Proceedings of the 16th ESReDA Seminar, organised by Det Norske Veritas, Grand Hotel, Karl Johansgate 31, Oslo, May 20-21, 1999

Safety and Reliability In Transport

Edited by Espen Funnemark and Giacomo Cojazzi

JOINT RESEARCH CENTRE


EUROPEAN COMMISSION

2000

EUR 19518 EN


LEGAL NOTICE Neither the European Commission nor any person acting on behalf of the Commission is responsible for the use which might be made of the following information.

Luxembourg: Office for Official Publications of the European Communities, 2000
ISBN 92-828-9143-7
European Communities, ESReDA, 2000
Printed in Italy


Edited by
Espen Funnemark, DET NORSKE VERITAS, OSLO, NORWAY
Giacomo Cojazzi, JOINT RESEARCH CENTRE, INSTITUTE FOR SYSTEMS, INFORMATICS AND SAFETY, ISPRA (VA), ITALY


European Safety, Reliability & Data Association (ESReDA)


ESReDA is a European Association established to promote research, application and training in Reliability, Availability, Maintainability and Safety (RAMS). ESReDA was formed from the combined forces of EuReDatA (European Reliability Data Bank Association) and ESRRDA (European Safety and Reliability Research and Development Association), two organisations active in the period 1978-1991. Present members of ESReDA are 48 organisations from 15 countries.

Among the Association activities are its Seminars. They are held every six months in conjunction with the ESReDA General Assembly meetings.

For more information on ESReDA, contact:
ESReDA General Secretary, Pekka Pyy, VTT AUTOMATION
Mail address: P.O. Box 1301, 02044 VTT
Street address: Otakaari 7 B, 02150 Espoo, FINLAND
Tel. 358-0-4566441, Fax. 358-0-4566475, GSM 358-40-5015248
Email: Pekka.Pyy@vtt.fi

Foreword
The 16th ESReDA Seminar was dedicated to the current and important topic of "Safety and Reliability in Transport", which represents one of the areas of interest to the European Safety, Reliability and Data Association (ESReDA). A previous ESReDA Seminar held in 1992 was also dedicated to the subject of Safety in Transport Systems. The 16th ESReDA seminar was organized by Det Norske Veritas AS (DNV) and took place at the Grand Hotel, Karl Johansgate 31, in Oslo, May 20-21, 1999.

The 16th ESReDA seminar on Safety and Reliability in Transport was a successful event, which attracted more than 50 participants from industry, research centers, academia and regulatory authorities. Operators of transport systems were also present.

Eighteen high level technical contributions tackled different aspects related to the safety and reliability of transport systems, addressing reliability and safety of transport by road, rail, ship and air. Papers addressed topics such as: safety investigations and databases, vulnerability, simulation and modeling, RCM and human factors. Special topics were also discussed, such as the transport of dangerous goods and the specific implications posed by the use of tunnels. Other important topics addressed were effectiveness of safety measures, certification and the discussion of specific project results.

The editorial work for this volume and its reproduction and distribution was partially supported by the Harmonisation of Safety aspects, Study of Severe Accidents project of the Institute for Systems, Informatics and Safety of the Joint Research Centre of the European Commission.

Espen Funnemark, DNV, Høvik, Norway
Giacomo Cojazzi, JRC, Ispra (Va), Italy

Availability of previous ESReDA seminar proceedings


Proceedings of the 1st ESReDA seminar on the use of expert systems in safety assessment and management, J. Flamm and A. Poucet Eds, S.P.I. 91.31, Joint Research Centre.

Proceedings of the 2nd ESReDA seminar on safety of systems relying on computers, J. Flamm Ed., S.P.I. 92.20, Joint Research Centre, Ispra, Italy.

Proceedings of the 3rd ESReDA seminar on equipment ageing and maintenance, J. Flamm Ed., S.P.I. 93.13, Joint Research Centre.

Proceedings of the 4th ESReDA seminar on safety in transport systems, J. Flamm Ed., S.P.I. 93.25, Joint Research Centre, Ispra, Italy.

Proceedings of the 6th ESReDA seminar on maintenance and system effectiveness, J. Flamm Ed., S.P.I. 94.29, Joint Research Centre, Ispra, Italy.

Proceedings of the 7th ESReDA seminar on accident analysis, J. Flamm Ed., S.P.I. 94.66, Joint Research Centre, Ispra, Italy.

Proceedings of the 8th ESReDA seminar on reliability data analysis and use, J. Flamm Ed., S.P.I. 95.31, Joint Research Centre, Ispra, Italy.

Learning from accident investigations and emergency responses, Proceedings of the 9th ESReDA Seminar, J. F. Pineau and S. P. Arsenis Eds, S.P.I. 96.58, Joint Research Centre, Ispra, Italy.

Rotating machinery performance, Proceedings of the 10th ESReDA Seminar, H. Procaccia and S. P. Arsenis Eds, S.P.I. 97.36, Joint Research Centre, Ispra, Italy.

Communicating safety, Proceedings of the Joint SRD Association Annual Conference and the 11th ESReDA Seminar, S. P. Arsenis Ed., S.P.I. 97.91, Joint Research Centre, Ispra, Italy.

Decision analysis and its applications in safety and reliability, Proceedings of the 12th ESReDA Seminar, P. Pyy and S. P. Arsenis Eds, S.P.I. 98.14, VTT Automation, Espoo (FIN).

Industrial application of structural reliability theory, Proceedings of the 13th ESReDA Seminar, P. Thoft-Christensen Ed., ISBN: 92-828-3069-1, Joint Research Centre, Ispra, Italy.

Quality of reliability data, Proceedings of the 14th ESReDA Seminar, L. Petterson, S. P. Arsenis Eds, Stockholm (Sweden), ISBN: 92-828-3070-5, Joint Research Centre, Ispra, Italy.

Safety and reliability in transport, Proceedings of the 16th ESReDA Seminar, E. Funnemark, G. Cojazzi, Eds, Oslo (Norway), Joint Research Centre, Ispra, Italy.

ESReDA proceedings are available from: Giacomo Cojazzi, ISIS/JRC, T.P. 723, 21020 Ispra (VA), Italy Tel. +39-0332-785085 Fax.+39-0332-785815 Email: giacomo.cojazzi@jrc.it

Seminar schedule
Thursday, May 20, 1999

8.30: Registration
8.55: Opening of seminar

9.00-12.30 SESSION 1. Safety and reliability in transport by road
Chaired by Mr. Terje Andersen, (N)

Cost-benefit analysis of road safety measures: applicability and controversies. R. Elvik; Institute of Transport Economics (Oslo, NORWAY).

The Dutch project VeVoWeg on the safety of freight traffic by road. B.A. van den Horn, M.M. Kruiskamp and D. de Weger; Ministry of Transport, Public Works and Water management (Utrecht, THE NETHERLANDS).

Proactive use of safety investigations. S.R. Larsen; Norwegian State Railways (Oslo, NORWAY).

Database analyses and transport corridors. N. Rosmuller; Delft Univ. of Technology (Delft, THE NETHERLANDS). P.C. van Beek; TNO Environment, Energy and Process Innovation (Apeldoorn, THE NETHERLANDS).

Vulnerability in the road transportation system. K. Berdica; Royal Institute of Technology (Stockholm, SWEDEN).

Transport of dangerous goods through road tunnels: an integrated QRA model developed under the joint OECD/PIARC project ERS2. D. Lacroix; CETU (Bron, FRANCE). P. Cassini; INERIS (Paris, FRANCE). R. Hall; WS Atkins, (Surrey, UK). F. Saccomanno; University of Waterloo (CANADA).

14.30-18.00 SESSION 2. Safety and reliability in transport by road and ship
Chaired by Mr. Ben van den Horn, (NL)

An update of the risks from the transport of dangerous goods in Great Britain. T.N.K. Riley and R. Rowlands; Health and Safety Executive (Bootle, UK). S.A. Gadd; Health and Safety Laboratory (Sheffield, UK).

Suitable criteria for managing land transport of hazardous materials. R. Bubbico; C.N.R. (Rome, ITALY). S. Di Cave and B. Mazzarotta; Univ. of Rome (Rome, ITALY).

Simulation of port traffic regularity, possible future traffic scenarios. S. Eisinger and I.A. Stermo; Det Norske Veritas (Høvik, NORWAY).

Effectiveness of safety measures in maritime operations. S. Kristiansen and T. Soma; Norwegian Univ. of Science and Technology (Trondheim, NORWAY).

Modelling of communication process on ships. H. Moen and S.I. Masdal; Norwegian Marine Technology Research Institute (Trondheim, NORWAY).

Integration of FTA and RCM - a case from shipping. R. Bye and S.I. Masdal; Norwegian Marine Technology Research Institute (Trondheim, NORWAY).

Friday, May 21, 1999

9.00-12.30 SESSION 3. Safety and reliability in transport by rail and air
Chaired by Mr. Sverre Quale, (N)

Development of the railtrack safety & standards directorate's safety risk model. A. Symons; Railtrack PLC (London, UK). CR. Dennis; WS Atkins PLC (UK).

Overview of effective benefits of a speed control system. F. Keravel and A. Montadert; Réseau Ferré de France (Paris, FRANCE).

Safety effects of automatic traffic control and lineblock. Johan Bäckman; Royal Institute of Technology (Stockholm, SWEDEN).

Cross-border railway operations: a human factors analysis. M. Anderson; Human Reliability Associates (UK).

Human reliability and railway safety. T. Andersen; Det Norske Veritas (Høvik, NORWAY).

The reliability/safety analyses of transport airplane systems in process of their certification. R. Holub and Z. Vintr; Military Academy (Brno, CZECH REPUBLIC).

Table of contents
Foreword

Availability of previous ESReDA seminar proceedings

Seminar schedule

Safety and reliability in transport by road

Cost-benefit analysis of road safety measures: applicability and controversies. R. Elvik; Institute of Transport Economics (Oslo, NORWAY).

The Dutch project VeVoWeg on the safety of freight traffic by road. B.A. van den Horn, M.M. Kruiskamp and D. de Weger; Ministry of Transport, Public Works and Water management (Utrecht, THE NETHERLANDS).

Proactive use of safety investigations. S.R. Larsen; Norwegian State Railways (Oslo, NORWAY).

Database analyses and transport corridors. N. Rosmuller; Delft Univ. of Technology (Delft, THE NETHERLANDS). P.C. van Beek; TNO Environment, Energy and Process Innovation (Apeldoorn, THE NETHERLANDS).

Vulnerability in the road transportation system. K. Berdica; Royal Institute of Technology (Stockholm, SWEDEN).

Transport of dangerous goods through road tunnels: an integrated QRA model developed under the joint OECD/PIARC project ERS2. D. Lacroix; CETU (Bron, FRANCE). P. Cassini; INERIS (Paris, FRANCE). R. Hall; WS Atkins, (Surrey, UK). F. Saccomanno; University of Waterloo (CANADA).

Safety and reliability in transport by road and ship

An update of the risks from the transport of dangerous goods in Great Britain. T.N.K. Riley and R. Rowlands; Health and Safety Executive (Bootle, UK). S.A. Gadd; Health and Safety Laboratory (Sheffield, UK).

Suitable criteria for managing land transport of hazardous materials. R. Bubbico; C.N.R. (Rome, ITALY). S. Di Cave and B. Mazzarotta; Univ. of Rome (Rome, ITALY).

Simulation of port traffic regularity, possible future traffic scenarios. S. Eisinger and I.A. Stenno; Det Norske Veritas (Høvik, NORWAY).

Effectiveness of safety measures in maritime operations. S. Kristiansen and T. Soma; Norwegian Univ. of Science and Technology (Trondheim, NORWAY).

Modelling of communication process on ships. H. Moen and S.I. Masdal; Norwegian Marine Technology Research Institute (Trondheim, NORWAY).

Integration of FTA and RCM - a case from shipping. R. Bye and S.I. Masdal; Norwegian Marine Technology Research Institute (Trondheim, NORWAY).

Safety and reliability in transport by rail and air

Development of the railtrack safety & standards directorate's safety risk model. A. Symons; Railtrack PLC (London, UK). CR. Dennis; WS Atkins PLC (UK).

Overview of effective benefits of a speed control system. F. Keravel and A. Montadert; Réseau Ferré de France (Paris, FRANCE).

Safety effects of automatic traffic control and lineblock. Johan Bäckman; Royal Institute of Technology (Stockholm, SWEDEN).

Cross-border railway operations: a human factors analysis. M. Anderson; Human Reliability Associates (UK).

Human reliability and railway safety. T. Andersen; Det Norske Veritas (Høvik, NORWAY).

The reliability/safety analyses of transport airplane systems in process of their certification. R. Holub and Z. Vintr; Military Academy (Brno, CZECH REPUBLIC).

Appendix - list of participants in the ESReDA 16th seminar


Cost-benefit analysis of road safety measures: applicability and controversies


Rune Elvik Institute of Transport Economics, PO Box 6110 Etterstad, 0602, Oslo, Norway

Abstract

This paper discusses the applicability of cost-benefit analysis as an aid to policy making for road safety measures. A framework for assessing the applicability of cost-benefit analysis is developed. Five main types of criticism of cost-benefit analysis are identified:

1. Rejecting the basic principles of cost-benefit analysis,
2. Excluding some types of issues from the scope of calculation of costs and benefits,
3. Setting policy objectives that are not amenable to cost-benefit analysis,
4. Rejecting the need for maintaining a separation between policy objectives and policy programmes as required for cost-benefit analysis, and
5. Rejecting, or denying the possibility of ever obtaining, acceptably valid and reliable economic valuations of the consequences of alternative policy programmes.

It is concluded that rejecting the basic principles of cost-benefit analysis is a difficult position to defend, since these principles are simply a re-statement in economic terms of very general principles of rational choice. These principles are part of the normative basis of all formal techniques designed to aid policy making as well as the democratic system of government. Everybody, including those who advocate the use of cost-benefit analysis, agrees that some issues are unsuitable for cost-benefit analysis, in particular those that involve basic human rights and fairness in distribution. There may, however, be disagreement with respect to the perception of a specific policy issue in terms of whether it is mainly about rights and fairness or mainly about the effective use of policy instruments to solve a social problem. Politicians may be tempted to set policy objectives that are ill suited for cost-benefit analysis, but this does not imply that cost-benefit analysis makes unreasonable assumptions. Perhaps the most important issue for the applicability of cost-benefit analysis is whether people in general have sufficiently well ordered preferences for economic valuations based on these preferences to make sense.

Key words: Cost-benefit analysis, road safety, assessment of applicability.


1. Introduction

Cost-benefit analysis has been applied for many years to set priorities for road safety measures. Its application goes at least twenty years back (Trilling, 1978), but has remained controversial (Hauer, 1994). Joksch (1975), in an early appraisal of the applicability of cost-benefit analysis to road safety measures, concluded that there were so many problems in estimating both costs and benefits that one should not rely on cost-benefit analysis to decide whether a road safety measure ought to be introduced. His objections did not, however, question the basic principles of cost-benefit analysis. Critics like Hauer and Haukeland (Hauer, 1991, 1994; Haukeland, 1994) have been more fundamental and reject the basic principles of cost-benefit analysis as stated in applied welfare economics. They state that the very idea of putting a monetary value on human life does not make sense and is ethically unacceptable.

The implications for the applicability of cost-benefit analysis of various types of criticism against its use depend on the nature of the arguments made. If one rejects the basic principles of cost-benefit analysis, then the technique cannot be applied at all. If, on the other hand, one thinks that the economic valuation of a certain non-marketed good is too uncertain, then more research is called for to obtain a more precise valuation. This paper attempts to clarify the implications for the applicability of cost-benefit analysis of various types of criticism made against it. By doing so, the paper also tries to clarify the assumptions that must be made for the use of cost-benefit analysis to make sense. The context for the discussion is the application of cost-benefit analysis to road safety measures. The main questions discussed in the paper are:

1. How can the applicability of cost-benefit analysis to a specific topic be determined?
2. What are the implications of various types of criticism against the use of cost-benefit analysis for its applicability?

The outline of the paper is as follows. Following a brief presentation of how most textbooks introduce cost-benefit analysis, a framework for discussing its applicability is proposed. This framework forms the basis for a discussion of the implications of various types of criticism levelled against cost-benefit analysis. The discussion is concluded with an assessment of how adequate current cost-benefit analyses of road safety measures in Norway are as a basis for deciding on their use. Some alternatives to cost-benefit analysis are briefly discussed. It is concluded that every formal technique for analysing policy options relies, more or less, on the same basic assumptions. Hence, the objections made against cost-benefit analysis apply with almost equal force to any formal technique used as an aid for policy making.

2. Cost-benefit analysis as presented in textbooks

Most textbooks in cost-benefit analysis and applied economic welfare theory (Boadway & Bruce, 1984; Dasgupta & Pearce, 1972; Gramlich, 1990; Hanley & Spash, 1993; Johansson, 1991; Layard & Glaister, 1994; Mishan, 1988; Sassone & Schaffer, 1978; Sugden & Williams, 1978; Williams & Giardina, 1993) contain examples of such analyses, intended to show their basic logic. In general, the problems used to illustrate cost-benefit analysis in textbooks share the following characteristics:

1. They involve public expenditures, often investments. Projects are sometimes financed by direct user payment, but more often by general taxation.
2. There are multiple policy objectives, often partly conflicting and requiring tradeoffs to be made. It is assumed that policy makers want solutions that realise all policy objectives to the maximum extent possible.
3. One or several of the policy objectives concern the provision of a non-marketed public good, like less crime, a cleaner environment or safer roads.
4. It is assumed that an efficient use of public funds is desirable, since these funds are scarce and alternative uses of them numerous.

These, then, are the main characteristics of problems that economists regard as well suited for cost-benefit analysis.

Applied welfare economics supplies the basic principles of cost-benefit analysis. There are three main principles: consumer sovereignty, welfare maximisation and neutrality with respect to distributive outcomes.

The principle of consumer sovereignty, briefly stated, means that welfare is defined in terms of how consumers choose to spend their income between commodity bundles. The right of consumers to choose how to spend their income is respected. The strength of consumer preferences for the provision of public goods is measured by the amount of money that consumers are willing to pay for these goods.

The objective of cost-benefit analysis is welfare maximisation. To determine whether a project increases welfare or not, cost-benefit analysis relies on the Pareto-criterion. This criterion states that welfare is increased when those who benefit from a project can compensate those who lose from it and still retain a net benefit. A project that satisfies this criterion yields a potential Pareto-improvement. In practice, a project is regarded as satisfying this criterion when benefits are greater than costs. There is, however, no requirement that actual compensation of those who lose takes place.

Cost-benefit analysis is neutral with respect to distributive outcomes. What counts is the aggregate size of benefits and costs, not how these impacts are distributed between various groups of the population.

3. A framework for assessing the applicability of cost-benefit analysis

In order to sort out various objections to cost-benefit analysis with regard to their implications for the use of this technique, a framework for assessing the applicability of cost-benefit analysis has been developed. This framework is displayed graphically on Figure 1. The framework identifies five stages in assessing the applicability of cost-benefit analysis to a certain problem.


These stages are:

1. Assess the basic principles of cost-benefit analysis.
2. Determine the type of issue to be decided.
3. Evaluate the suitability of policy objectives for cost-benefit analysis.
4. Determine if suitable policy programmes can be developed.
5. Evaluate the consequences of policy programmes, especially with respect to the possibility of monetary valuation.

Table 1 elaborates each of these stages and lists some of the most common objections to cost-benefit analysis. These objections are discussed in more detail below. Table 1 is intended only to give an overview. In practice, the distinction between the various stages in Figure 1 is likely to be blurred. Some objections to the use of cost-benefit analysis can be placed at more than one stage of the model shown in Figure 1. It is hoped, however, that the model can at least sort out the major types of objections that are made against the use of cost-benefit analysis.

Stage 1: Assess basic principles of cost-benefit analysis

According to the framework of Figure 1, assessing the applicability of cost-benefit analysis proceeds through five stages. The first stage is to assess the basic principles of cost-benefit analysis. Those who reject these principles rule out the use of cost-benefit analysis altogether. A commonly made argument for rejecting the principle of consumer sovereignty as far as road safety is concerned is that road users are poorly informed about accident risks and have no idea of what it is like to be severely injured. Hence, it is argued, road users are not in a position to form well-informed preferences with respect to the need for improving road safety. Hauer (1994, 112) argues that trying to put a monetary value on human life is impossible, because it is "impossible to have preferences for an option involving the death of the deciding organism and it is meaningless to speak about them".

This point of view could have troublesome implications. Very many activities and choices that people are allowed to make influence their survival prospects. This is true of choice of occupation, where to live, how much and by what means to travel, and lifestyle habits with respect to, for example, eating, exercising, sexual activities, smoking, and alcohol consumption. All these choices can reasonably be modelled as lotteries involving death as one of their possible outcomes. It does not make sense to claim that people cannot intelligently make these choices, because there is a certain probability that death will be the outcome. There is always a certain probability that death may occur - in every human activity. There is nothing special about road traffic in this respect.

Another common objection to using cost-benefit analysis to assess road safety measures is that the major policy objective ought to be to reduce the differences in accident risk between different groups of road users. It is true that the measures that pass a benefit-cost test will not necessarily be those that chiefly benefit the groups that have the highest risk level, and thus reduce the differences between groups of road users in this respect. Objections to cost-benefit analysis referring to how benefits and costs are distributed are based on the perception of the nature of the policy issue to be decided. Cost-benefit analysis is not equally well suited for all types of policy issues.

Stage 2: Determine type of issue to be decided

The second stage in an assessment of the applicability of cost-benefit analysis is, therefore, to determine the nature of the policy issue to be decided. A typology of four main types of policy issues has been developed in Table 2, which gives some examples of issues belonging to each category. The types of issues identified by the typology are "ideal types" in the sense of Max Weber (1971). In practice, most policy issues will be a mixture of two or more of the "pure types" listed in Table 2.

Proponents of cost-benefit analysis recognise the fact that it is not appropriate to use the technique as an aid to help decide every type of issue. Some issues concern universal human rights, whose existence is not subject to a calculation of costs and benefits. Arrow (1997) refers to these goods as invaluable goods. They include, at least in the highly industrialised countries of the OECD-area, the right to vote, freedom of speech, freedom of movement, and the protection of personal integrity (protection from violent assault and selling of the body). Issues that concern the existence, exercise or protection of these rights are labelled "constitutional issues" in Table 2, and are widely agreed to lie outside the scope of economic reasoning.

Issues that mainly concern justice and fairness are also widely agreed to lie outside the scope of cost-benefit analysis. It is important to note that the perception of a public policy issue is, at least to some extent, subjective and varies between people.
Whereas some people regard the provision of road safety mainly as a technical and economic issue, others regard it as a matter of bringing justice to those who are disproportionately at risk in the present road system. The former group may accept the use of cost-benefit analysis of road safety measures whereas the latter group is likely to reject it.

The third type of issue listed in Table 2 is macro-economic issues. To the extent that these issues are dealt with by means of formal analyses, those analyses are in most cases likely to be some form of general equilibrium model for the economy as a whole. Macro-economic issues are widely agreed not to be particularly suitable to cost-benefit analysis.

The fourth category of issues in Table 2, issues that concern specific social problems, are probably those that are best suited for cost-benefit analysis. Cost-benefit analysis is typically applied to problems that are not adequately solved by means of the market mechanism. This includes programmes designed to reduce crime, provide better health care, reduce environmental problems or reduce accidents.

Stage 3: Evaluate the suitability of policy objectives for cost-benefit analysis

In order to allow for a cost-benefit analysis of policy options, policy objectives have to satisfy certain formal requirements. The first requirement is that policy objectives must be sufficiently clearly stated to make it possible to value their attainment in monetary terms. This does not necessarily require policy objectives to be quantified. On the contrary, quantified policy objectives may, depending on how they are formulated, be inconsistent with the principles of cost-benefit analysis. A policy objective must, however, be so clearly stated that economists can design a study intended to assign monetary values to various levels of goal attainment.

A second requirement is that multiple policy objectives are all stated in terms that allow tradeoffs between them to be made. This means that a policy objective which is lexicographically prior to all other objectives is ruled out. An example of target formulation fitting this description is Vision Zero for road accident fatalities. It states that there should not be any deaths or injuries resulting in permanent impairment in road traffic and explicitly rules out any trade off of this objective against other policy objectives (Vägverket, 1997).

Finally, a third requirement, not formally stated in most textbooks, but recognised as important in practice by Eriksen, Killi and Minken (1994), is that policy objectives should not be highly controversial. Political controversies cannot be resolved by resorting to calculations of how much various policy objectives are "worth" in monetary terms. If people disagree about the political objectives worth pursuing, this disagreement must be resolved either by majority vote or by negotiations that bring the different opinions closer together.

Policy objectives are not always as clearly stated as analysts would like in order to do a meaningful cost-benefit analysis. In fact, it is sometimes rational for politicians to prefer vague policy objectives. This is easily shown by means of a model making fairly innocuous assumptions about the preferences of politicians. An example of such a model is shown in Figure 2, taken from Elvik (1993).

Figure 2 is a decision tree, showing the options facing politicians with respect to the formulation of road safety targets. The squares denote decision nodes, that is, points at which a decision is made between the options that form the branches emerging from the squares. The circles denote chance nodes, that is, points at which the outcome of a decision is determined partly by chance, meaning that politicians do not have full control of the outcome.

Politicians are faced with the choice of either setting a clear, perhaps quantified, road safety target, or not doing so. If a clear target is set, there is a choice between popular and unpopular measures to realise it. The measures taken, irrespective of whether they are popular or not, will either realise the target or they will not. These outcomes are indicated by the boxes to the far right of Figure 2. Inside each box, the payoff to politicians of that outcome is shown. The numbers denoting payoffs are meant as an indicator of ordinal preference only.

If a clear policy target is not set, it is assumed that the actions taken by politicians will depend on how the number of accidents develops. If accidents increase, politicians can take either popular or unpopular action to curb the increase. If accidents go down, the same options are available, but the need for exercising them will perhaps not be felt as equally pressing. Figure 2 shows that as long as accidents tend to decline, politicians are likely to prefer not setting a clear policy target. It is only when accidents increase that the option of setting a clear target becomes more attractive.


Although this conclusion is bound to follow from the assumptions made in the model, it is still of some interest, as these assumptions are not unreasonable.

Stage 4: Determine if a suitable policy programme can be developed

The theory of cost-benefit analysis tells decision-makers to choose those policy programmes that give the greatest benefits in relation to costs. It does not, however, tell decision-makers how best to develop alternative policy programmes to choose from. The policy options are simply taken as given; very little is said about how to obtain them. Can anything at all be said about this, or is it outside the scope of science to advise policy makers with respect to how best to develop alternative policy options? Before briefly discussing this question, some criteria are needed to determine what a suitable policy programme is. The following criteria are proposed:

1. A suitable policy programme should be effective, which means that it ought to help in solving the problem it is designed to solve. Purely symbolic programmes, designed merely to give an impression that something is being done to solve a problem, are not suitable.
2. A suitable programme should be cost-effective, which means that benefits should be greater than costs. If benefits are smaller than costs, the programme cannot be justified within the framework of a cost-benefit analysis.
3. A suitable programme should be ethically acceptable, which means that it should not employ policy instruments that violate widely supported ethical principles.

These criteria impose a set of restrictions on the process of developing suitable policy programmes. As far as road safety policy is concerned, the search for a suitable policy programme should start by conducting a broad survey of potentially effective road safety measures (Elvik, 1997, 1999; Elvik et al., 1997). To make sure that the measures that are really the most cost-effective are included in the policy programme, it is important to remain "actively open minded" (Baron, 1994) when screening potentially effective measures for inclusion in a programme.

Cost-benefit analysis rests on an assumption that it is possible to separate means from ends, at least in the sense that a recursive (unidirectional) relationship prevails between ends and means. What this means can perhaps be clarified by means of an example. Suppose that an acceptably reliable estimate of the willingness-to-pay of the population for safer roads is available. A road safety programme is developed and a cost-benefit analysis performed. Suppose it turns out that cost-effective road safety measures (measures for which benefits are greater than costs) can reduce the number of road accident fatalities by 25%. Assume further that a quantified target has been set of reducing the number of road accident fatalities by 50%. It is then against the rules of cost-benefit analysis to tamper with the willingness-to-pay estimate in order to make a programme reducing the number of fatalities by 50% cost-effective. A more appropriate conclusion, consistent with the principles of cost-benefit analysis, would be to give up the target of a 50% reduction in fatalities, because the population is not willing to pay what it costs to reduce fatalities by 50%. This example illustrates both


what the principle of consumer sovereignty implies and how a quantified policy target can be inconsistent with the application of cost-benefit analysis.

Stage 5: Evaluate the consequences of policy programmes

Cost-benefit analysis rests on the assumption that all economically relevant impacts of a project are valued in monetary terms according to the principles of welfare economics (Hanley & Spash, 1993). An economically relevant impact is one that affects the utility of an individual. Roughly speaking, this means that all impacts that are subject to individual preferences are relevant. It is of course difficult to know when all economically relevant impacts have been included in a cost-benefit analysis.

An area in which cost-benefit analysis has been applied for a long time is road investment planning (Elvik, 1995). The use of cost-benefit analysis for road investment planning goes back to the nineteen sixties. The cost-benefit analyses of road investment projects that were made in the nineteen sixties were pioneering work. Nevertheless, when these analyses are examined today, they appear rudimentary. The items that were included were, most often, the costs of travel time, vehicle operating costs, road accident costs and road investment costs. No environmental costs were included. Road accident costs were usually estimated by means of the lost output method, and did not include any economic valuation of lost quality of life.

In recent years, the list of effects that are included in a cost-benefit analysis has grown as more and more items are valued in monetary terms. To give an example of the types of effects that are included in cost-benefit analyses of road investment projects, Table 3 lists the items that are currently included in such analyses in Norway (Statens vegvesen, 1995; Elvik, 1998). It is seen that, although a large number of possible impacts of road investment projects have been valued in monetary terms, there is still a substantial number of impacts that are not included in cost-benefit analyses. Inclusion of these impacts could make a major difference for the results of a cost-benefit analysis.

4. Discussion

The framework proposed for assessing the applicability of cost-benefit analysis works like a sieve. A project has to pass through all stages of the framework in order to apply cost-benefit analysis. Briefly stated, this means that:

1. Consumer sovereignty is respected and welfare maximisation is taken as the basic criterion of rationality.
2. The policy issue is regarded as one that mainly concerns the provision of non-marketed public goods, and not as an issue that concerns basic human rights, justice or fairness in distribution or macro-economic policy.
3. Policy objectives are stated in sufficiently clear terms to allow the willingness-to-pay for their realisation to be determined. There are no policy objectives that are lexicographically prior to all other objectives.


4. Effective policy programmes can be developed. A recursive relationship between policy objectives and programmes is respected.
5. All economically relevant impacts of policy programmes are valued in monetary terms in a way that is consistent with the basic principles of applied welfare economics.

Taken together, these conditions seem to be rather strict and may seem to preclude the application of cost-benefit analysis in all but a very few areas. Such a conclusion is, however, premature and misleading. There are three points that need to be discussed in this connection.

In the first place, policy decisions have to be made, and some basis for making them has to be provided. The relevant issue is, therefore, how to provide the best basis for making policy decisions. Cost-benefit analysis is just one of several formal techniques that have been developed in order to provide a better basis for policy decisions. Other techniques include cost-effectiveness analysis, decision analysis based on multi-attribute utility theory, and various techniques derived from planning theory, like the goal achievement matrix and the planning balance sheet. All these techniques share the following basic characteristics with cost-benefit analysis:

1. The techniques take the preferences of the general population or their elected representatives as the basis for defining policy objectives or utility.
2. The techniques recognise the fact that preferences can be multi-dimensional and that tradeoffs between competing values often need to be made.
3. The purpose of the analysis is to find the "best" policy alternative, where best is taken to be what maximises overall utility or goal attainment.

Hence, all formal techniques developed to support policy making share a commitment to individual freedom of choice (consumer sovereignty) and rationality (welfare maximisation). What sets the different techniques apart is simply how these basic principles are interpreted in detail and applied in a specific context.

Thus, the second point to be made in this discussion is that all formal techniques designed to support policy making encounter essentially the same problems when they are applied in a real context. The valuation of non-marketed goods is often regarded as a difficulty that can be avoided by not using cost-benefit analysis. The point of monetary valuation in cost-benefit analysis is, however, simply to make all effects comparable and to measure the strengths of individual preferences for the provision of the goods that are valued. But this has to be done no matter what formal technique is used, if a basis is to be provided for a rational choice. Proponents of decision analysis, for example, argue that one of its virtues is that it does not require a monetary evaluation of all relevant consequences of a decision. It does, however, require an evaluation of preferences for various outcomes in utility terms, which is not necessarily an easier task than a monetary evaluation. On top of this, if at least one of the relevant consequences of a decision is denominated in monetary terms, it is possible to "price out" all the others by solving a set of equations for the implicit economic valuations of these consequences (Keeney & Raiffa, 1976, 125). The real issue, as far as the use of any formal technique for policy making is concerned, is whether sufficiently well ordered and precise preferences exist for the use of these techniques to make sense. Recent reports (Fischhoff, 1991; Dubourg et al., 1997) express considerable scepticism in this respect.


The third and final point worth stressing in this discussion is that objectively correct conclusions from using the framework for assessing the applicability of cost-benefit analysis do not exist. As noted above, some people may see road safety mainly as an issue of justice and fairness, others mainly as an issue of how best to minimise the total number of injuries. Neither opinion is more correct than the other, but their implications for the applicability of cost-benefit analysis are different. By the same token, some people may regard estimates of the willingness-to-pay for a non-marketed good as sufficiently valid and reliable for use in a cost-benefit analysis, while others reject this research. Both parties in such a debate may be able to marshal good arguments to support their opinion.

5. Conclusions

This paper has proposed a framework for assessing the applicability of cost-benefit analysis to road safety measures. The framework is intended as a heuristic device for discussing the implications of various types of criticism often made against the use of cost-benefit analysis. The main implications of various types of criticism against cost-benefit analysis can be summarised as follows:

1. Those who reject the basic principles of cost-benefit analysis rule out its use altogether. Rejecting these principles is, however, a difficult position to defend, since all other formal techniques for analysing policy options, as well as the democratic system of government, rely on the same basic principles (individual freedom of choice and norms of rationality). The real issue is whether preferences are sufficiently well ordered to allow a rational choice to be made.
2. Some issues are less well suited for cost-benefit analysis than others. If road safety is treated as an issue involving basic rights and fairness in distribution, it is less suited for cost-benefit analysis than if it is treated as a technical issue about how to use the most cost-effective measures to reduce the number of accidents and injuries.
3. Policy objectives need to be clearly stated to support a cost-benefit analysis. However, they do not necessarily have to be quantified. A problem with respect to policy objectives is that it can sometimes be rational for politicians to adopt vague or non-committal policy objectives. Lexicographic policy objectives are unsuited for cost-benefit analysis.
4. Policy programmes should be effective; the use of purely symbolic measures that are ineffective is not sanctioned by cost-benefit analysis. Moreover, policy programmes must be treated as instruments only, and not as ends by themselves.
5. All economically relevant impacts of a policy must be valued in monetary terms. Unless they are, a cost-benefit analysis can give misleading results. While this requirement may seem very restrictive, it is in fact only a statement of a necessary condition of rational choice, namely that all relevant consequences of a choice need to be made comparable in terms of a common scale of desirability. All formal techniques designed to support policy making try to reduce multi-dimensional or incommensurable consequences to a common denominator in this sense.


Figure 1. A multistage model to determine the applicability of cost-benefit analysis to a specific policy programme.

Stage 1: Assess basic principles of cost-benefit analysis. Outcome needed to proceed: Accepted. Implication of not finding cost-benefit analysis applicable: The use of cost-benefit analysis is rejected altogether.

Stage 2: Determine type of issue to be decided. Outcome needed to proceed: Suitable for cost-benefit analysis. Implication of not finding cost-benefit analysis applicable: Issue at hand must be decided on another basis than a comparison of costs and benefits.

Stage 3: Evaluate policy objectives with respect to suitability for cost-benefit analysis. Outcome needed to proceed: Suitable. Implication of not finding cost-benefit analysis applicable: Policy objectives must be reformulated or decided on by negotiation.

Stage 4: Determine if suitable policy programmes can be developed on the basis of policy objectives. Outcome needed to proceed: Programmes available. Implication of not finding cost-benefit analysis applicable: Economically, ethically or politically acceptable policy programmes cannot be developed; objectives must be rejected.

Stage 5: Evaluate how well known and comparable consequences of policy programme are. Outcome needed: All consequences known and valued monetarily. Implication of not finding cost-benefit analysis applicable: If some consequences are unknown or cannot be valued in monetary terms, it cannot be determined if benefits are greater than costs.
Table 1: Basic assumptions of cost-benefit analysis and common objections to these assumptions.

| Criterion of applicability | Basic tenets of cost-benefit analysis | Common objections to the basic tenets |
| Basic principles of cost-benefit analysis | 1: Consumer sovereignty; 2: Welfare maximisation; 3: Irrelevance of distributive outcomes | O1: Consumers do not know their own best; O2: Compensation of losers is rare in practice; O3: There are many invaluable goods |
| Types of issues | 1: Efficient use of scarce resources desirable; 2: Fairness of distribution not an issue; 3: Basic rights not an issue | O1: Fair distribution can be an overriding policy objective; O2: Protecting basic rights is not subject to a calculation of costs and benefits |
| Nature of policy objectives | 1: Explicitly stated, but may be partly conflicting; 2: Amenable to tradeoffs (not lexicographic); 3: Policy objectives are not politically controversial | O1: In some cases, vagueness in policy objectives is rational for politicians; O2: Some policy objectives are absolute constraints; O3: Political controversies cannot be solved by making calculations |
| Nature of policy programmes | 1: Recursive in relation to policy objectives; 2: Effective in solving problem at hand; 3: Economically efficient (benefits exceed costs) | O1: Sometimes maintaining a strict separation of means and ends is difficult; O2: Some policy programmes that are efficient may be unacceptable for other reasons |
| Consequences of policy programmes | 1: All are known; 2: All can be valued monetarily | O1: All consequences are never known; O2: Experimental policies are impossible; O3: Monetary valuations are incomplete or arbitrary |

Table 2: Typology of policy issues according to their suitability for cost-benefit analysis.

| Type of policy issue (ideal types) | Some examples of the type of issue | Suitability for cost-benefit analysis |
| Constitutional issues | Basic human rights, voting systems, constitutional amendments | Very poor |
| Issues of justice and fairness | Income distribution, rights to education or other scarce goods | Poor |
| Macro-economic issues | Design of tax system, fiscal policy, monetary policy, foreign trade | General equilibrium analysis |
| Solving social problems | Reducing crime, unemployment, accidents, poverty and so on | Sometimes well suited |

Figure 2. Decision tree for politicians' choice with respect to setting clear policy targets. Illustration for road safety policy targets.

[Decision tree. Choice of policy target: Target or No target. Target: Popular measures or Unpopular measures, each ending in Target realised or Target not realised. No target: Accidents increase or Accidents go down. Accidents increase: Popular measures or Unpopular measures, each ending in Trend turns or Trend continues. Accidents go down: Popular measures or Unpopular measures, each ending in Greater reduction or Smaller reduction. Each outcome box carries a payoff. Preference relations assumed, ceteris paribus: clear (quantified) targets are preferred to no clear targets; popular measures to unpopular measures; a reduction in accidents to an increase in accidents. Payoff for outcomes assumed, ceteris paribus, is built up from the type of target, the popularity of the measures and the development in accidents.]

Table 3: Items included in and omitted from current cost-benefit analyses of road investment projects in Norway.

| Main policy objective | Item | Subcategories | Unit of valuation (physical units etc.) | Value per unit (NOK 1995) |
| Improving mobility | Travel time | Pedestrian | Person/hour | Not included |
| | | Cyclist | Person/hour | Not included |
| | | Moped, motorcycle | Person/hour | Not included |
| | | Car occupant | Person/hour | 48 |
| | | Truck driver | Truck/hour | 272 |
| | | Bus driver | Bus/hour | 244 |
| | | Bus passenger | Person/hour | 35 |
| Reliability of transport | Delays, closed roads | | Not yet defined | Not included |
| Reducing transport cost | Vehicle operating cost | Passenger car | Km/travel | 0.86 |
| | | Single truck | Km/travel | 2.22 |
| | | Truck with trailer | Km/travel | 3.26 |
| | | Bus | Km/travel | 3.98 |
| Improving road safety | Road accidents, police reported injuries | Fatality | | 16,600,000 |
| | | Critical injury | | 11,370,000 |
| | | Serious injury | | 3,780,000 |
| | | Slight injury | | 500,000 |
| | | Mean for all severity levels | | 1,430,000 |
| | Insecurity | Road users | Not yet defined | Not included |
| | | Residents along roads | Not yet defined | Not included |
| Better environment | Traffic noise | Small cars | Km/travel | 0.055 |
| | | Heavy cars | Km/travel | 0.550 |
| | Air pollution | CO2 | Tonne of CO2 | 220 |
| | | NOx | Kg of NOx | 115 |
| | | SO2 | Kg of SO2 | 37 |
| | | VOC | Kg of VOC | 15 |
| | | PM10 | Kg of PM10 | 1,800 |
| | Landscape preservation | Unspoilt nature | Not yet defined | Not included |
| | | Aesthetic qualities | Not yet defined | Not included |
| | | Severance of habitats | Not yet defined | Not included |


References
Arrow, K.J., (1997). Invaluable goods. Journal of Economic Literature, XXXV, 1997, 757-765.
Baron, J., (1994). Thinking and deciding. Second edition. Cambridge University Press, Cambridge.
Boadway, R.W. & Bruce, N., (1984). Welfare economics. Blackwell, Oxford.
Dasgupta, A.K. & Pearce, D.W., (1972). Cost-benefit analysis: Theory and practice. Macmillan, London.
Dubourg, W.R., Jones-Lee, M.W. & Loomes, G., (1997). Imprecise preferences and survey design in contingent valuation. Economica, 64, 681-702.
Elvik, R., (1993). Hvor rasjonell er trafikksikkerhetspolitikken? TØI-rapport 175. Transportøkonomisk institutt, Oslo.
Elvik, R., (1995). Explaining the distribution of State funds for national road investments between counties in Norway: Engineering standards or vote trading? Public Choice, 85, 371-388.
Elvik, R., (1997). A framework for cost-benefit analysis of the Dutch road safety plan. Report 380. Institute of Transport Economics, Oslo.
Elvik, R., (1998). Opplegg for konsekvensanalyser av tiltak for gående og syklende. TØI-notat 1103. Transportøkonomisk institutt, Oslo.
Elvik, R., (1999). Improving road safety in Sweden. Report in preparation. Institute of Transport Economics, Oslo.
Elvik, R., Mysen, A.B. & Vaa, T., (1997). Trafikksikkerhetshåndbok. Tredje utgave. Transportøkonomisk institutt, Oslo.
Eriksen, K.S., Killi, M. & Minken, H. Samfunnsøkonomiske analyser. TØI-rapport 242. Transportøkonomisk institutt, Oslo.
Fischhoff, B., (1991). Value elicitation. Is there anything in there? American Psychologist, 46, 835-847.
Gramlich, E.M., (1990). A guide to benefit-cost analysis. Second edition. Prentice Hall, Englewood Cliffs, NJ.
Hanley, N. & Spash, C.L., (1993). Cost-benefit analysis and the environment. Edward Elgar, Aldershot.
Hauer, E., (1991). The behaviour of public bodies and the delivery of road safety. In: Koornstra, M.J. and Christensen, J. (Eds). Enforcement and Rewarding: Strategies and Effects. Proceedings of the International Road Safety Symposium in Copenhagen, Denmark, September 19-21, 1990, 134-138. Published by the SWOV Institute for Road Safety Research, Leidschendam.
Hauer, E., (1994). Can one estimate the value of life or is it better to be dead than stuck in traffic? Transportation Research, series A, 28, 109-118.
Haukeland, J.V., (1994). Om å sette pris på livet. Samferdsel, Mai 1994, 28-29.
Johansson, P.O., (1991). An introduction to modern welfare economics. Cambridge University Press, Cambridge.
Joksch, H.C., (1975). A critical appraisal of the applicability of cost-benefit analysis to highway traffic safety. Accident Analysis and Prevention, 7, 133-153.
Keeney, R.L. & Raiffa, H., (1976). Decisions with multiple objectives: Preferences and value tradeoffs. John Wiley & Sons, New York, NY.
Layard, R. & Glaister, S. (Eds)., (1994). Cost-Benefit Analysis. Second edition. Cambridge University Press, Cambridge.


Mishan, E.J., (1988). Cost-benefit analysis. An informal introduction. Fourth edition. Unwin Hyman, London.
Sassone, P.G. & Schaffer, W.A., (1978). Cost-benefit analysis. A handbook. Academic Press, New York, NY.
Statens vegvesen, (1995). Håndbok 140. Konsekvensanalyser. Del I. Prinsipper og metodegrunnlag. Vegdirektoratet, Oslo.
Sugden, R. & Williams, A., (1978). The principles of practical cost-benefit analysis. Oxford University Press, Oxford.
Trilling, D.R., (1978). A Cost-Effectiveness Evaluation of Highway Safety Countermeasures. Traffic Quarterly, 32, (January 1978), 41-67.
Vägverket, (1997). Nollvisionen, fördjupning. Vägverket, Borlänge. Text located at http://www.vv.se/ts/nollvisn.htm.
Weber, M., (1971). Makt og byråkrati. Gyldendal, Oslo.
Williams, A. & Giardina, E. (Eds)., (1993). Efficiency in the public sector. The theory and practice of cost-benefit analysis. Edward Elgar, Aldershot.


The Dutch project VeVoWeg on the safety of freight traffic by road


B.A. van den Horn, M.M. Kruiskamp and D. de Weger
Ministry of Transport, Public Works and Water Management, Civil Engineering Division, Risk Analysis Department, P.O. Box 20000, 3502 LA Utrecht, The Netherlands

Abstract

Freight traffic by road is an important cornerstone of the Dutch economy. However, freight traffic is not only economically profitable, it also involves risk. The policy of the Dutch government is aimed at enhancing the safety of road transport. From 1994 to 1998 the Dutch Ministry of Transport, Public Works and Water Management carried out the project VeVoWeg (Safety of Freight Traffic by Road). The aim of this project was to develop a risk assessment methodology for freight traffic by road including the cost-benefit ratio of risk-reducing measures. The methodology has been described in a set of guidelines. The risk calculations include traffic accidents involving heavy freight vehicles and releases of toxic and flammable materials. Both external and internal safety are evaluated. External safety is the risk to people close to the hazardous transportation routes. Internal safety is the risk to road users as a result of freight traffic including hazardous materials. In this paper the power and limitations of the guidelines are outlined. The state of the art of risk standards in the Netherlands is briefly described. The risk indicators are explained and an inventory of input data required for a risk assessment is presented. Finally, as an example, the methodology is applied to a specific infrastructure project.

1. Introduction

Freight traffic by road in the Netherlands is not only economically profitable, it also involves risks. Heavy freight vehicles cause risks to road users (internal safety) and the transport of hazardous materials causes risks to both road users (internal safety) and people close to the roads (external safety). Due to the difference in mass and speed between the heavy transport vehicles and other road users, relatively large numbers of victims occur in this type of accident. In the Netherlands trucks and vans are involved in 20% of the annual traffic accidents, although trucks and vans account for only 10% of the total number of vehicles. Table 1 shows more data on the relationship between the fatal accidents and the type of traffic and the type of infrastructure [1]. According to 'Figures Traffic Unsafety 1997', a publication by the Dutch Transport Research Centre, 1163 fatal traffic victims occurred in 1997.


Table 1: Statistical data on traffic accidents involving fatalities in the Netherlands.

| Vehicles Involved | % |
| Heavy Transport Vehicles Involved | 20 |
| No Heavy Transport Vehicles Involved | 80 |
| Total | 100 |

Fatalities (Heavy Transport Vehicles involved): Car Driver or Passenger; Vulnerable Traffic Participants; Truck Driver or Co-Driver; Total.
Accident Scene (Heavy Transport Vehicles involved): Within the Built Environment; On 80km/h Roads; On the Major Road Net; Total.
%: 46, 41, 13, 100.
%: 20, 20, 60, 100.

In 1998 this number decreased to 1066 (Dutch Central Department for Statistics), although the number of injuries is increasing every year. Within the action programme aimed at the reduction of the annual number of traffic victims, in 1994 the Dutch Ministry of Transport, Public Works and Water Management started the development of a set of guidelines for risk assessment for freight traffic by road including the cost-benefit ratio of risk-reducing measures. These guidelines were issued in 1998.

2. Why a set of guidelines?

The Long-Term Road Safety Plan 1996-2000 (MPV) issued in 1996 addressed the safety problem of heavy freight traffic. In the mid-nineties the Dutch Ministry of Transport, Public Works and Water Management decided that more insight was needed into the risks to people, environment, nature and matter associated with freight traffic. The goal of the Dutch Government is 25% fewer (fatal) accidents in 2000 and 50% fewer in 2010. This will be achieved with a so-called 'two-track policy': a preventive track, Sustainable Road Safety, and a curative track, where the most evident accident situations are tackled. Hence, one of the spearheads in road safety policy is to address the unsafety of heavy freight traffic. The project 'Heavy Traffic' has implemented this policy, for instance by: the promotion of the use of side protection sheets on trucks, the installation and promotion of road safety consultants at transportation organisations, and the development of European guidelines for front protection of trucks. Although serious hazardous materials accidents or fires in tunnels are rare, there may be many victims. Therefore, safety standards for the transport of hazardous materials [1] have been drawn up to ensure the safety of people close to transport routes. The policy of the Dutch Ministry is to maintain the 1986 safety level of the transport of hazardous materials in 2000 [2].


Due to the dense population in the Netherlands there is an increasing problem of meeting the Dutch environmental legislation standards close to transport routes, especially in and near urban areas. In recent years there has been a tendency to meet these standards by building tunnels, sound barriers and roofing in roads (tunnels). Although this helps to meet the environmental standards for external safety, noise and air pollution, it increases the risk to road users. This has been the main reason for the development of an internal safety QRA methodology in the project VeVoWeg. Contrary to the external safety methodology, the internal safety methodology includes both accidents with heavy freight traffic and accidents with the transport of hazardous materials.

The project VeVoWeg (Dutch acronym for the Safety of Freight Traffic by Road) was a collaborative programme of the Ministries of Transport, Public Works and Water Management, of the Interior and of Housing, Spatial Planning and Environment. The project aimed to work out government policy on the internal and external safety issues and to give guidance to the policy implementation. Only the transport of cargo with vehicles weighing over 3.5 tons is considered. The guidelines are used for Quantitative Risk Assessment (QRA) and to assess the effect of government control measures on infrastructure or vehicles. The focus of the risk assessment methodology is on:

Internal Safety QRA: Accidents with fatal victims, injured victims and material damage are addressed.
External Safety QRA: Only accidents with fatal victims are addressed.

The project VeVoWeg has resulted in a set of guidelines which is described in Chapter 4.

3. Risk assessment methodology

3.1 Risk indicators and standards

To indicate safety zones between transport routes and vulnerable developments the Individual Risk (IR) is used. IR represents the local probability per year that a fictitious person dies due to a transport with hazardous materials. This person is assumed to be present at that location continuously and unprotected. The standard for the Individual Risk has been introduced as a limit value of 10^-6 per year. So between the 10^-6 contour and the transport route no vulnerable developments may be present. IR can be presented on a topographical map as lines connecting points of identical risk (risk contours).

In external safety the Societal Risk represents the probability per year that a group of people die simultaneously due to a transport accident with hazardous materials. It is calculated per kilometre of transport route. Figure 1 shows a Societal Risk presentation in a double logarithmic graph where the number of simultaneous deaths N is given on the horizontal axis and the cumulative frequency per year for an accident with at least N deaths on the vertical axis. The external safety risk standard (valid for N>10), is a


straight line in the double logarithmic graph from the point (10 deaths, 10^-4 per kilometre per year) through the point (100 deaths, 10^-6 per kilometre per year) and is used to locate possible disaster locations, that is locations with a high risk of a large number of deaths close to the road. The standard is not strict in the sense that authorities can deviate from this standard with proper motivation.
[Figure 1: double logarithmic graph. Horizontal axis: N (deaths). Vertical axis: cumulative frequency (km^-1 year^-1). EV = area.]

Figure 1. The Societal Risk, the Expected Value and the standard for the external safety Societal Risk.

In internal safety the number N can stand for deaths (N > 1), the number of injuries (for N > 1) and the cost of material damage (for N > 0) on the horizontal axis. The Societal Risks can be used to identify disaster locations, that is locations with a high risk of a large number of victims or material damage on the road. The Expected Value (EV) represents the average number of deaths, number of injuries and cost of material damage per year for the studied transport route. The EV equals the area below the Societal Risk (see Figure 2). At present there are no legal risk standards for internal safety. They are being developed and expected in the near future.

3.1.1 External safety quantitative risk assessment

In 1988 the SEVESO directive [3] was implemented in the Netherlands in the Risks of Severe Accidents Decree [4]. Since then, all companies handling hazardous materials have been obliged to assess the risk they cause to their surroundings. Companies using or storing hazardous materials in amounts exceeding the threshold level fixed by the Dutch Government had to carry out a QRA. This has resulted in the development of a risk analysis philosophy on which a large degree of consensus has been reached among the involved parties. The development of the external safety methodology for road transport of hazardous materials in VeVoWeg has built on these past experiences. The most important steps in the external safety QRA methodology for road transport are presented in Figure 2.


[Figure 2: flow chart "Hazardous Materials Accidents".
Step 1: System Description and Basic Information: Ignition Sources; Transport Flow (transport, roads, goods); Weather Data; Environmental Data; Accident Data; Physical Planning Data (Built-up Area); Population Data.
Step 2: Accident Scenarios: Identification of Undesired Events; Failure Probabilities; Definition of Accident Scenarios.
Step 3: Determination of Physical Effects: Calculation of Physical Effects.
Step 4: Determination of Damage: Damage Calculation.
Step 5: Determination of Risks: Internal Safety Analysis; External Safety Analysis; Expected Value; Internal Societal Risk; Individual Risk; External Societal Risk.]

Figure 2. QRA methodology (Hazardous Materials Accidents and Tunnel Fires).

Step 1. The first step is to describe the system and to gather basic data.

Step 2. All undesired events and all relevant accident scenarios are identified. To this end, descriptions are to be made of the release of the hazardous materials and the predictable follow-up events. In each scenario the proper initial accident frequency and probabilities of follow-up events must be assessed. Specific or default accident frequencies and probabilities will be used depending on the level of detail of the QRA study (see Table 2) and the availability of the data.

Step 3. The physical effects are determined. The out-flow quantity and duration of the accident scenarios are assessed. Then, the spatial distributions of the resulting physical effects are calculated for all possible atmospheric conditions, such as the heat radiation intensity for fire scenarios, the over-pressure for explosion scenarios and the concentration profile for all other scenarios.

Step 4. The 'damage' to the exposed population caused by the heat radiation, over-pressures and concentrations is determined. The damage is expressed as the probability to die.

Step 5. All basic data, scenarios, probabilities and effects are combined to present the risk indicators. The risk indicators are the Individual Risk, the Societal Risk and the Expected Value.


3.1.2 Internal safety quantitative risk assessment

Figures 2 and 3 show the steps of this methodology. The QRA methodology treats accidents with heavy transport vehicles separately from accidents with hazardous materials.

[Figure 3: flow chart "Heavy Transport Vehicle Accidents".
Step 1: System Description and Basic Information (road, transport, accident data).
Step 2: Accident Scenarios (accident scenario).
Step 3: Determination of Damage (damage calculation).
Step 4: Determination of Risks (Internal Societal Risk, Expected Value).]

Figure 3. QRA Methodology for Non-Hazardous Materials Accidents.

Heavy Transport Vehicle Accidents

The procedure in Figure 3 treats the common traffic accidents involving heavy transport vehicles.

Step 1. A system description and the gathering of basic data.

Step 2. The accident scenarios of the common accidents and fires are identified.

Step 3. The damage caused by these accidents is determined except for the tunnel fires. The effects of the heat radiation of the fire and the possible formation of toxic combustion products and/or explosions are comparable to the physical effects of the hazardous materials and therefore treated in Figure 2.

Step 4. The intermediate results are combined to present the Expected Value and Societal Risk of the number of deaths, the number of injuries and the cost of material damage.

Hazardous Material Accidents

Figure 2 also shows the internal safety QRA methodology for:
- the transport of hazardous materials,
- the damage resulting from fires in tunnels.

The internal safety QRA methodology is basically identical to the external safety methodology. The only differences are:
- instead of calculating the effect on people close to the transport route, here the effect on road users is calculated,
- the effect of heavy transport vehicle fires in tunnels is included in the methodology, and
- the risk is represented as the Expected Value and Societal Risk. These risks are presented only for the number of deaths, since at present there are no methods to determine the number of injuries and cost of material damage due to accidents with hazardous materials.

Finally, the risks resulting from the accidents with heavy cargo transport and transport of hazardous materials are added to form the total internal risks.

3.2 Risk analysis depth level

The VeVoWeg guidelines have been tried out in various pilot studies. Table 2 shows the risk analysis depth level in three general types of studies.

Table 2: Study types.

Study type: Hot spot identification studies (Depth level I)
  Subject: Strategic and explorative studies
  Object: A large number of locations and transport routes
  Motivation: Over-all insight in the level of risk and to identify so-called 'hot spots' or bottle-necks from a safety point of view, to rank risks and to test meeting the risk standards
  Calculation model: Simple
  Data: Coarse data on roads, accidents, traffic and transport

Study type: Studies on the effectiveness of government control measures (Depth level II)
  Subject: Decision problems
  Object: Safety-enhancing measures on road infrastructure
  Motivation: Study to quantify control measure effects, for instance to compare to establish the safest detour option
  Calculation model: More refined
  Data: Location specific data on roads, accidents, traffic and transport

Study type: Studies on putting risk indicators on the test to meet standards (Depth level III)
  Subject: Decision problems
  Object: Safety-enhancing measures on road infrastructure
  Motivation: Study to quantify control measure effects, for instance to compare alternative transport route design, and to quantify the effect of control measures of alternative transport routes, to put risk indicators on the test to meet risk standards
  Calculation model: Refined
  Data: Location specific data on roads, accidents, traffic and transport

Table 3 shows the available calculation methods addressing internal and external safety issues. A rule-of-thumb is available only for external safety issues [5] to decide whether a QRA is required to mark a certain location as a potential 'hot spot' from a safety point of view. Table 3 also gives the relationship between the calculation methods and the internal and external safety issues.

Table 3: Available calculation protocols addressing Internal and External Safety issues.

Calculation methods (columns): rule-of-thumb [5]; simple QRA (IPO-RBM); thorough QRA (commercial codes).

External Safety Issue (rows): hot spot identification; effectiveness of government control measures; putting risk indicators on the test to meet risk standards. Marks: X X X X.

Internal Safety Issue (rows): hot spot identification; effectiveness of government control measures; putting risk indicators on the test to meet risk standards. Rule-of-thumb: not available. Marks under simple QRA (IPO-RBM): X X. Marks under thorough QRA (commercial codes): X.

3.2.1 Similarities and differences in the internal and external safety QRA methodologies

In both methodologies the type of study and the availability of the basic data determine the depth of the QRA study:

1. In Depth Level I studies a rough QRA is performed. It requires a relatively low amount of input data and uses general data (for example the average initial accident frequency for a specific road type). It results in a 'quick scan' of the risks. A Depth Level I external risk analysis can be done with the relatively simple computer code IPO-RBM (developed by the Dutch provinces) [6].
2. Depth Level II studies are more detailed, with location specific and larger amounts of input data. The computer codes are more advanced; most of these programs have been developed by engineering and research institutes, and the results are better.
3. Depth Level III studies require a lot of very detailed input data and advanced computer codes, and provide very detailed results. This study level is at present only used to put external safety risks to the legal standard test.

In many practical cases detailed input cannot be obtained and one has to fall back on a lower depth level. The parts of the internal safety methodology that cover the transport of hazardous materials and fires in tunnels are almost equal to the external safety methodology. The only real differences are the location of possible victims (close to the road or on the road), the use of the Individual Risk (external safety) or the Expected Value (internal safety) and the modelling of fleeing from tunnels (internal safety).


The accident scenarios and open-field fire analysis of the internal safety analysis differ from the external safety analysis, because the internal safety methodology:
- only uses statistical data for the number of accidents and fires, number of victims and material damage, whereas each methodology for hazardous material events also involves modelling of out-flow, formation of toxic combustion products, evaporation, dispersion, heat radiation, over-pressure and fleeing,
- elaborates an initial accident frequency based on all accidents involving heavy freight traffic, whereas the other methodologies use an initial accident frequency based on all accidents in which at least one person in a motorised vehicle was injured, and
- calculates the risk of injury and the risk of material damage, in addition to the risk of death.

4. The VeVoWeg guidelines

4.1 Scope

The VeVoWeg methodology consists of a set of modular guidelines which form a risk assessment methodology and enable the users:
- to quantify risks associated with freight traffic by road,
- to assess the effect of risk-reducing measures, and
- to weigh these risk-reducing measures.

Figure 4 shows the scope of the guidelines. Accidents are separated into two classes: collision accidents and accidents with hazardous materials and/or fires. Collision accidents have impact only on road users (internal safety) and have a relatively 'large' occurrence probability (many collisions) with rather 'small' consequences (few victims per accident). The collision accident consequences are assessed for all road traffic to be able to calculate risk numbers. The full spectrum of road safety also includes the collision accidents with motorised traffic and slow traffic. As VeVoWeg has been focused on freight traffic, the latter group has not been part of the guidelines yet. However, the 'total internal safety' for road users is determined by the sum of all risks caused by any type of traffic accident. This includes the so-called indirect 'extra' risks of fires and hazardous materials. Contrary to the collision accidents, the class 'hazardous materials and fires' consists mainly of accidents with a 'small' occurrence probability (few accidents) and 'large' consequences (many victims per accident).¹

Table 4 shows a description of the modules in the VeVoWeg Guidelines. Modules A through C are meant for risk calculation, while modules D through G are informative. Module H contains procedures for weighing internal and external risk-reducing measures.

¹ While we are writing this paper the newspapers report that a serious truck fire in the Mont Blanc Tunnel has led to dramatic consequences and that an accident like this 'has never occurred since the opening of the tunnel in 1965'. This is a typical example of an accident with low probability (the first in 35 years in one of the about 40 comparable European tunnels) and severe consequences (at least 40 fatal victims).


[Figure 4: diagram relating Traffic Safety (Motor Cars, Slow Traffic, Heavy Traffic) to Collision Accidents (Direct Risks) and Accidents with Hazardous Materials and/or fires (Indirect Risks), on the Road (Internal Safety) and beside the Road (External Safety). Boxes: Internal Safety, Direct Risks other Traffic; Internal Safety, Direct Risks Heavy Traffic; Internal Safety, Indirect Risks; External Safety; with the VeVoWeg scope marked.]

Figure 4. Scope of the VeVoWeg guidelines.

Table 4: Description of the modules in the VeVoWeg Guidelines.

Module | Protocol for | Events | Risk Carrier
A | direct risk assessment | collision with heavy transport vehicle involvement | road users
B | indirect risk assessment | events with hazardous materials, fires in tunnels | road users
C | indirect risk assessment | events with hazardous materials | people close to transport routes

Module | Description | Scope and/or Subject | Purpose
D | vehicle and road categorisation procedure | measures on vehicles or infrastructure | Assess the effect on road safety
E | survey of freight traffic internal safety issues | a list of internal risk-reducing measures including the costs and effectiveness | Information
F | survey of external safety issues | a list of external risk-reducing measures including the costs and effectiveness | Information
G | shows the order of magnitude of the effects and costs | both internal and external safety-enhancing measures | Report of cost-benefit analysis
H | weighing process and weighing methods | cost-benefit analysis methods | how to weigh and select potential safety enhancing measures

Module A of the guidelines enables the prediction of 'direct' risks, e.g. collisions with heavy transport vehicle involvement. Module B contains a protocol for the analysis of the risks for road users due to the transport of hazardous materials and fires:
- Hazardous material accidents cause risk to road users in the open field and in tunnels, and
- Fires cause risk to road users only in tunnels.


Module C contains a protocol for the analysis of the external safety, e.g. the risks for people close to the roads where hazardous materials are transported. Module D contains a vehicle and road categorisation procedure. Modules E through H are focused on the effects of safety-enhancing measures and on how to weigh and select potential internal and external safety-enhancing measures. The VeVoWeg guidelines are mainly meant for risk consultants. Other target groups are policy makers and road maintenance managers. Users are mainly working for the government, provinces, cities, or the transportation branch.

5. Demonstration

This section shows an example of the internal and external safety methodologies, derived from [7]. The risks of three different options for a highway through a city in the Netherlands are compared.

1. A highway without a tunnel (option 1).
2. A tunnel of 400 m length in the highway where all hazardous materials are allowed to pass (option 2).
3. A tunnel of 400 m length in the highway with a prohibition for LPG trucks in the tunnel (option 3).

Figure 5 shows the study area. In option 2 the LPG trucks will have to bypass the tunnel and cross the city. A 1000 LPG trucks and 500,000 other heavy transport vehicles pass the highway annually, while 50,000 heavy freight vehicles pass the roads in the city. Figures 6 through 8 show the results of the individual risks. It is clear that the first tunnel option (option 2) will result in less risk exposure in the city since all hazardous materials will use the tunnel. However, a prohibition for LPG trucks to use the tunnel will dramatically increase the risk level in the city. Table 5 presents the expected number of deaths.

[Figures 5 to 8: maps of the study area (highway, road, city, tunnel); the Individual Risk maps show the 10^-8 contour.]

Figure 5. The study area.

Figure 6. Individual Risk for the highway without a tunnel.

Figure 7. Individual Risk for the motor way with the tunnel (LPG prohibition in tunnel).

Figure 8. Individual Risk for the motor way with the tunnel (no prohibition).

Table 5: Expected Value for the annual number of deaths

Highway option | Expected Value
1 (no tunnel) | 0.0094
2 (tunnel, no prohibition) | 0.0089
3 (tunnel, LPG prohibition) | 0.0088

The expected value of the highway without a tunnel is higher than the expected values of the second and third option. The expected values of both tunnel options are almost equal. This can be explained as follows: the expected number of deaths EV is equal to the sum of all products of the average number of deaths per accident (N_A) and the initial accident frequency I, in formula $EV = \sum N_A \cdot I$. This equals the area below the Internal Societal Risk curve (see Figure 1). The expected number of deaths EV is mainly (say about 99% in this example) determined by the day-to-day accidents. Hence, the area under the Internal Societal Risk curve in the interval of N_A between 1 and 10 determines EV. The Internal Societal Risk curves for both tunnel options, however, differ only for the 'rare' accidents with N_A > 10. Therefore, no real difference in EV is found between the two tunnel options. Figures 9 and 10 show the Societal Risk for external and internal safety, respectively. It appears:

[Figures 9 and 10: Societal Risk curves, cumulative frequency (km^-1 year^-1) against the number of deaths, for the highway (no tunnel), the highway with tunnel (no prohibition) and the highway with tunnel (LPG prohibition).]

Figure 9. Societal Risk (external safety).

Figure 10. Societal Risk (internal safety).


- A tunnel without prohibitions has a positive effect on the external Societal Risk.
- A tunnel with prohibitions has a negative effect on the external Societal Risk. It increases considerably, since the LPG trucks have to cross the city. It even exceeds the Societal Risk standard.
- A tunnel with or without prohibition has a negative effect on the internal Societal Risk, so more risk to road users is introduced. The more hazardous materials pass the tunnel, the higher the internal Societal Risk.

The decision from a safety point of view would be to choose a tunnel without prohibition.
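
The relation used in the demonstration above (EV as the sum of N_A times I, and as the area below the Societal Risk curve) is worked through here as an added example; it is not code or data from the paper. The scenario frequencies and death counts, and names such as Scenario and ev_share, are constructed for illustration.

```python
"""Expected Value (EV) and Societal Risk (FN curve) from accident scenarios.

All frequencies and death counts below are constructed for illustration;
they are not the figures used in the paper.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float  # initial accident frequency I (accidents per year)
    deaths: int       # number of deaths per accident, N_A


def expected_value(scenarios):
    """EV = sum of N_A * I over all scenarios (deaths per year)."""
    return sum(s.deaths * s.frequency for s in scenarios)


def cumulative_frequency(scenarios, n):
    """Societal Risk at N = n: frequency of accidents with n or more deaths."""
    return sum(s.frequency for s in scenarios if s.deaths >= n)


def societal_risk(scenarios):
    """FN curve as a list of (N, cumulative frequency) for N = 1 .. max deaths."""
    max_n = max(s.deaths for s in scenarios)
    return [(n, cumulative_frequency(scenarios, n)) for n in range(1, max_n + 1)]


def area_below_curve(fn_curve):
    """Area below the step curve on linear axes (each step is 1 death wide)."""
    return sum(freq for _, freq in fn_curve)


def ev_share(scenarios, max_deaths):
    """Fraction of EV that comes from accidents with at most max_deaths deaths."""
    small = [s for s in scenarios if s.deaths <= max_deaths]
    return expected_value(small) / expected_value(scenarios)


# Constructed day-to-day collision scenarios, shared by both tunnel options.
DAY_TO_DAY = [
    Scenario("collision, 1 death", 6.0e-3, 1),
    Scenario("collision, 2 deaths", 5.0e-4, 2),
    Scenario("collision, 5 deaths", 2.0e-5, 5),
]

# Constructed rare scenarios: the two options differ only in the tail N > 10.
OPTION_A = DAY_TO_DAY + [Scenario("tunnel fire", 2.0e-7, 40)]
OPTION_B = OPTION_A + [Scenario("explosion in tunnel", 1.0e-7, 200)]


def compare(options):
    """Return {name: (EV, area below FN curve, share of EV from N <= 10)}."""
    return {
        name: (
            expected_value(sc),
            area_below_curve(societal_risk(sc)),
            ev_share(sc, 10),
        )
        for name, sc in options.items()
    }


if __name__ == "__main__":
    results = compare({"A": OPTION_A, "B": OPTION_B})
    for name, (ev, area, share) in results.items():
        print(f"option {name}: EV={ev:.6f} area={area:.6f} share(N<=10)={share:.4f}")
    # The FN curves separate clearly only in the rare-accident tail.
    for n in (1, 10, 100):
        print(n, cumulative_frequency(OPTION_A, n), cumulative_frequency(OPTION_B, n))
```

The two constructed options have nearly the same EV although their Societal Risk curves differ by the whole explosion scenario at N = 100, which is why the paper judges the tunnel options on the Societal Risk curve and not on EV alone.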

6. Evaluation and future developments

The above example demonstrates that QRA techniques may be successfully applied to transport safety problems including hazardous materials. The methods are suitable to assess the efficiency of an infrastructure measure (building a tunnel). A limitation of the method is the fact that some successful measures aimed at reducing the number of fatal accidents may lead to more injuries. The question how to deal with this has not yet been answered. Another limitation is that in cases where only very little location specific basic data are available the applicability of the method may be disputable. To successfully apply the method in the future it is necessary for the local, regional and national authorities to gather various types of information. The VeVoWeg guidelines can be used to judge the desirability of new transport activities close to densely populated areas. So, they can be used as a decision-making tool by the local authorities. The VeVoWeg method stimulates the incorporation of road safety aspects at an early stage in new infrastructure design or spatial planning and housing issues.

During the project other VeVoWeg case studies have shown that for internal safety issues in most cases the effect of potential risk-reducing measures on the other road users (light traffic and slow traffic) should also be considered. For instance, the safety effect of an overtaking prohibition for trucks could not be established with the VeVoWeg method. An overtaking manoeuvre of a truck may lead to an accident with no heavy traffic involvement, which would be completely discarded. Hence, it is generally not always easy to determine what type of traffic caused the accident. Another motivation for a risk assessment method for all road users is the following. Up till now road safety has been expressed in absolute numbers of deaths or injured annually. The national safety targets of the Dutch authorities have also been expressed in absolute numbers. A complicating factor with the use of absolute numbers is that at the scale of many local Dutch towns the number of deaths is limited to zero or one. So for local authorities it is difficult to propose measures to establish a reduction from one to zero victims. Besides, it is difficult to account for regional and mobility differences.


To meet these needs a new research project called 'A Risk-Based Approach for Road Safety' has been initiated. The results of this new project should facilitate the development of a cost-efficient risk standard for road safety.

7. Conclusions

The internal and external safety methodologies have proven to be very promising tools to reveal the risk in conjunction with freight traffic including hazardous materials for road users and people living close to the transport routes. The tunnel decision problem in this paper was just an example to show the power of the methodology. The VeVoWeg guidelines help an administrator to make the right decision, after comparing the efficiency of potential safety measures. In many cases a quick risk scan is possible based on only limited, rather coarse data. The extension to a complete risk assessment methodology for the full spectrum of road safety is ongoing. It is expected that completing this extension will lead to a real breakthrough in risk assessment for road safety issues. One point of attention is the collection of all the information. In cases and locations where insufficient data are available, campaigns to collect proper data in the right format should be organised.

References

[1] Risk Standards for the Transport of Hazardous Materials (RNVGS), Dutch Parliament, 1995-1996, 24 611, NR. 1 and 2, February the 15th 1996 (in Dutch).
[2] Policy Strategy Heavy Freight Traffic and Road Safety, Directorate General for Water Management, October 1995 (in Dutch).
[3] Guideline 82/501/EEG of the Board of European Communities, 24th of June 1982 concerning the Risks of Severe Accidents at Certain Industrial Activities, PbEG L 230, Seveso guideline, last modified by Guideline 91/692/EEG (in Dutch).
[4] Decision on 15th of September 1988, concerning the rules on reporting of the risks of severe accidents, State Magazine of the Kingdom of the Netherlands, 432, 1988, last modified on the 20th of June 1994, State Magazine 463 (in Dutch).
[5] Guideline External Safety Transport of Hazardous Materials, The Hague, Three Dutch Ministries of Traffic, Public Works and Water Management (1), of Housing, Spatial planning and Environment (2), and of Internal Affairs (3), VNG, VNG Editor, ISBN 90 322 7141 5, 1998 (in Dutch).
[6] Risk Assessment Methodology (IPORBM): for water way, rail, pipe and road infrastructure. AVIV, Enschede, The Netherlands, July 1997 (in Dutch).
[7] M.M. Kruiskamp and B.A. van den Horn, A Risk-Based Analysis Method to Assess the External and Internal Safety in Infrastructure Projects in the Netherlands, 2nd World Congress on Safety of Transportation, February 1998, Delft, The Netherlands.


Proactive use of safety investigations


Major injuries in transport - the same accident as last year?

Sverre Roed Larsen Office of the President and CEO Norwegian State Railways ADK - NSB BA, 0048 OSLO, Norway

Abstract

Accidents - either personal-, freight-, material- or environment events - within the transport arena (air, sea, road, and rail) have different injury patterns and accident profiles. A common feature, however, is the potential for disasters or catastrophes. This paper focuses on problems connected to accident investigation, especially the use of accident investigation commissions in the transport area. However, the use of the accident investigation commission method - although widely used by most companies and public authorities - raises several issues and dilemmas that need to be analysed and answered. One set of issues concerns the characteristics of the commission itself and its work. Another set is linked to the institutional setting and the external relations outside the company in the same country or at an international level. A special set of issues is connected to the interrelationship between different transport sectors, e.g. air traffic, sea traffic and rail traffic, on an international level. A very important question is linked to the possible usefulness, relevance, and implementation of proposals concerning risk-reducing measures and preventive actions. The author has just started a research project (1999-2003), focusing on the possible proactive use of conclusions drawn by accident investigation commissions concerning causes, preventive measures and necessary actions - within the pertinent company, between similar companies and within the mode of transport on a regional or international level. The main objectives and research methods are listed. The implementation of a modern Safety, Health and Environment Management System is seen as the main challenge to transport companies in Europe.

The paper concludes with three points of view, underlining the need for better preventive safety measures, indicating the consequences of lacking in-depth analyses, and advocating stronger co-operation between main actors in the different transport modes in order to establish effective safety management systems.


1. Introduction

Accidents - either personal-, freight-, material- or environment events - within the transport arena (air, sea, road, and rail) have different injury patterns and accident profiles. A common feature, however, is the potential for disasters or catastrophes, although the risk of disasters varies considerably (Elvik, 1999) between various sectors of transport. Major accidents are characterised by massive loss of life and/or extensive material damage as well as by operational problems. Historically the accident pattern within the different transport sectors has undergone major changes. These changes are linked to developments in society, technological innovation, political conditions, commercial developments, the pattern of living, socio-economic factors, mobility in society etc. Another common property is that major accidents are now investigated, either by the police, by special investigation teams, or by both. However, the investigation approach will differ: the police focus on the legal responsibility, the safety experts on the causes, consequences and conclusions on preventive measures to be taken. The investigation process can differ in many ways: regarding position, competence, relations, process, length, publication, follow-up etc. The crucial question is how experience, analysis, conclusions and proposals are linked to a proactive preventive process in the safety management system operated by the relevant transport actors. In a proactive perspective, near-accidents, or near-misses, are unwanted events that under some other circumstances could have caused injuries or losses. Data from such events are very valuable in risk analysis and constitute a necessary part of the knowledge needed to develop preventive measures.

2. Disasters - rare, but with enormous consequences

Disasters in the transport field are rare. However, their inherently dramatic character, the vast human and material consequences, the individual tragedies, the great mobilisation of rescue resources, the strain of heroic deeds and the massive coverage in mass media mean that they become part of our national and even global memory. Books like "Disasters in rail" or "Disasters in aviation" or similar videos contribute to maintaining the memory of such events. In a recent research report from the Norwegian Research Institute (TI) a disaster is defined as a fatal accident with 20 persons or more killed. With that definition as a point of departure, we can see that fatal accidents defined as disasters are very rare. The frequency varies with the mode of transport. There are large differences between different transport modes (e.g. aviation vs. road). In air traffic, according to TI, a disaster statistically will occur in Norway every 11 years, compared to one disaster per 46,510 years in road traffic.


The probability of a disaster in road traffic is low compared to aviation. The risk of injury on the road is greater by far than that in rail traffic. If we use an exposure perspective for the different transport modes in Norway (measured by persons killed per 100 million hours), the picture is quite different. The use of heavy motorbikes on roads causes 425 fatalities in Norway per 100 million hours compared to 5 fatalities in rail traffic. In everyday life the frequency of fatalities and exposure data related to modes of transport may influence some people's choice of transport, but seldom determines the choice for larger sectors of the population.

3. The mobile society - and some of the consequences

Modern societies - in their industrial and post-industrial phases - have been characterised both by an explosion of physical mobility and by technical development. More and more people expanded their mobility range, increasingly using a technical device as an aid. The development of the mobile society can be illustrated by some facts from a study made in Sweden (Rumar, 1999): "Personal mobility and transport has probably changed even more than trade transport. An average Swede, for example, moved about 200 metres each day in 1800. In 1900 this average mobility had increased to about 500 metres per day. In year 2000 it is estimated that the average mobility of a Swede will be about 50 kilometres!" Another international example is from an OECD study which shows remarkable changes in the transport pattern in 18 OECD countries in Europe from 1970 till 1997, measured in passenger traffic/billion passenger km. In general personal mobility has had a remarkable increase. Mobility by private car has more than doubled in about 25 years. Passenger-kilometres delivered by train and bus have also increased, but to a much smaller degree. The number of persons killed in road accidents has decreased in Europe in the same period, but is still very high - about 48000 fatalities per year in 1997 in 18 European countries. According to Professor Kaare Rumar (1999) road crashes are the largest single cause of death for persons under 45 years and cause the highest number of lost years of any cause of death. The privatisation of personal mobility has created a major public health problem and has resulted in very large economic costs. A presentation from the European Transport Safety Council (January 1999) summarises, by transport mode, risks to EU passengers related to both transport work (billion passenger km) and exposure (100 million hours) in one diagram. The risk profile of the different transport modes varies quite a lot, but with rail transport on a low score both by traffic work and by exposure.


All modes of transport involve complex systems. Most of the losses could have been prevented, or the seriousness of injuries could have been reduced. Modern safety philosophy - based on experiences and results from safety management systems - advocates zero tolerance to incidents and a vision of zero fatal injuries. All parties have a vital interest in preventing serious disasters and catastrophes with their unacceptable consequences for life and health or environment. But accidents cause destruction, again and again. Accident data represent reactive information about an event that should not have occurred and which has caused losses, through injuries or damage (ESReDA, 1997). The challenge to responsible transport companies is to include accident data in a systematic, proactive approach, implement constructive proposals and take action to prevent the occurrence of similar accidents. The selection and design of a set of preventive methods should not be limited to experience and data from the company's own activities; data from other sources may be equally useful in the identification of risks and implementation of measures (ESReDA Compendium, 1998). My main thesis is that transport companies, and in particular railway companies, do not make full use of or do not adequately use available or potential accident information as input in a sufficient, preventive management system context in order to reduce risk levels. This failure to apply possible knowledge is predominant both on the national and international level. For one thing, knowledge within the same sector is ignored. There are, however, significant barriers in the use and exchange of accident data between transport modes, e.g. between air, sea and rail transport companies. Shortcomings in the theories and methods used (e.g. accident analysis models, methods in selecting adequate measures, systems to overview loss consequences etc.) seem to be one of the major reasons that the potential of accident data is not sufficiently explored.

4. Proactive use of accident investigation commissions: approaches and dilemmas

Accidents can be registered, analysed and described in many ways. Methods include the use of accident or injury statistics, identification of hazardous conditions or risk factors, observation of risk-related behaviour, analyses of near-misses, interviews, safety audits etc. In the case of serious accidents or near-misses with great loss potential, the use of an accident investigation commission is a highly recommended tool and often mandatory by law. However, the use of accident investigation commissions - although common to most companies and public authorities - raises several issues and dilemmas that need to be analysed and answered: One set of issues is connected to characteristics of the commission itself and its work.


Another set is linked to the institutional setting and the external relations outside the company in the same country or at an international level. A special set of issues is connected to the interrelationship between different transport sectors, i.e. air traffic, sea traffic and rail traffic, on an international level. A very important question is linked to the possible usefulness, relevance, and implementation of proposals concerning risk-reducing measures and preventive actions.

The main questions to be answered as to the use of an accident investigation commission (AIC), by a transport company, transport organisation, professional association, safety institutions, public authority, inspectorate, or by government, are the following:

4.1 When shall an investigation by a special commission be used?

Most companies have an injury reporting system, partly for their own safety management use and partly as a consequence of mandatory regulations, e.g. from the transport inspectorate or Labour Inspection Authorities (Norway, the Act of 4 February 1977). The dilemma for the company is to decide upon the criteria which will trigger a special commission investigation and on which level the commission should be established: a corporate commission investigating every fatal injury, or a commission on division level? What about a serious near-miss, a major injury causing heavy material losses or production losses? The same problem is faced by national inspection authorities, which often have an independent right and in some cases an obligation to do investigations. In some fields and in some countries the companies' duty to report is regulated by law. But such claims are often not harmonised across sectorial barriers.

4.2 Who shall investigate a serious accident or near-miss?

In the transport area, the picture is quite mixed; from precise definitions, criteria, procedures and organisation set out in national or regional regulations to total dependency on the decisions taken in the single company. In Sweden the Board of Accident Investigation is mandated by law to investigate specific types of accidents when one person (air) or several persons (other modes) have been fatally or seriously injured, when the accident has caused substantial (air) or extensive (other) damage or when some specific additional criteria are fulfilled (SHK Homepage, 1999).

4.3 What kind of competence is necessary in the AIC?

The competence required for participation in an internal AIC, set up by the company, may vary quite a lot from the formal requirements needed to work in permanent, public accident investigation commissions. One trend seems to be a shift from engineer qualifications to modern risk assessment education. Requirements concerning competence in public investigation commissions seem also to differ.


The Swedish Board of Accident Investigation regulations presuppose that the Director-General and two of the other investigators shall be former judges. The kind of expertise needed for the other investigators is also specified (SHK Homepage). It seems likely that background experience, education and competence may colour the safety philosophy and models used in investigations.

4.4 What kinds of models are used to clarify causes, identify losses and promote preventive measures?

Traditionally, a single cause model seems to be the dominant explanation in many reports, identifying the cause as either violation of a safety rule (human factor) or a material cause (technical failure), especially in company reports. In modern safety management systems, more advanced models are quite common, like the Loss Causation Model developed by Det Norske Veritas (Larsen, 1997). An interesting question will be to see to what degree cause models, loss identification and recommendation of preventive measures in a more advanced manner are reflected in different types of investigation reports.

4.5 Which are the effects of proposals on responsible companies in obtaining higher safety levels/better safety management?

If the cause is identified to be a violation of rules, then often the preventive measure is in the same area: the guilty person must learn and obey safety regulations. The answer to a technical failure may be more technical inspections or testing. The National Transportation Safety Board (NTSB) in the US has issued almost 10,000 recommendations in all transportation modes to more than 1,250 recipients; in their own words "more than 80 % of its recommendations have been adopted by those in a position to effect change" (NTSB Homepage, 1999). By contrast, an evaluation of the in-depth accident investigation of the Swedish National Road Administration concludes that none of the proposed 37 measures have initiated regulatory or any other kind of work at central level (Midtland et al., 1995).

4.6 How is interaction with safety culture?

Are accident investigations in any way linked to the overall safety management system, or are they totally detached and independent? If related, what kind of feedback processes are established? What is the time-span between the accident, the proposals in the report and the possible integration and functioning of a new measure as part of the safety culture? The challenge to a modern company advocating the idea of a learning organisation will be to establish simple methods for leadership involvement and commitment, management mechanisms and communication systems that stimulate a rapid integration of new insights and knowledge from investigation reports into safety culture.


4.7 Which is the status of the final report?

In some companies, the report from an investigation commission may be looked at as the final verdict. That fact could have, and in some cases has had, as a side effect a prolongation of the publication until after the police report has been finalised. Another consequence is the effect a legal-oriented approach can have on the attitude and co-operation of people involved. The willingness-to-report is often influenced by the status of the investigation. Consequently, near misses are often under-reported.

4.8 How are reports distributed and used outside the pertinent company or transport field?

In some transport companies, the accident investigation report is a restricted document. In others, the full report is available on the Internet. In some transport fields, a regional or international organisation has built databanks based on information from such reports, and also in some cases gives full access to the whole report - as a commercial service. Other agencies offer the text of such reports as a public duty. A central question will be to analyse to what degree there is a systematic distribution and use of the different kinds of investigation reports: in the company itself, among other transport companies of the same kind or within the transport sector, in international organisations, by transport inspectorates and public authorities etc.

4.9 What is the relationship between research analyses, innovation and results?

Some transport companies have a tradition of self-supporting functions, from leadership recruitment to education. This tradition is diminishing. Modern transport companies initiate and encourage research and are eager to make use of scientific findings. Additionally there may be a connection between company culture, its attitude to research and development and the use of accident investigations in a process of continuous improvement.

4.10 What is the effect on public image?

The company's public image is of growing importance to top management. Public confidence in a company's safety management is often a necessary condition for survival in the market. The company's ability to master major accidents and disasters, which are of great public interest and are closely covered by the mass media, and the way they follow up such crises, e.g. through investigations, are crucial. An open attitude, based on freedom of information, a customer-oriented approach and priority to public relations, characterise modern transport companies more and more.


5. My own research project

The main topic of my research work deals with the possible proactive use of conclusions drawn by accident investigation commissions concerning causes, preventive measures and necessary action - within the pertinent company, between similar companies and within the mode of transport on a regional or international level. Special attention will be given to the developments of structural and functional factors during the 10 year period 1990 - 1999, identification of major changes in internal and external conditions, models and systems adapted, changes in safety philosophy expressed and techniques used. The research period is scheduled from 1999 till 2003.

The main objectives of the study are to:

- Describe, analyse and conclude on the developments of work done and reported by accident investigation commissions in different transport modes (air, sea, and rail) and in different European countries during 1990 - 1999.
- Develop insight and knowledge on the relationship between major accident investigation and proactive measures in selected transport companies based on scientific research.
- Enhance scientific theory about the risk-reducing potential of reactive accident experiences used in a preventive, safety management setting in large transport companies.
- Propose a set of preventive measures to be undertaken in order to reduce risks.

Different methods will be used, depending on which issue or historical phase is to be analysed:

- In-depth interviews.
- Documentation analysis.
- Selected reports from Accident Investigation Commissions in Hungary, The Netherlands, England, Denmark, Sweden and Norway during 1990 - 1999.
- In-depth analysis of a selection of reports.
- Statistical data on accidents, injuries and losses.
- Analysis of relevant international and national conventions, directives, laws, regulations, standards, etc.
- Research projects, reports and articles.
- Background literature.


6. The challenge - implementation of a modern SHE management system

Safety thinking, management and practice have undergone remarkable development during the last decades. Some researchers talk about the third generation (Hale et al., 1998). However, remarkably few enterprises or companies in the transport area have developed a systematic, holistic approach to safety, health, external environment, working environment, and security. The traditional approach is often characterised by ad hoc initiatives instead of continuous improvement, by reactive instead of proactive measures and by lip service instead of leadership commitment. Above all, it is characterised by a sectorial and bureaucratic organisation instead of small, cross-disciplinary, cross-sectorial and effective staff units supporting and advising line managers in such a way that they can fulfil their responsibilities and expectations.

Modern SHE management systems (SHE MS) are the business answer to important safety, health and environmental challenges from external requirements and internal needs. SHE MS is based on international standards (like the ISO 9000 and 14000 series) and/or industrial norms, like Det Norske Veritas' (OHSAS 18001, 1999), and is integrated in the company's total management system. Such a management system is far better than the traditional sectorial approach.

7. Conclusions

Since the research project is still in the pilot study period, I am not in a position to draw conclusions at this stage. However, as some very preliminary observations, I will underline the following more general points of view:

1. Travel injuries in Europe still represent a major public health problem as well as economic and societal challenges - although the potential preventive effects of safety measures are enormous.
2. The lack of in-depth analyses of traffic accidents, e.g. by accident investigation commissions, results in low public and political awareness, limited professional knowledge and inadequate preventive implementation of safety measures.
3. Effective safety management in the transport sector is hampered by the lack of national and international co-operation between main actors in the different transport modes, in casu accident investigation commissions, control authorities, research institutes, travel companies and organisations.

More specific conclusions concerning the proactive use of accident investigation commissions in the transport area will be formulated at a later stage, based on scientific research and empirical findings.


References
Elvik, R., (1999). Risk of disasters in transport. TØI report 417/1999 (in Norwegian). Oslo: Institute of Transport Economics.

Rumar, K., (1999). Transport safety Visions, targets and strategies: Beyond 2000. The 1st European Transport Safety Lecture. Brussels: European Transport Safety Council. Paper.

ESReDA, (1997). Directory of accident databases. European Safety Reliability and Data Association, 1997.

ESReDA Compendium, (1998). From the 15th Seminar, Antwerpen, 16-17 November.

In Norway, the Act of 4 February 1977 relating to worker protection and working environment imposes a duty on the employer to report injuries and diseases (21): "If, as the result of an occupational accident, an employee loses his life or is seriously injured, the employer shall immediately, and by the quickest possible means, notify the Labour Inspection and the nearest police authority. The employer shall confirm his notification in writing. The safety delegate shall receive a copy of the confirmation."

SHK Homepage (www.havkom.se/english.htm), 04.06.99.

SHK Homepage.

Larsen, T. R., (1997). Safety and Environmental Management in the Transportation Industry, DNV Paper Series 97-P011. Oslo: Det Norske Veritas.

NTSB Homepage (About the NTSB), 04.06.99.

Midtland, K., Muskaug, Richard; Sagberg, Fridulv; Jørgensen, N.O., (1995). Evaluation of the In-depth accident Investigation of the Swedish National Road Administration, page 39. TØI report 296/1995. Oslo: Institute of Transport Economics.

Hale, A. R. & Hovden, J., (1998). Management and culture: the third age of safety. A review of approaches to organizational aspects of safety, health and environment. In Occupational Injury - Risk, Prevention and Intervention, eds. Feyer, Anne-Marie and Williamson, Ann, pp. 129-165. London: Taylor & Francis Ltd.

OHSAS 18001, (1999). See e.g. the new Specification concerning Occupational health and safety management systems (OHSAS 18001), April 1999, which has been developed by a consortium of industrial parties. DNV has also developed a separate standard for a SHE Management System.


Database analyses and transport corridors


Parallel lines for accident research

Nils Rosmuller
Delft University of Technology, Transport Policy and Logistics, P.O. Box 5015, 2600 GA Delft, The Netherlands

Pieter C. van Beek
TNO, Environment, Energy and Process Innovation, Department of Industrial Safety, P.O. Box 342, 7300 AH Apeldoorn, The Netherlands

Abstract

'New' infrastructures are generally constructed to resolve existing congestion problems. Increasing scarcity of available land in combination with more stringent environmental zoning restrains the possibilities for developing new infrastructures. As a result, intentions to develop large-scale infrastructures are nowadays almost synonymous with clustering these large-scale infrastructures with already existing line infrastructures, forming what are called transportation corridors. However, various authors have already warned of unexpected interactions, induced by clustering, that affect safety levels. These warnings concerned both 'new' accident causes and 'increased' accident consequences. In this paper we focus on accident consequences. To find out whether or not clustering increases accident consequences, a database search is conducted. TNO's hazardous materials database FACTS is searched for consequences of transport corridor accidents, called domino-effects, which are compared to consequences of similar accidents (the corridor aspect excepted). This database analysis revealed that pressure is put on safety when transport corridors are developed. In addition it showed that accident database analyses provide elementary accident data for use in a transport safety assessment and subsequently in safety management systems. To realize improvements and to learn from past performances, these accidents should be archived and analyzed. Therefore, accident databases play an essential role in this context.

1. Introduction

New infrastructures are generally constructed to resolve existing problems of congestion. However, increasing scarcity of land-availability in combination with more stringent environmental zoning constraints restrain possibilities for developing additional infrastructures.


As a result, intentions to develop large-scale infrastructures are nowadays almost synonymous with 'clustering' these large-scale infrastructures with already existing infrastructures. Zones therefore emerge that contain several parallel-aligned line infrastructures, called transport corridors. Once expanding infrastructure seems unavoidable, environmentalists stress the positive effects of clustering line infrastructures. Safety analysts, however, warn of unknown risks. Until now, little is known about the safety aspects of transport corridors. In this paper, we present a database analysis that gives insight into the ways clustering line infrastructures into transport corridors affects safety. In Section 2, the main spatial aspects of transport corridors are presented, followed by a description of the related safety criticisms that have been articulated. These safety criticisms are analyzed using real-life accident data. In Section 3, the accident database analysis is briefly described, and selected accident data are presented and subsequently analyzed. In Section 4, the most essential conclusions from this research are presented.

2. Transport corridors

Clustering line infrastructures implies that additional line infrastructures are developed close and parallel to already existing line infrastructures. Transport corridors are zones in which clustered line infrastructures handle main traffic and transport flows and in which other infrastructures for human activities are concentrated (Bovy & Sanders, 1997; Willems, 1996; Sottiaux, et al., 1994; Joachim, 1987; Weir & Eng, 1963). It seems as if transport corridors have become the solution thought of by policymakers for expanding infrastructure while simultaneously protecting environmental qualities. Authorities voluntarily adopt clustering because clustering concentrates or even reduces negative environmental impacts such as noise, smell, fragmentation of areas, land-use, vibrations, and visual nuisance (Sottiaux, et al., 1994). Other authorities, of countries such as Austria and Switzerland, are forced to cluster infrastructures because of various topographical constraints including mountains, rivers and valleys. In this case authorities of mountainous countries are forced to cluster infrastructures.

Regardless of the reasons for clustering, transport corridors can be described using five spatial aspects, namely (after Willems, 1996):

- kind of infrastructure: the transport modality that facilitates traffic/transport flows;
- mutual distance: the distance between parallel running infrastructures;
- longitudinal distance: the length over which clustered infrastructures run parallel;
- method: infrastructures can be clustered in two ways, coordinated or mixed. Coordinated means that no single part of an infrastructure is within the boundaries of another infrastructure. Mixed stands for the opposite, which means some parts of an infrastructure are within the boundaries of another infrastructure;
- arrangement: the position of infrastructures with respect to each other or the environment.


Using a front view, the spatial aspects of transport corridors, except for the longitudinal aspect, can be visualized as shown in Figure 1 below. Figure 1 concerns an example of a corridor near a residential area including a highway and a railway.

Figure 1. Example of a highway/railway corridor.

During the past years scientists, emergency response workers and public decision makers have been intensively discussing safety aspects of transport corridors. In The Netherlands, with respect to the freight railway Betuweroute, Thissen (1993) concludes that from a scientific point of view, relevant safety aspects of transport corridors are still underexposed, and that additional thinking and analysis on these aspects is necessary. He states that in large-scale systems there is more going on than just the simple summation of single common aspects. He argues that mainports, transfer facilities and transport corridors have their intrinsic characteristics such as increase in scale, complexity, tight connections within logistical chains, complex decision making processes, spatial concentration and clustering infrastructures. Safety consequences of large-scale infrastructure developments could result in dilemmas, such as conflicts with environmental aspects, 'mutual interferences' caused by vicinity of various infrastructures and criticality of capacity and accessibility of emergency response organizations after calamities have occurred (Thissen, 1993).

With respect to the French Train à Grande Vitesse, which is for a substantial length clustered with French National Highway 1, Pronost (1992) addressed the safety concern induced by its large scale and complexity. From an emergency response point of view, Gorinchem's fire commander De Grunt mentioned the lack of attention in risk analysis to 'domino-effects' (i.e. accident propagation) as a result of clustering the Betuweroute with other major infrastructures (Orsel, 1993). From a public decision maker's point of view, the criticisms articulated concerned the insufficient safety information resulting from transportation risk analysis for deciding upon transport corridor alternatives. Two Dutch integral impact assessments concerning transport corridors concluded that prioritizing corridor alternatives based upon accompanying risk levels is impossible (De Graaf & Rosmuller, 1996).

Recapitulating, we could say that transport corridors seem to result in large-scale and complex systems in which unexpected mechanisms may put safety under serious pressure. However, insights into such unexpected mechanisms based upon empirical evidence are still absent.


3. Transportation accident search and analysis

As a guide to examine safety impacts of clustering, Kaplan and Garrick's triplet conception of risk, consisting of accident scenarios, accident frequencies and accident consequences, is used (1981). In this paper we will focus on accident scenarios and consequences. Insights in accident frequencies and accident causes as a result of clustering line infrastructures are presented in Rosmuller and Willems (1999).

Basically our research approach for analyzing accident consequences consists of three activities. Firstly, we search for transportation accidents in which clustered line infrastructures play a part. The corresponding accident scenarios and consequences are briefly described. Clustering related accident consequences are sub-divided into:

- Domino-effects: accidents on line infrastructure A may lead to consequences on parallel line infrastructures B or C.
- Synergism: the simultaneous occurrence of two or more accidents may have an impact that exceeds the sum of the impacts of the individual accidents.

Secondly, we search for transport accidents that have a similar accident scenario as the clustering related transport accident, except for the clustered line infrastructure aspect. Again we will briefly describe accident consequences of the selected accidents. Thirdly, the accident consequences of the clustered and the corresponding similar accident scenarios are compared.

The accident search is restricted to national highways, railways, pipelines and waterways. This implies that airways, electricity and information lines are excluded from the research, just as local streets, distribution pipelines and ditches. In addition the search is restricted to the world's most extensive database on hazardous material accidents, FACTS. FACTS is developed and maintained by the department of Industrial Safety of TNO (Dutch Organization for Applied Scientific Research) (FACTS, 1999).

Step 1: Clustered transportation accidents

To select transportation accidents containing domino-effects, three types of transportation accidents were distinguished. Firstly, we distinguished 'single mode transportation accidents' in which only one (single) line infrastructure is involved. Secondly, we distinguished 'multi-modal transportation accidents' in which several line infrastructures are involved. Thirdly, we distinguished 'clustering related transportation accidents', which are accidents involving clustered line infrastructures. To find domino-effects, single mode transportation accidents are selected first. Out of these single mode accidents, multi-modal transportation accidents are filtered. Out of these multi-modal accidents, clustering related transportation accidents are filtered, and these are analyzed to identify domino-effects. Figure 2 illustrates this procedure. By defining keywords per modality and applying the restriction of national scale, we found over 1200 single transportation accidents.


[Figure 2 panel labels: single mode transportation accident; multi-modal transportation accident; clustering related transportation accident]

Figure 2. Finding clustering related transportation accidents.

Next, transportation accidents that contained several modalities were filtered out of the single mode transportation accidents by combining keywords of the various modes. As a result about 115 multi-modal transportation accidents remained. Then, clustering related transportation accidents were filtered out of the set of multi-modal transportation accidents by studying the accident reports. This selection resulted in 31 clustering related transportation accidents. These 31 clustering related accidents were studied in depth to identify domino-effects and synergism. Annex A briefly presents these 31 accidents, describing the accident scenario and the consequences. Table 1 below lists the identified domino-effects and synergism. The number between brackets represents how often a certain domino-effect was found.

Table 1: Domino-effects and synergism (Rosmuller, 1997).

| Domino-effects | Explanation |
|---|---|
| Accidents | Accident may cause additional accidents (12). |
| Emergency response | Parallel line infrastructures may be used to respond to accidents but may also be barriers for emergency response workers to access accident spots (4). |
| Traffic interruption | Hazardous material accidents may cause parallel line infrastructures to be shut down (31). |

| Synergism | Explanation |
|---|---|
| Hazardous materials chemical reactions | Simultaneous releases of hazardous materials may originate chemical reactions, increasing impact areas (0). |
| Hazardous material and physical mechanisms | Leaking gas may be confined under driving vehicles and at the same time being well mixed with oxygen by vehicle turbulence. Ignition of such clouds results in tremendous over pressures (1). |

Step 2: Similar transportation accidents

The scenarios of clustered accidents as listed in Annex A are generalized by eliminating clustering related aspects from these scenarios. Each of the clustered accident scenarios is generalized this way. Next, we defined search strings per generalized accident scenario to find accidents in the FACTS database that are similar to the clustered accident (comparable accident parameters). This first search string included keywords concerning transport mode, hazardous material involved, and physical phenomenon. In most cases a number of accidents met the keywords of this first search string.


To select the best match, we defined a second search string, using more specific keywords per accident such as release amounts, pipe diameters, damage mechanisms, and in some cases year of occurrence. This second selection enabled us to find accidents that accurately match the clustered accidents. In 2 cases we could not find an accurate match. For the 29 remaining accidents, we collected the numbers of fatalities and injuries.

To clarify our selection procedure we will use as an example FACTS accident number 370 in Annex A. This accident concerns a clustered accident scenario in which a 219 mm diameter natural gas pipeline was ruptured, natural gas was released and subsequently ignited by a car (4 fatalities, no injuries). Generalizing this accident scenario means that the specific clustering aspect, namely the car as ignition source, is eliminated. What remains is a 219 mm diameter natural gas pipeline rupture followed by an ignition. Subsequently we defined the first search string containing the keywords: pipetransport, natural gas, ignition. As a result, a number of accidents (accident 370 included) were selected. Next, we defined the second search string, containing the keywords: pipe diameter about 220 mm and rupture. A few accidents remained. After analyzing these remaining accidents in depth, we selected FACTS accident number 10061 as the best match for clustered accident number 370. Analyzing accident 10061 revealed that neither fatalities nor injuries occurred.

Step 3: Comparing accident consequences

Table 2 below contains the elementary data for generating insights into the ways and the extent to which clustering line infrastructures affects safety. In this table we summarized both clustering related and similar accidents, using the generalized accident scenarios as a cornerstone.
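The two-stage search of Step 2 and the comparison of Step 3, sketched as an added Python example (it is not code from the paper or from FACTS). The record fields, the 5 % diameter tolerance and every record other than 370 and 10061 are assumptions; the final choice among the remaining candidates, made in the paper by in-depth analysis, is replaced here by the closest pipe diameter.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Accident:
    """One accident record; the field names are hypothetical, not the FACTS schema."""
    facts_no: int
    mode: str                   # transport mode keyword, e.g. "pipetransport"
    material: str               # hazardous material involved
    phenomenon: str             # physical phenomenon, e.g. "ignition"
    mechanism: str              # damage mechanism, e.g. "rupture"
    diameter_mm: Optional[int]  # None where no pipe is involved
    fatalities: int
    injuries: int
    clustered: bool             # True if the clustering aspect played a part


# Constructed sample pool. Only records 370 and 10061 and their casualty figures
# come from the paper; the diameter given for 10061 ("about 220 mm") and every
# record numbered 900001 or higher are invented for this illustration.
POOL: List[Accident] = [
    Accident(370, "pipetransport", "natural gas", "ignition", "rupture", 219, 4, 0, True),
    Accident(10061, "pipetransport", "natural gas", "ignition", "rupture", 220, 0, 0, False),
    Accident(900001, "pipetransport", "natural gas", "ignition", "rupture", 711, 1, 3, False),
    Accident(900002, "pipetransport", "natural gas", "ignition", "leak", 219, 0, 1, False),
    Accident(900003, "pipetransport", "propane", "ignition", "rupture", 203, 0, 2, False),
    Accident(900004, "road", "LPG", "release", "overturn", None, 2, 5, True),
]


def first_search(pool: List[Accident], scenario: Accident) -> List[Accident]:
    """First search string: transport mode, hazardous material, physical phenomenon."""
    key = (scenario.mode, scenario.material, scenario.phenomenon)
    return [a for a in pool if (a.mode, a.material, a.phenomenon) == key]


def second_search(candidates: List[Accident], scenario: Accident,
                  tol: float = 0.05) -> List[Accident]:
    """Second search string: same damage mechanism and a comparable pipe diameter."""
    hits = []
    for a in candidates:
        if a.mechanism != scenario.mechanism:
            continue
        if scenario.diameter_mm is not None:
            if a.diameter_mm is None:
                continue
            if abs(a.diameter_mm - scenario.diameter_mm) > tol * scenario.diameter_mm:
                continue
        hits.append(a)
    return hits


def best_match(pool: List[Accident], scenario: Accident,
               tol: float = 0.05) -> Optional[Accident]:
    """Return the non-clustered accident closest to the generalized scenario, or None."""
    hits = [a for a in second_search(first_search(pool, scenario), scenario, tol)
            if not a.clustered]
    if not hits:
        return None  # the "No accurate match" case
    if scenario.diameter_mm is None:
        return hits[0]
    return min(hits, key=lambda a: abs(a.diameter_mm - scenario.diameter_mm))


def compare(pool: List[Accident], scenario: Accident) -> Dict[str, Optional[int]]:
    """Step 3: casualties of the clustered accident minus those of its best match."""
    similar = best_match(pool, scenario)
    if similar is None:
        return {"clustered": scenario.facts_no, "similar": None,
                "extra_fatalities": None, "extra_injuries": None}
    return {"clustered": scenario.facts_no, "similar": similar.facts_no,
            "extra_fatalities": scenario.fatalities - similar.fatalities,
            "extra_injuries": scenario.injuries - similar.injuries}


def compare_all(pool: List[Accident]) -> List[Dict[str, Optional[int]]]:
    """Run the comparison for every clustering related accident in the pool."""
    return [compare(pool, a) for a in pool if a.clustered]


if __name__ == "__main__":
    for row in compare_all(POOL):
        print(row)
```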


Table 2: Summary of clustered and similar accidents.

| Accident scenario and hazardous material involved | Clustered accident (FACTS no.) | Similar accident (FACTS no.) |
|---|---|---|
| Derailment of a freight train caused ammonia release from tank wagon. | 3894 | 269 |
| Ignition of natural gas vapor-cloud released from a 1220 mm diameter | 1539 | 3080 |
| Rupture of a 324 mm diameter natural gas pipeline. | 712 | 2531 |
| Detonation of tank wagon loaded with monomethylamine during switching operation. | 2065 | 376 |
| Ruptured 219 mm diameter natural gas liquids pipeline released vapor cloud that was ignited. | 370 | 10061 |
| A benzine loaded tank collided with viaduct during heavy rainstorm. | 734 | 2205 |
| Ignition of vaporized propane cloud released from a 203 mm diameter propane pipeline. | 951 | 716 |
| A collision of two freight trains caused release of diesel and fuel oil pollution. | 2476 | 12169 |
| A LPG loaded tank vehicle overturned and fell upon 50 mm diameter LPG pipeline. | 1861 | 57 |
| A main pipeline leaked natural gas. | 614 | 10061 |
| A bulldozer struck and ruptured a 219 mm diameter refined petroleum products pipeline. | 3646 | 716 |
| A ruptured 812 mm diameter kerosene pipeline caused oil release and pollution. | 3064 | 6435 |
| An excavator ruptured a natural gas pipeline and natural gas was released. | 709 | 10061 |
| Derailment of tank wagons loaded with sulfuric acid ruptured pressurized natural gas pipelines. | 4416 | 4354 |
| A truck loaded with light naphtha collided and got on fire. | 7605 | 11113 |

Fatalities and injuries columns (clustered and similar accidents), cell values in extraction order, row assignment not recoverable: 9; 53; 3; 46; 3, 2, 4, 3, 1, 1, 1; 113; 3; 4, -.

Table 2: Continued.

| Accident scenario and hazardous material involved | Clustered accident (FACTS no.) | Similar accident (FACTS no.) |
|---|---|---|
| Short-circuiting caused rupture of natural gas pipeline (8 atm.). | 3955 | 5292 |
| A backhoe hit inadvertently a valve of a gasoline pipeline causing spill and evacuation. | 8757 | 9602 |
| Wreck of a derailed train lay above gasoline pipeline. | 10742 | 585 |
| Natural gas escaped from 711 mm diameter natural gas pipeline and was subsequently ignited by the sparks. | 10355 | 9245 |
| Groundwork activities damaged a main natural gas pipeline causing gas release. | 10133 | 6451 |
| Damaged meterbox of a main natural gas pipeline. | 10345 | No accurate match |
| During digging a main natural gas pipeline was hit and natural gas was released developing in a vapor cloud. | 10964 | 10061 |
| A loaded LPG truck sheared off its relief valves. | 10894 | 11995 |
| Groundwork activities ruptured a 150 mm diameter pressurized natural gas pipeline. | 10726 | 13595 |
| A tank vehicle leaked acetyl chloride. | 12643 | 14032 |
| Collision with car and road tanker caused kerosene leakage. | 12292 | 11259 |
| A ruptured 500 mm diameter crude oil pipeline caused oil spill. | 11451 | 10196 |
| Groundwork activities punctured natural gas pipeline. | 11419 | 8964 |
| Train collision at level crossing causing train overturning over buried 152 mm diameter aviation fuel pipeline and 254 mm diameter unleaded gasoline pipeline. | 14080 | No accurate match |
| Ruptured 305 mm diameter crude oil pipeline. | 12171 | 3091 |
| Digging caused failure of a main natural gas pipeline. | 14005 | 13349 |

Fatalities and injuries columns (clustered and similar accidents), cell values in extraction order, row assignment not recoverable: 2, >600, 1, >70, -; 31, >700, 5, >30, -; 1; 2, >8, 3, 1, 1, 1; 27, -; 30, -.


Based upon Table 2 we conclude that:

- Comparing the number of fatalities and injuries per accident scenario reveals that on clustered line infrastructures the same scenario results in most cases in more severe accident consequences than in situations in which line infrastructures are not clustered.
- Analyzing involved transport modes reveals that pipelines are amply represented. However we do not think that pipelines are relatively dangerous. Moreover we think an explanation for this ample representation could be that pipelines are easier to cluster more tightly than other transport modes because of pipelines' underground dimension. In addition, pipeline release volumes are relatively unlimited compared to possible release volumes of tank vehicles, barges, and rail wagons. This relatively unlimited hazardous material release opportunity of pipelines implies that effect areas of pipeline accidents may exceed effect areas of the other modes, other things equal. As a result of the combination of this potentially expanded effect area and the possibility for tight clustering, pipeline accidents may more easily involve other line infrastructures in accident scenarios.
- Opposite to pipelines, waterways are scarcely represented in clustered accidents (see also Annex A). Although inland navigation hazardous materials shipment volumes exceed road and rail shipment volumes, we assume that because of widths of waterways in combination with fewer possibilities for tight clustering, waterways are scarcely represented in our search results.

4. Conclusions

Our goal was to give insights, using empirical data, into the ways accident consequences are affected when developing transport corridors. As a result of our database analysis, we conclude that given an accident, negative human accident consequences (fatalities and injuries) are more severe in case line infrastructures are clustered compared to line infrastructures that are not clustered. In addition, the analysis of clustered accidents (see annex A) revealed that accidents on clustered line infrastructures may result in various accident consequences that are particularly related to this clustering aspect. These particular accident consequences include traffic interruption and both positive and negative opportunities for emergency response activities.

As a result of these findings we think safety should be given special attention in situations when one intends to cluster line infrastructures. As shown in this paper, database analyses could generate useful information to support safety analysts even in situations that are less well known or even 'new'.


References
Bovy, P.H.L. & F.M. Sanders, (1997). Een ruimtelijk concept voor toekomstig vervoersmanagement, Stedebouw & Ruimtelijk Ordening, Themanummer Infrastructuur and Verstedelijking, Vol. 78, No. 3, pp. 27-31.
De Graaf, F.T.G. & N. Rosmuller, (1996). Veiligheid in Grote Infrastructurele Projecten; twee case-studies. Delft, The Netherlands.
FACTS, (1999). Accident database with hazardous materials, developed and maintained by the department of Industrial Safety of TNO (Dutch Organization for Applied Scientific Research), April 8th 1999, Apeldoorn, The Netherlands.
Joachim, H., (1987). Planungsrecht und Planungsregeln beim Bau von Versorgungsleitungen, zum Problem der Leitungsbündelung, Raumforschung und Raumplanung, Vol. 4.
Kaplan, S. & Garrick, B.J., (1981). On The Quantitative Definition of Risk, Risk Analysis, Vol. 1, No. 1, pp. 11-27.
Orsel, ., (1992). De risico's van de Betuweroute moeten besproken worden, Alert, Vol. 6, No. 11, pp. 28-31.
Rosmuller, N., (1997). Clustering Related Transportation Accident Analysis: Interferences and domino-effects, pp. 137-147, 14th International System Safety Conference, Washington, System Safety Society, Virginia, USA.
Rosmuller, N. & Willems, J., (1999). Accident Frequencies and Causes within Transportation Corridors: balance or imbalance?, pp. 577-587, 2nd World Congress Safety of Transportation: Imbalance between growth and safety?, Delftse Universitaire Pers, Delft, The Netherlands.
Sottiaux, C., Journet & Philippe, (1994). Des réalisations concrètes pour protéger l'environment, Revue générale des chemins de fer.
Thissen, W.A.H., (1993). Veiligheid van grootschalige infrastructuren, pp. 160-165, in: Betuweroute; "Zegen of bedreiging?", NIROV/VLOB, Tiel, The Netherlands.
Weir, C.H., & P. Eng, (1963). Some comments on Joint Usage of Utility Corridors, pp. 21-31, in: Joint Usage of Utility and Transportation Corridors, C.H. Klohn (red). American Society of Civil Engineers, New York, USA.
Willems, J., (1996). Bundling infrastructure: Theory and design structure, pp. 1-14, 2nd TRAIL PhD Congress, 1996, "Defence or Attack", TRAIL, Delft, The Netherlands.


Annex A: Clustering related transportation accidents.

| Facts no. | Location (country), Yr | Scenario and involved hazardous material |
|---|---|---|
| 3894 | Crete (USA), 1969 | Derailment of a freight train caused ammonia release from tank wagon. |
| 1539 | Veendam (NL), 1973 | Sparks from high tension line ignited the natural gas vapor-cloud released from a leaking valve, as a part of a 1220.0 mm diameter natural gas pipeline. |
| 712 | Farmington (USA), 1974 | Rupture of a 324 mm diameter natural gas pipeline. An automobile probably ignited the released vapor cloud. |
| 2065 | Wenatchee (USA), 1974 | Detonation of tank wagon loaded with monomethylamine during switching operation. |
| 370 | Devers (USA), 1975 | Ruptured 219.1 mm diameter natural gas liquids pipeline released vapor cloud that was ignited by a passing car. |
| 734 | Seattle (USA), 1975 | A benzine loaded tank collided with viaduct during heavy rainstorm. |
| 951 | Donnelson (USA), 1978 | External mechanical damage failed a 203 mm diameter propane pipeline. An unknown source ignited the released vaporized propane cloud. |
| 2476 | Yverdon (CH), 1978 | A collision of two freight trains caused release of diesel and fuel oil pollution nearby lake and highway. |
| 1861 | Noordwolde (NL), 1979 | A tank vehicle overturned and fell upon 50 mm diameter LPG pipeline. |
| 614 | (NL), 1979 | A main pipeline leaked natural gas along highway. |
| 3646 | Bayamon (PR), 1980 | A bulldozer struck and ruptured a 203 mm diameter refined petroleum products pipeline. |
| 3064 | Manassas (USA), 1980 | A ruptured 812 mm kerosene pipeline caused oil release and pollution. |
| 709 | Almen (NL), 1980 | An excavator ruptured a natural gas pipeline. Natural gas was released. |
| 4416 | (USA), 1982 | Derailment of six tank wagons loaded with sulfuric acid ruptured three pressurized natural gas pipelines. |
| 7605 | Weatherford (USA), 1982 | A truck loaded with light naphtha collided and got on fire. |
| 3955 | Rotterdam (NL), 1982 | Short circuiting caused rupture of natural gas pipeline. |

Involved transport mode column, entries in extraction order, row assignment not recoverable: Railway, Highway, Pipeline, Highway, Pipeline, highway, Railway, Highway, River, Pipeline, Railway, Highway, Highway, Railway, Pipeline, highway, Railway, highway, Highway, pipeline, Pipeline, highway, Pipeline, highway, waterway, Pipeline, River, Pipeline, Waterway, Highway, Railway, Pipeline, Highway, Railway, Railway, pipeline.

Traffic interruption column, entries in extraction order, row assignment not recoverable: Highway shutdown for about 2 days / Highway shut down for several hours / Unknown Highway shutdown / Interrupted rail and highway traffic for several days / High-voltage electric transmission lines (3 days shutdown) Melted electric power and telephone lines Highway shut down for several days Pipeline shutdown Highway traffic interruption for 48 hours Highway and river shut down (about 4 hr) Polluted reservoir and river 5 days shut down Waterway and highway traffic interruption / Pipeline shut down and railway traffic interruption Unknown Underground traffic interruption.

Annex A: Continued.

| Facts no. | Location (country), Yr | Scenario and involved hazardous material |
|---|---|---|
| 8757 | Staten Island (USA), 1985 | During groundwork a backhoe hit inadvertently a valve of a gasoline pipeline causing spill and evacuation. |
| 10742 | San Bernadino (USA), 1989 | Wreck of a derailed train lay above gasoline pipeline. |
| 10355 | Novosibirsk (SU), 1989 | Natural gas escaped from 711 mm diameter natural gas pipeline. Sparks of electric wires from passing train ignited the gas. |
| 10133 | Rheden (NL), 1989 | Groundwork activities damaged a main natural gas pipeline causing gas released in sewer system. |
| 10345 | Valkenburg (NL), 1990 | A parked trailer rolled down the slope of a highway and collided against meterbox of a main natural gas pipeline. |
| 10964 | Venlo (NL), 1990 | During digging a main natural gas pipeline was hit. Natural gas was released, developing in a vapor cloud. |
| 10894 | Toronto (CDN), 1991 | A loaded LPG truck sheared off its relief valves. |
| 10726 | Vianen (NL), 1991 | Groundwork activities ruptured a 150 mm pressurized natural gas pipeline. |
| 12643 | 's-Gravendeel (NL), 1992 | A tank vehicle leaked acetyl chloride causing enormous queues during start of holidays. |
| 12292 | Runcorn (GB), 1993 | Collision with car and road tanker caused kerosene leaking on railway. Overhead rail power lines ignited the fuel. |
| 11451 | Bad Dnenberg (D), 1993 | A ruptured 500 mm diameter crude oil pipeline caused oil spill and highway traffic interruption. |
| 11419 | Caracas (VZ), 1993 | During digging near a highway in rush hour traffic a main natural gas pipeline was punctured, the pipeline ruptured, and engulfed a parallel highway. |
| 14080 | Intercession City (USA), 1993 | Vehicle at level crossing was jammed and train collided and overturned over buried aviation fuel pipelines that were not damaged. |
| 12171 | Maturili (YV), 1994 | Buses jammed to roadside and crushed a crude oil pipeline. |
| 14005 | Apeldoorn (NL), 1998 | Boring and digging at wrong place caused failure of a main natural gas pipeline. |

Involved transport mode column, entries in extraction order, row assignment not recoverable: Pipeline, Railway, Railway, Pipeline, Pipeline, Railway, Pipeline, highway, Railway, Pipeline, highway, Railway, Pipeline, Highway, Railway, Highway, Railway, Pipeline, highway, Highway, Railway, Highway, Railway, Pipeline, highway, Pipeline, highway, Railway, pipelines, Highway, pipeline, Pipeline.

Traffic interruption column, entries in extraction order, row assignment not recoverable: Gas and electricity shut down / 13 days pipeline shutdown, railway traffic shutdown Unknown Railway shut down for half an hour Railway traffic interruption for several hours Railway and highway traffic interruption / 3 hours traffic interruption on gas and electricity supplies, highway and railway Highway traffic interruption for 2 hours Railway interruption for several hours railway traffic shutdown Highway traffic interruption for several days Unknown Pipeline shutdown (about 13 days) Railway shutdown Unknown Railway traffic interruption for 7 hours.


Vulnerability in the road transportation system


Basic concepts and theoretical framework
Katja Berdica
Div. of Transport and Location Analysis
Dept of Infrastructure and Planning
Royal Institute of Technology
100 44 Stockholm, Sweden

1. Introduction

1.1 General about the project

The vulnerability of the road transportation system is an area of great economic importance. Incidents like collapsing bridges, extreme weather situations and traffic accidents may reduce the capacity of the system, resulting in loss of travel time and other traffic costs. The aim of the present project "Vulnerability in the Swedish Road Transportation System" is to study various aspects of vulnerability by:

- surveying the main vulnerability problems,
- developing methods for evaluating reduced vulnerability,
- investigating possible measures that can be taken to reduce vulnerability,
- performing case studies, both from national and regional perspectives.

1.2 Background

A literature review was carried out during 1998, with the aim to:

- shed some light on what has been published in terms of research on the subject of vulnerability in the road transportation system,
- discuss a number of definitions and concepts in a first step of a more concrete characterisation of the vulnerability of a road network.

There has been little research carried out, both in Sweden and abroad, on the vulnerability of the road transportation system - at least from the point of view taken in this project. As a result, there is an overall need for a more concrete characterisation of the concept of vulnerability in the road transportation system. This paper is an excerpt/summary of the resulting report "Vulnerability in the road transportation system - State of the Art and Conceptualisation", which is an attempt to define a relevant terminology and to gradually build a more rigorous framework, which is currently missing, for the subject in question.


2. Definitions and concepts

2.1 Serviceability

In this project, the vulnerability of the road transportation system is not regarded from a safety point of view, but rather as a problem of reduced accessibility that occurs because of various reasons. Also, in this case we stress the function of the system rather than the physical network itself, even if some of the reasons for discontinuities in the road network are indeed caused by physical failures. Even though accessibility depends on the degree to which the transportation system is functioning, it is actually approaching the issue from the demand side. At this stage it is however more interesting to regard the road network from the supply side, meaning the actual existence of a functioning route from one location to another. Therefore, it is in the case of this project better to describe the performance of the road transportation system in terms of serviceability:

=> the serviceability of a link/route/road network describes the possibility to use that link/route/road network at a given time.

2.2 Incidents

The events of interest in the case of vulnerability in the road transportation system are the ones causing disturbances in traffic. Some of these events can be of a more or less sudden/unpredictable nature (e.g. accidents), while others are planned in advance (e.g. road works). What they have in common though is that they could have a negative influence on the serviceability of the road network, either on their own or by starting a chain of events resulting in a disturbance. These events are therefore referred to as incidents.

=> an incident is an event that can cause reductions in the serviceability of a link/route/road network.

2.3 Risk

Risk is generally associated with something that has negative consequences on life, health and/or the environment. The definitions of the term vary, but most involve a combination of two parts:

1. the probability for an event of negative impact to occur, and
2. the extent of the resulting consequences once this event has taken place.

The previously mentioned incidents, causing the road transportation system to "malfunction", cover a wide range of combinations where probabilities and consequences are concerned: from minor accidents that happen every now and then, to highly improbable failures (e.g. of a bridge) resulting in serious injuries.


This stresses the importance of a risk definition that takes both these aspects into account. By doing that, the expected consequences (in a probabilistic sense) could be one way of operationalising risk.

=> risk is a composite of 1) the probability for an incident to occur and 2) the resulting consequences should the incident occur.

2.4 Vulnerability

By using the terms that have been defined so far, it is possible to make a general definition of vulnerability:

=> vulnerability in the road transportation system is a susceptibility to high risks for incidents reducing the road network serviceability.

Referring to the above definitions, vulnerability can be reduced in two ways: by approaching the problem from a fail-safe or a safe-fail perspective. The first means that the probability for e.g. a bridge to fail is reduced, while the second implies that different measures are taken in order to reduce the resulting consequences.

2.5 Reliability

For further characterisation, the term reliability is introduced and defined as the opposite of vulnerability. For this to hold, considering the composite risk concept, a wider interpretation of reliability must be chosen since reliability studies are generally concerned with probabilities only. This is accomplished by including performance "restrictions" in the definition.

=> reliability in the road transportation system is the "insurance" of adequate performance under the operating conditions encountered at a given time, and "vulnerability = 1 - reliability".

2.6 Wheel of concepts

By addressing the terms above in that order one can see a system of back tracking the issue at hand by a series of sequential definitions, each depending upon the other.


[Figure: wheel diagram; legible labels: risk, probability, consequence]
Figure 1. Vulnerability in the road transportation system: Wheel of Conceptions.

3. Reliability theory approach

3.1 General

Since the subject of vulnerability in transportation systems has not been considered directly, an alternative approach is needed. To define vulnerability as the opposite of reliability allows us to address issues of vulnerability in transportation systems indirectly, by way of well established reliability theory. Reliability in transportation systems describes the possibility of successfully travelling from one place to another. Also, reliability in transportation networks has two aspects, that of connectivity (probability of at all reaching the chosen destination) and that of travel time (probability of reaching the chosen destination within a given time). The main difference from traditional systems reliability analysis is the identification of an acceptable level of service, exchanging the digital system states "functioning-not functioning" with "serviceability acceptable-not acceptable". Furthermore, changes in reliability can be observed as a result of either fluctuation in traffic flow ("normal" conditions) or fluctuation in capacity ("abnormal" conditions). This chapter gives rather detailed accounts of a number of interesting references pertaining to these matters.

3.2 Network reliability in general

Wakabayashi and Iida (1992) and Bell and Iida (1997) focus on reliability from the connectivity point of view, also referred to as terminal reliability. State variable $x_i$ represents the state (of for example congestion) on link $i$ and

$$x_i = \begin{cases} 1 & \text{if link } i \text{ functions} \\ 0 & \text{otherwise} \end{cases}$$

The system reliability value is found through the structure function $\phi(\mathbf{x})$, where $\mathbf{x}$ is the system state vector containing the link state variables, and

$$\phi(\mathbf{x}) = \begin{cases} 1 & \text{if the system functions} \\ 0 & \text{otherwise} \end{cases}$$

For systems that have or easily can be broken down into a series and/or parallel configuration, the structure function is simply

$$\phi(\mathbf{x}) = \begin{cases} \prod_{i=1}^{n} x_i & \text{for a series system} \\ 1 - \prod_{i=1}^{n} (1 - x_i) & \text{for a parallel system} \end{cases}$$

or a combination of these. For more complicated systems the structure function is derived by different methods, of which "path-and-cut" is the most practical. With this method system reliability is calculated directly from either

the minimal paths = minimum number of successive links needed to connect a pair of nodes, regarded as series systems in parallel:

$$\phi(\mathbf{x}) = 1 - \prod_{s=1}^{p} \bigl(1 - \alpha_s(\mathbf{x})\bigr) = 1 - \prod_{s=1}^{p} \Bigl(1 - \prod_{i \in P_s} x_i\Bigr)$$

where:
$p$ = total number of minimal path sets;
$P_s$ = the s:th minimal path set;
$\alpha_s$ = structure function for minimal path set s.

As long as any one of the paths functions, the system functions.

or the minimal cut sets = minimum number of links needed to disconnect a pair of nodes, regarded as parallel systems in series:

$$\phi(\mathbf{x}) = \prod_{s=1}^{k} \beta_s(\mathbf{x}) = \prod_{s=1}^{k} \Bigl(1 - \prod_{i \in K_s} (1 - x_i)\Bigr)$$

where:
$k$ = total number of minimal cut sets;
$K_s$ = the s:th minimal cut set;
$\beta_s$ = structure function for minimal cut set s.

If any one of the cut sets fails, the system fails. Link reliability $r_i$ is the expected value of the (assumed) random binary variable $x_i$ and system reliability $R$ is the expected value of the structure function. However, the evaluation of $R$ requires Boolean algebra (since links can appear in more than one set) which involves complicated calculations.
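The following added example (not code from the paper or from the cited authors) evaluates the path-and-cut structure functions on a constructed five-link bridge network. It shows that the two forms agree on every link state, and that substituting link reliabilities directly into them, without the Boolean reduction, gives only an upper and a lower bound on the exact terminal reliability because links appear in more than one set. The network, the link numbering and the reliability value 0.9 are assumptions made for the illustration.

```python
from itertools import product
from math import prod

# Constructed five-link bridge network between origin O and destination D
# (not from the paper): links 1 (O-A), 2 (O-B), 3 (A-B), 4 (A-D), 5 (B-D).
LINKS = [1, 2, 3, 4, 5]
MIN_PATHS = [{1, 4}, {2, 5}, {1, 3, 5}, {2, 3, 4}]  # minimal path sets P_s
MIN_CUTS = [{1, 2}, {4, 5}, {1, 3, 5}, {2, 3, 4}]   # minimal cut sets K_s


def phi_paths(x):
    """Structure function from minimal paths (series systems in parallel)."""
    return 1 - prod(1 - prod(x[i] for i in path) for path in MIN_PATHS)


def phi_cuts(x):
    """Structure function from minimal cuts (parallel systems in series)."""
    return prod(1 - prod(1 - x[i] for i in cut) for cut in MIN_CUTS)


def all_states():
    """Enumerate every binary link state vector x."""
    for bits in product((0, 1), repeat=len(LINKS)):
        yield dict(zip(LINKS, bits))


def forms_agree():
    """Both forms must give the same 0/1 value for every state vector."""
    return all(phi_paths(x) == phi_cuts(x) for x in all_states())


def exact_reliability(r):
    """R = E[phi(x)] for independent links, by summing over all states."""
    total = 0.0
    for x in all_states():
        p_state = prod(r[i] if x[i] else 1 - r[i] for i in LINKS)
        total += p_state * phi_paths(x)
    return total


def upper_bound_from_paths(r):
    """Path form with r_i in place of x_i: treats shared links as independent
    copies, so it overestimates R."""
    return phi_paths(r)


def lower_bound_from_cuts(r):
    """Cut form with r_i in place of x_i: underestimates R."""
    return phi_cuts(r)


if __name__ == "__main__":
    r = {i: 0.9 for i in LINKS}
    print("forms agree:", forms_agree())
    print("lower bound:", round(lower_bound_from_cuts(r), 6))
    print("exact R    :", round(exact_reliability(r), 6))
    print("upper bound:", round(upper_bound_from_paths(r), 6))
```
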


Furthermore, large or very complicated networks result in a great amount of calculation. Therefore various heuristic methods for obtaining estimated values of reliability (for instance upper and lower bounds) with or without Boolean algebra and some using partial path/cut sets are most interesting. Areas for further research are identified, in order to solve the problem that:

- connectivity reliability studies overlook mutual relationships or dependencies among links,
- connectivity reliability does not take flow on links into account,
- studies of travel time reliability, which is a completely different concept, are scarce and lack theoretical profundity,
- the methods described so far cannot be used in "abnormal" situations, as there is insufficient knowledge about flow variation under such conditions.

3.3 Reliability and fluctuation of traffic flow

The main issue in Asakura and Kashiwadani (1991) is a simulation model for estimation of distributions of day-to-day fluctuations of traffic flow during "ordinary" traffic conditions, that is when capacity is NOT reduced by road works, accidents, natural disaster etc. These results are then used to define and estimate two reliability measures:

1. Connection measure = the probability of travel in an origin-destination (OD) relation without encountering congestion beyond a certain level.
2. Time reliability measure = a) the probability of travel time in an OD-relation not exceeding the acceptable travel time, b) the upper limit of travel time in an OD-relation for a given probability.

The traffic assignment simulation model is based on the assumption that travel demand between each OD-pair fluctuates stochastically from day to day around its (observed/estimated) mean value and that this random variation can be described by two mutually independent random variables from the standard normal distribution. Each iteration $n$ describes the network traffic flow of one day.

$$X_{ij}^{n} = X_{ij}^{0}\,\bigl(1 + \varepsilon_{ij}^{n}\bigr)$$

$$\varepsilon_{ij}^{n} = \alpha\,\bigl(\lambda\, s_{ij}^{n} + (1 - \lambda)\, s^{n}\bigr)$$

where
$X_{ij}^{0}$ = mean OD-demand from i to j;
$X_{ij}^{n}$ = OD-demand in n:th iteration;
$\alpha$ = scale parameter of fluctuation;
$\lambda$ = correlation parameter of fluctuation, $0 < \lambda < 1$.

and $s_{ij}^{n}, s^{n}$ iid $\in N(0,1)$


As we can see, $s_{ij}$ represents OD-specific variation (e.g. special offer at a certain mall) while $s$ represents variation that affects the network as a whole (e.g. adverse weather). The parameter $\lambda$ decides how much of each type is included in the total variation $\varepsilon_{ij}$. Hence $\lambda$ represents the correlation of fluctuation between OD-pairs:

$$R = \frac{(1 - \lambda)^2}{\lambda^2 + (1 - \lambda)^2}$$

where $R$ is the correlation coefficient, and

- if $\lambda = 0$ => $\varepsilon_{ij} = \alpha s$, $R = 1$: demand fluctuation is the same for every OD-pair;
- if $\lambda = 1$ => $\varepsilon_{ij} = \alpha s_{ij}$, $R = 0$: completely independently fluctuating OD-demand.

3.3.1. Connection measure

A link in the network is regarded as disconnected if the level of congestion on it exceeds an acceptable level. Link congestion fluctuates in proportion to link traffic volume, which has been determined by the simulation model, and the following connection measure on link level can be defined:

$$r_a = \Pr[c_a < c_0] = \frac{M_a}{N}$$

where
$c_a$ = congestion on link a;
$c_0$ = congestion criterion;
$M_a$ = number of iteration cases when $c_a < c_0$;
$N$ = total number of iterations.

which in fact means that link a has smooth traffic on $M_a$ out of $N$ days. If the different routes (consisting of a number of links) between origin i and destination j can be regarded as parallel, the probability $R_{ij}$ of OD-pair ij being connected is:

$$R_{ij} = 1 - \prod_{k \in K_{ij}} \bigl(1 - r_{ij}^{k}\bigr) = 1 - \prod_{k \in K_{ij}} \Bigl(1 - \prod_{a \in L_{ij}^{k}} r_a\Bigr)$$

where
$r_{ij}^{k}$ = Pr [k:th route between i and j is connected];
$L_{ij}^{k}$ = set of links on the k:th route between i and j;
$K_{ij}$ = set of routes between i and j.

in accordance with the theory (Wakabayashi & Iida, 1992; Bell & Iida, 1997) presented in the previous section. By defining connectivity in terms of congestion level, this connection measure describes the probability of travelling between i and j without encountering unacceptable congestion.
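The demand fluctuation model and the connection measure above can be exercised with a short simulation. This is an added example, not the model of Asakura and Kashiwadani: the two OD-pairs, the four links, the capacities and the fixed link shares (used here in place of a traffic assignment step) are constructed assumptions. It checks the simulated correlation between OD-pairs against $(1-\lambda)^2 / (\lambda^2 + (1-\lambda)^2)$ and the simulated $r_a = M_a/N$ against its closed-form normal value.

```python
import random
from math import prod, sqrt
from statistics import NormalDist

# Constructed sample network (assumption, not from the paper).
MEAN_DEMAND = {"AC": 1000.0, "BC": 800.0}            # mean OD-demand X_ij^0
LINK_SHARE = {                                       # fixed share of each OD
    "a1": {"AC": 0.6},                               # demand using the link
    "a2": {"AC": 0.4, "BC": 0.5},
    "a3": {"BC": 0.5},
    "a4": {"AC": 0.6, "BC": 0.5},
}
CAPACITY = {"a1": 700.0, "a2": 900.0, "a3": 450.0, "a4": 1200.0}
ROUTES = {"AC": [["a1", "a4"], ["a2"]], "BC": [["a3", "a4"], ["a2"]]}
C0 = 1.0  # congestion criterion c_0 applied to c_a = flow / capacity


def theoretical_correlation(lam):
    """Correlation of eps between two OD-pairs implied by the model."""
    return (1 - lam) ** 2 / (lam ** 2 + (1 - lam) ** 2)


def simulate_fluctuations(alpha, lam, n_days, seed=1):
    """One dict of eps_ij per simulated day: alpha*(lam*s_ij + (1-lam)*s)."""
    rng = random.Random(seed)
    days = []
    for _ in range(n_days):
        s = rng.gauss(0.0, 1.0)                      # network-wide variation
        days.append({od: alpha * (lam * rng.gauss(0.0, 1.0) + (1 - lam) * s)
                     for od in MEAN_DEMAND})
    return days


def link_flow(link, eps):
    """Link volume on one day from X_ij^n = X_ij^0 * (1 + eps_ij^n)."""
    return sum(share * MEAN_DEMAND[od] * (1 + eps[od])
               for od, share in LINK_SHARE[link].items())


def connection_measures(days):
    """r_a = M_a / N: fraction of days with congestion below c_0."""
    n = len(days)
    return {a: sum(link_flow(a, eps) / CAPACITY[a] < C0 for eps in days) / n
            for a in LINK_SHARE}


def od_connection(od, r):
    """R_ij = 1 - prod_k (1 - prod_{a in route k} r_a), routes in parallel."""
    return 1 - prod(1 - prod(r[a] for a in route) for route in ROUTES[od])


def analytic_measure(link, alpha, lam):
    """Closed-form Pr[c_a < c_0]; the link flow is normal under the model."""
    loads = [share * MEAN_DEMAND[od] for od, share in LINK_SHARE[link].items()]
    mean = sum(loads)
    sd = alpha * sqrt(lam ** 2 * sum(v * v for v in loads)
                      + (1 - lam) ** 2 * mean ** 2)
    return NormalDist(mean, sd).cdf(C0 * CAPACITY[link])


def pearson(xs, ys):
    """Sample correlation coefficient."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy)


if __name__ == "__main__":
    days = simulate_fluctuations(alpha=0.2, lam=0.5, n_days=20000)
    r = connection_measures(days)
    print("r_a:", {a: round(v, 3) for a, v in r.items()})
    print("R_AC:", round(od_connection("AC", r), 3))
    print("correlation:", round(pearson([d["AC"] for d in days],
                                        [d["BC"] for d in days]), 3))
```
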


3.3.2. Time reliability measure

Because of the stochastic variation in traffic volume, travel time between OD-pairs is assumed to fluctuate randomly, following a normal distribution for which the parameters can be calibrated using the results of the simulation model. After identifying the probability density function $\Phi_{ij}(T)$ of travel time between i and j, the two time reliability measures previously stated are defined as:

a) $P_{ij}(T) = \Pr[t_{ij} < T] = \Phi_{ij}(T)$
b) $\tau_{ij}(P) = \Phi_{ij}^{-1}(P)$

where
$T$ = acceptable travel time;
$P$ = acceptable probability;
$\Phi_{ij}(\cdot)$ = distribution function of travel time;
$\Phi_{ij}^{-1}(\cdot)$ = inverse distribution function of travel time.

The two time reliability measures mirror the fact that depending on the situation, different aspects of travel time are important when comparing alternatives. If cost minimisation is the objective, the alternative with minimum average travel time is more reliable, but if there is a deadline involved, the alternative with the least variance would be preferred.

3.4 Improvement of reliability under traffic management

Wakabayashi and Iida (1993) propose new indicators of road network performance level, instead of the conventional quantitative (e.g. total length of road per unit) or static (e.g. average travel time) indicators of road network quality:

- terminal reliability = the probability that two given nodes are connected with a certain service level for a given time period, and
- travel time reliability = the probability that travel time between two given nodes will not exceed a given travel time, alternatively treated as the maximum travel time to arrive at a destination with given probability.

Traffic variation is assumed to be the main factor influencing both of the above. The difference from Asakura and Kashiwadani (1991), however, is the "abnormal conditions" approach, described in the statement that (quote): "A highly reliable road network provides sure and unfluctuating traffic service by offering drivers alternative routes even when some part of the network is unavailable due to traffic accidents, maintenance or natural disaster."

Terminal reliability is addressed on link level, with

$$r_a = \int_0^1 f(g_a)\, dg_a = \Pr(v_a < C_a)$$

where
$r_a$ = reliability of link a; attributed to stochastic traffic variation;
$f(g_a)$ = probability density function of $g_a$;
$g_a = v_a / C_a$ = degree of congestion;
$v_a$ = demand flow on link a; varies stochastically with OD-flow variation, which follows a normal distribution;
$C_a$ = capacity of link a; given and fixed.

In other words, link reliability of connectivity is the probability that demand flow does not exceed capacity on a certain link for given time periods. The variation in link flow originates in the variation in OD-flow, and

$$\sigma_a^2 = \sum_i \sum_j p_{a,ij}^2\, \sigma_{ij}^2 + \sum_{ij} \sum_{kl \neq ij} p_{a,ij}\, p_{a,kl}\, \sigma_{ij,kl}$$

where
$p_{a,ij}$ = portion of traffic $T_{ij}$ using link a;
$\sigma_{ij,kl}$ = covariance of OD-flows between OD-pairs ij and kl.

following the two assumptions that:

1. OD-flows are normal distributed $N(\mu_{ij}, \sigma_{ij}^2)$.
2. OD-portions using a certain link are constant => $v_a \in N(\bar{v}_a, \sigma_a^2)$.

This is explained in a functional model in which the coefficients of variation (COV) are given by:

COV=^L = ae -(f+5)

, where , , , and are parameters.

Link reliability of travel time can then be converted from that of connectivity, by
dt

where

ha(t) = probability density function for travel time; fa(v) = probability density function for demand traffic volume.

and using for instance the BPR function as link performance function. Estimations can then be made by two methods, by assuming either independent or correlated link flow variations. By considering traffic flows explicitly, the method proposed here by Wakabayashi and Iida can be used to assess the effects of a change in traffic flow on reliability. It is however a method not taking into account elastic demand, varying levels of degradation, or interdependent component states, as is the case in the model proposed in the next section.
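As an added illustration of this section (not code from Wakabayashi and Iida), the sketch below computes link reliability of connectivity Pr(v_a < C_a) for normally distributed OD-flows under the independent and the correlated assumption, and converts it to a travel time reliability through a BPR link performance function. The two OD-flows, their shares on the link, the capacity, the free-flow time and the correlation value are constructed assumptions; the BPR coefficients 0.15 and 4 are the commonly used defaults, not values given in the paper.

```python
from math import sqrt
from statistics import NormalDist

# Constructed sample data for one link a (assumptions, not from the paper).
MEAN = {"ij": 1200.0, "kl": 900.0}    # mean OD-flows
SD = {"ij": 150.0, "kl": 120.0}       # standard deviations of OD-flows
SHARE = {"ij": 0.5, "kl": 0.6}        # constant portions p_a using link a
CAPACITY = 1300.0                     # C_a, given and fixed
FREE_FLOW_TIME = 10.0                 # t_0 in minutes
BPR_A, BPR_B = 0.15, 4.0              # common BPR coefficients (assumed)


def covariance_matrix(rho):
    """Covariances of the OD-flows for a given correlation rho."""
    ods = list(MEAN)
    return {o: {q: SD[o] * SD[q] * (1.0 if o == q else rho) for q in ods}
            for o in ods}


def link_flow_moments(cov):
    """Mean and variance of v_a as a linear combination of OD-flows."""
    ods = list(MEAN)
    mean = sum(SHARE[o] * MEAN[o] for o in ods)
    var = sum(SHARE[o] * SHARE[q] * cov[o][q] for o in ods for q in ods)
    return mean, var


def connectivity_reliability(cov, capacity=CAPACITY):
    """r_a = Pr(v_a < C_a) with v_a normally distributed."""
    mean, var = link_flow_moments(cov)
    return NormalDist(mean, sqrt(var)).cdf(capacity)


def bpr_time(volume):
    """BPR link performance function t = t_0 * (1 + a * (v / C)^b)."""
    return FREE_FLOW_TIME * (1 + BPR_A * (volume / CAPACITY) ** BPR_B)


def bpr_inverse(time):
    """Volume at which the BPR travel time equals `time` (time >= t_0)."""
    return CAPACITY * ((time / FREE_FLOW_TIME - 1) / BPR_A) ** (1 / BPR_B)


def travel_time_reliability(cov, max_time):
    """Pr(t_a <= max_time): BPR is increasing in v, so this equals
    Pr(v_a <= bpr_inverse(max_time))."""
    if max_time < FREE_FLOW_TIME:
        return 0.0
    mean, var = link_flow_moments(cov)
    return NormalDist(mean, sqrt(var)).cdf(bpr_inverse(max_time))


if __name__ == "__main__":
    for label, rho in (("independent", 0.0), ("correlated", 0.8)):
        cov = covariance_matrix(rho)
        print(label, "r_a =", round(connectivity_reliability(cov), 4),
              "Pr(t <= 11 min) =", round(travel_time_reliability(cov, 11.0), 4))
```
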


3.5 Degradable transportation systems - an integrated equilibrium model

Nicholson and Du (1997) introduce the term "degradable transportation system" (DTS), since (quote): "transportation systems are subject to degradation as a result of a wide variety of events (e.g. earthquakes, floods, traffic accidents, adverse weather, industrial action, and inadequate maintenance) " Their proposed integrated equilibrium model (Nicholson & Du, 1997) is described in the following, as is a sensitivity and reliability analysis (Du & Nicholson, 1997) of that model. "Lifeline engineering" is concerned with the importance and hence the vulnerability of lifeline systems, e.g. energy supply, communication etc. The emphasis has been on reducing direct repair costs, with little attention paid to the increased user costs during disruptions. However, the literature contains very little about the transportation system from a lifeline perspective, even though damage to this system affects the possibilities for repairing other lifeline systems. In transportation lifeline improvement, improving component reliability has been the focus, with other options being: improving network configuration, having stand-by components, monitoring critical degradation, undertaking regular preventive maintenance, identifying priorities for repairs. In reliability engineering, network reliability models have been developed for both pure networks and flow networks. Existing models are however lacking on a number of accounts when considering transportation networks: Pure network models concentrate on the connectivity of the network, ignoring flow demand, capacity constraints, user route choice, cost-flow relationships. Flow network models generally assume 1) fixed traffic demand, which is not true when a closed or partly closed route causes the generalised travel cost to change, and 2) maximum possible flow, which is virtually impossible to assure in a system of limited control. 
Existing network reliability models do not take proper account of changes in travel behaviour and they do not allow for components to have degradation levels between full and zero capacity. The general assumption of statistically independent component states does not always hold in transportation networks, e.g. snow storms influence roads in a whole area and limited clearing resources can cause "competition" between links. A graph theory approach, for assessing the reliability of travel between a pair of nodes in a transportation network, was developed by Wakabayashi and Iida (1993) but it does not allow for elastic demand, varying levels of degradation, or interdependent component states (see Section 4.2.2). This is the case in the proposed
integrated equilibrium model. Also, this model focuses on long duration capacity variations (as opposed to day-to-day variations in traffic flow), since there is more scope for traffic to move toward a new equilibrium situation. The network configuration chosen for the DTS is a multimodal (as different modes are not necessarily affected equally by an event) network of arcs connecting a number of origin and destination nodes. One or more arcs make up possible paths between a given OD-pair. Each arc pertains to a single mode, hence there is no modelling of interactions between different types of vehicles. Moreover, this means that path choice also implies mode choice. Both arcs and nodes are system components of the DTS, although all component degradation is considered to occur within arcs. The following flow and incidence variables are considered:

$f_k$ = person flow¹ between the k-th OD-pair
$q_h$ = person flow on path h
$v_a$ = vehicle flow² on arc a

kh = 1 if path h connects the k-th OD-pair, 0 otherwise
1 = 1 if arc a is on the path h, 0 otherwise

We can also at this stage define $H_k$ = {h \ ^ - 1}, i.e. the set of paths connecting the k-th OD-pair. The relationship between a given component state vector x and its corresponding system state vector [f, v] (where f = f(x) is the vector of the components $f_k$ and v = v(x) is the vector of the components $v_a$) is defined using a combined model which solves the problems of traffic generation, distribution, modal split and assignment simultaneously within a framework based on the assumption of demand-supply equilibrium. It is assumed that demand in each OD-pair can be formulated explicitly as a function of the generalised travel cost as $f_k = D_k(c_k)$, where $f_k > 0$ is continuous and decreasing for $c_k > 0$ increasing. These assumptions are satisfied by various forms of demand function, including the logit, power, exponential, and elastic exponential functions. The supply function is a multivariable function and is therefore represented implicitly in the following. Path flows are determined from OD-flows by assuming that individuals choose paths in order to minimise their generalised costs and in an equilibrium situation all used paths between any OD-pair have equal generalised path costs $g_h$, not greater than those on unused paths³. For $h \in H_k$:

¹ More appropriate since paths between OD-pairs can include arcs of different modes.
² Here vehicle flow is appropriate, as it allows for modelling effects of congestion.
³ This is the usual Wardrop condition on user equilibrium.


= Sh <gh

h ifqh = 0 Qh = ah(fk) (i)

iia >0

2-1 ? khi h ~ Jk

We can now express ua, the person flow on the a:th arc, as

V j =

^ L

(0<Vfl<Xa)

Where ya = average vehicle occupancy rate (persons/vehicle) for arc a The travel time t on arc a (ta > 0) is a function of the vehicle flow and the component state and does in turn influence the generalised travel cost ea on the arc4, that is: K = ta(va,xa) ea=ea+(pta where = average value of time ( > 0). We can now write:
St, 2L^ahea

mm g, 6

()

Equations (i) and (ii) imply a supply function q. = Sk(f) and the supply-demand equilibrium condition gives us D^'1^*) = Sf*) = c*, where the star represents the equilibrium situation and D](-) is the inverse of the demand function Z)()

[Figure: cost plotted against flow, showing the supply curve and the inverse demand curve meeting at the equilibrium point.]

Figure 1. Supply-demand interaction. (Source: Nicholson & Du, 1997; author's adaption).

( e ^ > 0) = fixed cost, e.g. public transport fare, car operation cost, road toll etc.


In the assessment of the socio-economic impact of system degradation, changes in both flow and travel cost are to be considered. System surplus, i.e. the sum of user and producer surpluses (area ABC in figure 2(a) below), is used as the measure. System degradation, i.e. a reduction in supply, results in a decrease in system surplus (area BCDE in figure 2(b) below).

[Figure: panels (a) and (b), cost plotted against flow; panel (b) shows the supply curve before and the supply curve after degradation.]

Figure 2. (a) System surplus; (b) Decrease in system surplus. (Source: Nicholson & Du, 1997; author's adaption).

The traditional system performance measure in reliability engineering "total cost" (i.e. the sum over k of cost multiplied with flow for each OD-pair k) is not a very suitable measure for a DTS, since distinctly different situations can give very similar total generalised costs (e.g. high generalised cost/low flow versus low generalised cost/high flow). It is clear that the areas ABEF and CDEG in the following figure can well be of the same size. Putting it to the extreme, cost minimisation could be obtained by simply prohibiting all traffic or by removing all roads, which would no doubt reduce travel time to a minimum! System surplus is hence deemed a better performance measure.

[Figure: cost plotted against flow, showing the supply curve before and the supply curve after degradation.]

Figure 3. Different conditions can give similar total generalised costs: ABEF = CDEG. (Source: Nicholson & Du, 1997; author's adaption).

The system surplus is denoted SS(q,x), since it is a function of the OD-flow, arc flow and component state vectors (f, v and x respectively) of which the first two are functions of the path flow vector q, which is in turn a function of x. Given the arc capacity vector x, find $q = [q_h \mid h \in H]$ to maximise:


SS(q,x)=JJ

\^1(/-
a

k o

J k+(Pta(v,xa)]Yadv
0

; qh>0

The authors refer to previous work that has shown that the equilibrium OD-flow and path flow vectors, and system surplus, are unique - although the equilibrium path flow vector generally is not (which is also the case in the standard traffic assignment problem) - provided that:
- $D_k^{-1}(f_k) > 0$ is real-valued, decreasing and differentiable over $f_k > 0$,
- $t_a(v_a, x_a) > 0$ is real-valued, increasing and differentiable over $v_a > 0$, and
- $|\partial t_a / \partial x_a| > 0$ and finite.

This uniqueness is important when analysing how the system state and thereby its performance is affected by changes in component state, i.e. component degradation. As all the possible component state and system state vectors constitute their respective vector spaces, and all the possible values of SS(x) constitute a system performance index space, (quote): "the integrated equilibrium model can be regarded as a continuous mapping from the component state vector space X to the system state vector state () and then to the system performance index space A(X)".

The application requires the same data as for strategic transportation planning purposes and the goal is to model what happens to system performance both as a result of various events and when system characteristics change. Since there are numerous combinations of component capacity degradation (especially in larger networks), it is better to approach the analysis of system performance by way of a sensitivity analysis. First the important (= large impact on system performance as a whole if degraded) components of the DTS are identified, then their "weakness" (= probability of degradation) is assessed. Those components which are both important and weak are denoted as critical and should be prioritised for strengthening. The sensitivity analysis is hence the basis for:
- a reliability analysis of the system, and
- the design of preventive/remedial works.

The reliability of a component is usually put down as the probability of it surviving an event, and the component is either fully functional or completely shut off. Terminal reliability is a function of component reliability, and it is simply the probability that the system is still connected. Since transportation network reliability should extend to everyday events and different levels of degradation, we are interested in more than the mere connectivity of the network. Therefore terminal reliability is not an appropriate measure in this case. Hence there is a need for a new reliability model and system reliability measure.

3.6 Degradable transportation systems - sensitivity and reliability analysis

In determining the sensitivity of the system state vector and the system performance index with respect to the component state vector x, it does not matter which path flow
vector is used, since different alternatives lead to the same (unique) OD-flow vector, arc flow vector, and system surplus for a given x. The sensitivity analysis is based directly upon the partial derivatives of the system state vector and system performance index with respect to the component state vector, which allows for both independent and dependent degradation of component capacities.

Reliability analysis of a DTS focuses on the effects of arc degradation on various flows, of which OD-flows are emphasised since travel benefits are associated with completing journeys successfully. The definitions of component and system reliability for a DTS need to take two facts into account:
1. The components often have more than the two states "on/off".
2. There is usually excess capacity, i.e. some degradation does not result in noticeable effects on component and system performance.

Start by regarding the k-th OD-pair and define the remaining traffic flow after degradation⁵ as

( 0 )
where XQ is the nondegraded component state vector within the component state vector space X. The reliability is then R^ico^) = Pr[x | rk(x) > CjJ, where ^ (0 < C D } , < 1) is the minimum acceptable remaining flow. Extended to the whole system, with the remaining flow defined as r(x) = ^ it can be shown that r(x) = JjVk(x0)rk(x) ;Vk(x0) = (*) F(X0) ; F(x) = X /,(x)

If the same flow-weighted average assumption is taken for the minimum acceptable remaining flow, then

= 5.( 0 ),
k

and the reliability for the system is i?(co) = Pr[x | y(x) > ]. In calculating reliability when the probabilities of component capacity degradation are known, exact methods are efficient only for small or very regularly structured networks.

Here the notation has been changed slightly for simpler presentation.


Another possibility is to use an approximate recursive method, considering each component state vector in descending order of probability, and determine upper and lower bounds for the reliability measure. The detailed descriptions of an exact and an approximating algorithm given by the authors are however omitted here.

3.7 Degradable transportation systems - discussion

The focus is upon reliability and performance of the whole DTS. If all OD-subsystems are operational, so is the DTS. The system may however be "operational" even though one or more sub-systems may have failed, which stresses the fact that care is needed in defining system reliability. The sensitivity and reliability analysis based on the integrated equilibrium model - and hence the model itself - are for a steady-state condition. It is however desirable to be able to consider differences in degradation duration (which as well as degradation occurrence can be regarded as a stochastic variable), since the socio-economic impact of component degradation clearly grows with increasing time for repair/replacement.
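The supply-demand equilibrium, the system surplus measure and the flow-based reliability discussed in sections 3.5 to 3.7 can be worked through on the smallest possible network. The following is an added example, not code from Nicholson and Du or from this paper: it assumes one OD-pair served by one arc, an occupancy of one person per vehicle, a linear inverse demand curve, a linear congestion function, an inclusive threshold for the minimum acceptable remaining flow, and constructed capacity states and probabilities.

```python
"""Added illustration: one OD-pair, one arc, discrete capacity states.
All numbers and functional forms below are constructed assumptions."""

A, B = 20.0, 0.01        # assumed linear inverse demand: cost = A - B * flow
FIXED_COST = 2.0         # fixed cost on the arc (fare, toll, ...)
VALUE_OF_TIME = 10.0     # average value of time, cost units per hour
FREE_FLOW_TIME = 0.2     # hours on the empty arc

# Constructed component states: (arc capacity x, probability of that state).
# The first entry is the non-degraded state.
STATES = [(1000.0, 0.90), (500.0, 0.06), (250.0, 0.03), (100.0, 0.01)]


def inverse_demand(flow):
    """Generalised cost at which travellers demand exactly `flow`."""
    return A - B * flow


def arc_cost(flow, capacity):
    """Generalised cost on the arc: fixed cost + value of time * travel time.
    Travel time grows linearly with flow/capacity (assumed congestion form)."""
    travel_time = FREE_FLOW_TIME * (1.0 + flow / capacity)
    return FIXED_COST + VALUE_OF_TIME * travel_time


def equilibrium_flow(capacity, tol=1e-9):
    """Flow where inverse demand equals supply cost, found by bisection.
    The difference of the two curves is strictly decreasing in flow."""
    lo, hi = 0.0, A / B                  # inverse demand reaches zero at A / B
    if inverse_demand(lo) <= arc_cost(lo, capacity):
        return 0.0                       # travel is never worth its cost
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if inverse_demand(mid) > arc_cost(mid, capacity):
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def system_surplus(capacity, steps=1000):
    """Area between inverse demand and supply from 0 to the equilibrium flow
    (trapezoid rule, so other curve shapes can be substituted)."""
    f_star = equilibrium_flow(capacity)
    if f_star == 0.0:
        return 0.0
    h = f_star / steps
    gap = lambda f: inverse_demand(f) - arc_cost(f, capacity)
    inner = sum(gap(i * h) for i in range(1, steps))
    return h * (0.5 * gap(0.0) + inner + 0.5 * gap(f_star))


def total_cost(capacity):
    """Traditional measure: equilibrium cost multiplied by equilibrium flow."""
    f_star = equilibrium_flow(capacity)
    return f_star * arc_cost(f_star, capacity)


def remaining_flow(capacity, nominal_capacity):
    """Equilibrium flow after degradation relative to the non-degraded flow."""
    return equilibrium_flow(capacity) / equilibrium_flow(nominal_capacity)


def reliability(states, omega):
    """Probability that the remaining flow is at least omega (0 < omega < 1)."""
    nominal = max(capacity for capacity, _ in states)
    return sum(p for capacity, p in states
               if remaining_flow(capacity, nominal) >= omega)


if __name__ == "__main__":
    nominal = STATES[0][0]
    print("capacity   flow   surplus  total cost  remaining flow")
    for capacity, _ in STATES:
        print(f"{capacity:8.0f} {equilibrium_flow(capacity):6.0f} "
              f"{system_surplus(capacity):9.0f} {total_cost(capacity):11.0f} "
              f"{remaining_flow(capacity, nominal):15.3f}")
    for omega in (0.5, 0.8, 0.9):
        print(f"R({omega}) = {reliability(STATES, omega):.2f}")
```

With these constructed inputs the system surplus falls at every degradation step, while total cost first rises and then falls below its non-degraded value, which is the ambiguity the text attributes to the total cost measure.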

References

Asakura, Y. & Kashiwadani, M. (1991). Road Network Reliability Caused by Daily Fluctuation of Traffic Flow. Proceedings of 19th PTRC Summer Annual Meeting (Seminar G), 73-84.

Bell, M.G.H. & Iida, Y. (1997). Transportation Network Analysis. John Wiley & Sons Ltd, Chichester, West Sussex.

Du, Z.P. & Nicholson, A. (1997). Degradable Transportation Systems: Sensitivity and Reliability Analysis. Transportation Research -B, vol. 31, no 3, 225-237.

Nicholson, A. & Du, Z.P. (1997). Degradable Transportation Systems: an Integrated Equilibrium Model. Transportation Research -B, vol. 31, no 3, 209-223.

Wakabayashi, H. & Iida, Y. (1992). Upper and Lower Bounds of Terminal Reliability in Road Networks: an Efficient Method With Boolean Algebra. Journal of Natural Disaster Science 14(1), 29-44.

Wakabayashi, H. & Iida, Y. (1993). Improvement of Terminal Reliability and Travel Time Reliability Under Traffic Management. Proceedings of 3rd International Conference on Applications of Advanced Technologies in Transportation Engineering, Seattle 25-28 August 1993, 211-217. American Society of Civil Engineers.


Transport of dangerous goods through road tunnels: an integrated QRA model developed under the joint OECD/PIARC project ERS2

Didier Lacroix
Chairman, joint OECD/PIARC Scientific Expert Group ERS2
Research Manager, Centre d'Etudes des Tunnels (CETU), 25 avenue F. Mitterrand, Case n° 1, 69674 Bron Cedex, France

Philippe Cassini
Research Engineer, INERIS, Parc techn. ALATA, B.P. 2, 60550 Verneuil en Halatte, France

Robin Hall
Research Engineer, W.S. ATKINS, Ashley Road, Epsom, Surrey KT18 5BW, UK

Frank Saccomanno
Professor of Civil Engineering, University of Waterloo, Waterloo, Ontario, Canada N2L 3G1

Abstract

The Organisation for Economic Co-operation and Development (OECD) and the World Road Association (PIARC) have joined forces in a common research project on the Transport of Dangerous Goods through Road Tunnels. After a review of current national and international regulations, which has shown their discrepancies, the project is now devoted to risk assessment, decision process and risk reduction measures, in order to recommend appropriate methodologies and standard regulations to tunnel owners and authorities. This paper mainly describes the Quantitative Risk Assessment (QRA) model which was developed by an international consortium of consultants to compare the safety of tunnel routes with their open alternatives and possibly with absolute acceptance criteria. The general approach, the simplifying hypotheses and a general validation performed are described, as well as the principles of the computerised tools, their input and output.

1. Background

Mainly for environmental reasons, the number of road tunnels is quickly increasing in many countries. While most techniques concerning tunnel construction and also safety have been steadily improving, the problem raised by dangerous goods (DG) has not been given a satisfactory answer yet. Although very unlikely, a serious underground accident involving such goods might result in a catastrophe with dramatic consequences on numerous human lives, property and possibly the
environment. On the other hand, needlessly banning dangerous goods from tunnels may create unjustified economic costs. Moreover it may force them to drive on more dangerous routes, through dense urban areas for instance, and thus increase the overall risk. Since its creation in 1957, the Committee on Road Tunnels of the World Road Association (PIARC) has been studying most issues connected with tunnel equipment, operation and safety, including, in the last ten years, dangerous goods. The Organisation for Economic Co-operation and Development (OECD), as part of its Road Transport and Intermodal Linkage Research Program (RTR), has studied the safety of road transport of dangerous goods. Further to a joint seminar on Road Tunnel Management, these two bodies decided to pool their complementary skills and experience, as well as the necessary financial support, in order to launch a common research project on the transport of dangerous goods through road tunnels in 1995.

2. The joint OECD/PIARC research project ERS2

The general purpose of the project is to improve the overall safety of the transportation of dangerous goods by road while facilitating its organisation and preventing unnecessary costs. The output should be recommendations on best methodologies to analyse risks, make decisions, apply them using standard formulations, and implement risk reduction measures. Financial support is needed to collect the necessary data, develop the methods and models and test them in practice with the final users. Several contributions from member countries have been obtained through the initiative of the RTR Steering Committee of OECD and PIARC. Additionally a substantial part of the Quantitative Risk Assessment (QRA) model development has been financed by a grant from the Directorate General for Transport (DG VII) of the European Commission. These bodies have created an Executive Committee, chaired by Dr K. Flaate (Norway), to oversee the financial and political issues. A Scientific Expert Group, with members from 14 countries, OECD and PIARC, has prepared the detailed objectives, plans and budget, and is responsible for the general advancement and results of the project. It is chaired by the first author and co-chaired by Mr J. Hart (UK). With the support of OECD secretariat and a Project Manager, Pr H. Knoflacher (Austria), three sub-groups organise and follow up the work of several consultants in charge of various activities as described below.

Task 1: Review of current national and international regulations

Under this task, co-ordinated by Mr J. Hart (UK), current regulations have been reviewed by a Norwegian consultant on the basis of questionnaires returned by 22 countries. It clearly appears that rules and regulations for the transport of dangerous goods in road tunnels vary considerably among countries and within countries. Often countries with few tunnels have more and stricter regulations than tunnel-rich countries.


In a second step, detailed information was gathered in nine countries and analysed. In most cases current decisions are not based on QRA, but several countries intend to implement this approach in the future. A number of problems arising from the existing regulations were identified as well as requirements for new regulations. The two reports are freely available on the internet: www.oecd.org/dsti/sti/transpor/road. Their conclusions have been used to better direct the other tasks of the project.

Task 2: Methodologies relating to risk assessment and decision process

The objectives of Task 2, coordinated by Pr. N. O. Jørgensen (Denmark), are to recommend methodologies and propose examples for evaluating the risks induced by dangerous goods transport in tunnels, comparing them with alternative routes and possibly risk acceptance criteria, and proposing decisions using standard formulations. An inventory and comparison of existing methods were presented at a seminar in Oslo in March 1996 and led the Scientific Expert Group to structure Task 2 as follows:

Technical data on tunnel/routes; traffic and DG transport data -> QRA model -> risk indicators -> DSM -> choice of alternative

so that the Decision Support Model (DSM), which incorporates political aspects, is clearly separated from the QRA, which is purely technical. Also, in order to harmonise tunnel regulations, it was proposed to develop a grouping system (GS) for loadings of dangerous goods. Each tunnel would be characterised by the loadings grouping which is allowed through it. These groupings, in small number (3 to 5), would range from all dangerous goods to none. A first proposal on the principle of a GS has been submitted to the interested international bodies and is available at OECD. Detailed specifications for a QRA model were drafted and submitted to a peer review. Further to an international call for tenders, the QRA development was entrusted to a consortium led by INERIS (France) and including W.S. Atkins (UK) and the Institute for Risk Research (Canada). This activity is fully described in the next section. At the same time first thoughts were given to the DSM. A Danish consultant reviewed available models and analysed the decision problem. Two types of models are considered as promising and are currently being demonstrated on example cases before a decision is taken on the use of an existing DSM or the development of a new one. The next step will be to ensure the perfect consistency of the QRA model, GS and DSM: the loadings groupings in the GS must be characterised as well as possible by the accident scenarios included in the QRA model; the authorisation of any of these groupings must be the only possible alternatives for a tunnel regulation in the DSM. This step may include some finalisation of the QRA, GS and DSM.


Task 3: Risk reduction measures (including transport and tunnel operation)

The objective of this task, co-ordinated originally by Mr Tan (Netherlands) and now by Mr Haastrup (European Commission), is to recommend measures well adapted to each specific case, with detailed specifications and an evaluation of the costs and benefits vis-à-vis the associated risks. A first phase has been undertaken by a specialised working group of the PIARC Road Tunnels Committee devoted to dangerous goods and led by Mr Béguin (Netherlands). With the help of a Dutch consultant, they have performed a literature survey, then a first cost and effectiveness ranking of 28 measures on the basis of interviews with tunnel operators. The report will be published by PIARC soon. A second phase will use and possibly refine the QRA and DSM developed under Task 2. It will aim at quantitatively taking into account the cost and benefits towards risk of measures when deciding on a tunnel equipment and operation.

Task 4: Conclusions and recommendations

The last task, co-ordinated by Mr A.S. Caserta (USA), uses the results of the previous tasks to draw lessons and recommendations. Its objectives are:
- to propose a standard international formulation for tunnel regulations concerning dangerous goods,
- to recommend a general methodology to prepare decisions on authorising or refusing dangerous goods (using the aforementioned loadings groupings if they prove to be effective),
- to recommend appropriate measures to reduce risks.

3. The quantitative risk assessment (QRA) model

3.1 Scope

The purpose of the QRA model is to produce quantitative information about risk levels due to the transport of dangerous goods on given routes, some of them including tunnels. This information, referred to as 'risk indicators', will be used in the DSM to propose decisions which may be based on the comparison of: different possible routes to find the safer one, the risk level of a route with an absolute acceptability criterion. Risk is characterised by two aspects: occurrence probability and severity. Severity may be expressed as fatalities, injured people, destruction of buildings and structures, damage to the environment. The number of fatalities has been retained as the most pertinent severity criterion. To characterise the societal risk, the model plots F/N curves which give the yearly frequency F to have an accident with N fatalities or more. It also calculates the individual risk for permanent populations (yearly probability to die from the considered traffic). Injuries and damage to property and the environment are estimated in a qualitative way.


For open sections tools are available. Because of the specific nature of underground accidents, adapted modules had to be developed for the assessment of risk in tunnel sections. It is thus possible to quantify risks for routes including tunnel and open sections.

3.2 General approach

A complete assessment of risks due to DGs would require the examination of all possible meteorological conditions, all possible accidents, sizes of breaches, vehicles fully or partially loaded, etc. Such an assessment is totally impracticable and simplifications are needed. The developed QRA model relies on a methodology based on the following steps:
- Choose a small number of representative DGs.
- Imagine a small number of representative scenarios involving these DGs.
- Determine the physical effects of these scenarios (for open and tunnel sections).
- Determine the physiological effects of these scenarios on road users and local populations (fatalities).
- Take account of possibilities of escape/sheltering.
- Determine the associated probabilities of occurrence.

Computations for scenarios leading to no fatality would be a waste of time. So a set of rather severe scenarios was chosen. They correspond to common types of DGs able to produce fatalities because of various effects: overpressure, thermal effect, toxicity. Two scenarios are relative to fires of medium and important intensity that could concern heavy goods vehicles (HGVs) without DGs and nevertheless represent a serious risk in a tunnel. The choice of representative DGs and scenarios was made keeping in mind the future possible ranking of DG loadings in groupings to be used in tunnel regulations. The list of the 10 selected scenarios appears in Table 1.

Table 1: Main characteristics of the 10 selected scenarios.

| Scenario No. | Description | Capacity of tank | Diameter of breach (mm) | Mass flow rate (kg/s) |
|---|---|---|---|---|
| 1 | HGV fire 20 MW (no DG) | N.A. | N.A. | N.A. |
| 2 | HGV fire 100 MW (no DG) | N.A. | N.A. | N.A. |
| 3 | BLEVE of LPG in cylinder | 50 kg | N.A. | N.A. |
| 4 | Pool fire of motor spirit | 28 tonnes | 100 | 20.6 |
| 5 | VCE of motor spirit | 28 tonnes | 100 | 20.6 |
| 6 | Release of chlorine | 20 tonnes | 50 | 45 |
| 7 | BLEVE of LPG in bulk | 18 tonnes | N.A. | N.A. |
| 8 | VCE of LPG in bulk | 18 tonnes | 50 | 36 |
| 9 | Torch fire of LPG in bulk | 18 tonnes | 50 | 36 |
| 10 | Release of ammonia | 20 tonnes | 50 | 36 |

Two different software tools have been developed for computations in the open: The Fortran program Rk-DG deals with a 2D grid where population densities and a wind rose are set.


The spreadsheet-based tool Sk-DG uses a simpler representation: population densities are supposed to be homogeneous within each section, so that wind directions are not needed. Inside tunnels, only the spreadsheet-based tool Sk-DG is used.

3.3 Modelling of risk consequences and frequencies

In the open, models exist to calculate the consequences of the scenarios. Then probit equations allow the derivation of fatality percentage from physical exposure. These models and probit equations have been used to create contingency tables where calculation results are stored in such a way that the software tools Rk-DG and Sk-DG can use them directly. In Rk-DG the calculations are performed by interwoven do-loops in order to take into account: period of day (with associated traffic and population), direction of traffic, section of route (nature and related frequency of accidents), accident location on this section (discretisation), wind direction, wind velocity. Each calculation provides a number of victims and the corresponding yearly frequency. In Sk-DG, a smaller number of do-loops is necessary. They are operated by spreadsheet macro-command modules.

The probability for a scenario related to a given DG to occur in one year on a 1 km section is assessed according to the following methodology:
- find the yearly frequency for a HGV to be involved in an event (traffic accident, spontaneous fire, loss of containment, etc.) on the route section (function of country, road type, global traffic, HGV traffic),
- find the conditional probability that this HGV transports the given DG (function of traffic composition),
- use the conditional probability to develop the scenario once a HGV with the given DG is involved in an event.

In tunnels, the techniques used for consequence modelling of scenarios in the open do not apply and a specific treatment is needed to derive:
- the zones of the tunnel that will be affected,
- the effects that will go out of the tunnel and create a risk in the surroundings.

A specific spreadsheet tool called hereafter 'pre-conditioner' has been developed. It determines the zones in the tunnel that will be affected by each scenario and the corresponding effect levels.
For instance, in case of a fire in a tunnel, the spreading of smoke is very dependent on the ventilation regimes. After a delay, the emergency ventilation is generally activated. The ventilation regimes may be very different from one tunnel to another. Even for the same tunnel, the emergency ventilation may vary drastically according to the fire location. The extent, duration and heat release of a motor spirit fire are also very dependent on the drainage provisions. Because of the complexity of the assessment of the zones affected and the numerous possible cases (one or two bores, longitudinal, semi-transverse or transverse ventilation), the pre-conditioner uses simplified models.
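The frequency chain of section 3.3 and the F/N curve and expected value defined in section 3.1 combine as follows. This is an added example, not code from Rk-DG or Sk-DG: the class and function names are hypothetical, the scenario labels are taken from Table 1, and every frequency, probability and fatality count is constructed.

```python
"""Added illustration of F/N curve construction; all figures are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    load: str              # type of transport the curve can be split by
    scenario: str          # scenario label from Table 1
    hgv_event_freq: float  # yearly frequency of an HGV event on the section
    p_load: float          # conditional probability the HGV carries this load
    p_scenario: float      # conditional probability the scenario develops
    fatalities: int        # number of fatalities N for this outcome

    def __post_init__(self):
        for p in (self.p_load, self.p_scenario):
            if not 0.0 <= p <= 1.0:
                raise ValueError("conditional probabilities must be in [0, 1]")
        if self.hgv_event_freq < 0 or self.fatalities < 0:
            raise ValueError("frequency and fatalities must be non-negative")

    @property
    def frequency(self):
        """Yearly frequency of this outcome: the three-step chain."""
        return self.hgv_event_freq * self.p_load * self.p_scenario


# Constructed sample outcomes for one route section.
OUTCOMES = [
    Outcome("HGV without DG", "HGV fire 20 MW (no DG)", 0.5, 0.90, 0.02, 2),
    Outcome("Motor spirit", "Pool fire of motor spirit", 0.5, 0.04, 0.05, 10),
    Outcome("Motor spirit", "VCE of motor spirit", 0.5, 0.04, 0.005, 50),
    Outcome("LPG in bulk", "BLEVE of LPG in bulk", 0.5, 0.02, 0.01, 50),
    Outcome("Chlorine", "Release of chlorine", 0.5, 0.002, 0.02, 200),
]


def frequency_at_least(outcomes, n):
    """F(N): yearly frequency of an accident with n fatalities or more."""
    return sum(o.frequency for o in outcomes if o.fatalities >= n)


def fn_curve(outcomes):
    """Step points (N, F(N)) at every distinct fatality count above zero."""
    levels = sorted({o.fatalities for o in outcomes if o.fatalities > 0})
    return [(n, frequency_at_least(outcomes, n)) for n in levels]


def expected_fatalities(outcomes):
    """Expected value: fatalities per year summed over all outcomes."""
    return sum(o.frequency * o.fatalities for o in outcomes)


def fn_curves_by_load(outcomes):
    """One F/N curve per type of transport, plus the global curve."""
    groups = defaultdict(list)
    for o in outcomes:
        groups[o.load].append(o)
    curves = {load: fn_curve(items) for load, items in groups.items()}
    curves["All scenarios"] = fn_curve(outcomes)
    return curves


if __name__ == "__main__":
    for load, curve in fn_curves_by_load(OUTCOMES).items():
        print(load)
        for n, f in curve:
            print(f"  N >= {n:3d}: F = {f:.2e} per year")
    print(f"Expected value: {expected_fatalities(OUTCOMES):.3f} fatalities/year")
```

Two routes are compared by building `OUTCOMES` for each and overlaying the resulting curves; rare high-fatality outcomes dominate the right-hand end of the curve even when they contribute little to the expected value.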


Appropriate measures in a tunnel may reduce the frequency of accidents, their severity, the delays for detection and allow greater possibilities of escape/sheltering. Some of these measures are taken into consideration in the pre-conditioner and the QRA. It is thus possible to explore the influence of mitigation measures on the F/N curves.

3.4 Input/output of the software

Spreadsheet-based tool Sk-DG. The tool Sk-DG produces the following quantitative outputs for fatalities:
- F/N curves (global and also for each DG involved at least in one scenario),
- expected values (number of fatalities per year).

It also provides qualitative indications on risks of injuries, structural damage in the tunnel sections, environmental pollution.

For the open, the software computations are based on:
- contingency tables in which the shape and extent of the zones of physical effects for the scenarios in the open have been stored,
- contingency tables in which the translation of physical effects into physiological ones has been stored,
- contingency tables in which the elements needed for the yearly frequency assessment have been stored. They are derived from accident statistics issued from France and Canada.

For the tunnel sections, the software computations are based on:
- the aforementioned pre-conditioner which performs a simplified assessment of the physical and physiological effects in a tunnel,
- contingency tables in which the elements needed for the yearly frequency assessment have been stored. They are derived from accident statistics relative to tunnels issued by Canada, France and Norway.

All these contingency tables store input data that have been calculated and validated by the developers and should not be changed. Nevertheless if changes were to be performed, for example use a new probit equation for chlorine, this could be performed inside the contingency tables by an expert user. More generally, expert users may change values in contingency tables so as to:
- modify the physiological effects of the phenomena (change probit equations, etc.),
- modify the way the escape/sheltering possibilities are taken into account,
- modify a scenario (this requires specialists),
- modify default values (traffic composition, ratio of fires not induced by an accident, etc.).

Expert users may also change values in some parts of the pre-conditioner.
The final users will not have such possibilities. The inputs they will have to provide for the spreadsheet-based tool Sk-DG, are: traffic description, route description, distribution of wind velocities if available, indications on weather conditions that may affect the frequency of accidents: fog, rain, etc. Some elements are typically relevant
to the site: global traffic, layout of the route, length and nature of each section and must be entered. Other inputs may be omitted and a default value accepted.

Fortran program Rk-DG. Data to be supplied to this software are very similar to those needed by Sk-DG, except that a 2D description of the population density is needed and a wind rose indicating time ratio of wind velocity for 18 (adjustable number) direction sectors is needed.

Tunnel pre-conditioner. Input data are: geometry of tunnel (number of bores, layout of lanes, length, cross-section, gradient, camber, drainage possibilities, etc.), normal and emergency ventilation regimes (longitudinal, extraction if any), delays for activation of the emergency ventilation.

3.5 Test cases

A panel of 4 test cases was used during the development to validate the contingency tables and sub-models, to get a clear feel for the difficulty facing a final user, and to help in writing user guides. For each case, a comparison of risk between a route including a tunnel and an alternative open route was conducted. The 4 tunnels were intentionally chosen to be very different. Figure 1 shows an example of the outputs obtained with Sk-DG for one of the test cases: F/N curves per type of transport (cumulating the risks for all scenarios relative to that transport) and their global contribution.
[Plot: "Example of F/N curves for a given route". Curves: HGV fires, BLEVE 50kg Propane, Motor Spirit, Ammonia, Propane in Bulk, All Scenarios. Axis label: Fatalities.]

Figure 1. Example of F/N curves produced by the QRA model.
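The two quantitative outputs described above (F/N curves per type of transport with their global contribution, and the expected value) can be computed from a list of scenarios as in the following added Python example. It is not code from Sk-DG: the scenario frequencies and fatality numbers are constructed for illustration and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed scenario list (illustrative values, not results from the paper):
# (transport type, frequency in events per year, number of fatalities N)
SCENARIOS = [
    ("HGV fires",       2.0e-3,   2),
    ("HGV fires",       4.0e-4,  10),
    ("Motor Spirit",    5.0e-5,   5),
    ("Motor Spirit",    1.0e-5,  40),
    ("Propane in Bulk", 2.0e-6,  30),
    ("Propane in Bulk", 5.0e-7, 200),
    ("Ammonia",         1.0e-6,  80),
]


def fn_curve(scenarios):
    """Return the F/N step curve as [(N, F)], N ascending, where F is the
    yearly frequency of scenarios causing N or more fatalities."""
    freq_by_n = defaultdict(float)
    for _, freq, n in scenarios:
        if n >= 1:                      # scenarios without fatalities are off the curve
            freq_by_n[n] += freq
    curve, cumulative = [], 0.0
    for n in sorted(freq_by_n, reverse=True):   # accumulate from the largest N down
        cumulative += freq_by_n[n]
        curve.append((n, cumulative))
    return curve[::-1]


def frequency_at_least(curve, n):
    """Read F(n) off the step curve: frequency of n or more fatalities."""
    for n_i, f_i in curve:
        if n_i >= n:
            return f_i
    return 0.0


def expected_value(scenarios):
    """Expected number of fatalities per year: sum of frequency x N."""
    return sum(freq * n for _, freq, n in scenarios)


def expected_value_from_curve(curve):
    """Same quantity recovered from the curve alone, as the sum of F(n) over
    n = 1, 2, 3, ... (each step contributes F times its width in N)."""
    total, previous_n = 0.0, 0
    for n_i, f_i in curve:
        total += f_i * (n_i - previous_n)
        previous_n = n_i
    return total


def curves_per_transport(scenarios):
    """One curve per transport type plus the global 'All Scenarios' curve."""
    grouped = defaultdict(list)
    for scenario in scenarios:
        grouped[scenario[0]].append(scenario)
    curves = {name: fn_curve(group) for name, group in grouped.items()}
    curves["All Scenarios"] = fn_curve(scenarios)
    return curves


if __name__ == "__main__":
    for name, curve in curves_per_transport(SCENARIOS).items():
        print(name, [(n, f"{f:.3g}") for n, f in curve])
    print("Expected fatalities per year:", expected_value(SCENARIOS))
```

The expected value equals the area under the F/N step curve, which gives a quick consistency check between the two outputs.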


3.6 Validation procedure

A QRA model may calculate systematically biased levels of risk, especially if it is based on a very limited number of DGs and scenarios. This may have limited impact when comparing two alternative routes, if both have been miscalculated in the same manner. It may lead to wrong conclusions if risk levels have to be compared with 'absolute' acceptance criteria.

Sources of possible error when assessing risk are everywhere. They are present in:
* input parameters,
* physical models used for the consequence assessment,
* statistics available for the probability aspects and derived contingency tables,
* physiological aspects,
* people behaviour and ability to escape,
* emergency procedures.

So it appeared important to check that a correct order of magnitude was reached in the assessment. This has been performed by a comparison between:
* fatalities produced by real accidents available in a database indicating the number of fatalities due to DGs during a few years in France,
* calculations performed with the model for 3 open air sections representing:
  * motorways in rural areas,
  * national roads in rural areas,
  * urban routes,
  each with corresponding surrounding population densities, traffic rates and with lengths proportional to their ratio in the French road system.

Dividing the calculated number of fatalities by the numbers of kilometres and DG vehicles used to run the model leads to a result of 1.4 × 10⁻⁹ fatalities due to DGs / (year · DG vehicle · kilometre). Knowledge of the French DG traffic expressed in vehicle · kilometres per year made it possible to derive from the database a mean figure of 1.9 × 10⁻⁹ fatalities due to DGs / (year · DG vehicle · kilometre). So it appears that the model correctly evaluates the order of magnitude of risk on open sections.

A sensitivity analysis has been performed in order to indicate how the model reacts to different input parameters relative to open and/or tunnel sections. This is useful for the final users: if a parameter does not affect the results too much, it may be determined with less accuracy.


4. Conclusions

The joint OECD/PIARC research project ERS2 investigates the most important fields related to the transport of dangerous goods through road tunnels: current and future regulations, risk assessment, decision making, risk reduction measures. A Quantitative Risk Assessment (QRA) model was developed by international consultants in order to provide risk indicators which can be used in a decision support model to compare a route including one or several tunnels with alternative open routes, and possibly with risk acceptance criteria. The QRA model consists of spreadsheet-based tools and a Fortran program for some finer results. It is aimed at being simple to use, but experts may make changes to take account of specific situations or data. The main outputs are F/N curves and individual risk contours for fatalities. Risks of injuries, damage to the tunnel and the environment are dealt with in a more qualitative way. The development has included four test cases to try the various sub-models and the user-friendliness. A complementary check is ongoing in several countries: real future users are testing the model on their own cases before it is accepted. A later phase will include a detailed examination of the consistency of the QRA with the Decision Support Model (DSM) and the grouping system (GS) planned for future harmonised tunnel regulations. The whole research project is expected to be completed in the first half of 2000. All final results will be made available by OECD and PIARC, including the computerised tools. A special session will be devoted to the project at the XXIst World Road Congress organised by PIARC in Kuala Lumpur (Malaysia) in October 1999. Another conference or seminar is envisaged in Europe and North America in 2000-2001.


An update of the risks from the transport of dangerous goods in Great Britain
T.N.K. Riley and R. Rowlands Health and Safety Executive, St Annes House, University Road, Bootle L20 3RA, UK S.A. Gadd Health and Safety Laboratory, Broad Lane, Sheffield, S3 7HQ, UK

Abstract In 1991, the UK Health and Safety Commission published a report by its Advisory Committee on Dangerous Substances (ACDS) on the "Major hazard aspects of the transport of dangerous substances". This report used quantitative risk assessment to assess the national risks from the transport of toxic and flammable substances by road and rail in Great Britain. The report concluded that although none of the risks examined were intolerable, in most cases, the risks should still be reduced to a level as low as is reasonably practicable. The report included a number of recommendations on risk reduction measures. The transport data used in the ACDS study dated from the mid-late 1980s. Since then the patterns of transport of dangerous goods in Great Britain have changed significantly (for instance there is no longer any rail transport of either chlorine or ammonia) and risk reduction measures have been applied. This paper examines the conclusions of the ACDS report relating to the transport of toxic and flammable substances by road and rail in the light of more recent data, from the mid 1990s, and seeks to determine whether national risks remain tolerable.

1. Introduction

In the mid-1980s, the European Seveso Directive [1] defined a major hazard installation in terms of threshold inventories of dangerous substances stored or processed at a site. Those thresholds were similar to, or exceeded by, the quantities transported in road and rail tankers in Great Britain. The Health and Safety Commission (HSC), in order to assess the risks of carrying dangerous goods throughout the transport network, initiated a study by its Advisory Committee on Dangerous Substances (ACDS). The report [2], published in 1991, was the outcome of a quantitative risk assessment to determine the national level of risk. The report set a benchmark in its conclusion that the bulk transport of four representative substances by road and rail did not present 'intolerable' individual or societal risks.


Although the risks were assessed as 'tolerable', very few of the risks were considered to be 'negligible'. Therefore, measures were needed to reduce them within the framework of control established in Great Britain. The criterion applied is that of 'reasonable practicability', that is to say, taking due account of costs, a measure to reduce risks should be implemented provided the costs are not in 'gross disproportion' to the benefit achieved. An implication of the requirement that residual risks are reduced to a level as low as is reasonably practicable (ALARP) is that the level of risk is monitored to ensure that changes in the underlying situation are taken into account and any alterations in risk are reviewed. It is now more than 10 years since some of the rail and road data were collected for the HSC report. Significant changes in the underlying situation have taken place. The rail industry has been privatised. Rail passengers and freight traffic have seen ups and downs during the decade. Now, after a period of uncertainty, an upward trend in rail passenger traffic is emerging. On the roads, a moratorium on major road building was introduced. Overall road traffic volume, as measured by the average daily flow of vehicles, increased by 50% between 1981 and 1996 in Great Britain. This was mainly due to the increase in private car ownership which, at 375 cars per thousand population (in 1994), is a slightly lower rate than the EU average [3]. Despite the increased traffic, the annual number of fatalities in road accidents fell to 3,600 in 1996, the lowest figure since records began 70 years ago and 36% lower than the 1981-85 baseline figure [4].

2. Methodology

2.1 Rail traffic data

The HSC report selected chlorine, ammonia and liquefied petroleum gas (LPG) as potentially the most hazardous substances transported. Motor spirit was chosen as the dangerous substance carried in the greatest quantities. In order to compare the changes in the levels of risk in the decade since the traffic data for the HSC report were collected, the data for the same dangerous substances were resurveyed [5]. This task was not straightforward as these data are not collected as part of the normal reporting procedures. In the case of rail transport, the most significant changes were that the transport of chlorine and ammonia had ceased. The changes in the transport of flammables by rail are summarised in Table 1.
Table 1: Flammables traffic by rail. LPG Total Loaded wagon km Total tonnes Journeys per year Tanker Capacity te 2-axle 4-axle (bogie mounted) 1985 1,390,590 113,140 4,334 20 40 1994 2,756,144 245,736 11,212 20 40 Motor Spirit 1985 1994 10,199,095 9,764,500 2,643,600 2,910,196 55,814 35,248 32 75 32-35 75


Over the period surveyed, the transport of motor spirit by rail declined, although some of the reduction in traffic was attributable to the greater use of larger capacity tankers. Nevertheless, in 1998, one of the larger refineries announced plans to close its rail export terminal. The pattern of rail traffic in motor spirit has also changed. Route lengths tend to be longer and the major route has altered. By 1994, the Humberside to Berkshire route had replaced the major route identified in the HSC report from Merseyside to Leeds and Humberside. Although a similar proportion of the national traffic, in terms of 'loaded tanker-kilometres' (~20%), was carried on the major route, the tonnage of motor spirit carried had fallen by 10% when the two surveys were compared. In contrast, the tonnage of LPG transported by rail has more than doubled over the same period. Also, the major route has changed, with a very high proportion of the national traffic travelling from Dorset to Avon now that the gas condensate field supplying the route has come fully on stream. Details of the representative routes are shown in Table 2.
Table 2: Representative routes for rail transport.

| Representative routes | LPG 1985 | LPG 1994 | Motor Spirit 1985 | Motor Spirit 1994 |
|---|---|---|---|---|
| Major route | Hampshire-Midlands | Dorset-Avon | Merseyside-Leeds-Humberside | Humberside-Berkshire |
| Route length km | 329 | 237 | 223 | 405 |
| tankers/yr | 1,323 | 10,137 x 20 te | 5,300 32 te; 3,900 75 te | 5,200 75 te |
| tanker-km/yr | 435,267 | 2,402,469 | 2,051,600 | 2,106,300 |
| % national traffic | 31 | 87 | 20 | 22 |

2.2 Road traffic data

The transfer of chlorine traffic from rail to road increased road movements substantially. Deliveries are now made by one main haulier in higher capacity tankers and, on average, the journeys have become longer. Anhydrous ammonia traffic by road, on the other hand, has fallen despite the cessation of rail traffic. This is due to the reduction in usage of ammonia as ammonium nitrate imports led to the closure of manufacturing plants in Britain. Again, the size of cargoes has increased, so that overall, 25% fewer journeys are now made than before. The data for road transport of toxic products is summarised in Table 3.
Table 3: Toxics traffic by road.

| | Chlorine 1987 | Chlorine 1994 | Ammonia 1987 | Ammonia 1994 |
|---|---|---|---|---|
| Total loaded tanker km | 1,121,358 | 2,012,500 | 632,233 | 503,520 |
| Total deliveries tonnes | 169,438 | 230,000 | 45,061 | 34,620 |
| Journeys per year | 9,871 | 11,500 | 2,974 | 2,098 |
| Mean loaded journey km | 114 | 175 | 213 | 240 |
| Tanker capacity te | 17 | 20 | 15 | 16.5 |


The total tonnage of LPG transported in bulk remained relatively unchanged on trunk routes, the larger tanker capacity effectively balancing the smaller number of journeys needed. The pattern of transport had altered with the onward distribution of LPG from the terminals supplied by the trunk routes being undertaken in smaller tankers to the end consumer. This break bulk traffic, in small 6 to 7.5 tonne tankers, accounted for more than half the total tonnage delivered to consumers. Such tankers complete in excess of 92,000 journeys per year. The traffic is summarised in Table 4.
Table 4: Flammables traffic by road.

| | LPG 1987 | LPG 1994 | Motor Spirit 1987 | Motor Spirit 1994 |
|---|---|---|---|---|
| Total loaded tanker km | 19.5 × 10⁶ | 16.2 × 10⁶ | 82 × 10⁶ | 129 × 10⁶ |
| Total tonnes | 955,000 | 1,446,000 | 32 × 10⁶ (22.2 × 10⁶)* | 22.8 × 10⁶ |
| Journeys per year | 63,667 | 76,106 | 1.3 × 10⁶ | 1.4 × 10⁶ |
| Mean loaded journey km | 307 | 213 | 64 | 92 |
| Tanker capacity te | 15 | 19 | 20-25 | 20-28 |

* UKPIA: total motor spirit delivered in 1987 (ACDS assumed a value of half of all petroleum products delivered in the same year).

The first impression of the transport of motor spirit by road is that the total tonnage has declined considerably since the HSC report. Given the growth in road traffic this is unlikely to be the case. The explanation appears to be that the 1987 HSC figure (derived from 50% of all petroleum products transported) was an over-estimate. According to the UK Petroleum Industry Association (UKPIA) data for 1987 [5], only 22.2 million tonnes were transported by road and the tonnage has remained reasonably unchanged, although tanker capacities have increased, as have the lengths of journeys.

3. Rail risk assessment

The spreadsheets used to assess the risks were modified to remove inconsistencies and to improve the modelling. Further directional events were added. Population surveys were reassessed and updated. New surveys were undertaken where the major routes had changed.

3.1 Societal risk from the transport of LPG

Societal risk results have been calculated for the off rail, rail passenger and total population (i.e. both off rail plus passengers), on the Dorset to Avon and Hampshire to Midlands routes. Supplementary route information was supplied by the rail operator and the off rail population data was updated. The total societal risk from the transport of LPG on both routes, scaled up to the national traffic in LPG is shown in Table 5.


Table 5: Total national societal risk from the transport of LPG by rail (Dorset to Avon and Hampshire to Midlands routes). Frequency of N or more fatalities (×10⁶ per year).

| N | Off Rail | Passengers | Total |
|---|---|---|---|
| >=1 | 2,534 | 944 | 2,943 |
| >=3 | 1,596 | 942 | 2,299 |
| >=10 | 1,009 | 936 | 1,867 |
| >=30 | 477 | 880 | 1,331 |
| >=100 | 151 | 51 | 229 |
| >=300 | 57 | 0 | 57 |

The national comparison between the previous study and the current traffic is shown in Figure 1 (for this and subsequent figures, the results are 'faired' to permit direct comparison). There is clearly an increase in overall risk due to the increase in traffic.

3.2 Societal risk from the transport of Motor Spirit

Sixteen significant trunk routes were identified, forming the majority of the national rail traffic in motor spirit. The national traffic was used to scale up the output from the representative route and the results are listed in Table 6. The increase in risk, shown in Figure 1, appears to be due to the increase in the length of journeys and the more general use of larger capacity tankers on the bulk routes than formerly.
Table 6: Total national societal risk from the transport of Motor Spirit by rail. Frequency of N or more fatalities (×10⁶ per year).

| | >=1 | >=3 | >=10 | >=30 |
|---|---|---|---|---|
| Total | 25,131 | 15,041 | 5,763 | 0 |

4. Road risk assessment

4.1 Societal risk from the transport of Chlorine

Five major road routes were identified. The Runcorn to Amlwch route, which carried 60% of the national rail traffic in the HSC report, accounted for only 20% of the national road traffic in 1994. Societal risk results have been calculated for the off road, on road and total population on the Runcorn to Amlwch route, scaled up to the national traffic and average route length. The national societal risk is outlined in Table 7. A comparison of the levels of risk in the two studies is shown in Figure 2. This shows an increase in risk due to the increase in traffic.
Table 7: Total national societal risk from the transport of Chlorine by road. Frequency of N or more fatalities (×10⁶ per year).

| N | Off Road | On Road | Total |
|---|---|---|---|
| >=1 | 126 | 168 | 191 |
| >=3 | 75 | 114 | 142 |
| >=10 | 65 | 98 | 131 |
| >=30 | 30 | 85 | 100 |
| >=100 | 12 | 28 | 49 |
| >=300 | 7 | 13 | 17 |
| >=1000 | 2 | 0 | 2 |


4.2 Societal risk from the transport of Ammonia

Anhydrous ammonia was transported by road on three major routes in 1994. A route was selected as representative, based on up-to-date information from the operators. Adjusted to national traffic and the average route length, the national societal risk is summarised in Table 8 and compared with the results from the earlier study in Figure 3. The reduction in risk reflects the fall in traffic.
Table 8: Total national societal risk from the transport of Ammonia by road. Frequency of N or more fatalities (×10⁶ per year).

| | >=1 | >=3 | >=10 | >=30 | >=100 | >=300 |
|---|---|---|---|---|---|---|
| Off Road | 35 | 27 | 13 | 5 | 1 | 0 |
| On Road | 161 | 122 | 122 | 34 | 8 | 0 |
| Total | 191 | 143 | 132 | 37 | 12 | 0 |

4.3 Societal risk from the transport of LPG

In the time available for this project, we were unable to examine the risks from the smaller 6 to 7.5 tonne tankers. The results in Table 9 are based on the conservative assumption that all the national traffic is carried in 19 tonne tankers. From Figure 4, it is clear that, despite this assumption, there has been little change in the level of national societal risk arising from the transport of LPG by road.
Table 9: Total national societal risk from the transport of LPG by road. Frequency of N or more fatalities (×10⁶ per year).

| | >=1 | >=3 | >=10 | >=30 | >=100 | >=300 |
|---|---|---|---|---|---|---|
| Off Road | 2,631 | 1,242 | 540 | 182 | 84 | 25 |
| On Road | 6,505 | 6,485 | 5,320 | 4,082 | 1,601 | 174 |
| Total | 6,589 | 6,559 | 5,571 | 4,142 | 1,660 | 238 |

4.4 Societal risk from the transport of Motor Spirit

The population densities along two of the typical routes, assessed for the HSC study, were resurveyed in order to include a wide range of roadside population densities in the representative result shown in Table 10. The increase in the loaded tanker-km has produced an apparent increase in risk as shown in Figure 5.
Table 10: Total national societal risk from the transport of Motor Spirit by road. Frequency of N or more fatalities (×10⁶ per year).

| | >=1 | >=3 | >=10 | >=30 |
|---|---|---|---|---|
| Combined | 130,940 | 14,606 | 5,486 | 0 |

5. Discussion

When the previous HSC study was undertaken, working parties were set up to ensure rigorous examination and debate of the results. In the absence of such working parties for the present study, we had to make some important assumptions. The reported data


for releases from tankers were not considered to be sufficiently reliable to update the release frequencies derived for the previous HSC report. Consequently, we continued to use the release frequencies from the previous report in the present update. This may tend to over-estimate the level of risk in some instances. For example, the effect of changes to tanker design and driver training, introduced specifically to reduce the major contributors to the overall risk as highlighted in the HSC report, was not taken into account. A project has been initiated to derive up-to-date release frequencies but the work was not completed in time for this paper. It is of interest to examine the effect of the transfer of liquefied toxic gas traffic from rail to road on the total overall national risk in Britain. The significant fall in the frequencies of high N events in the overall risk for rail traffic is shown in Figure 6. The corresponding increase in the overall risk for road transport due to the contribution from the additional liquefied toxic gas traffic is shown in Figure 7 and is far less significant. Clearly, the transport of flammables by road makes the predominant contribution to the overall risks.

6. Conclusions

Significant changes have taken place in the transport of dangerous substances in Great Britain in the past decade, notably the cessation in rail transport of liquefied chlorine and ammonia and the partial transfer of this traffic to the road network. The representative substances considered in the HSC study have been re-assessed. Overall, the significant decrease in the total risk from dangerous substances on the rail network has not resulted in a corresponding increase in total risk from dangerous substances on the road. Therefore the conclusion in the HSC report that the risks are tolerable continues to be valid. However, the risks are not negligible and the need to reduce risks to a level as low as is reasonably practicable continues. Further work, to assess the effectiveness of the risk reduction measures introduced since the previous study and their impact on release frequencies, is indicated and further work is planned.

7. Disclaimer

The views expressed in this paper are those of the authors and not necessarily those of HSE.

8. Acknowledgement

The authors wish to acknowledge the assistance of all the managers from the oil, chemical, and transport industries without whose willing co-operation this work would not have been completed.


References

[1] The 'Seveso' Directive (82/501/EEC).
[2] HSC Report on the Major hazard aspects of the transport of dangerous substances, HMSO, 1991.
[3] Social Trends, Office for National Statistics, HMSO, 1998.
[4] Road Casualties Great Britain - Main Results 1997, The Department of Environment Transport and the Regions (DETR), June 1998.
[5] 1994 Data on the Transport of Dangerous Substances, Research report AM5072, WS Atkins for Health and Safety Executive, July 1997.


Suitable criteria for managing land transport of hazardous materials


Roberto Bubbico Gruppo Nazionale Difesa dai Rischi Chimico-Industriali ed Ecologici, C.N.R., via Eudossiana 18, 00184 Rome, Italy Sergio Di Cave, Barbara Mazzarotta Dipartimento di Ingegneria Chimica, Università di Roma "La Sapienza", Rome, Italy

1. Introduction

The term "hazardous materials" covers a wide variety of substances used for a multitude of purposes in social and economic activities. Most of them are chemicals and fuels, whose single or combined properties of flammability, explosivity, corrosiveness and toxicity give rise to hazardous situations during any step of their handling. For several decades this critical aspect has been the object of systematic concern with reference to manufacturing plants and storage facilities, where large amounts of such materials are usually handled and severe operating conditions may favour the occurrence of an incident. Increasingly accurate methodologies of risk analysis have been developed in order to permit a quantitative evaluation of the level of hazard proper to each specific case, while the preparation of emergency plans to adequately face the occurrence of an incident has become common practice in all industrial settlements. In most countries the use of these techniques is expressly considered or even enforced by a number of regulations directed to risk prevention (Council Directives 82/501/EEC & 96/82/EC).

The transport of such materials, on the contrary, has become the object of similar concern more recently, and the relevant regulations are at present less well defined. This probably depends on the fact that the limited quantities involved in single transport events may initially have led to the corresponding risks being underestimated. Indeed, a number of accidents that occurred during transport activities have demonstrated that, under certain conditions specific to transport, such as crossing populated areas or following routes with intense traffic, even limited quantities may produce serious consequences accompanied by multiple casualties; moreover, the total amounts transported on a daily or weekly basis within certain geographical areas may be comparable with those present in fixed plants, thus assuming an important role in the determination of the overall risk.

The methods for risk assessment developed for fixed installations are conceptually valid for transport as well; in practice, however, their extension is not direct because of some peculiar differences between the two situations. A fixed installation can be considered as a point source of risk surrounded by an environment


slightly variable and well known. A transport, on the contrary, constitutes a travelling source whose environment is subject to continuous changes according to the characteristics of the sites progressively crossed by the route; this makes the procedures for risk assessment very complex, requiring knowledge of the conditions characterizing every single site along the itinerary and a great computational effort, because the calculations must be repeated as many times as the environment changes.

A reliable quantification of the risk related to transport is also of great interest in order to exploit the unique advantage associated with a mobile source, that is, the possibility of changing some of the characterizing variables, such as the means used, the route and the time, in order to obtain safer conditions. Nevertheless, the search for this optimum introduces a further complication, as it requires the calculations to be repeated for the different scenarios to be compared.

The problem of transport risk assessment has been frequently treated in recent years, often on the initiative of public institutions, with different approaches (Health and Safety Commission, 1991; Tiemessen & van Zweeden, 1998; Gadd et al. 1998). In many cases purely methodological solutions were suggested, while in others the work referred to the specific situation of a particular country with direct application targets. But one common aspect appears: the need to find simplified procedures capable of reducing the amount of work required without significantly reducing the reliability of the results. This work analyzes the problem of land transport risk assessment and describes a procedure developed in Italy with the purpose of making available a tool that is easy to use but sufficiently accurate for the assessment of the risk related to the land transport of hazardous materials over the national territory.

2. Land transport systems and related risks of incidental events

The need of moving goods from one site to another concerns some specific steps of all industrial activities: the supply of raw materials, the exchange of intermediate products, and the distribution of the final products to the markets. More than one half of these goods falls in the class of hazardous materials. Apart from the long distance displacements, for which the maritime way is common, most of such transports take place overland, also in those countries where the availability of internal waterways offers some alternatives. Limiting therefore the discussion to land transport, the ways commonly used are three: road, rail and pipe, each having its own peculiarities under the aspects of exploitability and risk. With regard to this last, it is important to recall that the risk here considered is that deriving from the hazardous properties of the material transported and therefore it is related to the occurrence of some release of the material. Accidents not involving releases of hazardous materials, even though producing physical damages to the carrier and/or fatalities having different origin, must be disregarded in the evaluation of the type of risk here considered.


Pipelines are used for medium and long distance continuous transport of fluid or fluidized materials. For direct distribution purposes a pipeline can be locally developed into one or more networks, but its general path univocally defined does not allow to serve out-of-route customers. With regard to the aspect of risk, in spite of being a fixed installation, a pipeline shows the characteristics of a mobile source, since a spill of the conveyed material in principle could take place at any point of the line length with the possibility of encountering different environments. The simple structure and the protection offered by a generally underground placement reduce the probability of damage with consequent release of material; furthermore, the path followed is generally set outside cities and highly populated areas. On the other hand, if for any reason a failure occurs, the amount of material potentially released is quite large, up to the full hold-up of the involved section of line. The road and rail modes have several common characteristics: they are both suitable for transport at any distance and for materials in any physical state but their principal peculiarity is that of being discontinuous systems operated by batches of limited unit capacity. The road mode is the most flexible, allowing to reach practically any site in virtue of the broad extension of the road networks; the transport batch corresponds to the capacity of a single lorry so that the number of trips required to move a given amount of material may result high. The rail mode is more rigid being submitted to the configuration of the track network; on the other hand, even though the unit capacity of a rail car is comparable with that of a lorry, a train may include several cars filled with the same material, so that the overall transport batch becomes larger thus reducing the number of required trips. With regard to risk aspects, some differences must be noted. 
Rail traffic is well scheduled and subject to continuous control, so the probability of accidents related to motion is relatively low. The larger capacity of the transport batches, however, plays a negative role with regard to the consequences of accidents generating multiple releases of the transported material. Another critical aspect of the rail mode comes from the possible accumulation of cars carrying hazardous materials in freight yards, which are very often located inside cities. In the road mode the situation is to some extent reversed: the traffic is much more chaotic and scarcely controllable, and the quality of the roads may also differ significantly depending on the site, the weather conditions and the time of day; moreover, human errors are more frequent, and all this increases the probability of accidents related to motion. Conversely, the smaller capacity of the transport batch in this case acts favourably on the consequences of a release.

3. Transport risk analysis

A release of material from the transport means can originate from different causes. In the modes based on mobile means (road and rail transport) the prevailing one is the rupture of the container as the consequence of a motion accident, such as a crash, an upset or a derailment (Cannalire et al., 1995); but fixed installations such as pipelines are also subject to accidental impacts by mobile devices, especially excavators.


Less frequent causes of release are the formation of openings due to undetected corrosion or bursting of the container or pipe, the failure or imperfect tightening of valves, leakages from gaskets, etc. The consequences produced by the release of a hazardous material depend in turn on a large number of variables, ranging from the properties of the material and the amount released to the environmental conditions existing at the site and at the moment of the spill. In order to perform a quantitative risk analysis concerning transport, all the conditions influencing both the occurrence and the consequences of a release must be known in detail and taken into consideration along the entire route. These elements of information can be classified into five groups of data:

i) characteristics of the material: physico-chemical and hazardous properties; temperature and pressure at which transport is performed;
ii) characteristics of the transport: type of transport means (mobile container(s) or pipe), its capacity and structure; number of containers involved per trip, in case of road or rail transport;
iii) intrinsic characteristics of the route: class of the road (motorway, national, local) or of the rail track (high traffic, principal or secondary branch); presence of safety measures (guard rail, speed limits); relevant accident rates;
iv) environmental characteristics along the route: shape of the territory (flat, hilly, mountainous), type of area (urban, suburban, industrial, rural) and related population densities; direct crossing or siding of populated sites; presence of concentrations of people (hospitals, schools, commercial or business centers); weather conditions (temperature, direction and intensity of the winds, class of stability, presence of rain, snow, ice); light conditions (day or night); other peculiar conditions (possibility of natural upsets such as earthquakes, floods, etc.);
v) characteristics of the accidental scenario: estimated size of the produced opening or rate of leakage, duration of the release, evolution of the accidental scenario into the possible final accidental events, consequence analysis for these final accidental events.

All these parameters can combine with each other in various ways, contributing to determine the occurrence of the release and its consequences. Quantitative risk analysis requires identifying the possible origins of release, estimating the frequency of their occurrence, and then evaluating the consequences produced against the exposed population. When this technique is applied to a case of transport, all the relevant steps must be repeated each time any of these parameters changes significantly along the route. This implies the collection of a large amount of information and the execution of a heavy load of calculations. The accuracy of the analysis is strongly affected by the availability of detailed and reliable information concerning the parameters involved and their variations along the route. The main obstacle encountered in performing a rigorous risk analysis concerning transport is that of finding an accurate and complete quantification of all the relevant parameters, since in practice the availability of data differs considerably from one parameter to another. For example, information about the design and capacity of the carriers, as well as that of the pipelines, is well known from construction standards; the same holds for the residential population, whose data, derived from the census, are very detailed and periodically updated. On the contrary, information concerning some other important parameters, such as the incidentality rate and most environmental conditions accompanying the release, is affected by a much greater uncertainty. These data, in fact, are generally recorded on a statistical basis, i.e. as average values over a given period of time and a given extension of territory, so they cannot account for very local or transient conditions. Furthermore, the data concerning incidentality are usually available only for the most important roads or track lines, while very little is reported about the secondary routes. Finally, for certain parameters having a more random character, like the size and shape of the rupture, the existing data are very scarce. A rigorous transport risk analysis would require following the carrier along the entire route (or following the total length of the pipeline) and repeating the calculations point by point. In practice the route is divided into a discrete number of portions whose length mainly depends on the degree of detail of the available data concerning the single parameters. An extension of one kilometer is considered reasonable, and inside each portion each parameter is assumed to be constant. The results of a quantitative risk analysis are generally expressed by two typical parameters: the Individual Risk and the Societal Risk.
The Individual Risk is a number indicating the probability that an individual will die within a fixed time interval as the consequence of the transport hazard at a specific geographical location within each portion of route, as previously defined. It is calculated by the expression (CCPS, 1995):

$$IR_{x,y} = T \, A \sum_{i=1}^{n} R_i \sum_{j=1}^{m} L_j \, W_j \sum_{k=1}^{S} P_{i,j,k} \tag{1}$$

where $T$ indicates the number of trips per year, $A$ the incidentality rate per kilometer, $R_i$ the release probability for the i-th release size, $L_j$ the length of release location zone j, $W_j$ the probability that the wind blows in the direction of concern, and $P_{i,j,k}$ the probability of a fatality at location x,y given that the accident outcome k occurs. For the individual risk some threshold or acceptability levels have been proposed (Health and Safety Commission, 1991).

The societal risk is expressed in the form of a curve called FN, where F is the cumulative frequency of all the possible incidental events causing a number N of fatalities. The curve can be derived from the following pair of expressions:

$$F_{g,i,k} = A \, R_i \, L_g \, P_{i,k} \tag{2}$$

$$N_{g,i,k} = CA_{i,k} \, PD_g \, PF_{i,k} \tag{3}$$

where $CA_{i,k}$ indicates the consequence area associated with incident outcome k, $PD_g$ the population density for the portion g, and $PF_{i,k}$ the probability of fatality. The results of these calculations are the frequency $F_{g,i,k}$ of incident outcome k for release size i on the portion g, and the associated number of fatalities $N_{g,i,k}$. For societal risk, some countries have defined threshold values in the form of a pair of parallel straight lines with negative slope (Health and Safety Commission, 1991; Dutch National, 1989; ITSA, 1989): the zone below the lower line indicates acceptable levels of societal risk, the zone above the upper line corresponds, on the contrary, to unacceptable risk, while the intermediate zone indicates levels of risk which are still acceptable but must be reduced As Low As Reasonably Possible. By applying the previous definitions to each unit portion and by properly combining the results, the values of individual and societal risk can be obtained for the entire extension of the route or pipeline.

4. The approach developed for the Italian territory

The long time necessary to carry out a rigorous quantitative risk analysis for transport represents an obstacle to a wide adoption of this precious tool and becomes fully unacceptable in some specific circumstances, like a preliminary discrimination about risk acceptability or a fast evaluation of the expectable consequences after the occurrence of a release. The possibility of introducing some significant simplification in the procedure without excessively reducing the reliability of the results is the object of several activities in progress in different countries. With reference to the Italian situation, an interesting approach has been developed which represents a flexible tool, suitable for both simplified and rigorous risk analysis. The procedure is founded on the combination of different computing codes, two of which have been expressly built. The first step has been the preparation of a database containing all the information presently available about the parameters required to characterize the territorial environment, together with statistical data about incidentality. The database has then been combined with a Geographic Information System (GIS), thus establishing a correspondence between any location and its relevant information. The product is a comprehensive code which has been named MapRisk. At present it can be considered rather complete as far as road transport is concerned, while the implementation for rail and pipeline is in progress. The GIS included in MapRisk is supported by the commercial code ArcView, which is widely used and is capable of exchanging information with other common software packages. The map of the Italian territory reports the full network of motorways, national and provincial roads; each one of these roads has been subdivided into georeferenced segments of 1 km length to which the relevant data


example, the population densities and the incidentality rates match the step of segmentation, while meteorological data are available for a number of meteorological stations, each covering a region within a distance of 100 km on average. Beyond the road network, other indications of interest for the safety of transport have been expressly reported, like the provincial capitals, the principal industrial areas, the location of the motorway gates and the location of the meteorological stations. The map of the country is first displayed in its whole extension, as shown in Figure 1, but a multiple zooming system allows every selected portion to be shown with an increasing degree of visual detail.

[Figure 1: map of Italy. Legend: mean accident rate, years 1992/1995, for motorways and state roads (classes: 0; up to 1; 1 to 2; 2 to 4; over 4); localities; meteorological stations; borders; background.]

Figure 1. Global state road accident view over Italy.

For each segment of road the relevant data can be recalled by clicking on the segment; different layers of information can be recalled, showing the requested data both by different colours directly on the map and by means of specific tables superimposed on the map (Figure 2). More information, like, for example, the names of the cities or those of the motorway gates, which are usually hidden to prevent excessive overlapping, can be immediately recalled just by clicking on the proper button of the tool bar.


Figure 2. Information available for a 1 km portion of state road . 12.

MapRisk represents a precious source of territorial information for transport risk analysis, from which it is easy to identify the most critical aspects of a given itinerary, like the sites where the incidentality rate or the population density are particularly high, the coexistence of two or more of such critical situations, etc. All the recorded data can be manipulated to obtain averaged values over multiple segments of assigned lengths of route (Bubbico et al., 1999). Another important feature is that MapRisk can interact with other codes, directly supplying the individual or averaged data necessary for risk analysis calculations and, conversely, receiving the results of these calculations, which can be superimposed on the site maps, thus showing the extension of the areas affected by different levels of risk. The second code expressly developed has been named TrHaz and performs the risk analysis for transport according to a simplified approach, which can make use of either approximated or detailed information about the itinerary. The adopted simplified approach is based on the consideration that the real burden of the required calculations concerns the consequence analysis, which has to be repeated for each possible final event descending from each release scenario, under each weather condition of concern. To perform such analysis several specialized computation codes are commercially available which consider all the possible options of evolution, like the rate of release, the possible occurrence of a flash or aerosol generation, the evaporation rate from a pool and the dispersion of the vapours, as well as the thermal radiation from a jet fire, pool fire, fireball and flash fire, the overpressure and the concentration field.


The correct use of such codes is not simple, so skilled analysts are necessary; the time requested to run all the different cases remains, however, in the order of several hours if not days. The simplifying philosophy of TrHaz starts from the consideration that what is really needed from a consequence analysis is the maximum distance at which lethal effects are possible, the surface of the zone at risk and its angular width. Therefore, the entire procedure can be substantially speeded up if these data are estimated in advance for each type of final event and the results are then recorded in a database, together with other information about the product. Accordingly, two release scenarios have been selected on the basis of the historical data listed in the Fire Brigades records (Banca Dati VV.F, 1993), corresponding to a medium and a catastrophic release (Bubbico et al., 1998b), together with 6 typical weather conditions, listed in Table 1, derived from the data recorded over a 7 years period in about 30 meteorological stations (ISTAT, 1994). Then, the evolution of each release scenario into the possible final accidental events has been simulated using a commercial consequence analysis code (DuPont, 1996), obtaining the values of the three parameters previously cited under each weather condition. This information is contained in the product data bank of TrHaz, which also includes the relevant probability of the release scenarios and of the final accidental events.
Table 1: Reference weather conditions used in TrHaz.

| Weather condition (#) | Temperature (°C) | Wind velocity (m/s) | Humidity (%) |
|---|---|---|---|
| 1 | 5 | 3 | 77 |
| 2 | 5 | 6 | 77 |
| 3 | 14 | 3 | 71 |
| 4 | 14 | 6 | 71 |
| 5 | 26 | 3 | 68 |
| 6 | 26 | 6 | 68 |

As far as the information about the itinerary is concerned, the starting point of the approximated procedure is the observation that in many cases simplifications are intrinsically introduced by the lack of sufficiently detailed data, which obliges the analyst to assume constant values of one or more parameters over a long section of the road. A first way to simplify the risk analysis for transport is that of grouping the many parameters involved into a limited number of classes represented by leading ones which are naturally correlated to some of the others. For example, the incidentality rate mainly depends on the type of road (or railway); the population density is correlated to the definition of the area; etc. The default values of such leading parameters, assessed on the basis of a statistical analysis of the available historical data recorded in Italy (Bubbico et al., 1998b), are reported in Tables 2 and 3.
Table 2: Accident rates used in TrHaz.

| Route type | Accident rate (#/km year / vehicle/year) |
|---|---|
| Highway | 1.5 × 10⁻⁷ |
| National road | 4 × 10⁻⁸ |
| Provincial road | 9 × 10⁻⁹ |
| Urban street | 5 × 10⁻⁷ |
| Railway | 6.6 × 10⁻⁸ |


Table 3: Population density classes used in TrHaz.

| Population density (#/km²) | Class |
|---|---|
| 10 | Remote |
| 200 | Rural |
| 1500 | Suburban |
| 10000 | Urban |

According to this approach a simplified risk analysis can be carried out quite rapidly by selecting, for each single or multiple segment of route (railway or pipeline), the proper values of the leading parameters among the default ones, picking out the relevant figures from the consequences database and then performing the calculations necessary to determine the level of risk, according to eqs. (1-3). In very short time (typically 12 minutes) TrHaz performs the necessary calculations and outputs, for each type of road, the individual geographical risk as a function of the perpendicular distance from the road, and the FN curves, as shown in Figures 3 and 4. The typical risk thresholds according to the Health and Safety Commission (1991) standards are also shown, to give an immediate indication of the order of magnitude of the risk.
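A minimal version of this simplified procedure, written as an added example (it is not TrHaz code): each portion of route takes its accident rate and population density from Tables 2 and 3, eqs. (2) and (3) give one (F, N) pair per final event, and the pairs are accumulated into an FN curve. The product data, the itinerary and the use of the trips-per-year factor T in eq. (2) are assumptions made for the example; F is taken as the frequency of N or more fatalities.

```python
"""FN curve for a route from eqs. (2)-(3), using the Table 2 and Table 3 defaults."""

# Table 2 of the page: accident rate for each route type.
ACCIDENT_RATE = {
    "Highway": 1.5e-7,
    "National road": 4e-8,
    "Provincial road": 9e-9,
    "Urban street": 5e-7,
    "Railway": 6.6e-8,
}
# Table 3 of the page: population density (#/km^2) for each class.
POPULATION_DENSITY = {"Remote": 10, "Rural": 200, "Suburban": 1500, "Urban": 10000}

# Constructed stand-in for the product data bank (NOT values from the page):
# release probability R_i and, per final event k, the outcome probability P_ik,
# the consequence area CA_ik (km^2) and the probability of fatality PF_ik.
PRODUCT = {
    "medium": {"R": 0.1, "outcomes": {
        "jet fire": {"P": 0.2, "CA": 0.005, "PF": 0.5},
        "flash fire": {"P": 0.1, "CA": 0.02, "PF": 0.3}}},
    "catastrophic": {"R": 0.01, "outcomes": {
        "fireball": {"P": 0.5, "CA": 0.1, "PF": 0.8},
        "toxic cloud": {"P": 0.3, "CA": 0.5, "PF": 0.1}}},
}

# Constructed itinerary: (route type, population class, length in km) per portion.
ROUTE = [
    ("Highway", "Rural", 40.0),
    ("National road", "Suburban", 12.0),
    ("Urban street", "Urban", 3.0),
]


def route_events(route, trips_per_year):
    """Return one (F, N) pair per portion g, release size i and final event k."""
    events = []
    for route_type, pop_class, length_km in route:
        rate = ACCIDENT_RATE[route_type]
        density = POPULATION_DENSITY[pop_class]
        for release in PRODUCT.values():
            for outcome in release["outcomes"].values():
                # Eq. (2), scaled by the trips per year T (assumption of this example).
                freq = trips_per_year * rate * release["R"] * length_km * outcome["P"]
                # Eq. (3): fatalities for this outcome on this portion.
                fatalities = outcome["CA"] * density * outcome["PF"]
                events.append((freq, fatalities))
    return events


def fn_curve(events):
    """Return [(N, F)] sorted by N, with F the frequency of N or more fatalities."""
    curve, cumulative = [], 0.0
    for freq, fatalities in sorted(events, key=lambda e: e[1], reverse=True):
        cumulative += freq
        if curve and curve[-1][0] == fatalities:
            curve[-1] = (fatalities, cumulative)   # same N: merge into one point
        else:
            curve.append((fatalities, cumulative))
    return curve[::-1]


if __name__ == "__main__":
    for n, f in fn_curve(route_events(ROUTE, trips_per_year=1000)):
        print(f"N >= {n:8.1f}   F = {f:.3e} per year")
```
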
[Figure 3 plot: individual risk IRx,y (#/year) on a logarithmic axis versus distance from the road (m), from 0 to 1000 m, with curves for urban street, motorway and national road.]

Figure 3. Typical individual risk diagram calculated by TrHaz.

It is obvious that any simplification introduced in the procedure of risk analysis implies a loss of accuracy. The reliability of the results obtained by TrHaz using the simplified information about the route remains, however, notably good in spite of the drastic reduction of the total time required, as may be noticed from the plot of Figure 4, referring to a transport of ethylene oxide over a southern Italy itinerary, described in detail elsewhere (Bubbico et al., 1998a), where the FN curve obtained using TrHaz is compared with that coming out from a rigorously performed procedure (Bubbico et al., 1998b).

[Figure 4 plot: F (#/year) versus N on logarithmic axes (N from 10 to 100000), with the curves "detailed" and "TrHaz" and the "High risk" and "Low risk" threshold lines.]

Figure 4. Typical FN curve calculated by TrHaz.

The improved version of TrHaz making use of detailed route information, which is almost ready, will be able to interact with the code MapRisk in order to get directly from it all the route-dependent information for each 1 km portion of the itinerary. This more detailed approach will ensure a greater accuracy of the calculated risk levels and will simplify the data input step. At the same time, the interaction between the TrHaz and MapRisk software will also allow the impact areas calculated by the former to be superimposed on the proper maps displayed by the latter. This will make it possible to properly display the extension of the zone at risk or the position of the isorisk curves on the map, together with related information useful in case of emergency, like people concentrations, connecting roads, the location of public services, fire brigades, hospitals, etc.

5. Conclusions

A rigorous risk analysis for transport of hazardous materials is a much more complex and time consuming task than one referred to fixed installations, because of the larger number of parameters involved and of their continuous variability along the route. On the other hand, the required data are not always available in a complete and reliable form, and this limits the accuracy of the attainable results.


Simplified procedures are therefore appreciated, especially when a great accuracy is not requested, as, for example, to discriminate about risk acceptability or to compare different trip alternatives, or when the analysis must be carried out in a short time, like in emergency conditions. The approach illustrated here is oriented in this direction: it joins a vast collection of basic data, directly referred to the territory by means of a Geographic Information System, with a procedure based on the pre-estimation of the zone at risk by means of the usual consequence analysis tools, using approximated or detailed route information for performing the final risk assessment. The approach is founded on the combined use of the two expressly developed computation codes MapRisk and TrHaz which, in turn, contain or exploit some commercial software. The procedure is presently ready for road transport and considers 15 products selected among the chemicals and fuels most frequently and quantitatively subject to transport. The completion for rail and pipeline transport is in progress, as well as the extension of the materials list. The structure of the procedure is also under improvement, with the objective of a full interaction between the two computation codes which should allow the automatic mutual transfer of data, thus reducing the input preparation time on one side and offering, on the other, a more complete and meaningful display of the results. The procedure has obviously been referred to Italy, but the approach and the computational structure are valid for any other territorial situation, provided that the proper collections of data are introduced.

6. Acknowledgement

The financial support of the National Group for Preventing Chemical, Industrial and Ecological Risks of C.N.R., Italy, is gratefully acknowledged.

References
Banca Dati Incidenti, VV. F., (1993), Roma.
Bubbico, R., Di Cave, S., Mazzarotta, B., (1998a). Prov. Proc. SRA 1998 Annual Conference "Risk analysis: opening the process", 4.3, 1-10, Paris, 11-14.10.1998.
Bubbico, R., Di Cave, S., Mazzarotta, B., (1998b). J. Loss Prev. Proc. Ind. 11, 49-54.
Bubbico, R., Di Cave, S., Mazzarotta, B., (1999). "Transportation risk analysis: a GIS approach", to be presented at EMChiE 99, Krakow, 1-3.9.1999.
Cannalire, C., Di Cave, S., Mazzarotta, B., Spagnesi, P., (1995). Loss Prev. Saf. Prom. in the Proc. Ind., Ed. J.J. Mevis, H.J. Pasman, E.E. Rademaeker, Vol. II, Elsevier Science B.V., Amsterdam.
CCPS, (1995). "Guidelines for chemical transportation risk analysis", AIChE, New York.
Council Directive 82/501/EEC of 24 June 1982 on the major accident hazard of certain industrial activities ("Seveso I" Directive).
Council Directive 96/82/EC of 9 December 1996 on the control of major accident hazard involving dangerous substances ("Seveso II" Directive).
DuPont, (1996). Safer System "TRACE 8 User Guide", Westlake Village.
Dutch National Environmental Policy Plan, (1995). "Premises for risk management", Second Chamber of the State General, Session 1988-89 (Vol. 5), The Netherlands.
Gadd, S.A., Leeming, D.G., Riley, T.N.K., (1998). Proc. 9th Int. Symp. Loss Prevention and Safety Promotion in the Process Industry, Vol. 1, 308, Barcelona, 4-7.5.1998.
Health and Safety Commission, (1991). "Major Hazard Aspects of the Transport of Dangerous Substances", HMSO, London.
ISTAT, (1994). "Statistiche Meteorologiche anni 1984-1991", Annuario n. 25, Roma.
Tiemessen, G., van Zweeden, J.P., (1998). Proc. 9th Int. Symp. Loss Prevention and Safety Promotion in the Process Industry, Vol. 1, 299, Barcelona, 4-7.5.1998.


Simulation of port traffic regularity, possible future traffic scenarios


Siegfried Eisinger, Inger Anne F. Stermo
Det Norske Veritas AS, Veritasveien 1, 1322 Høvik, Norway

Abstract

This paper demonstrates how modern simulation techniques can be used to make detailed regularity analyses of traffic situations. Limitations inherent in analytical techniques can be overcome by using simulation, such that models become virtually as realistic as the resources allow. Due to simple relations between reality and the model, results based on simulation can be easily communicated to decision-makers. In addition, it is easier to deal with criticism against model simplifications, since more sophisticated modelling will, at least in principle, be possible. As an example we present a traffic regularity study of the port at Lisas Point, Trinidad. In connection with the new aluminium smelter project in Trinidad, Norsk Hydro ASA [1] has commissioned DNV to carry out a regularity assessment of an expansion of the already existing Hydro Agri Port. The expansion will consist of two new jetties (Smelter Bulk and Smelter Cargo) for transportation of alumina, petrol coke, liquid pitch, general cargo and metal. The objective of the study was to investigate whether the expansion will lead to appreciable negative effects for the current users of the port and for Hydro Aluminium as a new user.

1. The model

Figure 1 shows the physical configuration of the port at Lisas Point, with the sketched new Smelter jetties Smelter Bulk (SB) and Smelter Cargo (SC). The port configuration is such that the traffic is subject to constraints and rules, e.g. only one ship can operate in the channel at any time, and ships beyond a certain size cannot operate in the port during the night. In addition, the regularity analysis should be based on real assumptions concerning all operational times, e.g. loading/unloading, which are given by the operators. To implement these features as realistically as possible it was decided to use a simulation approach. As a simulator, EXTEND [2] is used. Beyond a good performance as a discrete event simulator, the management of the simulation flow with items (ships in our case) is a well-suited feature for this case. The total port model is built up in two levels. The top level model is shown in Figure 2. This level includes all ship types, the port entrances, the 'In Channels', the jetties, the 'Out Channels' and the ship exits. The details of most of these sub-systems are modelled in hierarchical blocks on the next lower level. In this way the simulation model is kept well arranged.

Figure 2. Top level simulation model for one of the new jetties (Smelter Cargo in this case).

Figure 2 shows the general layout of the port model. Due to limited space, only one jetty is shown here (jetty SC), in addition to the management facilities on the left. The 'Executive' block on the upper left is present in all discrete event simulations and manages the event and time flow in the model. The blocks 'Channel&Basin', 'InnerChannel' and 'Inner Harbour' are resource pools. At the start of each simulation these contain exactly one resource of the different types. These resources are then used to implement most of the constraints.

The model for the jetties works in the following manner (from left to right in Figure 2). Ships enter the model according to a "randomised schedule", taking account of all relevant properties. The block 'Schedule' contains information on all types of ship dedicated to the relevant jetty. The following information is entered for every type of ship: the number of ships of that type which are expected during one year and the total required time in the port for that type of ship. No other information is accessible (e.g. ships arriving periodically), therefore the schedule is randomised with respect to the sequence between ships. The schedule is passed on to the program block of the respective ships (modelled within 'SC, *'). Note that the schedules for different jetties are assumed independent, i.e. the different jetties will not co-ordinate their activities.

All ships related to a jetty are merged and will sail through the 'Closed Harbour' gate to the 'Entrance' queue. The 'Closed Harbour' gate can be used to model special situations (e.g. bad weather) which require the harbour to close. The model base case is defined such that the harbour will close randomly for one day per year. In the 'Entrance' queue, a ship waits until the jetty becomes idle. A special gate mechanism (modelled within 'In channel') ensures that only one boat may stay in a jetty section at any time. Additional ships will wait in the 'Entrance' queue. When the jetty becomes idle, the first arrived ship enters the 'In Channel' block. This block ensures that the ship waits until all relevant constraints are fulfilled (e.g. max. one boat in the outer channel) and then allows the ship to sail to its jetty (modelled within 'SC'). At the jetty (to the right of Figure 2) the ship will disconnect tugs, connect to the jetty, load/unload, perform administrative duties and wait for the channel to be free again for departure (modelled within 'SC'). When the channel becomes free the ship will disconnect, connect tugs, turn and sail out of the port. These activities are performed in the block 'Out Channel'. In the 'Finished' block the arrived ships are counted and deleted from the model.

2. Model verification

Model verification must be performed to ensure that the model is complete and consistent and that it provides reasonable output. Some elements for verification can be:
- Separate simulation runs on sub-systems.
- Simulation runs on special situations which lead to simplified, more easily verifiable results. E.g. waiting at the entrance should go to zero if the port is never closed and the ships arrive perfectly planned.
- Monitoring of control variables, e.g. queue lengths.
- Model animation, which should be supported by the simulator.

2.1 Simulation results

Simulation runs have been performed with Base case settings with two configurations: with the new Smelter jetties and without them. The simulation time has been set to 10 years of port operation, which gives good statistical estimates. Maximum values will also refer to these ten years. Here we give some main results from the Base case and discuss important sensitivities.

2.1.1 Base case

From the simulation runs a lot of numbers are obtained and stored. The most important of these numbers are given in the table below.
Table 1: Key results from simulation run of base case, both with and without the new SB and SC.

| | Mean waiting time due to occupied jetty | Max. waiting time due to occupied jetty | Mean waiting time due to occupied channel | Max. waiting time due to occupied channel |
|---|---|---|---|---|
| SB and SC included | 0.78 | 61.8 | 0.042 | 2.48 |
| SB and SC not included | 0.18 | 31.5 | 0.009 | 1.08 |

Clearly, the waiting times due to an occupied channel are acceptable and no alarming increase for this waiting time is found when the new Smelter jetties are added. The waiting time due to occupied jetty increases when the Smelter jetties are added. This increase is solely attributed to the Smelter jetties, and mainly to the Smelter Bulk jetty, which is assumed to have a utilisation as high as 40% in the base case. This is also confirmed by Figure 3, where the waiting time for a free channel is shown as a function of increased general traffic. All waiting times are perfectly acceptable.

[Figure 3 plot: waiting time (logarithmic axis, 0.01 to 10.00) versus traffic increase [%] (0 % to 150 %), with four series: WaitAv with SB & SC, MaxWAv with SB & SC, WaitAv without SB & SC, MaxWAv without SB & SC.]

Figure 3. Effects of traffic increase on waiting time for a free channel. (WaitAv: Average Waiting time, MaxWAv: Maximum Waiting time).

2.2 Waiting times due to occupied Jetty

In addition to the waiting times caused by a non-free channel or basin or by harbour closure, the possibility of waiting caused by an occupied jetty exists. Note that the simulation model keeps these waiting times completely separate, such that consequences can be clearly attributed to their causes. This is important, since waiting for a free jetty does not disturb other port operators and the total port regularity. Figure 4 shows the effect of the planning situation on the waiting times for free jetties 'Smelter bulk' and 'Smelter cargo'. The x-axis shows a typical deviation from perfect planning, i.e. the ship is typically early or late by this amount of time. For perfect planning (ships arrive just when they should) no waiting occurs, but with increasing deviations the waiting times increase until some saturation is reached when ships arrive completely at random.

Figure 4. Mean waiting times at the entrance of the port caused by occupied jetties in dependence on deviations to perfect planning.
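The jetty and channel rules of the model, and the planning effect described for Figure 4, reduced to a small discrete-event simulation as an added example (this is not the authors' EXTEND model). Two jetties share a one-ship channel, and the wait for a free jetty is recorded separately from the wait for a free channel; the transit time, load times, arrival intervals and the uniform arrival error are constructed values, chosen so that SB has the 40% planned utilisation quoted in the text.

```python
"""Minimal discrete-event model: two jetties sharing a one-ship channel."""
import heapq
import random
from collections import deque

TRANSIT = 1.0  # hours to sail the channel, each way (constructed value)
# Constructed plans: hours between planned arrivals and hours alongside.
# SB: (1 + 22 + 1) / 60 = 40 % planned utilisation.
JETTIES = {"SB": {"interval": 60.0, "load": 22.0},
           "SC": {"interval": 48.0, "load": 10.0}}


class Resource:
    """Pool holding exactly one unit (the channel or a jetty), FIFO queue."""
    def __init__(self):
        self.busy = False
        self.queue = deque()


class Sim:
    """Event list and clock, the role of the 'Executive' block."""
    def __init__(self):
        self.now = 0.0
        self.events = []
        self.seq = 0

    def schedule(self, time, proc):
        heapq.heappush(self.events, (time, self.seq, proc))
        self.seq += 1

    def run(self):
        while self.events:
            self.now, _, proc = heapq.heappop(self.events)
            self.advance(proc)

    def advance(self, proc):
        """Run one ship until it must wait for time or for a resource."""
        for cmd, arg in proc:
            if cmd == "hold":
                self.schedule(self.now + arg, proc)
                return
            elif cmd == "request":
                if arg.busy:
                    arg.queue.append(proc)   # resumed by the releasing ship
                    return
                arg.busy = True
            elif cmd == "release":
                if arg.queue:                # hand the unit to the first waiter
                    self.schedule(self.now, arg.queue.popleft())
                else:
                    arg.busy = False


def ship(sim, jetty, channel, load, waits):
    """One ship: entrance queue, in channel, jetty, out channel, finished."""
    arrived = sim.now
    yield "request", jetty            # 'Entrance' queue: wait for an idle jetty
    jetty_wait = sim.now - arrived
    asked = sim.now
    yield "request", channel          # 'In Channel': one ship at a time
    channel_wait = sim.now - asked
    yield "hold", TRANSIT
    yield "release", channel
    yield "hold", load                # loading/unloading at the jetty
    asked = sim.now
    yield "request", channel          # 'Out Channel'
    channel_wait += sim.now - asked
    yield "hold", TRANSIT
    yield "release", channel
    yield "release", jetty
    waits.append((jetty_wait, channel_wait))


def mean_waits(deviation, n_ships=200, seed=1):
    """Mean (jetty wait, channel wait) in hours for the SB ships.

    Each ship arrives at its planned time plus a uniform error in
    [-deviation, +deviation] hours (constructed arrival model).
    """
    rng = random.Random(seed)
    sim, channel, waits = Sim(), Resource(), {}
    for name, plan in JETTIES.items():
        jetty, waits[name] = Resource(), []
        for k in range(1, n_ships + 1):
            t = k * plan["interval"] + rng.uniform(-deviation, deviation)
            sim.schedule(t, ship(sim, jetty, channel, plan["load"], waits[name]))
    sim.run()
    sb = waits["SB"]
    return (sum(w[0] for w in sb) / len(sb), sum(w[1] for w in sb) / len(sb))


if __name__ == "__main__":
    for dev in (0.0, 12.0, 30.0, 60.0):
        jetty_wait, channel_wait = mean_waits(dev)
        print(f"deviation {dev:5.1f} h: jetty wait {jetty_wait:6.2f} h, "
              f"channel wait {channel_wait:5.2f} h")
```

With zero deviation the mean wait for a free jetty is exactly zero, which is the verification case named in section 2; any remaining wait is then attributable to the shared channel alone.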


The planned utilisation, especially of the Smelter Bulk jetty, is quite high (40%), which gives special importance to planning. Similarly, increased traffic increases the waiting times for a free jetty, especially for highly utilised jetties. This is shown in Figure 5 for the Smelter Bulk and Smelter Cargo jetties.

Figure 5. Mean waiting times at the entrance of the port in dependence on increased traffic level (number of ships per year).

Waiting times may be compensated by increased efficiency concerning loading and unloading. This is shown in Figure 6, also for the two Smelter jetties.
[Figure 6 plot: mean waiting time versus reduced (un)load time [%] (0 % to 30 %), with series SB and SC.]

Figure 6. Mean waiting times at the entrance of the port in dependence on reduced loading/unloading times.

2.3 Result summary

From a regularity point of view, no objections against two new jetties at the existing port can be seen. Given that our input numbers represent the system well, the average waiting time due to an occupied channel will increase by about 2 min. (see Table 1), which is negligible in practical operations. The corresponding maximum waiting times in 10 years of operation increase from about 1 hour to 2.5 hours. Our study shows that the waiting time does not increase appreciably even if:
- the number of days with harbour closures is increased from 1 to 10,
- the total traffic load is doubled.

This illustrates that traffic restrictions in the channel should not occur when the new jetties are added. Note that only those waiting times are considered which influence other parties in the port. Waiting times caused by internal problems (like occupied jetties) are not included.

For the Smelter Bulk and Smelter Cargo jetties more detailed analyses have been performed. The waiting times due to occupied jetty were given special consideration. Due to a utilisation factor of about 40% for the Smelter Bulk jetty (for the traffic level in the base case), the waiting time due to occupied jetty is quite high (about 2.7) in the base case. Moreover, this waiting time is quite sensitive to all relevant parameter changes:
- Traffic increases within the jetty cause much increased waiting times.
- The scheduling of ships is an important activity. Increased arrival deviations can cause much increased waiting times for all ships dedicated to this jetty.
- Increased efficiency in loading/unloading will reduce the waiting times considerably.

These considerations should be kept in mind when more detailed operational plans are made for the new jetties. Higher utilisation numbers require better planning of operations.

References
[1] Norsk Hydro ASA, TrinAlum Berth Project. DNV report. Project No. 99-67010432
[2] Extend. Imagine That, Inc. 6830 Via Del Oro, Suite 230, San Jose, CA 95119-1353, USA


Effectiveness of safety measures in maritime operations


Svein Kristiansen, Torkel Soma
Norwegian University of Science and Technology
Division of Marine Systems Design
7491 Trondheim, Norway

Abstract

An approach for assessing the effect of safety controls on the policy level is proposed, outlined, and demonstrated with a limited set of empirical data. Focusing on impact accidents, the probability of loss of navigational control may be taken as a safety level criterion. The paper describes how this criterion can be estimated on the basis of direct and basic causal factors in a fault-tree-like way. A way of expressing the effect of safety control areas on the probability of causal factors is further proposed. The parameters in the model have been estimated on the basis of a Delphi type questionnaire study. Preliminary findings based on the model give an indication of the potential effect of the ISM Code. An interesting observation is that the maximum risk reduction is already obtained around 50 % implementation of the code.

1. Introduction

The understanding of why maritime accidents happen and how they might be prevented is still not very well developed. This fact can partly be explained by the complexity of the accident itself and that it often involves a series of critical events and a multitude of causal factors. Even the cause, as a concept, is a source of confusion in the sense that it might be defined and analyzed in different and often competing scientific perspectives (Kristiansen, 1995). The work towards higher safety is taking place in many arenas: regulations, certification, technological innovations, training, human factors and quality management. This effort has given significant results, but there is still a considerable pressure on the industry dictated by such concerns as environmental protection. There has always been a certain conflict between commercial efficiency and safety. This very fact makes it necessary that the resources available for safety are spent in the most cost-effective way. This might be obtained by applying cost-benefit analysis and probabilistic risk analysis. The key question here is to assess the effectiveness of potential safety measures. As already pointed out, this raises certain problems related to the inadequate understanding of maritime accidents. With these reservations in mind, this paper will outline an approach for estimating the effect of preventive measures within the framework of impact accidents (collision and grounding).


2. Safety performance

Safety in international shipping has been a subject of increasing concern during this century. Major milestones in the work towards higher safety were the introduction of the SOLAS, MARPOL, STCW and ISM codes of IMO. The average loss rate has decreased at an annual rate of 2.4 % (Lancaster, 1996). This improvement has also been witnessed for navigational or impact related casualties such as collision and grounding. Although the collision rate has been moderate for a considerable period, as can be seen from Figure 1, further improvement has been gained. The decrease in loss rate due to grounding has however been more distinct. In 50 years it has gone down from 3 to 0.6 losses/ship-year, which represents a reduction by a factor of 5, which is dramatic.

[Figure 1: plot not recoverable from the extraction. Series: Collision, Wrecked, Total lost. Horizontal axis: Year.]

Figure 1. Loss ratio of world merchant fleet. Loss ratio: Total losses per 1000 ship-years (Source: Lloyd's Register).

It is however a problem that the different segments of shipping show a significant variation in performance. Figure 2 gives an indication of the spread in loss rate within the world fleet. It appears that the performance varies by a factor of 10 between the best and the worst flag state fleets. It has been established that there is a correlation between accident rate and safety standard expressed in terms of deficiency rate and detention rate (Kristiansen & Olofsson, 1997). See Figure 3. It can be concluded from this observation that there is still room for safety improvement in shipping, but that the effort will have the greatest payoff when directed towards the lowest performing segments of the fleet. That is not least a fact when implementing the ISM Code.


[Figure 2: bar chart not recoverable from the extraction. Categories: Worst, Med., Mean, North, Top.]

Figure 2. Loss rate for different segments of the world merchant fleet. Number of losses per 1000 ship-years. 1990-93. Data source: Lloyd's Register. Worst: Group with highest loss rate; Med: Mediterranean; Mean: Mean for world fleet; North: Northern Europe; Top: Group with lowest loss rate.

Figure 3. Loss rate versus detention and deficiency rate. Percentage of vessels inspected by Port State Control. Deficiency: Non-conformity. Detention: Vessel withheld due to seriousness of non-conformity.

3. ISM - Quality management in shipping

The regulation of safety in shipping has to a large degree been based on the principle of prescription, where the industry is given rules and regulations to follow. For example, the provisions of SOLAS 1974, MARPOL 73/78, Collision Regulations, Load Line Convention and STCW 78/95 provide the basis of the external regulatory framework. A more ambitious stage is presently being entered by the creation of a culture of self-regulation of safety, where regulation goes beyond the setting of externally imposed compliance criteria. The new approach concentrates on the role of internal management and organisation for safety and encourages individual companies to set their own targets for safety performance. Self-regulation also emphasises the need for every company and individual to be responsible for the actions taken to improve safety, rather than seeing them imposed from outside. This requires the development of company specific, and in the case of shipping, vessel specific, safety management systems (SMS). Another important principle is that safety problems are addressed by those who are directly involved and affected by the operations and potential unwanted consequences.

The ISM Code itself is a fairly short document of about 9 pages (, 1994 &1995). The main purpose of ISM is to demand that individual ship operators create a safety management system that works. The Code does not prescribe in detail how the company should undertake this, but just states that some main areas of measures have to be addressed. The philosophy behind ISM is commitment from the top, verification of positive attitudes and competence, clear placement of responsibility and quality control of work. IMO has stated the following objectives for the adoption of a management system:
1. to provide for safe practices in ship operation and a safe working environment,
2. to establish safeguards against all identified risks,
3. to continuously improve the safety management skills of personnel ashore and aboard, including preparing for emergencies related both to safety and environmental protection.

This clearly shows that ISM has a relation to existing or traditional approaches such as technical solutions, training, emergency preparedness and risk analysis.

The ISM Code specifies certain requirements for a safety management system (SMS) of the operating Company. In order for the SMS to work, certain distinct functions have to be in place. The different chapters in the ISM Code cover these elements or roles of the system. The objective and policy element states how safety and environmental protection are approached in the SMS. The requirements element points both to applicable rules and regulations and to the functions that constitute the system. The core of the SMS is made up of certain controls which are defined in terms of (Kristiansen & Olofsson, 1997):
- responsibility and authority,
- supply of resources and support,
- procedures for checking of competence and operational readiness,
- training,
- shipboard operations,
- minimum standards of the maintenance system.

Chapter 11 of ISM states that the SMS shall be adequately documented and may be seen as a product of the establishment of controls. Another key feature of the ISM concept is the definition of a monitoring function, which is based on audits and reporting of events. The auditing shall ensure that errors and shortcomings in the SMS are corrected and that the system is updated in view of new requirements and conditions.


The auditing and event reporting will also address system errors and hazards directly and this may lead to corrective actions in terms of modified systems and improved human competence. Chapter 13 mainly states that the company should have a certificate of approval that states that its SMS is in accordance with the intention and specific requirements of the ISM Code. This item is therefore not relevant for the material content of the SMS and will not be addressed further in this project. The interaction of the different elements in the ISM Code is outlined in Figure 4.

[Figure 4 diagram; text of the boxes as recovered:]
2. SAFETY & ENVIRONMENTAL PROTECTION POLICY
SAFETY POLICY REQUIREMENTS
RELEVANT IMO CONVENTIONS
LEGISLATIVE REQUIREMENTS
THE DEVELOPMENT OF CONTROLS: HAZARD IDENTIFICATION & RISK ASSESSMENT; 1.2.2.2 ESTABLISH SAFEGUARDS; 10.3 IDENTIFY CRITICAL SYSTEMS; 3. RESPONSIBILITIES & AUTHORITY; 4. DESIGNATED PERSONS; 6. RESOURCES & PERSONNEL; 7. PLANS FOR OPERATIONS; 8. EMERGENCY PREPAREDNESS
SAFETY MANAGEMENT SYSTEM (SMS): 11. DOCUMENTATION
THE IMPLEMENTATION OF CONTROLS: 5. MASTER'S RESPONSIBILITY & AUTHORITY
PERIODIC SYSTEM REVIEW: 12. INTERNAL COMPANY VERIFICATION, REVIEW AND EVALUATION
MONITORING THE SM SYSTEM: PROACTIVELY: 12. THE ISM AUDIT; REACTIVELY: 9. REPORTS & ANALYSIS OF ACCIDENTS

Figure 4. ISM - Functional interrelationships.

4. Risk assessment model

A well known and often applied approach for estimating the frequency of impact related accidents is to take the product of two probabilities, namely the probability of loss of navigational control and the conditional probability of being on a critical course (Kristiansen, 1983). This can be expressed as follows:

$$P(C) = P(K) \, P(S \mid K)$$

where:
$P(C)$: Probability of accident due to loss of navigational control;
$P(K)$: Probability of loss of navigational control;
$P(S \mid K)$: Conditional probability of colliding, grounding or stranding if navigational control is lost.

The conditional probability of a critical course assumes that the vessel maintains a fixed straight course and does not give way to fairway obstructions and maritime traffic. This means that it is dependent on geometrical factors such as the dimensions of shoals and approaching vessels. This element of the assessment model is represented by the left hand side in the structural diagram of the model given in Figure 5. The model can therefore be applied for specific routes and traffic scenarios (Soma, 1998).

[Figure 5 diagram; text of the boxes as recovered, from top to bottom:]
Casualty: Grounding & Collision
Vessel on hazardous course
Loss of navigational control
Visibility; Fairway; Marine traffic
Direct Cause: Failure or error onboard vessel. 9 DC groups - 2S DC
RISK FACTORS
Navigation; Vessel control
Basic Cause: Casualty inducing factors. 3 BC groups - 14 BC. Individuals; Organisation; Work place
Risk control areas. 5CA. Technical / Personnel / Operations / Safety mgt / Top level mgt / Infrastructure
Safety measure: ISM

Figure 5. Assessment model - structure of functional modules.


The probability of loss of control may be seen as the cut-set or union of all potential failures and errors that might take place onboard the vessel. It involves technical failure, operator error and extreme environmental effects. These so called Direct Causes are organized in 9 groups and 29 unwanted events. They are related in a fault tree that for simplicity reasons only has "or-gates":

$$P(K) = \bigcup_{i=1}^{29} \left[ P(DC_i) \right]$$

where: $P(DC_i)$ = probability of the i'th direct cause.

It is acknowledged that most accidents are a function of more than one critical event, but the lack of data dictates this simplification. A more detailed description of the direct causes is given in the Appendix.

It is generally accepted today that the unwanted events should be seen in the light of the available resources within the managing company: personnel, organization and management, and job factors. Firstly, the individuals may have mental or physical limitations and inadequate competence and skills. Secondly, the organization may in the same way be ridden by different "health problems" and have inadequate management to ensure quality in the decisions. Thirdly, it is well established that physical conditions and the ergonomics of the work place are vital for a safe operation. These factors are termed Basic Causes in the model and consist of 14 factors which are defined in greater detail in the Appendix. Numerically each direct cause, $DC_i$, can be expressed by a weighted sum of the probabilities of the basic causes:

$$P(DC_i) = \sum_{j=1}^{14} \left[ P(BC_j) \cdot w_{ij} \right]$$

where: $w_{ij}$ = weight of $BC_j$ with respect to $DC_i$.

The last modeling level is the set of Risk Control Factors, which express the broad areas for safety improvement: Technical, Personnel, Operational, Safety Management, Top level management and Infrastructure. The nature of these areas is described by keywords in the Appendix. The control factor represents a conceptual problem in the sense that it cannot be defined exhaustively, because new innovations are seen continuously. It is in other words an unbounded set of known and potential safety measures. Each control area has a certain impact on the basic causes. The model expresses this impact by stating the relative reduction of the probability of a basic cause given a 100% implementation of the control area in question. The modeling approach will be outlined further in the following chapter.


5. Model estimation

As pointed out in the introduction, there exists little systematic data on the frequency of causal factors. Alternative research designs for estimation of the frequencies were assessed (Soma, 1998). It was decided to do a Delphi type of questionnaire survey with maritime college students. The first part of the survey was to estimate the frequencies of the direct and basic causes. An approach using pairwise comparison was applied. This implies that the relative importance of causal factors is assessed two-by-two. The fact that the number of combinations of factors was quite large required that certain simplifications were made. The following approach was taken:

Exercise 1: Ranking of direct causes within each direct cause group.
Exercise 2: Ranking of the effect of basic cause groups on each direct cause.
Exercise 3: Ranking of basic causes within each basic cause group.

The design of the questionnaires for these exercises is shown in Table 1 to Table 3. The respondents were asked to assess the relative importance of pairs of causal factors on a bipolar scale. The scale has 7 values, which gives the following alternatives to the respondent: Equal importance, slightly higher, higher and much higher. Numerically the ranking has been given the following numbers: 1, 3, 5 and 7. Each set of coded answers may be processed in order to give an absolute ranking of all factors within each group. This process involves certain matrix and normalization operations. One technicality is that the bipolar scale has to be transformed to a unipolar scale as shown in Table 4. This can be explained by the following statement: If A is 3 times as important as B, it follows that the importance of B is 1/3 of that of A.

Table 1: Questionnaire for Exercise 1. Ranking within Direct cause group. Case example: Group "Incapacitation of OOW".
Scale between the two causes: Much higher (7) | Higher (5) | Slightly higher (3) | Equal (1) | Slightly higher (3) | Higher (5) | Much higher (7)
Direct cause (left)  | Direct cause (right)
OOW absent, absorbed | OOW inattention
OOW absent, absorbed | Too high work load
OOW inattention      | Too high work load

Table 2: Questionnaire for Exercise 2: Effect of Basic cause group on Direct cause. Case example: Incapacitation of OOW.
Scale between the two groups: Much higher (7) | Higher (5) | Slightly higher (3) | Equal (1) | Slightly higher (3) | Higher (5) | Much higher (7)
Basic cause group (left) | Basic cause group (right)
Personnel factors        | Job factors
Personnel factors        | Org. and management
Job factors              | Org. and management


Table 3: Questionnaire for Exercise 3: Ranking of Basic causes within Group. Case example: Personal factors.
Scale between the two causes: Much higher (7) | Higher (5) | Slightly higher (3) | Equal (1) | Slightly higher (3) | Higher (5) | Much higher (7)
Basic cause (left)          | Basic cause (right)
Lack of skill               | Inadeq. physical capability
Lack of skill               | Lack of motivation
Lack of skill               | Lack of knowledge
Lack of skill               | Inadeq. mental capability
Inadeq. physical capability | Lack of motivation
Inadeq. physical capability | Lack of knowledge
Inadeq. physical capability | Inadeq. mental capability
Lack of motivation          | Lack of motivation
Lack of motivation          | Lack of knowledge
Lack of knowledge           | Inadeq. mental capability

Table 4: Transformation of pairwise comparison scales
Bipolar scale    | 7   | 5   | 3   | 1 | 3 | 5 | 7
Unipolar scale   | 1/7 | 1/5 | 1/3 | 1 | 3 | 5 | 7
Arithmetic scale | 1   | 2   | 3   | 4 | 5 | 6 | 7
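
The processing of coded answers described above (bipolar answer, unipolar ratio, comparison matrix, normalised ranking, and the arithmetic code of Table 4) is shown here as an added example, not code from the paper. The paper only speaks of "certain matrix and normalization operations"; the row geometric mean used below, the sample variance, and all answers are assumptions constructed for illustration.

```python
"""Pairwise-comparison answers -> reciprocal matrix -> relative weights.

Added illustration. The answers are constructed, not survey data, and the
row-geometric-mean normalisation is an assumed method.
"""
from fractions import Fraction
from math import prod
from statistics import mean, variance

BIPOLAR_VALUES = (1, 3, 5, 7)  # equal, slightly higher, higher, much higher

# Table 4: unipolar ratio -> arithmetic code 1..7
ARITHMETIC = {Fraction(1, 7): 1, Fraction(1, 5): 2, Fraction(1, 3): 3,
              Fraction(1): 4, Fraction(3): 5, Fraction(5): 6, Fraction(7): 7}


def to_unipolar(favoured, value):
    """Importance of the LEFT factor relative to the RIGHT factor.

    favoured is 'left' or 'right'; it is ignored when value == 1 (equal).
    """
    if value not in BIPOLAR_VALUES:
        raise ValueError(f"not a value of the bipolar scale: {value}")
    if value == 1:
        return Fraction(1)
    if favoured == "left":
        return Fraction(value)
    if favoured == "right":
        return Fraction(1, value)
    raise ValueError(f"favoured must be 'left' or 'right': {favoured}")


def comparison_matrix(factors, answers):
    """Reciprocal matrix a[i][j] = importance of factor i relative to j."""
    index = {name: i for i, name in enumerate(factors)}
    n = len(factors)
    matrix = [[None] * n for _ in range(n)]
    for i in range(n):
        matrix[i][i] = Fraction(1)
    for (left, right), (favoured, value) in answers.items():
        ratio = to_unipolar(favoured, value)
        i, j = index[left], index[right]
        matrix[i][j] = ratio
        matrix[j][i] = 1 / ratio      # if A is 3x B, then B is 1/3 of A
    if any(cell is None for row in matrix for cell in row):
        raise ValueError("every pair of factors needs exactly one answer")
    return matrix


def relative_weights(matrix):
    """Row geometric means, normalised to sum to 1 (assumed method)."""
    means = [prod(float(c) for c in row) ** (1.0 / len(row)) for row in matrix]
    total = sum(means)
    return [m / total for m in means]


def arithmetic_stats(answers_to_one_question):
    """Mean and sample variance of several respondents' answers to the same
    pair, computed on the equal-step arithmetic scale of Table 4."""
    codes = [ARITHMETIC[to_unipolar(f, v)] for f, v in answers_to_one_question]
    return mean(codes), variance(codes)


# Constructed answers of one respondent for the Table 1 pairs.
FACTORS = ("OOW absent, absorbed", "OOW inattention", "Too high work load")
ANSWERS = {
    (FACTORS[0], FACTORS[1]): ("right", 3),  # inattention slightly higher
    (FACTORS[0], FACTORS[2]): ("equal", 1),
    (FACTORS[1], FACTORS[2]): ("left", 3),   # inattention slightly higher
}

if __name__ == "__main__":
    weights = relative_weights(comparison_matrix(FACTORS, ANSWERS))
    for name, w in zip(FACTORS, weights):
        print(f"{name:22s} {w:.1%}")
    # Three constructed respondents answering the first pair.
    print(arithmetic_stats([("right", 3), ("left", 3), ("equal", 1)]))
```
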

In order to compute statistical parameters like mean and variance for the whole set of answers, a so called arithmetic scale also had to be introduced. As seen from Table 4 this ranged from 1 to 7 in equal steps.

The two last exercises in the questionnaire survey were to assess the effectiveness of preventive measures on the basic causes.

Exercise 4a: Assess the effect of each control area on each basic cause.

The importance is expressed with a scale ranging from "None effect" to "Complete effect" as illustrated by the example in Table 5. This scale corresponds to a reduction of the probability of the basic cause in the range of 0 % to 95 %. The questionnaire form in Table 5 was presented for each of the 6 control areas.

The final set of questions relates to the ultimate objective of the study, namely the effect of the ISM Code, and is formulated as follows:

Exercise 4b: Given that the potential effect of a given Control area is set to 100 %, how much will be attained by the implementation of the ISM Code?


Table 5: Questionnaire for Exercise 4a: Effect of Control area on Basic causes. Case: Technical control area.
Subjective effect | None | Moderate | Considerable | Strong | Complete
Reduction in %    | 0    | 20       | 50           | 80     | 95

BC Group                          | Basic Cause
Personnel factors                 | Lack of skill
Personnel factors                 | Inadequate physical & physiological capability
Personnel factors                 | Lack of motivation
Personnel factors                 | Lack of knowledge
Personnel factors                 | Inadequate mental or physiological state
Job factors                       | Inadequate tools and equipment
Job factors                       | Inadequate environmental conditions
Job factors                       | Physical stress
Job factors                       | LTA ergonomic conditions
Organisation & management factors | Lack of supervision
Organisation & management factors | Inadequate organisational values/climate
Organisation & management factors | Inadequate cultural and social factors
Organisation & management factors | Inadeq management and communication
Organisation & management factors | Inadequate manning and job content

Table 6: Questionnaire for Exercise 4b: Importance of ISM within Control area. Case: Technical control.
Control Area: Technical

Total of Technical Specific Measures:
- Improved Human-Machine interface
- Improved Reliability and Availability
- Improved performance of existing systems
- Instrumentation
- Monitoring
- Automation
- Improved work place conditions

Technical Specific Measures in the ISM Code:
General:
- Objective - Establish Safeguards against all identified risks
Maintenance of Ship Equipment:
- Maintenance according to relevant rules at a minimum
- Appropriate actions are taken
- Inspection held at appropriate intervals
- Reporting of non-conformities
- Records of these actions are maintained
- Critical equipment is identified and its reliability promoted

If the left group cover a 100 % of potential safety improvement due to Technical improvement, how would YOU quantify the potential of the measures listed in the ISM Code.
TECHNICAL Control Area: 100 %
ISM safety potential in Technical improvement: [ ] 0 %  [ ] 10 %  [ ] 20 %  [ ] 30 %  [ ] 40 %  [ ] 50 %  [ ] 60 %  [ ] 70 %  [ ] 80 %  [ ] 90 %  [ ] 100 %


The approach is illustrated in Table 6 which addresses the effect of ISM on the Technical control area. The left hand side of the screen presents the main technical means in keyword form, whereas the right hand side highlights the key technical topics mentioned in the ISM Code. The respondent is asked to rate the importance of ISM on a scale from 0 % to 100 %.

6. Results of study

The questionnaire study was performed on 3 groups of students:
- Maritime Master's students at NTNU.
- Maritime students at Ålesund Maritime College.
- Maritime students at Vestfold Maritime College.

The study was in principle undertaken as a Delphi study in the following manner:
1. Presentation of objective, questionnaire forms and supporting information.
2. Filling out of forms by respondents.
3. Processing of results.
4. Discussion of results in a plenary session with the students.
5. Revised filling out of the forms.
6. Processing of second set of results.

For practical reasons and from experience gained, the 3 studies were not performed in an identical manner. They differed somewhat with respect to ordering of questions, use of written and oral information, and individual (take home) and plenary sessions for filling out. The students also had differing backgrounds and study programs. The students at NTNU had already completed the College level. The knowledge and experience with the ISM Code were also slightly different for the groups.

Table 7: Variance in answers: s² for scores. Computations are based on arithmetic scales.
Characteristics             | Exercise 1 | 2    | 3    | 4a   | 4b
Variables                   | 38         | 26   | 27   | 84   | 6
[first student group; label illegible in the extraction]
Respondents                 | 8          | 8    | 8    | 9    | 9
First session - average s²  | 2.24       | 1.97 | 1.93 | 0.91 | 5.35
Second session - average s² | 1.06       | 1.18 | 1.45 | 0.50 | 3.30
Truncated - average s²      | 0.71       | 0.68 | 0.83 | 0.21 | 1.85
[second student group; label illegible in the extraction]
Respondents                 | 7          | 8    | 7    | 7    | 7
First session - average s²  | 1.16       | 1.22 | 1.37 | 1.07 | 9.25
Second session - average s² | 0.57       | 0.75 | 0.62 | 0.30 | 1.74
Truncated - average s²      | 0.34       | 0.47 | 0.41 | 0.17 | 0.97
[third student group; label illegible in the extraction]
Respondents                 | 42         | 42   | 43   | 43   | 42
First session - average s²  | 1.93       | 1.90 | 1.49 | 0.87 | 5.95
Second session - average s² | 1.62       | 1.68 | 1.32 | 0.73 | 4.56
Truncated - average s²      | 1.31       | 1.33 | 1.02 | 0.58 | 3.57


An analysis of the variation in responses within each exercise is summarized in Table 7. Firstly, it can be observed that there were major differences between the 3 groups with respect to the average variance. Exercise 4a, which addressed the potential effect of control areas on basic causes, showed least disagreement. The potential effect of ISM (4b) showed on the other hand considerable disagreement. The three first sets of answers relating to the frequency of causes also showed some variation, a little more than for exercise 4a but considerably less than for 4b. The obtained results for the frequencies of causal factors are summarized in Table 8. For readability the frequencies are expressed in a relative mode. It can be seen that the major Direct causal groups are "Incompetence of OOW" (46 %) and "Incapacitation of OOW" (25 %).

Table 8: Relative frequencies of Direct and Basic causes.
Groups of Basic Causes Personnel factors Job Factors Organisation and Management Factors Groups of Direct ^ ^ ^ ^ Basic Causes Ladeai Physical Motivati Knovrfeu Mental Toots & Environ Pnys. Ergano Supervis Values/ Curtural Commi [Storming Causes Equip ment ton Cmate /Sod ai ni cation] Stall capatx on State Stress mtcs 9 D'rect Causes "'^-^ Absent 12,6% 39.2% 39.6 % 212 % 17.4% 21.7% 23.7% 22.9% 27,0% 3 3 5 % 16.5% 1 8 2 % 14.1 % 20.0% 27,9% I 19,8% Inattention 55,6% 29,8% 7.4% Too high Work load LTA Bridge Equipment LTA Radar Equipment Chart not updated No Course Alarm No Depth Alarm LTA Trip Han 31.7 % 11,8% 16% 3 3 3 % 29.8% 335% 9,7% 6,6% M% 50.3 % 17,4% 21.7% 23,7% 22.9% 16,6% 27,0 % 33,5% 33.1 % 7.6% 1,9% 4.4% 5,5% 6.0% 7,6% 9.0% 112% 7,4% 23% 6,9% 25,5% 17,4% 21.7% 23,7% 22.9% 8,6% 9.4 % 9,0% 10,6% 27.0% 13,1 % 6,5% 3.9% 182% 3,0% 14,1 % 42% 41.1 % 20,0% 27.9% | 19,8%

Incap acitati OOW 25.0

5,9% 1 42%

33.4% 335% | 165% j 55% 7.5% 5,8%

82%

11.5%

8.1%

Inadequate Navig. Pertor. 23,6 % 29.8% | 7,4%

ias%
27%

182%

14.1 %

20.0 %

27,9% | 19.8%

IS*

LTA Lookout an plotting AIL Equip, not used No double checking

30,5% 1 4 5 % 15,0% 23.0% 40,9% 12.2 % 2 9 3 % | 7.4% 293% 17,0% 11.9% 3.0% 39.9% 17,4% 7,0% 46.6% 17.4% 8,1% 57,1 % 29.8% 7,4% 4,2% 17,4% 9.9% 54,1 % 9.4% I 11.7% 41.0% 7 , 1 % | 8,9% 38.1 % 6.6% | 8.3% 9.0% 6.9% 9,7% 72% 128% 5.4% 21.7% 124% 23.7% 133% 22.9% 4.9% 21.7% 10,1 % 23.7% 11.1 % 22.9% 6.4% 21.7% 8,7% 23,7% 9,5% 223% 52% 223% 27.0% 62% 33,5% | 16,5% 7.6% 3,8% 182% 6,8% 14,1 % 5.3% 37,3% 20,0% 7,5% 27.9% | 19.8% 10,4% 7.4% 3,7%

a8%

10.9%

11,9%

3.8%

4.5%

5,6%

6.0%

4,7 %

6.6%

9 2 % ! 6.6%

LTA External LTA Support Pilot Support LTA Support VTMS 3,0% LTA Markers & Buoys Few Visual Cues Techncal FaUure 1,0% Failure of Rudder / Hydr. Faure of Anchor

Failure of Control System 5 5 3 % 33,5% 29.8 % | 7,4 % 10,6% 13.9% | 3,5% 21,1% 4M%

28,1 % 27.0% 7,6% 335% 9.4% 165 % 4,7% 182% 4,6% 182% 3.9%

252% 14,1 % 20,0% 3,6% 14,1 % 3,0 % 5,0% 215% 20,0% 4,3% 222%

27.9% 7,0% 27.9% 6,0%

19.8% 5,0 % 19,8% 4,3%

Incompetent Inadequate Operation Control Too Ugh Speed 10,0% LTA Stip Handing External Extreme W,nd, Current Facas Shallow water eft. 9.0% Manoeuvring Course Unstable 1,0% Too large turning Radius Tug 1,0%

21,4% 27,0% 5.8% 335% 72% 16,5% 35%

33,4% 17.0% 75,4%

23.7% 6.4% I 7,9% | 3,9% 315% 8,5% | 10.6% | 5 2 % 30,0% 8 . 1 % | 10.1% I 5.0% 5.8 % 4.5 % 5.0% 3.9% 4.0% 3,1 %

24,6 % 16,1 % I 4.0 % 59.1% 4 0 3 % 1 2 2 % | 3.0%

4,4% I 6 2 % I 4,4% 27,5% 5 5 % I 7.7% | 5,4% 31.9% 6.4% t 8.9% j 6.3%

inadequate Tug Operation 74,4% Inadequate Tuq Power 25.6% 11.3% I 2.8%

Within "Incompetence of OOW" the following weights are put on the basic causes: "Personnel factors" are given higher weight (50 %) than "Organization & management" (33 %) and "Job factors" (17 %). For "Incapacitation of OOW" the picture is quite different in that "Personnel" and "Job" are set equal (39 %) and higher than "Org. & Man." (21 %). The dominating trait of this part of the study was the weight put on personnel or individual factors. This can be seen in at least two alternative perspectives: the present dominating view, which puts strong weight on inadequate working conditions, is overrated; or the survey conveys the traditional view of putting the liability on the individual. Table 9 gives a summary of the results from Exercise 4a, which assessed the effect of the 6 control areas on the basic causes. The table gives the percentage reduction of the probabilities for the basic causes for each control area.


Table 9: Effect of Control areas on Basic causes. Reduction of probability in percent.
Tech Pers Op SM TM LTA Skill 54 45 34 47 35 LTA Physical capability 30 20 19 14 20 e o 42 LTA Motivation 34 39 36 37 co o LTA Knowledge 34 59 45 49 39 , 32 21 21 LTA Mental capability 18 29 41 26 40 Inadeq. Tools / Equipment 39 26 25 26 26 25 Environmental conditions 35 -O 37 34 37 31 Physical Stress 29 22 24 22 21 Ergonomie conditions 33 33 38 41 LTA Supervision 25 46 1) 27 33 33 Org. climate 24 29 BO 34 22 33 33 33 Social Factors 41 03 34 39 45 35 Management/Com 35 31 33 28 Job Content 29
I

I 25 11 23 30 19 36 30 32 28 26 24 21 33 25

The results from the final exercise are summarized in Table 10. It can be seen that the ISM Code seems to contribute most to the "Personnel" and "Operations" areas by around 55 %. The lowest effect is found for "Infrastructure" whereas the other areas have an intermediate effect (45 % - 48 %). It can also for this exercise be questioned whether the small variation is correct. However, in this instance one may suspect that the objective of the exercise was too demanding:
- The ISM Code has just been introduced and is therefore difficult to assess.
- The Control areas are fairly broad and may therefore be difficult to relate to ISM.

Table 10: Contribution of ISM Code to Control area.
Main control area       | Contribution
1 Technical             | 44,6
2 Personnel             | 48,3
3 Operation             | 53,7
4 Safety Management     | 55,6
5 Top Level Management  | 48,1
6 Infrastructure        | 38,1

7. Findings

The results of the questionnaire study were outlined in the preceding chapter. It was described there how each modeling level affects the one above, as outlined in Figure 5:

ISM Code => Control area => Basic cause => Direct cause => Loss of navigational control

By entering these results into the integrated assessment model we are in the position to estimate the effect of the ISM Code on the top event in the fault tree, namely "Loss of navigational control".
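
The chain from the ISM Code down to the top event can be traced numerically, as in this added example (not code from the paper). It assumes independent direct causes at the OR-gate, multiplicative combination of several control areas acting on the same basic cause, and an effect that scales linearly with the degree of implementation; the paper states none of these, and every number and name below is constructed.

```python
"""ISM Code -> control area -> basic cause -> direct cause -> P(K).

Added illustration. Every number is constructed; none is a survey result.
"""
from math import prod

# Baseline probabilities of basic causes, P(BC_j) (constructed)
P_BC = {"lack_of_skill": 0.010, "inadequate_tools": 0.020}

# Weights w_ij of basic cause j with respect to direct cause i (constructed)
WEIGHTS = {
    "oow_inattention": {"lack_of_skill": 0.5, "inadequate_tools": 0.5},
    "lta_radar_equipment": {"lack_of_skill": 0.2, "inadequate_tools": 0.8},
}

# Exercise 4a: relative reduction of P(BC_j) at 100 % implementation of a
# control area (constructed)
AREA_EFFECT = {
    "personnel": {"lack_of_skill": 0.50},
    "technical": {"lack_of_skill": 0.20, "inadequate_tools": 0.25},
}

# Exercise 4b: share of each area's potential attained by the ISM Code
# (constructed)
ISM_SHARE = {"personnel": 0.5, "technical": 0.5}


def reduced_basic_causes(p_bc, area_effect, ism_share, degree):
    """P(BC_j) after implementing the ISM Code to `degree` (0..1).

    Assumption: each control area leaves a residual factor
    (1 - degree * share * effect) and the residuals multiply.
    """
    if not 0.0 <= degree <= 1.0:
        raise ValueError("degree of implementation must be within 0..1")
    reduced = {}
    for cause, p in p_bc.items():
        residual = prod(
            1.0 - degree * ism_share[area] * effects.get(cause, 0.0)
            for area, effects in area_effect.items()
        )
        reduced[cause] = p * residual
    return reduced


def direct_cause_probabilities(p_bc, weights):
    """P(DC_i) = sum_j P(BC_j) * w_ij."""
    return {
        dc: sum(p_bc[bc] * w for bc, w in row.items())
        for dc, row in weights.items()
    }


def loss_of_control(p_dc):
    """OR-gate over all direct causes, assuming they are independent."""
    return 1.0 - prod(1.0 - p for p in p_dc.values())


def top_event(degree):
    """P(K) for a given degree of ISM implementation."""
    p_bc = reduced_basic_causes(P_BC, AREA_EFFECT, ISM_SHARE, degree)
    return loss_of_control(direct_cause_probabilities(p_bc, WEIGHTS))


if __name__ == "__main__":
    for step in range(0, 11, 2):
        degree = step / 10
        print(f"implementation {degree:.0%}: P(K) = {top_event(degree):.5f}")
```
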


[Figure 6: chart not recoverable from the extraction. Surviving label: Personnel 19%.]

Figure 6. The relative effect of the measures within the ISM Code on "Loss of navigational control". The measures are allocated to the main Control areas.

In Figure 6 there is a breakdown of the relative effect of the different components in the ISM Code assuming full implementation. It appears that the strongest effect is obtained in the area of "Safety management". This perhaps reflects the fact that ISM in its very nature focuses on the management of safety related functions. Next follow "Operations" and "Personnel", both areas that can be seen as so called "soft" solutions. These control areas are in contrast with "Technical" measures, which traditionally have been given strongest emphasis in safety programs. It may be seen as a little surprising that "Top level management" was given relatively low weight. It has in the current debate been pointed out that top management has a key role if further progress shall be seen. On the other hand, it may more realistically underline that company policies and objectives have a certain limitation compared to the other control areas, which reflect the more demanding implementation aspect of safety management.

It may be interesting to study possible differences between what can be obtained by ISM and what can be obtained when not restricted to that Code. This is illustrated in Figure 7 by comparing the profiles of the two policies. It basically reinforces what we have stated already.

Finally, the implementation aspect shall be commented on. Figure 8 shows the reduction of the probability of the top event as a function of the degree of implementation of ISM. It is interesting to observe that the model indicates that the potential in terms of risk reduction is reached already at 54 % implementation.


[Figure 7: chart not recoverable from the extraction. Categories: Technical, Personnel, Operational, Safety Managm., Top Level Managm., Infrastructure. Series: "Maximum reduction by implementation of ISM-code" and "Potential reduction by implementation of all measures within Control Area".]

Figure 7. Reduction of the probability of "Loss of navigational control".

[Figure 8: plot not recoverable from the extraction. Horizontal axis: Grade of Implementation.]

Figure 8. Reduction of top event as function of degree of ISM implementation.


[Figure 9: plot not recoverable from the extraction. Vertical axis: Ship loss rate (/1000 ship-years). Horizontal axis: Degree of SMS implementation. Annotations as extracted: "LTI / SHIPLOSS = 4,8", "LT/SHIPLOSS = 11,".]

Figure 9. Ship loss rate versus implementation of a Safety management system.

This finding is supported by another study which was based on a different approach to the problem (Kristiansen & Olofsson, 1997). As a general conclusion it can be stated that ISM and other safety management approaches will be subject to decreasing results as the degree of implementation approaches 50 %.

8. Acknowledgement

The initial work on the estimation model was undertaken in a Master's Thesis by Kalve (1997). Further progress was made in the SAFECO project (Kristiansen & Olofsson, 1997; Olofsson & Kristiansen, 1998) as part of the EU's 4th Framework Programme and cosponsored by the Norwegian Shipowner's Association, Vesta Insurance & UNI Insurance. The present model was developed in a Master's Thesis study by Soma (1998).


Appendix
The following three tables give a more detailed definition of basic and direct causes and control areas.

Basic cause
Basic causes are structured in 3 groups and 14 factors.

Basic cause: Description, keywords

Lack of skill: Task knowledge, instruction, practice, routine, infrequent performance, seamanship, lack of familiarity with vessel and systems, inadequate psychomotoric ability.

Inadequate physical and physiological capability: LTA height, reach, range of body movement, senses: vision or hearing deficiency, respiratory incapacity, permanent sickness: allergies etc., sensitivity to extreme conditions, otherwise functionally retarded, disabled.

Lack of motivation: Lack of discipline, "cut corners", lack of personal integrity, prestige, hardheadedness, abuse, misuse, improper conduct, sabotage, macho-culture, "horse-play", practical skills.

Lack of knowledge: LTA language and communication ability, LTA computation, logic and reasoning, mental models and spatial orientation inadequate, limited experience, training for position in general is inadequate.

Inadequate mental or physiological state: Frustration, preoccupation with problems, negative attitude, LTA co-ordination, reaction time, inability to comprehend, poor judgement, "tunnel vision", reaction to mental overload, mental illness, fears, phobias.

Inadequate tools and equipment: Right tools and equipment unavailable. LTA assessment of needs and risks, inadequate tool or aid, inadequate standards or specifications, use of wrong equipment.

Inadequate environm. conditions: Too high traffic density, hindrances in the seaway, restricted fairway.

Physical stress: Noise, vibration, sea motion, acceleration, climate, temperature, toxic substances, other health hazards, sea sickness, lack of oxygen, other extreme environmental loads.

LTA ergonomic conditions: Anthropometric factors, dimensions, lack of information, inadequately presented information, display design, controls, inadequate illumination, workplace messed up, disorder.

Lack of supervision: Lack of instructions, supervision, coaching and feedback, unclear orders, conflict orders, too many "bosses", expectations of supervisor is unclear or not presented, cross-pressure from schedule and economy, inappropriate peer pressure, inappropriate supervisory example, initiated unusual task without proper planning and preparation, lack of initiative to deal with unplanned situations or emergencies, supervisors not in touch with daily operations.

Inadequate organizational values / climate: Unable to communicate safety policy and ethical values, do not set standards by own example, lack of concern and vigor for quality improvement, incentive, LTA reward system, failure to value results, lack of recognition, personal liability, do not invite incident reporting and improvement suggestion, lack of company loyalty and commitment, do not accept company values, high turn over and absenteeism, lack of continuity, opportunity for learning, personal growth and advancement.

Inadequate cultural and social factors: Language problems, social and cultural conflicts, person-to-person conflicts and animosity, tendency to "cut corners", LTA safety awareness, "cowboy" attitudes, horseplay, resistance to change, inability to learn.

Inadequate management style and communication: Too wide span, lack of delegation, authoritarian, hierarchic, command management, unclear rules and responsibility, unresponsive to feedback information and signals from employees, lack of communication and co-ordination across functions/departments.

Inadequate Manning and Inadequate manning, too high workload, idleness, waiting.
Job is Job content unattractive, lack of Job satisfaction and variation, monotony, lack of responsibility for own Job or responsibility not stated clearly.


Direct causes
The direct causes are related to navigation and shiphandling and consist of 9 groups and 29 factors. See following table.

Direct cause: Description, keywords

Absent, absorbed: Frequency per hour where an officer on watch is not present at the bridge when he should be there, or where an officer on watch is absorbed and does not detect that a hazardous situation is coming up, and this causes Loss of Navigational Control.

Inattention: Frequency per hour where an officer for some reason is inattentive and therefore does not detect that a hazardous situation is coming up, and this results in Loss of Navigational Control.

Too High Work Load: Frequency per hour where an officer has too high work load and due to that doesn't carry out his tasks satisfactorily, and this causes Loss of Navigational Control.

LTA Bridge Equipment: Frequency per hour where the conditions concerning design of the equipment on the bridge are less than adequate, e.g. unfortunate design of bridge, lacking or wrong location of equipment, equipment not placed where it is natural to use it, poor and worn out equipment etc., and this results in Loss of Navigational Control.

LTA Radar Equipment: Frequency per hour where the radar equipment doesn't work satisfactorily, and this causes Loss of Navigational Control.

Chart not updated: Frequency per hour where there are faults with charts or publications, or the charts or other documents for the voyage are not amended, and this causes Loss of Navigational Control.

No Course Alarm: Frequency per hour where there is no course alarm which indicates when the ship is out of course, and this results in Loss of Navigational Control.

No Depth Alarm: Frequency per hour where there is no depth alarm which indicates when the depth and draught ratio is critical, and this causes Loss of Navigational Control.

LTA Trip Plan: Frequency per hour where the trip plan is not adequate, e.g. tasks as maneuvering, night voyage etc. are not well enough planned, and this causes Loss of Navigational Control.

Inadeq navigation performance: Frequency per hour where the navigation performance is inadequate, e.g. try to go through with the operation even though the conditions are not favorable, and this causes Loss of Navigational Control.

No Double Checking: Frequency per hour where no double checking takes place and this results in Loss of Navigational Control.

LTA Lookout and Plotting: Frequency per hour where inadequate lookout and plotting, e.g. misjudgment of own vessel's movements or not adequate observation of own position, results in Loss of Navigational Control.

Alternative equipment not used: Frequency per hour where alternative available equipment, as for instance available navigation aids or alternative navigation systems, are not used and this causes Loss of Navigational Control.

LTA Support Pilot: Frequency per hour where the support of a pilot is inadequate and this causes Loss of Navigational Control.

LTA Support VTMS: Frequency per hour where the support of VTMS is less than adequate and this results in Loss of Navigational Control.

LTA Markers & Buoys: Frequency per hour where markers and buoys are less than adequate, causing Loss of Navigational Control.

Few Visual Cues: Frequency per hour where few visual cues cause Loss of Navigational Control.

Failure of Control System: Frequency per hour where there is a failure of the control system, e.g. a technical fault with the steering systems or a technical fault with the control/ remote control/ automatic controls/ warning equipment, or wrong design of control, steering system etc., and this causes Loss of Navigational Control.

Failure of Rudder, Hydraulic system: Frequency per hour where a technical rudder or hydraulic failure causes Loss of Navigational Control.

Failure of Anchor: Frequency per hour where a technical fault with the anchor and/or its equipment results in Loss of Navigational Control.

LTA External Support


Direct cause: Description, keywords

Too High Speed: Frequency per hour where too high speed, e.g. caused by insufficient formal or competence, or other conditions concerning routines, procedures, communication and organization, causes Loss of Navigational Control.

Inadequate operation of Control System: Frequency per hour where inadequate operation of the control system, e.g. caused by insufficient formal or competence, or other conditions concerning routines, procedures, communication and organization, results in Loss of Navigational Control.

LTA Ship Handling: Frequency per hour where less than adequate ship handling, e.g. caused by insufficient formal or competence, or other conditions concerning routines, procedures, communication and organization, causes Loss of Navigational Control.

External Factors

Extreme Wind, Current etc.: Frequency per hour where current in the sea, wind etc. lead to strong drift or other maneuver difficulties which result in Loss of Navigational Control.

Channel / shallow: Frequency per hour where channel or shallow water effect causes Loss of Navigational Control.

Course unstable: Frequency per hour where the course is unstable due to the ship's maneuvering characteristics and this results in Loss of Navigational Control.

Too large turning Radius: Frequency per hour where the ship's turning radius causes Loss of Navigational Control.

Inadequate Tug Operation: Frequency per hour where an inadequate tug operation, e.g. failure of procedure or co-operation between vessel and towboat, poor organization from the shore or suchlike, will result in Loss of Navigational Control.

LTA Tug Power: Frequency per hour where the tug has less than adequate power and this causes Loss of Navigational Control.

Main control areas

Main Control Areas: Technical; Personnel; Operational; Safety Management; Top Level Management; Infrastructure.

Description of specific measures: Improved reliability and availability improved performance of existing systems New function of aids Instrumentation Monitoring Automation Improved human-machine interface Improved work-place conditions Selection and check of competence Education and training Leadership and supervision Motivation: Modification of attitudes Development of social climate Inspection methods Maintenance procedures and methods Operation procedures / systems Documentation Manning and watch systems Management: Organisation, routines Risk analysis: Safety case Inspection and auditing Experience feedback, learning Health, environment, safety work Develop safety policy Budgeting, rescue allocation Leadership philosophy Weather forecasting, routing service Development of tug and salvage service Strengthen Port State control Upgrade VTMS facilities and service


References

IMO, (1994). International Safety Management Code for the Safe Operation of Ships and for Pollution Prevention (ISM Code). International Maritime Organization, London.

IMO, (1995). Guidelines on Implementation of the International Safety Management (ISM) Code by Administrations. Resolution A.788(19). 8 December 1995. International Maritime Organization, London.

Kristiansen, S., (1983). Platform Collision Risk on the Norwegian Continental Shelf. IABSE Colloquium "Ship Collision with Bridges and Offshore Structures". Copenhagen.

Kristiansen, S., (1995). An approach to systematic learning from accidents. IMAS '95: Management and Operation of Ships. London, 24 - 25 May. The Institute of Marine Engineers, London.

Kristiansen, S. & M. Olofsson, (1997). Criteria for management. SAFECO Work package II.5.1. Marintek Report MT23-F97-0175/233509.00.02. Trondheim.

Lancaster, J., (1996). Engineering Catastrophes - Causes and effects of major accidents. Abington Publishing. Cambridge, UK.

Olofsson, M. & S. Kristiansen, (1998). An assessment of the effects of management control. SAFECO Work package .5.2. DNV Report 98 - 0158. Det Norske Veritas, Høvik.

Soma, T., (1998). Effectiveness of Maritime Safety Measures. Master's Thesis. Division of Marine systems design. Norwegian University of Science and Technology. Trondheim.


Modelling of the communication process on ships


Svein Inge Masdal, Helle Moen Research Engineers Section of Technical Operations/Division of Machinery and Operation Technology Norwegian Marine Technology Research Institute AS, MARINTEK P.O. Box 4125 Valentinlyst 7002 Trondheim, Norway

Abstract

As an activity within the EU project SAFECO II (Safety of Shipping in Coastal Waters) [1] MARINTEK has been responsible for the development of models of the communication process on board ships. Focus is put on external communication (e.g. ship-to-ship and ship-to-VTS), and the main objective is to identify communication related problem areas where improvement measures may have a visible effect. The models are developed as fault trees, and a method for estimation of effect of improvement measures with respect to communication is described. The fault trees are based on work process diagrams of typical bridge communication processes. Data acquisition has been an important part of the activity, as the probability of occurrence of the basic causes in the fault tree was to be estimated.

Keywords: Operation Technology, Safety, Fault tree models, Communication, Data acquisition.

1. Objectives

The overall objective for the SAFECO II project is to devise improved technologies and organisation for internal/external communication and to demonstrate the application of risk analysis methods to assess economical benefits and safety improvements of the devised solutions for total quality operations. The objective of MARINTEK's part of the project, WPIII.2, has been to develop models of the communication function, which will be integrated in the existing MARCS model. In addition, methods for assessment of the cost-effectiveness of communication related measures have been addressed. Such measures include operational training, language training and improvement of the communication systems, including the man-machine interface aspects. A further objective has been to try to use accident reporting data as input data to the fault trees.


2. Work process

The work process used to establish the fault tree models of the communication process on the bridge consists of four steps:

1. Identify typical scenarios where the communication process is vital for ship safety: Passage in restricted waters (heavy traffic, communication equipment of high importance). Approaching port (pilot involved in the communication process).
2. Create work process diagrams for the identified scenarios: Identification of the "ideal" process and possible problem areas.
3. Create fault trees for the accident scenarios collision and powered grounding: As the fault trees may be used as a basis for future data collection, two sets of fault trees were created.
4. Collect input data for the basic events in the fault trees: Acquisition of accident details from available sources.

3. Work process diagrams

To help understand and visualise the internal and external communication process on the bridge, MARINTEK performed interviews with both a pilot and a mate. Based on these interviews, Work Process Models of the communication process on the bridge were constructed. The methodology used is derived from IDEF-0 [2], but is less stringent. The "box and arrow" graphics of a Work Process Model diagram show the function as a box and the interfaces to or from the function as arrows entering or leaving the box. To express functions, boxes operate simultaneously with other boxes, with the interface arrows "constraining" when and how operations are triggered and controlled.

In this project we constructed Work Process Model diagrams for two scenarios: Passage in restricted waters. Approaching port. These scenarios were chosen as they both represent situations where the communication process is vital to the ship's safety. Overviews of the work process diagrams can be found in Figure 2. Work process diagram for Approaching Port and Figure 4. Work Process Diagram for Passage in Restricted Waters at the end of the paper.

4. Fault tree models

Fault tree models have been created for two typical accident scenarios: Powered grounding. Collision.


The dilemma of modelling is always the same: Shall the models be accurate representations of the actual process, showing the interaction of events in an approximately correct manner, or is it better to reduce the demand for accuracy and choose a model for which it is possible to find quantitative estimates for the basic events? This problem was solved by creating two sets of fault trees for each accident scenario:

One set (advanced approach) where the main focus was to mirror the communication process on board, which can be used when (and if) the accident data reporting becomes more specific.

One set (simplified approach) where the main focus was to describe failure causes that could be identified in our data sources, and thus makes it possible to evaluate effects of risk reducing measures.

The two approaches are discussed in separate chapters below. In this paper, only one accident scenario is described for each approach.

4.1 Advanced fault tree, powered grounding

4.1.1 Assumptions

1. The fault tree probability is derived under the assumption that a critical situation is present. The critical situation is calculated by MARCS based on the traffic data. A critical situation is defined as "the ship will go aground within 20 minutes if course change does not take place".
2. Propulsion and steering failure is not included. Such failures resulting in grounding are defined as "drift grounding", and not powered grounding.
3. The fault tree is based on four main categories of errors: (i) the navigational data for planning are erroneous, (ii) correct data, but erroneous planning with track that will result in a powered grounding, (iii) the actual track deviates from the planned safe track and (iv) the bridge crew is incapacitated from data analysis, plan making and executing of plans. In real life, these phases will merge together more or less, with data collection, judgement, planning and re-planning and execution going on more or less continuously. However, for modelling purposes, we need simplifications.
4. Procedural errors (lack of, not used) are related to the internal vigilance of track planning and track deviation from planned track that should take place to secure that the planned track is safe and that the actual track follows a safe planned track. This is a simplification because other procedures than quality assurance are present as well.
5. The execution of navigational tasks is by simplification considered to be a technical issue, while the planning stage is considered to be the brain-work where competence and consciousness are required.

The top fault tree for Powered Grounding is shown in Figure 5. Advanced fault tree for "Powered Grounding". All the basic causes identified are explained in Table 4: Basic events description and derived probabilities (Powered Grounding, adv.).


The basic causes identified in the fault tree were then linked to the communication process as shown in Figure 1. Basic causes for "Powered Grounding" linked to the communication process.
Input from sensors and systems. Error: 6, 7, 8, 9, 10
Compilation of navigational data. Error: 4, 5
Quality assurance of data: internal and external vigilance. Error: 3
Communication of data. Error: 19
Quality assurance to secure that crew is not absent or absentminded: internal and external vigilance. Error: 1, 2
Acting crew. Error: 11, 12, 13, 14, 15
Planning for navigational task. Error: 20, 21, 22
Quality assurance of plan: internal and external vigilance. Error: 16, 17, 18, 31, 32, 33, 34, 35
Communication of plan. Error: 41
Execution of planned navigational task. Error: 23, 24, 25, 26, 27, 28, 29, 30, 36, 37, 42, 43, 44
Quality assurance of executed plan: internal and external vigilance. Error: 38, 39, 40, 45, 46, 47, 48, 49

Figure 1. Basic causes for "Powered Grounding" linked to the communication process.

4.1.2 Probabilities of basic events

Input data for the advanced fault tree was not easy to find, but by using the results from the DAMA database, the probabilities of basic event occurrence were derived as shown in Table 4: Basic events description and derived probabilities (Powered Grounding, adv.).

4.1.3 Calculations in CARA

To investigate the basic events that give the highest contribution to the top event, component importance calculations were performed by means of the program CARA [5]. By ranking the basic events using the Criticality Importance Measure [4], the following basic events are the major contributions to the top event powered grounding (Table 1: Main contributors to Powered Grounding):


Table 1: Main contributors to Powered Grounding.

Basic event number | Basic Event Text | Criticality Importance Measure
2 | External vigilance error with respect to incapacitation | 52,3 %
12 | Officer on watch asleep | 25,8 %
25 | Less than adequate competence in judgement and decision making | 17,1 %
42 | Error in setting planned course | 16,5 %
30 | Ship control lost due to wind, currents and ship manoeuvring capabilities | 15,8 %

4.2 Simplified fault trees

To enable the use of other data sources it was decided to make fault trees with a lower degree of complexity, as it was difficult to derive probabilities for the basic events in the advanced fault trees. The simplified fault trees consist of only or-gates, which certainly is a simplification, but it should still be possible to identify the most frequent basic events, and make estimates of the effectiveness of the various risk reducing measures.

4.3 Simple FT for collision

The fault tree has two main branches: "Does not discover other ship or other ships movement" and "Discover other ship, but cannot avoid collision". This means that either the other ship is not discovered, or that the avoiding manoeuvre fails. The fault trees can be seen in Figure 6. Simplified fault tree for Collision.

4.3.1 Interface to tentative risk control options

In other work packages in the SAFECO II project, various possible risk control options have been studied [1]. These may have effect on the error probability for the basic causes as shown in Table 2: Risk control options, "Grounding", simplified fault tree below.

Table 2: Risk control options, "Grounding", simplified fault tree.

Risk control option | Basic cause reference
CAAS, ECDIS, Transponder (KH; tested together with MSR and KNCS) | 1, 2, 4, 5, 6, 16
Verbal Communication (SIRC) | 11, 14

4.3.2 Historical accident cause data

Data is derived from two different data sources: DAMA [3] and MAIB [6]. The final data set is shown in Figure 2.


Figure 2. Historical accident cause data, "Collision"

5. Method for evaluation of risk reducing measures

To evaluate the effect of the various possible risk reducing measures, an interesting approach may be to use the experience of sailors and other professionals within the area. The method is based on interviews with a range of experienced personnel, where they are asked to estimate the reduction in basic event probability if the various risk reducing measures are introduced. An average is then found, and an estimate of the risk reducing effect of certain measures on the probability of the top event in the fault trees can then be established. To systemise and structure the information from these sources the questionnaires in Table 3: Questionnaire for risk reducing measures effect for "Collision" may be used.

6. Data acquisition

6.1 Data sources and collection methods

As several risk analysts have experienced, the acquisition of good statistical accident data is not always easy. In this project, MARINTEK decided to look into three different sources: DAMA, MAIB and insurance companies' files. The results and experiences from the data collection are summarized below.


Table 3: Questionnaire for risk reducing measures effect for "Collision".

Assumed reduction in probability Ship to shore Language CAAS Initial event communication training by means of transponder X X 1 Too high speed X X 2 Incorrect use of radar X X X 3 Technical failure X X 4 LTA Lookout X X 5 Inadequate performance of OOW X X 6 LTA use of fog horn/flags/lights X X X 7 Wrong use of equipment X X X 8 Communication means out of order X X X 9 Other ship not listening X X X 10 Contacted wrong ship X X 11 Misunderstanding due to language problems X X X 12 Bad connection/noise X X X 13 Misunderstanding due to lack of training X X 14 Internal language problems X X X 15 Procedural problems (responsibility confusion) X 16 Incorrect decisions/actions due to X stress/fatigue/undermanning/training 17 Man-Machine Interface X X X

The risk reduction may be calculated as follows:

Risk Reduction = Basic events probability * Average value of Assumed Reduction of Probability
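The ranking of Section 4.1.3 and the questionnaire method of Section 5 can be carried through on an or-gate-only tree as in Section 4.2; the following is an added example, not code from the paper or from CARA. The probabilities and interview answers are constructed, the answers are assumed to be fractions between 0 and 1, basic events are assumed independent, and the criticality importance formula is the standard textbook definition, assumed to match the measure cited as [4].

```python
"""Added example: or-gate fault tree, criticality ranking, questionnaire-based reduction."""
from math import prod

# Constructed basic-event probabilities (NOT data from the paper). The event
# names come from Table 3; the numbers are placeholders for illustration.
BASIC_EVENTS = {
    "Too high speed": 0.10,
    "LTA Lookout": 0.20,
    "Misunderstanding due to language problems": 0.05,
}

# Constructed interview answers for one measure (language training). Each value
# is one interviewee's assumed fractional reduction of the event probability.
LANGUAGE_TRAINING = {
    "Misunderstanding due to language problems": [0.4, 0.6, 0.5],
}


def top_event_probability(events):
    """Top event of a tree with only or-gates and independent basic events."""
    for name, p in events.items():
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range for {name!r}: {p}")
    return 1.0 - prod(1.0 - p for p in events.values())


def criticality_importance(events):
    """Criticality importance I_CR(i) = I_B(i) * p_i / Q_top.

    I_B(i) is the Birnbaum measure dQ_top/dp_i; for an or-only tree it is the
    product of (1 - p_j) over all other basic events j.
    """
    q_top = top_event_probability(events)
    if q_top == 0.0:
        return {name: 0.0 for name in events}
    result = {}
    for name, p in events.items():
        birnbaum = prod(1.0 - pj for other, pj in events.items() if other != name)
        result[name] = birnbaum * p / q_top
    return result


def apply_measure(events, answers):
    """Apply the page's formula to each basic event the measure addresses:
    risk reduction = basic event probability * average assumed reduction."""
    reduced = dict(events)
    reductions = {}
    for name, values in answers.items():
        if name not in events:
            raise KeyError(f"unknown basic event: {name!r}")
        if not values or any(not 0.0 <= v <= 1.0 for v in values):
            raise ValueError(f"answers for {name!r} must be fractions in [0, 1]")
        average = sum(values) / len(values)
        reductions[name] = events[name] * average
        reduced[name] = events[name] - reductions[name]
    return reduced, reductions


def evaluate(events, answers):
    """Top-event probability before and after the measure, plus the ranking
    of basic events by criticality importance (highest first)."""
    reduced, reductions = apply_measure(events, answers)
    ranking = sorted(criticality_importance(events).items(),
                     key=lambda item: item[1], reverse=True)
    return {
        "before": top_event_probability(events),
        "after": top_event_probability(reduced),
        "reductions": reductions,
        "ranking": ranking,
    }


if __name__ == "__main__":
    report = evaluate(BASIC_EVENTS, LANGUAGE_TRAINING)
    print(f"top event before: {report['before']:.4f}")
    print(f"top event after:  {report['after']:.4f}")
    for name, value in report["ranking"]:
        print(f"{value:6.1%}  {name}")
```

In this constructed case the measure halves a basic event that ranks last in criticality, so the top event moves far less than the basic event itself.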

6.1.1 DAMA (Databank for the Safety of Maritime Operations)

DAMA is developed and maintained by the Norwegian Directorate of Shipping and Navigation (Sjøfartsdirektoratet), the Norwegian Coast Administration (Kystverket) and Det Norske Veritas. DAMA contains details of all reported incidents involving Norwegian merchant ships, independent of where in the world the incident occurred. Foreign merchant ships that have been involved in incidents in Norwegian waters are also included (as from 1991). Both serious incidents and incidents where the ship was not damaged are included as long as they meet the requirements of being incidents which have to be reported to Norwegian Authorities. The DAMA data are categorized into 21 various accident types, and the accident causes are divided into 7 main categories, which are then each divided into a number of sub categories. Direct and basic causes are not reported separately.

6.1.2 MAIB (Marine Accident Investigation Branch)

The Marine Accident Investigation Branch (MAIB) was set up in July 1989 under Section 33 of The Merchant Shipping Act 1988 and operates under the Merchant Shipping (Accident Reporting and Investigation) Regulations 1994 as an independent arm of the Department of the Environment, Transport and the Regions. The Chief Inspector of MAIB reports directly to the Secretary of State for the Environment, Transport and the Regions and has the power to investigate accidents involving or occurring on board any UK registered ship worldwide or any other ship within UK territorial waters. Reports on accidents are published and these include recommendations and lessons to be learned. In addition, short articles describing accident investigations are gathered and published throughout each year in the Safety Digest.

To identify the causes of an accident in the database, the description fields in the database had to be read. The description fields were entered as free text, and the text was formed as a short description of the accident. The causes were not always easily identified based on the sparse information in this field. The description fields needed to be analyzed and coded manually to fit into the fault tree model developed.

6.1.3 Insurance companies files

As two major Norwegian insurance companies were involved in the project, MARINTEK was supplied with some data from their files on accidents to see if the information gathered there could be used as input to the models. However, it turned out that all information about the accident details was on a free text paper format. Thus, it was rather inconvenient to go through the files to search for relevant information, and a considerable effort was needed to transform the raw data into a statistical database. Also, the accident causes found in the insurance companies' files were in most cases concentrated on the "other ships' failure" and technical categories, whereas procedural and human error failure types were prevailing in the other databases. This result is not all that surprising, as the objective of the data reporter is to receive an insurance payment, not to identify the basic causes or event chains.

In the future, when the reporting standards in SAFER, and similar reporting systems are more commonly used, the reports will be available on an electronic format. This will render the information more available and the process of extracting the accident causes will be less time consuming. In addition, if the reporting systems introduce more standard codes and keywords for accident reporting, the files may be an interesting and useful data source for accident investigation.

6.2 Proposed format for reporting of accident data in the future

6.2.1 Why report accident data?

The first question one needs to ask before introducing rigorous and time consuming models for the reporting of accident data is: what will these reports be used for? Of course, the answer to this question will vary, but the main objective of data acquisition usually is that there is a lesson to be learned from occurring accidents, and that similar accidents may be avoided in the future by removing the accident causes. To identify the real causes for accidents, good reporting that is sufficiently detailed and on a sensible format is of crucial importance.


The main information topics should then be:

1. Direct information about the accident (who, when, where and other "technical" information).
2. Causes for and contributions to the accident events.
3. Consequences of the accident(s).

6.2.2 Reporting of causes and contributions to accidents

Objective: Get sufficient information to identify the chain of events that led to the accident, thus making it possible to avoid similar accidents.

Suggested report information:

Accident description (Type of accident, location, involved parties etc.).
Direct accident causes (Dangerous actions/situations/conditions etc).
Basic accident causes (Personal, job and organisational factors).
Additional free text description.

To ensure consistency in reported data, standard codes and keywords should be used as far as possible when reporting direct and basic accident causes. The list of standard choices should not be too extensive, as this is liable to confuse the user. Instead, additional comments may be added as free text for all information fields.

As it was beyond the scope of the project to standardize accident reporting formats, we did not go further into details. However, the need for standards is definite. For further work, contact should be made with standardisation bodies and those responsible for systems like SAFIR and Synergi to work out reporting formats and standard code lists that may fulfill most (if not all) needs for accident data.


Figure 3. Work process diagram for Approaching Port. [Diagram not reproduced. Activities shown, in order: A1 Planning of call; A2 Inform pilot communication center; A3 Receive confirmation from pilot org.; A4 Embarking of pilot; A5 Navigation with assistance from pilot; A6 Maneuvering with tug as standby vessel; A7 Come alongside the quay.]

Figure 4. Work Process Diagram for Passage in Restricted Waters. [Diagram not reproduced. Activities shown: Communication with other ships; Tracking of other/own ships' position; Agreement on course; Manoeuvring of own ship.]


Figure 5. Advanced fault tree for "Powered Grounding". [Diagram not reproduced. Top event: "Powered grounding, given a critical situation". Intermediate events shown include "Less than adequate crew performance", "Absent or absent-minded bridge-crew", "Incapacitation", "Error in navigational data or significant lack of data", "Error in track planning resulting in an unsafe desired track", "Course deviates from desired safe track" and "Information error or wrong use of data systems". The numbered basic events are described in Table 4.]

Table 4: Basic events description and derived probabilities (Powered Grounding, adv.).

| Ref | Wording | Description | Prob. |
|---|---|---|---|
| 1 | Internal vigilance error with respect to incapacitation | The internal vigilance fails if the situation is not identified and communicated so that a present and acting crew is re-instated on the bridge. | 50,0% |
| 2 | External vigilance error with respect to incapacitation | The external vigilance fails if the situation is not identified and communicated so that a present and acting crew is re-instated on the bridge. | 100,0% |
| 3 | Error in quality assurance of navigational data | A proper quality assurance will by applying all available navigational means identify sensor and system errors as well as perception and interpretation faults. | 3,1% |


Table 4: Continued.

| Ref | Wording | Description | Prob. |
|---|---|---|---|
| 4 | Available navigational means not used | The officer of the watch may trust his perception of the situation and assume that the situation is according to previous plans without updating data basis. | 0,8% |
| 5 | Error in perception or interpretation of navigational data | Available navigational data may be correct, but the perception and interpretation of the data may be wrong. This may be related to other ship movements and shoreline location from radar images, etc. | 3,1% |
| 6 | Error in charts and publications | This error includes lack of update of charts and publication. | 4,0% |
| 7 | Systematic radar failure | A radar image is shown, but it does not reflect the actual situation due to systematic failure. | 0,7% |
| 8 | Incorrect use of radar | The radar is actually used wrong. This error does not relate to the perception and interpretation of the radar image. | 0,7% |
| 9 | Fault in external navigational systems | This fault is mainly related to buoys and lighthouses, which may be wrongly located, missing, or give wrong signals. | 2,3% |
| 10 | Position measurement error | The actual ship position may be erroneous due to sensor error, or miscalculated. | 0,3% |
| 11 | Officer on watch absorbed | The officer on watch may be absorbed with other tasks and is not paying attention to navigational data, re-planning, and the execution of navigational tasks. | 1,5% |
| 12 | Officer on watch asleep | The officer on the watch may have fallen asleep. This does not include micro-sleep, which is related to stress/fatigue and reduces the ability to plan navigational tasks. | 4,0% |
| 13 | Officer on watch intoxicated (drugs/alcohol) | The ability of the officer on watch is reduced by e.g. alcohol and drugs to an extent that analysis of data, planning and execution is significantly below standards. | 0,7% |
| 14 | Officer on watch injured, ill | The officer on the watch is unable to execute tasks because he has become injured or ill while on duty. | 0,3% |
| 15 | Officer on watch absent | The officer on watch is performing other tasks while on duty and is therefore not present. | 1,5% |
| 16 | Guidance error by external vigilance | The planned unsafe track is identified, but the proposed changes are erroneous. | 1,0% |
| 17 | Communication error between ship and external vigilance | The planned unsafe track is identified, a safe change of situation is proposed and communicated by external vigilance, but results in wrong response. | 1,0% |
| 18 | Unsafe track not identified and/or communicated by external vigilance | The planned unsafe track is not identified by external vigilance and/or no attempt is made to communicate the identified situation. | 1,0% |
| 19 | Communication lapse of navigational data | Communicated data required for planning is misinterpreted to result in an unsafe desired track. | 0,0% |
| 20 | Navigational data not used properly | The navigational data is correct and understood. However, it is not used properly to form a proper decision basis, e.g. position plotting. | 17,8% |
| 21 | Less than adequate competence - risk willingness | The decision basis is correct, the officer is alert, but the evaluation and judgement results in a desired unsafe track. | 6,2% |
| 22 | Stress/fatigue - less than adequate mental condition | The mental condition of the officer results in too little attention to the situation and the required judgement, which results in an unsafe desired track. | 0,3% |


Table 4: Continued.

| Ref | Wording | Description | Prob. |
|---|---|---|---|
| 23 | Grounding unavoidable as a result of course change | Other ship movements force own ship to change course to avoid collision, but powered grounding is unavoidable as a result. | 1,8% |
| 24 | Loss of ship control as a result of rapid course change | Other ship movements force own ship to change course to avoid collision and navigational control is lost due to rapid course changes, lack of plan and less than adequate experience with ship manoeuvrability capabilities. | 1,8% |
| 25 | Less than adequate competence in judgement and decision making | The actual track is identified to deviate from planned. However, the decided correction is erroneous. | 7,1% |
| 26 | Misinterpretation of commands given | The actual track is identified to deviate from planned and the decided correction is safe. However, the commands given are misinterpreted to result in erroneous action. | 0,2% |
| 27 | Confusion of responsibility and commands given | The actual track is identified to deviate from planned. However, no action or uncoordinated action results from confusion and unclear responsibilities. | 0,2% |
| 28 | Less than adequate bridge design (location of and lack of equipment) | The actual track is identified to deviate from planned. The untimely action may result in less than adequate performance due to bridge design and lack of equipment and instrumentation at hand while executing, re-planning and compiling information. | 0,2% |
| 29 | Stress/fatigue - not enough crew | The actual track is identified to deviate from planned. The untimely action may be due to lack of personnel for the required task or it may be due to stress and fatigue of bridge crew that results in less than adequate performance. | 1,7% |
| 30 | Ship control lost due to wind, currents and ship manoeuvre capabilities | The actual track is identified to deviate from planned. However, attempts made to correct the ship course fail due to severe external conditions (wind and currents) in combination with ship manoeuvre capabilities. | 6,6% |
| 31 | Lack of procedures or monitoring and warning systems | The planned unsafe track was not identified. This may be due to lack of quality assurance procedures and monitoring/warning systems for track planning. | 0,7% |
| 32 | Procedures not followed or monitoring systems not used | The planned unsafe track was not identified. Procedures and systems for quality assurance of planned tracks may be in place, but are not used or followed. | 1,9% |
| 33 | Warning (by crew or systems) disregarded | The unsafe planned track is identified and a warning is given, but disregarded by officer in command. | 0,2% |
| 34 | Warning (by crew or systems) misunderstood | The unsafe planned track is identified and a warning is given, but misunderstood by officer in command. | 0,1% |
| 35 | Warning (by crew or systems) not given | The unsafe planned track is identified but warning is not given. This could be technical fault or human error. | 0,3% |
| 36 | Operational fault on other ship | A rapid and unplanned course change has to be made due to course changes on other ship(s) in area, which is against the rules. | 0,7% |
| 37 | Misjudgement of other ship movements | A rapid and unplanned course change has to be made due to course changes on other ship(s) in area which is according to rules but unforeseen. | 0,1% |


Table 4: Continued.

| Ref | Wording | Description | Prob. |
|---|---|---|---|
| 38 | Guidance error by external vigilance | The deviation from planned track is identified by external vigilance. However, the guidance given and fully understood results in an unsafe track. | 1,0% |
| 39 | Communication error between ship and external vigilance | The deviation from planned track is identified and communicated by external vigilance, but the guidance given is not understood or misinterpreted. | 1,0% |
| 40 | Track deviation not identified and/or communicated by external vigilance | The deviation from planned track was not identified or communicated by external vigilance. | 1,0% |
| 41 | Communication lapse of decided track | The safe decided track is misinterpreted so that another unsafe track is followed. | 0,0% |
| 42 | Error in setting planned course | The safe decided track is understood correctly but implemented erroneously to result in a track deviation that is unsafe. | 9,2% |
| 43 | Misjudgement of own vessel movements | The planned track is understood correctly and attempts are made to respond to the plan. However, the ship movements as a result of manoeuvre capabilities are misjudged to result in an unsafe track deviation. | 6,5% |
| 44 | Wind and currents causes deviation from desired track | The planned track is understood correctly and attempts are made to respond to plan. However, wind and currents are not taken properly into account, resulting in unsafe track deviations. | 5,6% |
| 45 | Lack of procedures or monitoring and warning systems | The unsafe deviation from planned track was not identified. This may be due to lack of quality assurance procedures and monitoring/warning systems for track planning. It would include lack of position plotting. | 0,7% |
| 46 | Procedures not followed or monitoring systems not used | The unsafe deviation from planned track was not identified. Procedures and systems for quality assurance of planned tracks may be in place, but are not used or followed. | 1,9% |
| 47 | Warning (by crew or systems) disregarded | The unsafe deviation from planned track is identified and a warning is given, but disregarded by officer in command. | 0,2% |
| 48 | Warning (by crew or systems) misunderstood | The unsafe deviation from planned track is identified and a warning is given, but misunderstood by officer in command. | 0,1% |
| 49 | Warning (by crew or systems) not given | The unsafe deviation from planned track is identified but warning is not given. This could be technical fault or human error. | 0,3% |


Figure 6. Simplified fault tree for Collision. [Diagram not reproduced. Top event: "Collision, whilst on dangerous course". Intermediate events shown, with the basic events drawn under them:
- "Does not discover other ship or other ship's movement": too high speed; incorrect use of radar; technical failure; LTA lookout; inadequate performance of COW; LTA use of fog-horn/flags/lights.
- "Discover other ship, but cannot avoid collision".
- "Unsuccessful in contacting other ship": wrong use of equipment; communication means out of order; other ship not listening; contacted wrong ship.
- "Misunderstanding when communicating with other ship": misunderstanding due to language problems; bad connection/noise; misunderstanding due to lack of training.
- "Own avoidance manoeuvre unsuccessful due to internal comm. problems": internal language problems; procedural problems (responsibility confusion); incorrect decisions/actions due to stress/fatigue/undermanning/training; man-machine interface.]


References

[1] SAFECO 2 homepages - http://research.dnv.no/safeco2/.
[2] IDEF-0 homepages - http://www.idef.com.
[3] DAMA info: http://tekstbaser.interpost.no/nou/1994-9/kapll03.htm.
[4] Høyland, A., Rausand, M., System Reliability Theory, ISBN 0-471-59397-4.
[5] CARA homepages - http://www.sintef.no/sipaa/prosjekt/cara/.
[6] MAIB homepages - http://www.gtnet.gov.uk/maib/maibhome.htm.


Integration of FTA and RCM - a case from shipping


Svein Inge Masdal, Research Engineer
Roar Bye, Senior Research Engineer
Section of Technical Operations / Division of Machinery and Operation Technology
Norwegian Marine Technology Research Institute AS, MARINTEK
P.O. Box 4125 Valentinlyst, 7002 Trondheim, Norway

Abstract

There is no common practice of structured transfer of results from risk and reliability analysis in design to operation requirements in shipping. There is also a general lack of experience feedback from operation to design. This paper describes a method for utilisation of results from Fault Tree Analysis, FTA, in Reliability Centered Maintenance, RCM, to improve operational performance, in terms of increased availability and reliability and reduced maintenance costs.

The paper also presents a methodology for continuous improvement of both operation and design. Continuous improvement necessitates sufficient relevant data, which again requires a rigid regime for data collection. In order to gather a sufficient number of data, data from additional sources may be required. Data collection from various sources will be eased by applying standardised data formats.

Rules governing shipping have traditionally been prescriptive. In an attempt to address this issue, IMO (UN maritime body) has arrived at an interim set of guidelines for the application of Formal Safety Assessment, FSA, in the rule-making process. This paper describes how requirements from an FSA can be applied in FTA.

The issues raised above have been developed and implemented in the EU-funded project MOSys (Models for Operational Reliability, Availability and Integrity Analysis of Ship Machinery Systems). Experiences from MOSys are presented in the paper.

Keywords: Ship Operation, RAM analysis, STEP, AP 226, Fault Tree Analysis, Continuous Improvement, Formal Safety Assessment

1. Motivation

A study of the state of art regarding application of Reliability, Availability and Maintainability, RAM, revealed that in the aircraft industry, as well as in nuclear and space industries, the employment of RAM data is and has been a vital element in design and in operation of equipment and systems [1].


The study, however, revealed a complete lack of utilisation of RAM data within the European shipbuilding and shipping industry. The current shipyard design practices are not based on the life-cycle view and have no formal link to operational experience. A life-cycle view in design must be built upon in-service feedback of parameters relevant for design improvement. The application of RAM technology to ship machinery systems feedback has yet to be realised. Although there have been some attempts at collecting RAM data, the overall picture shows a lack of consistency in terms of collection, analysis, utilisation and employment of data.

This paper describes a method for applying RAM data in fault tree analyses, FTA, supporting Reliability Centred Maintenance, RCM, ending up in a set of maintenance strategies assigned to vital equipment. The methodology described is based on the fact that maintenance is needed to obtain a requested availability, and thus also directly influences, and is influenced by, the reliability of an item. It is generally recognised that RCM analyses often suffer from a lack of reliable and applicable failure data. It is further assumed that applying FTA to strengthen the criticality¹ assessment part of the RCM would increase the quality of the analysis as such and in addition implant design knowledge in the traditionally operation-focused RCM analysis.

2. The MOSys project

MOSys (Models for Operational Reliability, Integrity and Availability Analysis of Ship Machinery Systems) is a research project that is funded by the European Commission under the Brite/EuRam programme. It aims to enhance the operational efficiency and profitability of ship plant systems through reliability, availability and maintainability (RAM) analysis at the ship design stage and implementation of Technical Asset Integrity Management (TAIM) technology during the rest of the ship life cycle. In particular it seeks to harness the power of information technology in handling the life-cycle data, which is an essential requirement for achieving the above objectives. To achieve these goals, MOSys will develop techniques and tools for:

- RAM and maintenance cost analysis, based on ship machinery historical data, FMEA and criticality analysis.
- Survey, Inspection and Repair (SIR) planning, for harmonisation of the logistic support for ship survey, inspection and repair in support of operational availability.
- Technical asset management with assets' design, functional and operational data capture and data analysis capability in support of RAM, SIR, maintenance cost analysis, and the life-cycle tracking of the asset's conditions. This is targeted at the ship operation phase.
- The above modules will be supported by development of a distributed SEMDR (Ship Equipment and Machinery Data Repository) that will be based on the ISO 10303 (STEP) Application Protocol 226 (Ship Mechanical Systems) [2].

The project consortium comprises Lloyds Register (UK), Germanischer Lloyd (D), BIBA (D), Marenostrum (POR), Lisnave (POR), Fordest (POR), HDW (D) and MARINTEK (N).

¹ The term "Criticality" used in RCM is synonymous to the term "Risk" used in FTA.

2.1 Integration of FTA and RCM

In the MOSys project, FTA and RCM are integrated to increase the quality of the criticality assessment, which is an important part of the RCM analysis [3]. A simplified overall dataflow in the RAM module developed in MOSys is shown in Figure 1:

Figure 1. Simplified dataflow schematics of the RAM module developed in MOSys. [Diagram not reproduced; blocks shown: RCM, FTA, Data capture and preparation, Data Repository.]

In the following, the focus is put on the dataflow between the RCM and FTA. RCM comprises the following main parts:

- Function/system breakdown
- Function analysis
- Criticality analysis (FMECA)
- Maintenance assignment
- Job packing

2.2 Criticality analysis

The Criticality analysis is a major part of the RCM analysis, since the criticality of failure modes often affects the maintenance strategy. Criticality is often derived from the following formula:


$$CR = P(x_i) \times S$$ [4]

CR = Criticality.
P(x_i) = Probability of occurrence of the failure mode x_i for component i.
S = Severity factor (function of consequences).

In many cases the system architecture is complex, and a single failure mode does not always lead to a system failure (e.g. two pumps may stand in parallel, and both pumps must stop to cause a critical situation). A more explicit measure for criticality may therefore be derived from the following formula:

$$CR = P(x_i) \times P(H \mid x_i) \times S$$

CR = Criticality.
P(x_i) = Probability of occurrence of failure mode x_i for component i.
P(H | x_i) = The conditional probability of the overall hazardous condition given failure mode x_i for component i.
S = Severity factor.

FTA may be used to model such a situation. The top event in the fault tree should be the overall hazardous condition, and the basic events should be the failure modes. Birnbaum's measure of importance of component i at time t is defined in the following formula:

$$I^B(i \mid t) = \frac{\partial Q_0(t)}{\partial q_i(t)} \quad \text{for } i = 1, 2, \ldots, n$$

Q_0(t) = Probability that the top event occurs at time t.
q_i(t) = Probability that basic event i occurs at time t.

An alternative definition of Birnbaum's measure is: Birnbaum's measure of reliability importance of component i at time t is equal to the probability that the system is in such a state at time t that component i is critical for the system [5]. We can therefore say that:

$$P(H \mid x_i) = I^B$$ [5]


2.3 Practical implementation

The integration between RCM and FTA is implemented in a software prototype, where the prototype version of RCMTool² and CARA Fault Tree³ are linked together. The RCM analysis is performed in RCMTool, while fault tree definition and fault tree calculations are performed by CARA Fault Tree. All data for RCMTool is stored in a database. In the same database the names of the fault trees are defined with connections to specified functions in the function hierarchy. RCMTool comprises the following main parts:

- Function tree
- Equipment assignment
- Function analyses
- FMECA (Failure Mode Effect and Criticality Analysis)
- Maintenance task assignment

Figure 2 shows how functions, equipment, functional failures, parts and failure modes are logically connected in RCMTool:
Figure 2. Logical description of connected elements in RCMTool. [Diagram not reproduced; it links a function code to equipment items, function failures, parts and failure modes.]

² RCMTool is a software product developed by MARINTEK.
³ CARA Fault Tree is a software product developed by SINTEF.


Each new fault tree is connected to a function in the function hierarchy. Figure 3 shows how the function hierarchy appears in RCMTool. The fault tree can be linked to any function at any level in the function hierarchy. There can be no exact recipe for linking fault trees to the functional hierarchy. This exercise must be performed on a case-by-case basis; it is, however, possible to give some rules of thumb. The fault tree methodology should mainly be used on the most critical functions, since it is time consuming to analyse all functions. The functions where fault trees are used should also be complicated enough to justify the use of fault tree analysis. The fault trees should be linked to a level in the functional hierarchy that gives useful results. This will probably vary over the system's life cycle. In the design phase, one might be interested in comparing the reliability of two different lubrication oil systems. In such a case, lubrication of main engines may be an appropriate function level. In other cases, one might be interested in identifying the main contributors to risk for grounding. In such a study propulsion might be a more suitable level.

New fault trees are defined in the screen picture shown in Figure 4. Function code and name are automatically displayed in the first field, and the top event must be chosen from a set of predefined top events in the following field. The weight factor, which is assigned to each fault tree, is a consequence measure, for comparison of results from different fault trees. This is useful if e.g. a failure mode is part of two different fault trees. In one fault tree, the failure mode is a big contributor to the probability of the top event, while the failure mode is ranked low in the other fault tree. In such an example the result from the fault tree with the highest weight factor should be paid most attention.

The fault tree must be assigned to at least one of the four categories (Safety, Environment, Production Down Time, Maintenance Cost). The categories found here are the same as the criticality codes used in RCMTool. It is important to select the correct categories as they may be used later in the FMECA part of RCMTool.

Figure 3. Screen picture from Function Tree part of RCMTool. [Screenshot not reproduced.]

Figure 4. Screen picture from CARA dialog window in RCMTool. [Screenshot not reproduced; it shows the top event "Loss Of Main Propulsion Power Generation", the category check boxes S (Safety), E (Environment), P (Production down time) and C (maintenance Cost inducing equipment damage), and a list of the fault trees connected to the function code with their categories, weight and calculation.]

When all attributes have been defined, it is possible to start constructing the fault tree. So far the new fault tree and its attributes have been defined in the RCMTool database, and the fault tree name is linked to the function code. Construction of the new fault tree is done manually, meaning the user defines appropriate gates and basic events in the fault tree. However, some support from RCMTool is offered. When basic events have been defined it is necessary to supply them with data. These data are often already entered into the RCM database during the FMECA. This integrated software makes it possible to retrieve data from the RCM database to ease the FTA. An example of a fault tree is shown in Figure 5.

The data presented in Figure 6 come from RCMTool, and all equipment and assigned failure modes that are found below the selected function (in this example function 1.1.7) will be in this list. Basic events in the fault tree often correspond with the identified failure modes in RCMTool, and it is therefore possible to reuse much of the information entered during the RCM analysis. Basic events in a fault tree may also be human failures that seldom are considered in an RCM analysis. Data for such basic events must therefore be entered manually.

When data for all basic events have been defined, it is possible to perform calculations for the fault tree using available functions in CARA. These functions are found in the "Analysis" menu, but the functions will not be discussed here. The fault tree calculations will be performed automatically when the FMECA is carried out in RCMTool at a later stage.

Figure 5. Example of fault tree defined in CARA. [Screenshot not reproduced.]

Figure 6. Example of output from RCMTool in CARA. [Screenshot not reproduced; it lists failure modes with the columns Description, Lambda, MTTR and Test interval.]


In the FMECA part of RCMTool, criticality analysis is performed. The criticality is a measure of the product of the consequence and its related frequency, as a result of an equipment failure, which in turn causes a functional failure. Criticality is often expressed with respect to the following four parameters:

- Safety (S)
- Environment (E)
- Production down time (P)
- Maintenance cost, incl. equipment damage (M)

Criticality is determined for each of the four parameters; in this case the values 0, 1, 2 or 3 are used, but other parameters may also be used. Results from fault tree analysis are intended to support the user in determining the criticality. This can be done in cases where the selected equipment and functional failure in FMECA is also found in one or more fault trees. When defining new fault trees, some equipment and functional failures are included in fault trees as basic events. In such cases it is possible to perform fault tree analysis from FMECA without having to remember details from the definition of fault trees. The system will automatically find all fault trees where the selected equipment and functional failures were included, and then present results from fault tree calculations. From the screen picture shown in Figure 7 it is possible to display the results from the FTA to improve the Criticality Assessment. Figure 8 shows results from fault tree calculations.

Figure 7. Screen picture from FMECA part of RCMTool. [Screenshot not reproduced.]


Figure 8. Example of result from fault tree analysis for use in criticality assessment in FMECA part of RCMTool. [Screenshot not reproduced; it tabulates results per fault tree with columns including Weight, Reliability, Birnbaum, Lambda and Time, followed by a criticality decision field.]

Theoretically it is possible to rank all failure modes with respect to criticality using the following formula:

$$Crit_i = P(x_i) \times \sum_{j=1}^{m} P(H_j \mid x_i) \times S_j$$

Crit_i = Criticality measure for failure mode i.
P(x_i) = Probability of occurrence of failure mode i.⁴
P(H_j | x_i) = The conditional probability of top event j, given failure mode x_i for component i.
S_j = Severity factor for top event j.
m = Number of top events.

This formula assumes that all critical events are modelled by means of FTA. Within MOSys the following syntax is used:

$$Crit = \sum_{j=1}^{m} \text{lambda} \times I^B \times \text{weight}$$

(The term "Reliability" used in Figure 8 is the product of Birnbaum's number and Lambda (Lambda = 1/MTTF).)

In a practical situation it may be unrealistic to use this method to rank all failure modes automatically. Often expert opinions from experienced operators and designers could give extra information, which may be difficult to model fully by means of FTA. Performing FTA for all critical events may also be too time consuming.
⁴ P(x_i) is not equal to lambda; the connection between P(x_i) and lambda depends on the failure distribution used. P(x_i) is strongly increasing with increasing values of lambda. For ranking purposes lambda may be used instead of P(x_i).
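The ranking described above, worked through on a small constructed case as an added example (this is not code from MOSys, RCMTool or CARA Fault Tree). The pump and filter failure modes, their failure rates, the weights and both tree structures are assumptions; basic-event probabilities are assumed to follow q_i(t) = 1 - exp(-lambda * t), and lambda stands in for P(x_i) as in the MOSys syntax.

```python
"""Added example: Birnbaum importance and criticality ranking from fault trees."""
import math
from itertools import product

# A fault tree is a nested tuple ("AND" | "OR", child, ...); a leaf is the
# name of a basic event (here: a failure mode of one component).

def basic_events(node):
    """Return the set of basic-event names below `node`."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(child) for child in node[1:]))

def occurs(node, state):
    """Structure function: does the event at `node` occur in `state`?"""
    if isinstance(node, str):
        return state[node]
    gate, *children = node
    if gate not in ("AND", "OR"):
        raise ValueError(f"unknown gate type: {gate!r}")
    results = [occurs(child, state) for child in children]
    return all(results) if gate == "AND" else any(results)

def top_probability(tree, q):
    """Q0: exact top-event probability for independent basic events.

    Enumerates every combination of basic-event states, so a basic event
    that appears in several branches is still handled correctly.
    """
    names = sorted(basic_events(tree))
    total = 0.0
    for values in product((False, True), repeat=len(names)):
        state = dict(zip(names, values))
        if occurs(tree, state):
            p_state = 1.0
            for name in names:
                p_state *= q[name] if state[name] else 1.0 - q[name]
            total += p_state
    return total

def birnbaum(tree, q, event):
    """I^B = dQ0/dq_i. Q0 is linear in each q_i, so the derivative equals
    Q0 evaluated with q_i = 1 minus Q0 evaluated with q_i = 0."""
    return (top_probability(tree, {**q, event: 1.0})
            - top_probability(tree, {**q, event: 0.0}))

def criticality(trees, lambdas, q):
    """Crit_i = sum over fault trees j of lambda_i * I^B_ij * weight_j."""
    return {
        event: sum(lam * birnbaum(tree, q, event) * weight
                   for tree, weight in trees.values())
        for event, lam in lambdas.items()
    }

# --- Constructed sample data (illustrative, not taken from MOSys) -----------
HOURS = 8760.0  # one year of operation
LAMBDAS = {     # failure rates per hour
    "pump_A_stops": 2e-5,
    "pump_B_stops": 2e-5,
    "fuel_filter_clogged": 5e-6,
}
# Assumption: exponential failure times, no repair: q_i(t) = 1 - exp(-lambda*t).
Q = {name: 1.0 - math.exp(-lam * HOURS) for name, lam in LAMBDAS.items()}

TREES = {  # top event -> (fault tree, weight factor); structures are assumed
    "Loss of main propulsion power generation": (
        # two pumps in parallel: both must stop, or the filter clogs
        ("OR", ("AND", "pump_A_stops", "pump_B_stops"), "fuel_filter_clogged"),
        3.0,
    ),
    "Reduced engine performance": (
        ("OR", "pump_A_stops", "fuel_filter_clogged"),
        1.0,
    ),
}

def ranked_failure_modes():
    """Failure modes sorted from most to least critical."""
    crit = criticality(TREES, LAMBDAS, Q)
    return sorted(crit, key=crit.get, reverse=True)

if __name__ == "__main__":
    crit = criticality(TREES, LAMBDAS, Q)
    for name in ranked_failure_modes():
        print(f"{name:22s} Crit = {crit[name]:.3e}")
```

Pump B has the same failure rate as pump A but ranks last, because it appears only behind the AND gate of the redundant pair; the filter, despite a lower failure rate, ranks above it because it is a single point of failure in both trees.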


Within the MOSys project, the results from the FTA are used more as decision support, to adjust the criticality after an ordinary criticality assessment is done based on expert judgement. The measures "Reliability" and "Weight" are therefore not discussed further.

2.4 Continuous improvement

As stated in the introduction, there is, within the maritime industry, a strong need for more systematic feedback of historical data from operation to design. In order to improve equipment design based on experience data, a system must be available for collection and analysis of failure data. In addition to the continuous improvement of design based on operational data, there is a significant potential for improvement of maintenance and spare part stock in operation. Normally in shipping, as in most industries, continuous improvement of maintenance is based on deviation analysis on a macro level, e.g. the ratio of planned maintenance to corrective maintenance, or the back-log (jobs not carried out according to plan). Unfortunately, corrective actions are, more as the rule than the exception, accidental, unsystematic, and time and cost intensive. The TAIM module in MOSys includes, among other features, a solution for continuous improvement of maintenance. The idea is to analyse extensive amounts of historical data in order to reveal deviations between planned and reported maintenance. The method for continuous improvement analysis of RAM data is shown conceptually in Figure 9.

Figure 9. Continuous Improvement of RAM data in MOSys.


2.5 Data collection

RAM analysis requires high quality input data to obtain good results. Today, the lack of high quality RAM data is one of the main problems concerning performance of RAM analysis within the maritime industry. Only a few initiatives have been made to ease this situation. RAM/SHIPNET has probably been the most successful of these initiatives [6,7]. RAM/SHIPNET was established in the US under the umbrella of the Ship Operations Cooperative Program (SOCP). The project was set up as an information network, which should support the optimisation of reliability, safety and the operation costs of the ship operation. Involved in this project are a number of government organisations and regulatory bodies as well as ship operators and research institutes. Consisting of a distributed and shared Reliability, Availability and Maintainability (RAM) database, RAM/SHIPNET was designed to collect, process, disseminate and store marine equipment failure information. Data input for this database comes from Chief Engineers, ship-operation managers, regulatory agencies, equipment manufacturers and shipyards. Software to ease the data collection has been developed within RAM/SHIPNET, and these software products are today used on several ships to collect data. The MOSys consortium soon realised the need for RAM data, and MOSys has therefore formalised co-operation with RAM/SHIPNET.

2.6 Standardisation

Building a ship or manufacturing ship equipment based on operational data requires fast access to common data in a database. Making this methodology applicable requires a standardisation of the data types used to populate such a database. Use of information technology for enhanced engineering and cost analysis, concurrent engineering and life cycle data handling is essential to meet the coming requirements to reliability, availability and technical asset management. An essential part of the MOSys project is to apply the existing ISO AP226 Protocol, especially for design applications, and in addition to extend the AP226 to embrace operational data.

2.7 FTA - FSA

Rules governing shipping have traditionally been prescriptive. In an attempt to address this issue, (UN maritime body) has arrived at an interim set of guidelines for the application of Formal Safety Assessment, FSA, in the rule-making process. The FSA is in principle a guideline for carrying out risk analyses.


One of the activities in MOSys regarding FSA was to identify information types by applying the FSA guideline on a selected case (ship propulsion system). The FSA comprises five steps:
- Hazard identification
- Risk assessment
- Evaluation of risk-control options
- Cost-benefit assessment
- Recommendations for decision-making

Prior to the FSA, the study comprised definition of the system in terms of boundaries and, secondly, a description of a general mission (manoeuvring, sailing in restricted waters and deep seas) for the case study. The objective of the FSA carried out was to make recommendations for which information types should be established and exchanged between parties handling ship propulsion systems. A possible application of the FSA in the future will be to identify top events and acceptance levels (acceptable reliability) for the fault tree analyses. This is illustrated in Figure 10.

3. Conclusion

The aircraft industry, nuclear industry and space industry have applied RAM analyses in design and operation with great success. MARINTEK has, through the MOSys project, presented a methodology for integrating fault tree analysis and RCM analyses. The intention has been to improve the decision base upon which the maintenance plan has been founded. We have in addition demonstrated that a link between a prototype RCMTool and a commercial FTA tool (CARA) can be established and operate satisfactorily. The integration has been based on the fact that, in accordance with the definition, maintenance is needed to ensure availability, and is thus also directly influencing - and influenced by - the reliability of an item. The worse the reliability, the more maintenance is required. A failure may result in downtime and it may also result in hazardous situations and accidents. It is thus important that safety functions and systems/equipment with inherent risks are properly maintained. There is an increasing focus on continuous improvement in terms of improved design and operation regularity. However, the systematic feedback of expert knowledge from design to operation and feedback of historical experience data from operation back to design has suffered from lack of data and, where data exists, its quality has been poor.

[Figure 10 labels: Basic events; Top events: Fire, Loss of Propulsion; Hazard events: Drift grounding, Powered grounding, Contact, Fire, Explosion.]

Figure 10. Conceptual view of FTA and ETA interface.


The evident need for quality RAM data may only be remedied by employing existing standards for data reporting and interchange. Another issue, which most probably will have an impact on the dissemination of the application of integration of RCM and FSA, is the introduction of authority requirements, e.g. rule making in the classification societies.

References
[1] "Evaluation of Existing RAM and Maintenance Cost Analysis Concepts", Alfred Mechsner & al., MOSys Report D2.1-1, 1998.
[2] "AP226 STEP Standard", 1998 ISO TC184/SC4/WG3 N730, ISO/WD 10303226 Ship Mechanical Systems. Edited by Dr. Bazari, March 1998.
[3] "Design and Development of RAM and Maintenance Analysis Models and Implementation Specifications", Svein Inge Masdal, Roar Bye & al., MOSys Report D2.2-1, 1998.
[4] "Reliability Centred Maintenance", Anderson and Neri, Elsevier Applied Science, 1990.
[5] "System Reliability Theory, Models and Statistical Methods", Arnljot Høyland & Marvin Rausand, John Wiley & Sons, 1994.
[6] "Interim Report of SOCP Reliability, Availability, Maintainability Data Bank for Ships", Dr. Bahadir Inozu, Nov. 1993.
[7] "Reliability Data Collection for Ship Machinery", Dr. Bahadir Inozu & al., Marine Technology, April 1998.


Development of the Railtrack Safety & Standards Directorate's Safety Risk Model
A. Symons, Railtrack plc, Railtrack House, Euston Square, London NW1 2EE, UK
C.R. Dennis, WS Atkins plc, Ashley Road, Epsom, Surrey KT18 5BW, UK

1. Introduction

The national railway network in Great Britain consists of 31,000 km of track, 2469 stations and covers a wide range of services from high speed long distance intercity services to high density commuter services and freight. The railway system was restructured in 1994 and privatised between 1994 and 1997. Railtrack plc took responsibility for the control of the infrastructure (tracks and signalling), 25 train operating companies (TOC) operate train services over the Railtrack controlled infrastructure (RCI), 3 companies lease trains to the TOCs and there are 25 infrastructure renewal and maintenance companies, all of which make up the Railway Group. Railtrack has responsibility for system safety and safe interworking of the railway and for the health and safety of those who may be affected by the company's activities. As the infrastructure controller, its responsibilities extend to assuring safety within the entire Railway Group. Railtrack meets this responsibility through its Safety & Standards Directorate (S&SD). S&SD is independent of Railtrack's operational and commercial management.

S&SD has a responsibility derived from Railtrack's Railway Safety Case to co-ordinate the Railway Group's safety management arrangements and provide leadership to the industry in safety matters. This responsibility is met through the railway safety case acceptance process, the production of railway group standards (RGS), Railtrack approved codes of practice (RACOP), guidance notes, safety management systems audits, production of the railway group safety plan and through its current risk assessments and the Safety Management Information System (SMIS). It is essential, however, that the control of the risks and hazards on Railtrack controlled infrastructure (RCI) is carried out in an open and explicit manner, so that the end users in the Railway Group can be assured that the controls imposed are effective yet do not cost disproportionately more than the benefits they provide.


S&SD is currently developing a safety risk model that will provide a structured representation of the cause and consequences of potential accidents arising from railway operations on the RCI. This paper describes the methodology, summarised in the form of a flow diagram in Figure 1 below, which is being used in the development of the S&SD Safety Risk Model (SRM).
[Figure 1 flowchart boxes:]
- Develop project specification
- Identification of hazardous events
- Identification of the precursors for each hazardous event
- Develop project database
- Develop basic risk model structure
- Review of data sources
- Prepare risk models: train accidents, movement accidents, non-movement accidents
- Develop consequences rule sets
- Develop RiskVu files for results processing
- Prepare and present results
- Prepare project report

Figure 1. Risk Model Development Flowchart.

2. Safety risk model objectives

The objectives of the SRM are to:
- Provide an understanding of the nature of the current risk on the RCI.
- Provide the risk assessments which form part of Railtrack's Railway Safety Case.
- Assist in the development of the long term strategies and priorities for the Railway Group Safety Plan that sets 10 year goals, which is reviewed and published annually.
- Identify and prioritise the railway group standards which should be considered for revision in terms of their contribution to risk.
- Enable as low as reasonably practicable (ALARP) assessments and cost benefit analyses to be carried out: (i) to assist in the decision making process regarding the merits of technical changes/modifications and new infrastructure investment and (ii) to assist in the development of safety justifications for proposed changes.


- Assist in identifying additional control measures which would reduce risk.
- Understand the contribution of a particular item of equipment or failure mode to the overall risk.
- Assist in the validation of train and station operators' railway safety cases.
- Identify and prioritise issues for audit.
- Understand the risk and risk profiles across the network.
- Provide the facilities for undertaking general safety research and investigations.

3. System boundaries

In order to create a safety risk model of the RCI it has been necessary to define clearly the boundaries of the system being modelled. The SRM is to include the safety risk from incidents which could occur during the operation and maintenance of the RCI within the boundaries defined in Sections 3.1 to 3.5 below. The SRM will not include quantification of risk to staff due to long term occupational health issues.

3.1 People

The SRM will include the risk to the following groups of people who could be affected by the operation and maintenance of the RCI:
- passengers on trains;
- passengers at stations;
- railway workers on trains;
- railway workers at stations;
- railway workers working on or about the track;
- members of the public (not passengers) outside the RCI or legitimately crossing the RCI, for example on level crossings.

3.2 Stations

It will be the intention for the SRM to consider ultimately all the potentially hazardous events which could be associated with the movement of passengers and staff inside the physical boundaries of stations. However, in order to contain the scope of work during the initial risk model development phase, the boundary at stations has been taken as the platform/train interface. No events beyond the platform/train interface will be modelled initially except where events could result in the platform/train interface being affected, e.g. by preventing passengers evacuating from the trains.

3.3 Trains

The boundary within the trains operating on the RCI will be defined by events on the trains which are caused by events on the RCI or events on the trains which themselves cause events on the RCI.


3.4 Depots

Events occurring within depots will not be included within the SRM. However, events relating to the movement of trains entering and leaving depots and events relating to the condition of trains joining the system from the depots will be included.

3.5 Members of the public

Events occurring on the RCI which have the potential to affect members of the public living or working outside the RCI boundary lines will be included. Events associated with members of the public falling onto the RCI, trespass onto the RCI, vandalism and suicides will also be included.

4. Identification of events to be modelled

The SRM is to be based on the quantification of the risk resulting from hazardous events occurring on the RCI which have the potential to lead to fatalities, major injuries or minor injuries to passengers, staff or members of the public. In the context of the SRM a 'hazardous event' is taken to mean an event which has the potential to lead directly to death or injury. For each hazardous event there could be a single or combination of precursors (system failures, sub-system failures, component failures, human errors or physical effects) which could result in the occurrence of the hazardous event. For example, a derailment would be considered to be a hazardous event as it can lead directly to injuries, whereas a broken rail would be classified as a precursor because without the occurrence of a subsequent derailment, no injury would occur.

For the purposes of developing the SRM it has been necessary to identify the hazardous events covering train accidents, movement accidents and non-movement accidents relevant to the operation and maintenance of the RCI. The following definitions are used:
- Train accidents are accidents to trains and rolling stock.
- Movement accidents are accidents to people caused by the movement of trains but excluding those involved in train accidents.
- Non-movement accidents are accidents to people on railway premises but not connected with the movement of railway vehicles.

In formulating the strategy to be used for the development of the SRM, it was recognised that over the years there have been several comprehensive hazard identification studies carried out on railway systems in the UK which could be utilised in the development of the SRM, thereby avoiding the need for further detailed hazard identification assessments. It has, however, still been necessary to develop a full list of hazardous events and their associated precursors for inclusion in the SRM.
Traditionally, hazard identification has considered whether fatalities or injuries to people occur as a result of equipment, system or procedures. However, to ensure that all possible events leading to fatalities or injuries were identified for inclusion in the SRM, in addition to referencing the existing hazard identification studies it was decided to consider the hazards using a novel approach whereby the generic injury mechanisms by which a person can be killed or injured are identified. The question is then asked "how can this type of injury be caused on a railway system?" The following assessment process was used:
- Development of a generic list of the mechanisms which could lead to injuries to people; see list in Table 1.
Table 1: List of generic injury mechanisms.

Generic injury mechanism | Example types of injury | Example causes
1. Being crushed (whole body) | Death, amputation, broken limbs, cuts and bruises, trauma | Collapsed vehicle, collapsed structure, crushed by moving vehicles, crushed by large falling object
2. Being trapped (individual limbs) | Amputation, broken limbs, cuts and bruises, suffocation, trauma | In doors, in machines, between vehicles, between vehicle and structure
3. Falling | Death, broken limbs, cuts and bruises, trauma, concussion | Tripping, loss of balance, falling from heights, falling down holes, being pushed
4. Being hit | Death, blinded, cuts and bruises, concussion, trauma | Vehicles, flying objects and debris, dropped object, rupture of pressure vessels, criminal act
5. Being burned | Death, burns, trauma, blinded | Fires, chemical burns, explosions
6. Electrocution | Death, burns, trauma, loss of consciousness | Contact with high voltage traction supplies, contact with low voltage industrial/domestic/lighting/power tool supplies, equipment short circuits
7. Asphyxiation | Death, brain damage, trauma | Smoke, drowning, reduced breathing air supply, faulty breathing apparatus
8. Illness | Death, disabled, trauma | Exposure to biological agent, infected materials
9. Manual handling | Bad back, dislocated limbs, pulled muscles | Luggage, tools, objects
10. Contamination/poisoning | Death, burns, lung disease, skin disease, brain damage, blinded | Exposure to hazardous substances due to explosions, tank ruptures, spilled substances
11. Noise | Deafness, shock, trauma | Work environment, power tools, on track machines
12. Vibration | Carpal tunnel syndrome, white finger | Power tools, on track machines
13. Electromagnetic radiation | Cataract, cancer | Exposure to traction supplies, high voltage electrical equipment, microwaves
14. Ionising radiation | Cancer | Non-destructive testing
15. Extreme cold | Hypothermia, frost bite | Winter on track maintenance, falling into water
16. Extreme heat (other than fire) | Heat exhaustion, loss of consciousness | Train stalled in tunnel with high ambient temperatures, working in confined spaces, inadequate protection when working in the sun during the summer
17. Repetitive tasks | RSI | Prolonged periods of repetitive movements of fingers, hand or arm
18. Violence | Death, blinded, cuts and bruises, concussion, trauma | Annoyed passengers/staff/members of the public, drunk passengers/members of the public, criminal behaviour


- For each group of people defined in Section 3.1, consideration was given to the ways in which each injury mechanism listed in Table 1 could be caused.
- For each injury cause identified, all the events associated with the operation and maintenance of the railway which could result in the particular injury cause were determined.
- For each event identified, consideration was then given to which events could be related to the RCI and a clear hazardous event definition applicable to the people group being considered was produced.
- Once the hazardous events for each group defined in Section 3.1 were identified, in order to give confidence that all known injury related hazardous events had been identified, the existing hazard identification studies were reviewed and compared with the lists of hazardous events developed. Any hazardous events identified in studies which were not included were, where relevant, added to the new list of hazardous events.

Once the above process has been completed for each people group, a full rationalised list of the hazardous events for use in the SRM was developed. The number of hazardous events being considered is 118.

In order to provide greater detail to the modelling process it has been necessary to subdivide further some of the hazardous events where the precursors, frequency of failure or the overall consequences could be significantly different. For example the hazardous event 'collision between two passenger trains' could be broken down into the type of collision (rear end, head-on and side-on) and location specific issues such as on open track at grade, on embankment, in tunnel, on bridges or viaducts, on level crossings or in station.

At the same time as the hazardous events were being confirmed, the existing hazard identification studies were also used to identify and extract the precursors and the control measures and safeguards which are applicable to each hazardous event. This information forms the basis of the development of the SRM for each hazardous event.

5. Basis for the SRM

The SRM is being developed in the form of a cause and consequence analysis using fault trees and event trees to represent each of the hazardous events. Diagrammatic representations of the relationship between the fault tree analysis and the event tree analysis in the context of the overall SRM are presented in Figures 2 and 3. The SRM will enable risk to be calculated in terms of:
- Collective risk - the average number of equivalent fatalities per year occurring on the RCI. The term equivalent fatality allows for the influence of major injuries and minor injuries to be considered where 10 major injuries or 200 minor injuries are equivalent to one fatality.


[Figure 2 boxes: Component Failure Data; Fault Tree Analysis; Event Tree Analysis; Results Processing.]

Figure 2. Information flows within the SRM.

[Figure 3 diagram: an example fault tree (not developed fully), built from example basic events (precursors) through AND and OR gates up to the hazardous event definition, beside an example event tree (not developed fully) with node definitions, fault sequences, frequency (events/yr), consequences and risk (equivalent fatalities/yr).]

Figure 3. Relationship between Fault Tree and Event Tree Analysis.


- Individual risk - the annual probability of fatality per year for particular passenger or staff groups using the railway.
- Societal risk - a measure of the frequency of accidents which lead to multiple fatalities.

In developing the SRM it is recognised that the RCI has many differing characteristics, combined with a significant variety of trains and service intensities, which will affect the estimates of risk, in terms of differing causes, frequency of failures and consequences of accidents. While it is the intention for the SRM to recognise ultimately these differences, initially a single system wide SRM is being developed. Nevertheless, in relation to train accidents the system wide SRM will include:
- the passenger loading (night, off-peak, peak and crush loaded);
- the train speed;
- whether secondary effects occur such as collision with a train on an adjacent line, fires, collisions with lineside structures or structural collapse onto train.

This system wide SRM will enable Railtrack to:
- develop the basic fault tree and event tree models required to analyse each hazardous event;
- determine the full range of data requirements for each hazardous event;
- demonstrate that the concept of the SRM and the software is viable.
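The cause and consequence calculation described in this section can be carried through for one hazardous event as follows. This is an added example, not Railtrack's model and not FaultTree+ or RiskVu output: precursor frequencies give the hazardous event frequency, an event tree splits it into fault sequences, and consequences are converted to equivalent fatalities with the paper's 10:1 and 200:1 ratios. All precursor names, frequencies, node probabilities and consequence figures are constructed, and summing precursor frequency times conditional probability is an assumption standing in for a full fault tree.

```python
MAJOR_PER_FATALITY = 10   # from the paper: 10 major injuries = 1 equivalent fatality
MINOR_PER_FATALITY = 200  # from the paper: 200 minor injuries = 1 equivalent fatality

# Constructed precursor data for one hazardous event (a derailment):
# name -> (precursor frequency per year, probability it leads to the event).
PRECURSORS = {
    "broken_rail": (400.0, 0.005),
    "track_buckle": (50.0, 0.02),
    "wheelset_failure": (10.0, 0.1),
}

# Constructed event tree. A leaf holds the mean consequences per event for each
# people group as (fatalities, major injuries, minor injuries).
EVENT_TREE = {
    "question": "obstructs adjacent line?",
    "p_yes": 0.25,
    "no": {"consequences": {
        "passenger": (0.0, 0.2, 4.0), "staff": (0.0, 0.1, 1.0), "public": (0.0, 0.0, 0.0)}},
    "yes": {
        "question": "struck by train on adjacent line?",
        "p_yes": 0.4,
        "no": {"consequences": {
            "passenger": (0.1, 1.0, 10.0), "staff": (0.0, 0.2, 2.0), "public": (0.0, 0.0, 0.0)}},
        "yes": {"consequences": {
            "passenger": (2.0, 10.0, 40.0), "staff": (0.2, 1.0, 2.0), "public": (0.0, 0.0, 0.0)}},
    },
}


def equivalent_fatalities(fatalities, major, minor):
    """Convert a mix of fatalities and injuries to equivalent fatalities."""
    return fatalities + major / MAJOR_PER_FATALITY + minor / MINOR_PER_FATALITY


def hazardous_event_frequency(precursors):
    """Events per year, summing the contribution of each precursor."""
    return sum(freq * prob for freq, prob in precursors.values())


def fault_sequences(node, frequency, path=()):
    """Walk the event tree and return [(path, frequency, consequences)]."""
    if "consequences" in node:
        return [(path, frequency, node["consequences"])]
    p_yes = node["p_yes"]
    if not 0.0 <= p_yes <= 1.0:
        raise ValueError(f"node probability out of range at {node['question']!r}")
    question = node["question"]
    return (
        fault_sequences(node["yes"], frequency * p_yes, path + ((question, True),))
        + fault_sequences(node["no"], frequency * (1.0 - p_yes), path + ((question, False),))
    )


def collective_risk(precursors, tree):
    """Equivalent fatalities per year, per people group and in total."""
    risk = {}
    start = hazardous_event_frequency(precursors)
    for _path, freq, consequences in fault_sequences(tree, start):
        for group, (fatal, major, minor) in consequences.items():
            risk[group] = risk.get(group, 0.0) + freq * equivalent_fatalities(fatal, major, minor)
    risk["total"] = sum(risk.values())
    return risk


if __name__ == "__main__":
    print("event frequency:", hazardous_event_frequency(PRECURSORS), "per year")
    for group, value in collective_risk(PRECURSORS, EVENT_TREE).items():
        print(f"{group:10s} {value:.3f} equivalent fatalities/yr")
```

In this constructed case the least frequent fault sequence (secondary collision, 0.4 events per year) contributes most of the collective risk, which is the kind of risk profile the results processing step is meant to expose.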

6. Input data requirements

In order to quantify the risk from each of the hazardous events it will be necessary to populate the fault trees and event trees with input data relating to the frequency and probability of component, equipment, system, human failures, the probability of circumstantial events occurring, and the consequences of each fault sequence.

6.1 Failure frequency/probability data

In general, quantified risk assessments carried out for industries such as nuclear power or oil and gas suffer from the lack of actual failure rate data associated with the equipment being analysed, and therefore tend to be based largely on generic failure rate data. In the railway industry, however, a comprehensive record of train accidents, accidents leading to staff fatalities, injuries and system failures and, in most cases, their associated causes has been kept on computer databases. Therefore whenever possible, the frequencies and probabilities which form the input to the fault tree and event trees will be derived from historical data. When actual data is not available, one of the following techniques will be used:
- Human error probability assessments using the Human Error Assessment and Reduction Technique (HEART).
- Expert judgement using in-house expertise within Railtrack.
- Generic failure data sources.

6.2 Assessment of consequences

As noted above, the types of accidents on the railway fall into three main categories, namely train accidents, movement accidents and non-movement accidents. From a review of these accident types it has been concluded that movement and non-movement accidents tend to be relatively frequent and generally lead to a single fatality or injury. As these are relatively frequent events there is a large amount of historical data available which will be used as the basis of the assessment of the consequences of each type of movement and non-movement accident. For train accidents, however, there is little recorded experience, particularly of the infrequent and potentially high consequence train accidents, most notably collisions, derailments and fires. In relation to the consequences resulting from train collisions, work carried out recently by WS Atkins for Railtrack [1] on the variation of passenger fatalities and major injuries resulting from collisions involving different types of rolling stock and impact speeds will be used as the basis of the consequences for fault sequences associated with collisions. The assessment of the consequences for the other types of train accidents will be based on judgement taking into account:
- historical data on train accidents;
- the characteristics of the particular fault sequence;
- the train speed;
- the passenger loading;
- the incident location;
- the conditions for evacuation etc. which are relevant to the fault sequence;
- the differences between two similar fault sequences.

7. Project database

As a part of the development of the SRM, a project database is being established to record:
- Fault tree basic event data;
- Event tree node probability data;
- Event tree consequences data;
- Modelling assumptions.

In each case the database provides information on any data sources, calculations, assumptions and justifications used to produce the numbers for input to the SRM. The database will record separately the number of passengers, staff and members of the public who suffer fatalities, major injuries or minor injuries attributable to each fault sequence within the event trees. This will enable a range of database consequences outputs to be created such that the event trees can be quantified in terms of passenger equivalent fatalities, staff equivalent fatalities, member of the public equivalent fatalities as well as the total number of equivalent fatalities.

8. Software

The software used in the development of the SRM is as follows:

SRM task | Software
Fault tree/event tree analysis | FaultTree+ by Item Software
Results analysis - overall risk, risk profiles, risk contribution factors, risk sensitivity factors | RiskVu by Item Software
Project database | MS Access
Possible additional results analysis | MS Excel

9. Conclusions

This paper has described the methodology being used currently to develop the Railtrack S&SD Safety Risk Model. The SRM, when complete, will represent a significant step forward in the understanding of the risk and the risk profiles on the Railtrack Controlled Infrastructure. The SRM will allow sensitivity analyses to be carried out to determine the risk reduction that could be obtained from the introduction of new risk control measures, improving the reliability of systems, sub-systems or components, changes to operating and maintenance procedures, and the introduction of new systems or technologies. Using a value of life approach, these risk reductions can be compared with the cost of providing the changes to determine whether the changes would be reasonably practicable to implement. Once the initial system wide SRM covering all the hazardous events has been developed, there will be a greater level of understanding of the process, the areas of difficulty and uncertainty and the areas for improvement such that it will then be easier and more resource efficient when developing the specific models for each type of line and service.


References
[1] Accident consequence modelling (finite element and survival space analysis of Mark 1 and Mark 3 stock). WS Atkins Science & Technology. AM3468/R002 Issue 1. December 1997.


Overview of effective benefits of a speed control system


Francine Keravel, Alain Montadert
Réseau Ferré de France, Service de l'Exploitation et de la Sécurité
Tour Pascal ., 6 Place des Degrés, 92045 Paris la Défense Cedex, France

Abstract

Starting from the formulated needs and the description of the formal technical choices which were made ten years ago, the paper proposes to analyse the feedback experience at two levels: the impacts of a speed control system on the practice of train driving and risk perception, and the impacts on the global system performance. Through the analysis of near misses, the discussion concerns two points:
- some perverse effects with the alert curve and the evolution of the driver behaviour in front of a danger, which impacts the line capacity;
- the impact of the driver behaviour (detection of danger, anticipation, errors and recovery, ...), the technical failures and any other defect on the efficiency of a speed control.

The conclusion proposes a framework of references to better foresee the variability of the situations in which the control system will be applied, especially concerning human factors.

1. Foreword

Réseau Ferré de France (RFF), a new player in railway public service, was founded at the beginning of 1997 to answer three closely interrelated concerns vital for the railway's future:
- to clarify responsibilities between the state and SNCF - especially regarding infrastructure - within the context of the public service mission;
- to enable a railway system on the verge of paralysis to regain a sound financial footing;
- to foster the modernisation of the railway system in order to respond more effectively to customers' and society's expectations.

RFF is growing slowly, with 55 people at the end of 1997, nearly 200 now, and little further growth expected.


RFF, the infrastructure owner, is responsible for planning, funding and implementing investments on the national railway network as well as for running and maintaining the network. It defines the objectives and the management principles for the operation and maintenance of technical and safety installations, as well as the facilities for management of traffic and movements on the network. It makes proposals, on the basis of identified requirements, for the needed adaptations. It defines the terms and conditions for investment as well as the associated financing plans. RFF exercises its responsibility for investment itself or assigns it to SNCF, which maintains and manages the network on behalf of RFF and according to objectives and principles which are defined by RFF.

With its connections to seven neighbouring countries, RFF implements the railway network within the European framework. For example, RFF is the project developer for the French part of a European project called ERTMS (European Rail Traffic Management System): the project involves new train control-command systems based on intensive, or virtually exclusive, use of telecommunications and information technology.

As owner of the railway network, RFF is responsible for overseeing investment in renewal and extension of infrastructure and also for managing a large debt of about 25 GEuros. RFF prepares the terms and conditions for investment along the technical programme and ensures efficient investment, especially in risk assessment and dependability (RAMS).

Numbered among the assets of the French national railway network are:
- 31 868 km of mainline,
- 49 230 km of mainline track and connecting tracks,
- 540 km of private siding feeders and port feeders,
- 72 540 points and crossings, 26 184 of which are on mainline track,
- 19 918 level crossings,
- 2300 signal boxes,
- 1516 tunnels,
- 27 739 rail bridges,

with an annual network utilisation of 529 397 507 train.km.

2. The speed control system

After many serious railway accidents in 1987 and 1988, there was strong political and public pressure to implement a system which works as a control loop on the train driver. As a matter of fact, a train passing a signal at danger, or exceeding the speed limit, leads to an immediately dangerous situation and can cause an accident, such as a derailment or a head-on or lateral collision. Therefore, in 1989, the SNCF took the decision to implement an ATP (Automatic Train Protection) system: the KVB system (Contrôle de Vitesse par Balise) (Cozzi, 1993).


Figure 1. French mainline network.

3. Technical description of the KVB system

The KVB system is an intermittent ATP system (information is transmitted at certain locations, normally at signals or speed reduction locations) which offers complete speed supervision. It consists of an onboard calculator, processing train data (braking performance, for instance) and track data, transmitted through beacons lying in the middle of the track. Each of these two sub-systems has different functions.


4. The onboard calculator

It receives data from:
- The tachometer.
- The cab panel on which the train driver enters the train data, such as length, braking performance, speed limit...
- The antenna receiving track data from beacons.

Processing these data, the calculator continuously checks the train speed:
- It warns the driver through a sound signal when the actual speed is 5 km/h over the allowed speed.
- It stops the train through emergency braking until full stop, when the actual speed is 10 km/h over the allowed speed.

Figure 2. Control and alert curves (speed reduction case). [Curves shown: control curve, alert curve.]

The calculator also checks the train deceleration, down to a speed of 15 km/h or 40 km/h (depending on the safe distance beyond the signal), while approaching a signal at danger:
- It warns the driver through a sound signal when the braking distance becomes too short for the actual speed.
- It stops the train through emergency braking until full stop, if the driver does not react correctly after 5 seconds.

Figure 3. Control and alert curves (stop signal approach). [Labels shown: control curve, stop signal.]
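
The supervision rules described above, as an added sketch that is not the KVB onboard software. The +5/+10 km/h margins, the 15 or 40 km/h approach speeds, the 5 s reaction window and the hold until full stop come from the text; the constant-deceleration braking curve, the reading of "reacts correctly" as the braking distance becoming sufficient again, the sample runs and all names are assumptions of this example.

```python
"""Added illustration of the speed supervision described in the paper.
Assumed: constant-deceleration braking curve; all names are hypothetical."""
from dataclasses import dataclass
from enum import Enum
from math import sqrt
from typing import Optional

WARN_MARGIN_KMH = 5.0     # from the text: sound signal at +5 km/h
BRAKE_MARGIN_KMH = 10.0   # from the text: emergency braking at +10 km/h
REACTION_WINDOW_S = 5.0   # from the text: 5 s for the driver to react


class Action(Enum):
    NONE = 0
    WARNING = 1
    EMERGENCY = 2


def braking_curve_kmh(distance_m: float, target_kmh: float, decel_ms2: float) -> float:
    """Highest speed from which target_kmh is still reachable in distance_m (assumed model)."""
    v_target = target_kmh / 3.6
    return 3.6 * sqrt(v_target ** 2 + 2.0 * decel_ms2 * max(distance_m, 0.0))


def allowed_speed_kmh(distance_m: float, line_kmh: float, target_kmh: float,
                      decel_ms2: float) -> float:
    """Allowed speed ahead of a speed reduction: line speed capped by the braking curve."""
    return min(line_kmh, braking_curve_kmh(distance_m, target_kmh, decel_ms2))


@dataclass
class KvbMonitor:
    decel_ms2: float                        # braking performance entered on the cab panel
    emergency_latched: bool = False
    warning_since_s: Optional[float] = None

    def _held(self, speed_kmh: float) -> bool:
        # Emergency braking is maintained until full stop, then released.
        if self.emergency_latched and speed_kmh <= 0.0:
            self.emergency_latched = False
            self.warning_since_s = None
        return self.emergency_latched

    def check_ceiling(self, speed_kmh: float, allowed_kmh: float) -> Action:
        """Speed reduction case (Figure 2): alert at +5 km/h, control at +10 km/h."""
        if self._held(speed_kmh):
            return Action.EMERGENCY
        over = speed_kmh - allowed_kmh
        if over >= BRAKE_MARGIN_KMH:
            self.emergency_latched = True
            return Action.EMERGENCY
        return Action.WARNING if over >= WARN_MARGIN_KMH else Action.NONE

    def check_stop_approach(self, t_s: float, speed_kmh: float, distance_m: float,
                            release_kmh: float) -> Action:
        """Stop signal approach (Figure 3): deceleration is supervised down to release_kmh."""
        if self._held(speed_kmh):
            return Action.EMERGENCY
        if speed_kmh <= release_kmh or \
                speed_kmh <= braking_curve_kmh(distance_m, release_kmh, self.decel_ms2):
            self.warning_since_s = None     # braking distance is sufficient (again)
            return Action.NONE
        if self.warning_since_s is None:
            self.warning_since_s = t_s      # braking distance has just become too short
        if t_s - self.warning_since_s >= REACTION_WINDOW_S:
            self.emergency_latched = True   # no correct reaction within 5 s
            return Action.EMERGENCY
        return Action.WARNING


# Constructed samples (time s, speed km/h, distance to signal m); not recorded data.
DRIVER_PASSIVE = [(0, 100, 600), (2, 100, 500), (5, 100, 417),
                  (7, 100, 361), (9, 80, 300), (20, 0, 150)]
DRIVER_REACTS = [(0, 100, 600), (2, 100, 500), (5, 60, 430),
                 (12, 30, 330), (30, 15, 150)]


def run_approach(samples, decel_ms2: float, release_kmh: float):
    """Replay one approach to a signal at danger and return the action names."""
    monitor = KvbMonitor(decel_ms2)
    return [monitor.check_stop_approach(t, v, d, release_kmh).name
            for t, v, d in samples]


if __name__ == "__main__":
    print(run_approach(DRIVER_PASSIVE, 0.7, 15.0))
    print(run_approach(DRIVER_REACTS, 0.7, 15.0))
```

In the first run the warning starts at t = 2 s and turns into emergency braking at t = 7 s; in the second the driver's braking clears the warning before the window expires.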


It gives information to the driver through the cab panel:
- KVB working.
- Speed reduction approaching.
- Speed reduction.
- Safe approach speed of 15 km/h (in front of a signal at danger).
- Safe approach speed of 40 km/h (in front of a signal at danger).
- Drive on sight.
- Onboard failure.
- Lineside failure.

Figure 4. In-cab devices. [Labels shown: data input panel, maximum speed, deceleration / length, train category, display panel, main display, photocell, auxiliary display, overspeed, emergency braking, signal repetition, validation, shunting movement, failure indicator, test, stop signal overrun.]


5. The lineside equipment

Figure 5. Beacon.

The beacons lying in the middle of the track send track data such as:
- Aspects of signals ahead (distance to go).
- Kind of approach speed if the next signal is at danger (15 km/h or 40 km/h, depending on the safe distance left beyond the signal).
- Beginning of speed reduction.
- End of speed reduction.

This short description shows that, although the KVB system is split into two sub-systems, its overall safety efficiency depends on the efficiency of both sub-systems. For this reason, RFF, in charge of financing the lineside equipment, is involved in measuring and analysing the KVB efficiency, including the onboard sub-system, in comparison with the initial requirements.

6. Expected efficiency

Before launching such a heavy investment as the KVB system, a study had to be made to determine its efficiency in terms of safety. Of course, 100% efficiency could be obtained by fitting every engine and every signal or restricted speed zone, but the cost of implementing the KVB system all over the network and on every engine was out of reach. Because most of the engines working on the French network are not dedicated to a specific line, it was not possible to define specific areas to fit with the KVB system. The need to spread the KVB system nationwide led to modelling its efficiency according to the balance between fitting engines and fitting signals. The model was built on the analysis of near misses during the 3 previous years.


It shows the number of near misses avoided, Z, as a function of the number of fitted signals, C, and the number of fitted engines, E:

$Z = K \cdot C^{a} \cdot E^{b}$

with $a = 0.453492$, $b = 0.451112$, $K = 0.02645$.

Further calculations show that the investment is optimised when:

$C/E = (C_e/C_c) \cdot (a/b)$

($C_c$ is the unit cost for fitting a signal; $C_e$ is the unit cost for fitting an engine).

This model led to the KVB strategy which the SNCF set out in 1989:
- An equal investment between onboard and fixed equipment could maximise the efficiency.
- The investment in the KVB system had a constant cost/benefit rate up to a total investment of 700 MEuros. Any KVB extension had a lower rate.

These measures were estimated to reduce the total risk from signals being passed at danger by about 80%. Based on these conclusions, the decision was taken to move firmly into the implementation phase:
- Fitting of about 4700 engines.
- Fitting of about 16000 signals, on electrified mainlines.
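
The optimum ratio C/E quoted above follows from maximising Z under a fixed budget. The derivation below is added here and is not reproduced in the paper; the linear budget constraint, the budget symbol $B$ and the multiplier $\mu$ are assumptions of this example, with Cc and Ce the unit costs defined in the text.

$$
\begin{aligned}
&\max_{C,E}\; Z = K\,C^{a}E^{b} \quad\text{subject to}\quad C_c\,C + C_e\,E = B \\
&\mathcal{L} = K\,C^{a}E^{b} - \mu\,(C_c\,C + C_e\,E - B) \\
&\frac{\partial\mathcal{L}}{\partial C} = \frac{a\,Z}{C} - \mu\,C_c = 0, \qquad
 \frac{\partial\mathcal{L}}{\partial E} = \frac{b\,Z}{E} - \mu\,C_e = 0 \\
&\Rightarrow\; \frac{a}{b}\cdot\frac{E}{C} = \frac{C_c}{C_e}
 \;\Rightarrow\; \frac{C}{E} = \frac{C_e}{C_c}\cdot\frac{a}{b} \\
&\frac{C_c\,C}{C_e\,E} = \frac{a}{b} = \frac{0.453492}{0.451112} \approx 1.005
\end{aligned}
$$

The last line is the ratio of the amount spent on signals to the amount spent on engines at the optimum: with $a \approx b$ it is close to 1, which is the equal split between fixed and onboard equipment stated in the strategy.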

Figure 6. Expected KVB efficiency. [Axes: proportion of near misses avoided, number of fitted signals, number of fitted engines.]

This phase started in 1990.

7. The present situation

Nearly 10 years after the launching of the KVB system, the implementation phase is still in progress:
- 13000 signals are fitted, on 14000 km of railway lines, the ones with the heaviest traffic, for a total investment of 400 MEuros.
- 4700 locomotives are fitted (100% of what was foreseen), for a total investment of 300 MEuros.
- 3000 signals are still to be fitted, for an extra cost of 100 MEuros.

8. The feedback experience

With a further investment of about 100 MEuros at stake, RFF has good reason to examine the feedback experience, 10 years after the launching decision. The feedback experience looks at the critical events, which are:
- The number of train overspeed events (derailment risk).
- The number of near misses (a train having passed a signal at danger and gone beyond the point, known as the protected point, where a major accident could occur: head-on or lateral collision between trains).

Figure 7. Protected point. [Labels shown: main signal, protected point.]

Figure 8. Feedback experience results. [Evolution of near misses by year, 1990 to 1998.]


The number of train overspeed events has consequently decreased during the observation period. The number of near misses has decreased too, although the following parameters have not changed significantly: rolling stock, traffic, population of drivers, and the composition of the network. But, as the figure shows, the efficiency of the system is not as great as anticipated, in particular for the number of near misses. Among the different reasons for this (slow pace of investment, insufficient reliability or availability, environmental factors...), the main reason seems to be the driver's behaviour, when analysing the causes of near misses and noting that the SNCF changed, in 1996, the driving rules after passing a warning signal, for two main reasons:
- Securing the approach to a signal at danger, whether fitted with KVB or not.
- Taking into account the performance of the KVB system, which, because of its intermittent character, keeps a speed restriction even if the aspect of the next signal has changed from "danger" to "go".

If nothing is done to understand that, we can fear a stabilisation of the KVB system efficiency. That is why RFF and the train operator, SNCF, now have to focus on the driver's behaviour.

9. The driver's behaviour

Audits and focused analysis of the driver's behaviour have shown slight changes between before and after the implementation of the KVB system. The main results observed are, successively:
- In 1998, the KVB system is fully integrated in the human driving process: each irregular behaviour induces a "prise en charge" (taking charge), which is handled by the hierarchy and is experienced as a frustration. The KVB appears as a constraining device but, in fact, the driving behaviour is not a real habit: the drivers adapt their attitude and compliance depending on where the system is implemented, and they anxiously look for these locations. Respect of the speed is more important than the driving process itself.
- During a journey, each possible or known change of information on the panels is scanned by the driver to verify the coherence between the technical process and the signalling information which is observed.
- This new device increases a certain submission and vigilance among the drivers, with, for some of them, memorisation of the behaviour they must adopt according to location, signalling state and their experience.
- It has been difficult for the drivers really to understand the priorities of KVB implementation; for example, in some places, switches were equipped with KVB beacons for only one of their branches.
- The speed limit below 15 km/h at certain locations could lead the driver to focus obsessively on that kind of information and change his functional knowledge of the system process.
- So, different equipment and codification of the beacons generate different modes of driving behaviour. The drivers memorise a lot of details, which are not necessarily useful for driving.


In his cab, the driver has, among other things, a KVB panel which displays information:
- Generally, the driver must not take the KVB display into account.
- The information given by the KVB in-cab panel can be used in situations unforeseen by the designers and lead to behaviour that is inappropriate with regard to the rules.
- From individual feedback and knowledge, some drivers seek, in their own way, to appropriate the device in order to reduce the constraints by controlling the system.

The set-up and the inputs (parameters):
- No control is exercised by the driver over the different phases of the set-up and inputs: switch on, switch off and auditory information are carried out successively without any human control, but the driver is in charge of setting the train's parameters.
- Some mistakes have been observed on the speed limit and train length as well as on the deceleration parameter.

Progressively, the gap between the behaviour on equipped and unequipped lines decreases. But we must be careful with regard to a specific risk: "not to be caught by the KVB system" can be favoured over respect of the global signalling system and of functional driving behaviour.

Discussion: Different types of information and knowledge processing occur to make the driver proactive. They involve the spreading activation networks in declarative and procedural memory, the symbols in working memory and the production of rules in the control unit. A cognitive model has been developed (Keravel, 1993) to analyse the error production process in decision making. The feedback experience illustrates the main defect of the driver as attention focused on a predicted event, such as not forgetting to stop at the next station or taking care at the next tunnel entrance. Because the model only implements the near misses, the scope of the method is limited to specific classes of failed reliability situations and of user-system interaction situations.
New devices and new technologies are supposed to decrease human errors, but their influence is never systematic. To react to the signalling system and adapt his decision and action process, the driver performs three subtasks which include a control loop (Norman, 1988):
- Situation assessment: the driver monitors and assesses the system's state, either to detect an unforeseen constraint or an uncommanded technical or environmental state, or to verify the end result of a transition, for example a decreased speed in time ...
- Strategic planning: the driver generates strategic action plans, either reactive planning to bring the speed back within the normal state envelope, or a large number of scans when the task corresponds to a problem-solving situation.
- Tactical planning: the driver also generates tactical action plans, made of interactions with the user-system interface, the dispatcher and the track yard, taking information from a display and by phone, and in the implementation of commanded state transitions, such as speed reductions ...

Spreading activation networks, symbols with variable activation levels and production rules are used for storing knowledge and information. Symbols are used to store knowledge or information in working memory. From that process, knowledge of how to manipulate the symbols sets up rules in the control of the human action process. As described before, the impact of information on panels is deeply involved in human information processing.

Figure 9. Cognitive frame in scanning level. [Diagram labels: before the KVB device, track signalling system observed; after KVB, track signalling system AND cab signalling; coherence with cab symbols; coherence with the situation assessment.]

Knowledge distortion and simplification in long-term memory occur in each human action process. One of the distortions and simplifications concerns the combination of factors, creating implicit learning and the recurrent experience of specific pairs of elements picked out from the environment or from recognition. Contextual instantiation is the real background of the driving activity. A well-known defect of human behaviour consists in inadequate attention resources. Progressively, the long-term memory is modified by simplification and loses the real significance of facts (Javaux, 1998). So the driver can exhibit an incomplete mental model, onto which the new devices and new interfaces will be connected.

These observations could be summarised in three steps:
- The system gives information to the driver (in order, out of order, kind of control...). The driver could be tempted to pay more attention to the in-cab KVB panel than to the driving of the train (especially by looking outside the cab).
- The driver becomes too confident, although the KVB system is not a safe device and will never be implemented on the whole network. The driver could be tempted to act according to the alert signals, even if he has not correctly guessed the aspect of a lineside signal.
- The training in "safe approach speed" has changed the driver's reaction in front of a danger signal. The mental image of the driver has changed: he could be more concentrated on applying a "safe approach speed" than on actually stopping the train before the signal at "danger aspect".


In total: the KVB system encourages the respect of safety, with the target "not to get over the protected point", which can be different from "to respect the stop signal"; but could this incentive effect die down over time? A survey of driver behaviour has to be done to prevent this evolution and to limit the decrease in vigilance which could occur because of a diverted use of the information given by the KVB device.

10. What is the matter for RFF?


The history of the KVB system shows that a new investment is not just limited to a new device interface or to dependability targets. Modifying just a sub-system makes no sense if the effort is not seen within the whole functional railway system. In particular, a local search for better safety control could affect the global performance of the railway system. That is what the KVB system did, affecting the capacity of suburban lines because of its poor performance (intermittent ATP). It has been shown that an important change, like the one involving new driving rules, makes it difficult to measure the efficiency of the KVB itself (system and device).

From a general point of view, each choice of investment must be laid down with clear safety targets, focused on a danger and risk management system approach. The efficiency of any device needs to be connected with its own impact upon safety and risk assessment. Costs and benefits have to be taken into account, as well as the performance to be obtained.

To be efficient and really perform a better risk assessment, any device or sub-system has to supply a specific feedback experience, planned from the first step of the project.

To be efficient and really perform a better risk assessment, any device or sub-system has to refer to the usual operators' practices and their foreseeable evolutions, knowledge and implicit know-how, and to the real work situation, and not only to the theoretical references.

RFF is concerned with the security level on its network, and therefore with the maximum efficiency of the investment in the KVB system. RFF is very much involved in comparing the efficiency of investment between the ATP system and other devices (hot box detector, broken rail detector, interlockings ...). As the project developer for such a project as the European Railway Transport Management System (ERTMS), RFF intends to enforce the previous guidelines, especially to respect the European interoperability requirements.


11. Conclusion
A technical investment does not by itself improve the safety of the railway system. The KVB example shows that the MMI is as important as the "black box" in managing the railway system. That is why man must be integrated from the initial planning of a system; his actual behaviour could change according to the interface he has to work with. It is important, for such a system, which checks the man's actions, to have, from the start, a clear idea of the MMI: either transparent or giving full assistance. The clearer the choice, the more efficient the system. The need for interoperability and industrial standardisation implies close co-operation between the European network owners and train operators.

References
Cozzi, ., (1993). The implementation of the KVB (ATP) system on the SNCF network, Angers, France.
Javaux, D., (1998). Explaining Sarter and Woods' classical results. The cognitive complexity of pilot-autopilot interaction on the Boeing 737. Proceedings of HESSD, Seattle, USA.
Keravel, F., (1993). Feedback analysis on human error for a better management of risk. International Railway Safety Seminar Proceedings, Angers, France.
Norman, D.A., (1988). The Psychology of Everyday Things. Basic Books.


Safety effects of automatic traffic control and lineblock


Johan Bäckman (1)
Royal Institute of Technology, Div. of Traffic and Transport Planning, 10044 Stockholm, Sweden

1. Introduction

This article deals with the possibility of using databases to find the effects of automatic signal systems for the railway. Lineblock is a system that controls the traffic so that only one train at a time can occupy a given part of a line. Automatic Train Control (ATC) is a system that intervenes when the driver makes errors and, for example, passes a signal at danger or is speeding. Lineblock has been installed since 1950 and the installation of ATC started in 1980. In this report a comparison is made between the number of accidents on lines with the mentioned signal systems and lines where the traffic is controlled through traditional manual train clearance.

The article is the result of an evaluation of a new traffic control system for county lines called Radioblock. This system replaces traditional lineblock and has been evaluated within the research project "Railway safety rules in an economic perspective" at the Royal Institute of Technology, Stockholm (Johansson, 1998).

The Swedish State Railways were, until 1989, responsible for handling the statistics on accidents and incidents. In 1989 this responsibility was taken over by the Swedish National Rail Administration and the Swedish Railway Inspectorate. This means that statistics have been available for a long time, and an overview of the accident statistics has been made by the Railway Inspectorate (Lundström & Sngberg, 1996). This report treats the possibility of using the available computerised databases to make analyses.

In the article, the concept "Automatic Traffic Control Systems" (ATCS) is used to denote automatic lineblock and ATC together. TAM is the Swedish concept for manual train dispatching, and TAM-events are events that occur on lines with manual train dispatching. ATCS-events are events on lines with automatic lineblock and ATC.

This article is basically a summary of the work with the databases and the procedures to correlate the information in the different databases used. It contains a short review of the work, a presentation of the results and an analysis of the data. The article is based on a separate working report that also contains three appendices that demonstrate the work with the databases in detail (Johansson, 1998). This working report is, however, written in Swedish. The databases were built and the data extracted with the software Microsoft Access.

(1) Johan Bäckman has a Licentiate exam and is a Ph.D. student at the Royal Institute of Technology, Div. of Traffic and Transport Planning. Before August 1997 his family name was Johansson.


2. Correlating the databases

The database JAS of the Swedish Railway Inspectorate has been used (Swedish Railway Inspectorate, 1989-). The database contained data on 2408 incidents and accidents from 1989 onwards. To relate the information to some measure of exposure, the kilometre production on the different lines was used. This information was collected from the Swedish State Railways database TRACK which, at the time of the project, contained data on the traffic production from 1991 to November 1997 (Swedish State Railways, 1997).

The Railway Inspectorate has used a system of its own for classifying and labelling the lines and the different parts of the tracks. This system did not correspond to the system used by the National Rail Administration or the Swedish State Railways. It was therefore necessary to assign some common denominator for the location of the accidents on the different lines or parts of lines. The system used by the National Rail Administration and the Swedish State Railways was chosen. This system uses numbers to label every part of the railway system. In 1997 the railway system consisted of 217 different parts. A specific track number had to be added to every accident record in the JAS database. This could partly be done automatically and partly had to be done manually.

A second problem was that the Swedish State Railways changed the labelling system between 1994 and 1995. The work started with seven files with information on the production of train kilometres and traincar kilometres per year on every track part, one file for each year from 1991 to 1997. The file for 1997 contained information for 217 track sections. The file for 1991 had only 162 track sections, and only 89 of the track sections were labelled in exactly the same way for the whole period 1991-1997. The reason was that between 1994 and 1995 several track sections were divided into two or more track sections with new numbers. Furthermore, some track sections had simply changed label and some new tracks had been built. This caused more problems and work than was first expected.

In order not to lose detail, it was decided to use the current labelling system, that is, the one in the file for 1997. This meant that the information in, for example, the 1991 file had to be handled in some way. Let us, as an example, take a line from 1991 that in the 1997 system is labelled as two separate sections with different track section numbers. The train kilometre figure for 1991 can then only be compared with the sum of the train kilometre figures of the two track sections in the 1997 system. This becomes a problem if the signal system is different on the two sections, which was the reason for using the 1997 labelling system. The 1991 line was then divided into two sections according to the 1997 system. The train kilometre figures for the two sections were calculated from the figure for the whole line: based on the assumption that the traffic was homogeneous along the line, the figure was divided according to the length of the two track sections. The work resulted in a list with information on the production of train kilometres and traincar kilometres on 191 track sections for the years 1991-1997.


The possible errors produced by this procedure are diminished in the following analysis, when the information for the track sections with the same traffic control system (manual or automatic) is added together. The figures that were split are then put together again if the traffic control system is the same on the new track parts. Should this not be the case, the result would in any case be closer to the real values than with any other procedure.

The third problem that had to be addressed was that the signal systems are different on different track sections and that there have been investments in signal technology during the analysed period. The situation today is different from the situation in 1991. Selecting all the accidents on a specific track section that has ATCS today will not give a correct result if the signal system was installed during the period. Accidents that occurred before the system was installed will wrongly be labelled as accidents on tracks with ATCS. Therefore a list of the dates when ATCS was installed and taken into use had to be set up. The information on the signal systems before the year 1991 was found in a book on infrastructure data from the Swedish Railway Club (Aghult et al., 1992). The information on the changes of the systems after 1991 has been published in the Swedish journal "TÅG" (Olson, 1998). The list has been checked by Bengt Hultin, Anders Lundström and Christer Södergren at the Swedish Railway Inspectorate. Having set up the list with the in-service dates of the signal systems on the track sections, it was possible to get all the accidents right and avoid classifying accidents as ATCS accidents when the signal system came into service after the accident happened.

3. Searching out data

We then had three different databases: the accident database JAS, where all the accidents were now located according to the system of track numbers used by the National Rail Administration; TRACK, which contained information on the traffic production on the different tracks; and the database with historical information, which contained the in-service dates of the different types of signal system. It was then possible to search out all the accidents that had occurred on parts with and parts without automatic signal systems respectively, and to sum up the traffic production on these parts. This gave a list of accidents of which many had no relevance to the existence of a signal system. Therefore the search was qualified, and the accidents labelled according to the list below were excluded.

Excluded types of accidents:
- Level crossing accidents
- Trespassing accidents
- Technical faults
- Unallowed movements
- Narrow escape to accidents
- Other accidents
- Discharge
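
The correlation steps of Sections 2 and 3, as an added example that is not the Microsoft Access queries used in the project. The section numbers, dates, lengths, train-kilometre figures and accident records are constructed, all function names are hypothetical, and counting a year's production as ATCS when the system was in service on 1 January of that year is an assumption of this example.

```python
from collections import defaultdict
from datetime import date

# Accident types the paper excludes as unrelated to the signal system.
EXCLUDED_TYPES = {
    "Level crossing accidents", "Trespassing accidents", "Technical faults",
    "Unallowed movements", "Narrow escape to accidents", "Other accidents",
    "Discharge",
}


def split_production(train_km, section_lengths_km):
    """Apportion an old line's train-km to its 1997 sections by length
    (the paper's assumption of homogeneous traffic along the line)."""
    total_length = sum(section_lengths_km.values())
    return {section: train_km * length / total_length
            for section, length in section_lengths_km.items()}


def system_on(section, day, in_service):
    """'ATCS' only if the automatic system was already in service on that day."""
    start = in_service.get(section)
    return "ATCS" if start is not None and start <= day else "TAM"


def count_events(accidents, in_service):
    """Count relevant accidents per control system, using the date of each accident."""
    counts = defaultdict(int)
    for section, day, kind in accidents:
        if kind in EXCLUDED_TYPES:
            continue
        counts[system_on(section, day, in_service)] += 1
    return dict(counts)


def exposure(production, in_service):
    """Sum train-km per control system; production maps (section, year) to train-km.
    Assumption of this example: the system in service on 1 January decides the year."""
    totals = defaultdict(float)
    for (section, year), train_km in production.items():
        totals[system_on(section, date(year, 1, 1), in_service)] += train_km
    return dict(totals)


def rates_per_million(counts, totals):
    """Accidents per million train kilometres for each control system."""
    return {system: counts.get(system, 0) / (km / 1e6) for system, km in totals.items()}


# Constructed data. Sections 101 and 102 were one line in the 1991 file.
IN_SERVICE = {101: date(1985, 5, 1), 102: date(1993, 9, 1), 103: None}
PRODUCTION = {(103, 1991): 200_000.0, (101, 1995): 400_000.0,
              (102, 1995): 800_000.0, (103, 1995): 250_000.0}
for _section, _km in split_production(1_000_000.0, {101: 30.0, 102: 70.0}).items():
    PRODUCTION[(_section, 1991)] = _km

ACCIDENTS = [
    (102, date(1991, 3, 2), "Collision"),                 # before ATCS on 102: TAM
    (102, date(1993, 8, 31), "Derailment"),               # day before in-service date: TAM
    (102, date(1995, 7, 9), "Collision"),                 # after in-service date: ATCS
    (101, date(1991, 11, 20), "Derailment"),              # ATCS
    (103, date(1995, 1, 15), "Collision"),                # never fitted: TAM
    (103, date(1991, 6, 6), "Level crossing accidents"),  # excluded type
]


def demo():
    counts = count_events(ACCIDENTS, IN_SERVICE)
    totals = exposure(PRODUCTION, IN_SERVICE)
    return counts, totals, rates_per_million(counts, totals)


if __name__ == "__main__":
    print(demo())
```

Selecting accidents by the section's present-day system instead of by date would move the two early accidents on section 102 into the ATCS group, which is the misclassification the in-service list was set up to prevent.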


Accidents on double track lines were also excluded, mainly for reasons of comparability. The difference in traffic production between the double track lines and small county lines makes comparisons misleading.

4. The results

Through the selection made, the number of events was found to be 192 on lines with ATCS and 57 on lines with manual train dispatching. A review of these events had to be made. Irrelevant events, for example derailments due to track faults, could be sorted out. All events where the cause could be classified as "not dependent on the signal system or the traffic" were sorted out. That left us with 73 ATCS events and 24 TAM events. These events are described in detail in the appendices of the working report. The table below summarises the results in terms of the distribution of different types of accidents and the number of fatalities and injured for each accident type.

Table 1: Accidents on lines with and without automatic signal systems respectively. Source: JAS (Swedish Railway Inspectorate, 1989-).

Manual ATCS Manual ATCS Collisions 33 9 Dead Seriously Injured Dead Seriously Injured injured injured 2 4 with ordinary traffic 1 17 1 16 pure work accidents 5 5 1 1 12 at shunting 2 Derailments due to traffic 16 with ordinary traffic 2 6 pure work accidents at shunting 10 Total number of traffic incidents Derailments, cause unknown Total number of incidents 49 24 73 11 13 24 1 3 17 1 1

But even these figures have to be qualified. 24 of the 73 accidents on the lines with signal systems are derailments. The causes of these accidents are not given in the descriptions in the database. It is, though, most likely that they happened due to faults on the tracks or the rolling stock. This is certainly the case with the lightly trafficked cargo lines in the northern part of Sweden. It is of course possible that some accidents might have occurred due to too high speed or other erratic behaviour of the driver or the dispatchers. Such rare accidents are, though, normally investigated more thoroughly. It is therefore unlikely that the mentioned derailments occurred as a result of the traffic control system or of errors in the function of these systems. These events were therefore also sorted out before the analysis was made. Furthermore, out of the 49 ATCS accidents, 12 collisions and 10 derailments happened at shunting on stations with signal systems comparable to ATCS. For 9 of these, the cause had no relation to the signal system or the traffic control system. These events were therefore also sorted out. The situation is not the same on the TAM lines, and the same qualifications do not have to be made, except for the derailments with cause unknown, which are excluded from the analysis.


This leaves us with 40 accidents on lines with ATCS and 11 on lines with TAM. These accidents have occurred as a result of the traffic control system or the traffic itself. The accidents on the TAM lines are accidents that could have been prevented by the installation of ATCS. The accidents on the ATCS lines, on the other hand, occurred in spite of the existence of a signal system. Relating the information to the production on the lines shows that, on lines with signal systems, there are about 0.21 accidents per million train kilometres. The same figure for lines without signal systems is 0.44. Is it then possible to say anything certain about this observed difference? Let us make a simple statistical test to see if there is a significant difference between lines with and without automatic signal systems.

5. Statistical analysis

We can view the occurrence of accidents as a Poisson distributed random variable. Poisson distributions are used to describe random variables that count the number of occurrences in a specified interval of time. The kilometre production is a continuous variable like time, and we can view the production on the selected parts as a specified interval of a continuous variable. The conditions for a Poisson distribution are fulfilled. Most importantly, the probability that two accidents will occur at the same time in a given very small interval is close to zero, and the accidents are independent, meaning that the probability of an accident in a given interval is not changed if an accident happens in another, earlier interval. Furthermore, the probability of an event is proportional to the length of the interval and independent of where the interval starts.

The material is then defined as two samples from different populations. We will make a comparison between the samples to test the difference between the intensities or proportions of the variable. The sample sizes are the number of train kilometres, and the number of accidents is the observed variable.

$$M \in Po(25 \cdot p_m), \qquad S \in Po(189 \cdot p_s)$$

$$\mu_m = 25 \cdot p_m, \qquad \mu_s = 189 \cdot p_s$$

$n_m = 25$: the length in million train kilometres on tracks without automatic signal systems;
$x_m = 11$: the number of observed accidents on tracks without automatic signal systems;
$n_s = 189$: the length in million train kilometres on tracks with automatic signal systems;
$x_s = 40$: the number of observed accidents on tracks with automatic signal systems.

$$\hat{p}_m = \frac{x_m}{n_m} = \frac{11}{25} = 0.44, \qquad \hat{p}_s = \frac{x_s}{n_s} = \frac{40}{189} = 0.21$$

$$\hat{D} = \hat{p}_m - \hat{p}_s = 0.44 - 0.21 = 0.23$$

$$\sigma_D = \sqrt{\frac{\hat{p}_m}{n_m} + \frac{\hat{p}_s}{n_s}} = \sqrt{\frac{0.44}{25} + \frac{0.21}{189}} = 0.137$$

Let us test the following hypotheses:

$$H_0: p_m - p_s = 0$$
$$H_1: p_m - p_s > 0$$

with the risk level $\alpha = 5\%$. The number of accidents in both cases is sufficiently big to approximate the Poisson distribution by a normal distribution. The test statistic will then be approximately normally distributed with mean 0 and variance 1. The test statistic is given by the formula:

$$T = \frac{\hat{D} - D}{\sigma_D}$$

The decision rule is given by: $\alpha = 5\% \Rightarrow$ reject $H_0$ when $T > \lambda_{0.05} = 1.6449$.

$$T = \frac{0.23 - 0}{0.137} = 1.68 > \lambda_{0.05} = 1.6449$$

$H_0$ is rejected at the 5% risk level. This means, in other words, that we can demonstrate at a 95% confidence level that lines without automatic signal systems have a higher frequency of accidents than lines with automatic signal systems. It is, though, not possible to make any certain statements on the magnitude of the difference, as the material is far too limited for that.
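The comparison of the two accident rates can be cross-checked numerically. The following is an added example, not part of the original paper: it recomputes the paper's normal-approximation statistic from the unrounded rates and, going beyond the paper, adds a pooled-variance variant and an exact conditional binomial test. The function names are this example's own.

```python
"""Added example: one-sided comparison of two Poisson accident rates."""
from math import comb, erfc, sqrt

# Figures quoted in the paper: accident counts and exposure in million train-km.
X_MANUAL, N_MANUAL = 11, 25.0    # lines without automatic signal systems (TAM)
X_SIGNAL, N_SIGNAL = 40, 189.0   # lines with automatic signal systems (ATCS)
Z_CRIT_5PCT = 1.6449             # one-sided 5 % critical value used in the paper


def upper_tail(z):
    """P(Z > z) for a standard normal variable."""
    return 0.5 * erfc(z / sqrt(2.0))


def unpooled_test(x1, n1, x2, n2):
    """The paper's statistic: each rate's variance estimated separately."""
    r1, r2 = x1 / n1, x2 / n2
    se = sqrt(r1 / n1 + r2 / n2)   # Var(X/n) = rate/n for a Poisson count X
    z = (r1 - r2) / se
    return z, upper_tail(z)


def pooled_test(x1, n1, x2, n2):
    """Variant (this example's assumption): variance from the common rate implied by H0."""
    common = (x1 + x2) / (n1 + n2)
    se = sqrt(common * (1.0 / n1 + 1.0 / n2))
    z = (x1 / n1 - x2 / n2) / se
    return z, upper_tail(z)


def exact_conditional_p(x1, n1, x2, n2):
    """Exact one-sided p-value, with no normal approximation.

    Under H0, given the total x1 + x2, the first count is binomial with
    success probability n1 / (n1 + n2), i.e. its share of the exposure.
    """
    total = x1 + x2
    share = n1 / (n1 + n2)
    return sum(comb(total, k) * share**k * (1.0 - share)**(total - k)
               for k in range(x1, total + 1))


def compare_rates(x1=X_MANUAL, n1=N_MANUAL, x2=X_SIGNAL, n2=N_SIGNAL):
    """Run all three tests and return the results as a dict."""
    z_u, p_u = unpooled_test(x1, n1, x2, n2)
    z_p, p_p = pooled_test(x1, n1, x2, n2)
    return {
        "rate_manual": x1 / n1,
        "rate_signal": x2 / n2,
        "z_unpooled": z_u, "p_unpooled": p_u,
        "z_pooled": z_p, "p_pooled": p_p,
        "p_exact": exact_conditional_p(x1, n1, x2, n2),
        "reject_h0_unpooled": z_u > Z_CRIT_5PCT,
    }


if __name__ == "__main__":
    for name, value in compare_rates().items():
        print(f"{name:20s} {value}")
```

With unrounded rates the paper's statistic comes out at about 1.67 rather than 1.68, which is still above 1.6449; the exact test, which does not rely on the normal approximation, also rejects at the 5% level.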

6. Discussion

No remarks have so far been made on the number of injuries in the material. It is of course also impossible to make any certain statements on that. It is, though, worth noticing that the high number of injuries on lines with ATCS is due to one major accident in Älvsjö south of Stockholm in April 1994, when 13 persons were injured. Major accidents will happen, and that we have not seen one on the lines without signal systems might be explained by the relatively low traffic production on these lines. It is also possible that the difference in occupancy on the trains can explain this difference in number of injured. The most loaded train on the common county lines normally carries at most about 50-60 people at the same time. This is certainly not the case in the Stockholm area. If all conditions were equal, it is possible that a similar accident could have occurred on lines without ATCS. Whether this is true or not can only be decided by a broader study on the subject.

This project has enabled further studies on the effects of different signal systems. It is fully possible to add information to the databases. It would for example be possible to add accident statistics for the years 1980 to 1989 and figures for the traffic production for these years. This would enable calculations on the magnitude of the difference in accident risk on lines with different signal systems. Further, it is possible to use the databases to extract data on, for example, differences in risk between single track and double track lines. It would also be possible to make an analysis of the safety effect of ATC, not including Lineblock as in this study.

7. Acknowledgements

The author would like to thank Anders Lundström, Bengt Hultin and Christer Södergren at the National Railway Inspectorate, who have given a lot of help in retrieving data and reviewing the accidents selected in the study. Thanks to Paul Larsson at the Swedish National Rail Administration, who has assisted with information from the database TRACK. Finally, many thanks to Karin Krstrm at Rail Administration, computer support section, who has sent information and data in all possible and impossible formats.


References

Aghult, K., Lind, L.O., et al., (1992). Järnvägsdata (Railway data). Stockholm, Svenska järnvägsklubben (Swedish Railway Club).

Johansson, J., (1998). Om säkerhetseffekten av ATC och linjeblockering (On the safety effects of ATC and Automatic line block). Stockholm, Infrastructure and Planning, Division of Traffic and Transport planning.

Johansson, J., (1998). Radioblock - An economic evaluation of a traffic control system for county lines. Stockholm, Dep. of Infrastructure and Planning.

Lundström, A. & Sngberg E., (1996). Statistik över olyckor och tillbud i spårtrafik. Borlänge, Järnvägsinspektionen.

Olson, D., (1998). Förändringar i infrastrukturen (Changes in the infrastructure). TÅG (Train).

Swedish Railway Inspectorate, T., (1989 -). JAS (The Railway Inspectorate Accident Database). Borlänge.

Swedish State Railways, T., (1997). TRACK (Traffic information database). Stockholm.


Cross-border railway operations: a human factors analysis


Martin Anderson Human Reliability Associates Ltd 1 School House, Higher Lane, Dalton, Wigan, Lancashire, WN8 7RP, UK

Abstract This paper describes aspects of a research project entitled "Managing the Human Factor in Multicultural and Multilingual Rail Environments". This project is part of the EC DG VII Rail Transport Research Programme: "Task Force Trams and Railway Systems of the Future". The overall aim of this research is to establish a common method for evaluating and improving human management in order to increase safety and reliability for European cross-border railway lines. The project will produce essential guidance to rail operators for designing a wide range of rules and procedures to ensure safe cross-border operation.

1. Introduction

The greater integration of the European rail transport systems means that freight and passenger trains will increasingly have to operate extensively across the borders of countries with widely different technological systems, rules and procedures, in addition to language and cultural characteristics. The existence of these differing systems of rules, procedures and systems can have profound implications for cross-border operations, particularly from the point of view of the human aspects of the management of safety and risk. There is considerable evidence from major accidents in the transport sector and other industries to show that the major sources of risk lie in human error rather than in the failure of hardware systems. Human related issues thus need to be addressed as cross-border rail operations are expanded throughout Europe.

Currently there are wide variations in rules, procedures and operating practices for railways across Europe due to different languages, safety philosophy and different technical developments in the single countries. As a consequence, safety risks arise for border-crossing trains. Although international and European railway agreements exist, up to now there are only a few rules and regulations concerning border-crossing trains. The existing agreements mainly regulate technical standardisation (for example, gauge of track, technical details of rolling stock) or administrative items (for example, tariffs, liability, conditions of transportation).

Generally, rules to manage human behaviour in railways have mostly been based on experience. This has led to the situation that traditions have evolved, rather than scientifically developed procedures. In addition, devices for use by operators have not been systematically designed according to ergonomic principles, but predominantly with respect to technical requirements of the equipment.


There is also a lack of standardisation in reliability analysis, risk evaluation criteria, safety analysis and methods for managing the introduction of new technology (for example, automation in the field of train protection systems). This situation strongly demands improvement, especially if one takes into consideration the increasing number of border-crossing trains as a result of the market between the countries of the European Union and the development and planned introduction of ERTMS (European Rail Traffic Management System).

The overall aims of this research project are thus to identify the high risk tasks of cross-border operation, to determine the requirements for rules and procedures to minimise human error and to develop a set of analytical tools which can be applied by individual rail operators to improve safety. This project will identify and assess the risks involved in cross-border railway operations and deliver guidelines for European standardisation organisations, railway authorities, political and other institutions, for the development of European standards and rules and regulations concerning the safety aspects of the human management of cross-border railway operations.

1.1 The Partners

The consortium of Partners working in this project comes from a number of European countries and brings together extensive expertise in the analysis of human factors. The Partners from SNCF and Halcrow Transmark are closely connected to rail operators; the remaining partners come from specialist organisations with experience in systems safety and human reliability.

TÜV EURORAIL, Germany is the project co-ordinator; this is an accredited organisation with extensive experience in the safety of rail operations and new systems such as Transrapid.

DNV, Norway brings expertise in the field of systems safety and human factors, together with knowledge of rail operation and signalling systems in Scandinavian countries.

ERRI, Netherlands has extensive in-house expertise and invaluable connections to European rail operators.

Human Reliability Associates, UK have extensive experience in the field of human reliability in a wide range of technological areas. They have contributed to the Clapham Junction enquiry, analysed Signal Passed At Danger incidents and carried out various studies for UK Rail Operators.

Halcrow-Transmark, UK has its roots in the British Railways Board. Following privatisation, consultation work in rail operation has been continued by former members of the BRB Safety Directorate and this expertise will be brought to the project.

SNCF, France - the human factors department of SNCF will bring invaluable experience and knowledge of French national rail and Eurostar operation.

TAT TÜV Rheinland, Germany has lengthy and extensive experience of safety in technological systems. TAT will contribute human factors expertise and research experience in the area of human behaviour in complex tasks.


2. Cross-border rail operations: human factor concerns

The basic function of a rail control system is the transportation of passengers and goods from the initial location to the final location on a traffic line. Critical failures of this "system" (leading to train collision, train impact or train derailment) may cause significant injuries to humans, in addition to extensive damage to property and equipment. In order to examine the human factors aspects of such incidents, it is necessary to identify and assess the factors particular to railway operations that have an effect on human performance.

Several characteristics of train operation are considered significant from a human factors perspective. These factors include (but are not limited to):
1. Time stress (such as meeting timetable/operational requirements, often a significant measure of performance in the railway industry).
2. The fact that limited information may be available (for example, lineside signals).
3. This information may only be available for a limited time (particularly with increasing speeds), with no way of returning to the information for clarification (again, lineside signals).
4. Automation of control systems and the effects upon human performance (for example, boredom, fatigue or ability to intervene in the event of system failure or unexpected circumstances).
5. Communications between train drivers, signallers and other personnel.

Several features of the European railway industry have led to an increased requirement to consider human factors concerns. An increased awareness of human factors concerns may be attributed to four primary factors:
1. there is an increasing emphasis on safety and occupational health generally;
2. an increased use of new technologies such as computerised signalling and control systems and the new human interface/performance issues raised as a result;
3. increased commercial pressures leading to driver-only operation, higher operating speeds, increased passenger densities, minimum station dwell times and reduced maintenance downtimes;
4. a need to improve design standards in line with changing passenger expectations and in order to compete with other modes of transport (or possibly other rail operating companies). For example, services such as the French TGV and the German ICE trains now compete effectively with air services.

Cross-border rail operation generates new human factors problems and exacerbates several factors associated with traditional railway operations. As trains pass through national and infrastructure borders, the different technological systems, rules, procedures and cultural characteristics all have profound implications for safe operation. These differences become particularly significant in degraded operations and emergencies, where a high level of co-operation and co-ordination is essential. In addition, it is noted that the majority of cross-border operations involve high-speed lines, further complicating inter-operability issues. For example, the increased line speeds reduce the time that signs and signals are available, in addition to reducing the time available to react in the event of a degraded situation.


The operation of trains across international borders is associated with a range of human factors issues. Significant variables in cross-border operation can be listed under the following headings:
1. Language, communications, culture and social conditions.
2. Training, selection and assessment systems / standards.
3. Infrastructure technology and systems.
4. Rules and procedures.
5. Geographical differences.
6. Topographical differences.

Discussions within the project team concluded that the following three issues are the most significant:
1. Rules and procedures, specifically rule clashes, procedural violations and lack of knowledge.
2. Language and communications, specifically the failure of communications.
3. Infrastructure and environment, in particular the scope for misreading signals etc. in an unfamiliar infrastructure.

3. Methodology

A methodology has been developed within this project in order to identify and analyse the human factors aspects of cross-border railway operations. This methodology consists of several phases, as described below.

3.1 Function inventories

Firstly, generic function inventories were produced to use as a basis for further analysis and methodology development. These function inventories are similar to task analysis - they are structured lists of the functions and main tasks carried out by onboard train staff, platform staff and signallers. Inventories have been produced for a wide variety of situations and scenarios and have focussed on both train operation and signalling tasks. These inventories provide the project team with a common understanding of the tasks that are performed in cross-border operations and will provide the basis for the subsequent human factors analysis.

Inventories have been developed for three categories of operations:
1. Normal operations (for example, "depart station", "take passengers on board").
2. Degraded operations (for example, "hot box detected", "loss of traction power").
3. Incidents and emergencies (for example, "train on fire", "derailment").

These generic function inventories have subsequently been validated by comparing them with inventories for specific cross-border routes such as the Thalys operation between Cologne and Paris and the Eurostar route (England-France-Belgium).


3.2 Test Scenarios

This phase of the project was concerned with generating test scenarios that involve human interfaces relevant to cross-border operations. These were selected with regard to safety critical tasks and to expected variance in cross-border operation. These selected scenarios are currently being utilised to structure the collection of data on rules and procedures in the participating countries. These scenarios have a high risk potential, so that the benefits of improvements can be readily demonstrated. The test scenarios are as follows:
1. hot axle box;
2. lack of appropriate speed adjustment;
3. obstacle on level crossing;
4. signal passed at danger (SPAD);
5. detection of errors in track routing;
6. depart station;
7. assisting a failed train as a result of a complete loss of train power;
8. response to incident management.

A detailed specification of the common framework has been produced, including the tasks, man-machine interfaces and communication channels embedded in each of the selected scenarios. Each scenario is described by a narrative, a function inventory (comprising the selected functions of the main tasks within the scenario) and a preliminary discussion of the human factor issues. In addition, a review of important technical information associated with each test scenario is included in the description as an aid to data collection.

The narrative is a brief textual description of the scenario, outlining significant stages in the incident and the sequences of events. This includes the pre-conditions, the initiating events, the safety critical tasks and possible errors. In some cases possible actions for pre-consequence recovery or post-consequence mitigation have been described.

A function inventory for each test scenario has been constructed using the generic function inventories developed in phase one. If a function inventory has been validated for the test scenario in the infrastructure to be analysed, then this will be used as the source to construct the dedicated function inventory for the test scenario.

The human factor issues are specific aspects of the safety critical tasks within the cross-border context. They are instrumental in the generation of the scenario and influence the development of the scenario narrative. The test scenarios have been fine-tuned to create realistic situations in which these issues can be addressed. Further human factor issues will be elucidated during the subsequent data collection and analysis work. For example, scenario 1 is described as follows:

Scenario 1: "Response to Hot Axle Box Detection"

The focus in this test scenario will be on fault detection and diagnosis on a "foreign" infrastructure. In this scenario, the automatic system for detecting hot axle boxes is infrastructure-specific and is not fitted to the train.

Narrative

A Eurostar train is in service in France with a UK driver. An infrastructure-based hot axle box detection system detects heat as the train passes and this system sends a signal to a control centre. The signalman in the control centre then alerts the driver of the potential problem and the train is stopped. The driver is informed of the location of the hot axle box and proceeds to confirm the fault in situ by checking the particular axle(s). In this scenario the safety critical task is the correct diagnosis of the hot axle box. There are many opportunities for human error that lead to the train with a fault continuing on its journey as normal. It is possible that the fault may escalate to the extent that the train is derailed and, in a worst case scenario, is in collision with an on-coming train.

Function Inventory

The function inventory for this scenario is comprised of aspects of the function inventory focussed on signalling operations for a passenger train in cross-border operation, along with aspects of an event tree detailing the correct response to hot axle box detection.

Human Factor Issues

The diagnosis and location of the hot axle box will be influenced by the information supplied to the driver. The ergonomics of information displayed to the signaller and the communication between the signaller, driver and other agents on the "foreign" infrastructure need to be evaluated. The exchange of information is complex because specific details, such as the identity and location of the train, the location of the fault and the appropriate procedures, need to be accurately transmitted and understood. Codes may be implemented for this purpose or they may be too inflexible or restrictive to be used in a fault situation.

One particular aspect associated with communication is that the driver should be clear about the area of competence of the infrastructure agent, so that he can be sure the advice or instructions he receives are authoritative. This in turn will be influenced by the driver's model of the organisation of the infrastructure. The allocation of responsibility for critical tasks such as track protection may vary between infrastructures. The selection and use of procedures will also be addressed in the analysis of this test scenario.

Technical issues

Hot axle box detectors are installed at certain locations to detect abnormally high temperatures in axle boxes in order to stop trains before an accident occurs. Behind the detector location, at an appropriate braking distance, a track section should be suitably equipped for visitation of a train that has received a hot axle box indication. This could be a part of the main track, or more likely a "pocket track" at the side of the main track. Important questions with regard to the equipment set-up and the procedures for handling such situations are:
- Will the hot axle box indication result in an automatic stop signal to the train at the first appropriate signal behind the detector, or does the indication go to the control centre where the signalman/train dispatcher has to determine what action to take?
- Will the train driver at the stop location get direct information about which axle and what side of the train has triggered the hot axle box indication, or is such information communicated through the control centre?
- Is the track section where the train is stopped laid out in such a way that the train can be inspected from both sides without requesting traffic on neighbouring tracks to stop?
- To what extent is the train driver qualified to make a judgement of whether the train can proceed, under what conditions, and which persons are available to give him advice on this matter?
- Who makes the final authorisation for the train to proceed and under what conditions?

3.3 Data collection

Following the identification and description of the test scenarios, the next phase of the research is to collect relevant data from a selection of European infrastructures. The objective of this phase of the work is to collect and extract relevant national safety rules, procedures and systems for railway operations on specified main routes in Europe for the test scenarios. This work is currently in progress and two approaches to data collection are being utilised. First of all, data is being collected from documented sources such as rulebooks, procedure handbooks and standards. Secondly, information that may not be accessible from these sources will be obtained through discussion with experts from the rail industry. Data collection proformas have been developed for the purpose of recording information in a structured format. Data extraction is differentiated between tasks, the factors influencing performance of these tasks and competence issues that have a more indirect influence.

3.4 Data Comparison

The rules, procedures and systems are being compared between rail infrastructures in order to identify differences that may affect operation and create safety critical situations. Differences between infrastructures in their approaches to human factor issues will also be identified. This will provide input data for the subsequent qualitative human factor analysis of cross-border operation. Again, proformas have been developed on which identified differences between infrastructures for each function (with respect to tasks, influencing factors and competencies) are summarised.

3.5 Human Factors Analysis

Following completion of the data collection proformas and the identification of differences between infrastructures, the aim of the human factor analysis is to examine those factors that influence human performance in more detail. This stage commenced with a review of the techniques currently available for performing human reliability analyses and developing standards and procedures. The application of these techniques in the rail sector was described, together with examples of their use in other industries such as nuclear power, petrochemicals, and marine safety. This review is intended to be a reference source for the human factors techniques which will be applied during the project.


A further review provided an analysis of the human factors issues that need to be addressed for ensuring safe cross-border rail operations. Selected issues are presented below, subdivided into ten categories.
- Information presentation.
- Man-machine interface.
- Communication systems and feedback.
- Roles and responsibilities - task agents.
- Job design, allocation of function and workload.
- Task characteristics.
- Technical / hardware systems.
- Documentation, job aids and procedures.
- Operational characteristics (e.g. train speed, timetable constraints).
- Personnel, training and competence issues.

Several examples of issues within each category have been generated to stimulate the analyst's thinking about the error potential associated with a particular task or scenario. This review considered issues that are not currently covered comprehensively in rail industry analyses, such as procedural violations, cognitive errors and support for recovering errors. The extent to which there are tools currently available for addressing these areas has been evaluated, and recommendations made for the development of new tools where gaps are identified.

The role of these human factor issues will possibly vary according to whether the scenario under consideration is a normal, degraded or emergency situation. Human factors in degraded and emergency situations warrant special attention, as these scenarios require intensive co-operation and communication. For example, although personnel may have received language training, or routine communications may have been formalised (using code-words etc.), personnel may not have the language capabilities for "unexpected" situations, particularly as these situations occur infrequently. Furthermore, drivers and other personnel may be more prone to the negative effects of stress should an incident occur when they are not in their native infrastructure.

A qualitative human factors analysis is conducted following the identification of differences between the selected infrastructures. Each function or main task where a difference was identified in the data analysis or where a human factors issue was identified is thus assessed further by completion of a human factors analysis proforma. This proforma prompts the analyst to consider the human failures that may occur for each function or main task that has been identified as a cross-border issue. The analyst selects possible failures from an error classification scheme that includes all of the common types of errors that may occur. For example, in the case of a train departing a station, two possible errors may occur:
- "Correct check on wrong object". The driver reads the lineside depart signal for an adjacent line and departs early.
- "Wrong information obtained". The driver misreads a signal aspect and departs early.


The next part of the proforma records the potential consequences that may occur as a result of the human failure(s) described above. For the railway industry, severe undesirable consequences include derailment, collisions and impact with obstacles. For example, for the above errors: "As a result of the driver departing early, the train may be in collision with a correctly departing or arriving train on an adjacent line, with possible damage to train and infrastructure and injuries to passengers".

Following an error, there may be opportunities for recovery from the error before the consequences detailed in the previous column occur. For example: "Traffic control personnel may be able to intervene or alert the driver by radio or in-cab display. Additionally, the driver of another train may apply brakes and sound a warning in order to avoid a collision".

Practical suggestions as to how to prevent the error from occurring are then identified and detailed on the proforma, which may include engineering modifications to the train or infrastructure, changes to rules and procedures, or changes to signal aspects and locations. Guidance documents and a case study have been produced to assist in the completion of the various aspects of this human factors analysis proforma.

4. Conclusions

This paper has described aspects of a current research project aimed at increasing the safety of cross-border railway operations. It has outlined some of the human factors issues that arise as a result of such operations and described a methodology for the identification and analysis of such concerns. Although a human error analysis is resource-intensive, the analysis is reduced by only considering those tasks where cross-border differences have been identified in the initial data collection and analysis exercise. It is considered that this methodology will significantly improve the safety of international rail operations through a structured consideration of the role and influence of human factors on interoperability issues.


Human reliability and railway safety


Terje Andersen
Det Norske Veritas AS
Veritasveien 1
1322 Høvik, Norway

Abstract

Railway operations are safety critical in many respects, and the safety of railway traffic is based upon a blend of safety management, rail traffic rules, technical safety equipment and human reliability. Human factors still play a significant part in many railway accidents. With increasing train speed and traffic density a range of technical safety systems have been introduced in the various railway systems, but the safety of rail traffic is still to a high degree dependent upon reliable human operations. The reliability of the railway staff, and in particular the train drivers, in terms of doing the correct actions is dependent upon a range of circumstances around the various work tasks.

This paper discusses some human factor issues in rail transport, and is based upon the knowledge gained through risk assessment work for rail infrastructure organisations and train operating companies, as well as for the European Commission in the HUSARE project. The latter project is described in more detail in another paper presented at this seminar [1].

The paper will present railway accident statistics from the UK and Norway subdivided by accident cause. Typical safety critical railway operating situations involving the human factor will also be presented, including:

1. Situations involving human factors where a very high human reliability is experienced and proved through a small number or complete lack of accidents, and
2. Situations where the human factors have proved less reliable and been a significant cause of severe railway accidents in a range of countries.

The characteristics of the above situations will briefly be discussed with regard to the human cognitive process.

Human reliability in typical railway operations has also been the subject of studies and research reports from a number of countries, where human reliability figures under various conditions have been presented. The paper will present and discuss the results of some of these papers with a focus on indicating typical human reliability figures under various conditions.


1. Introduction

The railways have traditionally provided one of the safest modes of transport, and have done so since the early days of railways. However, due to the high velocity and long braking distances of trains, railway safety can only be achieved by a combination of:

1. Appropriate technology including dedicated safety systems.
2. Safety management systems.
3. Detailed rules and regulations for rail traffic.
4. Trained and qualified staff.

This paper will mainly focus on the human factor side of accidents, as it is clearly the dominant cause, but will also describe some of the technology introduced to reduce the number of accidents due to human failures. As mentioned above, human failures have traditionally proved to be the dominant cause of railway accidents, as can be shown from different sources.

Definition of human error

Within the context of this paper human errors are defined as errors made by humans in traffic operation, as well as in maintenance of infrastructure and rolling stock, which lead to an immediate dangerous situation or accident. Typical examples are: signal passed at danger (SPAD) incidents, overspeeding, conflicting train route settings, wrong wiring in interlocking etc.

Humans are involved at all stages of construction and maintenance of rail infrastructure and rolling stock. It can be argued that when such safety critical elements of the railway system develop a dangerous fault causing an accident, it must be due to some degree of human error, and not be a mechanical failure or act of nature. Too wide a definition of human error is not very useful when analysing accident causes. The latter type of accidents can, in my opinion, more fruitfully be classified as organisational errors.

2. Existing human factor work within railways

According to information received during the data collection phase of the HUSARE project, surprisingly little human factor competence and few human factor methods are used within the railway sector in the Scandinavian countries. The only area where such competence is used systematically is staff selection for some safety critical positions. Special psychological tests are used in order to select the most suitable persons when recruiting for positions with mainly safety critical work, including train drivers and traffic controllers. Neither in Norway nor in Denmark has such competence been professionally used when developing or assessing new traffic safety rules, regulations and procedures. However, the main aim of the latest revisions of the Norwegian traffic safety rules was to simplify where human factors are involved, and in particular those places involving several persons or positions. In short one can say that the Scandinavian railways have directed their effort more towards recruitment of suitable human minds and competence for the existing traffic safety rules and work environment than towards adapting the work environment and man-machine interface to the human mind.

In Sweden, the project TRAIN (Trafiksäkerhet och INformationsmiljö för togförare) has been launched to look into the information environment for train drivers. On the European scene a position paper has been prepared by a European committee under ISRE on this matter [8].

3. Accident statistics

3.1 UK

Table 1 shows the distribution of causes of railway accidents on four of the principal railway lines in the UK during this century up until 1997, as presented by Stanley Hall [2].
Table 1: Distribution of railway accident causes on 4 British main lines over two time periods.

| Main classification | Subclasses | 1900-97: Number of accidents | 1900-97: Percentage of accidents | 1970-97: Number of accidents | 1970-97: Percentage of accidents |
|---|---|---|---|---|---|
| Driver error | SPAD (no ATC/AWS) | 34 | 24.1 | 5 | 12.8 |
| | SPAD (AWS ineffective) | 6 | 4.3 | 7 | 18.0 |
| | Too fast over junctions | 6 | 4.3 | 2 | 5.1 |
| | Other excessive speed | 11 | 7.8 | 2 | 5.1 |
| | Maloperation of brakes | | | 2 | 5.1 |
| Signalman's error/etc. | Two trains in a section | 16 | 11.3 | 0 | 0.0 |
| Miscellaneous errors by various staff | | 25 | 17.7 | 5 | 12.8 |
| Total; all human error causes | | 98 | 69.5 | 23 | 59 |
| Faulty track | | 15 | 10.6 | 4 | 10.3 |
| Obstruction on track | | 4 | 2.8 | 3 | 7.7 |
| Rolling stock failure | | 17 | 12.1 | 6 | 15.4 |
| Fire on train | | 7 | 5 | 3 | 7.7 |
| Total | | 141 | 100 | 39 | 100 |

The lines chosen are:

- WCML: West Coast Main Line
- ECML: East Coast Main Line
- GWML: Great Western Main Line
- SWML: South Western Main Line

In order to see whether there is a strong shift in the causes of railway accidents, a private classification of the accidents during the period 1970-97 has been made, which is shown in the last two columns. In total approximately 70 % of the accidents were caused by direct human error during the whole period, whereas this percentage drops to 59 when looking at the period 1970-97 only.


Driver error accounts for a total of 57 accidents or approximately 40 % of all the registered accidents during the period 1900-97, while it rose to 46 % of the registered accidents during the period 1970-97. The most noticeable change is that signalman's error has more or less vanished as a cause of railway accidents. This is to be expected, as most lines and tracks are fitted with track circuits and route interlocking which prevent the signaller from setting "proceed" signals to two conflicting train routes. More remarkable to some extent is the fact that the SPAD (Signal Passed at Danger) group of accidents has not been further reduced with the introduction of the AWS system. It still remains the single most important cause of railway accidents in the UK.

3.2 Norway

Jernbaneverket issues an annual leaflet with statistics on railway safety [3]. The publication also includes a historic list of the most severe traffic accidents on Norwegian railways. The list includes 13 severe accidents that have happened after 1970 and have caused human fatalities or multiple injuries. Level crossing accidents are excluded. The accidents are distributed as follows according to category:

- Train crew error: 5
- Signalman error: 1
- Miscellaneous or multiple human error: 2
- Track failure: 3
- Rolling stock failure: 1
- Fire (arson): 1

Out of a total of 13 accidents, 8 are due to human error, which is 61.5 % of all listed accidents. During the period 1970-98 an automatic train protection system, ATC, was installed on the major lines in Norway, and 3 of the accidents could most likely have been avoided if such a system had been in operation on the line where those accidents occurred. Disregarding those three accidents, human error has accounted for 5 out of 10 accidents. However, it is worth mentioning that two of the more disastrous head-on collisions are among those that could have been avoided, and they account for more than 50 % of the fatalities of the listed accidents. The Norwegian figures agree well with the more detailed figures from the UK.

4. Typical human error situations in railway operation

4.1 SPAD (Signal Passed at Danger)

Passing a signal displaying a stop aspect to the train is a very dangerous occurrence with the risk of an immediate conflict with another train. SPAD occurrences have traditionally been relatively frequent incidents. This is to be expected, as a SPAD can be caused by a single failure of a driver who approaches hundreds of signalling points every day. Fortunately, it is only a small fraction of all SPAD occurrences that leads to real accidents, but when they occur they are often of a catastrophic nature. A SPAD can occur for several reasons:

1. Misjudging the effectiveness of the brakes under particular circumstances (leaf fall, snow etc).
2. Overspeeding in relation to braking performance and warning signal distance.
3. Broken driving sequence (i.e. the train stops to exchange passengers between the warning signal and the main signal, and the driver forgets the signalling aspect during the stop due to distraction).
4. Misjudging which signal applies to the train in question (i.e. the train proceeds based upon observation of a signal that was meant for another train).
5. Misunderstanding of the signalling aspect.
6. Signal not seen due to bad visibility.
7. Complete oversight or disregard of a signal.
8. Driver is unconscious or falls asleep.

In order to account for the more common SPAD situations mentioned under 1 and 2, the main signals are normally placed with an overlap (safety distance) in relation to the conflict point to which the signal controls access. The length of the overlap may vary from country to country. In Norway and on several other railways a minimum of 200 m is specified for the main railways.

Over the years various technical systems have been introduced to limit the number of SPAD occurrences and their accident potential, and they have contributed to a reduction in the accident frequency and consequences. Some of these systems are further described in Section 5 of this paper. However, other types of accidents have also become scarcer due to improved rolling stock and line infrastructure. Human failures of various kinds are therefore still the dominant accident cause on railways.

The Annual Report of HM Chief Inspecting Officer of Railways 1996/97 [4] quotes some figures for SPAD incidents on British railways which can be compared to the traffic production during the same year:

- SPAD incidents: 653
- Train traffic production: 528 million trainkm
- SPAD incidents per million trainkm: 1.2

Assuming that a train in Britain passes a signal with the ability to show a stop aspect every 3 kilometres, and that 10 % of those signals actually show a stop aspect, the SPAD frequency per stop signal approach is approximately 1 in 40 000. This is actually a reasonably good standard of performance in human factor terms, but the fact remains that the outcome of such an error can be immeasurably more serious than the original action.

A research study into SPAD incidents has been launched by the Railway Inspectorate with the aim of predicting SPAD probability, considering both the human factor in a generic framework and its application to specific categories of signals [4].


Another source of information about SPAD incidents is a paper by van der Flier and Schoonman [5] presenting a summary of an investigation into SPAD incidents during the years 1983-84 in the Netherlands. Their main findings and some of the implications are briefly described below:

1. A total of 214 SPAD incidents were reported in the Netherlands in the years 1983 and 84, resulting from a total traffic production of 220 million trainkm. The average SPAD frequency is then 1 per million trainkm. This result agrees very well with the British figures quoted above.
2. About 3500 train drivers were engaged by NS over the actual years, resulting in approximately 0.03 SPAD incidents per driver per year. Over an active working lifetime as a train driver of approximately 35 years, a train driver will on average experience approximately 1 SPAD incident during his working life.
3. No significant differences in SPAD frequencies were found between the various months of the year or the days of the week, i.e. the number of SPAD incidents was proportional to the traffic production.
4. A higher frequency of SPAD occurrences, relative to the scheduled duties, was experienced during the night hours 00-06 and the morning hours 08-12 than during the rest of the day.
5. More SPAD incidents seemed to occur during the initial hours of a work shift compared to the late hours of the shift. However, for very early shifts starting between 4 and 6 am, the frequency of SPAD cases seems to increase towards the end of the shift. Together these two observations can explain the overrepresentation of SPADs during the period 08-12.
6. No significant correlation seemed to exist between the train driver's experience or route knowledge and the frequency of SPAD occurrences. However, a significant overrepresentation of SPAD occurrences was noticed for drivers aged 40-45 years compared to younger or older drivers.
7. Local factors, including the actual position of the signal, may have a significant effect on the SPAD frequency. Approximately 30 % of the SPAD events (149) during the period 1980-84 occurred at 7 % of the signals (51).
8. 90 % of the SPAD occurrences took place at stations or marshalling yards, half of these being with arriving trains. Departures proved to produce less than 20 % of the incidents at yards and stations. (However, those incidents may have a higher risk of producing severe consequences.) Slightly more than 20 % of all SPAD mishaps occurred during shunting manoeuvres.
9. Local trains or stop trains (slow trains) have a much higher frequency of SPAD incidents than inter-cities. This can be due to a higher propensity of such trains to receive stop aspects because of their lower track priority. However, it can also be due to broken driving sequence events, i.e. the train has a scheduled stop to pick up passengers between the warning signal and the main signal.

4.2 Excessive speed

Another type of train driver error that has led to numerous accidents is failure to reduce the train speed according to relevant route information for the train. The likelihood of overspeeding and the consequences in that respect depend upon the type of speed restriction and the circumstances around it.


The types of speed restriction requiring driver response, as seen from the train driver's side, are:

- Permanent speed restrictions due to track curves or other permanent infrastructure conditions which are permanently present on that particular track section.
- Temporary or emergency speed restrictions due to track maintenance work or temporary track deficiencies (e.g. stability problems, frost heave or risk of sun curves). The temporary speed restrictions are normally announced in circulars to the drivers ahead of implementation, whereas emergency restrictions can be introduced at short notice.
- Conditional speed restrictions due to train route setting at a station or junction and the signalling aspect displayed in that respect.

Below we briefly discuss the above mentioned speed restrictions and their criticality with regard to accident probability.

4.2.1 Permanent speed restrictions

The frequency of permanent speed restrictions generally depends upon the topography and quality of the line. On some lines, as for most of the Norwegian rail network, they are very frequent. Permanent speed restrictions are normally well known by the drivers due to their route knowledge, and in Norway and most other countries they are signed in advance by boards to allow the driver to comfortably adjust the train speed before entering the actual line section.

The speed signing practice and the dimensioning braking performance may vary from one country to another. European or UIC standards recommend that the warning distance be based upon a retardation of 0.7 m/s² with an appropriate margin for driver reaction time and brake response time. However, the above figures are not uniformly applied for determining braking distances throughout all countries. Under certain extreme weather conditions or during leaf fall periods, the wheel-rail adhesion may be so reduced at particular track sections that a retardation of 0.7 m/s² may not be reached.
It is assumed that the drivers must be aware of such conditions and adjust the speed accordingly.

Maximum train velocity in curves is generally set by passenger comfort or infrastructure maintenance criteria. The margins before overspeeding becomes safety critical are therefore to some extent generous. Special passenger trains with good dynamic performance and/or tilting mechanisms can be allowed increased speed. Such special speed allowances are either signed with additional speed boards or indicated in the driver panel via in-track information systems. For high speed trains, cab signalling information systems combined with ATP systems to protect against overspeeding are mandatory in many countries.

With appropriate driver route knowledge and proper speed signing, safety critical overspeeding in relation to permanent speed restrictions is not very likely. However, the increased braking distance due to overspeeding may be a risk contributing factor with regard to SPAD incidents.

The Dovre line, a typical Norwegian main line, has 120 signed speed reductions between Eidsvoll and Trondheim, a distance of 485 km. This gives an average of one speed restriction per 4 km of line and can be considered a typical average for the Norwegian rail network. The annual traffic performance on Norwegian railways is 37 million trainkm. With one speed restriction per 4 km of train operation this gives approximately 10 million train speed adjustments per year due to permanent speed restrictions on the Norwegian rail network.

Only a small percentage (i.e. 5-10 %) of the speed restrictions are so severe that they could directly lead to an accident if they were not adhered to. This means that there are about 0.5 - 1 million safety critical speed reductions to be made in Norwegian rail traffic every year. Over a period of at least 20 years there have not been any accidents in Norwegian rail traffic due to failure to reduce the speed at safety critical speed reduction spots. This means that the human failure rate for this situation is less than 10⁻⁷ per safety critical speed reduction, which is extremely good.

Applying the brakes and reducing the train speed is quite a simple task on modern trains, and a driver error must be due to an error in the cognitive process of realising that the brakes have to be applied. In the permanent speed reduction situation, the driver receives information about the requirement for a speed reduction through his route knowledge as well as through the wayside boards, and the driver knows this is a fixed situation which does not change from day to day.

4.2.2 Temporary and emergency speed restrictions

Temporary and emergency speed restrictions may be initiated at short notice and may be much more restrictive than permanent speed restrictions. Reductions from general route velocity down to 40 km/h or less are not uncommon. These speed restrictions are announced to the drivers by written notices with their location indicated by chainage information (km location).
A typical practice is to announce planned temporary speed restrictions through a weekly or bi-weekly notice covering a certain route or district. Such notices can contain information about a large number of speed restrictions and can be quite voluminous. By necessity such speed restrictions are less well known to the drivers than permanent speed restrictions.

Temporary and emergency speed restrictions are also signed on the line at sufficient braking distance. In some countries different speed boards are used for temporary reductions compared to the permanent speed boards. ATP devices through ATC balises, AWS magnets or similar systems may also be installed, but such protective devices are not mandatory in all countries or on all lines.

Due to the often strong speed reductions involved, and the reduced driver knowledge of temporary speed restrictions, they are generally more hazardous than permanent speed restrictions, and oversight of temporary speed restrictions may cause direct accidents. A failure initiation event may be that the sign has fallen down or is not visible and/or that the driver has not received the written notice. Several causes are possible.

Derailments at temporary speed restrictions are not uncommon on Norwegian railways. Normally such incidents are due to unacceptable track standard compared to the allowed speed, but some of them might have been caused by excessive speed. No figures for human reliability in such situations are known.

4.2.3 Conditional speed restriction across stations/junctions (turnouts)

The train speed normally has to be significantly reduced when passing turnouts (deviation routes). Different conventions are used in the various European countries to inform about what route has been set across a junction or station, and what the allowable speed is for the various parts of that particular route setting. Most railways use various warning and home signal aspects with one or more colours, in combination with figures or letters and other types of form signals, to indicate the route setting and the allowable speed. Fixed signs may also be used.

The number and colour of lamps used may not give the full information about what track is set, or what speed is allowed on what sections of the route. Form signals with lit numbers, letters or other geometric forms are therefore often used to supplement the general signalling aspect. This can be done in several ways:

1. either by giving direct speed information (e.g. a lit 7 or 70 may indicate that a speed of 70 km/h is allowed),
2. by giving supplemental route information through one or more letters (e.g. lit A, B, H, WU or any other letter(s)), indicating a route setting for a particular line,
3. by a number indication of the track number setting at stations (e.g. a lit 7 to indicate that the route is set for track 7), or
4. by other types of form signals.

The additional information may allow higher train speeds when lit, but such additional information is often conveyed at insufficient braking distance if preparations for the most restrictive speed have not been made in advance. The risk therefore exists that a driver may anticipate that the train will receive the "high-speed" route normally received for that particular train and station, and fail to adjust the speed according to the general warning signal aspect. Too late he may discover that on this particular day the route is set for another track which does not allow the increased speed, and/or where the turnout is located earlier in the route. Such misconceptions have caused severe accidents on several occasions.

Deviated route settings may also tolerate some overspeed before a severe accident occurs. However, such incidents are likely to occur near stations, when many passengers are standing to prepare for disembarkation. Too high a speed (e.g. 50 % above allowed speed) at turnouts may cause people to tumble around and get injured. Very excessive speed (i.e. more than twice the allowed speed, e.g. 90 instead of 40) is likely to cause immediate derailment. A list of some accidents in the Nordic countries due to this failure mode is given in an attachment to the paper.

The human reliability when responding to deviation route signalling aspects is certainly no better than for stop signals, but can be much worse.

4.3 Signalman or train dispatcher error

Human errors of signalmen and train dispatchers have traditionally caused many railway accidents. However, with the technical standards of main lines, including track occupancy detection through track circuits or axle counters and signal interlocking, the potential for safety critical failures of this staff group has been reduced significantly, as shown in Table 1. On less trafficked branch lines manual train dispatching procedures may still be used, and on the Norwegian railways an accident caused by such a failure was experienced a couple of years ago.

5. Automatic train protection and control

Over the years various technical systems have been introduced to avoid SPADs or overspeeding occurrences due to train driver error. The functionality of some of these systems is briefly described in this section. The systems may be divided into two main categories [6]:

- Continuous systems (systems with continuous line transmission).
- Intermittent systems (systems with information transmission at certain locations, normally at signals or speed reduction locations).

Semi-continuous systems combining some of the advantages of continuous and intermittent systems also exist.

5.1 Continuous systems

The continuous systems are the most powerful systems in terms of performance but are very costly, especially the track equipment. Continuous systems are used for high speed lines or lines where an increase in capacity is required. Some of the existing continuous systems are briefly mentioned below:

- cab signalling with overspeed detection (BACC/NS);
- cab signalling with fail-safe speed monitoring (ATB/NS);
- cab signalling with speed monitoring (TVM/SNCF, Eurotunnel);
- fail-safe speed control used with or without cab signalling (LZB/ÖBB, DB, RENFE).

Continuous systems are so far not very widely used in terms of track coverage compared to the total rail network. They are mainly used for purpose-built high speed lines or for lines with special high capacity requirements.

5.2 Intermittent systems

Intermittent systems are less effective since data are not refreshed in real time. Intermittent systems are cheaper and allow for a quicker and larger protection of risky equipment with the same amount of investment. Intermittent systems include two categories:

- signal warning or repetition on board;
- complete speed supervision.


5.2.1 Signal warning or repetition on board

This type of system is installed in order to increase the driver's vigilance and check that the driver has observed a warning signal. When passing a restrictive warning signal a bell or horn in the cab will sound and the driver has to acknowledge the information by pressing a button within a certain time limit; if not, emergency braking is automatically applied. The functionality has been achieved through various technologies:

- electrical contact between train (brush) and metallic piece in the track (Crocodile);
- magnet or electromagnet influence (AWS);
- inductive coupling (Indusi).

The disadvantages of these systems are their low transmission capacity, the fact that the driver must not "forget" this information, and their lack of redundancy and fail-safe performance.

Crocodile (France)

This system supervises the driver's reaction to the restrictive aspects of distant or warning signals. The system delivers audible and visual alarms to the driver, who has to acknowledge the information prior to passing that signal - if not, the brakes are automatically applied. Line sections with a maximum speed under 40 km/h are not fitted with the system.

AWS (Britain)

AWS is fitted on approximately 98 % of the Railtrack network where its use is appropriate. All main lines and rolling stock are AWS-equipped. It is used at signals, temporary speed restrictions and some permanent speed restrictions. The track equipment consists of two magnets:

- A permanent magnet, south pole oriented.
- An electromagnet fed from a 12 or 24 V supply, energised only when the signal displays the green aspect.

The role of the first magnet is to activate the on-board equipment, and that of the second is to give the status information for the signal in question. If the signalling aspect is green, a bell in the cab will sound for 1 second and the visual indicator will show a full black disc.
If the signal does not show a green aspect (double yellow, yellow or red) a horn will sound continuously. Without an acknowledgement reaction from the driver the brakes will be applied and stop the train. When the driver responds by pressing a button the horn will stop, and if the brakes are already applied they will be released. The on-board indicator disc will display a black-yellow aspect to remind the driver of the caution aspect displayed by the line side signal. The visual indicators are restored at the next signal or at the speed restriction end point.

One of the main problems with the AWS system is that it gives a similar warning for all non-clear signalling aspects, and during heavy traffic the driver may repeatedly have to cancel the AWS warning for double yellow aspects. Hence, pressing the AWS acknowledgement button may become a conditioned response to the warning alarm.

Indusi (Germany)

The German Indusi system supervises the driver's vigilance as well as providing brake application if necessary. When passing a warning signal announcing a stop aspect an alarm is sounded in the cab, and the driver has to acknowledge the signal by pushing a button. If not, the brakes are activated within 4 seconds. Further, the system checks the train speed at the information points against typical train-type braking curves, and if the train speed is too high, emergency braking is applied. A main signal overrun at danger will bring an immediate automatic train stop. A special override button allows the driver to pass the signal at danger (2000 Hz influence) with a supervised speed limited to 40 km/h as long as the override button is operated. If the on-board equipment fails, the maximum speed is limited to 100 km/h. The system has no protection against failure of the wayside equipment and is in this respect not fail-safe.

5.2.2 Speed supervision system

Much more information is transmitted from the track to the train with these systems, such as the target distance to the next or main signal, the track gradient to the target point and the forward signal aspect. Combined with detailed train information put into the train computer, a theoretical maximum train speed curve which brings the train speed down to the required speed at the next signal can be calculated. The computer supervises the actual speed against this curve, and if the speed is in excess, the driver is alerted, and service and/or emergency braking is applied depending upon the excess speed. The information transfer can also be used for cab signalling.

The system is used in several countries including all the Scandinavian countries (ATC) and France (KVB). Large scale installation is also underway in Finland.
The final function is more or less the same for all existing systems in Europe; differences occur in technology, transmission path and operating rules.

ATC (Nordic countries)

In Sweden and Denmark the lines are fully equipped with ATC installations providing cab signalling information, as well as supervising the train speed at main signals and at permanent and temporary speed restrictions. In Norway, permanent speed restrictions due to track alignment etc. are protected by ATC installations on some newly built lines only, including Gardermobanen. Main signals are protected by the ATC system on most lines. Sweden has the most extensive use of ATC, and Swedish drivers have adapted to a much more stringent ATC protection of their driving actions. If they are unsure of the actions to take, they may wait for the ATC system to take action. This opens up new human factor issues, and ATC-influenced driver behaviour has been the subject of several reports in Sweden over the last 10 years [7]. Presently the whole information environment of the train driver is the subject of an extensive research project in Sweden. The name of the project is abbreviated TRAIN.

6. Conclusion

Despite large investments in various forms of train protection systems, and the fact that such systems have proved effective, human failures are still the single most dominant cause of accidents on European railways. In order to achieve a prolonged and continuous improvement in safety performance in a cost-effective way, the introduction of technical safety systems must be directed to the highest risk areas and otherwise supplemented by an increased effort on human factor issues and man-machine interface problems.


Annex I: Derailments due to overspeeding in deviated route settings

Below is a description of some accidents in the Nordic countries caused by overspeeding through points set for deviated routes. The accidents, apart from the Sköldinge accident, happened at places or with trains that were not equipped with ATP at the time of the accident.

1. Finland

Jokela, April 1996

A night express train from Oulu to Helsinki derailed at Jokela, close to Helsinki, where its route was diverted to the neighbouring track due to track work. The locomotive and 10 out of 11 coaches of the train derailed. Four persons (including the driver) were killed and 75 injured. The maximum allowable speed across the deviated point was 35 km/h, while on the actual day the train entered the point at a speed of 124 km/h. The train had a speed of 133 km/h when passing the main signal in front of the crossover where the route diversion was finally signalled. A warning signal had been given earlier. Due to the high speed and dense fog (visibility might have been as low as 5-10 m) the driver probably did not notice the signal indicating the speed restriction (flashing green instead of permanent green). The line was not equipped with ATP systems. Further, he might not have read the weekly notice about the track work and the route diversion, which had recently been introduced. The weekly warning was also written misleadingly.

Jyväskylä, March 6th 1998

Train 105 from Turku to Pieksämäki derailed when entering Jyväskylä station. The locomotive and 7 out of 11 carriages ended up on their sides. 10 persons died and 47 were injured. The reason for the accident was too high speed across points set for a deviated train route. According to the timetable, the route for Train 105 was set for track 3, passing an early turnout with a maximum allowable speed of 35 km/h. At the time of the accident, the home signal for the station properly signalled the deviated route. However, most other passenger trains used track 1 or 2, which allowed a much higher speed across this point. When passing the home signal warning signal for the station, located 1300 m in front of the point, the speed was 133 km/h and the driver cut the traction power but did not immediately apply the brakes. When passing the main signal 450 m in front of the point, the speed was still 128 km/h. The driver then applied full braking power, but was not able to bring the speed down sufficiently, and the train derailed at a speed of approximately 100 km/h. The driver probably misunderstood what route was set for the train, as his driving was reasonably consistent with a route setting for track 1 or 2.


2. Denmark

Sorø; April 25th 1988

IC-train 104 derailed at a deviated point in a track crossover at the entry to Sorø station. Due to track maintenance work the train was routed along the track for the opposite direction (left track) from Slagelse to Sorø. At the entry to Sorø station the train was re-routed back to the right track. The maximum allowable speed in the deviated route setting at Sorø station was 40 km/h, whereas IC 104 was running at approximately 100 km/h. Train IC 104 derailed and several of the cars turned over. Eight passengers were killed, 11 severely injured, and another 60 lightly injured.

Roskilde; December 28th 1992

The night train "Natteravnen" derailed at the entry to Roskilde station due to far too high speed across a deviated point. The maximum allowable speed for the deviated route setting across the point was 40 km/h, whereas the derailed train had a much higher speed. The train driver was killed, but no passengers or other members of the train crew were seriously injured.

The above accidents happened prior to any ATP installation in Denmark. After the last accident ATP installation was given priority, and today most of the main lines have ATP installed.

3. Sweden

Rörvik; 1954-09-06

Fast train 12 derailed at the entry to the station across a deviated point. In the derailment 6 persons were killed and 53 persons injured. The derailment was caused by too high speed across the deviated point.

Alvik; 1964-09-05

Nine carriages derailed when express train 95 passed a deviated exit point for the station. Eight persons were killed and 26 injured, of which 2 in a nearby house. The cause of the accident was too high speed across the deviated point.

Stehag; 1978-08-10

Motor carriage train 286 derailed with all cars when entering a new track. Four persons including the driver were killed and 12 injured. The reason for the accident was too high speed across the point set for a deviated route.

Sköldinge; 1990-04-10

Train B29 on the main Stockholm - Gothenburg line derailed with the entire train when not slowing down for a deviated point. The locomotive and the first car ended on their sides. Two persons were killed and 53 injured. Material damages were large. The train route was set for the neighbouring track due to track work, and the allowed maximum speed across the deviated point was 40 km/h, but the train did not slow down until too late and entered the point in excess of 100 km/h.


In the last case ATP was installed on the line and in the train, but the ATP was for some reason not working on that particular train. After the accident Banverket has limited the maximum speed of trains without functional ATP to 80 km/h when operating on lines fitted with ATP installations. TerA 1999.
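The speed supervision described in section 5.2.2, applied to the Jyväskylä approach figures quoted in this annex, as an added example that is not part of the original paper and not an actual ATC/ATP algorithm. The braking deceleration and the alarm/brake margins are assumed values chosen for illustration; only the distances, speeds and the 35 km/h limit come from the text.

```python
"""Braking-curve speed supervision (added illustration, assumed parameters)."""
from math import sqrt

G = 9.81  # gravitational acceleration, m/s^2

# Assumed values, not taken from the paper:
ASSUMED_DECEL = 0.7    # m/s^2, braking deceleration on level track
WARN_MARGIN = 5.0      # km/h above the curve: alarm to the driver only
SERVICE_MARGIN = 10.0  # km/h above the curve: service brake; beyond: emergency


def _effective_decel(decel, gradient_permille):
    # Positive gradient means uphill towards the target, which helps braking.
    a = decel + G * gradient_permille / 1000.0
    if a <= 0:
        raise ValueError("train cannot decelerate on this gradient")
    return a


def permitted_speed_kmh(distance_m, target_kmh, decel=ASSUMED_DECEL,
                        gradient_permille=0.0):
    """Highest speed at distance_m before the target point from which the
    train can still brake down to target_kmh (constant-deceleration curve)."""
    a = _effective_decel(decel, gradient_permille)
    v_target = target_kmh / 3.6
    return 3.6 * sqrt(v_target ** 2 + 2.0 * a * max(distance_m, 0.0))


def intervention_distance_m(speed_kmh, target_kmh, decel=ASSUMED_DECEL,
                            gradient_permille=0.0):
    """Distance before the target at which a train holding speed_kmh
    meets the braking curve."""
    a = _effective_decel(decel, gradient_permille)
    v, v_target = speed_kmh / 3.6, target_kmh / 3.6
    return max(0.0, (v * v - v_target * v_target) / (2.0 * a))


def supervise(speed_kmh, distance_m, target_kmh, **curve):
    """Graded reaction depending on the excess over the permitted speed."""
    excess = speed_kmh - permitted_speed_kmh(distance_m, target_kmh, **curve)
    if excess <= 0:
        return "ok"
    if excess <= WARN_MARGIN:
        return "alarm"
    if excess <= SERVICE_MARGIN:
        return "service brake"
    return "emergency brake"


def first_intervention(samples, target_kmh, **curve):
    """samples: (distance_before_target_m, speed_kmh) along the approach.
    Returns the first sample at which the supervision would react."""
    for distance_m, speed_kmh in samples:
        action = supervise(speed_kmh, distance_m, target_kmh, **curve)
        if action != "ok":
            return distance_m, action
    return None


# Approach figures quoted in the annex for Train 105 (distance to the point
# in metres, speed in km/h); the limit across the point was 35 km/h.
JYVASKYLA_APPROACH = [(1300, 133), (450, 128), (0, 100)]
POINT_LIMIT_KMH = 35

if __name__ == "__main__":
    for d, v in JYVASKYLA_APPROACH:
        limit = permitted_speed_kmh(d, POINT_LIMIT_KMH)
        print(f"{d:5d} m  actual {v:3d} km/h  permitted {limit:6.1f} km/h  "
              f"-> {supervise(v, d, POINT_LIMIT_KMH)}")
    print("curve met at",
          round(intervention_distance_m(133, POINT_LIMIT_KMH)), "m before the point")
```

With the assumed deceleration, a train holding 133 km/h meets the curve roughly 900 m before the point, well ahead of the main signal at 450 m.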


References
[1] Anderson, Martin. Cross-border railway operations; A human factors analysis. 16th ESReDA Seminar on Safety and Reliability in Transport.
[2] Hall, Stanley. Railway accidents. Ian Allan Publishing, 1997.
[3] Jernbaneverket. Oversikt over driftsulykker og sikringstiltak i 1998, JDMS Mars 1999.
[4] Health and Safety Executive. Railway Safety: HM Chief Inspector of Railway's Annual Report on the safety of the railways in Great Britain during 1996/97. HSE Books, 1997.
[5] van der Flier, H. & Schoonman, W. Railway signals passed at danger; situational and personal factors underlying stop signal abuse. Applied Ergonomics, June 1988, 19.2, 135-141.
[6] Bailey, Colin (Ed.). European Railway Signalling, compiled by a project group under the auspices of the Institution of Railway Signal Engineers. A & C Black, London, 1995.
[7] Harms, Lisbeth & Freden, Sven. Human and automatic train control in Scandinavian ATC-applications; A pilot study. VTI-meddelande No 783A, 1986.
[8] Institution of Railway Signalling Engineers Technical Committee Report No. 3. The Influence of Human Factors on the Performance of Railway Systems. Institution of Railway Signalling Engineers, May 1996.


The reliability/safety analyses of transport airplane systems in process of their certification


Rudolf Holub and Zdenek Vintr Military Academy, K-201, Kounicova Str. 65 61200 Brno, Czech Republic

Abstract

The transport airplane L-610 G with a pressurized cabin has been developed at the Aeronautical Works LET (Czech Republic). This article deals with the international standard safety requirements which this airplane must satisfy, and describes the reliability and safety analyses which have been used during the airplane development: Preliminary Hazard Analysis, Failure Mode Effect and Criticality Analysis, Fault Tree Analysis and Reliability Block Diagram Analysis.

Keywords: System safety, Integrated safety program, Reliability Block Diagram, Preliminary Hazard Analysis, System Failure Mode Effect and Criticality Analysis, Fault Tree Analysis, Design for Safety.

Acronyms:
AC - Advisory Circular
APC - Autopilot Computer
AWL - Aeronautical Works LET
CH - Channel
EFIS - Electronic Flight Indication System
FAA - Federal Aviation Administration
FAR - Federal Aviation Regulations
FBD - Failure Block Diagram
FCP - Flight Control Panel
FMEA - Failure Mode and Effect Analysis
FMECA - Failure Mode Effect and Criticality Analysis
FTA - Fault Tree Analysis
LRU - Line Replaceable Unit
PHA - Preliminary Hazard Analysis
RBD - Reliability Block Diagram
RBDA - Reliability Block Diagram Analysis

1. Introduction

Special attention has always been dedicated to air transport safety. During the development of air-traffic technologies, many national and international standards specifying requirements on airplane safety were prepared [2,3]. The main goal of all of them is to ensure maximum safety of the airplane, the flying public and the public-at-large. According to these standards, every producer of an airplane has to prove that his product satisfies the airworthiness requirements. Any airplane failing to meet these requirements will not be put into use in air transport. There are two basic ways which are acceptable for demonstrating compliance with safety requirements: testing and analyses. This article deals with the safety and reliability analyses which have been used during the design and certification processes of the transport airplane L-610 G (see Figure 1).

Figure 1. Airplane L-610 G.

This airplane has been developed and prepared for production by the Aeronautical Works LET, and the authors of this article have participated in the reliability/safety analyses of its basic systems.

2. Brief history of safety development tools

During the development of the older generations of airplanes in the AWL, like the L-200 taxi and L-410, engineers drew upon prior designs, engineering practices and manufacturing techniques to create reliable and safe designs (see Table 1). This traditional approach has two weaknesses: it requires a long period of time to fully develop and test the design, and it usually causes problems for early customers of the design. With the new airplane L-610 G, which has a pressurized cabin, the development of every corresponding airplane system grew in complexity to meet the operational requirements. It became clear that the traditional approach to a safe design was too costly and simply took too long. As a result, new methods were introduced to show that the individual airplane systems met all safety requirements. During the development of the L-610 G airplane the following methods of safety and reliability analyses have been used (see Table 1):


Table 1: Development of Reliability and Safety Techniques in AWL. Applied Analysis Load and Stress Analysis Development Testing Technological Testing Material Standardisation and Quality Control Component Selection Program Failure Mode and Effect Analysis - FMEA Preliminary Hazard Analysis - PHA Failure Mode Effect and Critically Analysis - FMECA Fault Tree Analysis - FTA Reliability Block Diagram Analysis - RBDA L-200 YES YES YES YES Type of Aeroplane L-410 L-610 G YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES

Preliminary Hazard Analysis - PHA; Failure Mode Effect and Criticality Analysis - FMECA; Fault Tree Analysis - FTA; Reliability Block Diagram Analysis - RBDA.

These methods were combined in an integrated safety program (see Figure 2) [1], which has been used for every new or major-modified system of the airplane. The frequent use of the integrated safety program as a primary design tool for any airplane system is a particularly satisfying example of what the AWL calls "Design for Safety". Component and system PHA, FMECA, FTA and RBDA make it possible to fully analyze a system's set of intended functions and thus to determine whether a system is safe prior to any production commitment.

3. Design for L-610 G systems safety

The most important standard, which is necessary to accept, is Part 25 of the Federal Aviation Regulations and especially 25.1309 [2]. This paragraph provides general requirements for a logical and acceptable inverse relationship between the probability and the severity of each failure condition and requires that compliance be shown primarily by analysis.

3.1 Definition of systems safety requirements

FAR Part 25.1309 defines the requirements for reliability/safety of equipment, systems, and installations as follows:

a) The equipment, systems, and installations must be designed to ensure that they perform their intended functions under any foreseeable operating condition.

b) The airplane systems and associated components, considered separately and in relation to other systems, must be designed so that:
- the occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable, and
- the occurrence of any other failure conditions, which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions, is improbable.

c) Warning information must be provided to alert the crew to unsafe system operating conditions, and to enable them to take appropriate corrective action. Systems, controls, and associated monitoring and warning means must be designed to minimize crew errors which could create additional hazards.

d) Compliance with the requirements of paragraph (b) of this section must be shown by analyses, and where necessary, by appropriate ground, flight, or simulator tests. The analyses must consider:
- possible modes of failure, including malfunctions and damage from external sources;
- the probability of multiple failures and undetected failures;
- the resulting effects on the airplane and occupants, considering the stage of flight and operating conditions, and
- the crew warning cues, corrective action required, and the capability of detecting faults.

e) Additional and similar requirements exist for power supply systems and other systems.

Figure 2. Integrated safety program. (Flowchart; block labels: Aircraft Design Description; Preliminary Hazard Analysis; Functional Failures; Severity of Failures; FMECA of Individual Items; RBDA or FTA; Failure Probability Determination; Design Modification.)

3.2 Basic acceptable means for showing compliance with requirements

The requirements of FAR Part 25 are very brief and do not give any practical instruction on how to show compliance with them. For this reason the Federal Aviation Administration (U.S. Department of Transportation) worked out more detailed guidance, the Advisory Circular FAA AC 25.1309 [3]. This AC describes various acceptable means for showing compliance with the requirements of FAR Part 25.1309. These means are intended to provide guidance for the experienced engineering and operational judgment that must form the basis for compliance findings. They are not mandatory. Other means may be used if they show compliance with this section of FAR.

a) The FAA "Fail-Safe" design concept: The Part 25 airworthiness standards are based on the fail-safe design concept, which considers the effects of failures and combinations of failures in defining a safe design. The following basic objectives pertaining to failures apply:
- In any system or subsystem, the failure of any single item, component or connection during any one flight should be assumed, regardless of its probability. Such single failures should not prevent continued safe flight and landing, or significantly reduce the capability of the airplane or the ability of the crew to cope with the resulting failure condition.
- Subsequent failures during the same flight, whether detected or latent, and combinations thereof, should also be assumed, unless their joint probability with the first failure is shown to be extremely improbable.

b) Failure and failure conditions: Failure is defined as a loss of a function or a malfunction of a system or part thereof. Failure condition is defined as any effects on the airplane and its occupants, both direct and consequential, caused or contributed to by one or more failures, considering relevant adverse operational or environmental conditions. Failure conditions may be classified according to their severity as follows:
- Minor - failure conditions which would not significantly reduce airplane safety, and which involve crew actions that are well within their capabilities.
- Major - failure conditions which could reduce the capability of the airplane, or the ability of the crew to cope with adverse operating conditions, to the extent that there would be, for example, a significant reduction in safety margin or functional capabilities or, in more severe cases, a large reduction in safety margin or functional capabilities.
- Catastrophic - failure conditions which would prevent continued safe flight and landing.

c) Severity of failure conditions: The severity of failure conditions is evaluated according to the following considerations:
- Effects on the airplane, such as reductions in safety margins, degradations in performance, loss of capability to conduct certain flight operations, or potential or consequential effects on structural integrity.
- Effects on the crewmembers, such as increases above their normal workload that would affect their ability to cope with adverse operational or environmental conditions or subsequent failures.
- Effects on the occupants, i.e. passengers and crewmembers.

d) Acceptable probability of failure conditions: Each failure condition should have a probability that is inversely related to its severity.
- Minor failure conditions may be probable. Probable failure conditions are those having a probability greater than on the order of 1 × 10⁻⁵ and are anticipated to occur one or more times during the entire operational life of each airplane.
- Major failure conditions must be improbable. Improbable failure conditions are those having a probability on the order of 1 × 10⁻⁵ or less, but greater than on the order of 1 × 10⁻⁹, and are not anticipated to occur one or more times during the entire operational life of a single random airplane. However, they may occur occasionally during the entire operational life of all airplanes of one type.
- Catastrophic failure conditions must be extremely improbable. Extremely improbable failure conditions are those having a probability on the order of 1 × 10⁻⁹ or less and those so unlikely that they are not anticipated to occur during the entire operational life of all airplanes of one type.

e) Type of failure conditions assessment: In an assessment to identify and classify failure conditions, qualitative and quantitative methods are used in conjunction with each other. The depth and scope of an analysis depend on the types of functions performed by the system, the severity of system failure conditions and whether or not the system is complex. Regardless of its type, an analysis should show that the system and its installation can tolerate failures to the extent that major failure conditions are improbable and catastrophic failure conditions are extremely improbable.

f) Single and common-cause failure modes: In general, a failure condition resulting from a single item failure mode cannot be accepted as being extremely improbable, in particular when flight-crew or ground-crew checks have no value if a catastrophic failure mode would occur suddenly and without any prior indication or warning. The design concept would give special attention to preventing a single failure or other event from damaging or otherwise adversely affecting more than one redundant system performing operationally similar functions. When considering such so-called common-cause failures or other events, consequential or cascading effects should be taken into account if they would be inevitable or reasonably likely.

4. Acceptable analyses techniques

The analyst is responsible for applying reasonable criteria and experienced engineering and operational judgment to identify and classify each failure condition and to choose the methods of assessment to be used to determine compliance with FAR Part 25.1309 requirements. The analysis techniques recommended in AC 25.1309 are as follows.

4.1 Preliminary hazard analysis

The PHA is a logical and comprehensive examination of a system's functions to determine potential hazards to the airplane that the components and systems can cause or contribute to, not only when they malfunction, but also in normal operation. The PHA establishes the airplane system failures, their severity and the scope of additional safety analyses, and it provides a critical assessment of each function in terms of its loss, malfunction, misuse or effects due to external events. The PHA also provides design requirements for redundancy, special testing, operational checks and/or control, warning systems and software design requirements. The PHA is conducted early in the design development phase so that the safety design requirements can be implemented with minimal developmental impact. As a result of the PHA failure severity definitions and classifications, the following list of hazardous entities and situations may be generated:
- Functions;
- Hazardous situations and their descriptions;
- Hazardous entities and their combinations;
- Event phases;
- Events causing hazardous situations;
- Classification in order of severity;
- Effects or consequences.

An example of the airplane systems PHA is presented in Table 2.

4.2 Failure mode effect and criticality analysis

The FMEA/FMECA is created to assure that equipment, systems, components and installations are designed to prevent hazards when a malfunction or failure occurs, by systematically determining all possible modes of failure or error and their associated effects on the system and airplane.


Table 2. Example of Preliminary Hazard Analysis of some airplane systems.

Column headings: No; System; Hazardous Entities; Phase of Flight; Hazardous Situation; Effect or Consequences; Classification in Order of Severity; Remarks.

No; System; Hazardous Entities; Phase of Flight:
1; Hydraulic system; Hydraulic pump; Before take off
2; Hydraulic system; Hydraulic pump; In flight
3; Hydraulic system; Hydraulic pump; In flight
4; Take off & landing system; Main landing gear; Flight (before landing)
5; Nose landing gear; Nose gear lock; After take off
6; Wing flaps; Control system of wing flaps; In flight (v > 300 km/h)
7; Wing flaps; Control system of wing flaps; In flight (v < 300 km/h)

Hazardous Situation (1-3): Total loss of pump function; Total loss of pump function; Total loss of function of all (3) pumps

Effect or Consequences: Total loss of pressure liquid in one circuit; Total loss of pressure liquid in one circuit; Total loss of pressure liquid in both circuits (main & stand-by); Loss of possibility to open; Landing is disabled; Failure of lock; Undesirable deflection; Unsymmetrical deflection

Classification in Order of Severity: MINOR; MAJOR; CATASTROPHIC

Remarks: Due to stand-by function; Some basic airplane functions are disabled; Safe way of landing does not exist; Safe way of landing exists

CATASTROPHIC

Locking of gear in open position is not possible; Mechanical destruction of flaps; Flight instability exists
MINOR; CATASTROPHIC; MAJOR


The parts and subsystems are similarly analyzed by the FMEA at the level of the so-called Line Replaceable Unit (LRU) [8], and the results are incorporated into the system FMECAs. The system FMECAs must be complete enough to disclose all possible single failure situations that could be unsafe or require a specific operator response. Additionally, latent and selected multiple failures must be analyzed for secondary failure modes and effects. The preliminary system FMECA is conducted on a functional basis during the initial design phase so that single functional failures can be identified and those with undesirable airplane failure conditions may be "designed out" (item re-designation). The initial system FMECA is prepared to make the transition from functional failures to hardware failures. A simplified example of an airplane components FMECA is shown in Table 3.

4.3 Fault tree analysis

The FTA is a technique represented by a logic diagram that displays the interrelationships between a potential undesired TOP failure (critical) event (accident) in a system and all reasonably probable primary events (causes) which alone or in combination could result in undesired, significant safety failure conditions. The causes can be environmental conditions, human error, normal events (failure events which are expected to occur during the life span of the system) and specific component failures. Safety-significant airplane failure conditions in the FTAs, generally called the "TOP events", are derived from the PHA, whereas most bottom events (primary events) are the failure modes from the system FMEAs. Therefore completion of the FTA follows completion of the PHA and system FMEA. A properly constructed fault tree provides a good illustration of the various combinations of failures and other events which can lead to a specified TOP event (see Figure 3). To determine whether an initial design meets the qualitative probability requirements indirectly described in the PHA, the preliminary and initial FTAs are conducted in parallel with the preliminary and initial system FMEAs. The catastrophic hazard class failure conditions must be qualitatively described as "extremely improbable", and must show a quantitative probability of failure of Q(s) < 1.0 × 10⁻⁹.

4.4 Reliability block diagram analysis - RBDA

The RBD is a success-oriented diagram which represents pictorially the logical functions of the system. The RBDs are developed through analysis of the functional relationships among items shown by the functional block diagrams and the system function schematics. The interrelation of events is expressed by the way that the blocks are interconnected in the function block diagram. The general procedure for constructing a reliability block diagram is as follows:

a) Define the mission so that the completion of the mission yields system success. If the system has more than one mission, then each mission must be considered individually.


Table 3. Example of fuel system FMECA.

Column headings: Item No.; Item description; Function description; Failure mode; Mission phase; Failure effect (Local effect, System effect); Severity class; Failure rate; Failure rate data sources.

Failure effect: Loss of fuel; Fire risk; Loss of engine function; Danger of fire; Loss of fuel; Fire risk; Fuel to engine is stopped; Danger of fuel overfilling; Disable to fill fuel; Possibility of fuel overflow; No effect

Item No.: 1,2; 4
Item description: Fuel tank; Fuel pump
Function description: Seal fuel storage device; Fuel transport devices
Failure mode: Leakage; Rupture; Fuel transport fails
Mission phase: Take off & flight; Take off & flight
Local effect: Loss of function; Loss of function

Severity class: MAJOR; MAJOR; MAJOR; MAJOR; MINOR; MAJOR; MINOR; MINOR; MINOR; MINOR; MINOR

Failure rate: 1.0 × 10⁻⁶; 1.0 × 10⁻⁶; 1.0 × 10⁻⁶; 1.0 × 10⁻⁶; 1.5 × 10⁻⁶; 5.0 × 10⁻⁶; 5.0 × 10⁻⁶; 1.0 × 10⁻⁶

Failure rate data sources: Database of producer; Database of producer

Item description: Fire valve
Failure mode and function description: Leakage; Opens & closes a pipe line; Fails open; Fails shut; Opens & shuts a pipe line during fuel filling; Automatically shuts and opens fuel pipe line; Fails open; Fails shut; Fails open; Fails shut

Item No.: 26
Item description: Differential valve; Floating valve

Mission phase and local effect: In flight; Before take off; Fuel filling; Disable to shut before take off; Disable to open; In flight and on ground; Disable to shut; Disable to open

Outflow of fuel; Disable to shut; Disable to open

Failure rate data sources: Database of producer; Database of producer; Database of producer

Item No.: 16; 21; 27

Failure rate: 1.0 × 10⁻⁶; 1.0 × 10⁻⁸; 1.0 × 10⁻⁶


Figure 3. Example of Fault Tree Analysis. (Fault tree for the top event "Autotrim inoperative without warning".)

b) From the functional diagram, the FMEA, and other applicable data, define all of the elements and number all of the nodes, and then construct the RBD. Each block in the diagram represents the applicable true function mode of the component identified.

c) Investigate the reliability block diagram to ensure that all possible functional paths leading to success have been included.


The reliability block diagram corresponds closely to the system functional diagram and allows a visual understanding of the normal functioning of the system. When the failure block diagram (FBD) is used for system failure modeling, the same principles and steps are used, but the failure of blocks is used instead of the success of blocks (see Figure 4). The so-called "dual principle" is valid.
Figure 4. Example of Failure Block Diagram. The diagram models the failure "Loss of pressure in the airplane hydraulic systems". (Block labels: oil tank leaks; safety valve fails open; pressure oil accumulator leaks; left and right hydraulic pump fails; left and right oil distribution leaks; left and right fire-fighting valve fails closed.)
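The fault tree evaluation of section 4.3, checked against the probability bands of section 3.2 d) and the single-failure point of section 3.2 f), as an added example that is not part of the original paper or of the AWL analyses. The two trees and all basic-event probabilities are constructed for illustration (loosely shaped like a two-channel hydraulic supply, not the values of Figure 4), and the top-event figure is the usual sum over minimal cut sets, an upper bound for independent basic events.

```python
"""Fault-tree compliance check against the AC 25.1309 bands (added example)."""
from itertools import product
from math import prod

ORDER = ["probable", "improbable", "extremely improbable"]
# Band each severity class must at least reach (section 3.2 d of the paper).
REQUIRED = {"MINOR": "probable", "MAJOR": "improbable",
            "CATASTROPHIC": "extremely improbable"}


def probability_class(p):
    """Bands as quoted in the paper: > 1e-5, (1e-9, 1e-5], <= 1e-9."""
    if p > 1e-5:
        return "probable"
    if p > 1e-9:
        return "improbable"
    return "extremely improbable"


def minimal_cut_sets(node):
    """node is a basic-event name or a tuple ("AND" | "OR", child, child, ...)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":      # any child's cut set fails the gate
        sets = [cs for group in child_sets for cs in group]
    elif gate == "AND":   # one cut set from every child must occur together
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate {gate!r}")
    unique = set(sets)
    # Absorption: drop every set that strictly contains another cut set.
    minimal = [s for s in unique if not any(o < s for o in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def top_event_bound(cut_sets, p):
    """Rare-event approximation: sum of the cut-set probabilities."""
    return sum(prod(p[e] for e in cs) for cs in cut_sets)


def assess(tree, p, severity):
    cuts = minimal_cut_sets(tree)
    q = top_event_bound(cuts, p)
    achieved = probability_class(q)
    single = sorted(next(iter(cs)) for cs in cuts if len(cs) == 1)
    prob_ok = ORDER.index(achieved) >= ORDER.index(REQUIRED[severity])
    # A single item failure cannot be accepted for a catastrophic condition,
    # whatever its computed probability (section 3.2 f).
    single_ok = severity != "CATASTROPHIC" or not single
    return {"q": q, "class": achieved, "single_failures": single,
            "compliant": prob_ok and single_ok}


# Constructed probabilities per flight (assumed values, not from the paper).
P = {"tank_leak": 2e-10,
     "left_tank_leak": 2e-10, "right_tank_leak": 2e-10,
     "left_pump": 5e-6, "right_pump": 5e-6,
     "left_line": 4e-8, "right_line": 4e-8}

# Shared reservoir feeding two channels: the tank is a single point of failure.
TREE = ("OR", "tank_leak",
        ("AND", ("OR", "left_pump", "left_line"),
                ("OR", "right_pump", "right_line")))

# Redesign with one reservoir per channel: every cut set needs two failures.
TREE_REDESIGNED = ("AND",
                   ("OR", "left_tank_leak", "left_pump", "left_line"),
                   ("OR", "right_tank_leak", "right_pump", "right_line"))

if __name__ == "__main__":
    for name, tree in (("shared tank", TREE), ("split tanks", TREE_REDESIGNED)):
        r = assess(tree, P, "CATASTROPHIC")
        print(f"{name}: Q <= {r['q']:.3e} ({r['class']}), "
              f"single failures {r['single_failures']}, compliant={r['compliant']}")
```

The shared-tank tree meets the numerical target for a catastrophic condition and is still rejected, because one of its minimal cut sets contains a single event.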

5. Results and conclusion

Every new or major-modified system designed for L-610G airplane incorporates the integrated safety program. The examples of how PHA, FMECA, FTA and RBD are used in the system design have been shown and the detailed examples of several systems show how the L-610G airplane has benefited from the integrated safety program. The process of L-610 G certification has not been finished yet, because the flight test program has not been completed. However the integrated safety program, which was implemented, has yielded beneficial design guidance at each step of design evolution and has retained design focus upon intended functions, as well as unintended functions. This design focus minimizes costly design and maximizes safety for the airplane and the flying public.




Appendix: List of participants in the ESReDA 16th seminar

P. Adams; Volvo; Sweden
K. Adjallah; Université de Troyes; France
T. Andersen; Det Norske Veritas AS; Norway
M. Anderson; Human Reliability Associates Ltd; UK
B. Andriq; EdF Septen; France
K. Berdica; Royal Institute of Technology; Sweden
J. Blombach; Siemens; Germany
R. Bubbico; C.N.R.; Italy
P. Buckley; Health & Safety Executive; UK
J. Bäckman; Royal Institute of Technology; Sweden
P. Cassini; INERIS; France
S. Eisinger; Det Norske Veritas AS; Norway
R. Elvik; Institute of Transport Economics; Norway
L. Emmet; Adelard; UK
A. Fernández; IBERDROLA; Madrid
S. Fosser; NSB BA (Norwegian State Railways); Norway
E. Funnemark; Det Norske Veritas AS; Norway
S. Gadd; Health & Safety Laboratories; UK
K. O. Gilje; Dovre Safetec; Norway
C. Gundersen; Vectra Technologies; UK
R. Hartman; Jernbaneverket; Norway
B. Inozu; University of New Orleans; USA
N. Kawka; ENCONET Consulting; Austria
F. Keravel; Réseau Ferré de France; France
H. Kortner; Det Norske Veritas AS; Norway
S. Kristiansen; Norwegian University of Science and Technology; Norway
S. I. Masdal; Norwegian Marine Technology Research Institute; Norway
. Miller; Vectra Technologies; UK
H. Moen; Norwegian Marine Technology Research Institute; Norway
A. Montardet; Réseau Ferré de France; France
B. Moss; RM Consulting; UK
A. Nelson; Railtrack PLC; UK
T. Nilsen; Scandpower; Norway
J. Ohvo; VR Ltd; Finland
L. Petterson; Vattenfall; Sweden
H. Procaccia; ISDF; France
S. Quale; Statens Jernbanetilsyn (Norwegian Railway Inspectorate); Norway
N. Riley; Health & Safety Executive; UK
S. Roed-Larsen; Norwegian State Railways ADKNSB BA; Norway
N. Rosmüller; Delft University of Technology, Transport Policy and Logistics; The Netherlands
I. A. Saetermo; Det Norske Veritas AS; Norway
. Sandve; Rogaland University; Norway
O. Skovdahl; Jernbaneverket; Norway
A. Sola; IBERDROLA; Spain
T. Soma; Norwegian University of Science and Technology; Norway
M. Stryken; Jernbaneverket; Norway
I. Svedung; University of Karlstad; Sweden
A. Symons; Railtrack PLC; UK
P. C. van Beek; TNO, Environment, Energy and Process Innovation; The Netherlands
B. van den Horn; Ministry of Transport, Public Works and Water Management; The Netherlands
Z. Vintr; Military Academy of Brno; Czech Republic
F. Vollen; Dovre Safetec; Norway
H. J. Wingender; NUKEM; Germany
