Session 1a
Overview
Purpose of FSA
[Figure: FSA flowchart. Labels: Human Reliability Analysis; Options to decrease Frequencies; Risk Controlled? (Yes/No); Options to mitigate Consequences; Step 3 Risk Control Option]
[Figure: comparison with columns Formal Safety Assessment and Traditional Approach. Step 1 (Hazard identification): "What might go wrong?" versus "What did go wrong?"]
Difference: FSA and traditional regulatory safety assessment approach
What is the relationship between FSA and GBS/SLA?
• GBS is defining a structure of the regulations: Goals, Functional Requirements, Rules
• FSA is a methodology of justifying the Rules
• GBS/SLA is the combination of FSA and GBS
End of Session 1A
IACS FSA PRESENTATION
Session 1b
Formal Safety Assessment
Step 1
Hazard Identification (HAZID)
Section Contents
[Figure: FSA process flowchart. Labels: Scenario definition; Risk Summation; Options to decrease Frequencies; Risk Controlled? (Yes/No); Options to mitigate Consequences; Reporting]
Hazard Identification (HAZID)
HAZID:
• Brainstorming method applied by a team of experts
• Analyse system, process or operation for identifying all related hazards, e.g. caused by failures or deviations from normal operation
• Basic understanding: What can go wrong?
• Identify all causes of a failure and all effects
Phases of HAZID
Before starting the HAZID ...
• Method
– A variety of methods exist, developed and applied in different industries, for instance
• What-If Analysis / SWIFT
• Hazard and Operability Study (HAZOP)
• Failure Modes and Effects Analysis (FMEA)
• Task Analysis (TA) (for human errors)
• …
– Provide support for analysing the system and
collecting the results
– Select method based on objectives of HAZID
Failure Modes and Effects Analysis (FMEA)
• Systematic method to
– identify the various failure modes of equipment items and
– evaluate the effects of these failures on the system
• It accounts for single equipment failures, but not for combinations of different failures
• Typically used for mechanical and electrical systems, but not limited to these types of systems
• Often combined with a criticality analysis (FMECA)
• Types of results:
• A list of identified failure modes, their causes and possible effects
• Recommendations for further analysis
Task Analysis
1.1 Take to tap; 1.2 Turn on water; 1.3 Check level; 1.4 Turn off water; 1.5 Take to socket
Before starting the HAZID ...
• Expertise
– Result of HAZID depends on knowledge and experiences
of participating experts
– Select experts to cover all areas relevant for HAZID
– Consider: group size per meeting ≤ 10 persons
• Important
• Experts' abilities in addition to expertise and subject matter know-how:
Interpersonal and communication skills
Commitment and availability
• Consider “back-up” experts in case of no-shows. One expert missing may shoot down the credibility of the entire HAZID!
• Not to forget:
– The HAZID moderator or leader
Experienced in carrying out HAZIDs
Responsible for HAZID preparation,
Facilitates the analysis in a team,
Ensures that all experts contribute with their specific
experience and knowledge
• Timing
– A HAZID meeting should last a maximum of 3 days
– Not more than 5 to 6 hours of exercise per day. Otherwise, the team gets exhausted and unfocussed.
HAZID Session
• Start session by
– Familiarising participants with the method used
– Explaining scope and objectives
– Informing about the schedule
• Start hazard identification by asking the team
What can go wrong? How can something go wrong?
Why? What are the causes?
How often may it happen?
How serious can it be? What are the effects?
How significant are the consequences?
Are safeguards provided to either
prevent that fault or mitigate the effects?
HAZID Session
• Moderator
– Leads the discussion (motivates every participant to contribute)
– Summarises the discussion (in writing)
– Takes care that all aspects are considered
• Important: for ranking hazards the following
information must be collected
– Consequences
– Probability of failure leading to these consequences
Worksheet columns: Function / Component | Failure Modes | Causes | Effects / Consequences | Frequency / Probability
Ranking of Hazards
Problem:
A HAZID may identify a large number of hazards.
Risk Definition
Ranking of Hazards
Attention: this estimation is only useful for ranking and not for assessment!
Frequency Scale
Severity Scale
Risk Matrix
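| FI | FREQUENCY | SEVERITY (SI) 1 Minor | 2 Significant | 3 Severe | 4 Catastrophic |
|----|-----------|-----------------------|---------------|----------|----------------|
| 7 | Frequent | 8 | 9 | 10 | 11 |
| 6 | | 7 | 8 | 9 | 10 |
| 5 | Reasonably probable | 6 | 7 | 8 | 9 |
| 4 | | 5 | 6 | 7 | 8 |
| 3 | Remote | 4 | 5 | 6 | 7 |
| 2 | | 3 | 4 | 5 | 6 |
| 1 | Extremely remote | 2 | 3 | 4 | 5 |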
HAZID Results
• Additionally:
• Description of system/process under consideration
• Summary of supporting information used
• Description of the method used
• Information about the HAZID team (name, background,
area of expertise)
Aim
HAZID Process
Define System
Define system to be analysed
[Figure: system diagram with components Pu-1, Pu-2, IV-1, IV-2, V-1, V-2, V-3, V-4, S-1, S-2, A1, A2 and RS]
Identify the hazards / failure modes for each component
[Figure: the same system diagram with components Pu-1, Pu-2, IV-1, IV-2, V-1, V-2, V-3, V-4, S-1, S-2, A1, A2 and RS]
Identify possible failure causes
Recording in FMEA Worksheet
| ID | Failure Modes | Causes | Effects | Risk Control Measures |
|----|---------------|--------|---------|-----------------------|
| M-1.1 | No torque | Electrical failure | Pump Pu-1 not available. Steering gear power reduced. Rudder turning speed and ship’s steering capability reduced. | None |
| | | Mechanical failure | Same as above | None |
| ... | | | | |
| A-1.1 | Leakage | Crack in pressure chamber | Reduced torque provision by Actuator A-1. Reduced ship’s steering capability. After some time low hydraulic oil level. | Isolate A-1 by closing valves S-1 and IV-1 |
| ... | | | | |
Assess severity of failure effects (consequences)
...
Report results
End of Module 1b
Session 2:
Formal Safety Assessment
Step 2
Risk Analysis
Contents of Session 2
FSA Process
Scope of FSA Step 2
Measures of Risk
Risk analysis team
Methods and tools
Quantitative Analysis
Risk Models
Quantification
Common cause failure
FSA and Data
Sources of data
Challenges
Expert judgement
Uncertainty
Sensitivity analysis
Output of FSA Step 2
FSA Process
[Figure: FSA process flowchart. Labels: Definition of Goals, Systems, Operations; Hazard Identification; Scenario definition; Options to decrease Frequencies; Risk Controlled? (Yes/No); Options to mitigate Consequences; Reporting]
Scope of FSA Step 2
• Detailed investigation of the causes of initiating
events and consequences of the more important
accident scenarios identified in step 1
– Attention to be focused upon high-risk areas
• Different types of risk
– People
– Environment
– Property
• Risk = Frequency * Consequence
Measures of Risk
• Individual Risk
– Probability of specific person dying in one year
• Societal Risk
– FN Curve
– Potential Loss of Life PLL
– tons of oil per ship year
Methods and Tools
• Fault Tree Analysis
• Event Tree Analysis
• Failure Mode and Effect Analysis (FMEA)
• Hazard and Operability Studies (HAZOP)
• What If Analysis
• Risk Contribution Tree
• Influence Diagrams
• Bayesian Network
Quantitative Analysis
[Figure: log-log plot of Frequency (per ship-year, 10^-3 to 10^-1) against Consequence (Number of Fatalities, 1 to 100). Marked point: frequency 3 x 10^-3 per ship-year, 30 fatalities, Risk = 9E-2 fatalities per vessel year]
Main Components of Risk Models
Event Trees
Initiating Events
• The first of a sequence of events leading
to a hazardous situation or accident
• They are undesirable events which may
lead to damage of the vessel and/or
personnel
• They are usually identified in FSA Step 1
• Group Initiators according to similarities
in accident progression
• A separate event tree is developed for each
group of initiating events
Consequence Determination
Sample Fault Tree (bottom part)
OR Gate: G = A OR B OR C
Gate is TRUE if any of the input events (A, B, C) occur
AND Gate: G = A AND B AND C
Gate is TRUE if all of the input events (A, B, C) occur
Fault Tree Quantification
• Fault trees can be developed with a software package
– Top event probability/frequency
• Minimal cutsets (combination of failures) examples:
– Battery A unable to output AND Charger A unavailable
– Op error causes loss of Batt. A AND Power cable 480MCC fails
– Common Cause Failure of Batteries AND Transformer failure
– Plus All Combinations !
FSA and Data
Sources of Data
• There are different types of data:
– Accidents
• Casualty data sources
– Incidents/near misses and component failures
• Reliability databases
• Maintenance work orders and operating logs
• Internal reporting documents
• Industry bulletins
Casualty Databases
• IHS-Fairplay Database: www.ihs.com
– Provides most comprehensive details of current world merchant fleet of 100 GT and above
– Casualties/Detentions and Register of Ships (Paid Subscription)
– Full data export and built-in reports
– Regular updates – choice of monthly or quarterly updates
• Other sources of data
– Flag state databases and investigation reports (e.g. UK MAIB, USCG, ATSB)
– IMO Global Integrated Shipping Information System
(GISIS): www.gisis.imo.org
Notes about the Databases
• Usually databases report the failures/accidents, but not the exposure (operating hours) needed to estimate failure rates
– Use other sources or estimates to calculate exposure
• Failure definitions, accident classification, ship type definitions, etc. vary, and sometimes are not clearly defined
– Use data sources that justify their applicability to the scope of the FSA
– Verify consistency of units used: per hour operation, per year, per lifetime, per trip, per time used, per ship-year, etc.
• Some equipment shows wear-out behaviour, so failure rates increase over time, and this is not reflected in databases
– Typically FSA assumes constant failure rate over time
Expert Judgement
Occupational accidents
Decisions are Always Made with Uncertainty
[Figure: diagram with labels Cost, Information, Certainty, Uncertainty]
Sensitivity Analysis
• It is possible to test how sensitive the
results are to certain assumptions or
parameters used in the analysis, e.g.:
– Examine key modelling assumptions
– Assess probability parameters felt to be
important (e.g. human factors)
• The process involves changing one parameter or assumption at a time and re-evaluating the results, comparing the effect with the original results
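An added example (not part of the original presentation) tying together the Fault Tree Quantification and Sensitivity Analysis slides: it derives minimal cut sets from an AND/OR gate tree, computes the top event probability, then changes one basic-event probability at a time. The tree layout, the probabilities and the factor of 10 are constructed assumptions; only the event names come from the cutset examples on the fault tree slide.

```python
from itertools import combinations, product
from math import prod

def minimal_cut_sets(node):
    """Minimal cut sets (frozensets of basic events) of an AND/OR gate tree."""
    if isinstance(node, str):                 # basic event
        return {frozenset([node])}
    gate, *inputs = node
    child = [minimal_cut_sets(i) for i in inputs]
    if gate == "OR":                          # any input event triggers the gate
        sets = set().union(*child)
    elif gate == "AND":                       # all input events must occur
        sets = {frozenset().union(*combo) for combo in product(*child)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return {s for s in sets if not any(t < s for t in sets)}  # drop supersets

def top_probability(cut_sets, p):
    """Exact P(top) by inclusion-exclusion, assuming independent basic events."""
    cut_sets, total = list(cut_sets), 0.0
    for k in range(1, len(cut_sets) + 1):
        for group in combinations(cut_sets, k):
            events = frozenset().union(*group)
            total += (-1) ** (k + 1) * prod(p[e] for e in events)
    return total

def one_at_a_time(cut_sets, p, factor=10.0):
    """Scale one probability at a time; return new/original top probability."""
    base = top_probability(cut_sets, p)
    return {e: top_probability(cut_sets, {**p, e: min(1.0, p[e] * factor)}) / base
            for e in p}

# Constructed tree: a battery-side failure AND a supply-side failure (assumption).
TREE = ("AND",
        ("OR", "Battery A unable to output", "Op error causes loss of Batt. A",
               "Common Cause Failure of Batteries"),
        ("OR", "Charger A unavailable", "Power cable 480MCC fails",
               "Transformer failure"))
# Constructed per-demand probabilities, not data from any database.
P = {"Battery A unable to output": 1e-3, "Op error causes loss of Batt. A": 5e-4,
     "Common Cause Failure of Batteries": 1e-4, "Charger A unavailable": 2e-3,
     "Power cable 480MCC fails": 1e-4, "Transformer failure": 3e-4}

if __name__ == "__main__":
    cs = minimal_cut_sets(TREE)
    print(len(cs), "minimal cut sets, P(top) =", f"{top_probability(cs, P):.3e}")
    for event, ratio in sorted(one_at_a_time(cs, P).items(), key=lambda x: -x[1]):
        print(f"x10 on {event!r}: top event x{ratio:.2f}")
```

The nine cut sets are the three listed on the fault tree slide plus the remaining battery-side and supply-side pairings, which is what "Plus All Combinations" amounts to for this assumed tree.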
Output of FSA Step 2
End of Session 2
Session 3a:
Formal Safety Assessment
Step 2
Risk Analysis
Examples
Contents of Session 3a
Vessel Specific Failure Rate Data
Failure Frequency = Number of Failures / Exposure (Number of tests or Operating Hours)
Sources of Data
[Figure: Failure Rate (t) against Time, divided into zones I, II and III, with "Burn in" and "Wear out" labelled. Annotation: "Risk Assessment normally uses rates in this zone"]
SAFEDOR LNG Carrier FSA
SAFEDOR Containership FSA
IACS General Cargo Vessels FSA
[Figure: two pie charts of shares by category code (CN, CT, FD, FX, HM, MG, WS, XX). First chart: largest share HM 43%. Second chart: FD 43%, WS 19%, CN 19%, FX 11%, MG 4%, CT 2%, HM 2%, XX 0%]
End of Session 3a
Session 3b:
Formal Safety Assessment
Step 3
Identification of
Risk Control Options
(RCO)
Contents of Session 3b
• Purpose of Step 3
[Figure: FSA process flowchart with Step 3 marked. Labels: Definition of Goals, Systems, Operations; Hazard Identification; Scenario definition; Risk Summation; Options to decrease Frequencies; Risk Controlled? (Yes/No); Options to mitigate Consequences; Cost Benefit Assessment; Reporting]
Purpose of Step 3
Each top event in FT is combined with ET
Event tree collision
Data A index=
Software=
SOLAS II-1
RCOs
– Damage Stability
– CFD calculations
– Fire simulations
– Evacuation simulations
– Strength calculations
– Etc.
RCOs
How to Reduce Risks?
[Figure: FN diagram, log-log. Vertical axis: Frequency of N or more fatalities (per ship year), 1.0E-06 to 1.0E-02. Horizontal axis: Fatalities (N), 1 to 100. Regions: Intolerable, ALARP, Negligible. Curves: Oil tankers, Chem. tankers, Oil/Chemical tankers, Gas tanker]
Notes on RCOs
Avoid CCF
Example - Event Trees >> Causal Chain
For example:
– Vessel traffic separation - Responsibility > Port Authority.
– Loading/unloading at port facilities > Decrease ship structure stress
– Terminal moved out of congested waters and cities > Reduce public risk
– Life Saving > Improved SAR service OR Improved LSA?
>>> Actions Required in some cases may be outside the purview of IMO
– Psychological/Complacency: If we feel over-confident, we may consume the safety margin introduced.
Navigational accidents - Around 50% of the total
Distribution of navigational vs. non-navigational accidents
All vessels, excluding Fishing and Miscellaneous categories (1990-2012)
[Figure: chart with a 0% to 100% axis showing Navigational and Non-navigational shares, annotated GNSS/GPS/AIS]
Example Cases:
Output of Step 3 to be used as inputs in Step 4
1. a list of RCOs with their effectiveness in reducing risk, including the method of analysis;
2. a list of interested entities affected by the identified RCOs;
3. a table stating the interdependencies between the identified RCOs; and
4. results of analysis of side effects of RCOs.
Session 4
Step 4
Step 5
Risk Criteria
Reporting
Contents of Session 4
• Quantification of Cost
• Quantification of Benefit
• Risk Acceptance Criteria
• Risk acceptance based on Cost
Effectiveness Assessment
• Recommendation for decision making
• Reporting
[Figure: FSA process flowchart with Step 4 marked. Labels: Definition of Goals, Systems, Operations; Hazard Identification; Scenario definition; Risk Summation; Options to decrease Frequencies; Risk Controlled? (Yes/No); Options to mitigate Consequences; Cost Benefit Assessment (Step 4); Reporting]
Purpose of Step 4
Stages of Step 4
• Estimate the relevant costs and benefits for all proposed RCOs
Quantification of Costs
Variation of Costs
Quantification of Benefits
Other Benefits
Costs ($) < Benefits ($) is only carried out for loss of property and environmental pollution (no fatalities)
GCAF
GCAF = Cost of RCO / Reduction in PLL resulting from RCO
Purpose:
Is the RCO justified for its life saving capability?
NCAF
Cost Effectiveness Assessment for the Shipping Industry (GCAF)
Individual Risk
Intolerable
ALARP
Negligible
DALY/QALY
[Figure: Health index (Perfect health = 1, Death = 0) against Time (years). Curves: expected health index when RCO implemented; expected health when RCO not implemented. Area between them labelled "Disability Adjusted Life Years by implementing the RCO". Points A, B, A’, B’, C]
No explicit risk criteria for injury & ill health in FSA Guidelines (Cost effectiveness may be used)
Individual Risk: Known results
Societal Risk
FN - Diagram
Format:
F = Frequency (ship-year)
N = Number of fatalities
Cumulative distribution (N or more fatalities)
Log-Log plot
Acceptance Criteria:
Inclination on log-log: -1 (used by most regulators)
Intolerable (not acceptable): Factor 10 above benchmark
Negligible (broadly acceptable): Factor 10 below benchmark
Benchmark Crew: fatalities per GDP
Benchmark Passengers: fatalities per turnover (airlines)
Ref: FSA Guidelines, Appendix 5, Chapter 5.2
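An added example (not from the FSA Guidelines or the original slides) of the FN format and acceptance bands described above: it builds the cumulative F(N) curve from a scenario list and classifies each point against a slope -1 benchmark with a factor 10 on either side. The scenario list and the benchmark anchor at N = 1 are constructed values.

```python
def fn_curve(scenarios):
    """[(N, F)]: F is the frequency per ship-year of N or more fatalities."""
    levels = sorted({n for _, n in scenarios})
    return [(n, sum(f for f, m in scenarios if m >= n)) for n in levels]

def region(n, f, anchor):
    """Classify F(N) against the benchmark line F = anchor / N (slope -1)."""
    benchmark = anchor / n
    if f > 10 * benchmark:        # factor 10 above benchmark
        return "Intolerable"
    if f < benchmark / 10:        # factor 10 below benchmark
        return "Negligible"
    return "ALARP"

def pll(scenarios):
    """Potential Loss of Life: expected fatalities per ship-year."""
    return sum(f * n for f, n in scenarios)

def assess(scenarios, anchor):
    """Region for every point of the FN curve."""
    return [(n, f, region(n, f, anchor)) for n, f in fn_curve(scenarios)]

# Constructed scenarios: (frequency per ship-year, number of fatalities).
SCENARIOS = [(3e-3, 1), (5e-4, 5), (3e-5, 30), (2e-4, 100)]
ANCHOR = 1e-3  # constructed benchmark frequency at N = 1

if __name__ == "__main__":
    for n, f, r in assess(SCENARIOS, ANCHOR):
        print(f"N>={n:<4} F={f:.2e}  {r}")
    print(f"PLL = {pll(SCENARIOS):.4f} fatalities per ship-year")
```

With these values only the N = 100 point falls in the intolerable band, which shows how a single rare, high-consequence scenario can decide the outcome even when the rest of the curve sits in ALARP.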
Known Results: FN Diagrams
[Figure: FN diagram, log-log. Frequency of N or more fatalities (per ship year), 1.0E-06 to 1.0E-02, against Fatalities (N), 1 to 100. Regions: Intolerable, ALARP, Negligible. Curves: Oil tankers, Chem. tankers, Oil/Chemical tankers, Gas tanker]
[Figure: FN diagram, log-log. Frequency of N or more fatalities (per ship year), 1.0E-05 to 1.0E-02, against Fatalities (N), 1 to 1000. Regions: Intolerable, ALARP, Negligible]
VSL
VSL (SLF55/INF.12)
‘It is noted that the $3 million is in reality derived from 1998 statistics. If adjusted for US inflation rates until 2010, this figure should be updated to $4.14 million (2010). If adjusted for a 5% risk free rate of return the figure should be $5,39 million (2010), and if a full update based on LQI is carried out the result is $7,45 million
[Figure: bar chart of VSL by country, vertical axis from $0,00 to $12,00]
Discount Rates
Example-1 (Cost Effectiveness of a RCO)
Data:
Total number of lives lost in a fleet of 4000 ships, over the lifetime of the ships is 80
CEA Exercise: Example-1-contd..
Answer:
(80 fatalities / 4000 ships) x (US$ 7 million / fatality averted) = US$ 140,000 / ship
Step 5 in the FSA Process
[Figure: FSA process flowchart. Labels: Definition of Goals, Systems, Operations; Hazard Identification; Scenario definition; Risk Summation; Options to decrease Frequencies; Risk Controlled? (Yes/No); Options to mitigate Consequences]
Purpose of Step 5
Standardized Presentation of Final Results
Experience has shown that IMO submissions present results in different formats, and consequently comparisons are difficult to make. In order to simplify the evaluation of results obtained by different bodies, IACS suggests standardizing the presentation of final results as shown below:
Summary of recommendations
Output of Step 5