Experience Gained by the Application of the Formal Safety
Assessment Approach to High Speed Craft
C Vivalda & R Giribonel
ABSTWCT
The paper discusses the experience gained by developing a methodological approach supporting the application of the Formal Sc#ep Assessment to High Speed Crafi. The pioneer study presented in the paper started when the use and objectives of the FSA were under discussion at the International Maritime Organisation and dl~erences from the IMO FSA Interim Guideline exist. The bottom-up option was selected. The idea was to focus the analysis on individual ships to improve their design and operational performance and to extend the results to make decisions in a general regulato~ framework. In addition, safety as well as ship performance are addressed in order to reach an
optimised balance when assessing the costs against the benefits obtained by the introduction of risk reduction measures.
The methodological approach has been successfully applied to the Propulsion and Manoeuvring System of a referenced mono-hull High Speed Craft, and improvements as well as knowledge gaps hme been identijled.
INTRODUCTION
The paper discusses the main results and the experience gained by applying the Formal Safety Assessment Approach to High Speed Craft. The work was carried out as a part of a Brite Euram Project co-tided by the European Commission, DGXII, and entitled “Formal Safety Assessment of High Speed Craft (FSA-HSC)” (Project No. BE 95-1924). The project, which started in January 1996 for a duration of three years, was co-ordinated by Bureau Veritas and involved five European Organisations with complementary skills in marine topics, i.e. CETENA (I), Bazan (ES), MCA (UK), MTU (D), Scandlines (DK).
The aim of the project was to suggest a rational, comprehensive approach to safety, based on risk assessment, and to provide potential users with a methodology [Capizzi, 1997] supporting the preparation of a complete Formal Safety Assessment (FSA) [Cazzulo, Capizzi, 1994; Giribone, 1996] for fast ferries.
The methodology’s development was managed simultaneously with a step by step application to a real system on an existing craft, i.e. the propulsion and manoeuvring system of a mono-hull high speed craft. In this way the possible methodological weaknesses and inconsistencies were identified and the methodology updated through an iterative process.
In this paper, the suggested methodology, the main achievements and the lesson learnt by the approach development and application to a real case, are discussed.
A review of the advantages and limitations of its application is also provided.
The development of the project ran in parallel to the activities of the FSA Working Group at IMO (International Maritime Organisation), which ended with the release of a guideline for the Formal Safety Assessment approach application to set rules in place [IMO, 1997], The two approaches are not to be confised, as the FSA-HSC project was basically formulated to be applicable to an individual ship, evolving in a specific context and with a strong focus on availability problems,
in order to support designers and operators who will then be able to safely improve ship performance. In addition, although used in a limited context, the approach was also able to give some insight on how to assess safety rules. The FSA approach adopted by IMO addresses a generic ship and is intended to be a support tool for safety oriented rule making processes.
A comparison of the current approach and the IMO Guidelines on FSA is presented, showing that, although different, the two approaches are compatible and complementary.
METHODOLOGICAL APPROACH
The aim of the project was to address both safety and economical aspects in order to provide a methodology able to support ship designers and operators to deliver and operate a safe ship with high performance and to help policy makers set rules in place [Vivalda et al. 1998a].
In order to achieve this objective, safety analysis and availability studies have been considered the most suitable approaches, as their final results are represented by a set of recommendations and corrective measures addressing system design and operation.
Because of the different objectives they refer to, these sets could be different in nature and sometimes in conflict. Then, the introduction of the Cost-Benefit Analysis allows their assessment, providing a final set of optimised recommendations obtained by balancing the two analyses but always preferring safety features.
The figure below summarises the project development approach, showing the parallels between safety and availability analysis, including the Human Factors influence.
+
[ Guidelines 1 ( Regulations 1
Safety analysis and Human Factors
Safety analysis is an inductive-deductive approach that allows the analyst to forecast the cause-consequences of specific undesirable events (initiators) [Henley & Kumamoto 1996]. Afier having identified such events
(Hazard identification), accident scenarios are constructed and their cause-consequences investigated.
Hazard identljication is an integral part of any risk analysis procedure as a hazard not identified is a hazard not analysed and controlled. The approach used for hazard identification generally comprises a combination of both creative and analytical techniques, the aim being to identi~ as many relevant hazards as possible.
Hazard identification must always consider accidents that have already occurred, and their particular circumstances (accidentology).
Some analytical techniques exist for hazard identification, such as Failure Mode, Effect and Criticality Analysis (FMECA), for fictional failures, Zonal Analysis, for hazardous failures, Human Reliability Analysis or expert elicitation, for human related hazards.
Accident scenarios are derived fkom the Hazard Identification and relative to specific accidents, which are generally categorised in classes (e.g. collision, grounding, contact, flooding, fire, explosion, etc.),
For any given accident category, it is often usefid to precisely define the particular circumstances of this accident.
Given a final undesired event, the “accident” itself, scenarios definition aims at combining all initiating hazardous events already identified at the HAZard Identification (HAZID) stage, and combining them together with possible contributing or influencing factors, to analyse how the accident could occur and its consequences. This formalisation and quantification lead to the next steps, causeiconsequence analysis.
Taken as a whole, cause analysis is usually formalised in terms of fault trees, where the top event represents the final undesired event (or state) [Shooman
1990].
Each intermediate event contributing to the final one has to be properly connected with other relevant intermediate events. These intermediate events can be either basic, or complex events resulting from more elementary ones. In the latter case they need to be further developed by using appropriate techniques (for example events trees or fault trees).
The accidents consequences could be of any nature: injury to human life, damage to properties or to the environment. Relevant consequence analyses are therefore specific to each issue,
Frequency analysis aims at quantifying both causes and consequences. This can be done in several ways: by directly resorting to accident statistics, reliability databases, or an experts’ judgement. Complex events are broken down in more elementary ones for which quantitative data are available and corresponding probabilities are calculated by fault trees techniques. Sequences of events, happening according to conditional occurrence of intermediary events are usually estimated by using events trees.
Once frequencies and consequences are known, it is a simple matter to compute resultant risk levels. According to the scope of the analysis, individual or societal risks can be evaluated.
Risk acceptance criteria needs to be defined with the target of setting acceptance risk intervals. They can be mono-dimensional, for individual risk, or two-dimensional (FN curves) for societal risk. Usually, three risk intervals are defined: acceptable, not acceptable and acceptable z~ the “AS Low As Reasonably Practicable (ALARP)” princ@le applies. The cost-benefit analysis is applied to verifi if the ALARP principle is fhlfilled.
Safety analysis usually leads to the following main results by:
■ Demonstrating the compliance with stated safety
objectives;
■ Identi&ing the critical items or functions; ■ Identi&ing Risk Control Options (RCOS);
■ Comparing RCOS in terms of both technical
performances and cost-effectiveness;
■ Assessing the safety rules efficiency,
Special attention is also paid to Human Factors, due to the fact that human errors deeply affect the ship performance and safety and represent one of the major contributions to marine accidents.
The analysis is integrated in the previous ones, in order to have a complete understanding of Man-Machine Interaction [Lee 1996].
Expert elicitation as well as analytical methods can be used for assessing human factors.
The Delphy method [Humphrey 1988] is suggested for a general understanding of human influence on ship accidents and for quantification purposes.
A methodology for identi~ing and reducing human and organisational errors in maritime transport was also introduced [Vivalda 1998b], customizing the Technique for Human Error Rate Prediction (THERP) [Swain & Guttman 1983] for qualitative and quantitative assessment of human performance in ship navigation.
The analysis, based on Task Analysis and Human Reliability Analysis Event Trees, provides the following outcomes:
■ List of human errors likely to be encountered
during operatio~
■ Factors contributing to such errors;
■ Risk Control Options suggestions for reducing
the likelihood of such errors;
■ Detailed description of operators’ tasks, which
can be used to establish procedures, training or maintenance policies;
m Evaluation of human error probability based on the use of statistical data (e.g. THERP Data Bank), or expert judgments.
■ Comparative studies deciding whether or not a
system should be automatic or manual.
Availability analysis
As already stated in the previous sections, a project’s particularity was a combination of safety assessment and ship performance analysis. Ship performance can be assessed by probabilistic methods and is commonly known as ship availability.
The term availability generally represents a measure of the ship’s ability to perform a specific task under stated operational conditions [Blanchard 1992]. The availability figure is obtained by the analysis of the ship’s subsystems, e.g. propulsion system, control system, etc. and the combination of their performance.
Many contributors intervene to determine the final availability figure, i.e. intrinsic reliability characteristics, maintenance policies, organisation, training level, etc. Moreover, boundary conditions, such as weather conditions, sea state, route, etc. should be added to these factors, It follows that, due to a variety of aspects to be taken into consideration, the quantitative assessment of availability and the subsequent interpretation of the results, requires a clear definition of the system under analysis, mission profiles, weather and sea conditions.
The method developed in the project targets evaluating theoperational availabilip of Fast Ferries and is supported by provisional techniques for availability analysis [Vivalda & Capizzi 1999]. It compares the results with the objectives stated by the ship operators in order to provide an understanding of the actual ship behaviour with respect to the expected one. The influence of subsystems/components on the availability of the system is also evaluated.
Starting from the mission profile of the ship, the maintenance activities foreseen during navigation (usually corrective) and the reliability of the ship’s items, a model representing ship performance is set up. This model makes use of Reliability Block Diagram (RBD) technique, which allows the system to be represented as a combination of subsystems and components behaviour in terms of reliability/availability relationships.
Usually for each phase of the mission profile, two or more levels of RBD should be provided. The fwst level is represented by the System Reliability Block Diagram, in which the blocks refer to the main subsystems, the second by Subsystem Reliabili~ Block Diagrams, reporting the logical decomposition of the subsystems in elementary items, and so on.
The quantitative assessment of ship availability is obtained by applying Monte Carlo simulation to the RBDs or when possible, by transforming the RBDs into Fault Trees and solving them according to the rules of Boolean Algebra [Capizzi 1998].
This assessment is possible only when reliability and maintainability data are provided. Usually for each elementary item, at least failure rates and repair rates are required, which can be either constant or variable in time
according to a known statistical distribution. Their identification should be supported by data banks, existing statistics, expert judgement, etc. ~ivalda et al. 1998c].
The method is applicable to a single ship or to a fleet. In this way different maintenance practices and design solutions, can be compared.
The method main advantage is represented by its ability to provide a preliminary and provisional estimate of ship performance and to identi~ possible design or operational improvements.
The analysis output is mainly represented by:
■ the quantitative assessment of the actual
availability of the ship;
m a list of subsystems/ components most influential in system performance;
■ a set of Availability Improvement Options
(AIOS) aimed at improving ship’s availability;
■ input to cost-effectiveness analysis of proposed
AIOS. Cost-benefit analysis
The Cost Benefit Analysis methodology [AEA 1996, Brent 1996] addresses issues concerning costs and benefits assessment due to the implementation of Risk Control Options and Availability Improvement Options, to potentially reduce the risk of accidents and service irregularity.
The benefits associated to each improvement is assessed for each scenario.
Availability benefits (e.g. costs of downtime re. vessel per operating hour, delay with respect to operative requirements) as well as safety benefits (people and material) are addressed
Concerning the benefits on safety improvements, the new scenarios should be recalculated and compared to the risk acceptance intervals to see, if they still fall in the interval of “acceptable if ALARP (As Low As Reasonably Practicable)” or have moved to the “acceptable interval”. If two scenarios at the ranking are considered to be ahnost equal in financial terms, then this additional information can assist in the decision making process.
The costs of the improvements (RCOS and AIOS)are then estimated using data tlom operators, yards etc.
The identi~ing the RCOS and AIOS in economic terms involves the evaluation of
■ the benefits present value of each improvement; ■ the costs present value of each improvement ■ the net present value (NPV) of each
improvement.
A spreadsheet for estimating the NPV is prepared and arranged. The expenditure for each year’s period is stated as extra information to assist in the decision making.
The Cost of Unit Risk Reduction (CURR) is then calculated for the safety measures (RCOS) and it provides an indication of the RCOS relative efficiency.
For availability analysis this figure can be evaluated indirectly by assessing the reduced risk level due to the availability improvements suggestions, if any.
In the case where AIOS would improve only ship performance, without impairing safety, the Cost of Unit Unavailability Reduction (CUUR) is evaluated. This coefficient provides information about the AIOS relative efficiency.
For each AIO and RCO there are now some improvements given with a calculated CURR and/or CUUR value. The ranking of the different improvements for the same component or scenario should be done by giving the improvement with the smallest CURR (CUUR) value, the highest preference. If two or more improvements have almost the same CURR-value (CUUR-value) it is possible to use additional measures to rank them.
A sensitivity analysis is usually necessary in order to take into account the uncertainty of different assumptions made in the calculations.
The output from the Cost Benefit Analysis is represented by:
s a report describing different measures to be incorporated in the design of the crafl or the procedures for its operation, in order to apply with the fiarnework of the ALARP concept;
■ information for rule makers for setting new rules
in place. Decision making
Once the RCOS and AIOS are ranked, a criterion is necessary to assess them and make the final decision. The criteria vary according to the concerned stakeholder and sometimes they can be conflicting. For example the ship operator could be mainly concerned by an extra financial incentive while the policy maker could be only interested in saving human lives. Brainstorming sessions among the different stakeholders, as well as rational methods are therefore necessary to reach a satisfying agreement.
CASE STUDY
The methodological approach has been satisfactorily applied to the propulsion and manoeuvring system of a referenced mono-hull fast ferry and recursively updated when weaknesses and inconsistencies were identified.
The selected ship has a maximum speed of 37 knots, CODAD configuration, with NO steering and two booster propulsion lines.
The safety, as well as the ship availability were assessed during the operation between two ports and the mission profile was defined according to five phases: harbour manoeuvring, exiting ffom harbour, navigating the open sea, approaching the harbour, loadinghmloading and supplying.
The methodological approach application to the specific ship configured as above has lead to the identification of a set of Risk Control Options and Availability Improvement Options which were submitted to cost benefit assessment, A final ranking was presented according to their effectiveness.
To give the reader an understanding of the kind of Options suggested and their influence on safety andlor availability, two examples are presented. The fwst one concerns a measure influencing both safety and availability, i.e. a change in the design of the propulsion system, where four steering lines are selected, instead of two. In this case, a dramatic improvement of both the parameters is documented.
The second example refers to the design of the collapse zone in ffont, in order to reduce the collision consequences. In this case, safety enhancements are not closely accompanied by the operational availability ones. As in this case the measure’s cost is high, its worthiness can only be justified by the cost-benefit assessment.
The different stakeholders could then take advantage of these results in their process of decision making. For example:
“ the owner could better accept an increase of the costs in light of the advantages and benefits obtained. Obviously, close co-operation between the designer and the owner is necessary in order to define the optimal choice;
■ the policy maker could rationally justify the
introduction of new rules, knowing the impact on an individual’s safety;
■ thepassenger could acquire more confidence in the
new technology he is experiencing, etc.
COMPARISON TO IMO FSA APPROACH
The idea of setting up the current project came at the same time as the initiatives promoted by the IMO for the introduction of the FSA approach for the rule making process.
At that time, alternative approaches concerning the basic philosophy and the implementation of the FSA method were submitted by delegations of different member countries and interesting discussions occurred deciding whether to apply the approach to a generic or a specific ship.
The current project followed its own direction, supporting the application to a specific ship, while the discussions at IMO closed with the adoption of “the generic ship” as an assessment basis to support the rule makers in their final decisions. The IMO Interim Guidelines [IMO 1997] were endorsed in 1997, and are currently being improved by the feedback gained flom their application to selected case studies.
In addition to the IMO approach, the current project was also concerned about the performance of the ship, and due attention was paid to the balance of the two leading parameters in ship design: safety and earning features. The objective was to provide a method able to assist:
■ the ship designers and operators in their day to
day decisions about design and operation optimisation, and
‘ the rule makers in the revision and introduction of proactive and rational regulations.
A parallel between the two approaches is given in the following table, where the five steps of IMO FSA are compared to those of the project under discussion.
Yhiptype kpproach Jteps
I
E-L
IMO FSA FSA HSC
Generic Individual
Top-down Bottom-up
■ Hazard Identification 8 Hazard identification
s Availability objectives
■ Risk assessment ■ Risk Assessment ■ Availability
assessment
■ Risk Control Options ■ Risk control Options ■ Availability
improvement options 8 Cost benefit I■ Costbenefit
Regulator Designer Owner Insurer
The following main features can be highlighted by comparing the two approaches.
■
■
■
Compatibility the well known five steps of IMO FSA are endorsed by the FSA HSC project; End user focus: Both approaches are intended to support decision making. The IMO FSA addresses the regulators while the FSA HSC project has a broader spectrum of end users (designer, owners, insurers, regulators) and aims at following the ship’s life cycle from the early design phases. The FSA HSC approach also deals with ship performance, enlarging the options for a rational ranking of alternatives; Complementari~ aids for decision making are provided by either a top-down or a bottom-up approach. In the first case generic directives can be directly drawn from the outcome. In the
second case the specific results need to be generalised and then generic directives can be defined. Both approaches should contribute to create a wide and comprehensive spectrum of suggestions to the different stakeholders.
CONCLUSIONS
The project ran three years and new concepts and ideas have been raised since its inauguration.
A new safety culture is spreading all around the maritime community and a better understanding of the proactive approaches is progressing.
Today, several applications of the FSA approach have started, contributing to the improvement of the IMO Interim Guidelines.
The current project can be considered as a pioneer and one of the most complete studies attempting to face safety issues with a proactive philosophy. In addition, human factors, as well as performance characteristics have been addressed, in order to provide the decision makers with a wider spectrum of information for their final decisions.
Limitations and gaps are still present, but the great advantage is that many of them have been identified and could be better addressed in order to support the maritime community in its struggle for safety enhancement.
The methodological approach can be considered sufficiently complete to address the different issues related to ship safety and availability and to support the decision makers.
The techniques used are well assessed in other technological applications (i.e. nuclear, aerospace, chemical, etc.) and suffer from limitations that have already been highlighted [Shooman 1990]. However, they represent a good starting point for rationally assessing ship behaviour.
The lack of reliable data for the maritime application is always claimed [Inuzu et al. 1996] but the opinion of the authors is that the problem can currently be encompassed by combining field data with expert judgement, and by giving the results of the study relative
importance rather than absolute meaning.
One of the major difficulties is to include the human factor assessment in safety studies, because specific methods do not exist and the those developed in other technological applications [Kirwan 1994] are limited with regard to some particularities of maritime personnel behaviour. The recent adoption by IMO of a guideline for the inclusion of human factors in the FSA process [IMO 1999] is an important step toward fulfilling this gap. However, fiulher research in this field is necessary in order to face one of the major causes of marine accidents.
ACKNOWLEDGEMENTS
The authors would like to thank the partners of the FSA HSC project, for the collaboration and valuable contribution to the development of the work. They would also like to thank the European Commission, for the trust in the research activity and the financial contribution.
REFERENCES
AEA Technology (1996) ‘Full Methodology Report (FINAL), MSA Project 388 Step 4 Methodology “Cost Benefit Assessment’”, Deliverable 388D4, September
1996, AEA/RTRN/24855001 /196/Issue 3.
Blanchard, (1992) Logistic engineering and management. Prentice Hall International, IV ed.
Brent, R (1996) Applied cost-benefit analysis. Edward Elgar Publishing Limited, 1996.
Cazzulo, R., Capizzi, S. (1994) Perspectives of implementation of the Formal Safety Assessment methods for chemical tankers. International Symposium TDG12. Transport of dangerous goods by sea and inland waterway. 1994, Manchester, U.K.
Capizzi, S, (1998) Procedura per la valutazione previsionale dei parametri ARM (Availability, Reliability and Maintainability) in sede di progettazione nave. Rapporto Cetena N“ 6525.
Capizzi, S., Dogliani, M., Lauro, G. (1997) Assessment of operational and safety performance according to the HSC IMO Code. International conference Nav&HSMV. 1997, Sorrento, I.
Forestier, J.M., Giribone, R. (1997) Formal Safety Assessment for High Speed Craft. Propulsion and Manoeuvring System Reliability. International Symposium on the Safety of High Speed Cratl. Feb. 1997. London, U.K.
Giribone, R. (1996) FSA-HSC. Methodological Guidelines. BE 95-35 Project Report No. Tec-00-02.
Henley, E.J., Kumarnoto, H. (1996) Probabilistic Risk Assessment and Management for Engineers and Scientists, , Second edition, 1996. By, IEEE PRESS, ISBN 0-7803-1004-7, 1996.
Humphrey, P. (1988) Human reliability assessors guide. Safety and Reliability directorate. UKAEA. RTS 88J95Q.
IMO (1997) Interim Guidelines for the application of Formal Safety Assessment (FSA) to the IMO rule-making process. MSC/Circ. 829. MEPC/Circ. 335.17 Nov. 1997. IMO (1999) Draft Guidance on Human Reliability Analysis (HRA) within the Formal Safety Assessment. MSC 71iWP. 15/Add. 1, May 1999)
Inozu, B., P. G. Schaedel, Z. J. Karaszewski, (1996) Reliability, Availability, Maintainability @.AM) Database
/ Shipnet of the Ship Operations Co-operative Program. Annual SNAME meeting October 1996.
Lee, J.D. (1996) Design of advanced ship systems: emerging problems and human factors solutions. CETENA Seminar on Human Factor Impact on ship design )), Genoa, I, 1996.
Kirwan, B. (1994) A guide to practical human reliability assessment, Taylor&Francis Ltd., London, U.K., 1994.
Shooman, M.L. (1990) Probabilistic reliability: an engineering approach. Krieger Publishing Company. Second ed.
Swain, A.D., Guttman, H.E. (1983) Handbook of human reliability analysis with emphasis on nuclear power plant applications. NUREG/CR - 1278, U.S. Nuclear Regulatory Commission, Washington, .C. 1983.
Vivalda, C. (1993) Affldabiliti dei sistemi dinarnici: il problems delle missioni a fmi, Ph.D. Thesis. Ministero dells Ricerca Scientific e Tecnologica. Roma, I, 1993.
Vivalda, C., Giribone, R., Forestier, J.M., Pedersen, A.Cl., Carlsen, R. Aa., Capiz.zi, S. (1998a) Safety and economical factors into the Formal Safety Assessment of Fast Ferries. 14th Fast Ferry International Conference. Bells Center, Copenhagen. 24th-26th February 1998.
Vivalda, C. ( 1998b) An approach to Human Error Analysis during steering and manoeuvring of Fast Ferries. International Conference “ESREL 98”. Norway, June
1998.
VivaIda, C., Capizzi, S., Pedersen, A.Cl., Molinero, J. (1998c) An approach to customise generic reliability data to specific studies of High Speed Crafts. 14th ESReDA Seminar on Quality of Reliability Data. Stockholm, Sweden, 14th-15th May 1998.
VivaIda C, Capizzi S (1999) Availability analysis of High Speed Crafts - a way to improve competitiveness, ISOPE-99 9th International Offshore and Polar Engineering Conference & Exhibition, Brest (F) May-June 1999.
