate the order of magnitude and/or for comparison purposes. This could for example be the calculation of distance to a certain damage effect (e.g. death with a probability of 1% or 50%), the estimation of frequency of a certain failure type, or the reliability of a certain safety measure.

If the criteria are strictly quantitative, all relevant risk contributions should be assessed by the severity of the effect and the corresponding probability over the time span considered. The quantification should be well defined and transparent, and all data used should be traceable.

The assessment of the probabilities may be based on different approaches depending on the type of component/sub-system and the information available on its performance. For electrical systems or process equipment where significant amounts of information are available, the failure probabilities may be assessed on the basis of observed failure rates. If there is no available information on failure rates, methods of structural reliability theory and of estimating the effect of human and organizational factors are suggested for the assessment of failure probabilities. As a last resort an expert judgment may be used.

A consistent treatment of uncertainties shall be aimed at, which may also be more or less quantified. The purpose is to give the decision maker and the stakeholders a realistic picture of the risk contributions and the amount of confidence to place on the numeric values.

9.3 Sensitivity

The scope of the risk assessment may define some limits of basic parameters of the system, or the risk analyst may use the variation of certain of the parameters to describe the robustness of the risk picture arrived at. By varying critical parameters within their ranges, the risk contributions will change, and this will show the sensitivity to these parameters. Critical parameters may be some of the more uncertain data used in the assessment, but they may also be different modes of using the system during the time span considered, e.g. the manning level of an offshore installation or the land use around a refinery.

The sensitivity analysis may include studies of “what if” situations for the evaluation of the importance of various system simplifications performed under the definition of the risk model. This may extend to consideration of changes in external influences on businesses which impact on different aspects of the organization with knock-on effects for human practices and performance. In this way the robustness of the analysis may be assessed, but possible ways of reducing the risks by modification of the model or the system itself, or the performance of its components, may also be investigated.

10 EVALUATION AND RISK REDUCTION

10.1 RAC and ALARP

The result of the risk assessment is compared with the criteria defined for the system, see the section on risk acceptance later in this paper. Risk Assessment Criteria (RAC) may be qualitative or quantitative, giving the level of risk tolerability and the level of acceptable risk, between which the ALARP criterion will often apply. If the risk is shown to be higher than tolerable, the system may only be acceptable if risk reduction is applied to bring it below the criterion. The ALARP criterion expresses that the risk shall be As Low As Reasonably Practicable.
This means that risk reduction shall be applied unless the inconveniences or the costs involved are grossly disproportionate to the beneficial effect to be achieved.

10.2 Risk reduction measures

If the risk level cannot be accepted in accordance with the specified risk acceptance criteria there are principally four different ways to proceed:

Risk reduction: Risk reduction may be implemented by reduction of both the consequences and their probability, or of either of these alone—in practice risk reduction is normally performed by a physical modification of the considered system, for example by improvement of the behavior of equipment and structures during accidental events.

First priority should be given to the prevention of hazard scenarios. If total prevention is not feasible, detection and control measures should have priority over mitigation and emergency response measures.

If the ALARP criterion is applicable, a systematic approach should be used to identify and assess the feasibility and cost/benefit of risk reducing measures. Basically the same team as for the risk identification phase should be involved in this phase of the risk assessment.

Risk mitigation: In essence risk mitigation is implemented by reducing the probability of the occurrence of the hazard scenario, in practice by modification of the system. The risk of corrosion damage in concrete structures may, for example, be mitigated by the use of non-corrosive reinforcement.

Risk transfer: Risk transfer may be performed by, for example, insurance or other financial arrangements where a third party takes over the risk. Therefore risk transfer is normally associated with a cost. Risks not related to cost consequences are normally not transferable.

Risk acceptance: As a last option, if the risks do not comply with the risk acceptance criteria and if other approaches for risk treatment are not effective, risk acceptance may be an option.
This may, for example, be the case when considering unacceptable economic risks and where the costs of risk reduction and/or risk mitigation or transfer are higher than the desired risk reduction. Continued operation of ageing facilities with a high societal utility is an example. Risk acceptance may normally not be pursued when risks to humans are not tolerable without fulfilling specific requirements of regulations, and if so, then usually only for a limited period of time.

11 USE OF THE RISK ASSESSMENT

11.1 Monitoring and review

During the process of risk assessment many assumptions are normally made. These assumptions may be of technical, operational or analytical nature. It is necessary to ensure that these assumptions are fulfilled over the time span considered, i.e. some kind of inspection, review and monitoring is needed. This is typically an element of the safety (or risk) management system applied.
The risk assessment is a living process involving constant feedback of information from the considered system.

11.2 Total picture for decision support and risk management

The risk assessment is documented in a report with the purpose of communicating the total risk picture of the system in a way that is understood by the decision makers and by those responsible for implementation of the risk management system. If necessary a non-technical summary should be made in order to communicate the result to other stakeholders.

Important key qualifications of a proper risk assessment and the resulting report are as follows: The risk assessment will have to be systematic, consistent and transparent, and well-experienced personnel of the operator/owner organisation need to be involved in the process. Furthermore the assessment must be update-able, and risk reduction measures and safety barriers will have to be visible. Finally an independent review of the risk assessment will have to be made.

12 TECHNIQUES FOR INTEGRATED RISK ANALYSIS

A large number of techniques for risk analysis have been developed in different application areas and industries. Many of these have been developed since the 1960s due to increased focus on safety, environment and optimal decision making in economics; however, some of the techniques have a far older origin. The techniques can be categorized in the classes (Fig. 4):
• System definition
• Hazard identification
• Overall system modelling
• Component/element analysis
• Analyses of effects and impacts.

In the following sections risk analysis techniques appropriate for the different risk assessment needs and steps are discussed.

12.1 Techniques for system definition and hazard identification

Before any identification and subsequent analysis and assessment of the risks to a system can be defined, the system and its states must be defined.
By system not only is the technical system meant, but also the relevant part of the world interacting with the system in some way and which must be taken into consideration in the various parts of the risk analysis. Generally the definition of systems including exposures, system constituents, logical or causal interrelations between constituents, damage and failure states of constituents and finally consequences is best carried out by multi-discipline teams.

The system definition can best be seen as a preliminary hazard identification and analysis which serves the purpose of defining the relevant system and its boundary. The basic requirement for doing this is physical understanding of the system. This understanding can—over and above general and overall hazard identification techniques—be built on overall statistical modelling, with hypothesis testing, as well as on data-mining. For the identification of relevant exposures, constituents, logical interrelations between constituents and consequences, it is important that experienced personnel are available covering all relevant aspects of the problem.

Then the detailed and systematic hazard identification studies are carried out by multi-discipline teams, where all the team members’ observations and comments are recorded to form a basis for the risk assessment, or in a less structured way by groups in brainstorm type sessions. Dependent on industry the techniques may make use of certain sets of guide words or other means of ensuring a more or less systematic identification of all hazards. The key point of hazard identification is the systematic approach.

12.2 Techniques for overall system modelling

The techniques for risk assessment of the overall system vary in complexity and range from purely qualitative techniques to fully quantified techniques including uncertainties. Some techniques provide for an integrated assessment of probabilities/frequencies and consequences whereas others focus on one or the other. Approaches also differ in the extent to which technical and human performance factors are considered and combined.

Figure 4. Phasing of risk analysis techniques. (Boxes in the figure: Hazard identification; Assessment of system frequencies; Assessment of system consequences; Overall system model; Detailed/Dedicated assessments of subsystems or components; Definition of system and states.)

The most frequently used quantitative techniques for risk assessment, including assessment of consequences and probabilities, are fault and event tree analyses or some variety of these techniques such as the barrier diagrams. These techniques, however, all imply a deterministic relation between events/faults/causes and are therefore not able to reflect the uncertainty in the relations (the strength of relations). Therefore, these are not ideal as a basis for decision making subject to uncertainty.

Bayesian Probabilistic Nets are considered the most capable all round tools for integrated risk assessment purposes. The Bayesian net provides a probabilistic approach combining the causal structure of the fault trees with uncertain causal relations, resulting in a joint probability distribution of the entire system of causes and consequences. The probability distribution can be updated based on collected evidence. Furthermore, the Bayesian nets can be extended to influence diagrams calculating the expected utility of alternative actions.

12.3 Techniques for detailed/dedicated risk assessment of subsystems and components

The techniques for detailed or dedicated assessment of the probability/frequency of specific components are many and the techniques are generally related to specific types of components. The assessed reliabilities generally form the basis for a specific entry in the overall system model and thus can be used where data is not directly obtainable or where new information needs to be combined with the a priori information available. Often dedicated assessments are made with respect to human and organizational factors, structural reliability etc.
However, subsystems and individual constituents can in some cases, depending on their nature, also be analyzed using the techniques applicable for the overall system.

12.4 Techniques for analyses of effects and impacts

Models for estimating the possible consequences to humans, the environment and assets following an accident, for example loss of containment of hazardous materials, are very well developed for specific applications. Although this part of the risk analysis is of utmost importance for systems with handling of materials that are hazardous to persons and the environment, reference is made to the literature on consequence calculations related to process safety. Of these, only effects of fire and explosion were the subject of a specific task in the SAFERELNET project.

The risk assessment uses the results of the suite of calculations and probability estimations related to, for example, the release rate and composition, the dispersion of gas and toxic components, the toxic effects, the ignition probability, the fire types, the heat radiation, the explosion pressure, the explosion effects, and the probabilities of collision and collapse.

These techniques should also be used for risk reduction by improving the behaviour of equipment and structures during accidental events (and/or the utilization of their already built-in robustness), thereby preventing accidents and escalation of accidents.

13 RISK ACCEPTANCE AND OPTIMIZATION

13.1 Risk criteria for decisions

Risk assessment may be used for ranking of optional decisions and activities in a consistent manner according to the expected utility (harm, costs or benefits). Based on this the preferred decisions can be recommended from an overall point of view. However, it is just as important that the risk assessments are used to check whether a given activity is tolerable or if it may be justified to take further measures to reduce the risk. The anchor points for such a method are risk criteria.
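The contrast drawn in Section 12.2 between a deterministic fault tree and a Bayesian net, and the expected-utility ranking of alternative actions described in Sections 12.2 and 13.1, worked through as an added example that is not part of the original paper. The node names, every probability, the action costs and the loss value are constructed assumptions, and the noisy-OR gate is one common way to encode an uncertain causal relation, chosen here for illustration.

```python
from itertools import product

def noisy_or(strengths, leak=0.0):
    """P(effect=1 | parents): each active cause triggers the effect with its own strength."""
    def p_true(parent_states):
        q = 1.0 - leak
        for strength, active in zip(strengths, parent_states):
            if active:
                q *= 1.0 - strength
        return 1.0 - q
    return p_true

class BayesNet:
    """Binary Bayesian net with exact inference by enumerating the joint distribution."""
    def __init__(self):
        self.nodes = []  # (name, parent names, function parent_states -> P(node=1))

    def add(self, name, parents, p_true):
        self.nodes.append((name, tuple(parents), p_true))

    def joint(self):
        names = [name for name, _, _ in self.nodes]
        for states in product((0, 1), repeat=len(names)):
            world = dict(zip(names, states))
            p = 1.0
            for name, parents, p_true in self.nodes:
                pt = p_true(tuple(world[x] for x in parents))
                p *= pt if world[name] else 1.0 - pt
            yield world, p

    def prob(self, query, evidence=None):
        """P(query | evidence), both given as {node: 0 or 1}."""
        evidence = evidence or {}
        num = den = 0.0
        for world, p in self.joint():
            if all(world[k] == v for k, v in evidence.items()):
                den += p
                if all(world[k] == v for k, v in query.items()):
                    num += p
        if den == 0.0:
            raise ValueError("evidence has zero probability under the model")
        return num / den

def build_model(p_human=0.02, p_sensor=0.01, s_human=0.5, s_sensor=0.8):
    """Constructed two-cause model; all numbers are illustrative assumptions."""
    net = BayesNet()
    net.add("human_error", [], lambda _: p_human)
    net.add("sensor_fault", [], lambda _: p_sensor)
    # Diagnostic alarm: fires on 90% of sensor faults, 5% false-alarm rate.
    net.add("alarm", ["sensor_fault"], lambda ps: 0.9 if ps[0] else 0.05)
    # Uncertain causal relations: a cause leads to the top event only with its strength.
    net.add("top_event", ["human_error", "sensor_fault"], noisy_or([s_human, s_sensor]))
    return net

def fault_tree_or(p_human=0.02, p_sensor=0.01):
    """Deterministic OR gate: any basic event always causes the top event."""
    return 1.0 - (1.0 - p_human) * (1.0 - p_sensor)

# Alternative actions: (cost, changed basic-event probabilities); constructed values.
ACTIONS = {
    "do_nothing": (0.0, {}),
    "operator_training": (3000.0, {"p_human": 0.01}),
    "redundant_sensor": (6000.0, {"p_sensor": 0.001}),
}
LOSS_IF_TOP_EVENT = 1_000_000.0  # assumed monetary consequence of the top event

def expected_utility(action):
    """Influence-diagram style utility: minus (action cost + expected loss)."""
    cost, changes = ACTIONS[action]
    p_top = build_model(**changes).prob({"top_event": 1})
    return -(cost + p_top * LOSS_IF_TOP_EVENT)

def best_action():
    return max(ACTIONS, key=expected_utility)

if __name__ == "__main__":
    net = build_model()
    print("fault tree P(top)    :", round(fault_tree_or(), 5))
    print("Bayesian net P(top)  :", round(net.prob({"top_event": 1}), 5))
    print("P(top | alarm)       :", round(net.prob({"top_event": 1}, {"alarm": 1}), 5))
    print("P(human_error | top) :", round(net.prob({"human_error": 1}, {"top_event": 1}), 5))
    for name in ACTIONS:
        print(f"EU({name}) = {expected_utility(name):.0f}")
    print("preferred action:", best_action())
```

Setting both strengths to 1.0 in build_model reproduces the fault tree result, which shows the deterministic gate as the limiting case of the probabilistic one.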
Different decisions will imply different risks and benefits. The representation of risk in terms of expected utility facilitates decisions corresponding to the preferences of the decision maker. Decisions which do not yield a positive expected utility should not be taken. Optimally the decision yielding the largest expected utility/benefit is selected, but there could be constraints on the optional decisions which are not explicitly included in the formulation of the utility function. In these cases not all feasible decisions may be acceptable or even tolerable.

In normative decision making, for example, on behalf of a society, the issue of interest is to be able to identify the decisions which to the greatest extent fulfil the preferences of society. In such situations the opinion of individuals or groups of individuals is not of immediate interest. What is often seen is that societal decisions diverge from rational principles of normative ones in order to fulfill personal or political incentives. Whereas such behavior is often observed in society, it may implicitly lead to a distribution of the resources of society which is suboptimal and non-ethical. It is believed that this fact is not correctly appreciated by decision makers at all levels in society and further information and training is required.

Risk criteria can be considered as a special form of general decision criteria which can be classified under three “pure” types:
1. Utility based criteria—which involve decisions that are based on the valuation of outcomes, i.e. on the comparison in monetary terms of the benefits obtained by adopting a particular risk prevention measure and the cost of introducing it.
2. Rights-based criteria—are not primarily concerned with outcomes. Their concern is with process and allowed action or activities. An extreme example of this type is the “zero risk” criterion which says: independent of the benefits and costs, and of how big the risks are, eliminate, or do not allow the introduction of the risk. This type is typical for risk to humans.
3. Technology-based criteria—require the use of the “best available technology” (or the best current practice) for the acceptable risk reduction or prevention. This type is widely used in environmental regulations.

Utility based criteria can involve a balancing of benefits and cost (in deterministic or probabilistic cost-benefit analysis), or cost effectiveness can be taken into account when the value of benefits cannot be estimated (Fig. 5). The bounded cost criterion deals with allocating the given resources to achieve the maximum risk reduction, while the multi-attribute utility criterion involves choices between options with different attributes which in general may not be scalable (i.e. on some occasions it may be possible to convert each attribute to an equivalent monetary value).

13.2 Utility based risk optimization

Technology based criteria may require qualification of terms “current” and “best available” due to rapid changes in technology, and therefore “at affordable cost” is often added, bringing this type of criterion closer to utility based criteria.
It may be interesting to note that all the decision criteria are intended to be used for quantitative comparisons of decision alternatives. Once the risk quantifications are performed, any comparison with decision making criteria is, in principle, straightforward.

According to the decision theory it is a prerequisite that the risk assessments include and treat all types of uncertainties in the same manner. Otherwise, the decision analysis will be informal and might lead to bad decisions.

It is sometimes argued that existing risk criteria as listed in the foregoing are overly technocratic, putting focus on the process of performing complicated numerical evaluations of risk and neglecting or suppressing the philosophical aspects of the decision situation. However, it will always be desirable to establish a correct and rational basis for decision making and this should always be the aim.

It is not the task of the decision maker to establish or understand the details of such a basis for decision making on his own but rather to appreciate the significance of any underlying assumptions and the robustness of the decisions.

13.3 Risk criteria for human safety

In terms of the philosophical framework, most of the safety risk criteria are a mix of the “bounded or constrained risk” model and the “deterministic cost-benefit” model, with the As Low As Reasonably Practicable (ALARP) principle representing the latter element, and the tolerability limit the former (Fig. 6). It should be noted that the demonstration of ALARP is the basis of safety legislation in the UK; however, there is a tendency in the EU to mimic this approach by requiring risk reduction based on cost-benefit analysis.

Figure 5. Utility based risk optimization. (Labels in the figure: Utility/Benefits; Decision alternatives increasing safety; Feasible decisions; Tolerable decisions; Acceptable decisions; Optimal decision.)

Figure 6. The ALARP principle. (Regions in the figure:)
• Unacceptable region: Risk cannot be justified save in extraordinary circumstances.
• The ALARP or Tolerability region (risk is undertaken only if a benefit is desired): Tolerable only if risk reduction is impractical or if its cost is grossly disproportionate to the improvements gained; Tolerable if cost of reduction would significantly exceed the improvements gained.
• Broadly acceptable region (No need for detailed working to demonstrate ALARP): Necessary to maintain assurance that risk remains at this level.
• Negligible risk.
13.4 The ALARP principle

In general it seems logical to assume that there is a level of risk so high that in normal circumstances activity is not pursued, i.e. the risk is not tolerated. It can also be assumed that there is a level of risk regarded as insignificant which is readily accepted by people and regulators without searching for further reduction. The region between these two levels of risk is often called the “tolerability region” and this is the focus of most of the criteria. It is in this region that ALARP has to be demonstrated in the UK.

‘Tolerability’ does not mean ‘acceptability’. It refers to a willingness to live with a risk so as to secure certain benefits and in the confidence that it is being properly controlled. To tolerate a risk means that we do not regard it as negligible or something we might ignore, but rather as something we need to keep under review and reduce still further if and as we can. For a risk to be ‘acceptable’ on the other hand means that for purposes of life or work, we are prepared to take it pretty well as it is.

13.5 Societal preferences for investments into life saving

In a society with limited resources there is an urgent need to establish a basis for deciding how and how much of the available resources should be allocated for life saving activities.

Within the last decade a philosophically founded mathematical framework has been formulated and empirically verified which allows for the assessment of the preferences of a given society for investments into life saving. The idea underlying the framework is the use of a Life Quality Index (LQI) encompassing the behavior of all individuals on an average scale, in terms of suitable societal indicators such as the gross domestic product per capita, the life expectancy and the time spent earning a living. The LQI in this way is comparable to the UN Human Development Index.
The LQI implicitly describes the large scale preferences of the individuals in society and, as it also relates the economic capability of a society with life expectancy, it is possible to derive from the LQI how much a given society implicitly values life.

Due to the character of the LQI it is obvious that its use results in different optimal investments into life saving activities for different societies. Based on the concept of the LQI it is possible to include the monetary consequence of loss of human lives for a society directly into engineering decision making such as, for example, optimal life-cycle benefit based design and maintenance.

13.6 Tolerability limits

Determination of tolerability limits is based on risk perception and the adopted approach to risk management (goal setting or prescriptive). The following approaches can be distinguished:
• In the UK tolerability limits have been derived from observations of the way people instinctively react to different levels of risk in the absence of any understanding of quantity. This approach implicitly mixes up the premises for normative decision making with the personal preferences of the decision maker, involving human reactions and choice. The tolerability region in the UK is three orders of magnitude wide and most of the industrial activities are positioned somewhere in the middle. This means that the tolerability limits in the UK are not used as instruments of primary control, but the ALARP dynamic is relied upon to bring down the risk. Besides forcing reasonable measures for risk reduction, ALARP is associated with cost-benefit calculations based on the cost of averting a fatality, the Value of Statistical Life (VOSL) or Social Value of a Statistical Life (SVSL) which may all be derived from the Life Quality Index principle.
• Imposing risk reduction by means of tolerability limits which also represent a risk “target”. This also means allowing increase in risk up to the tolerability limit which is obviously set fairly low. This is the situation in the Netherlands.
• There are proposals to evaluate “necessary, affordable and efficient” tolerability limits based on the country’s Gross Domestic Product (GDP), the life working time, the life quality index, etc. The lower limit in this case corresponds to “absolute liability” and is applicable to the owner or the duty holder and includes compensation to the bereaved families of the victims of an accident. The upper limit corresponds to the value of a statistical life balancing the spending on risk reduction with the overall economic performance taking account of the Life Quality Index. This approach facilitates calculation of the optimal cost for risk reduction (i.e. that is affordable and efficient) and is applicable to the high level (e.g. government) decision making.

14 CONCLUDING RECOMMENDATIONS

This framework document contains a number of important recommendations:
• The need is emphasized for a theoretically sound basis for risk based decision making where all uncertainties influencing the risks are accounted for, consistent with available information and knowledge. The suggested detail of a given risk assessment may be adjusted to the needs in a given situation but, in general, it may be observed that if a risk assessment is needed at all, it should also be correct.
• Risk based decisions should be based on expected benefits or risks. The introduction of confidence on risk estimates is not compatible with rational decision making.
• It is underlined that risk assessments should include a complete assessment of consequences. To this end it is suggested that, in addition to the direct consequences of damage and failure, the possible subsequent consequences which may occur due to the combination of direct consequences should also be considered explicitly. This approach eliminates the need for any concepts of risk aversion in normative risk based decision making.
• Generic and indicator based approaches for the representation of systems in risk assessment may greatly enhance the integrated consideration of risks due to human, organizational, technical, structural or natural failures and uncertainties. It is strongly recommended that risk assessments be formulated within a Bayesian probabilistic framework whereby any information about the system may be taken into account at any time and thus used to update the risk model consistently.
• The number of different techniques available for risk analysis is considerable but many techniques are developed for relatively narrow fields of application and are thus of limited value in the context of integrated risk assessments. Whatever technique is selected for a specific task in a risk assessment, the important aspect is to understand its capabilities as well as the limitations. Modern techniques based on probabilistic nets of different sorts appear to provide a good platform for integrated analysis.
• Decision making based on risk assessments may be readily performed through optimization or what is often referred to as cost-benefit analysis. The criterion which is currently considered best practice across the industries and EU member states for the assessment of acceptability and tolerability of risks is the ALARP principle. However, at present there is a large degree of arbitrariness in how this criterion is implemented and this is seen as a hindrance for rational decision making. New concepts based on the Life Quality Index are available to provide a consistent and rational basis for the assessment of acceptability and tolerability. The implementation of this concept on a broad scale would enhance decision making for the benefit of the societies and the industries of the EU member states.
• The precautionary principle is often misinterpreted as being an obstacle for the development of new technologies and products. On the contrary, the precautionary principle should rather be considered as a way to establish a well documented decision basis, which reflects all available information and knowledge relevant, whenever decisions could imply high consequences.

ACKNOWLEDGEMENTS

The work presented was performed within the EU Project on “Safety and Reliability of Industrial Products, Systems and Structures” (SAFERELNET), (www.mar.ist.utl.pt/saferelnet), which is funded partially by the European Commission under the contract number G1RT-CT2001-05051 of the programme “Competitive Sustainable Growth”.

This document has benefited from various comments and suggestions from several project partners, while it was being prepared, which are gratefully acknowledged. Special thanks are due to I.B. Kroon, V. Trbojevic, R. Rackwitz, H. Bolt, S. Medonos and I. Kozine.
  • 38.
Safety and Reliability of Industrial Products, Systems and Structures – Guedes Soares (ed)
© 2010 Taylor & Francis Group, London, ISBN 978-0-415-66392-2

Framework for safety, security and sustainability risk management

A.G. Hessami
Atkins, UK
Presently with Vega Systems, UK

ABSTRACT: The management of risks is regarded as a key element of good business practice and governance. Whilst many aspects of business activities entail degrees of risk often left to the discretion of the enterprise, the safety, environmental and governance issues are increasingly scrutinised and regulated. A systematic regime for management of risks across many diverse disciplines by necessity requires a rational, structured and adaptive approach since the application requirements would differ in each sector/industry, depending on the specifics of the technology, the environment and resources employed. This paper is aimed at reviewing best practice and developing a generic risk management framework founded on a number of systemic principles. A candidate framework founded on seven key principles is derived and proposed for adoption. The framework offers a strategic yet consistent and scaleable approach to risk management which can be mapped to the specific requirements of a team, section, organization or industry sector as appropriate. The proposed framework is principally focused on safety, security and environmental protection/sustainability dimension of products, infrastructures, systems and services.

1 INTRODUCTION

The rapid development of technology generates new products, systems and process knowledge often with significant potential to improve technical, commercial and environmental performance and enhance the overall quality of life. However, the innovations especially those with embedded intelligence and adaptability are plagued by uncertainty about their overall characteristics including the concern about the risks arising from their adoption. To this end, a systemic assurance process and associated methodologies are required to underpin verification, validation and enhanced confidence in the desired performance of commercial, industrial and technological systems and innovations. The regulatory regime is the key instrument in the overall certification (approval) and deployment (acceptance) of innovations. Many developments including the safety case regime mandated within nuclear, offshore and rail transportation in the UK are intended to pave the way to enhanced confidence as well as rapid deployment of modern innovations.

In this context a systematic and adaptive approach to identification, control and management of risks is fundamental to the achievement, maintenance and improvement of the overall performance of products, processes, systems and undertakings.

1.1 Background

Products, processes and systems exhibit a number of emergent facets in their performance which are either inherent or perceived by the relevant stakeholders. These generally comprise:
• technical and functional;
• commercial;
• safety;
• security and vulnerability;
• environmental;
• reliability, availability and maintainability;
• quality;
• perceived value.

Amongst these often inter-related aspects of performance only safety and environmental dimensions of products, processes and systems are subject to regulation. Safety is a major societal concern and amongst the few aspects of business and social activities which are subject to regulatory and legal constraints. Understanding the key factors influencing the overall safety, security and environmental performance of various industrial and infrastructure systems will lead to the development of policy initiatives to promote higher integrity, more cost-effective and environmentally acceptable solutions at the EU level. It will also simplify regulation while providing transfer of knowledge and
expertise from more successful domains and states to those which have evolved at a slower pace.

A European Union Council Directive 2002/22/EC on Safety on the Community’s Railways was issued in April 2003. The thrust of the so called Safety Directive is aimed at harmonising the principles, approach and sub-cultures in member states which would otherwise pose technical barriers to integration and interoperability. In this spirit, it typifies the need for a systematic framework to ensure the approach and outcome of efforts spent on management of risks which may arise from any one of seven different aspects of performance (technical, commercial, etc.) are consistent, effective and preferably harmonised across many industrial and service sectors within the EU.

This paper develops a generic framework which can be adapted and applied to any product, process, system, environment, undertaking and industry with risk, safety, security and environmental implications. In this spirit, the framework is a goal setting environment for effective, scaleable and harmonised management of safety, environmental and potentially other (technical, commercial) risks at product, project, team, organisation, infrastructure, industry or state level as appropriate. Given the adaptive and scaleable nature of the proposed framework and its heavy reliance on creative hazard identification and risk assessment activities, it is prudent to relate this to a systematic and consistent framework for identification, assessment and evaluation of risks. The development of a synergistic risk assessment framework is beyond the scope of this paper; however, a candidate framework is referenced (Engineering Safety Management Issue 3).

2 RISK MANAGEMENT & ASSURANCE

2.1 Current practice

A review of the current practices across many industrial and service sector organisations was undertaken at the outset to establish the baseline and existence of any systematic frameworks in use.
This was partly constrained by the limited published account of how the responsible organisations addressed their safety and security risks. In this context, most of the surveyed literature related to safety management systems adopted by the relevant organisations. For brevity, a graphical notation known as the Weighted Factors Analysis (WeFA) schema was adopted for the capture and representation of the safety management systems reviewed. Whilst the detailed description of the methodology is given in the literature, a brief account is given here to facilitate comprehension of the review outcomes presented in WeFA notation.

WeFA is a hierarchical, creative and graphical knowledge capture and representation methodology comprising three fundamental objects referred to as the aim, goals and influences. The aim of a WeFA schema is the focal point of the study and is depicted by a description captured within an ellipse and annotated by A0. The goals are principally in two classes referred to as drivers and inhibitors. The driver goals are those factors (physical or intangible) which are known or perceived to contribute to the attainment of the aim. The inhibitor goals, to the contrary, are factors, again physical or intangible, which militate against the attainment of the aim. The influences are simply arrows acting as connectors between the objects. A typical WeFA schema comprises an aim and a limited number of driver and inhibitor goals. The driver goals are represented by a description captured within an ellipse with bright background colour connected to the aim by a forward green arrow. The inhibitor goals are represented by a description captured in an ellipse with a grey background, connected to the aim via a reverse red coloured arrow. The driver goals are numbered in a clockwise direction from top-centre as G1, G2, etc. and the inhibitors are numbered in an anti-clockwise direction starting with G1, G2, etc. but with a bar on or below the number.
The driver and inhibitor goals in a WeFA schema can in turn be analysed and hierarchically decomposed into lower level driver/inhibitor goals. The decomposition is pursued until sufficient clarity is arrived at for the purpose of the study. The level of detail in the analysis is thus determined by the value judgements exercised by the stakeholders.

The outcome of the reviews into cross-sectoral international approach to risk and safety management undertaken is principally presented in the WeFA schema form with an outline explanatory account for brevity.

2.1.1 Safety platform—UIC

The working group referred to as the safety platform within the international union of railways (UIC), have devised a safety management framework (UIC Safety Platform). This is depicted in the WeFA schema of Figure 1 below. The nine driver goals within the above schema are:
• Remedial action;
• Safety policy;
• Responsibilities and competencies;
• Involvement of resources;
• Definition of safety targets;
• Definition of risks;
• Training and competency;
• Internal SMS monitoring;
• Internal SMS audit.
2.1.2 Safety management in the process industry

Earlier research in the structure and culture of safety management in the chemical and nuclear industries conducted as part of the funded European project SAMRail has identified the key elements and attributes of such a system. These are depicted in the WeFA schema of Figure 2. The eight level 1 goals within the above schema are:
• Business processes;
• Risk inventory;
• Risk barriers and controls;
• Risk management system;
• Inspection and monitoring;
• Auditing and management review;
• Incident and accident registration & analysis;
• Societal and regulatory criteria.

2.1.3 Safety management in Canadian railways

The published safety management regime within the Canadian railways comprises 11 key elements as depicted in the WeFA schema of Figure 3. The eleven level 1 goals in the above schema are as follows:
• Safety policy;
• Authority, responsibility & accountability;
• Employee involvement;
• Compliance with regulations;
• Risk management process;
• Risk control strategies;
• Accident and incident reporting;
• Skill, training & supervision;
• Safety performance data collection;
• Safety audit and evaluation;
• Corrective action development.

2.1.4 Safety management in the FAA, USA

The Federal Aviation Administration (FAA) in the USA employs a streamlined approach to the safety management in the industry as depicted in Figure 4. The five main level one goals in the FAA system comprise:
• Plan;
• Hazard identification;
• Analysis;
• Risk assessment;
• Decision.
[Figure 1 schema labels: Safety Management System (Safety Platform); REMEDIAL ACTION: definition, approval, implementation and monitoring (G1); Safety POLICY (G2); RESPONSIBILITIES, competencies and appointments in the field of safety MANDATORY rules (G3); Involvement of RESOURCES (G4); Definition of safety TARGETS and planning of safety initiatives (G5); RISKS (G6); Competencies, INITIAL TRAINING, further training and STAFF monitoring (G7); Internal monitoring (feedback): collection and analysis of safety data (G8); Internal SMS AUDITS (G9)]
Figure 1. The safety management system according to the safety platform working group at the UIC.

[Figure 2 schema labels: Safety Management System (Academic Research); Risk inventory & analysis in all LCPs and the transitions between them (G2); Risk barriers & controls (b&c) for all LCPs & transitions + requirements for their good functioning (life cycle of b&c) (G3); Competence, suitability of people (G9); Business processes (primary & subsidiary) in all life cycle phases (G1); Risk management system to provide all requirements for good functioning of technical/procedural barriers & controls (G4); Availability, planning of people & hardware (G4.6); Inspection & monitoring (technical, behavioural) (G5); Auditing & management review (G6); Incident & accident registration & analysis (G7); Societal & regulatory criteria, benchmarking, response to market pressures (G8); Commitment, conflict resolution (G4.1); Communication, coordination of groups (G4.2); Procedures, rules, goals (G4.3); Hardware, equipment, tools (G4.4); Interface, ergonomics (G4.5)]
Figure 2. The safety management system according to the academic research in the process industry.

[Figure 3 schema labels: Safety Management System (Canadian Railways); Safety Policy (G1); Authority, responsibility, & accountability (G2); Employee involvement (G3); Compliance with Reg, rules, standards & orders (G4); Risk management process (G5); Risk control strategies (G6); Accident & incident reporting, investigation & analysis (G7); Skill, training & supervision (G8); Safety performance data collection & analysis (G9); Safety audit & evaluation (G10); Corrective action, development approval & monitoring (G11)]
Figure 3. The safety management system according to the Canadian railways.

Figure 4. The safety management system according to the US Federal Aviation Authority.
2.1.5 Safety management according to HSE, UK

The UK health and safety regulator (HSE) has published guidelines on the best practice approach to the successful management of health and safety. This is depicted in the WeFA schema of Figure 5. The five goals in the HSE best practice safety management framework comprise:
• Policy;
• Organization;
• Planning & implementation;
• Measuring performance;
• Review;
• Audit.

2.2 A critique of existing approaches

The examples of current practice cited above within a diverse range of industries and applications invariably share some aspects and collectively have a number of discernable attributes namely:
• Mainly empirical in nature;
• Focused on the needs of a particular industry or sector;
• Not scalable for application at various levels of project or organizational perspective;
• Failing to address the entire spectrum of risks from causative factors to response to accidents and eventual recovery strategies;
• Some being fairly generic and lacking specific qualities which make them instantly recognizable as a risk management solution for safety;
• Often lack of adequate attention to security issues;
• Lack of sufficient attention to environmental and sustainability issues;
• Lack of relevance or sufficient emphasis on human, behavioural, cultural and organizational factors underpinning success;
• Almost complete absence of a numerate approach to assessment and management of risks with a view to arrive at an objective recognition of risks;
• Insufficient focus on benchmarking, goal setting and the need for a continuous improvement in performance;
• Lack of systemic relationship between elements.

Taking these dysfunctional aspects in the current practice into account, the need for a systematic and credible framework based on a systems perspective is strongly felt.

2.3 Derivation of the principles

A principle is regarded as a fundamental truth or proposition on which many others depend.
It is also regarded as a fundamental assumption forming the basis of a chain of reasoning. It is argued that a management regime founded on a suite of principles will be superior in terms of its stability, integrity, effectiveness and its capacity to be adaptable and scaleable for multiplicity of circumstances and stakeholders since it is constructed using a set of fundamental & universal truths.

A framework for management of risks should inherently address all life-cycle phases and issues comprising:
• Identification/recognition of fundamental faults and failures (causes of hazards, threats and vulnerabilities);
• Allowing for epistemic and aleatory uncertainties taking a precautionary approach as appropriate;
• Prediction of realisation/occurrence of hazardous states arising from random and deliberate causes;
• Identification of potential escalation of hazardous states into accidents;
• Coverage of post accident scenarios, actions and recovery processes;
• Human organisation, culture, capabilities, resourcing, procedures and requisite competencies;
• An inherent monitoring and measurement system underpinning a feedback and enhancement regime based on a suite of lagging and leading predictors and indicators.

On the other hand, assurance is synonymous with gaining increasing confidence about the performance of an often complex product, process or system so that:
• It delivers an optimal level of essential and desirable properties/performance;
• It is free from an unacceptable level of undesirable properties/performance.

[Figure 5 schema labels: Safety Management System; Policy (G1); Organisation (G2); Planning & Implementation (G3); Measure Performance (G4); Review (G5); Audit (G6)]
Figure 5. The safety management system according to the UK Health and Safety Executive.

A systems framework based on a complete and inter-related set of principles for performance assurance would enhance the degree of confidence that apart from the delivery of required functionality, the product, process or system is free
from vulnerabilities/potentially harmful properties and behaviours, hence assurance. The review of risk management practice as depicted above provides a basis for classification of the key objectives and clustering of a number of requisite systemic principles.

2.4 Risk management system—principles

Compliance with the generic requirements cited above requires a systematic scrutiny of fault-failure-accident scenarios to ensure a comprehensive risk perspective. In reality, adopting a hazard/threat based approach to risk assessment and management generates a more systematic framework for coping with varieties of risks. A fault-error-failure sequence is proposed to address the processes leading to the realisation of a hazardous state or event in a product, process or system. Consideration of the post hazard horizon in this approach involves identifying the potential escalation scenarios, the defences against accidents, the range of accidents that arise due to the failure of defences and response and recovery regimes for each major accident scenario. Therefore the systematic framework for risk management comprises the following seven principles:
1. Prediction & Proactivity;
2. Prevention;
3. Containment & Protection;
4. Preparedness & Response;
5. Recovery & Restoration;
6. Organisation & Learning;
7. Continual Enhancement.

These principles collectively address the total risk landscape and are inter-related in a systemic fashion rendering a holistic system and an inclusive and comprehensive approach to risk management. A diagrammatic representation of the framework is depicted in the WeFA schema of Figure 6. The principles cited here also relate to the SafeRelNet framework for risk assessment in a consistent and demonstrable way. The principles are detailed below.
2.4.1 I—Prediction & proactivity principle

The primary principle in systematic assurance is that of Prediction which involves analysis and identification of credible system modes and hazardous states, anticipation of escalation scenarios, assessment of the baseline risks and taking hard and soft risk control measures in advance of foreseeable accidents. This is akin to advanced prognosis and by necessity involves developing and implementing methods and procedures to assess the risks and establish the baseline performance in order to support the case for further risk reduction or mitigation as appropriate.

The principle is the focal point for the identification (Prediction or forecasting) of foreseeable activities, modes and states within a system which adversely affect performance (safety, security, environmental, reliability etc.) comprising normal, degraded, failure and emergencies and the triggers and transitions for these.

The administrative, strategic and implementation facets of performance are addressed through proactivity principle comprising policy, planning, resourcing and determination of strategy and plan for compliance with existing, emerging and modified directives, regulations, rules and mandatory standards. Proactivity also implies setting the ground rules/norms and the scene for Prevention, Protection, Response and Recovery policies (BS EN ISO 9001:2000, BS EN ISO 14001:1996).

Establishing communications channels between internal and external stakeholders including the production of a safety or security or environmental case for the organisation or undertaking, a portfolio of relevant management manuals, a document management system and a configuration management and change control system also fall within the scope of Proactivity.
Figure 6. The risk management system framework.

2.4.2 II—Prevention principle

Once the baseline performance is established through Prediction and the need for risk reduction is identified, the Prevention strategy provides the most logical and prudent approach to the realisation of this objective. Prevention principle addresses the analysis of the known and predicted hazards/vulnerabilities, understanding of their causation chain and identification of the measures capable of eliminating or reducing the likelihood of hazardous states. Prevention strategies are best attempts at reducing the causative factors (faults, errors and failures) and comprise a broad range of
technical, procedural and human competence related measures. This is the cornerstone of most industries’ traditional approach to ensuring safe states through design and implementation of fail safe systems, inspections, preventative maintenance, selection, training and briefing of staff. However, whilst prudent, these measures fail to completely eliminate or control the hazardous states, thus assurance of desirable performance of the overall system cannot rely on the success of preventative strategies alone.

The Prevention focus ensures all causations and escalation routes to hazardous states are identified, analysed and all credible and reasonably practicable elimination and control measures are evaluated and implemented. This includes advanced design techniques and architectures, scheduled and preventive maintenance activities, design reviews and consideration of appropriate technologies aimed at avoiding hazardous states and maintaining the functionality and integrity of the system.

2.4.3 III—Containment & protection principle

The thrust of the classical approach to performance assurance of systems and operations is embodied in the designs, architectures, rules, processes, systems and behaviours which are mainly based on the Prevention philosophy as cited before.

Whilst allocating resources and focusing attention on Prevention is rational and prudent, it should not be at the expense of mitigating residual risks, once undesirable hazardous events occur. The aim here is to determine the escalation mechanisms/scenarios for hazardous conditions and establish strategies, responsibilities, solutions and programme of action aimed at Containing the energy or potential of hazardous states in such a manner that they would not readily escalate into accidents potentially causing commercial, environmental and human harm/loss.
Having failed or discounted prevention, the preference here is to set up effective barriers to escalation and where possible, turn hazardous occurrences into incidents or lower severity accidents. The second aspect to this is to attempt to “protect” the people, property or environment at risk against potential injuries, fatalities and damage should accidents occur or attempt to reduce the severity of such harm/damage.

The Containment and Protection principle is developed and proposed in recognition of the fact that in spite of major efforts by duty holders, hazardous states do occur in many systems and environments often driven by complexity and change or adoption of unproven yet promising innovative technologies. It is prudent therefore to have strategies, plans and measures in place to reduce the harm which would otherwise be caused by the escalation of these states if not detected and controlled in a timely and effective manner.

The Protection focus ensures that the escalation paths for credible hazardous states are recognised and reasonably practicable hard and soft measures (barriers) are identified, assessed and adopted or strengthened to detect and rectify the hazard escalation and where not possible mitigate the consequences post accident.

2.4.4 IV—Preparedness & response principle

The essence of risk management lies in the success of the Proactivity, Prevention and the Protection strategies and risk control initiatives. However, in view of the complexities inherent in many industrial, infrastructure and service sector operations nowadays, accidents do occur from time to time. In the same spirit, a high degree of anticipation and preparedness for responding to emergencies and degraded modes of operation is an integral facet of ensuring the impact is kept to a minimum (Civil Contingencies Secretariat).
The Preparedness is an aspect of organisational and resource planning and provision which entails anticipating, planning, resourcing, training and clarifying roles, responsibilities, communications, command structure and exercises to address critical classes of degraded, failure and emergency states occurring within the operational environment. This by necessity requires a degree of learning from past experience as well as anticipating new scenarios when changes are enforced to the organisation, composition, structure or the operation of the systems being managed.

The Response dimension of the principle is mainly concerned with the implementation of the Preparedness plans comprising:
• mobilising resources for presence on the scene and in pre-planned support roles in a timely manner;
• protecting the site of an accident;
• evacuating the affected parties and the public;
• determining a command structure to manage each event;
• informing civil authorities, emergency services and other relevant stakeholders with a view to protect and rescue those exposed or involved in the circumstances and minimise the degree of harm which would otherwise be sustained;
• implementing the preparedness and response plan;
• minimising overall harm and loss arising from an accident.

The Preparedness and Response principle also addresses contingency scenarios i.e. new/unexpected degraded, failure and emergency aspects and circumstances for which, a general class
of reaction is required as a safety net against all unforeseen cases.

The Preparedness and Response focus ensures optimal reaction to accidents and catastrophes is recognised and attained with a view to minimise safety, property and environmental losses in such circumstances.

2.4.5 V—Recovery & restoration principle

The timely and appropriate response to incidents and accidents ensures those affected or exposed to hazardous states receive optimal help and support with a view to minimise any harm/damage which would otherwise be incurred in the circumstances. However, depending on the severity and nature of the degraded, failure or emergency state, a degree of anticipation, advance planning and resourcing is required to initiate timely and efficient Recovery activities on the affected system or infrastructure.

Recovery after incidents and accidents essentially begins after the Response process has resulted in ensuring the safety/security of the affected or exposed people and is mainly concerned with the requisite processes and resources to repair the damage incurred in a safe, timely and efficient manner working towards the resumption of service and Restoration of the system to the normal state. It may also arise from disturbances to the system including preventive or reactive maintenance when the system is being brought back to normal operational state. Depending on the nature of the degraded, failure or emergency, the Recovery activities may additionally impose various risk control restrictions on the functionality, infrastructure or the operation of the system.

The Restoration addresses the rules, processes, roles, tests, competencies and authorities required to ensure the state of the infrastructure or operations after the Recovery activities are technically sound and acceptably safe and secure for return to restricted or normal service. In this spirit, Recovery and Restoration are assurance related activities.
Restoration may be achieved in a number of phases culminating in the full resumption of the normal operational state.

The Recovery and Restoration focus ensures the repairs to the infrastructure and production system post disturbances (including maintenance) and accidents are carried out in a safe and efficient manner and the subsequent deployment is subject to a systematic test, verification and validation process.

2.4.6 VI—Organisation & learning principle

The achievement, maintenance and improvement of the overall performance of any system or operation is contingent on timely, appropriate actions assured through a learned and competent human organisation focused on the assurance tasks.

The Organisation principle addresses the entire spectrum of human resource issues pertinent to the maintenance and improvement of performance including recruitment, induction, deployment, training, briefing and communication of critical issues, qualifications, fitness, certification and regular verification and validation of the capabilities and competencies.

Traditionally, assurance is treated as a specialist discipline and relegated to a particular group of staff solely concerned with this objective. However, whilst performance assurance like other disciplines has its specialist niches, its recognition, understanding of the underlying concepts, care for other people’s health, safety, security and welfare constitute a broad suite of beliefs, values and practices referred to as organisational culture. The recognition, promotion and nurturing of this culture is a crucial factor in the success of policies and initiatives within an organisation. Assurance culture promotes the notion that apart from specialist activities, knowledge, practices, beliefs and values in accident prevention should be common to all who have a role in the provision of service or systems with a potential to cause harm to the customers, employees and the general public or damage to property.
The organisation does not necessarily imply a dedicated arrangement for risk management, fundamentally separate from other functions of the business or service, infrastructure management or other stakeholders. Apart from specialist activities, a supportive and pervasive assurance culture must be developed and promoted throughout the organisation including education, briefing and establishment of a confidential channel for communication of observations, suggestions and feedback on all performance related matters. In this spirit, the principle underpins all other aspects of the framework since it provides the human motive force for realisation of all other principles inherent in safety/security management.

The other facet of the Organisation principle is the ability to learn and capitalise on the new and emerging knowledge for improving performance. A key instrument supporting the learning process is development, implementation and maintenance of a corporate memory to underpin the recording, retrieval and processing of relevant knowledge and resultant learning. The corporate repository of performance information must include an up-to-date directory of infrastructure, systems and operational hazards which needs to be initiated at system level whilst being updated for local conditions. This repository must be made accessible to all stakeholders to inform them about all pertinent issues which may relate to their roles, tasks and undertakings within the system.
The repository of performance information should additionally include records of reported failures, incidents and accidents and any analysis establishing causation, escalation mechanisms and the degree of harm or damage caused. Whilst such analysis is carried out under the Continual Enhancement principle, it is crucial that these are captured, shared openly and employed actively to enhance systems and processes with a view to prevent future occurrences (Prevention principle). This is a costly but essential aspect of learning from what amounts to the failures of the management system.

Finally, the Organisation principle must cater for the relationships, reporting structure, licensing and responsibilities of various stakeholders involved in the design, installation, operation, maintenance and disposal of the infrastructure, production system and its constituents.

The focus on Organisation and Learning ensures that competent people are recruited, trained and tasked with assurance related activities and lessons are learnt from faults, failures, incidents and accidents with a view to eliminate or minimise future occurrences or associated losses.

2.4.7 VII—Continual enhancement principle

The principles and their inherent activities cited earlier can underpin achieving and sustaining a desirable performance in the context of a product, process, system or organisation. However, improving quality of life, advancing social values and consequent emerging legislation, rules and standards tend to demand more stringent targets, more responsive behaviours and improving overall performance. The other key driver is the rising consciousness in the society about duty of care and negligence by people and organisations delivering services and products and the consequent criminal, civil claims and fines in the event of accidents causing harm to victims or the environment.
The inherent complexities of the infrastructure, production systems and operations in industrial and service sectors as well as the increasing demand for incorporation of novel technologies pose a challenge to the maintenance of performance levels during the transition. A rational, systematic and scientific approach to the traditionally empirical treatment of assurance matters is called for. Identification of key performance predictors and indicators, measurement and proactive control of risks are key instruments in the new approach.

The Continual Enhancement of various facets of performance necessitates an objective appreciation of the existing drivers, actors, faults, failures, hazards, targets and existing performance levels before reasonably practicable options are identified and assessed for improvement. To this end, a comprehensive approach to identification, monitoring and measurement of precursors to accidents, agreement on relevant performance criteria and normalising factors, audit of safety/security processes and culture, review of targets and making a case for performance improvements constitute the essence of this principle.

The enhancement of performance may arise from the identification and strengthening of the barriers to causation or escalation of the hazardous states or complete elimination of hazards/vulnerabilities through adoption of novel or emerging methods and technologies. The extent and scope of the performance improvements may be driven by revised targets, new standards or emerging lower cost technologies making risk reduction reasonable when contrasted against the likely gains.

The corporate repository of performance information cited under the Organisation Principle should also be actively reviewed for detecting trends in the underlying causes, precursors to accidents and near hits (strangely referred to as near misses).
This information should be communicated with all stakeholders and employed as a potent tool to eliminate the unacceptable levels of faults, failures and errors arising from human or automation sources, thus preventing accidents.

The focus on Continual Enhancement ensures that attainment of tolerable levels of overall performance is treated as a dynamic and evolving objective subject to a systematic measurement and assessment regime and cost benefit justification. The attainment and demonstration of compliance with regulatory and industry benchmarks should additionally underpin the need and quest for performance enhancement.

2.5 Risk management system—the framework

2.5.1 Risk management framework

The seven principles inherent in the safety, security and environmental performance assurance of products, processes, systems and organisations fall into three broad categories.

The first principle, Prediction and Proactivity, is mainly concerned with establishing an environment and a baseline for the product, process, system or organisation in terms of its desirable properties and performance. It represents an antithesis to reactivity in facing the potential of accidents. In this spirit, Proactivity is fundamental to the achievement and improvement of performance since it emphasises that plans and resources must be devised, secured and applied in advance of incidents and accidents to enable the duty holders to eliminate or mitigate the risks in preference to learning from accidents. This principle is therefore akin to prognosis.
The second group, comprising Prevention, Protection, Response and Recovery, is mainly associated with understanding and tackling the causation and escalation of accidents and with the preparedness in responding to emergencies with a view to minimise harm and losses.

The third and final group of two principles relates to the significant role that the human organisation, communications, responsibilities, beliefs and culture, competencies, certification, regulation and corporate memory/learning play in the attainment and improvement of overall performance. This includes a drive for continual enhancement based on a measurement, audit and feedback loop to ensure a set of common indicators are continually monitored, measured and assessed to empower the duty holders to take effective remedial and improvement actions as appropriate.

The seven fundamental principles collectively constitute a structured, systemic and holistic framework for assurance of overall performance. The framework depicted in Table 1 represents a constellation of complementary and inter-related principles which, when applied collectively, can systematically underpin the attainment, maintenance (principles I-VI) and improvement (principle VII) of overall desired performance. A framework founded on systemic principles is more fundamentally credible, stable and universally applicable than a specific context related suite of actions, processes or methodologies.

2.5.2 Systemic characteristics of the framework

Whilst holistic and comprehensive, the framework for safety, security and environmental risk management possesses essential properties such as simplicity, rationality and a level of abstraction which makes it adaptable to any context, scale and organisation. These are crucial to the stakeholders understanding, adapting and applying it to optimal effect.

The framework transforms the traditional focus on accidents to understanding, control and management of hazards and vulnerabilities.
This fundamental shift of emphasis yields a more profound knowledge on the root causes of faults, errors and failures thus resulting in a more effective management of safety, security and sustainability.

The framework sets out all the building blocks for systematic risk management starting with establishing the environment and baseline performance (principle I) leading to four focal points (principles II-V) for actualising plans and policy. A major emphasis is also placed on the organisational facets from performance focused structure, roles, responsibilities, accountabilities, competencies and communications to the more subtle cultural aspects (principle VI). The intangible human dimension related to buy-in, motivation, conflict resolution and taking people and property into account in everything we do is often ignored or not given sufficient prominence in existing safety and security frameworks and standards. Finally an active learning ethos and actualisation of learning in improvement of overall performance is emphasised in principles VI & VII.

Table 1. The Systemic Assurance Framework of seven principles.

| Principle | Scope & intent |
|---|---|
| I. Prediction & Proactivity | Setting Policy and Strategy, Identifying all stakeholders and interfaces, Hazard / Vulnerability Identification, planning, resourcing and data collection. Modelling, assessing baseline risks, identifying key performance indicators and implementing policy. Developing Safety Case and Safety Management Manual. |
| II. Prevention | All measures, processes, activities and actions from design reviews to maintenance aimed at eliminating or reducing the likelihood/frequency of hazardous states with a potential to cause harm and loss. |
| III. Containment & Protection | All measures, processes, activities and actions aimed at reducing the likelihood/frequency or severity of potential accidents arising from the hazardous states. |
| IV. Preparedness & Response | All plans, measures, processes, activities and resources relevant to managing degraded and failure modes and emergencies, collection, maintenance & sharing of records. |
| V. Recovery & Restoration | All plans, measures, processes, activities and resources relevant to recovery from planned and unplanned disturbances, degraded and failure modes and emergencies towards full resumption of production/service including the criteria and organisation for authorising the system back into service post disruptions and emergencies. |
| VI. Organisation & Learning | Structuring, reporting, communicating, training, certification, competencies, roles & responsibilities and validation for human organisation as well as ensuring lessons are learnt from incidents and accidents and key points recorded, shared and implemented. |

(Continued)

The derived principles are not things to do per se. They constitute a complete roadmap and essential focal points for the requisite activities and processes inherent in the systematic assurance of performance in products, processes, systems and undertakings. In this spirit, each principle also constitutes a focal point for measurement, benchmarking and determination of the status, success or shortcomings of the specific aspects of the risk management system.

The principles within the framework are goal-oriented and apart from guidance on the purpose and nature of essential activities, are designed to allow specific stakeholders to adapt these to their roles and circumstances and innovate to improve performance. This is particularly relevant to the historically diverse nature of the EU member states with different cultural and structural underpinnings to their industrial and service sectors.

The four key focal points (principles II-V) on the actualisation of the safety plans and policies empower duty holders to collaboratively contribute to the overall performance of their operations. These principles would naturally involve a different set of activities for each stakeholder organisation but nonetheless remain equally applicable at the framework level, hence the need for scalability and adaptability.

The proposed principles are valid at any stage of the life-cycle; therefore, they are equally applicable to any group or organisation involved in the provision of service, products or management of infrastructure, production and operations.
These can provide proactive indicators to assist the duty holders with their tasks as well as those responsible for the supervision and regulation of the relevant industry. It would therefore be feasible to audit, assess and score an organisation’s processes, capabilities and maturity in Proactivity, Prevention, Protection, Response, Recovery, Organisation and Continual Enhancement as appropriate to the nature of the undertaking. These scores and proactive criteria, when benchmarked, will signify the status, strengths and shortcomings of an organisation in their systemic approach to the management of risks.

Apart from audit, assessment and scoring of the individual principles, it is also possible to generate an overall index of merit for the performance of the whole framework, thus giving a holistic leading indication for the capabilities and maturity for an organisation in its risk management endeavours. This provides an objective and constructive framework for intra-industry benchmarking, comparisons and enhancements.

The framework founded on seven systemic principles can underpin performance assurance when applied in aggregate. In this spirit, the architecture of the proposed framework is entirely scalable and can be adopted to manage risks at the level of a product, process, team, project, department, organisation, an alliance of organisations and an industry as a whole. At every level of the application, the essential invariant aspects of the framework, i.e. the seven inter-related principles, require mapping and adaptation to the nature, scale, context, tasks and the application.

2.5.3 Relationship with SafeRelNet integrated risk assessment framework

The framework for integrated risk assessment developed within SafeRelNet comprises six key stages in the identification, analysis and assessment of risks as follows:

1. Definition phase;
2. Identification of risk or hazard scenarios;
3. Analysis of effects;
4. Analysis of causes;
5. Assessment phase;
6. Evaluation and risk reduction.

The relationship between the assessment framework elements and the corresponding management framework principles is described in Table 2. In principle, risk management covers a much broader set of issues and activities which do not readily map across the assessment tasks as evidenced in Table 2. In this spirit, assessment of risks is a prerequisite and essential to the management tasks.

The risk management framework addresses a spectrum of activities and principles such as Preparedness & Response, Recovery & Restoration and Organisation & Learning which are not traditionally considered within the scope of assessment. This is principally driven by the traditional attitude to assessment which is concerned with scoping, identification of hazards and estimation of probability/frequency and severity of the likely accidents. The assessment task is an integral aspect of the overall successful management of risks, however, since it sets out the basis on which critical risks are identified, prioritised, controlled and managed to maintain a degree of tolerability acceptable to all stakeholders.

Table 1. (Continued)

| Principle | Scope & intent |
|---|---|
| VII. Continual enhancement | All processes associated with setting and reviewing targets, measuring/assessing, processing, auditing, reviewing, monitoring, regulating and sustaining/improving performance including decision aids and criteria. This includes investigation of the causes of poor performance and accidents. |

Figure 7. The systematic framework for risk management, its interfaces and interactions.

Table 2. The relationship between the risk assessment & management framework principles.

| Assessment stage | Management principle |
|---|---|
| – Definition phase; – Identification of risk or hazard scenarios | Prediction & Proactivity |
| – Analysis of causes; – Evaluation and risk reduction | Prevention |
| – Analysis of effects; – Evaluation and risk reduction | Containment & Protection |
| No counterpart | Preparedness & Response |
| No counterpart | Recovery & Restoration |
| No counterpart | Organisation & Learning |
| – Assessment phase | Continual Enhancement |

3 CONCLUSIONS

The approach to the management of risks is best served through a structured and systemic framework comprising principles that hold true in different sectors, levels of hierarchy, contexts and circumstances. The principle based approach generates consistency, integrity and a familiar harmonised process to underpin the principal assurance activities. However, the principles in a framework only constitute focal points for allocation of resource and energy and require mapping to the specific characteristics and demands of an environment, sector, system or undertaking.

A framework of seven principles has been developed and proposed for risk management and overall safety, security and environmental assurance. Apart from random mishaps, the framework is equally applicable to malicious intent and can provide one consistent and systemic environment for successful management of safety, security and environmental/sustainability risks pertinent to products, processes, systems and undertakings.

Because of its high-level and principle focused constitution, the framework is scalable and can be applied at any level and within any industrial, infrastructure and service sector context. Its adoption as a common framework for management of safety and risks across all sectors and partner organisations is recommended.

ACKNOWLEDGEMENTS

The author extends his gratitude for support and professional input from the SafeRelNet colleagues. Special thanks to Professor C Guedes Soares for his introductory and scene setting input in the development of the SAFERELNET risk management framework document, derived from the contents of this paper.

The work presented was performed within the EU—Project on “Safety and Reliability of Industrial Products, Systems and Structures” (SAFERELNET), described in www.mar.ist.utl.pt/saferelnet, which is funded partially by the European Commission under the contract number G1RT-CT2001-05051 of the programme “Competitive Sustainable Growth”.
Safety and Reliability of Industrial Products, Systems and Structures – Guedes Soares (ed)
© 2010 Taylor & Francis Group, London, ISBN 978-0-415-66392-2

Framework for maintenance planning

C. Guedes Soares, J. Caldeira Duarte & Y. Garbatov
Instituto Superior Técnico, Technical University of Lisbon, Lisbon, Portugal

E. Zio
Politecnico di Milano, Milan, Italy

J.D. Sorensen
Aalborg University, Aalborg, Denmark
COWI, Denmark

ABSTRACT: The present document presents a framework for maintenance planning. Maintenance plays a fundamental role in counteracting degradation effects, which are present in all infrastructure and industrial products. Therefore, maintenance planning is a very critical aspect to consider both during the design and during the whole life span of operational use, within an integrated framework founded on risk and reliability based techniques. The document addresses designers, decision makers and professionals responsible for or involved in establishing maintenance plans. The purpose of this document is to present maintenance as an integrated approach that needs to be planned, designed, engineered, and controlled by proper qualitative and quantitative techniques. This document outlines the basic premises for maintenance planning and provides the general philosophies that can be followed and points to a best practice in the treatment of the many aspects of this complex problem.

1 INTRODUCTION

The complex modern engineering systems, such as offshore structures, bridges, ship hulls, pipelines, wind turbines and process systems, are ideally designed to ensure economical operation throughout the anticipated service life in compliance with given requirements and acceptance criteria typically related to the safety of the personnel and the risk posed to the public and the environment.

Inevitably, deterioration processes, such as fatigue crack growth and corrosion, are always present to some degree and if not controlled and limited they may reduce the performance of systems beyond what is acceptable. Hence, to ensure that the given acceptance criteria are fulfilled throughout the service life of the engineering systems, it is necessary to control the development of deterioration and install proper maintenance measures.

The control of the health status of a system is achieved by appropriate planning and performing of inspections and maintenance actions. This requires decisions on what to inspect and maintain, how to inspect and maintain, and how often to inspect and maintain. These decisions need to be taken so as to achieve the maximum benefit from the control of the degradation process while minimizing the impact on the operation of the system and other economical consequences. In other words, inspections and maintenance must be planned so that a balance is achieved between the expected benefits and the corresponding economical consequences.

To be able to determine expected benefits and costs it is necessary to deal properly with uncertainties, and probability theory has been widely used for that purpose. This allows decision theory to be employed to minimize overall service life costs including direct and implied costs of failures, repairs, inspections and maintenance. These approaches have reached the maturity of practical procedures and are indeed applied in various industries.

The purpose of this document is to present maintenance as an integrated approach that needs to be planned, designed, engineered, and controlled by proper qualitative and quantitative techniques.

Generically, it is possible to state that maintenance is ‘the set of actions that ensure the ability to maintain equipment or structures in, and restore it to, the functional state required by the purpose for which it was conceived’.

In all generality, two different categories of engineering problems can be identified with respect to maintenance issues: those for which the priority is to guarantee safety and reliability and those for which the priority is to guarantee availability.
Correspondingly, for the first category, inspections and maintenance are planned in order to keep the equipment or structure in a healthy state, avoiding failures, whereas for the second category the priority is to define a maintenance plan that ensures availability, taking into account the life cycle costs, by properly balancing the costs of failure and times between failures with time to repair and their costs.

2 UNCERTAINTY MODELLING

Maintenance is required for equipment and structures whose performance degrades with time and it aims at counteracting those effects.

The performance of engineering facilities, i.e. the degradation over time, is subject to a number of uncertainties. These include operational conditions, material characteristics and environmental exposure. The uncertainties originate in inherent physical randomness and in uncertainties associated with the models used to assess the performance of the systems. If, furthermore, the statistical basis for the assessment of the uncertainties is limited, then statistical uncertainties may also be important.

The deterioration processes are only partly understood and their evolution in time is associated with significant uncertainty as depicted in Figure 1, where d(t) is the damage at time t, and d_init models the initial damage. Statistical or probabilistic models can be formulated for the prediction of future deterioration. The probabilistic models are usually based on a mixture of physical understanding, observations and experience. Observations of the actually occurring deterioration, as can be obtained by inspections, may be introduced into the models and greatly enhance the precision of their predictions. In general aleatoric uncertainty (physical uncertainty) cannot be reduced by inspections, whereas epistemic uncertainty (model and statistical uncertainty) can be reduced using information from inspection.
The statistical characteristics of the deterioration in the future are decisive for the estimation of the future performance of a component and thus for its safety.

Monitoring or inspections may be used as a tool to reduce the uncertainty in the predicted deterioration and/or as a means of identifying deterioration before it becomes critical.

Figure 1 shows how the predicted future deterioration will significantly change if the observed deterioration state is used to update the probabilistic deterioration model at the time of the first inspection t_1. At that occasion the updated distribution d_u(t) will start from a lower value and will lead to another expected damage at the time t_2 of the following inspection.

If d_crit is assumed to be a critical “size” of the expected value of the predicted deterioration state, inspections may be planned such that this deterioration state is not exceeded.

It is also important to realise that the degree of control of the engineering systems achieved by the inspections is strongly influenced by the reliability of the monitoring or inspections, i.e. their ability to detect and size degradation. The reliability and thus the information achieved by inspection is strongly dependent on the quality of the monitoring system or the planned inspection, their coverage and the times at which they are performed. The reliability of the data collection itself may be subject to very significant uncertainty and this must be taken into account in the planning of inspections and when the results of inspections are interpreted and used to update the predicted performance of the considered engineering facility.

Inspections and maintenance actions are also subject to substantial uncertainties. The quality of inspections is normally quantified in terms of their ability to detect (modelled by Probability Of Detection (POD) curves) and size the defects of consideration.
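The updating step described for Figure 1 can be carried through numerically. The following is an added example, not code from the chapter: it assumes a linear damage model d(t) = d_init + r·t with a lognormally distributed growth rate r, an exponential POD curve and a Gaussian sizing error, and every numerical value is constructed for illustration.

```python
import math

# All numbers below are constructed for illustration, not taken from the chapter.
D_INIT = 1.0    # initial damage d_init (mm), assumed known
D_CRIT = 10.0   # critical expected damage d_crit (mm)


def normalise(weights):
    total = sum(weights)
    return [w / total for w in weights]


def rate_prior(mean=0.5, cov=0.5, n=400):
    """Discretised lognormal prior for the damage growth rate r (mm/year)."""
    sigma = math.sqrt(math.log(1.0 + cov ** 2))
    mu = math.log(mean) - 0.5 * sigma ** 2
    r_max = 5.0 * mean  # grid truncation; negligible prior mass lies beyond it
    rates = [r_max * (i + 0.5) / n for i in range(n)]
    dens = [math.exp(-0.5 * ((math.log(r) - mu) / sigma) ** 2) / r for r in rates]
    return rates, normalise(dens)


def damage(rate, t):
    """Assumed deterioration model: d(t) = d_init + r * t."""
    return D_INIT + rate * t


def pod(d, scale=2.0):
    """Assumed POD curve: probability that damage of size d is detected."""
    return 1.0 - math.exp(-d / scale)


def update(rates, weights, t_insp, measured=None, sizing_sd=0.5):
    """Bayesian update of the rate distribution at inspection time t_insp.

    measured=None means nothing was detected, so the likelihood is 1 - POD.
    Otherwise the likelihood is POD times a Gaussian sizing-error density.
    """
    post = []
    for r, w in zip(rates, weights):
        d = damage(r, t_insp)
        if measured is None:
            like = 1.0 - pod(d)
        else:
            z = (measured - d) / sizing_sd
            like = pod(d) * math.exp(-0.5 * z * z)
        post.append(w * like)
    return normalise(post)


def mean_rate(rates, weights):
    return sum(r * w for r, w in zip(rates, weights))


def sd_rate(rates, weights):
    m = mean_rate(rates, weights)
    return math.sqrt(sum(w * (r - m) ** 2 for r, w in zip(rates, weights)))


def expected_damage(rates, weights, t):
    """Expected value of d(t) under the current rate distribution."""
    return D_INIT + mean_rate(rates, weights) * t


def inspection_deadline(rates, weights, d_crit=D_CRIT):
    """Latest time at which the expected damage still does not exceed d_crit."""
    return (d_crit - D_INIT) / mean_rate(rates, weights)


if __name__ == "__main__":
    rates, prior = rate_prior()
    # First inspection at t_1 = 5 years finds and sizes a 2.5 mm defect.
    post = update(rates, prior, t_insp=5.0, measured=2.5)
    for label, w in (("prior d(t)", prior), ("updated d_u(t)", post)):
        print(f"{label:15s} E[d(10)] = {expected_damage(rates, w, 10.0):5.2f} mm, "
              f"sd(r) = {sd_rate(rates, w):.3f}, "
              f"E[d] reaches d_crit at t = {inspection_deadline(rates, w):5.1f} y")
```

The observation changes only the epistemic part of the model (the distribution of r); the sizing error and the POD curve stay in the likelihood, which is why a poor inspection method narrows the prediction less.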
Further, the possibility of false detections should also be taken into account in the probabilistic modelling. Different inspection methods may thus be adequate for the inspection of different deterioration processes. Inspection strategies are specified in terms of inspection method, time intervals between inspections and coverage.

Assuming that observed deterioration states will be subject to remedial actions if they are considered serious, it is easily realised that there is a strong relationship between inspection quality, inspection intervals, inspection coverage and the safety which is achieved as a result of the inspection. However, it should be emphasised that safety is only increased by remedial actions. Inspections themselves do not increase actual safety but may reduce uncertainty in the assessment of the actual condition.

Figure 1. Illustration of predicted future deterioration.

Different deterioration processes will follow different patterns both time wise and in terms of location in the facility depending on the choice of materials, detailing of the structures and process systems, production characteristics, loading and exposure to aggressive environments. Even though design strategies may attempt to mitigate or minimise the effect of deterioration processes by choice of material or dimensions, deterioration processes will still occur due to errors or flaws during manufacturing and executions.

The consequence of component failure, e.g. in terms of potential loss of lives or of costs, will depend on the component and its importance for the operation of the facility. The risk associated with the component is the product of the probability of component failure and the consequence of failure.

The risk based approach in maintenance takes basis in a quantification of risk not only on a component basis but for all components on the installation as a whole. Different inspection and maintenance strategies with different effort, quality and costs will have different effect on the risk. By comparing the risk associated with different strategies the inspection and maintenance strategy implying the smallest risk can be identified.

In this frame the importance of statistical and probabilistic models is now clear. The main probabilistic concepts that govern models and decisions related with maintenance planning are:

• Reliability of a component or system at time t is the probability that the component survives up to time t. The reliability of a system, or the ability of a system to perform successfully a certain function, depends mainly on: the quality and reliability of its components; the implementation and accomplishment of a suitable preventive maintenance and inspection program in the case of deteriorating components.
• Availability of a component or system at time t is the probability that the component or system is operating at time t. Availability is a function of the operating time (reliability) and the downtime (maintainability). Availability is a decreasing function of failure rate and is an increasing function of repair rate. Availability is also a function of the preventive maintenance program and shows the possible effects on system availability of such a program.
• Maintainability of a component or system within a given period of time is the probability that the component or system will be restored to specified conditions within the given period of time when maintenance action is performed in accordance with prescribed procedures and resources. Maintainability, like reliability, is an inherent characteristic of system or product design. It concerns the ease, accuracy, safety, and economy in the performance of maintenance actions. Maintainability is the ability of a system to be maintained.

3 MAINTENANCE MANAGEMENT SYSTEM

From the point of view of the owner of an asset that needs to be managed during its lifetime, the underlying objective of maintenance is to provide reliability and production with the long- and short-term availability requirements (the planned production) at a minimum resource cost. The cornerstone of effective maintenance planning is minimizing unplanned downtime.
In practice, taking into consideration the financial aspects of system operation, the maintenance philosophy of a system basically boils down to performing the optimal maintenance plan that is consistent with the optimisation of system availability, while not compromising safety.

This general formulation is applicable to either a plant, which is based on active components and which has to reach a certain level of production, or a structure which is made of mainly passive components, as for example a bridge that has to be available for a certain level of traffic flow.

To achieve these goals, Maintenance Management Systems are put in place. A Maintenance Management System is characterized by the following elements:

• Strategic planning—This planning generally covers a horizon of several years in the future and its basic objective consists in providing improvements to operational processes; examples of applications in this area are the allocation of resources to processes, the adoption of measures of development and the expansion of the production capacity.
• Demand management—An optimal maintenance strategy needs to be founded on an accurate estimation and prediction of the maintenance and operation loads.
• Maintenance planning—This process comprises all the functions related to the preparation of the work order, material billing, labour planning sheet, job standards, necessary drawings, purchase requisition, and all the data needed prior to scheduling and releasing the work order.
• Maintenance execution, monitoring and control—The aim is the scheduling, performance and control of the actual maintenance action.
• Basic records management—This task aims at providing the basic data in support to the other tasks, e.g. in terms of work orders.
• Supporting and reporting systems—These systems allow the access of the users to the available information.

The above elements constituting a Maintenance Management System are also typical for production planning and control, although some people claim that there are significant differences between planning and programming of production and of maintenance. These differences would justify a differentiated treatment of the two issues.

The two key elements of Maintenance Management can be summarized as:

• Maintenance is a vital core business activity crucial for business survival and success, and as such it must be managed strategically.
• Effective maintenance management needs to be based on quantitative business models that integrate maintenance with other decisions such as production, safety etc.

Maintenance is viewed as a multidisciplinary activity that involves:

• scientific understanding of degradation mechanisms and linking it with data collection and data analysis to assess the state of equipment;
• building quantitative models to predict the impact of different actions (maintenance and operations) on equipment degradation; and
• managing maintenance from a strategic perspective.

Finally, control is the activity that allows the evaluation of the performance of the strategic maintenance system implemented and it provides feedback for the update and revision of its constituents.

The definition of priorities to the distinct maintenance tasks, so that the most critical ones are carried through first, is a fundamental component of a strategic maintenance plan.
The priorities are to be assigned taking into account the urgency of the maintenance tasks with respect to the effects in the production lines and to safety. There are several proposals of classification of priority levels. Table 1 attempts to somewhat merge such classifications.

With a Maintenance Management System, it is possible to manage efficiently the flow of materials, to co-ordinate the internal activities with the ones of the suppliers and to dialogue with the productive sector about the necessities of equipment availability.

This entails handling a great volume of data in reasonable time, to properly support the management tasks and operational activities. Thus, an effective Maintenance Management System must inevitably be supported by an efficient informatic system of data processing. It needs to be stressed that equipment is understood with great generality, which goes from active components like rotating machinery to fixed structures, such as pressure vessels, bridges, buildings, offshore platforms among others.

The goal of any company is to produce goods or services. In this view, forecasting of production or service demand is an important element to integrated production or service and maintenance planning and control. The forecasts of items, spare parts and other independent demands are the key to plan production or service and maintenance for production or service.

Table 1. Priorities of maintenance work.

| Priority code | Name | Type of work | Time frame work should start |
|---|---|---|---|
| 1 | Emergency | Work that has an immediate effect on safety, environment, quality, or will shut down the operation. | Work should start immediately |
| 2 | Urgent | Work that is likely to have an impact on safety, environment, quality, or will shut down the operation. | Work should start within 24 hours |
| 3 | Normal | Work that is likely to impact the production within a week. | Work should start within 48 hours |
| 4 | Scheduled | Preventive maintenance and routine; all programmed work. | As scheduled |
| 5 | Postponable | Work that does not have an immediate impact on safety, health, environment, or the production operations. | Work should start when resources are available or at shutdown period |
4 STRATEGIC MAINTENANCE PLANNING

The boundaries that will determine the level at which strategic maintenance must be planned are mainly decided at the design stage. Design decisions will govern the initial quality, cost and layout of the installations or structures and this will have an impact on the level of maintenance that is required during operation.

Basically, the owners of the assets will aim to minimize their total life-cycle cost and thus, once the design, construction and dismantling costs are fixed, the strategic aims of maintenance are to minimize the costs of operations and maintenance.

In the cases where failure of the equipment or structure will cause very high costs of operation resulting from downtime and repair, or even from human lives lost, maintenance will aim to keep equipment and structures in healthy conditions so as to never fail. In other cases, failures can be tolerated if the repair can be done without negative impact on production or availability of the system.

Independently of the primary target of maintenance being to keep the reliability or the availability of the system, maintenance activities always interface with the operability of the system or the structure. Therefore, in the strategic planning of maintenance the strategy of operation of the installation or structure must be considered and a minimization of the expected costs or a maximization of the benefits must be sought under the existing uncertainties.

Life-Cycle Cost (LCC) involves all costs associated with the system life cycle (Figure 2) to include:
1. Benefits.
• All incomes in the system life cycle.
2. Development and Design cost.
• The cost of feasibility studies.
• System analysis.
• Detail design and development, fabrication, assembly, and test of engineering models.
• Initial system test and evaluation.
3. Construction cost.
• The cost of fabrication, assembly and test of operational systems.
• Associated initial logistic requirements (test and support equipment development, spares/repair parts provisioning, training, facility construction).
4. Operation and maintenance cost.
• The cost of sustaining operation, personnel and maintenance support;
• Spare/repair parts and related inventories;

Figure 2. Life-cycle model. (Diagram labels: Requirement stage, Feasibility, Conceptual Design, Detailed Design, Construction of Prototypes, Testing, Construct/install, Acceptance, Operation and maintenance, Design of modifications, Modifications, Reliability update, Maintenance strategy, RAMS targets, Revised targets, Data.)
Students of Ephesians, moreover, are coming to hear in it more and more clearly, if we mistake not, the voice of the Apostle and the expression of his mature Christian experience, and of that doctrine of the church in which Royce sees the essence of Paulinism. A. C. Headlam says that it is the careful study of a book that will often solve the question of its origin, and remarks: "To me Ephesians is Pauline through and through, and more even than Romans represents the deepest thought of the Apostle."[260] The important fact is that, when all the disputed epistles are excluded, the progress of criticism has placed beyond reasonable doubt the great body of the Apostle's teaching and the bulk of his writings. The practical question now at issue, as Ramsay has observed, is not, "What did Paul write?" but "What did Paul teach?"[261] In Paul's acknowledged writings we have a solid basis in fact from which to estimate the Gospel narratives and the Acts. The epistles of Paul carry us back into the circle of the earlier apostles and of the Jerusalem church, and throw light upon various events and aspects of the life, character, words, death, and resurrection of Christ.

II. The Acts of the Apostles

The book of Acts, while secondary in interest to the Gospels, occupies a central place in New Testament criticism. It is the bridge between the Ascension and the time thirty years later when Nero persecuted "a great multitude called Christians at Rome." It covers the period in which doctrinal evolution took place. Through its authorship it bridges the gap between the Gospels and the Pauline church among the Gentiles. The course of the history in the early chapters of Acts is so different from that which the imagination of a later age would have pictured, that it bears upon its face the marks of early origin and of trustworthiness. To a later writer, without contact with the actors, and writing after the destruction of the Temple and the final breach
of the Christians with the Jews and the assured success of the Gentile mission, it would seem exceedingly improbable (1) that the apostolic company should have continued to worship in the Temple; (2) that they should at first have found favour with the people; and (3) that they should have remained in Jerusalem with no apparent intention of leaving until scattered by persecution; and perhaps (4) that the Sadducees should have been the first to start the persecution. The recorded history, improbable to a later age, bears upon its face the stamp of truth. The imagination of a post-Pauline writer would have given us, we may be sure, a very different picture of church history. It would scarcely have conceived of the primitive Christology of Peter's speeches, the use of the term, "child," or "servant" of God (παῖς [pais]) in place of the Pauline term, "Son of God" (υἱός [huios]), yet with the same attitude, shared by Christians of earlier and later time, of adoration, worship and love. The presumption in favour of credibility is strengthened by the author's full and detailed treatment of persons and places. "A man who would venture to introduce ninety-five persons and a hundred and three places into a history of his own times must have been pretty sure of his ground. The majority of these persons were still living when he wrote; into every one of these places his volume shortly penetrated.... The correctness of his geography upholds the truth of his history."[262] A great many of the statements of the Acts can be checked by comparison with Paul's epistles, as has been shown by Paley's "Horæ Paulinæ," and more recently, for the first part of the Acts, by Harnack. 
In case of apparent conflict, it has been said, "we are confronted by the task of reconciling the differences between two first-century documents, each of which has, admittedly, very powerful claims."[263] More than half of the Acts is taken up with the labours of the Apostle Paul, and yet the Acts does not mention or show knowledge of his epistles. This fact, used by some to throw doubt upon the genuineness of the epistles, may be an indication of the early date of the Acts, and of so close a relationship between the
author and the Apostle that the evidence of letters would be unnecessary. Important alike in its bearing upon the questions of credibility and authorship, is the evidence of the so-called "we-sections." A prima facie case is made out that the author of the Acts was an eye-witness of some of the scenes it records, and a companion in travel of the Apostle Paul. This evidence has of late been greatly strengthened by linguistic investigation. While critical attempts are still made to divide the Acts into documents, the "we-sections" (xvi. 10-17; xx. 5-15; xxi. 1-18; xxvii. 1-xxviii. 16), as Sir J. Hawkins says, show an "immense balance of internal and linguistic evidence in favour of the view that the original writer of these sections was the same person as the main author of the Acts and of the Third Gospel."[264] No living writers have done more to stimulate interest in the book of Acts than have Sir W. M. Ramsay and Harnack, and the writings of both have materially strengthened the case alike for its Lukan authorship, and, in the main, for its historical accuracy. Ramsay, starting, as he says, from the standpoint of the Tübingen school, "with the confident assumption that the book was fabricated in the middle of the second century, and studying it to see what light it could throw on the state of society in Asia Minor, was gradually driven to the conclusion that it must have been written in the first century and with admirable knowledge."[265] Harnack's defense, in his four monographs,[266] of the Lukan authorship, integrity, historical reliability (where the supernatural is not in question) and early date of the Acts is the most outstanding and significant achievement of the age in New Testament criticism. Harnack's work has been so thorough and convincing that it may be said to have carried the theological world by storm. At least his powerful argument for Lukan authorship does not appear to have been successfully met. 
The attempt to turn its flank by asserting that the Paul of Acts, in making a vow, shaving his head and entering
into the Temple, was not the defender of Gentile liberty who wrote Galatians, and so that the author of the Acts was not the companion of Paul, is met by Harnack in the fourth of his monographs. Paul, he declares, not only was a Jew, but remained so, whether consistently or not. Harnack thinks that Paul shrank back from taking the last logical step,[267] but that in this the author of the Acts represents the relation of Paul to Judaism precisely as do his letters.[268] Stanton well remarks that the difficulty of accounting for alleged discrepancies between the Acts and the Epistles is equal or greater on the supposition that the author wrote 100 A.D., or later, than if the author was the companion of Paul.[269] The very fact, for example, that Luke says that Paul worshipped in the Temple is an indication that we have here no conception of a later age to which such an act would have seemed unnatural. In his "Date of the Acts and of the Synoptic Gospels" (IV), Harnack reverses his former opinion and strongly defends a date for the Acts within the lifetime of Paul and before the end of his trial at Rome. Reviewing his former arguments for a later date, he finds them inconclusive, and thinks that the earlier date is required by the abrupt close of the Acts. Minor considerations favouring an early date are (1) the titles for Christ in the early chapters, and for Christians, and the description of the Jews as "the people of God"; (2) the fact that the Jews are the persecutors and not the persecuted; (3) the absence of any indication of the use of Paul's letters such as would be expected in a later writer; (4) the use of the "first day of the week," instead of the "Lord's Day," and of the names of Jewish feasts, in which Luke stands with Paul against later writers. And (5) even the prediction, Acts xx. 25, which looks primarily to Jerusalem, not Rome, would not have been written, if the second imprisonment be accepted, after its apparent falsification by I Timothy i. 
3 and 2 Timothy i. 18. H. Koch develops these arguments independently,[270] and it can no longer be said that the early dating of the Acts is "a pre-critical theory which rests on sentimental or subjective grounds."[271]
Why should the author follow so carefully the fortunes of the Apostle on his voyage to Rome, and describe so fully the initial stages of his trial, and yet leave the reader in doubt concerning its outcome? Commentators have been puzzled by the seemingly inordinate space which Luke devotes to the details of the voyage and shipwreck. Sometimes it is said that the voyage marks the final rejection of the Jewish people; or in the description is seen a literary device intended to intensify the suspense of the reader; or allegorical interpretations are resorted to by those who think that Luke would not thus descend from the level of the philosophical historian to that of the novelist. In the minute description of the voyage and shipwreck, Koch sees evidence that the writer's experiences as Paul's companion on the voyage were still fresh in his mind. The details would scarcely have been remembered and recorded so vividly after twenty-five years. Even if a journal had been kept, it is still strange that the minutiæ of the story should have been retained in the perspective of the finished history. "The author still stands under the fresh impression of the wonderful divine guidance through which Paul, in spite of all dangers and hindrances, reached his long sought goal." "What interest would a reader of later times have in details such as that on an Alexandrian ship precisely two hundred and seventy-six men were found?" In the seventh or eighth decade more important contemporary events would have stood in the foreground of interest.[272] A striking parallelism has been observed between the Third Gospel and the Acts, while, supposing Paul's death to have occurred, it is urged that Luke has missed "the finest—the most essential—point of the whole comparison, the death of Paul."[273] The assumed intention of the author to write a third treatise does not help the matter much. 
It is absurd, Ramsay admits, to relate the earlier stages of the trial at great length, "and wholly omit the final result which gives them intelligibility and purpose"; but his conclusion is that "it therefore follows that a sequel was contemplated by the author," a sequel which the "first" (prôtos) of
Acts i. 1 implies, if Luke "wrote as correct Greek as Paul wrote."[274] But the intention of writing a sequel does not explain the failure to mention the outcome of the trial. Luke would have no motive like the writer of a continued story for keeping the reader in suspense, and the simple addition of the words "until his release or acquittal" would have relieved the suspense, and given "intelligibility and purpose" to the detailed description of the earlier stages of the trial. The account of the Ascension is not omitted from Luke's Gospel although given in greater detail in the Acts. There is nothing unphilosophical in the abrupt ending of a history which brings the record down to the date of writing. The leading argument against an early date for the Acts is drawn from the possible use by Luke of the writings of Josephus, and the crux of the question is in the words put into the mouth of Gamaliel (Acts v. 36, 37). The coincidence of the names of Theudas and Judas of Galilee (Acts v. 36, 37; Antiq. xx. v. 1 and 2) is striking and, if the two men named Theudas be (1) Luke had from Paul, whether or not Paul was present at the meeting of the Sanhedrin, the best means of knowing what Gamaliel, his teacher and the spokesman of the Pharisaic party, actually said. (2) The assumption that Luke was quoting Josephus is in itself very difficult when we compare the passages. Luke speaks of about four hundred under Theudas while Josephus mentions a great part of the people; Luke speaks of Judas while Josephus speaks of the sons of Judas. To quote thus loosely from his assumed authority and then to commit the further blunder of making Gamaliel allude to an event which occurred at least a dozen years later is, while possible, strangely out of keeping with Luke's proved care and accuracy in most of his historical allusions. The difficulty is acknowledged by those who make Luke dependent on Josephus. Why did Luke diverge from a correct narrative if he had one before him? 
Writers who affirm (Holtzmann) and those who deny (Schürer) the dependence on Josephus practically agree that if Luke had read Josephus he had forgotten him. (3) In the narrative of the death of
Herod (Acts xii. 20 f.; Antiq. xix. viii. 2), where the two authors most obviously come together, both are plainly describing the same event, and yet seem to be quite independent both in the use of words and in the details of the description. (4) The cumulative evidence of an early date for Luke weighs heavily in the scale against the hypothesis of dependence upon the "Antiquities" written about 93 or 94 A.D. The question of date cannot be said to be absolutely settled, but the tendency of criticism as illustrated by Harnack is to the acceptance of an early date, as well as to that of the Lukan authorship of the entire book. It is difficult to see how Harnack, with his present defense of a date before Paul's release from prison, can consistently maintain his skepticism where the supernatural events recorded in the Acts are concerned. It is idle to say that his "revolution in chronology" has no effect upon the question of reliability. It is an established principle of historical method that the nearer a tradition is to the event it professes to describe, the more likely it is to be trustworthy. The resources of Harnack's learning have been used in support of the reliability of Luke in his geographical and chronological references,[275] and his treatment of persons and reports of their speeches.[276] He has shown that Luke was in touch with the leaders of the Jerusalem church, and that his statements are abundantly confirmed by the writings of Paul. If Luke wrote within the lifetime of Paul, the Acts was published while the main actors were still living, and, by inference, it recorded events as Peter and Barnabas and Apollos and Philip and Mark thought that they happened. 
If further, as Harnack argues, it was written during Paul's imprisonment there seems no room for doubt that it was written under the eye and with the full endorsement of its principal actor, and that we have thus the implicit guarantee not only of Luke but of Paul also for the accuracy of its record.

III. The Synoptic Problem
It has been said that the two most important questions for religion are those of the rational foundations of theism and of the trustworthiness of the Four Gospels.[277] The Gospel records have always been regarded as the citadel of the Christian Faith. Not only do they contain the record of works of power and words of grace, and of a transcendent Personality, but they have always been considered to have been themselves supernatural in origin and character. They have been regarded as "a house not made with hands" (Robertson Nicoll), "a miracle of the Holy Ghost" (Stier), "the heaven-drawn picture of Christ, the living Word." The criticism of the past century, in its quest for the historical Jesus, has taken a very different attitude towards the Evangelical records. By many critics they have been regarded as a patchwork of traditions, a work of pious but credulous men, whose idealization and exaggeration, in the supposed interest of faith, it is necessary to discount in order to reach the bed-rock of historical fact. The literary relation of the Synoptic Gospels to one another has furnished to the New Testament student a problem of great intricacy and singular fascination. Its importance for our present purpose is in its bearing upon the trustworthiness of our canonical Gospels. The school of Baur, under the influence of the Hegelian dialectic, saw in Matthew, the Jewish Gospel, the thesis; in Luke, the Gentile Gospel, the antithesis; and lastly in Mark, the neutral Gospel, the synthesis or last term of the development. Criticism since the time of Baur has, with much unanimity, seen in Mark not the latest but the first of the Gospels, and has made Matthew and Luke dependent upon Mark. The theory which has for some years held the field is the so-called "two-document" theory. 
According to this Matthew and Luke, usually regarded as independent of each other, are both dependent, for much of their narrative portion and for the framework of their history, upon Mark, and, for the non-Markan discourse material which they have in common, upon a collection of the sayings of Jesus, formerly designated as "the Logia" but now usually called by
the letter "Q." The importance of the Synoptic Problem, for our present purpose, is in its historical rather than its literary features. Assuming the priority of Mark, and assuming that Matthew and Luke were dependent upon him alone in those parts of their narratives which have Markan parallels, it is clear that we must regard all deviations made by the other Synoptists from the Markan narrative as of only secondary value. Variations from Mark, if Mark be the sole source, whether these consist of additions, omissions or modifications in the narrative, obviously add nothing to our knowledge of the facts, but simply represent changes which the later writers have made in their source from subjective reasons. It is important, then, to ask whether, in the present state of opinion upon the inter-Synoptic relations, there is reason to believe that Matthew and Luke are following Mark as their sole authority for the narratives which have Markan parallels. There is now a quite general recognition of the fact that the literary problem presented by the Synoptic Gospels is exceedingly intricate, and that the "two-document" hypothesis in its simplicity has not solved all the difficulties. It is recognized that it must be modified in one of three directions. (1) There may be said to be a growing appreciation of the part which oral transmission has played in the composition of the Gospels. 
This is shown for example in the volume of Oxford "Studies in the Synoptic Problem" (1911),[278] and by the statement of Sir John Hawkins, who, in the second edition of his "Horæ Synopticæ" (1909), expresses the strong opinion "that at least the Second and Third Evangelists had provided themselves with written documents as their main sources, but that they often omitted to refer closely to them, partly because of the physical difficulties which there must have been in consulting manuscripts, and partly because of the oral knowledge of the life and sayings of Jesus Christ which they had previously acquired as learners and used as teachers, and upon which therefore it would be natural for them to fall back very frequently."[279] It is natural to suppose, with Schmiedel, that oral
tradition continued for a considerable time after the first documents were written.[280] (2) A considerable number of scholars, finding that Mark condenses his account of such incidents as the Baptism and Temptation of Jesus and the discourse concerning Beelzebub, and that Matthew and Luke are parallel in matter which they add at these points to the Markan account, have concluded that Mark must have used Q, the assumed source of the Matthew-Luke agreements. A moderate statement is that of Dr. Sanday: "I do not think that Q was used by Mark regularly and systematically, as the later Evangelists use his own narrative; but he must have known of its existence, and reminiscences of it seem to have clung to him and from time to time made their way into his text."[281] (3) Another group of scholars, basing their view on the agreement of Matthew and Luke against Mark in matter with Markan parallels, and on the difficulty of accounting for some omissions from Mark in the later Evangelists (such as the omission in Luke, where it would be most appropriate, of the story about the Syro-Phœnician woman), have framed a theory of different recensions in Mark, one being used by Matthew, a different one by Luke, and a final recension, whether the work of the Evangelist himself or of an editor, representing our canonical Mark. This theory in different forms has been advocated by Stanton in his "Gospels as Historical Documents," Part II (1909), and more recently by Holdsworth in his "Gospel Origins" (1913). When the two-document theory is held in this form, the priority of Mark belongs only to the assumed earlier editions, for whose extent and contents there is no objective evidence except the assumed dependence, while our canonical Mark is later than either Matthew or Luke. There is a growing tendency to find secondary elements in Mark as well as in Matthew or Luke. 
Hawkins, it will be recalled, gives a list of passages in Mark "which may have been omitted or altered (by the other Evangelists) as being liable to be misunderstood, or to give
offense, or to suggest difficulties."[282] Of the passages which seem (a) to limit the power of Jesus, or (b) to be otherwise derogatory to, or unworthy of Him, the more noteworthy of the twenty-two instances given by Hawkins are as follows: under (a),
1. Mark i. 32-34, "He healed many that were sick." Matthew viii. 16, "He healed all"; cf. Luke iv. 40, "Every one of them."
3. Mark vi. 5, "He could there do no mighty work, save etc." Matthew xiii. 58, "He did not many mighty works there because of their unbelief."
Under (b),
2. Mark i. 12, "The Spirit driveth him forth." Matthew and Luke use words meaning to "lead."
4. Mark iii. 21, "They said he is beside himself." This is omitted by Matthew and Luke.
10. Mark x. 17, 18, "Good Master" and "Why callest thou me good?" appear in Matthew xix. 16, 17 (R. V.) as "Master" and "Why askest thou me concerning that which is good?" Luke follows Mark.
Over against these passages may be placed others where the change, if any, and whether made unconsciously or for reasons of style or with conscious tendency, would seem to be in the other direction.
1. In the Parable of the Vineyard, Matthew xxi. 37, "My son." Luke xx. 13, "My beloved son." Mark xii. 6, "He had yet one, a beloved son."
2. Matthew x. 42, "A cup of cold water only in the name of a disciple." Compare Mark ix. 41, "In name because ye are of Christ."
3. Luke xxiii. 47, "Certainly this was a righteous man." Mark xv. 39, "Truly this man was the Son of God," or "a son of God." Matthew xxvii. 54 follows Mark.
4. (According to Bousset) Mark's abbreviation of Q in iii. 27 makes it appear that it was Jesus who bound the strong man, instead of God.[283]
5. Matthew xiii. 55, "Is not this the carpenter's son?" Compare Luke iv. 22, "Is not this Joseph's son?" Mark vi. 3, "Is not this the carpenter, the son of Mary?" Belief in the Virgin Birth is perhaps safeguarded by Mark.
6. Mark x. 45, "The Son of man came not to be ministered unto, etc." Here Bousset sees a dogmatic working over of Luke xxii. 27, "I am among you as one that serves."[284] Matthew xx. 28 follows Mark.
So far as tendency to Christological heightening is concerned, critics of the school of Bousset are now especially severe against Mark. It appears that "Luke's Gospel in the Passion history has preserved a series of primary traditions over against Mark."[285] Holdsworth finds a number of secondary elements, mostly stylistic, in Mark where the three Gospels have a common narrative. Among these are the vivid touches of the second Gospel, considered to be "distinctly secondary features," the fuller descriptions in many instances, and the use of the noun "gospel" not found at all in Luke although the verb is used, and not found in Matthew in its absolute sense.[286] Taking, then, the present state of opinion as to the relation of our Mark to the other Gospels, we see that while in general the "priority of Mark" is in some sense defended, yet the relation between any given passage in Matthew or Luke and its parallel in Mark may be variously construed. When Matthew, for example, deviates from Mark, this modification according to current theories may arise (1) from the first Evangelist's fancy or his dogmatic tendency, and will in either case be historically worthless. It may arise (2) from reliable oral tradition, and in this case be as worthy of credence as the Markan source. It may be derived (3) from the source Q, but may be for some reason omitted by Mark, whose knowledge of Q is
assumed. The deviation in Matthew may (4) have been found in a proto- or deutero-Mark, but have been omitted in his final edition. The difference in this case between Matthew and Mark is no greater than that between two editions of the same work. The point to be emphasized is that, in the present state of opinion upon the Synoptic problem, the difference of one Evangelist from another does not in itself invalidate the testimony of either. The Synoptic problem, while primarily a literary problem, is indeed "fraught with momentous issues which the Church, and not scientific criticism only, is concerned to face";[287] but in the present state of the discussion, the fact that Matthew adds to or modifies the narrative of Mark does not necessarily place the Matthean modification upon a lower plane of credibility than the Markan statement. The Matthean modification may be an exact copy of an earlier edition of Mark, or may be derived from one of Mark's sources, Q, or may be taken from that stream of oral tradition coming from "eye-witnesses and ministers of the word," which Luke in his preface evidently regarded as the touchstone of historical truth, whatever his use of written sources. Passing over the vexed question of Q, we may observe that the acceptance of Harnack's early dating of the Acts and Luke would further complicate the two-document theory. He agrees that Luke was written before the Acts, and the Acts before Paul's trial at Rome was decided; further that Mark is one of the sources of Luke, and that Mark was written at Rome. "Tradition asserts no veto against the hypothesis that Luke, when he met Mark in the company of Paul the prisoner, was permitted by him to peruse a written record of the Gospel history which was essentially identical with the Gospel of Mark given to the Church at a later time." 
Perhaps, he intimates, "Luke was not yet acquainted with Mark's final revision, which, as we can quite well imagine, Mark undertook while in Rome."[288] The priority of Mark, under this supposition, is left hanging by a slender thread. It is highly probable that Luke gathered the material for his work (and a great part of it was certainly independent of Mark) while
in Palestine, and if he did not see Mark's Gospel, or a rough draft of it, until he was in Rome, it is improbable that the Markan document was his primary and principal source, as the two-document theory asserts. Whatever the literary foundation of the two-document theory, it cannot be said to have led to any very important historical results. Those who regard the portrait of Jesus in Mark as historical see in the portrayal of Matthew and Luke only a difference in the nuances of the narrative. On the other hand, those who cannot accept the picture drawn by the First and the Third Evangelists are equally unable to accept that given to us by Mark. The criticism of the sources, in its usual form, has not revealed to us a Jesus who is more historical than the Jesus of any of the Synoptists; and it is necessary to pursue the quest in the more problematical region of "sources of sources." In this process Mark is found to be as little historical as the other Synoptic Gospels, or even as the Gospel of John. The "dissonances of the Evangelists" appear to be left practically where they were before the present movement in Synoptic criticism began. They remain what they always have been when one Gospel is compared with another, and are neither softened nor made more acute by any certain results which have been reached in the study of the Synoptic problem. Some, no doubt, may say that the discrepancies are so great that the Synoptic Gospels cannot be accepted as historical records; while others will say, as does a devout commentator on the Acts, that "such is the naturalness of Holy Scripture that it seems as though it were indifferent about a superficial consistency.
So it ever is with truth: its harmony is often veiled and hidden; while falsehood sometimes betrays itself, to a practised ear, by a studied and ostentatious uniformity."[289] Others again will appeal to the writers on historical method, such as Langlois and Seignobos: "The natural tendency is to think that the closer the agreement is, the greater is its demonstrative power; we ought, on the contrary, to adopt as a rule the paradox that an
agreement proves more when it is confined to a small number of circumstances. It is at such points of coincidence between diverging statements that we are to look for scientifically established historical facts."[290] The inter-Synoptic differences are certainly, in general, no greater than those which a single author allowed himself in the accounts of the same incident, as is shown in Luke's threefold account of the conversion of the Apostle Paul.

IV. The Johannine Problem

It is scarcely surprising that the mystery which surrounds the most mysterious Personality in history should communicate itself to the records which tell of His life, and even to the authors of these records. If the Synoptic problem is a "well," as Goethe said, the problem presented by the "spiritual Gospel" usually assigned to the Apostle John is equally fascinating and difficult. The mystery of the Master has in part enveloped the disciple whom Jesus loved. The questions of the authorship and the historicity of the Fourth Gospel are closely bound together. If the Gospel is a theological romance intended to give currency to the conceptions of the Alexandrian philosophy, it is clear that its authorship cannot be ascribed to one of the disciples of Jesus. On the other hand, if it was written by one of the Apostolic band, it must certainly, whether reliable or not in its details, contain a wealth of historical reminiscence which will enrich our knowledge of the personality, the words and the deeds of Christ. It is an interesting fact that a strong defense of the Apostolic authorship of the Gospel has been made, in the present generation and in the one which preceded it, by writers whose theological position would incline them to an opposite conclusion.[291] The strength of the evidence for Johannine authorship lies in the testimony which it receives from all parts of the early church, whether divisions be made on geographical or theological lines, and
in the links of connection which bind the witnesses to the alleged scene of John's labours and to the Apostle himself. If it be objected that John, as a Galilean fisherman and an unlettered man, could not have produced a work so profound in thought and so polished in Greek composition, the objection may be compared with that which is raised against the authorship of the plays which go under the name of Shakespeare. Andrew Lang remarks with irony upon the surprising belief that "a young man from a little country town, and later an actor, could possibly possess Shakespeare's vast treasures of general information, or Latin enough to have read the Roman classics."[292] The external evidence for Johannine authorship is strong and, with the exception of the obscure sect of the "Alogi,"[293] is uniform. It is "sufficient," and there can be little doubt that it would be efficient in producing general belief except for the theological interests involved. Objections to the Apostolic authorship from the side of the external evidence are based (1) upon supposed indications that John was martyred with James at Jerusalem and never lived in Ephesus at all, and (2) upon the statement of Papias, interpreted to mean that two men by the name of John lived in Ephesus. (1) The evidence upon the first point is confessedly late and confused. It is contained in the statements of Georgios Hamartolos, a ninth-century writer, and in the so-called "De Boor Fragment," purporting to contain an extract from a fifth-century writer, Philip of Side. The former says that Nerva, "having recalled John from the island, dismissed him to live in Ephesus. Then, being the only survivor of the twelve disciples, and having composed the Gospel according to him, he has been deemed worthy of martyrdom.
For Papias, the Bishop of Hierapolis, having been an eye-witness of him, says in the second book of the 'Oracles of the Lord,' that he was slain by the Jews, having, as is clear, with his brother James, fulfilled the prediction of Christ concerning him, and his own confession and assent in regard to this." He adds that the learned Origen, in his commentary on Matthew, "affirms that John μεμαρτύρηκεν [memartyrêken] (has borne witness, or suffered
martyrdom), intimating that he had learned this from the successors of the Apostles."[294] But Origen, in his comment on Matthew xx. 23, says that "the king of the Romans, as tradition teaches, condemned John, witnessing for the truth, to the island of Patmos." If Georgios Hamartolos thus incorrectly refers to Origen as a witness to the martyrdom of John, less weight attaches to his professed reproduction of the statement of Papias. The "De Boor Fragment" contains the statement that "Papias, in the second book, says that John the Divine and James his brother were slain by the Jews."[295] This supports the statement of the ninth-century writer in regard to the second book of Papias, but the evidence, whether for the martyrdom of John by the Jews, or for the fact that John was put to death at the same time with his brother James, as is sometimes inferred, is exceedingly slight. Paul (Gal. ii. 9) speaks of John at a time usually identified with the Council at Jerusalem (Acts xv.), although Ramsay would identify it with Acts xi. 30, thus placing it immediately before the death of James (Acts xii. 2). The statement of Georgios that John lived in Ephesus at the time of Nerva also negatives this supposition. Of the slightly attested view that John was martyred at an early date, Dr. Dawson Walker remarks: "It is difficult to think that this latter hypothesis would have met with so great favour if it had not been such an effective instrument in excluding St. John from any possibility of being the writer of the Fourth Gospel."[296] The statements that John was put to death by the Jews may possibly be an inference from the prophecy, "The cup that I drink ye shall drink, etc." (Mark x. 39).
(2) A mediating theory, based upon the well-known statement of Papias[297] in which a "presbyter" John may, with much probability, be distinguished from the Apostle of that name, does not deny the influence of the Apostle upon the construction of the Fourth Gospel, while its ultimate authorship is assigned to the "presbyter" John. The hypothesis of the two Johns rests upon the statement of Papias' fragment as interpreted by Eusebius; but Eusebius, while suggesting
that the "presbyter" might have written the Apocalypse, indicates no doubt of the Apostolic authorship of the Gospel and the First Epistle. The possibility that there were two Johns, who were both in some sense disciples of the Lord (as Papias describes the "presbyter"), who both lived in Asia Minor, and who were both more or less concerned in the writing of the Fourth Gospel, cannot be denied. But it is also possible that Papias has been misinterpreted, and that, when he described the "presbyter" John, the disciple of the Lord, he had only the Apostle John in mind. In this case we should be freed from the necessity, involved in the theory of authorship we are considering, of supposing that the Apostle had a mysterious alter ego of the same name, who was with him alike in Palestine and in Asia Minor, shared in a degree his authority and published the substance of his teaching, and so completely merged his personality in that of the Apostle that in the Gospel record no trace of a separate "presbyter" can be found, and there is no mention of the name of either John. The First Epistle, supposed to be a sort of supplement to the Gospel, is of importance in its bearing upon the question of authorship. As a recent writer says: "The persistent note of authority which is overheard, rather than heard, in the Epistles is the more impressive because it is only implied. St. John assumes that his authority is unquestioned and unquestionable by those Asians who are loyal to the Christian tradition. When we compare his letters with those of his younger contemporaries, we conclude that it was unquestionably because he was an Apostle."[298] Another mediating position, adopted by those who do not accept the full Apostolic authorship, is found in a theory of partition, which assigns a portion of the Gospel to the Apostle. The artistic unity of the Gospel and the qualities of style which distinguish it from other writings present a grave difficulty to any theory of partition.
As a sort of half-way house it will scarcely be permanently tenable. Of Spitta's analysis, which assigns a part of the Gospel to the Apostle, it has
been objected by a critic of more radical sympathies that such an admission places him outside the limits of scientific criticism.[299] The stronghold of the evidence alike for and against the Johannine authorship is to be found in the facts of the Gospel itself. On the one hand a powerful argument, such as that which has been developed by Lightfoot and Westcott, can be drawn to show that the author of the Gospel must have been a Jew, a Jew of Palestine, a disciple of Jesus, one of the inner circle of disciples, and in fact none other than the "beloved disciple" himself. The internal facts of the Gospel are used in a different way by others to show that the Fourth Gospel differs so radically in scene, in the style of its discourses, and indeed in its entire portrait of Jesus, that it cannot be accepted as historical, or as the work of one of the disciples. The difference in scene between the Galilean Gospels and the Jerusalem Gospel presents no great difficulty, but the crux of the problem is in the difference in style and subject matter. The Jesus of the Synoptics cannot, it is said, have spoken in the style of the discourses in John. Before this judgment can be accepted without qualification, several points deserve to be noticed. The difference in style is in part accounted for by the difference in subject matter and in the character of the audience. There are out-croppings of the Johannine style in the Synoptics, especially where the subject of discourse is similar. The passage, Matthew xi. 25-30, which, as we have seen, contains the essential teachings found in John xiv., is a notable illustration. The Jerusalem audience again was different from the Galilean audience. If it be said that when the Jesus of the Fourth Gospel speaks in Galilee (John vi.) He uses the same mystical style as when He speaks in Jerusalem, it should at least be considered that the discourse in Capernaum is not given as a sample of the usual synagogue preaching of Jesus.
The scene clearly marks a crisis in the ministry, a crisis indicated in the other Gospels by the northern journey for retirement which immediately followed, but made more intelligible by the supposition that the Capernaum discourse was practically a clearer revelation to the Galilean audience of the
consciousness of Jesus and the spiritual character of His work. When we recall that such expressions, familiar to John, as Logos, Lamb of God, propitiation for sin, are never placed by John in the mouth of Jesus, we have strong negative evidence that the discourses of Jesus in the Fourth Gospel are not the free composition of the author himself. After all, the question of the style of the Fourth Gospel is not so important as that of its contents. Does it draw an essentially different picture of Jesus from that of the Synoptic writers, or does it help us to fill out and to interpret the Synoptic portrait? Two considerations of a general nature should be kept in mind. Ordinary readers of the Gospels in all ages have seen no lack of unity in the composite portrait of the four Gospels; and recent criticism has shown that even to the sharp-sighted modern critic the harmony is so great that one who rejects the historical character of John's Gospel will also reject the Second Gospel, which was written from the standpoint that Jesus is the Son of God (so Bousset), and is to be distinguished from the Fourth Gospel in degree (graduel) rather than in essence. The aim of Mark, and there is no reason to doubt that he reaches his aim, is in fact the same as that of John, so far as concerns his desire that his readers may believe that Jesus is the Christ, the Son of God (John xx. 31). If what the Synoptic Gospels say is true as to the words and the works and the claims and the consciousness of Jesus, then we should expect some such supplement as we find in John. We should expect either more or less than we find in the Synoptic Gospels. When we read of the Divine Voice at the baptism and the transfiguration, we ask, What did Jesus Himself conceive His relation to God to be? The full answer is in John. When we read, "Where two or three are gathered together in my name, there am I in the midst of them" (Matt. xviii.
20), we should expect fuller teaching on the relation of Jesus to the disciples. This we have in the last discourses in John. When we read in the Synoptists accounts of the teaching and the mighty works, we turn to John for the full description of the
Teacher and Lord, and of the mighty Worker manifesting His glory. The Synoptic Gospels tell us of the authority of Jesus and of His office of judgment and of His founding a Church. In John we see the ground of His authority in His relation to God and in His mystical relation to the disciples. In the Synoptists we have the Last Supper and general prophecies of the future and commands for the guidance of the Church. We should expect some more intimate and personal revelation of His relation to the disciples, such as is furnished by the Johannine picture of the disciple whom Jesus loved, and in the words, "Woman, behold thy son" (John xix. 26, 27); and in the intimate discourse of John xiv.-xvi. When we read, once more, that Jesus often retired for prayer, but in the Synoptic Gospels have the record of only one or two of His petitions: "Remove this cup from me.... Thy will be done" (see Luke xxii. 42 and compare xxii. 32), we expect some such enrichment of our knowledge of the prayer-life of Jesus as is contained in John xvii. The historical character of the Fourth Gospel is shown alike by the light which it throws upon the course of events in the public ministry and by the more subtle resemblances between John and the Synoptists, so different in emphasis and shading that John's account cannot well have been due to Synoptic tradition, and yet so much in agreement as to give confidence that the same course of events underlies both accounts. If we look at the outward course of events under the guidance of writers such as Askwith[300] or A. E. Brooks,[301] we see that John's picture of the earliest disciples in Judea may throw light upon the narrative of the call of the four (Mark i. 16 f.). The crisis in the ministry, indicated rather than explained in the Markan narrative, is more intelligible in the light of John vi.
The hosannas of the Triumphal Entry into Jerusalem, as well as the settled determination of the rulers to put Jesus to death, can be better understood with the help of John's statements about Lazarus (see John xii. 9-11); and the accusation of the witnesses, "We heard him say I will destroy this temple" (Mark xiv. 58), and the weeping of Jesus over Jerusalem (Matt. xxiii. 37) are again more intelligible in
view of the Johannine statements about the temple of His body (John ii. 20, 21), and the accounts of His frequent visits to Jerusalem. Relationships of a more subtle kind may be found when John is compared with the Synoptic Gospels. (1) The relation of Jesus to His mother is the same in both. Compare Luke ii. 49, "Knew ye not that I must be in the things of my Father"; and John ii. 4, "Woman, what have I to do with thee?" The relation with His brethren is also the same, their right to influence Him not being admitted. (2) The causes of opposition are differently described, but are the same in principle. In both Mark ii. and John v., the charges against Him are those of blasphemy and Sabbath breaking, and in both cases are made in connection with the miracle of healing. His defense of His action in healing on the Sabbath day is the same in principle but different in detail. In both there is an à fortiori argument: "How much then is a man of more value than a sheep!" (Matt. xii. 12); "If a man receive circumcision on the Sabbath ... are ye wroth with me because I made a man every whit whole on the Sabbath?" (John vii. 23). In both cases His action is defended by reference to His unique position, in the one case in His relation to God, "My Father worketh hitherto" (John v. 17); and in the other case in His relation to men, "The Son of man is lord even of the Sabbath" (Mark ii. 28). (3) The relation of Jesus to various classes of people as described by John is remarkably different in detail, but wonderfully similar in essence, when compared with the Synoptic record. In each with entire difference of scene and circumstance He meets with a woman that was a sinner, but the essentials of penitence and the public expression of gratitude are similar in both (Luke vii. 37 f.; John iv. 7 f.).
No narratives could be more independent of each other than those of the conversation with Nicodemus in John iii., and with the rich young ruler in Mark x., yet in both cases the attitude of Jesus towards an influential and upright and religious man was the same. In spite of difference in language also, the words to Nicodemus, "Ye must be born again" (John iii. 7), do not differ in their radical demands from the words addressed to the ruler, "One thing thou
lackest: go, sell whatsoever thou hast and come, follow me" (Mark x. 21). The comparison might be continued indefinitely, but only to show that the picture of Jesus and of His relation to the Father, and to His disciples, to publicans and sinners, to the Pharisees, to women, and to the human race as Saviour and Judge, is so different in John that it cannot be due merely to the influence of the Synoptic tradition, and yet so identical in substance that it cannot possibly, with any regard for literary probabilities, have been the free invention of the writer. It is generally agreed that the writer of the Fourth Gospel took for granted in his readers an acquaintance with the narrative or the tradition of the Synoptic Gospels. He would not have written unless he had some new light to throw upon the figure of Jesus, or some deeper insight into His personality and work. The photograph and the portrait may not perhaps agree in their mechanical measurements, but to one who knows the subject the portrait may reproduce the original as faithfully, and even more adequately, than does the photograph. Each is useful for its own purpose, but both together are needed to give us the body and the soul, the exact features and the expression, the total impression of the personality. The criticism of the Gospels has thrown the figure of Jesus into strong relief, not only against the background of His time, but against the background of humanity in general. In its recent developments, it has left us practically with the choice between the Christ of the four Gospels or a shadowy figure to be found in none of them. The true historical Jesus that criticism has brought before us is clad in the coarse garments of Galilee, but with the glory of the only-begotten of the Father, full of grace and truth. The searchlight of modern knowledge is the fierce light that beats upon the throne.
As nature and the human soul and the relationships of thought and the phenomena of religion and the book of revelation are more fully studied, the majesty and beauty of the
central Figure in history is more clearly revealed. Each age sees a new glory in Jesus Christ. "It is one of the evidences of the moral greatness of Jesus," says Peabody, "that each period in Christian history, each social or political change, has brought to view some new aspect of His character and given Him a new claim to reverence." The modern age sees in Him and in His Cross of love and sacrifice the guide and inspiration of its ethical and social advance. It sees in Him and in His Cross the solution, so far as ultimate solution may be possible, of its deepest intellectual problems. It sees in Him not merely a Guide and a Revealer, but a Redeemer from sin and the Giver of Eternal Life.

Bibliography of Recent Important Works

For Chapter I

Harnack, A. Das Wesen des Christentums, 1900, 2d ed., 1908; What is Christianity? 1901, 2d ed., 1910. Sprüche und Reden Jesu, 1907; The Sayings of Jesus, 1908. Aus Wissenschaft und Leben, 2 vols., 1911.
Loisy, A. L'Évangile et l'Église, 3d ed., 1904; The Church and the Gospel, 1903.
Bousset, W. Was wissen wir von Jesus? 1904. Kyrios Christos; Geschichte des Christusglaubens von den Anfängen des Christentums bis Irenæus, 1913.
Schumacher, H. Die Selbstoffenbarung Jesu bei Mat 11, 27 (Luc 10, 22), 1912 (Freiburger Theologische Studien, Heft 6).
Schweitzer, A. Von Reimarus zu Wrede, 1906; The Quest of the Historical Jesus, 1910.
Drews, A. Die Christusmythe, 4th ed., 1911; The Christ-Myth, 3d ed., 1910.
Warfield, B. B. The Lord of Glory, 1907; and recent articles in theological reviews.
Thorburn, T. J. Jesus the Christ: Historical or Mythical? 1912.

For Chapter II

Darwin and Modern Science. Edited by A. C. Seward, 1909. Anniversary Volume by Various Authors.
Fifty Years of Darwinism, 1909. Anniversary Volume by Various Authors.
Weismann, A. The Evolution Theory, 2 vols., 1904.
Wallace, A. R. The World of Life, 1911. Man's Place in the Universe, 3d ed., 1905.
Morgan, T. H. Evolution and Adaptation, 1908.
Henderson, L. J. The Fitness of the Environment, 1913.
Thomson, J. A. The Bible of Nature, 1908.
Merz, J. T. History of European Thought in the Nineteenth Century. Vol. II, 1903.
Herbert, S. First Principles of Evolution, 1913.

For Chapter III

James, W. Varieties of Religious Experience, 1903. The Will to Believe, and Other Essays in Popular Philosophy, 1902.
Starbuck, E. D. The Psychology of Religion, 1900.
Ames, E. C. The Psychology of Religious Experience, 1910.
Leuba, J. H. A Psychological Study of Religion, 1912.
Pratt, J. B. The Psychology of Religious Belief, 1907.
Stevens, George. The Psychology of the Christian Soul, 1911.
Royce, J. The Sources of Religious Insight, 1912.
Begbie, H. Twice-Born Men, 1909.
Jastrow, Joseph. The Subconscious, 1906.
Coe, George A. The Religion of a Mature Mind, 1902.
Hall, G. Stanley. Adolescence, 1904.

For Chapter IV

Bergson, Henri. L'Évolution Créatrice, 7th ed., 1911; Creative Evolution, 1911.
LeRoy, Edouard. The New Philosophy of Henri Bergson, 1913.
Eucken, Rudolf. Der Wahrheitsgehalt der Religion, 3d ed., 1912; The Truth of Religion, 2d Eng. from 3d German ed., 1913. Können wir noch Christen sein? 1911; Can We Still Be Christians? 1914.
Jones, W. Tudor. An Interpretation of Rudolf Eucken's Philosophy, 1912.
Hermann, E. Eucken and Bergson: Their Significance for Christian Thought, 1912.
Gibson, W. R. Boyce. Rudolf Eucken's Philosophy of Life, 3d ed., 1912.
Ward, James. The Realm of Ends, 1911.
Royce, Josiah. William James and Other Essays, 1911. The Problem of Christianity, 2 vols., 1913.

For Chapter V

Clemen, Carl. Religionsgeschichtliche Erklärung des Neuen Testaments, 1909; Primitive Christianity and Its non-Jewish Sources, 1912. Der Einfluss der Mysterienreligionen auf das älteste Christentum, 1913.
Reitzenstein, R. Poimandres: Studien zur griechisch-ägyptischen und frühchristlichen Literatur, 1904. Die Hellenistische Mysterienreligionen, 1910.
Cumont, F. Les Religions Orientales dans le Paganisme Romain, 2d ed., 1909; The Oriental Religions in Roman Paganism, 1911.
Kennedy, H. A. A. St. Paul and the Mystery Religions, 1913.
Mead, G. R. S. Thrice Greatest Hermes, 3 vols., 1906.
Fowler, W. Warde. The Religious Experience of the Roman People, 1911.
Mackenzie, W. D. The Final Faith, 1910.
Marett, R. R. The Threshold of Religion, 1914.
Religionsgeschichtliche Volksbücher, begun in 1904.

For Chapter VI

Orr, James. The Problem of the Old Testament, 1906.
Harnack, A. Beiträge zur Einleitung in das Neue Testament: I. Lukas der Arzt, 1906 (Luke the Physician, 1907); II. Sprüche und Reden Jesu, 1907 (The Sayings of Jesus, 1908); III. Die Apostelgeschichte, 1908 (The Acts of the Apostles, 1909); IV. Neue Untersuchungen zur Apostelgeschichte und zur Abfassungszeit der Synoptischen Evangelien, 1911 (The Date of the Acts and of the Synoptic Gospels, 1911).
Ramsay, Sir W. M. Pauline and Other Studies in Early Church History, 1906.
Koch, Heinrich. Die Abfassungszeit des lukanischen Geschichtswerkes, 1911.
Sanday, W. (Ed.). Studies in the Synoptic Problem, 1911. The Criticism of the Fourth Gospel, 1905.
Stanton, Vincent H. The Gospels as Historical Documents, Part II, The Synoptic Gospels, 1909.
Holdsworth, W. W. Gospel Origins: A Study in the Synoptic Problem, 1913.
Hawkins, Sir John C. Horæ Synopticæ, 2d ed., 1909.
Moffatt, James. An Introduction to the Literature of the New Testament, 1911.
Allen, W. C. and Grensted, L. W. Introduction to the Books of the New Testament, 1913.
Drummond, James. An Inquiry Into the Character and Authorship of the Fourth Gospel, 1904.
Bacon, Benjamin W. The Fourth Gospel in Research and Debate, 1910.
Worsley, F. W. The Fourth Gospel and the Synoptists, 1909.
Schaefer, Aloys. Einleitung in das Neue Testament, 1913.