Contents :
Formal Risk Assessment has become a field of great importance since tragic accidents (Herald of Free Enterprise, Derbyshire and Piper Alpha) together with environmental disasters (Exxon Valdez, Amoco Cadiz) have questioned ship safety.
The cost of implementing the various international standards (SOLAS, MARPOL) is very high (and not easy to apply to old vessels) and at the same time history has proven that even the strictest regulations (e.g. USOPA 90), cannot guarantee accident-proof ships and navigation. Accidents will still occur as long as no effort to anticipate and prevent accidents is done, and regulations are confined to making ships stronger.
The House of Lords Select Committee on Science and Technology produced a report on "Safety Aspects of Ship Design and Technology" with recommendations to improve ship safety. It is based on a more scientific approach to safety regulation in the shipping industry including a Safety Case (Formal Safety Assessment) for every ship trading commercially, produced by the operator and approved and audited by the flag state. This Safety Assessment demonstrates that ship's operations could achieve the safety goals subject to prescribed conditions. The safety case involves risk analysis and specifies how these risks can be minimized.
I. Hazard: a physical situation with a potential for human injury, damage to property, damage to the
environment or some combination of these.
II. Risk: a combination of the probability and the degree of the possible injury or damage to health in
a hazardous situation.
III. Safety: freedom from unacceptable risks / personal harm.
Risk analysis, as used for the assessment of hazards associated with ships, can be summarized by three questions:
I. What can go wrong?
II. What will the effects and consequences be?
III. How often will it happen?
The first and basic step of hazard identification (the first question) is purely qualitative and is often called a safety study. Such a study may reveal aspects of the ship and equipment which require more consideration. It is then necessary to answer the next two questions in order to complete the risk analysis. The results of the analysis are used for judgment, about the acceptability of the risk and for decision making. Qualitative answers are often given to the second and third questions. However, recent developments have involved the application of quantitative techniques for obtaining answers to these two questions. This is usually referred to as quantitative risk analysis. The whole exercise may be called risk assessment.
Formal Risk Assessment can be used to:
1. Increase the understanding of ship safety through a systematic and logical development of accident
sequences.
2. Separate important accident sequences from unimportant ones.
3. Provide a quantitative measure of risk.
4. Determine the importance of ship operator actions in coping with accidents.
5. Identify cost effective design or procedural changes for controlling risk.
6. Improve the decision making (risk management process).
7. Help clarify emergency planning needs.
8. Provide assurance that state-of-the-art methods have been responsibly used to assess ship safety.
The process of designing for safety can be subdivided into the following phases:
1. Problem definition: Definition of the extent and the objectives of the safety assessment.
2. Risk identification: Identification of the potentially hazardous conditions or events associated with
the product design, for each of which all possible sequences of events leading to their occurrence
(failure modes) and respective consequences must be identified.
3. Risk estimation: The qualitative or quantitative estimation of the likelihood of occurrence of the
identified hazards and the severity of respective potential consequences.
4. Risk evaluation: Definition of risk associated with the product as a function of the estimated
measures of the likelihood of occurrence and severity of resulting probable consequences.
5. Design Review: The identification and implementation of design changes aimed at reducing the risk associated with the product. Design for safety is the repeat process including risk identification through to design review, converging to the safety design objectives defined in the problem definition phase.
The level of safety assessment in engineering design depends on the level of innovation associated with the concept and on the population at risk. Statutory requirements define the objectives and the required documentation.
The process of risk assessment for ships is difficult due to the level of innovation and consequences and furthermore has the following difficulties:
a) The non-existence of historical data on design aspects of the product. This is particularly true for
original design problems and design solutions.
b) The impracticability of full-scale experimentation with many design aspects of the product.
c) The difficulty of replacing or modifying the product once on location and in operation if the safety is
found to be unacceptable.
Risk identification may be conducted on either a top-down or bottom-up approach on the basis of either hardware elements or events and states. The decision as to which approach is more appropriate and whether it should be carried out on a hardware or event basis in a particular context depends on the following considerations:
a) The indenture level of the product breakdown at which the risk identification is conducted.
b) The degree of complexity of the interrelationships of the items at the investigated indenture level.
c) The degree of innovation associated with the product design idea.
In many cases, the principal hazards associated with the product are known, or may at least be identified in the relatively early design stages. However, how these may occur and develop to unacceptable consequences may not always be readily related to the design hardware and systems.
The system operation and process has to be systematically decomposed and the interactions of primary and intermediate events on system safety and performance analyzed.
Top-down and bottom-up event based risk identification methods may be applied to identify the systems states, operational conditions, environmental conditions and other design considerations which contribute to the likelihood of occurrence of such hazardous conditions and define the magnitude of their respective resulting consequences.
When, however, there is a lack of knowledge or experience regarding the design solution and its possible effects on the product safety, hardware bottom-up approaches, although time consuming, should yield higher levels of confidence that all hazardous system states and respective modes of occurrence have been identified.
2.1. Preliminary Hazard Analysis (PHA)
PHA is used to identify possible hazards associated with a product or system and respective causes, effects and corrective actions. It is a formal top-down approach to risk identification and is conducted on the basis of the comprehensive knowledge of similar systems and the analysis of past accident data (Historical Analysis).
A PHA conducted at the product level in the early design stages should lead to the identification of hazardous systems and processes, and should prove an essential foundation for further in-depth analysis of individual hazards, with particular reference to Fault Tree Analysis and Event Tree Analysis.
Typical steps of PHA are:
i) identification of hazardous events.
ii) identification of hazardous causes.
iii) identification of hazardous effects.
iv) classification of risks.
v) determination of preventative measures.
2.2. Failure Mode and Effects Analysis (FMEA)
Having identified hardware system failures or states, the complexity of the interrelationships of the items and respective state variables may require the use of a more systematic identification approach such as FMEA since the top-down event-based approach may lead to the omission of modes of occurrence. FMEA is normally conducted following a bottom-up approach in the context of hardware components.
It consists of breaking down the system investigated into its components levels for each of which all the constituting items are individually examined. For a specific item, it involves the identification of all failure modes, the effects of failure on the higher indenture levels and the level to which the item belongs and the means by which failure may be detected. FMEA, by identifying all failure modes and respective effects of all hardware items, leads to the identification of system states which affect both safety and reliability.
3.1. Qualitative Analysis
In early design stages, the likelihood and consequences of hazards cannot normally be estimated on a quantitative basis because the hazard identification has not reached a state of development such that the events may be readily quantified. The likelihood of occurrence of events may be estimated using qualifiers such as frequent, probable, occasional, remote and unlikely, and consequences by catastrophic, critical, marginal and negligible. This qualitative approach is commonly used in PHA and FMEA.
3.2. Quantitative Analysis
On a quantitative basis, the probability of occurrence of the top events may be estimated on the basis of their respective minimal cut sets. Depending on the dependency between the occurrence of the individual basic events and between the minimal cut sets, the probability or bounds of probability of occurrence of the top events may be directly estimated using the laws of probability, or may be estimated using Discrete Event Simulation (DES).
DES allows the modeling of a system whose behavior of interest changes value or state at discrete moments in time and on the basis of logical expressions, the stochastic behaviors are modeled by sampling from descriptive probability distributions.
For each probable consequence of an event tree, the probability of occurrence is the product of the conditional probability of occurrence of all the events along the path leading to its occurrence.
The probability of occurrence of individual events can be obtained from historical analysis, monitoring and experimentation or engineering judgment, or obtained from FTA or DTSA being top events in their own right.
Having estimated hazards qualitatively, the risk may be evaluated by a criticality matrix. At the intersection of each frequency and consequence qualifiers requirements can be specified for further investigation. Since the relationship between consequences and public response is not linear, the risk should ultimately be evaluated in the form of a Frequency-Consequences diagram or curve.
Once risk is estimated, it can be evaluated as a function of the estimated measures of the likelihood of occurrence and the severity of the resulting probable sequences.
Reduction of the likelihood of occurrence of a top event may be achieved by any one or combination of the following approaches:
a) Change the design solution to the design problem, i.e. conceptual design.
b) Reduce the likelihood that the occurrence of sets of events will develop into hazardous conditions,
i.e. build redundancy into the product design and operating procedures.
c) Reduce the likelihood of occurrence of individual events.
The ways by which the likelihood of occurrence of individual basic events may be reduced depend on their nature. The likelihood of human errors may generally be reduced by the improvement of training, supervision and communication. The failure rate of hardware components may be reduced by de-rating the use of superior components and improved inspection and maintenance policies.
A simulation can be carried out for further analysis. In a simulation analysis different distribution of failure can be dealt with, and covert and revealed failures as well as maintenance can be taken into account. The accumulated failures in simulation analysis can be collected and compared with the system decision table to assess the probabilities of occurrence of each prime implicant and system failure state.
The results can be used to design protection systems which will reduce or eliminate the impact of the prime implicants with unacceptable high probabilities of occurrence, and also to design optimal maintenance policies.
Formal Risk Assessment is probably the way to increased safety in ships. It is a process which assesses and diminishes the possibilities of hazardous events by several methods (design review, personnel training, provision of information, etc.).
So far, Formal Risk Assessment is not required by law. This is due to the following facts:
i) Formal Risk Assessment has been developed recently and has not yet widespread as an efficient
safety tool.
ii) it is quite difficult to create and apply such a system without proper training.
iii) it is money and time consuming to maintain such a system.
iv) there is unavailability of persons able to apply such systems into different production of service
industries.
Despite the above difficulties, Formal Risk Assessment, if properly developed could lead the way towards safer operations and must become mandatory as soon as research indicates the proper ways of its application into the different industries.