FSA PRESENTATION

Session 1a

Formal Safety Assessment

Overview

Historical Background for FSA

• Nuclear Industry in 60s: Probabilistic Safety Assessments

• Chemical Industry in 70s: QRA, Seveso Directive I and II

• Offshore Industry in 80s:

– QRA, Industrial Self Regulation Regime in Norway, Safety Case Regimes in UK

• Shipping Industry since 90s: FSA


1992, UK House of Lords, Lord Carver Report
1993, MSC 62: UK proposes FSA concept at IMO
1997, MSC 68: FSA Interim Guidelines
2001, MSC 74 [1]: FSA Guidelines
2007, MSC 83 [2]: Consolidated Text for FSA Guidelines (including acceptance criteria for safety and FSA review process)
2013, MSC 92 [3]: Revised FSA Guidelines (including criteria for oil pollution, and separate guidelines for FSA and HEAP)

[1] MSC/Circ.1023
[2] MSC 83/INF.2
[3] MSC-MEPC.2/Circ.12

Purpose of FSA

• FSA is intended to be a tool for rule-making at IMO:
– To make the decision process at IMO more rational,
– reduce ad-hoc proposals/implementation,
– give less room for politics
– To provide a proactive, holistic approach, comprising technical as well as operational aspects
• To generate information achieved in a way which is structured, systematic, comprehensive, objective, rational, auditable and documented
• To demonstrate that suitable techniques have been applied and sufficient efforts have been made to identify hazards and to manage the associated risk

Human Reliability Analysis

• The human element plays an important role in ship safety; it is believed that up to 80% of accidents are caused or influenced by human errors

• Regulations sometimes concentrate too much on hardware issues, forgetting the role of people

• This can be incorporated into FSA through the use of human reliability analysis (HRA)

• Appendix 1 in the current FSA Guidelines describes the steps to perform an HRA in an FSA

FSA - a risk based approach


[Flowchart: the FSA process]
Preparatory Step: Definition of Goals, Systems, Operations
Step 1, Hazard Identification: Hazard Identification
Step 2, Risk Analysis: Scenario definition; Cause and Frequency Analysis; Consequence Analysis; Risk Summation
Step 3, Risk Control Option: Risk Controlled? No: Options to decrease Frequencies / Options to mitigate Consequences. Yes: continue to Step 4
Step 4, Cost Benefit assessment: Cost Benefit Assessment
Step 5, Recommendations for Decision Making: Reporting

Difference between FSA and traditional regulatory safety assessment approach

| Step | Question (FSA) | Formal Safety Assessment | Traditional Approach |
|---|---|---|---|
| Step 1 | What might go wrong? | Hazard identification | What did go wrong? |
| Step 2 | How often, how likely? How bad? | Risk analysis: Frequencies, probabilities; Consequences; Risk = frequency x consequence | |
| Step 3 | How can matters be improved? | Risk control options identification | How can matters be improved? |
| Step 4 | How much? How much better? | Cost benefit evaluation | |
| Step 5 | What actions are worthwhile to take? | Recommendation | What actions are worthwhile to take? |

Difference: FSA and traditional regulatory
safety assessment approach

| FSA - Risk Based Approach | Traditional Approach |
|---|---|
| proactive, trying to identify all conceivable hazards - before they lead to accidents | reactive, responding to accidents; continuous amendments of regulations |
| regulations, consistent with safety objectives | prescriptive regulations |
| principle of safety equivalency | principle of technical equivalency |
| encompasses technical, human and organisational aspects | contains mainly technical requirements |
| cost of safety identified | |

Is an FSA a regulatory impact assessment?
‘Impact Assessment (IA) simply defined is the process of identifying the future consequences of a current or proposed action. The “impact” is the difference between what would happen with the action and what would happen without it’
International Association of Impact assessment (IAIA)

Is an FSA a regulatory impact assessment?
Formal Safety Assessment (FSA) is IMO’s Regulatory Impact Assessment, limited mainly to safety issues and accidental losses

 The impact of safety, security and environmental regulation often is risk reduction: ΔRisk; or
 The benefit part of a cost-benefit estimation is often ΔRisk

Today e.g. all OECD member countries (and EU) have requirements on performing impact assessment

What is the relationship between
FSA and GBS/SLA?
 GBS is defining a structure of
the regulations: Goals,
Functional Requirements, Rules
 FSA is a methodology of
justifying the Rules
 GBS/SLA is the combination of
FSA and GBS

What has been achieved at IMO by the use of FSAs?
Examples:
• Helicopter Landing Area on Cruise Ships –
Not Justified/Repealed
• Bulk Carrier Safety Improved (a series of
measures)
• Dangers of Ballast Water Exchange
• Justification of ECDIS as a cost effective
safety measure
• Justification for Inert Gas Systems for
chemical/product tankers < 20.000 dwt
• Documentation of safety levels for Tankers,
Container Ships, LNG Carriers, RoPAX, Cruise,
GCS
• Improved Damage Stability for Passenger
ships

End of Session 1A

IACS FSA PRESENTATION

Session 1b
Formal Safety Assessment
Step 1
Hazard Identification (HAZID)

Section Contents

Context of HAZID in FSA


Purpose of HAZID
What do we need to carry out a HAZID?
How do we analyse? – Methods available
How can we rank the hazards found?
Output from HAZID

HAZID context in FSA

[Flowchart: the FSA process, with the Preparatory Step and Step 1 marked]
Preparatory Step: Definition of Goals, Systems, Operations
Step 1: Hazard Identification
Scenario definition
Cause and Frequency Analysis; Consequence Analysis
Risk Summation
Risk Controlled? No: Options to decrease Frequencies / Options to mitigate Consequences. Yes: Cost Benefit Assessment
Reporting

Hazard Identification (HAZID)

HAZID:
• Brainstorming method applied by a team of experts
• Analyse system, process or operation to identify all related hazards, e.g. caused by failures or deviations from normal operation
• Basic understanding
What can go wrong?
• Identify all causes of a failure and all effects

The Purposes of the HAZID in context of FSA are:
• Identify all potential hazards including causes and effects
• Rank hazards by their risk in order to focus further analysis on relevant risk contributors
• Provide information (causes) for identification of risk reducing measures

Phases of HAZID

• Preparation
– Specify system/process under consideration
– Select method for HAZID
– Determine required expertise
– Prepare expert session
• Hazard identification
– Explain system/process under consideration
– Discuss step-by-step and identify failures, causes and effects (consequences)
– Estimate probabilities
• Evaluation
– Evaluate / rank hazards on basis of probabilities and consequences
• Reporting
– Describe system/process under consideration
– Summarise results

Before starting the HAZID ...

What is important before we start analysing something?


• We need to define what exactly we are going to analyse,
i.e. specify:
– objectives of the analysis
– the scope (considering also the available resources)
– what is excluded from scope, limitations
– the systems (boundaries and their functions),
operational aspects (modes, profiles, environment),
crew qualification, etc.
– the time frame of analysis
• Collect information
– In principle: As much information as possible, but
prepared in a useful format for the analysis

Before starting the HAZID ...

• Method
– Variety of methods exists,
developed and applied in different industries,
for instance
• What-If Analysis / SWIFT
• Hazard and Operability Study (HAZOP)
• Failure Modes and Effects Analysis (FMEA)
• Task Analysis (TA) (for human errors)
• …
– Provide support for analysing the system and
collecting the results
– Select method based on objectives of HAZID

Example: SWIFT of ballast system


1. The SWIFT starts by defining the relevant operations and then brainstorming hazards
2. A generic checklist is used to prompt for additional hazards
3. The worksheet covers the hazards in a logical sequence

Hazard brainstorming
What if ....
1. ... the ballast water system is inadequately designed?
2. ... the valve xyz fails?
3. ... the pump xyz fails?
4. ... a pipeline fails?
5. ... there is overpressure in a tank?
6. ... the remote system operation fails?
7. ... the valve control system fails?
8. ... there is power failure
9. ... the gauging system fails?
etc.

Generic SWIFT checklist
• Operating errors and other human factors
• Measurement errors
• Equipment / instrumentation malfunction
• Maintenance
• Utility failure
• Integrity failure or loss of containment
• Emergency operation
• External factors or influences

| Ref | What-If? | Causes | Consequences | Safeguards | Recommendations |
|---|---|---|---|---|---|
| 1 | Inadequate ballast system design | Lack of experience at shipyard; lack of regulation; poor design process or quality checking; financial constraints | Pump system capacity too low. Inability to ballast efficiently. | Class/IMO rules; Plan approval process. | |
| 2 | Failure of ballast system | Failure of pumps, valves, pipes etc.; suction blockage | Inability or reduced ability to ballast. Unable to correct heel. | Design; Redundancy; Maintenance | Ballast system should be surveyed in operation and performance tested |
| 3 | Inadequate planning of ballast operation | Inadequate training; time pressure; inaccurate weather forecast | Potential incorrect ballast operation. | Training; Procedures | Training should emphasize hazards associated with ballasting. |
| 4 | Maloperation of ballast system | Failure to follow ballast plan; unclear ballast procedures; maloperation of valve; wrong sequence of valve operation; inadequate training; time pressure | Unfavourable heel/trim or draught | Training; Procedures; Planning; Monitoring | Ballast procedures should include requirements for monitoring |

[HSE, 2001]

Hazard and Operability Study (HAZOP)

Formal, systematic method of identifying hazards by


• postulating ‘deviations’ from normal operation and
• assessing the consequences
Primarily used for identifying hazards and operability
problems of process systems, such as
fluid systems, thermal systems
Also used for reviews of procedures and other sequential
operations

Failure Modes and Effects Analysis
(FMEA)
• Systematic method to
– identify the various failure modes of equipment items and
– evaluate the effects of these failures on the system
• It accounts for single equipment failures, but not for combinations of different failures
• Typically used for mechanical and electrical systems, but not limited to these types of systems
• Often combined with a criticality analysis (FMECA)
• Types of results:
• A list of identified failure modes, their causes and possible effects
• Recommendations for further analysis

Methods for Human Hazard Identification

The purpose is to identify


• the key human tasks and
• the key human interactions with the technical systems
In general, standard HAZID techniques can be used, i.e.
HAZOP, FMEA
However, specific techniques are available:
• Human Error HAZOP or Task HAZOP
• Human Hazard Checklists
• Task Analysis (TA)

Task Analysis

• Task data is collected in a variety of ways, e.g. interviews, observation, normal and emergency operating procedures

[Diagram: hierarchical task analysis of boiling a kettle]
0 Boil kettle (Plan 0: 1 - 2 - 3 - 4 - 5)
  1 Fill kettle (Plan 1: 1 - 2 - 3 (if full then 4 else 3) - 5)
    1.1 Take to tap
    1.2 Turn on water
    1.3 Check level
    1.4 Turn off water
    1.5 Take to socket
  2 Switch kettle on (Plan 2: 1 - 2)
    2.1 Plug into socket
    2.2 Turn on power
  3 Check water in kettle
  4 Switch kettle off
  5 Pour water (Plan 5: 1 - 2 - 3 - 4)
    5.1 Lift kettle
    5.2 Direct spout
    5.3 Tilt kettle
    5.4 Replace kettle

Before starting the HAZID ...

• Expertise
– Result of HAZID depends on knowledge and experiences
of participating experts
– Select experts to cover all areas relevant for HAZID
– Consider: group size per meeting ≤ 10 persons
• Important
• Experts' abilities in addition to expertise and subject matter know-how:
 Interpersonal and communication skills
 Commitment and availability
• Consider “back-up” experts in case of no shows. One
expert missing may shoot down the credibility of the entire
HAZID!

Before starting the HAZID ...

• Not to forget:
– The HAZID moderator or leader
 Experienced in carrying out HAZIDs
 Responsible for HAZID preparation,
 Facilitates the analysis in a team,
 Ensures that all experts contribute with their specific
experience and knowledge
• Timing
– A HAZID meeting should last maximum 3 days
– Not more than 5 to 6 hours exercise per day. Otherwise,
team gets exhausted and unfocussed.

HAZID Session

• Start session by
– Familiarise participants with used method
– Explanation of scope and objectives
– Inform about schedule
• Start hazard identification by asking the team
What can go wrong? How can something go wrong?
Why? What are the causes?
How often may it happen?
How serious can it be? What are the effects?
How significant are the consequences?
Are safeguards provided to either
prevent that fault or mitigate the effects?

HAZID Session

• Moderator
– Leads the discussion (motivates every participant to contribute)
– Summarises the discussion (writing)
– Takes care that all aspects are considered
• Important: for ranking hazards the following
information must be collected
– Consequences
– Probability of failure leading to these consequences
| Function / Component | Failure Modes | Causes | Effects / Consequences | Frequency / Probability |
|---|---|---|---|---|

Ranking of Hazards

Problem:
A HAZID may identify a large number of hazards.

Too large to handle all?


(budget, capacity, time constraints)

Which ones are the “important” ones?

Which ones should be analysed in more detail in the following FSA steps?
Solution:
Ranking of the hazards by their risk
(risk to people or environment or assets)

Risk Definition

Risk = Frequency x Consequence


This can be either a quantitative or a
qualitative measure!
Risk has a dimension!
E.g. Casualties per year

Ranking of Hazards

In FSA a risk index is used to estimate risk for ranking:


• Use indices for frequency (FI) and consequence (SI)
• Both indices are specified in tables and on logarithmic scale

Risk = Frequency x Consequence


log(Risk) = log (Frequency) + log (Consequence)
Risk index = FI + SI

Attention: this estimation is only useful for ranking and not for
assessment!

Frequency Scale

| FI | Frequency | Definition | F (per ship year) |
|---|---|---|---|
| 7 | Frequent | Likely to occur once per month on one ship | 10 |
| 5 | Reasonably probable | Likely to occur once per year in a fleet of 10 ships, a few times in a ship’s life | 0.1 |
| 3 | Remote | Likely to occur once per year in a fleet of 1000 ships, once in the total life of several similar ships | 0.001 |
| 1 | Extremely remote | Likely to occur once in 10 years in a fleet of 10,000 ships | 0.00001 |

Source: IMO FSA Guidelines

Severity Scale

| SI | Severity | Effects on Human Safety | Effects on Ship | Effects on Environment | S (Equivalent fatalities) |
|---|---|---|---|---|---|
| 1 | Minor | Single or minor injuries | Local equipment / structural damage | Non significant spill up to a few barrels of pollution to sea | 0.01 |
| 2 | Significant | Multiple or severe injuries | Non-severe ship damage | A few tonnes of pollution to sea. Situation is manageable | 0.1 |
| 3 | Severe | Single fatality or multiple severe injuries | Severe damage | Significant pollution demanding urgent measures for the control of the situation and / or the cleaning of affected areas | 1 |
| 4 | Catastrophic | Multiple fatalities | Total loss | Major pollution with difficult control of situation and / or difficult cleaning to affected areas | 10 |

Source: IMO FSA Guidelines

Risk Matrix

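RISK MATRIX: risk index by frequency (FI) and severity (SI)

| FI | FREQUENCY | SI 1 Minor | SI 2 Significant | SI 3 Severe | SI 4 Catastrophic |
|---|---|---|---|---|---|
| 7 | Frequent | 8 | 9 | 10 | 11 |
| 6 | | 7 | 8 | 9 | 10 |
| 5 | Reasonably probable | 6 | 7 | 8 | 9 |
| 4 | | 5 | 6 | 7 | 8 |
| 3 | Remote | 4 | 5 | 6 | 7 |
| 2 | | 3 | 4 | 5 | 6 |
| 1 | Extremely remote | 2 | 3 | 4 | 5 |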

Source: IMO FSA Guidelines

HAZID Results

• Prioritised list of hazards including


– Description of their causes
– Description of associated consequence scenarios
• Estimations of Frequency and consequence Severity
• Risk Ranking

• Additionally:
• Description of system/process under consideration
• Summary of supporting information used
• Description of the method used
• Information about the HAZID team (name, background,
area of expertise)

HAZID Case Study

Analysis of a steering gear

Aim

The aim of this case study is to identify a list of hazards of a steering system and their associated risks

HAZID Process

Define the system


Select expert team for analysis

Identify hazards / failure modes


Identify possible failure causes
Identify possible consequences
Assess failure frequency
Assess consequence of failure
Rank hazards according to risk
Document results

Define System

• Define the system to be analysed


– where are the boundaries?
• Collect information
Here:
– steering gear system drawings
– understand system functions
– failure statistics available?

Define system to be analysed

[Diagram: steering gear system with components Pu-1, Pu-2, IV-1, IV-2, V-1 to V-4, S-1, S-2, A1, A2 and RS, grouped as „Activators“, „Valve system“ and „Actuators“]

Establish analysis team

• Establish a team of analysts with sufficient expertise in the engineering fields relevant to the system

• Assign additional team members who act as FMEA moderator and recorder

Select Experts for FMEA Team

| Name | Profession / Role | Experience |
|---|---|---|
| John Q. Public | Assessor | Piping systems design, 9 years of work experience |
| Peter Pancake | Designer | Mechanical Engineer, 10 years experience |
| Alfred Hitch | Captain | Naval architect, 13 years in command |
| Maria Rise | Fleet manager | Naval architect, 21 years work experience |
| Kevin Porter | LSA Expert | Naval architect, 16 years in classification |
| Gonzo Gonzales | Automation | Electronics engineer, 8 years of work experience |
| W. Shakespeare | Designer (recorder) | Structural engineer, 4 years work experience |
| Joe Bloggs | Safety Engineer (moderator) | Safety Critical Systems Engineering, 8 years R&D, certified moderator |

Identify the hazards / failure
modes for each component

[Diagram: steering gear system with components Pu-1, Pu-2, IV-1, IV-2, V-1 to V-4, S-1, S-2, A1, A2 and RS, grouped as „Activators“, „Valve system“ and „Actuators“]

| Component | Failure modes |
|---|---|
| Motors M-1 and M-2 | No torque, High torque, Slow torque |
| Pumps Pu-1 and Pu-2 | Blocked: No flow, Stuck, Leakage, Pumping too fast, Pumping too slow |
| Isolation Valves IV-1 and IV-2 | Stuck to close, Stuck to open, Leakage |
| Valves V-1 to V-4 | Stuck to close, Stuck to open, Leakage |
| SAFEMATIC Valves S-1 and S-2 | Stuck to close, Stuck to open, Leakage |
| Actuators A1 and A2 | Leakage, Broken |
| Connection to Rudder shaft RS | Loose / Broken |

Recording in FMEA Worksheet

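| ID | Failure Modes | Causes | Effects | Risk Control Measures |
|---|---|---|---|---|
| M-1.1 | No torque | | | |
| M-1.2 | High torque | | | |
| M-1.3 | Low torque | | | |
| M-2.1 | | | | |
| ... | | | | |
| Pu-1.1 | No flow | | | |
| Pu-1.2 | Leakage | | | |
| ... | | | | |
| A-1.1 | Leakage | | | |
| ... | | | | |
| IV-1.1 | Stuck to open | | | |
| IV-1.2 | Stuck to close | | | |
| ... | | | | |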

Identify possible failure causes

• What may cause a failure?


• E.g. causes for:
– „No torque from motor M-1“
– „Leakage in isolation valve IV-2“
• Record causes in FMEA table
(create a new row for each cause)

Recording in FMEA Worksheet


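| ID | Failure Modes | Causes | Effects | Risk Control Measures |
|---|---|---|---|---|
| M-1.1 | No torque | Electrical failure | | |
| | | Mechanical failure | | |
| ... | | | | |
| Pu-1.1 | No flow | Electrical failure | | |
| Pu-1.2 | Leakage | Crack in pressure chambers | | |
| | | Worn sealings | | |
| ... | | | | |
| A-1.1 | Leakage | Crack in pressure chamber | | |
| | | Worn sealing | | |
| ... | | | | |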

Identify possible failure consequences

• What are possible consequences / effects of a failure?
• Record the effects in FMEA table

Recording in FMEA Worksheet
| ID | Failure Modes | Causes | Effects | Risk Control Measures |
|---|---|---|---|---|
| M-1.1 | No torque | Electrical failure | Pump Pu-1 not available. Steering gear power reduced. Rudder turning speed and ship’s steering capability reduced. | None |
| | | Mechanical failure | Same as above | None |
| ... | | | | |
| A-1.1 | Leakage | Crack in pressure chamber | Reduced torque provision by Actuator A-1. Reduced ship’s steering capability. After some time low hydraulic oil level. | Isolate A-1 by closing valves S-1 and IV-1 |
| ... | | | | |

Assess frequency of failures

• How frequently will a failure occur?


– Available failure statistics, experience
– Expert judgement
• Use a suitable frequency scale
• Record frequencies in FMEA table

Assess frequency of failure

| FI | Frequency | Definition | F (per ship year) |
|---|---|---|---|
| 7 | Frequent | Likely to occur once per month on one ship | 10 |
| 6 | Probable | Likely to occur once per year on one ship | 1 |
| 5 | Reasonably probable | Likely to occur once per year in a fleet of 10 ships, i.e. likely to occur a few times during the ship’s life | 0.1 |
| 4 | Unlikely | Likely to occur once per year in a fleet of 100 ships | 0.01 |
| 3 | Remote | Likely to occur once per year in a fleet of 1,000 ships, i.e. likely to occur in the total life of several similar ships | 0.001 |
| 2 | Very remote | Likely to occur once per year in a fleet of 10,000 ships | 0.0001 |
| 1 | Extremely remote | Likely to occur once in the lifetime (20 years) of a world fleet of 5,000 ships | 0.00001 |

Assess severity of failure effects
(consequences)

• How severe can effect be?


– for people (crew, passengers)
– for assets (ship, cargo, other assets)
• Available statistics, experience
• Expert judgement
• Use a suitable severity scale
• Record frequencies in FMEA table

| SI | Severity | Human safety | Ship |
|---|---|---|---|
| 1 | Minor | Single or minor injuries. Small increase in operational duties of crew | Local equipment damage (Repair on board possible, downtime negligible). Slight modifications of permissible operation conditions. … |
| 2 | Significant | Multiple or severe injuries. Significant increase in operational duties of crew, but shall not be outside their capability. | Non-severe ship damage (port stay required, downtime 1 day). Significant modification of permissible operation conditions; not outside capability of competent crew. … |
| 3 | Severe | Single fatality or multiple severe injuries. Dangerous increase in operational duties of crew. | Severe damage (yard repair required, downtime < 1 week). Marginal operation conditions. Essential need for outside assistance. … |
| 4 | Catastrophic | Multiple fatalities | Total loss (of, e.g. a medium size merchant ship) |

Recording in FMEA Worksheet

| ID | Failure Modes | Causes | Effects | Risk Control Measures | Frequency FI | Severity SI | Risk RI |
|---|---|---|---|---|---|---|---|
| M-1.1 | No torque | Electrical failure | Pump Pu-1 not available. Steering gear power reduced. Rudder turning speed and ship’s steering capability reduced. | None | 5 | 2 | 7 |
| | | Mechanical failure | Same as above | None | 4 | 2 | 6 |
| ... | | | | | | | |
| A-1.1 | Leakage | Crack in pressure chamber | Reduced torque provision by Actuator A-1. Reduced ship’s steering capability. After some time low hydraulic oil level. | Isolate A-1 by closing valves S-1 and IV-1 | 3 | 2 | 5 |
| ... | | | | | | | |
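
The ranking step applied to the worksheet rows above, as an added example in Python (not part of the original presentation). The conversions FI = log10(F) + 6 and SI = log10(S) + 3 are read off the frequency and severity scales; clamping out-of-range values and breaking ties on severity are assumptions of this example.

```python
import math

# Scales from the page's tables: one index step per decade.
#   FI 7 <-> F = 10 per ship year           => FI = log10(F) + 6
#   SI 4 <-> S = 10 equivalent fatalities   => SI = log10(S) + 3
FI_MIN, FI_MAX = 1, 7
SI_MIN, SI_MAX = 1, 4


def _to_index(value, offset, lo, hi):
    """Map a positive quantity to the nearest integer index, clamped to the scale."""
    if value <= 0:
        raise ValueError("frequency and severity must be positive")
    return max(lo, min(hi, round(math.log10(value) + offset)))


def frequency_index(f_per_ship_year):
    return _to_index(f_per_ship_year, 6, FI_MIN, FI_MAX)


def severity_index(equivalent_fatalities):
    return _to_index(equivalent_fatalities, 3, SI_MIN, SI_MAX)


def risk_index(fi, si):
    """log(Risk) = log(Frequency) + log(Consequence), so RI = FI + SI."""
    return fi + si


def implied_risk(ri):
    """Order-of-magnitude risk (equivalent fatalities per ship year) behind an RI."""
    return 10.0 ** (ri - 9)  # removes the two scale offsets, 6 + 3


def risk_matrix():
    """Rebuild the FI x SI matrix, rows from FI 7 down to FI 1."""
    return [[risk_index(fi, si) for si in range(SI_MIN, SI_MAX + 1)]
            for fi in range(FI_MAX, FI_MIN - 1, -1)]


def rank(rows):
    """Sort worksheet rows by RI, highest first.

    Equal RI means equal order-of-magnitude risk, not equal hazards, so
    ties go to the more severe one (an assumption of this example).
    """
    scored = [dict(r, RI=risk_index(r["FI"], r["SI"])) for r in rows]
    return sorted(scored, key=lambda r: (r["RI"], r["SI"]), reverse=True)


# FI and SI values taken from the FMEA worksheet on the page.
WORKSHEET = [
    {"id": "A-1.1", "cause": "Crack in pressure chamber", "FI": 3, "SI": 2},
    {"id": "M-1.1", "cause": "Mechanical failure", "FI": 4, "SI": 2},
    {"id": "M-1.1", "cause": "Electrical failure", "FI": 5, "SI": 2},
]

if __name__ == "__main__":
    for row in rank(WORKSHEET):
        print(row["RI"], row["id"], row["cause"],
              f"~{implied_risk(row['RI']):g} per ship year")
```

Because each index rounds a whole decade into one step, the implied risk is good only for ordering hazards, which is why the page restricts the index to ranking.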

Report results

Items to be included in the HAZID report :


• Study objectives, definition of scope and limitations
• Meeting dates, duration
• Name, affiliation and expertise of each team member
• HAZID technique (brief description)
• Adequate description of the topic under investigation,
e.g. in case of a technical system:
– System functions, operating procedures
– System drawings, specifications
• HAZID Worksheets
• List of hazards ranked acc. to associated risk
• Important results, conclusions and recommendations
for further analysis

End of Module 1b

IACS FSA PRESENTATION

Session 2:
Formal Safety Assessment
Step 2
Risk Analysis

Contents of Session 2

 FSA Process
 Scope of FSA Step 2
 Measures of Risk
 Risk analysis team
 Methods and tools
 Quantitative Analysis
 Risk Models
 Quantification
 Common cause failure
 FSA and Data
 Sources of data
 Challenges
 Expert judgement
 Uncertainty
 Sensitivity analysis
 Output of FSA Step 2

FSA Process
[Flowchart: the FSA process, with Step 2 Risk Analysis marked]
Definition of Goals, Systems, Operations
Hazard Identification
Step 2, Risk Analysis: Scenario definition; Cause and Frequency Analysis; Consequence Analysis; Risk Summation
Risk Controlled? No: Options to decrease Frequencies / Options to mitigate Consequences. Yes: Cost Benefit Assessment
Reporting

Scope of FSA Step 2
• Detailed investigation of the causes of initiating
events and consequences of the more important
accident scenarios identified in step 1
– Attention to be focused upon high-risk areas
• Different types of risk
– People
– Environment
– Property
• Risk = Frequency * Consequence

People Machinery Structures

Measures of Risk
• Individual Risk
– Probability of specific person dying in one year
• Societal Risk
– FN Curve
– Potential Loss of Life PLL
– tons of oil per ship year

Risk Analysis Team

• Typically, a risk analysis is performed by:


– Small number of risk analysis experts
– With the support of a group of experienced
people in different areas:
• Naval Architects
• Seafarers
• Fire and Evacuation experts
• Structural Engineers
• Marine Engineers
• Etc.
• Be aware – the quality of the study strongly
depends on obtaining the correct balance of
expertise in the team and the reliability of data
available

Methods and Tools
• Fault Tree Analysis
• Event Tree Analysis
• Failure Mode and Effect Analysis (FMEA)
• Hazard and Operability Studies (HAZOP)
• What If Analysis
• Risk Contribution Tree
• Influence Diagrams
• Bayesian Network

Quantitative Analysis

Risk = Probability * Consequence

[Plot: Frequency per ship-year (10^-3 to 10^-1) against Consequence, Number of Fatalities (1 to 100). The marked point, 3 x 10^-3 per ship-year and 30 fatalities, gives Risk = 9E-2 fatalities per vessel year]

Probability and Frequency

• Probability is the likelihood of something happening (classic definition)
• Number between 0 and 1 (no units)
• A reference period needs to be specified, e.g.: annual probability, probability of a failure in the next 30 days
• For example:
• 10^-2 annual probability is ‘once in a lifetime’
• 10^-4 annual probability of a severe event is ‘a significant threat’
• 10^-6 annual probability in a fleet of 10,000 vessels may still be a reason to worry
• 10^-10 annual probability is ‘once in the lifetime of the universe’

• Frequency is the rate at which something occurs or is repeated over a particular period of time
• Can be any number, but failure frequencies are usually low numbers
• For example 10^-4 fatalities per ship-year (1 fatality in 10,000 years in 1 ship, or 1 fatality in 100 years in a fleet of 100 ships)

Main Components of Risk Models

• Risk Contribution Tree


– Overall risk model
• Event Tree Analysis
– Sequences of events
from initiating event to
final consequence
– Defines the scenarios
• Fault Tree Analysis
– Combination of failures
that can result in an
initiating event
• Quantification

Event Trees

• Event Trees provide a systematic means of delineating accident sequences in terms of the system/event successes and failures combinations that make up those sequences

Sample Event Tree (SAFEDOR FSA)

Initiating Events
• The first of a sequence of events leading
to a hazardous situation or accident
• They are undesirable events which may
lead to damage of the vessel and/or
personnel
• They are usually identified in FSA Step 1
• Group Initiators according to similarities
in accident progression
• A separate event tree is developed for each
group of initiating events

Consequence Determination

• Each possible sequence of events in the event tree is assigned a consequence (end state)
• The determination of consequences may require the use of specialised software, e.g. explosion and fire modelling, gas dispersion, evacuation, etc.

Sample Fault Tree (top part)

Sample Fault Tree (bottom part)

OR Gate

G = A OR B OR C
Gate is TRUE if any of the input events (A, B, C) occur

P(GATE1) = P(BE1) + P(BE2) - P(BE1 AND BE2) ≈ P(BE1) + P(BE2) = 1.01E-03

Minimal Cutsets for GATE1:
BE1
BE2

AND Gate

G = A AND B AND C
Gate is TRUE if all of the input events (A, B, C) occur

P(GATE1) = P(BE1) * P(BE2|BE1) * P(BE3|BE1, BE2)

If BE1, BE2 and BE3 independent:
P(GATE1) = P(BE1) * P(BE2) * P(BE3) = 1.00E-10

Minimal Cutset for GATE1:
BE1 * BE2 * BE3

Fault Tree Quantification
• Fault trees can be developed with a software package
– Top event probability/frequency
• Minimal cutsets (combination of failures) examples:
– Battery A unable to output AND Charger A unavailable
– Op error causes loss of Batt. A AND Power cable 480MCC fails
– Common Cause Failure of Batteries AND Transformer failure
– Plus All Combinations !

Common Cause Failures (CCFs)


• Conditions which may result in the failure of more than
one component, subsystem or system, i.e. they can defeat
multiple layers of protection at once
• Example: A laundry room fire on a cruiseship propagated
through ventilation to affect auxiliary voltage circuitry to
the high-speed breakers where a single source supplies
both port and starboard propulsion systems.
• Types of Common Cause Failures:
– environmental (fire, flood, humidity)
– design deficiency
– manufacturing error
– test/maintenance error
– operational error
| System Type | Failure Probability Omitting CCF | Failure Probability Considering CCF |
|---|---|---|
| Mechanical, 1 Train | 1.00E-02 | |
| Mechanical, 2 Trains | 1.00E-04 | 1.00E-03 |
| Mechanical, 3 Trains | 1.00E-06 | 1.00E-04 |

CCFs are Important Because They Can:

• Defeat redundancy and diversity


• Result in a complete accident sequence
• Involve both initiating event and required
mitigating systems
• Involve high probability of occurrence (as
compared with the probability of independent
failure of two or more components)
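
The gate rules, minimal cut sets and the effect of a common cause failure, worked through in Python as an added example (not from the original presentation). The two-train tree, the event names TRAIN_A, TRAIN_B and CCF, and the probabilities are constructed; the CCF value is chosen so that the results reproduce the two-train row of the table above (1.00E-04 omitting CCF, 1.00E-03 considering it), and basic events are assumed independent.

```python
from itertools import product

# Tree nodes: ("OR", [children]), ("AND", [children]) or a basic-event name.
# Constructed example: two redundant trains A and B, each of which also
# fails if a shared common cause (CCF) occurs.
TREE = ("AND", [("OR", ["TRAIN_A", "CCF"]),
                ("OR", ["TRAIN_B", "CCF"])])

# Constructed probabilities; independence of basic events is assumed.
P = {"TRAIN_A": 1.0e-2, "TRAIN_B": 1.0e-2, "CCF": 9.0e-4}


def cut_sets(node):
    """Expand the tree top-down into cut sets (sets of basic events)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":   # any child's cut set fails the gate
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":  # one cut set from every child, merged
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Drop duplicates and any cut set that contains a smaller one."""
    unique = set(cut_sets(node))
    return sorted((cs for cs in unique if not any(o < cs for o in unique)),
                  key=lambda cs: (len(cs), sorted(cs)))


def cut_set_probability(cs, p):
    """AND of independent basic events: product of their probabilities."""
    result = 1.0
    for event in cs:
        result *= p[event]
    return result


def rare_event_estimate(node, p):
    """OR over minimal cut sets with the intersection terms dropped (a sum)."""
    return sum(cut_set_probability(cs, p) for cs in minimal_cut_sets(node))


def occurs(node, state):
    """Evaluate the gate logic for one assignment of basic-event states."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    results = [occurs(c, state) for c in children]
    return any(results) if gate == "OR" else all(results)


def exact_probability(node, p):
    """Exact top-event probability by enumerating all basic-event states."""
    events = sorted(p)
    total = 0.0
    for values in product([False, True], repeat=len(events)):
        state = dict(zip(events, values))
        if occurs(node, state):
            weight = 1.0
            for e in events:
                weight *= p[e] if state[e] else 1.0 - p[e]
            total += weight
    return total


if __name__ == "__main__":
    for cs in minimal_cut_sets(TREE):
        print(sorted(cs), f"{cut_set_probability(cs, P):.2e}")
    print(f"omitting CCF   : {rare_event_estimate(TREE, dict(P, CCF=0.0)):.2e}")
    print(f"considering CCF: {rare_event_estimate(TREE, P):.2e}")
    print(f"exact          : {exact_probability(TREE, P):.6e}")
```

The single-event cut set {CCF} is what defeats the redundancy: it contributes 9.0E-04 against 1.0E-04 for both trains failing independently.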

FSA and Data

 FSA should rely on facts as much as possible


 Severe accidents are relatively rare, so data will
always be scarce (and this is good news!)
 Mathematical models, simulation, and expert
judgement are alternatives to compensate for lack of
data: This is why we perform FSAs!

Sources of Data
• There are different types of data:
– Accidents
• Casualty data sources
– Incidents/near misses and component failures
• Reliability databases
• Maintenance work orders and operating logs
• Internal reporting documents
• Industry bulletins

• Data derived from the same type of vessel being analysed is preferable, but it may be limited or unavailable, so the data scope can be expanded if needed
– For example use RoPax data to expand Cruiseship database
• Data sources from other industries can be used if judged applicable

Casualty Databases
• IHS-Fairplay Database: www.ihs.com
– Provides most comprehensive details of current world
merchant fleet of 100 GT and above
– Casualties/Detentions and Register of Ships (Paid
Subscription)
– Full data export and built in reports
– Regular updates – choice of monthly or quarterly updates
• Other source of data
– Flag states databases and investigation reports (e.g. UK
MAIB, USCG, ATSB)
– IMO Global Integrated Shipping Information System
(GISIS): www.gisis.imo.org

Notes about the Databases
 Usually databases report the failures/accidents, but
not the exposure (operating hours) in order to
estimate failure rates
 Use other sources or estimates to calculate exposure
 Failure definitions, accident classification, ship
type definitions, etc. vary, and sometimes are not
clearly defined
 Use data sources that justify their applicability to the
scope of the FSA
 Verify consistency on units used: per hour operation, per
year, per lifetime, per trip, per time used, per ship-year,
etc.
 Some equipment shows wear out behaviour, so
failure rates increase over time, and this is not
reflected in databases
 Typically FSA assumes constant failure rate over time

Notes on IMO GISIS

• IMO GISIS data is essentially not currently useful for use in FSA studies
– lack of programmability and search functions of the
database
– degree of under-reporting is large and unquantified
– Data needs to be used in combination with other data
sources to obtain a larger pool of data
• Most FSA studies have used the IHS Fairplay
database (LRFP) as the basis for accident data
analysis, complemented by data from various other
sources
• Flag administrations are encouraged to improve
reporting to IMO

Generic Data Sources For Component Reliability

Component Reliability Database Reference

• Guidelines For Process Equipment Reliability Data With Data Tables, Center for Chemical Process Safety (CCPS), American Institute of Chemical Engineers, New York, 1989.
• Nonelectronic Parts Reliability Data 2011, Reliability Information Analysis Center RIAC
• Offshore Reliability Data Handbook, 5th Edition, 2009
• The European Industry Reliability Data Bank Handbook, Pergamount, France, 1997.
• IEEE 500: Guide To The Collection And Presentation Of Electrical, Electronic, Sensing Component, And Mechanical Equipment Reliability Data For Nuclear-Power Generating Stations, The Institute of Electrical and Electronic Engineers Inc., New York, New York, 1983.

Expert Judgement

• Lack of historical data is sometimes compensated with “expert” data
• Controversial comments: subjectivity
• Specific care should be taken:
– theoretical knowledge and practical experience
– questions on observable quantities (not judgment)
– clear questions should be asked
– a number of techniques exist to combine the experts’ estimates (e.g. Delphi)
– important to document how expert judgment was handled in the study, including agreement between experts

Occupational accidents

• Injuries from occupational accidents and health effects on crew are typically not reported in any global database
• Fatalities from occupational accidents are reported sporadically in GISIS (huge under-reporting though) and not reported in IHS Fairplay (out of scope)
• Estimates show that more than 50% of all fatalities at sea are due to occupational accidents rather than ship accidents!

How much data is needed?


• Common arguments against risk assessment…
– We do not have data…
– It takes a long time to collect data…
– I do not believe in the data…
– The data is very uncertain…
• May be true, but…
– Uncertainties exist whether we perform risk assessment
or not
– …and decisions have to be made anyway!
• So…
– Risk assessment can help organize the (uncertain) data in
a systematic, consistent and transparent format
– Modelling is used to decompose accidental events into
its component events for which data is available
• For example, fault tree modelling, fire and explosion
simulation, finite element analysis

Decisions are Always Made with Uncertainty

[Figure; labels: Cost, Information, Certainty]

Uncertainty

• Point values describe event or failure probabilities only imprecisely
• Probability distributions can be assigned to each basic event in the risk models
• Uncertainties can then be propagated throughout the logic models, for example by Monte Carlo simulation

Sensitivity Analysis
• It is possible to test how sensitive the
results are to certain assumptions or
parameters used in the analysis, e.g.:
– Examine key modelling assumptions
– Assess probability parameters felt to be
important (e.g. human factors)
• The process involves changing one parameter or assumption at a time, re-evaluating the results, and comparing the effect with the original results
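
An added example (not part of the slides) of the two techniques named on the Uncertainty and Sensitivity Analysis slides: Monte Carlo propagation of lognormal distributions through a small logic model, then a one-at-a-time sensitivity run. The two median rates are the ones quoted on this deck's Component Failure Rates slide; the system layout (one valve, two redundant pumps), the 24-hour mission, the error factors and every function name are assumptions made for the example.

```python
import math
import random
import statistics

# Medians: the two rates quoted on the "Component Failure Rates" slide.
# Mission time and error factors are assumptions of this example.
BASE = {
    "pump_rate_per_h": 8.0e-4,        # diesel driven pump, fails while running
    "valve_fail_per_demand": 1.0e-3,  # air operated valve, fails to open
    "mission_hours": 24.0,
}
# Error factor = 95th percentile / median of the lognormal (assumed values).
ERROR_FACTOR = {"pump_rate_per_h": 3.0, "valve_fail_per_demand": 5.0}


def system_failure_probability(p):
    """Top event: valve fails to open OR both redundant pumps stop in the mission."""
    pump = 1.0 - math.exp(-p["pump_rate_per_h"] * p["mission_hours"])
    both_pumps = pump * pump  # pumps assumed independent (no common cause)
    valve = p["valve_fail_per_demand"]
    return 1.0 - (1.0 - valve) * (1.0 - both_pumps)


def sample_lognormal(median, error_factor, rng):
    """One lognormal draw with the given median and 95th-percentile error factor."""
    sigma = math.log(error_factor) / 1.645
    return median * math.exp(rng.gauss(0.0, sigma))


def monte_carlo(n=20000, seed=1):
    """Propagate the parameter distributions through the model."""
    rng = random.Random(seed)
    results = []
    for _ in range(n):
        draw = dict(BASE)
        for name, ef in ERROR_FACTOR.items():
            draw[name] = sample_lognormal(BASE[name], ef, rng)
        results.append(system_failure_probability(draw))
    results.sort()
    return {
        "mean": statistics.fmean(results),
        "p05": results[int(0.05 * n)],
        "p50": results[int(0.50 * n)],
        "p95": results[int(0.95 * n)],
    }


def one_at_a_time(factor=2.0):
    """Scale one parameter at a time and return result / base-case result."""
    base = system_failure_probability(BASE)
    ratios = {}
    for name in BASE:
        changed = dict(BASE)
        changed[name] = BASE[name] * factor
        ratios[name] = system_failure_probability(changed) / base
    return ratios


if __name__ == "__main__":
    print("point estimate:", system_failure_probability(BASE))
    print("Monte Carlo   :", monte_carlo())
    print("sensitivity x2:", one_at_a_time())
```

The point estimate sits inside the 5th to 95th percentile band but below the mean, which is the practical reason a single point value understates a skewed risk.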

Output of FSA Step 2

• The identification of the high-risk areas which need to be addressed
– risk to people / property / environment for the scenarios modelled
– the main combination of failures or hazardous events associated with the accident scenarios
• The explanation of risk models
– They may be reused in FSA Step 4

End of Session 2

IACS FSA PRESENTATION

Session 3a:
Formal Safety Assessment
Step 2
Risk Analysis
Examples

Contents of Session 3a

Component Failure Rates


SAFEDOR LNG Carrier FSA Example
SAFEDOR Containership FSA Example
IACS General Cargo Vessel Example

Component Failure Rates

• Time based for operating equipment
– λ: failure rate (failures per hour)
– For example, a diesel driven pump's failure to operate while running is around 8.0 × 10^-4 failures/hour
• Demand based for standby equipment
– λd: demand failure rate (failures per demand)
– it is the probability of failure to operate on the next demand
– For example, an air operated valve's failure to open is around 1.0 × 10^-3 failures/demand

Vessel Specific Failure Rate Data

Failure Frequency = Number of Failures / Exposure (Number of tests or Operating Hours)

For example, sea water injection pumps:
Operating experience at a group of companies shows:
47 failures (stop while running) in 1,334 × 10^6 hours

3.5 × 10^-4 failures/hour

• There are statistical analysis methods to evaluate the error range of the estimates

Sources of Data

• Sources for Failure Information
– Maintenance work orders
– Operating logs
– Internal reporting documents
– Maritime accident/incident databases
• Sources for Exposure
– Test logs
– Operations information
– Fleet information

Equipment Life Periods

[Figure: bathtub curve of failure rate λ(t) against time, with three periods: I Infant Mortality (burn in), II Useful Life, III Wear out]

Risk assessment normally uses rates in the useful life zone (II)

SAFEDOR LNG Carrier FSA

SAFEDOR Containership FSA

IACS General Cargo Vessels FSA

[Figure: pie chart; accident category codes shown: CN, CT, FD, FX, HM, MG, WS, XX]

Relative distribution of casualty reports over the different accident categories for IACS class ships of size 1,000 ≤ GT < 20,000 GT.

IACS General Cargo Vessels FSA

[Figure: pie chart; accident category codes shown: CN, CT, FD, FX, HM, MG, WS, XX]

Relative distribution of the different accident categories in respect of “total loss”, and for IACS class ships of size 1,000 ≤ GT < 20,000.

End of Session 3a

IACS FSA PRESENTATION

Session 3b:
Formal Safety Assessment
Step 3
Identification of
Risk Control Options
(RCO)

Contents of Session 3b

• Purpose of Step 3

• Identification of risk control measures (RCM)

• Useful results from Risk analysis

• Grouping of RCMs & Dependencies

• Results from Step 3

Step 3 in the FSA Process

Definition of Goals, Systems, Operations
→ Hazard Identification
→ Scenario definition
→ Cause and Frequency Analysis / Consequence Analysis
→ Risk Summation
→ Risk Controlled?
   No: Options to decrease Frequencies / Options to mitigate Consequences (Step 3)
   Yes: Cost Benefit Assessment
→ Reporting

Purpose of Step 3

• Focusing on risk areas needing control
• Identifying potential RCMs
• Evaluating the effectiveness of the RCMs in reducing risk by re-evaluating FSA Step 2
• Grouping RCMs into practical regulatory options: RCOs

Identifying potential RCMs


• Ideally, a team of selected experts should address all relevant aspects, such as technical, operational, human, organisational
• Experts from the Hazard Identification Team may be re-invited to carry out this team exercise, maybe strengthened with relevant additional experts.
• Results of Step 2 are presented
• The team decides on a number of possible and practical risk control options

Risk Model/Risk Contribution tree

A forest rather than a tree

Each top event in FT is combined with ET

FT may be mapped into a minimum cut set

Comprehensive model for collision probability in NAV51/10 (and many scientific papers)

Single Point Failure

[Figure: fault tree; the legend marks single point failures]

Consider removing SPFs by introducing RCOs!

Event tree collision

[Figure: event tree; labels: Data A index, Software, SOLAS II-1]

RCOs

• The event tree branch probabilities are in many cases estimated by sub-models

– Damage Stability
– CFD calculations
– Fire simulations
– Evacuation simulations
– Strength calculations
– Etc.

RCOs

• RCO evaluation frequently involves redesigns of ships; and
• Quantification of risk by reuse of risk models on redesigned ships

How to Reduce Risks?

[Figure: FN diagram (log-log). Vertical axis: Frequency of N or more fatalities (per ship year), 1.0E-06 to 1.0E-02; horizontal axis: Fatalities (N), 1 to 100. Curves: Oil tankers, Chem. tankers, Oil/Chemical tankers, Gas tanker. Regions: Intolerable, ALARP, Negligible.]

Which Risks Should be Reduced?

[Figure: the same FN diagram]

Which Risks Should be Reduced? (2)

[Figure: the same FN diagram]

Notes on RCOs

• Preventive RCOs are preferred before mitigating RCOs (better to avoid initiating a fire than to have it and then mitigate it)
• Passive RCOs are usually more reliable to fulfill their function than active RCOs (e.g. fixed firewall vs water curtain)
• Be aware that some RCMs can influence other RCMs (e.g. making them less effective) or can affect another element of the risk contribution tree
• Be aware that Common Cause Failure can affect more than one barrier (RCOs)
– If an RCO is the introduction of a redundancy, consider the diversity of the redundancies (e.g. sensors of a different principle, cabling through separate rooms, electric power drawn from independent buses)
• Designing out hazards is preferred as opposed to the introduction of procedural controls (hardware measures vs operational measures)

Notes on RCOs

• Designing out is preferred to procedural controls
– Well established principle at IMO
– Formulation in e.g. MSC1/Circ.1455:
  1.2.4 When proposing an alternative design, one should keep in mind that the substitution of design measures to reduce risk with operational or procedural ones to claim equivalent safety needs to be thoroughly examined. Normally, this should not be permitted, and special care should be taken in order to confirm that design measures take priority over operational or procedural measures.

Avoid CCF

• Pitot probes used in the aircraft A330 vulnerable to icing
• Three identical pitot probes iced simultaneously
• Plane needed to be manually controlled
• AF447 total loss, 216 passengers and 12 crew

• Remedy: Example DP Rules
– 101 Where more than one positioning reference system is required, at least two shall be based on different principles
• FT model may be used to quantify the effect
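
An added example (not from the slides) tying together the minimum cut set, Single Point Failure and Avoid CCF slides: it reduces a fault tree to minimal cut sets, lists the single point failures, and compares three identical position references with a set in which one unit uses a different principle. The beta-factor treatment of common cause failure, the unit failure probability, the beta value and all event names are assumptions of this example.

```python
from itertools import product


def minimise(sets):
    """Drop duplicates and any cut set that contains a smaller one (absorption)."""
    minimal = []
    for cs in sorted(set(sets), key=len):
        if not any(m <= cs for m in minimal):
            minimal.append(cs)
    return minimal


def cut_sets(node):
    """Minimal cut sets of a tree written as ("AND"|"OR", child, ...) tuples."""
    if isinstance(node, str):  # basic event
        return [frozenset([node])]
    gate, *children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":      # any child's cut set triggers the gate
        merged = [cs for sets in child_sets for cs in sets]
    elif gate == "AND":   # one cut set from every child is needed
        merged = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimise(merged)


def single_point_failures(mcs):
    """Basic events that cause the top event on their own (order-1 cut sets)."""
    return sorted(next(iter(cs)) for cs in mcs if len(cs) == 1)


def top_probability(mcs, p):
    """Min-cut upper bound, 1 - prod(1 - P(cut set)), basic events independent."""
    survive = 1.0
    for cs in mcs:
        q = 1.0
        for event in cs:
            q *= p[event]
        survive *= 1.0 - q
    return 1.0 - survive


P_UNIT = 1.0e-3  # constructed: probability that one reference is lost
BETA = 0.1       # assumed beta factor: share of unit failures with a common cause


def identical_triplex():
    """Three identical units: one shared cause can take out all three."""
    tree = ("OR", "CCF_ABC", ("AND", "A_ind", "B_ind", "C_ind"))
    p = {"CCF_ABC": BETA * P_UNIT}
    p.update({e: (1 - BETA) * P_UNIT for e in ("A_ind", "B_ind", "C_ind")})
    return tree, p


def diverse_triplex():
    """A and B share a principle (and a common cause); C uses a different one."""
    tree = ("AND", ("OR", "CCF_AB", ("AND", "A_ind", "B_ind")), "C")
    p = {"CCF_AB": BETA * P_UNIT, "C": P_UNIT,
         "A_ind": (1 - BETA) * P_UNIT, "B_ind": (1 - BETA) * P_UNIT}
    return tree, p


def analyse(model):
    tree, p = model()
    mcs = cut_sets(tree)
    return mcs, single_point_failures(mcs), top_probability(mcs, p)


if __name__ == "__main__":
    for model in (identical_triplex, diverse_triplex):
        mcs, spf, prob = analyse(model)
        print(model.__name__, [sorted(c) for c in mcs], "SPF:", spf, f"P={prob:.3e}")
```

With these assumed numbers the common cause event is the only single point failure of the identical set and dominates its result; the diverse set has no order-1 cut set.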

Example - Event Trees >> Causal Chain

The causal chain could be:
fatigue >> navigational error >> other ship >> collision >> flooding >> fail to launch lifeboat >> fatalities

Many possible RCOs at each stage of the escalation?

Look outside the ship for potential RCMs

For example:
– Vessel traffic separation -
Responsibility > Port Authority.
– Loading/unloading at port facilities
> Decrease ship structure stress
– Terminal moved out of congested
waters and cities > Reduce public
risk
– Life Saving >Improved SAR service
OR Improved LSA?
>>>Actions Required in some cases may
be outside the purview of IMO

RCOs that may have unexpected results

Some RCOs may have a detrimental effect on the reduction of risk

– Psychological/Complacency: If we feel over-confident, we may consume the safety margin introduced.

Example case: winter driving in Norway perceived as dangerous
>> Mandatory training introduced >> Training introduced a feeling of control/confidence >> Drivers increased speed >> Resulted in more accidents

Navigational accidents - Around 50% of the total

[Figure: Distribution of navigational vs. non-navigational accidents. All vessels, excluding Fishing and Miscellaneous categories (1990-2012). Vertical axis: 0% to 100%; series: Navigational, Non-navigational; annotation: GNSS/GPS/AIS]

Source: IHS Fairplay
Vessel categories: Tankers (A1), Bulk Carriers (A2), Dry Cargo/Passenger (A3), Offshore (B2)
Navigational accident: Collision, Wrecked/Stranded and Contact

RCOs that may have unexpected results

Example Cases:

– CO2 fire extinguishing in machinery spaces >> People left in the machinery space may be adversely affected.
– Lifeboats >> Many incidents of fatalities/injuries during exercises have been reported.
– Helicopter Landing Area as Risk Control Option >> Used for other purposes (evening entertainment, bringing in VIPs, flying passengers on sightseeing) >> Increased risk >> More fatal accidents.
– Watertight doors >> Detrimental to damage stability if left open

Grouping RCMs into practical regulatory options

• In some cases adoption of a combination of RCOs is considered for risk reduction
• The combined effects of the RCOs on risk reduction and cost-benefit should then be considered:
– A qualitative evaluation of RCO interdependencies should be performed.

Output of Step 3 to be used as inputs in Step 4
1. a list of RCOs with their effectiveness in reducing
risk, including the method of analysis;
2. a list of interested entities affected by the identified
RCOs;
3. a table stating the interdependencies between the
identified RCOs; and
4. results of analysis of side effects of RCOs.

Session 4
Step 4

Cost Benefit Assessment

Step 5

Risk Criteria

Recommendation for Decision Making

Reporting

Contents of Session 4

• Quantification of Cost
• Quantification of Benefit
• Risk Acceptance Criteria
• Risk acceptance based on Cost
Effectiveness Assessment
• Recommendation for decision making
• Reporting

Step 4 in the FSA Process

Definition of Goals, Systems, Operations
→ Hazard Identification
→ Scenario definition
→ Cause and Frequency Analysis / Consequence Analysis
→ Risk Summation
→ Risk Controlled?
   No: Options to decrease Frequencies / Options to mitigate Consequences
   Yes: Cost Benefit Assessment (Step 4)
→ Reporting

Purpose of Step 4

To identify and compare benefits and costs associated with the implementation of each RCO identified and defined in step 3

Stages of Step 4

• Use the results of Step 2 as the base case to evaluate RCOs

• Address the proposed RCOs from Step 3

• Estimate the relevant costs and benefits for all proposed RCOs

• Estimate the cost-effectiveness of each option, by dividing the net cost of implementing each RCO by the risk reduction achieved as a result of implementing the RCO

• Rank the RCOs from a cost-effectiveness perspective

Quantification of Costs

Costs of a Risk Control Option (RCO) may be composed of:
• Cost of equipment (investment costs)
• Cost of re-design and construction
• Cost of documentation
• Cost of training
• Cost of inspection, maintenance and drills
• Cost of auditing
• Cost of regulations
• Reduced commercial use
• Costs caused by operational limitations
Note:
Costs are expressed in terms of life cycle costs. They may include initial costs, costs during operation and decommissioning costs.

Variation of Costs

• There may be wide differences of costs between geographical regions and countries.
• As the market for a specific RCO is established the “economy of scale” will help reduce the initial high costs.
• A sudden demand for a large number of upgrades may increase the costs due to imbalance in the supply and demand situation.
• There may be large cost differences for the same RCO if implemented for a new ship as compared to an existing one.
In FSA:
• use reasonable averages after consideration of all the above,
• include a sensitivity study of important cost elements

Some RCOs may cost NOTHING

• Watertight doors that should be kept closed: keep them closed
• Optimisation of location of watertight bulkheads,
considering safety implication w.r.t. flooding
• Avoid drugs and alcohol
• On the job training
• Motivation
• Well planned manning/shift plans
• Etc.

Quantification of Benefits

Benefits obtained due to the implementation of the RCO are obtained by recalculating the risks applying the risk model from the base case established in Step 2.
Benefits are:
• Reduced probability of fatalities; measured in terms of indices for Potential Loss of Life ‘PLL’
– PLL: Annual probability x No. of fatalities, summed up over all accident scenarios. (Unit: fatalities per ship-year)

Other Benefits

Furthermore, benefits are
• Reduced adverse effects on environment
• Reduced property damage and other economic losses
Benefits are NOT:
• Reduced insurance premiums as result of implementing RCO(s)
Note:
The RCO is accounted for as risk reduction in the FSA. Including reduced insurance premium would count the same effect twice.
Insurance itself is not a RCO, rather a marketplace for buying and selling risks.

Cost Benefit Assessment (CBA)

Recommend RCO for implementation if:
Costs ($) < Benefits ($)
• But with regard to human life, it is controversial to convert human lives/injuries to monetary units
• Therefore:
Costs ($) < Benefits ($) is not considered suitable as recommendation criteria when the consequences involve loss of life, injury or health consequences

Costs ($) < Benefits ($) is only carried out for loss of property and environmental pollution (no fatalities)

RCOs with lower Cost/Benefit ratios are preferred

Cost Effectiveness Assessment (CEA)

When accident consequences involve loss of life, injury and ill health:
A Cost Effectiveness Assessment is performed

Defining indices for cost effectiveness in relation to safety of life:
GCAF - Gross Cost of Averting a Fatality
NCAF - Net Cost of Averting a Fatality

GCAF

GCAF - Gross Cost of Averting a Fatality

GCAF = (Cost of RCO) / (Reduction in PLL resulting from RCO)

Purpose:
Is the RCO justified for its life saving capability?

NCAF

NCAF - Net Cost of Averting a Fatality

NCAF = (Costs of RCO - Economic Benefits) / (Reduction in PLL resulting from RCO)

Economic benefits include reductions in property damage, pollution, loss of income, repair cost. Those are converted to monetary units.
Negative NCAF: If Benefits > Costs
Purpose:
Is the RCO justified for its life saving capability, accounting also for economic benefits?

Motivation for Cost Effectiveness Assessment

Table: Results from Tengs et al. (1995), “Five Hundred Life-Saving Interventions and their Cost Effectiveness”

Number of measures studied: 587
Range of cost effectiveness: negative to $10 billion / life year saved
Median value: $ 42.000 / life year saved
Median for medical interventions: $ 19.000 / life year saved
Median for injury prevention: $ 48.000 / life year saved
Median for toxic control: $2.8 million / life year saved

By reallocation of resources about 40,000 more lives could be saved (without increased spending)

Cost Effectiveness Assessment for the Shipping Industry (GCAF)

Table: Values of statistical fatalities averted in actual decisions

Decision | Decision Maker | Value
Strengthening Bulkheads on existing Bulk Carriers | IACS (1) | > 1.5 million $
Helicopter Landing Areas on Non Ro/Ro passenger ships | IMO (2) | > 37 million $ (12 million $ to 73.000 million $)
3 bulkheads on car deck | IMO (3) | < 5 million $
3 bulkheads on car deck | NMD (3) | > 5 million $
3 bulkheads + sponsons | IMO (3) | < 7.8 million $
Extended sponsons only | IMO (3) | < 11.8 million $
Collision avoidance training | Owner (3) | > 0.7 million $
Extra deck officer | IMO (3) | < 5.5 million $

Ref: (1) Mathiesen et al. (1997), (2) Skjong et al. (1997) MSC 70 WP.12, (3) DNV (1966)

A list of RCOs and their cost effectiveness for shipping:
http://research.dnv.com/skj/SAFEDOR/SAFEDOR-D-04.05.02-ListOfRCOs.pdf

Risk Tolerability and Acceptability

It is not the risk that is acceptable,

but activities involving risk

may be acceptable due to their benefits.

Risk Acceptance Criteria


9.2.2 ‘There are several standards for risk
acceptance criteria, none as yet universally
accepted. While it is desirable for the Organization
and Member Governments which propose new
regulations or modifications to existing regulations
to determine agreed risk evaluation criteria after
wide and deep consideration, those used within an
FSA should be explicit’
However:
All FSAs so far have used the same risk
acceptance criteria.
In FSAs the ALARP criterion is applied
In the ‘Strategic plan for the organization’
reference is made to the ‘best available techniques
not entailing excessive costs’ (BATNEC) principle
In practice both rely strongly on cost-benefit
analysis.

Individual Risk

Individual Risk: Risk to an individual (Fatal, injury, ill health)
Units:
Fatality: Per year (not ship-year)
Injury & Ill health: QALY loss

Acceptance Criteria - Individual Risk

Intolerable
Passengers & 3rd parties: 10^-4 fatalities/year
Crew: 10^-3 fatalities/year
ALARP
Passengers & 3rd parties: 10^-6 fatalities/year
Negligible

Interpretation of HSE, and other standards adopted for ships

DALY/QALY

Reduced number or severity of injuries and/or reduced adverse effects on health; measured in terms of ‘DALY’ and/or ‘QALY’
DALY: Disability-adjusted life years
QALY: Quality-adjusted life years

[Figure: health index (1 = perfect health, 0 = death) against time (years); curves: expected health index when RCO implemented, expected health when RCO not implemented; points A, B, A’, B’, C; marked region: Disability Adjusted Life Years by implementing the RCO]

No explicit risk criteria for injury & ill health in FSA Guidelines (Cost effectiveness may be used)

Individual Risk: Known results

Source: MSC72/16 (LMIS: 1978-1998)

Note:
Personal accidents not included
Not all ship types included

Societal Risk

Risk of death, injuries and ill health experienced by a group of people
Unit: ship-year

Two types of presentation
– Potential Loss of Life (PLL)
– FN diagrams

FN - Diagram

Format:
F = Frequency (ship-year)
N = Number of fatalities
Cumulative distribution (N or
more fatalities)
Log-Log plot

Acceptance Criteria:
Inclination on log-log: -1 (used by most regulators)
Intolerable (not acceptable): Factor 10 above benchmark
Negligible (broadly acceptable): Factor 10 below benchmark
Benchmark Crew: fatalities per GDP
Benchmark Passengers: fatalities per turnover (airlines)
Ref: FSA Guidelines, Appendix 5, Chapter 5.2

Known Results: FN Diagrams

[Figure: FN diagram (log-log). Vertical axis: Frequency of N or more fatalities (per ship year), 1.0E-06 to 1.0E-02; horizontal axis: Fatalities (N), 1 to 100. Curves: Oil tankers, Chem. tankers, Oil/Chemical tankers, Gas tanker. Regions: Intolerable, ALARP, Negligible.]

Known Results: FN Diagrams

[Figure: FN diagram (log-log). Vertical axis: Frequency of N or more fatalities (per ship year), 1.0E-05 to 1.0E-02; horizontal axis: Fatalities (N), 1 to 1000. Curves: Bulk and ore, Container. Regions: Intolerable, ALARP, Negligible.]

Implications of Known Results

Risks relating to most ship types are in the ALARP area
• Cost–benefit and cost effectiveness will be the basis for most recommendations
• An FSA does not need to analyze all accident scenarios for a ship type
• The total risk may remain unknown
• Recommendation may be based on the cost effectiveness of an RCO
Example: ECDIS recommendation was only based on risk reduction for groundings
• Criteria:
– Value of a Statistical Life (VSL)
– Value Of a Life Year (VOLY)

VSL

‘The proposed values for NCAF and GCAF in table 2 were derived by considering societal indicators (refer to document MSC 72/16, UNDP 1990, Lind 1996). They are provided for illustrative purposes only. The specific values selected as appropriate and used in an FSA study should be explicitly defined. These criteria given in table 2 are not static, but should be updated every year according to the average risk free rate of return (approximately 5%) or by use of the formula based on LQI (Nathwani et al. (1996), Skjong and Ronold (1998, 2002), Rackwitz (2002 a,b)’.

In practice all FSAs have used the criteria in table 2 (VSL = $3million)

No updating, since proposed in year 2000 based on 1998 statistics, until GOALDS project (SLF55/INF.9)

VSL (SLF55/INF.12)
‘It is noted that the $3million is in reality derived from 1998 statistics.
• If adjusted for US inflation rates until 2010, this figure should be updated to $4.14 million (2010).
• If adjusted for a 5% risk free rate of return the figure should be $5,39million (2010),
• and if a full update based on LQI is carried out the result is $7,45million

VSL

[Figure: bar chart of VSL by OECD country; vertical axis from $0,00 to $12,00]

OECD average: $7,45 million (2012)


Other regulators:
The EPA recommended VSL is also stated explicitly here:
http://yosemite.epa.gov/ee/epa/eed.nsf/webpages/MortalityRiskValuation.html
$7.4 million (2006), $8.57 million (2012)
US Ministries
http://www.dot.gov/regulations/economic-values-used-in-analysis
$9.1 million (2013), sensitivity at $5.2 and $12.9 million
Norway (2012): NOK 30 million (About $ 5 million)

Discount Rates

In practice all FSAs use
– 5% real
– ‘real’ = above inflation
This corresponds to
– Pay all initial costs
– Place an amount in the bank at a ‘risk free rate of return’ that can pay all future costs
This rate should probably be reduced in future FSAs. For example, use the UK Green Book recommendation:

Output from step 4


1. costs and benefits for each RCO identified in step 3 from an overview
perspective;
2. costs and benefits for those interested entities which are the most
influenced by the problem in question; and
3. cost-effectiveness expressed in terms of suitable indices.
Example from SLF55/INF.9 (GOALDS)

Example-1 (Cost Effectiveness of a RCO)

Data:
Total number of lives lost in a fleet of 4000 ships, over the lifetime of the ships, is 80

Q: If all lives could be saved, what would be the max. cost of the RCO in this case to be justified as cost-effective?

CEA Exercise: Example-1 (contd.)

Answer:
(80 fatalities / 4000 ships ) x
(US$ 7 million / fatality averted)
= US$ 140,000 / ship

Cost Effectiveness Assessment (CEA)

• Environmental risk evaluation

Societal Oil Spill Costs

Assurance factor (F_Assurance): allowing for society's willingness to pay to avert accidents;
Uncertainty factor (F_Uncertainty): allowing for uncertainties in the cost information from occurred spill accidents
Volume-dependent total cost function (f(V)): representing the fact that the cost per unit oil spilled decreases with the spill size, in US$ per tonne oil spilled.

Cost Effectiveness Assessment (CEA)

• In case an RCO affects oil spills only:

RCO is cost effective if ΔC < ΔSC

ΔC = Expected cost of the RCO
ΔSC = Expected benefit of the RCO = (Expected oil spill cost without the RCO) – (Expected oil spill cost with the RCO)

• In case an RCO affects both safety and oil spill:

RCO is cost effective if:

NCAF = (ΔC – ΔSC) / ΔPLL

ΔC = Expected cost of the RCO
ΔSC = Expected benefit of the RCO regarding oil spill only
ΔPLL = Expected reduction of fatalities due to the RCO

In case there is an economic benefit (ΔB), ΔC should be replaced by ΔC-ΔB.

Step 5 in the FSA Process

Definition of Goals, Systems, Operations
→ Hazard Identification
→ Scenario definition
→ Cause and Frequency Analysis / Consequence Analysis
→ Risk Summation
→ Risk Controlled?
   No: Options to decrease Frequencies / Options to mitigate Consequences
   Yes: Cost Benefit Assessment
→ Recommendations for Decision Making (Step 5)

Purpose of Step 5

To define recommendations which should be presented to the decision makers in an auditable and traceable manner.
The recommendations should be based upon:
• The comparison and ranking of all hazards and their underlying causes
• The comparison and ranking of risk control options as a function of associated costs and benefits
• The identification of those risk control options which keep risks as low as reasonably practicable

IMO Standard Reporting Format

Structure of Report:

1. TITLE OF THE APPLICATION
2. SUMMARY (Max. 1/2 page)
3. DEFINITION OF THE PROBLEM (Max. 1 page)
4. BACKGROUND INFORMATION (Max. 3 pages)
5. METHOD OF WORK (Max. 3 pages)
6. DESCRIPTION OF THE RESULTS ACHIEVED IN EACH STEP (Max. 10 pages)
7. FINAL RECOMMENDATIONS FOR DECISION MAKING (Max. 2 1/2 pages)

Report should be clear & concise (Maximum 20 Pages !)

In addition, ANNEXES as necessary are reported

For details refer to the IMO Guidelines

Standardized Presentation of Final Results

Experience has shown that IMO submissions present results in different formats, and consequently comparisons are difficult to make. In order to simplify the evaluation of results obtained by different bodies, IACS suggests standardizing the presentation of final results as shown below:

Standard reporting of final results (MSC 78/19/1)

R Description PLL ΔBenefit ΔCost ΔPLL GCAF NCAF

C (lifetime) (lifetime) (lifetime) (lifetime)

Summary of recommendations

RCOs with NCAF < 0
– Justified by economics alone
RCOs with GCAF < VSL
– Justified by life saving alone
RCOs with 0 < NCAF < VSL
– Justified by life saving & economics
RCOs with NCAF > VSL
– Not Justified
RCO with ΔC < ΔSC
– RCO justified for environmental protection reason alone
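
An added worked example (not part of the slides) that applies the GCAF and NCAF definitions, the 5% real discount rate and the safety criteria of the summary above to a set of RCOs, ranks them, and reproduces the Example-1 answer. The RCO figures are constructed; the 25-year ship lifetime, summing averted fatalities undiscounted, the order in which the criteria are checked and all function names are assumptions of this example.

```python
from dataclasses import dataclass

VSL = 3.0e6  # US$; the table 2 value the slides say FSAs have used in practice


@dataclass
class RCO:
    name: str
    initial_cost: float        # US$ per ship, paid at year 0
    annual_cost: float         # US$ per ship-year (inspection, training, ...)
    annual_benefit: float      # US$ per ship-year (averted damage, pollution, ...)
    delta_pll_per_year: float  # fatalities averted per ship-year


def annuity_factor(rate, years):
    """Present value of 1 US$ paid at the end of each of `years` years."""
    if rate == 0:
        return float(years)
    return (1.0 - (1.0 + rate) ** -years) / rate


def assess(rco, vsl=VSL, lifetime_years=25, discount_rate=0.05):
    """Lifetime GCAF and NCAF for one RCO, with a verdict per the summary slide."""
    af = annuity_factor(discount_rate, lifetime_years)
    cost = rco.initial_cost + rco.annual_cost * af
    benefit = rco.annual_benefit * af
    # Assumption of this example: averted fatalities are summed undiscounted.
    delta_pll = rco.delta_pll_per_year * lifetime_years
    if delta_pll <= 0:
        raise ValueError(f"{rco.name}: no risk reduction, GCAF/NCAF undefined")
    gcaf = cost / delta_pll
    ncaf = (cost - benefit) / delta_pll
    # Checked in this order, so each RCO gets the first criterion it meets.
    if ncaf < 0:
        verdict = "justified by economics alone"
    elif gcaf < vsl:
        verdict = "justified by life saving alone"
    elif ncaf < vsl:
        verdict = "justified by life saving & economics"
    else:
        verdict = "not justified"
    return {"name": rco.name, "gcaf": gcaf, "ncaf": ncaf, "verdict": verdict}


def rank(rcos, **kwargs):
    """Assess every RCO and sort by NCAF, most cost-effective first."""
    return sorted((assess(r, **kwargs) for r in rcos), key=lambda r: r["ncaf"])


def max_justified_cost_per_ship(fatalities_averted, ships, vsl):
    """Example-1: largest lifetime cost per ship for which GCAF does not exceed vsl."""
    return fatalities_averted * vsl / ships


# Constructed RCOs, not taken from any FSA study.
SAMPLE_RCOS = [
    RCO("RCO-D", 200_000, 0, 0, 1.0e-3),
    RCO("RCO-B", 20_000, 1_000, 0, 1.0e-3),
    RCO("RCO-C", 100_000, 0, 3_000, 1.0e-3),
    RCO("RCO-A", 50_000, 2_000, 8_000, 1.0e-3),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_RCOS):
        print(f'{row["name"]}: GCAF={row["gcaf"]:,.0f} '
              f'NCAF={row["ncaf"]:,.0f} -> {row["verdict"]}')
    print("Example-1 max cost per ship:",
          max_justified_cost_per_ship(80, 4000, 7.0e6))
```

RCO-A shows why both indices are reported: its GCAF is above the criterion, yet its economic benefits exceed its costs, so NCAF is negative.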

Output of Step 5

1. an objective comparison of alternative options, based on the potential reduction of risks and cost-effectiveness, in areas where legislation or rules should be reviewed or developed;
2. feedback information to review the results generated in the previous steps; and
3. recommended RCO(s) accompanied with the application of the RCO(s), e.g. application of ship type(s) and construction date and/or systems to be fitted on board.
