Making video of Vpython output in Windows

I have been searching long and hard for a way to make a simple video file of the Vpython output. And then I found Open Broadcaster Software. I can finally make a video abstract for the paper I am working on thanks to this software.

All one needs to do is run the Vpython program and start recording. Okay, let me elaborate in easy steps for you.


Before you start – general settings

This YouTube guide makes it easy to understand the settings of Open Broadcaster Software.


Here is a step-by-step process to make a video of Vpython output on Windows

Step 1: Run your program (I advise you to code a key-press event that starts the simulation, so that it is not already running before you start recording)

Step 2: Start Open Broadcaster Software and follow this video instruction

Step 3: Right click on the Scene menu and start a new scene (name it as you wish)

Step 4: Right click on the Sources menu and select game capture (a settings window will pop up)

Step 5: Select the Vpython output window as the application you want to record and click ok. If your program requires mouse interaction, remember to check “Capture mouse cursor”. This records your mouse cursor movements when you interact with the Vpython window.

Step 6: Click on the preview stream to check that the Vpython output window is previewing

Step 7: Click on start recording

Step 8: Run the Vpython program

Step 9: Stop recording

The output video file saves at the location you specified in the general settings.

There you go. A simple low-tech solution to make a video of Vpython output. Hope this helps.

Be safe!


Origins of energy barrier accident perspective

This post will introduce the energy transfer model and the development of energy barrier accident perspective.

During the 1960s and 1970s, two pioneering safety theories were developed, both of which studied the transition of excess energy from a source to a vulnerable target. Both theories demonstrated how accidents occur, and paved the way for safety thinking based on potential energy sources. James J. Gibson was the first of the two researchers to define and illustrate the energy model, Energy Source – Barrier – Vulnerable Target (as discussed in an earlier post), in 1961 (Kjellén, 2000).

The infamous Energy Model by James J. Gibson

However, in 1970, William Haddon revolutionized the field of accident causation. He introduced 10 simple yet powerful rules to avoid, control, and mitigate accidents involving vulnerable targets (Haddon, 1980).

Haddon's 10 accident prevention strategies (Haddon, 1970, 1980)

In 1980, W.G. Johnson defined a barrier as “The physical and procedural measures to direct energy in wanted channels and control unwanted releases”. W.G. Johnson is also famous for proposing MORT, the Management Oversight & Risk Tree, which was adopted by the nuclear industry (read MORT manual here).

In 1987, Urban Kjellen used the accident prevention strategies proposed by Haddon and termed them <Barriers> for ensuring safety, but in a later publication Kjellen proposed to use the term <Barrier> for a physical countermeasure, e.g. a metal mesh = <Barrier> to separate rotating propellers and vulnerable targets (Kjellen, 2000).

History and development of energy model into energy barrier accident perspective

In 1997, James Reason coined a safety theory based on the notion that accidents can be avoided with an approach of defense-in-depth. In other words, there is more than one barrier in a system, and every barrier layer has faults and failures. Only when all of these barriers fail will an incident or accident occur. He illustrated this with the intuitive picture of a Swiss cheese, where the holes in the cheese represent failures in the barriers, and rightly called it the Swiss Cheese Model. If the hazards transit through the holes in the barriers, the result can be either a serious incident or a failure in the system. He also distinguished between the terms <latent failure> and <active failure>. Latent failures are barrier functional failures due to unknown causes and are not observable, while active failures occur during the execution of barrier functions and are observable.

Swiss Cheese Model – James Reason (1997)

Snorre Sklet, in his doctoral thesis, defined three key terms in safety and barrier performance management applicable to the oil and gas industry (Sklet, 2006). The recommendations from Sklet have been well adopted in the Norwegian oil and gas industry. The key is to organize and use the barrier terms consistently. The recommendations were used in the recently published Petroleum Safety Authority memo on <Barrier Management>.

Overview of barrier system, functions, and elements.
  • Barrier system – a system that has been designed and implemented to perform one or more barrier functions, e.g., reduce consequence of hydrocarbon leak
    • There may be one or more barrier systems depending on the risk reduction requirements
  • Barrier function – a function planned to prevent, control, or mitigate undesired events or accidents, e.g., reduce duration and size of leak
    • Each barrier system may have 1 to N barrier functions
  • Barrier element – a component or a subsystem of a barrier system that by itself is not sufficient to perform a barrier function, e.g., process shutdown systems
    • Each barrier function requires 1 to N barrier elements to function on demand

In 2013, the Petroleum Safety Authority (PSA) published the barrier management principle memo to guide oil and gas operators in maintaining barrier management according to the PSA requirements. This guide builds on previous work on RNNP (Trends in Risk Level in petroleum industry) and suggests development of technical, operational and organizational safety barriers.

So, how is energy barrier accident perspective applied in high risk industries?

Let's consider a typical bow-tie risk model. The left side of the bow-tie contains the preventive barrier systems, functions, and elements (before the accident). The same is true of the consequence part (right) of the bow-tie (after the accident). As illustrated, the energy source initially has to transit through the preventive barriers before the accidental event can occur. The number of barrier systems may differ depending on the overall hazard identification and corresponding risk reduction strategies for a given system.

Energy barrier perspective with a bow-tie risk model

If the accidental event occurs, the barriers that prevent escalation of the event have to perform as planned. If they don’t, the vulnerable target, be it humans, machinery or the cost of operations, is severely affected. In a traditional barrier management approach, the energy can ideally be traced to its source (with the help of risk management and reliability assessment). A key point to note here is that these barriers are not only technical barriers, e.g., valves. Barriers may also take the form of operational procedures or organizational practices. In other words, Man, Technology and Organizational (MTO) barriers have to be combined.

A case study

Let us take the Macondo blowout as an example to demonstrate the energy barrier accident perspective. Previous studies have shown that the blowout was not caused by a single failure, but by a set of multiple failures in the MTO barriers. The illustration shows the barrier functions and barrier elements in green, blue and yellow boxes. The barrier system is: avoid hydrocarbon leak.

Macondo blowout explained with energy barrier accident perspective

One observation, as pointed out in the limitations section, is that the illustration shows the accident progression as linear, but complex systems seldom fail through single failures. This example shows the main drawback of the energy barrier accident perspective: linear vs. complex system interactions.

Strengths of the energy barrier accident perspective

  • Useful tool to identify hazard control strategies
  • Forms a basis for analytical risk control
  • Fundamentally based on energy transfer phenomenon and physics of the immediate environment
  • Helps avoid over conservative design of barrier functions. Choice of right preventive defense strategies.
  • Is transferable within various application fields, such as medicine, emergency preparedness, and high risk industries.
  • For example, a computer virus may be termed as a potential energy transiting through a network of computer servers.

Limitations of the energy barrier accident perspective

  • Energy model and energy barrier perspectives are fundamentally based on a linear progression of failures to an accident, while accidents may occur due to complex interactions in a complex system.
  • Inter-dependencies between barriers from different barrier systems exist and may be missed during various safety analyses. E.g., failure of the power supply may affect one or more sub-barrier functions.
  • The adoption of the energy transfer model in a large-scale system may prove challenging due to the need for system co-ordination in distributed systems, e.g., the aviation industry.
  • If over-conservative barrier functions are designed, they may complicate the workings of the entire system and increase the inter-dependencies.
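
The second limitation (inter-dependencies between barriers) can be made concrete with a small calculation. The following is an added example, not part of the original post: the barrier names, the failure probabilities and the function names are constructed for illustration. It compares the probability that every barrier fails on demand when the barriers are treated as independent layers with the exact figure when two of them share one power supply.

```python
from itertools import product

# Constructed figures for illustration only; they are not taken from the post.
UTILITY_FAILURE = {"power_supply": 0.01}  # P(shared utility is down on demand)
BARRIERS = [
    # (barrier function, own probability of failure on demand, utilities it needs)
    ("process shutdown", 0.02, ("power_supply",)),
    ("emergency shutdown", 0.01, ("power_supply",)),
    ("pressure relief", 0.05, ()),
]


def p_all_fail_independent(barriers, utilities):
    """Naive Swiss-cheese product: every barrier is treated as an independent
    layer, as if each one had its own private copy of the utility."""
    p_all = 1.0
    for _name, pfd, deps in barriers:
        p_works = 1.0 - pfd
        for dep in deps:
            p_works *= 1.0 - utilities[dep]
        p_all *= 1.0 - p_works
    return p_all


def p_all_fail_shared(barriers, utilities):
    """Exact result when the utility really is shared: enumerate every
    up/down state of the utilities and condition the barriers on it."""
    names = list(utilities)
    total = 0.0
    for states in product([True, False], repeat=len(names)):  # True = utility down
        down = dict(zip(names, states))
        p_state = 1.0
        for name in names:
            p_state *= utilities[name] if down[name] else 1.0 - utilities[name]
        p_all = 1.0
        for _name, pfd, deps in barriers:
            # A barrier whose utility is down fails with certainty.
            p_all *= 1.0 if any(down[d] for d in deps) else pfd
        total += p_state * p_all
    return total


def dependency_penalty(barriers, utilities):
    """How many times more likely a complete barrier failure is than the
    independent-layer estimate suggests."""
    return p_all_fail_shared(barriers, utilities) / p_all_fail_independent(
        barriers, utilities
    )


if __name__ == "__main__":
    print("independent layers :", p_all_fail_independent(BARRIERS, UTILITY_FAILURE))
    print("shared power supply:", p_all_fail_shared(BARRIERS, UTILITY_FAILURE))
    print("penalty factor     :", dependency_penalty(BARRIERS, UTILITY_FAILURE))
```

With these constructed numbers the shared power supply dominates: a single utility failure opens the holes in two layers at once, which is exactly the dependency a layer-by-layer analysis misses.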


Feel free to explore the following references.



Johnson, W.G (1980). MORT Safety Assurance Systems. New York: Marcel Dekker

Haddon, W. (1970). On the escape of tigers: An ecological note. Technological review, 72(7), Massachusetts Institute of Technology, May 1970.

Haddon, W. (1980). The Basic Strategies for Reducing Damage from Hazards of All Kinds. Hazard prevention, Sept/Oct. 1980.

Kim, Hyung Ju. (2014). Titanic Viewed from Different Perspectives on Major Accidents. Presentation, TPK5160 Risk Analysis.

Kjellen, U. (2000). Prevention of Accidents Through Experience Feedback. Taylor & Francis, London and New York.

Petroleum Safety Authority. (2013). Principles for barrier management in the petroleum industry. Technical report.

Rosness, R., Grøtan, T. O., Guttormsen, G., Herrera, I. A., Steiro, T., Størseth, F., Tinmannsvik, R. K., and Wærø, I. (2010). “Organisational Accidents and Resilient Organisations: Six Perspectives Revision 2,” No. Sintef A 17034, SINTEF Technology and Society, Trondheim.

Reason, J. 1997: Managing the Risks of Organizational Accidents. Ashgate.

Sklet, S. 2006. Safety barriers on oil and gas platforms. means to prevent hydrocarbon releases. Doctoral thesis.

Subsea safety valves – types, safe-states, and function.

Extraction of oil and gas from deep offshore reservoirs is a risky business and can result in serious accidents, such as the recent Macondo blowout. Functional safety, along with proper operations and maintenance procedures, plays a vital role in ensuring safe subsea oil and gas production. In this post, the types of subsea valves, their safe states and their functions are described. Towards the end, an illustration of remote activation of a subsea safety valve is also provided.

In functional safety terminology, a safety valve is the final element of a safety instrumented function (SIF), which acts as a physical barrier to the flow of hydrocarbons, chemicals, etc. A safety instrumented system (SIS) may contain one or more safety instrumented functions. Each safety instrumented function may further contain one or more final elements. A typical relation between SIS and SIF is illustrated in Figure 1.

Figure 1 Safety Instrumented System and Safety Instrumented Function

Function of subsea safety valves

Isolate or contribute to isolate the flow of hydrocarbons and other production fluids between a pre-determined zone.

 Before describing the overall architecture of subsea safety valve control, some basic facts about safety valves are listed below.

  • Safety valves (final elements) are part of a safety instrumented system (Sensor – Logic Solver – Final Element)
  • Mostly operated by electrohydraulic configurations. (Some are also operated pneumatically topside and some with flow pressure changes)
  • Vary greatly in size and design aspects. (Gate, ball, shear types etc.)
  • The Subsea Control Module receives electrohydraulic supply from the topside offshore facility.
  • The Subsea Control Module controls the electrohydraulic supply to the subsea valves (both directional control valves and external safety valves)
  • System safety engineers evaluate the SIS and the SIF architectures according to standard and system requirements.

 Subsea control systems

Basically, there are two different types of subsea control systems. Firstly, a basic control system (process control), which is used to control normal operations of the subsea production system and secondly, a safety control system (Safety Instrumented System), which is used to control abnormal incidents and avoid accidents by isolating the energy source.

Figure 2 Subsea safety control high-level architecture (multiplexed architecture)

Figure 2 illustrates the overall high level safety architecture for a subsea production system.

Subsea safety valves

Key safety related valves in the subsea industry are as illustrated in Figure 3.

Figure 3 Different Subsea safety valves
  • Directional control valves: These are electrohydraulic/electropneumatic valves, which can direct the hydraulic fluid flow from one port to another port when the function requires such an activation. Some are external directional control valves, i.e., they are hydraulically operated through another DCV housed in the subsea control module. Multiplexing of valves is carried out to limit the amount of hydraulic fluid needed to operate a valve and to design sequential shutdowns.
Directional Control Valve (Credits- Oceaneering)
  • Gate valves: These valves can vary in size depending on the diameter of the production bore or annulus bore. They can be double-acting or spring-actuated gate valves. If the valve actuator requires pressure to both open and close the valve, then the valve is called a double-acting valve. In contrast, spring-actuated gate valves need hydraulic power to either open or close the valve. The spring chamber acts as a potential energy source to assist in the close or open function of the valve, thereby decreasing the valve closure/opening time.
Hydraulic Operated Subsea Gate Valve (Credits- Olivervalvetek)
  • Shear rams: These are a special type of valve, mainly used to cut and seal the production and annulus bore. They are among the most critical valves in the safety function. The shearing function allows the riser to be disconnected from the topside facility. They are used as a last-resort safety function, i.e., when isolation of hydrocarbons fails. One of the root technical causes of the Macondo blowout was multiple failures in the shear rams (DHSG, 2011).
Shear Ram (Credits – New York Times)
  • Shuttle valves: The shuttle valve can allow flow of fluid from one of the two valve output ports. The pressure of the supply fluid determines which output port can function at any given time.
Subsea Shuttle Valve (Credits- Bifold)
  • Check valves: The function of a check valve is to allow flow of fluid to the output port provided the flow pressure is higher than its trip pressure. When used in the opposite configuration, a check valve can only allow flow from one direction and block the flow in the other direction. Usually check valves are used as exhaust valves and in some cases to avoid hydraulic pressure loss from a hydraulic circuit (avoiding hydraulic back flow).
Subsea Check Valve (Credits – Olivervalvetek)

Safe states of safety valves

Safe state is defined as “state of the equipment under control when safety is achieved” (IEC 61508). The safety function dictates the configuration of the valve safe state. For example, let us assume the safe state for a valve is “close”. When a safety function is triggered, the valve should close; if not, the system is said to be in a failed state (valve still open). On the contrary, if the valve safe state was “open”, the safe state would be achieved only if the valve remained open or shifted to the open position from a closed position. The configuration of the safe state therefore directly depends on the system safety requirements, which are the most important consideration when designing a safety function. Some processes need to be isolated to be safe (production gate valves), while others need to be relieved to be safe (pressure relief valves).

Figure 4 Fail states of safety valves

In subsea safety valves, there are mainly four different safe states depending on the configuration of the system and the type of valve. For example, a gate valve may be configured with a fail safe close, fail safe open, or fail as is safe state. A shear ram, on the contrary, has a safe state of shear and seal. One thing common to all the safe states of a safety valve is the external power source required to perform the function: hydraulic, electrical, and/or pneumatic.

Example – Activation of a subsea safety valve

Now, let us take an example of a SIF which consists of a gate valve as the final element. In Figure 5, the illustration to the left shows the valve in the open position. For this example, let us assume that the safe state for the gate valve is to isolate hydrocarbon flow and the valve is configured as a “fail safe close” type.

Normal Working Condition

During normal working conditions, the electrohydraulic supply is provided from the topside facility to the Subsea Control Module (SCM). In the SCM, a directional control valve is energized electrically with the help of a subsea logic solver. This electrical power ensures that the hydraulic fluid flow to the hydraulic open chamber of the safety valve is continuous. A subsea accumulator in the SCM provides the hydraulic supply to the two valves. The hydraulic pressure in the open chamber of the valve acts against the spring chamber to keep the valve in the open position. The return line in the directional control valve is blocked due to the directional control valve’s inherent design (flow in one direction).

Figure 5 Example of a safety loop and valve safe state

Safety Response

During a safety response, the subsea logic solvers execute the safety function by cutting the power to the directional control valve. The hydraulic flow ports shift due to loss in electrical power in the directional control valve. The hydraulic fluid in the hydraulic open chamber of the valve is returned to the exit port of the directional control valve. Simultaneously, the spring chamber exerts additional pressure stored in the form of a potential energy in the spring and decreases the time required for the gate valve to close. The return hydraulic fluid is either exhausted to the sea or routed to a subsea compensatory (fluid return storage).
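
The normal condition and safety response described above can be written as a small truth-table model of a “fail safe close” loop. This is an added example, not part of the original post: the two component faults (`dcv_stuck`, `spring_broken`), the assumption that a vented valve with no spring force stays open, and all function names are introduced here for illustration.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Loop:
    trip_demand: bool            # logic solver executes the safety function
    electrical_power: bool       # power available to the directional control valve (DCV)
    hydraulic_supply: bool       # accumulator pressure available in the SCM
    dcv_stuck: bool = False      # assumed fault: DCV spool does not shift when de-energized
    spring_broken: bool = False  # assumed fault: spring cannot drive the gate shut


def gate_valve_position(loop):
    """Position of a fail-safe-close gate valve that starts out open."""
    # De-energize-to-trip: the DCV is only energized while power is
    # present and the logic solver is not demanding a shutdown.
    dcv_energized = loop.electrical_power and not loop.trip_demand
    # The supply port feeds the open chamber when the DCV is energized,
    # or when the spool is stuck in that position.
    supply_port_connected = dcv_energized or loop.dcv_stuck
    open_chamber_pressurised = supply_port_connected and loop.hydraulic_supply
    if open_chamber_pressurised:
        return "open"      # hydraulic pressure holds the gate against the spring
    if loop.spring_broken:
        return "open"      # chamber vented, but nothing pushes the gate shut
    return "closed"        # chamber vented, spring closes the valve


def dangerous_states():
    """Every combination of utilities and faults in which a trip demand
    leaves the valve open, i.e. the loop is in a failed state."""
    failed = []
    for power, hydraulic, stuck, spring in product([True, False], repeat=4):
        loop = Loop(True, power, hydraulic, stuck, spring)
        if gate_valve_position(loop) != "closed":
            failed.append(loop)
    return failed


if __name__ == "__main__":
    print("normal operation :", gate_valve_position(Loop(False, True, True)))
    print("safety response  :", gate_valve_position(Loop(True, True, True)))
    print("loss of power    :", gate_valve_position(Loop(False, False, True)))
    print("loss of hydraulic:", gate_valve_position(Loop(False, True, False)))
    for state in dangerous_states():
        print("fails to close   :", state)
```

In this model, loss of electrical power or hydraulic supply always drives the valve to its safe state, at the cost of a spurious shutdown; only a component fault in the DCV or the spring leaves the valve open on demand.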


Bai, Yong, and Qiang Bai. 2012. Subsea Engineering Handbook. Burlington: Elsevier Science.

IEC 61508. Functional safety of electrical/electronic/programmable electronic safety-related systems, 1998. Part 1-7.

IEC 61511. Functional safety – safety instrumented systems for the process industry sector, 2003.

Marvin Rausand. Risk Assessment : Theory, Methods, and Applications. John Wiley & Sons, Inc, 2011.

OLF 070. Guidelines for the application of IEC 61508 and IEC 61511 in the petroleum activities on the continental shelf, 2004.

The Deepwater Horizon Study Group 2011. Final report on the investigation of the Macondo well Blowout.

Blog post header image is credited to Oceaneering.

Analysis and Discussion of Deepwater Horizon Accident and Barrier Strategies

The Macondo well blowout in the Gulf of Mexico has been one of the most comprehensively studied accidents in the oil and gas industry, and has resulted in numerous accident investigation reports. The report attached to this post analyzes the Macondo blowout and the barrier strategy that was in place when the accident occurred. “Final report on the investigation of the Macondo well blowout” by The Deepwater Horizon Study Group (DHSG) was referred to extensively during this study. The overall goal was to discuss what could have been done differently in order to minimize the escalation of the outcome/consequences or even interrupt the chain of events that caused the blowout.

Emergency rescue attempts of Deepwater Horizon Rig- April 20, 2010 (Credits- SkyTruth- Flickr)

The report employs the human risk perspective, meaning that the more than 80 days of oil spill after the sinking of the rig and the corresponding environmental damage were outside the scope of this study. We chose to limit the analysis of the accident to the rescue of personnel not because the 5 million barrels of oil (Vinnem 2014, DHSG 2011, CSB 2014) reportedly spilled are of small importance, but to keep this study within a feasible analysis scope.


  • A condensed presentation of the failed barriers and accidental events is illustrated chronologically through a STEP diagram.
  • Failed barriers are analyzed from the Energy Flow and the Man, Technology, and Organization (MTO) perspectives.
  • Both analyses further evolve to include human and organizational aspects relevant to the failures that permitted the accident to escalate to the point where 11 deaths and 17 injuries occurred.
  • A comparison with other similar accidents in terms of causes and consequences is described.
  • Based on PTIL’s 2013 Barrier Management Memo, the report proposes a specific barrier strategy based on the failure of barrier functions revealed during the accident.
  • Suitable performance standards to measure the performance of the recommended barrier strategies are proposed.

Main conclusions 

  • Complex systems will continue to manifest complex accident propagation.
  • Risk analysis must be performed and updated during the life-cycle of the facility to decrease dormant and weak MTO barriers.
  • Barrier management is paramount because the organizational and human barriers are constantly in demand during accident progression.
  • Human and organizational barriers (passive/active barriers) are comparatively more vital than the technical barriers, which are for the most part active barriers. This claim is supported by the findings by the MTO analysis.
  • Systems safety should not be neglected in favor of traditional HSE indicators.

Access to full report:  Report

Access to presentation: Presentation


I would like to thank Nathalie M. De Oliveira, the co-author of this report and presentation, for her valuable contributions.


[Vinnem, 2014] Vinnem, J. E. (2014). Offshore Risk Assessment, volumes 1 and 2. Springer London, 3rd edition.

[The Deepwater Horizon Study Group (DHSG), 2011] The Deepwater Horizon Study Group (DHSG) (2011). Final report on the investigation of the macondo well blowout. Technical report, Center for Catastrophic Risk Management (CCRM).

[CSB, 2014] CSB, U. (2014). Deepwater Horizon Blowout Animation. YouTube Video

[PSA, 2013] PSA, P. (2013). Principles for barrier management in the petroleum industry. Technical report.

[Rausand, 2005] Rausand, M. (2005). Lecture Notes- Risk Assessment- Preliminary Hazard Analysis (PHA).

[Rausand, 2011] Rausand, M. (2011). Risk Assessment: Theory, Methods, and Applications. John Wiley & Sons, Inc.

[Sklet, 2006] Sklet, S. (2006). Safety barriers on oil and gas platforms. means to prevent hydrocarbon releases.

[PSA, 2014] Petroleum Safety Authority Norway- PSA (2014). PSA regulations.

LaTeX code for Preliminary Hazard Analysis (PHA)

In a recent course project, I had to code a PHA worksheet and associated risk matrix in LaTeX. Preparing the LaTeX code for the worksheet and risk matrix took a lot of time. Hence, I would like to share my code for others to use. I have used “TexStudio” as my primary LaTeX editor and compiler.

This is the PDF output file: PHA LaTeX demo


The code starts …. 





% Note: the document class, most package lines and the table/tabular wrappers
% did not survive on this page. They are restored below with assumed settings
% (article class, A4 paper, 2 cm margins) so that the file compiles.
\documentclass[a4paper]{article}
\usepackage[margin=2cm]{geometry}
%\usepackage[utf8x]{inputenc}                   % replace by the encoding you are using
\usepackage[table]{xcolor}    % provides \cellcolor
\usepackage{pdflscape}        % provides the landscape environment
\usepackage[hidelinks]{hyperref}

\begin{document}

% Since the PHA worksheet is wide, start it on a new page with \begin{landscape}.
\begin{landscape}
\begin{table}[htbp]
\centering
\caption{Preliminary hazard analysis (continued)}
\begin{tabular}{p{1.4cm}p{1.2cm}p{1.9cm}p{2cm}p{2cm}p{1.3cm}p{1cm}p{1cm}p{4cm}p{1.3cm}p{1cm}p{1cm}}
\hline & & & & & \textbf{Initial Risk} & & & & \textbf{Residual Risk} & & \\[5pt]
\textbf{Generic Hazard} & \textbf{Identifier} & \textbf{Hazard} & \textbf{Accident Event} & \textbf{Probable Causes} & \textbf{Probability} & \textbf{Severity} & \textbf{Risk Level} & \textbf{Preventive Actions} & \textbf{Probability} & \textbf{Severity} & \textbf{Risk Level} \\
\hline
Example- & 5g & & Early launch of life crafts & Improper evacuation procedure & 3 & 4 & \cellcolor{red!50} 12 & Plans for Emergency Preparedness based on facility design & 2 & 2 & \cellcolor{green!50} 4 \\
% The cell colour can be changed to yellow {yellow!50} or red {red!50}.
% Add more rows as required.
\hline
\end{tabular}
\end{table}
\end{landscape}

% The table below generates a 4 x 5 risk matrix with ALARP regions for the initial risk matrix.
\begin{table}[htbp]
\centering
\caption{Initial risk matrix}
\begin{tabular}{|p{2cm}|p{2cm}|p{2cm}|p{2cm}|p{2cm}|p{2cm}|}
\hline \textbf{Frequency/ Consequence} & \textbf{1-Very Unlikely} & \textbf{2-Remote} & \textbf{3-Occasional} & \textbf{4-Probable} & \textbf{5-Frequent} \\[10pt]
\hline \textbf{4-Catastrophic} & \cellcolor{yellow!50} & \cellcolor{red!50} & \cellcolor{red!50} & \cellcolor{red!50} & \cellcolor{red!50} \\[10pt]
\hline \textbf{3-Critical} & \cellcolor{green!50} & \cellcolor{yellow!50} & \cellcolor{yellow!50} & \cellcolor{red!50} & \cellcolor{red!50} \\[10pt]
\hline \textbf{2-Major} & \cellcolor{green!50} & \cellcolor{green!50} & \cellcolor{yellow!50} & \cellcolor{yellow!50} & \cellcolor{red!50} \\[10pt]
\hline \textbf{1-Minor} & \cellcolor{green!50} & \cellcolor{green!50} & \cellcolor{green!50} & \cellcolor{yellow!50} & \cellcolor{yellow!50} \\[10pt]
\hline
\end{tabular}
\end{table}

% The table below generates a 4 x 5 risk matrix with ALARP regions for the residual risk matrix.
\begin{table}[htbp]
\centering
\caption{Residual risk matrix}
\begin{tabular}{|p{2cm}|p{2cm}|p{2cm}|p{2cm}|p{2cm}|p{2cm}|}
\hline \textbf{Frequency/ Consequence} & \textbf{1-Very Unlikely} & \textbf{2-Remote} & \textbf{3-Occasional} & \textbf{4-Probable} & \textbf{5-Frequent} \\[10pt]
\hline \textbf{4-Catastrophic} & \cellcolor{yellow!50} & \cellcolor{red!50} & \cellcolor{red!50} & \cellcolor{red!50} & \cellcolor{red!50} \\[10pt]
\hline \textbf{3-Critical} & \cellcolor{green!50} & \cellcolor{yellow!50} & \cellcolor{yellow!50} & \cellcolor{red!50} & \cellcolor{red!50} \\[10pt]
\hline \textbf{2-Major} & \cellcolor{green!50} & \cellcolor{green!50} & \cellcolor{yellow!50} & \cellcolor{yellow!50} & \cellcolor{red!50} \\[10pt]
\hline \textbf{1-Minor} & \cellcolor{green!50} & \cellcolor{green!50} & \cellcolor{green!50} & \cellcolor{yellow!50} & \cellcolor{yellow!50} \\[10pt]
\hline
\end{tabular}
\end{table}

% The table below provides the legend for the risk matrix.
% Its column widths are assumed; the original \begin{tabular} line was lost.
\begin{table}[htbp]
\centering
\caption{Risk matrix colour legend}
\begin{tabular}{|p{2cm}|p{9cm}|}
\hline \textbf{Colour} & \textbf{Legend} \\
\hline \cellcolor{red!50} & Not Acceptable- Risk reduction required \\[10pt]
\hline \cellcolor{yellow!50} & Acceptable using ALARP. Consider further risk reduction. \\[10pt]
\hline \cellcolor{green!50} & Acceptable. \\[10pt]
\hline
\end{tabular}
\end{table}

% Probability classes legend
\begin{table}[htbp]
\centering
\caption{Probability classes}
\begin{tabular}{p{2cm}p{3cm}p{8cm}}
\hline \textbf{Rank} & \textbf{Probability class} & \textbf{Description} \\
\hline 1 & Very unlikely & Once per 1000 years or more seldom \\
2 & Remote & Once per 100 years \\
3 & Occasional & Once per 10 years \\
4 & Probable & Once per year \\
5 & Frequent & Once per month or more often \\
\hline
\end{tabular}
\end{table}

% Severity classes legend
\begin{table}[htbp]
\centering
\caption{Severity classes}
\begin{tabular}{p{2cm}p{3cm}p{8cm}}
\hline \textbf{Rank} & \textbf{Severity class} & \textbf{Description} \\
\hline 4 & Catastrophic & Failure results in major injury or death of personnel. \\
3 & Critical & Failure results in minor injury to personnel, personnel exposure to harmful chemicals or radiation, or fire or a release of chemical to the environment. \\
2 & Major & Failure results in a low level of exposure to personnel, or activates facility alarm system. \\
1 & Minor & Failure results in minor system damage but does not cause injury to personnel, allow any kind of exposure to operational or service personnel or allow any release of chemicals into the environment. \\
\hline
\end{tabular}
\end{table}

\end{document}



[Rausand, 2005] Rausand, M. (2005). Lecture Notes- Risk Assessment- Preliminary Hazard Analysis (PHA).

[Rausand, 2011] Rausand, M. (2011). Risk Assessment: Theory, Methods, and Applications. John Wiley & Sons, Inc.

Facets of Safety

You might have heard many terms describing safety, but have you ever wondered why there are different understandings of safety in society?

The Oxford dictionary describes the word safety as “The condition of being protected from or unlikely to cause danger, risk, or injury”. As a modifier, the definition is “Denoting something designed to prevent injury or damage”. For the sake of this post, let us agree on a fundamental dictionary definition: safety is protection from a danger, risk or injury.

Use of the word safety can often vary depending on the context. Human safety, financial safety, asset safety, wildlife safety, environment safety, society safety, system safety and national safety are a few of the safety contexts. Some argue that safety is a science, while others debate the scientific approach used to understand safety in terms of human safety alone. However, both schools of thought agree that understanding safety requires a combination of individual, situational, and societal perceptions (Aven, 2014).

But what are we trying to protect? What kind of danger is looming? What kind of risk or injury is probable and serious? Answering these questions requires an understanding of safety from multiple perspectives.

To demonstrate the varied perspectives, let us scrutinize the fundamental definition of safety with some examples.

Example 1: Umbrella – personal Safety

An umbrella protects us (humans) from the rain. Rain may be a form of danger to some people. If continually exposed (risk) to this danger (rain), the person may get sick.

Umbrella – protect – rain – getting sick (Credits: Sascha Kohlmann)

In short, an umbrella is a protection against rain (danger) and getting sick (risk or injury). The definition now makes sense from a human safety perspective.

Example 2: Helmet – personal safety

A helmet protects people from injury to the head. The danger in this situation can be from high-density traffic and/or a poor road surface. The risk in this situation is falling from the vehicle, which may result in a fatal head injury. In short, a helmet is a protection against road surface/traffic (danger) and fatal head injury (risk or injury).

Helmet – protect – fall – head injury (Credits: Eric R. Patalinghug)

Both the umbrella and the helmet protect humans from a certain danger and probable risk. Such protective items are termed Personal Protective Equipment (PPE).

Example 3: Online payment system- financial safety

A secured online payment system protects us from online fraud. The danger in this situation is the ability of black-hat hackers to intercept your online payments. The risk/injury in this situation is financial loss and disclosure of personal bank account details. A secured online payment system is robust enough to avoid fraud (danger) and financial loss/identity theft (risk). This is an example of financial safety.

Example 4: Fire Response- wildlife and environment safety

Fire rescue teams protect the environment from seasonal wildfires. The danger in this situation is wildfire in dry forest areas. There is a probable risk of loss of forests and wildlife. A fire response team can protect the environment by preventing or mitigating the danger of wildfires.

Do you observe how the danger and risk change in the given examples? Risk of getting sick vs. risk of head injury vs. risk of financial loss vs. risk of wildfires are drastically different. Individuals assess these different types of dangers and risks in different ways. This is the reason why understanding safety in different contexts is important.

Describing safety through “Energy Model” 

Let us use a simple model to make sense of safety in different contexts. This model fits all contexts of safety. Firstly, in the four examples, we observe there is an energy (potential), which can cause a harm. Secondly, there is a protection barrier (umbrella, helmet, secure payment system, fire fighters). Thirdly, there is a vulnerable target (humans, wildlife), which depends on the protection barrier. This model was termed as the Energy Model by James J Gibson in 1961 (Kjellén, 2000).

Adaptation of Energy Model  (James J Gibson)


The table below provides examples for the Energy Model.  The three main links making the energy model differ in each safety context.

Table 1


Take away

1. The definition of safety is highly dependent on the individuals defining it.

The competence and experience of personnel who assess safety vary and so does their understanding on the dangers and risks involved. For example, a financial risk advisor may not fully understand the dangers and risk faced by a wildfire fire fighter, but both are part of the protection (barrier) in their respective fields.

 2. Safety is not deterministic by nature.

Safety is dynamic and based on the situation, individuals, and societal perception. A perceived danger by one person/animal/system may not be the same as perceived by another person/animal/system. Uncertainty exists in both determination of dangers and risks involved.

3. Danger (hazard), risk and safety are interrelated.

In other words, the earlier definition of safety- Protection from a danger, risk or injury- stands evaluated with demonstration of different examples.

4. Safety models illustrate the difference in safety perspectives.

The energy model is a simple yet powerful model for studying safety. It demonstrates the propagation of energies to the vulnerable target. There are other models, such as the Swiss cheese model and domino theory, which explain the propagation of energy towards vulnerable targets (Kjellén, 2000). In the upcoming posts, we will review them in detail.


Aven, Terje. What is safety science?, Safety Science, Volume 67, August 2014, Pages 15-20, ISSN 0925-7535.

Kjellén, Urban. (2000). Prevention of accidents through experience feedback. London: Taylor & Francis.

Patalinghug, Eric. (2012). My First Racing Helmet. [Image] Available at:  [Accessed 20 Oct. 2014].

Kohlmann, Sascha. (2014). Umbrella. [Image] Available at:  [Accessed 20 Oct. 2014].

