Formal Safety Assessment in Maritime Industry - Explanation To IMO Guidelines

This document provides an explanation of formal safety assessment (FSA) guidelines from the International Maritime Organization (IMO). FSA is a structured, systematic methodology for risk analysis and cost-benefit assessment used to evaluate maritime safety regulations. The five steps of FSA are: 1) identify hazards, 2) assess risks, 3) explore risk control options, 4) conduct cost-benefit analysis of options, and 5) make decisions. Key aspects of FSA covered include hazard identification, risk analysis, and the steps to carry out an FSA.


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/256471309

Formal Safety Assessment in Maritime Industry - Explanation to IMO Guidelines

Article · September 2013

1 author: Arun Kishore Eswara, Indian Maritime University - Visakhapatnam

All content following this page was uploaded by Arun Kishore Eswara on 12 June 2014.


Formal Safety Assessment in Maritime Industry∗ - Explanation to IMO Guidelines†
(Class Notes for MTech NA&OE 1st Year)

Eswara Arun Kishore


SMDR, IMU-Vizag
Gandhigram, Visakhapatnam: 530051
[email protected]

September 10, 2013

1 Introduction
The disaster at the North Sea oil production platform Piper Alpha in 1988 prompted IMO to implement binding guidance for evaluating safety in the maritime industry, known as "Formal Safety Assessment". The disaster took the lives of 167 crewmen and is the worst ever oil production disaster in terms of human lives lost. The Piper Alpha platform was originally built for oil production and was later converted to produce and handle gas. The disaster took place because a gas hydrate pump, whose system was under maintenance, was unknowingly started. Gas leaking from the opened-up parts ignited and caused an explosion. The rig was designed for oil and could resist only fires, not explosions, so its parts were ripped apart. Debris from the blast site ruptured another gas line, leading to large gas leaks, and the subsequent fires and explosions took a heavy toll. A work permit had been made out for the pump system under maintenance, but it was not suitably displayed in the control room. Also, at the change of shift, the relieving engineer was not fully apprised of the situation.

2 Formal Safety Assessment

"A rational and systematic process for assessing the risk associated with the shipping activity and for evaluating the costs and benefits of IMO's options for reducing these risks" - this epitomizes Formal Safety Assessment. Any disaster ensuing from an activity can be prevented by aptly framed assessment tools that enhance safety. FSA is a structured and systematic methodology of risk analysis and cost-benefit assessment. FSA can be used to help evaluate new regulations for maritime safety and protection of the marine environment, or to make a comparison between existing and possibly improved regulations. FSA is done with a view to achieving a balance between the various technical and operational issues, human elements, maritime safety, marine environment protection and costs. The term 'Formal' refers to 'formal methods' for safety assessment, which means the use of mathematical logic to reason about the safety assessment process [Marco Bozzano, 2011].

2.1 Five Steps to Safety


• Identify and visualize all hazards related to the activity.
• Assess the risks associated with each identified hazard.
• Explore and exercise risk control options.
• Carry out a cost-benefit assessment of each risk and of the control options explored.
• Decide and plan the activity if it is viable.

∗ Creative Commons License - Quote author and organization and use it non-commercially as you like
† Created using LaTeX, pgf-TikZ, Emacs-AUCTeX, Fedora-Linux, apalike bibliography style

[Figure: FSA flow - Hazard Identification → Risk Assessment → Risk Control Options → Cost Benefit Assessment → Decision Making Recommendations]

3 How to carry out FSA?

FSA can be carried out with a prior set of information and data on the safety issues related to the activity. If such data is not available, then either IMO casualty statistics or expert opinion can be used. Physical models, analytical models, simulation techniques and probabilistic models can also be used as alternatives to statistics or expert opinion. A record of events should be gathered from time to time, which will create a database for future assessments. So incident reporting and near-miss reporting form an essential base of FSA.

4 Steps of FSA
4.1 Hazard Identification
Consider a simple example, say filling fuel into a car. How do we know what is a hazard? To identify a hazard, common sense and good experience of the subject are required. For most of the simpler cases we have our common sense. But for some cases, where a physical test or a computer visualization is required, methods have to be planned and executed realistically and creatively. Imagine a passenger car crash test: what is it? It is a kind of test to prove the safety of the passengers in a calculated crash. This example clarifies what we mean by physical modelling. Now coming back to our activity, we can say the hazards identified are:

1. Fire - Fuel can be ignited by lighted cigarettes, use of mobile phones or other sources of ignition. Another hazard often overlooked is the electrical bonding between the filler and the tank. Personnel involved in laboratory experiments and aircraft fuelling operations are well familiar with such static discharges.
2. Spill - Fuel can spill and contaminate the area.
3. Toxic vapour inhalation - Vapours can be inhaled by personnel.
4. Ingestion - Unintentionally, fuel can enter the mouth, or kids can swallow it.

When the job is familiar, we are in a position to identify the hazards. But what if the job is not known, like a ship's fuel bunkering operation? Such an assessment can be handled only by people well familiar with those operations, who have managed them sufficiently to be called experts.
Ranking: Hazards identified should be assigned a value commensurate with the extent of damage or severity of their effects and the frequency of their occurrence. The ranking should be judiciously made.

4.2 Risk Analysis


Risk is defined in popular dictionaries as ’a situation involving exposure to danger, a hazard or a dangerous chance,
the possibility that something unpleasant or unwelcome will happen’.

4.2.1 Why Risk Analysis?

Risk-taking ability is an important step towards economic advancement, technological development, improved quality of life or successful adventures. This is the key element in our modern economy. Taking unmanageable risk is capricious. It is important for any industry or country to manage risks in its strides towards prosperity. Risks could be physical, economic, social, political or moral, so risk management is a challenging exercise. When we work for the sustainability and profitability of an industry, it therefore becomes essential to study and understand the risks associated with each activity we carry out [Aven, 2003]. Traditionally, hazardous activities are designed and operated by reference to the pertaining codes and standards. Now the inclination of the industry is more functional, in the sense that the concern is more with what is to be achieved than with a prescribed solution to the identified risk.

The ability to address risk is an important factor. So there is a necessity to identify and categorize risks to provide decision support concerning the choice of arrangements and measures. The ability to define what may happen in the future, to assess the associated risks and uncertainties and to choose among alternatives lies at the core of a risk management system. Factors of an activity are evaluated both qualitatively and quantitatively and a concept is developed. The best alternative is the one that gives the highest profitability, no fatal incidents and no damage to the environment. But it is impossible to know with certainty which alternative is the best, as there are many risks and uncertainties involved with any choice. So the decision to choose a specific alternative has to be based on predictions of cost and other key performance measures and on an assessment of risks and uncertainties. Therefore, risk analysis is a must.

4.2.2 What is Risk Analysis?

Risk analysis is the detailed procedure of analyzing the causes of hazards and their consequences. Risk analysis is a methodology; there are a number of techniques, theories and concepts applied in its process. Some of them are explained here:

Meaning of Qualitative & Quantitative in Risk Analysis: Risk determination is sometimes judgemental, or it involves a theory, proof or experiment to determine a quantitative risk. Quantitative means either using a numeric value, like 10 times in 1000 repetitions, or an abstract quantification such as 'catastrophic', 'moderate', etc. Determination of risk by a definite quantity is advantageous, as it is more clearly stated and can be understood by a large number of people. But such determination is only possible when sufficient data is available. When data is limited, or when it is not possible to quantify a risk, expert judgement is relied on, which is called qualitative assessment. Qualitative decisions depend on the expert's opinion and can change from person to person. Quantitative risk analysis requires precise, good-quality data to establish a value for a hazard. A combination of qualitative and quantitative analysis is also used in risk assessment. A common practice of using risk estimates is shown in Fig. 3. The consequence of a risk is shown along the y-axis and the likelihood of occurrence of the risk along the x-axis of a matrix. The resulting 'risk rank' is shown there as the product of likelihood and consequence. The 'risk rank' is shown as a sum in Table 6. IMO used summation in that table because it is based on logarithmic values, see Tables 3 and 5. The risk rank gives a quantified value using the risk index matrix. When a new circumstance is observed and the associated risk needs to be determined without sufficient data, an expert can classify this new risk as 'High Risk', 'Medium Risk' or 'Low Risk'. This grouping is the qualitative determination of the risk. A qualitative risk should be improved throughout its life cycle, using day-to-day data on its likelihood and consequence [Ayyub, 2003].

1. Fault Tree Analysis: This is a top-down approach in which each hazard, with the causes or events below it and the relationships between those events, is built into a 'working model' of the hazardous occurrence. The development of the fault tree starts with an initiating event which can lead to a hazardous occurrence; for this reason the technique is often called 'deductive'. The immediate causes (events responsible) of the initiating event are then identified. Further subsequent events are defined and related to the earlier identified events to create a model. These segregated events, which contribute to a hazardous occurrence either alone or in combination with other events, constitute a Boolean model of blocks of events. Such a development of blocks of events, with logic 'or' (alone) or 'and' (combination), responsible for a hazardous occurrence is called 'Fault Tree Analysis'. The symbols used in FTA are shown in Table 1 [Vesely, 2004].

Symbol              | Meaning
Event               | Top or intermediate event
Undeveloped Event   | Event not developed further
Basic Event         | Lowest-level event
AND gate            | The output event above occurs if all of the input lower-level events occur.
OR gate             | The output event above occurs if either of the input lower-level events occurs.
Transfer            | Transfer to/from another part of the fault tree

Table 1: Fault Tree Analysis / Risk Control Options - Basic events and basic gates

Development of a fault tree is beneficial in understanding events and their relationships. The fault tree explicitly shows all the different relationships that are necessary to result in the top event. In constructing the fault tree, a thorough understanding is obtained of the logic and basic causes leading to the top event. The fault tree is a tangible record of the systematic analysis of the logic and basic causes leading to the top event. The fault tree provides a framework for thorough qualitative and quantitative evaluation of the top event. FTA is usually applied to technical issues, for example lifting a heavy steel structure using a crane, taking into account all the design and operational safeties, procedures and the human element. For further understanding of FTA, refer to the US Nuclear Regulatory Commission 'Fault Tree Handbook' available at "http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/". FTA can be understood with the illustration below for filling fuel into a car.
[Figure (reconstructed from the flattened diagram): fault tree for filling fuel into a car]
Top event: Hazardous Occurrence
  Undesirable Event - one of the four branches below:
    Fire: Filling together with an Ignition Source (Smoking; Mobile Phone; Static Discharge)
    Spill: Filling together with an Undesirable Event (Lack of Attention; No Prior Check of Car Tank)
    Vapor Inhalation: Open Loading; People on Downstream Wind; People Liking Smell
    Fuel Ingestion: Fuel Splash; Mischievous Kids :-)
(The grouping of the leaf events under the four branches is as recovered from the extracted layout.)

2. Event Tree Analysis: An inductive analysis technique for identifying and evaluating the sequence of events leading to a hazardous occurrence following an initiating event. This gives a graphical model of a hazardous occurrence with each initiating event and its probabilities. Unlike Fault Tree Analysis, this is a bottom-up analysis. We start with an initiating event and look at the consequences. The objective of Event Tree Analysis is to see whether an initiating event develops into a hazardous occurrence. The Event Tree Analysis tests the effectiveness of safety systems and procedures. The analysis gives rise to a probabilistic model, in which the probability of an event leading to a dangerous situation can be worked out. Event Tree Analysis has the following steps:
(a) Identify the major accidents from the activity.
(b) Consider developing an ETA for each of the major accidents identified above.
(c) Identify the operational / design barriers which are in place to prevent such occurrences.
(d) Construct the event tree.
(e) Describe the seriousness of the resulting accident.
(f) Determine the frequency of such accidents and the probability of each branch in the event tree.
(g) Calculate the ratio - Probability/Frequency - for the identified branch.
(h) Complete the ETA for all such accidents, and compile the data, which will be the ETA for the activity.
The construction looks very simple with the above steps; however, it is not so. Determination of the seriousness, probability and frequency of incidents requires a large amount of data. The example shown in Fig. 1 would help in understanding the ETA of an initial event 'Explosion'.

Figure 1: Example of an Event Tree Analysis


(Source: Marvin Rausand, NTNU; System Reliability Theory (2nd ed), Wiley, 2004 - 6 / 28)

An industry works and creates a database using various reports of the number of fatalities, injuries or pollution incidents resulting from accidents. The statistics tell us the total number of incidents associated with an activity, with a wide range of outcomes. Some outcomes are catastrophic, while some are not so serious but occur very frequently. There are various other possible outcomes as well. They are instrumental in showing some trend, for example 60 failures in 100 attempts, which means a high possibility of failure! But at the same time they do not show what other prevailing conditions assisted the failure or otherwise. However, they suggest that if the activity is carried out as practised, the probability of failure is 0.6. Such data can be used to estimate the safety level, give inputs to risk analysis and compare alternative choices. The main challenge of interpreting the data to predict future risks, however, remains. Changing circumstances, the human element and too little data for making predictions should be addressed. This calls for additional risk modelling, or repetition of the activity under the expected circumstances, taking into account the people involved (Human Element).
In summary, ETA is beneficial to [Vesely, 2004]:
1. Exhaustively identify the causes of a failure, to identify weaknesses in a system and to resolve the causes of system failure.
2. Assess a proposed design for its reliability or safety, to quantify the system failure probability.
3. Identify the effects of human errors, to evaluate potential upgrades to a system.
4. Prioritize contributors to a failure, to optimize resources in assuring system safety.
5. Model system failures in risk, to resolve the causes of an incident or to identify effective upgrades to a system.
6. Quantify the failure probability and contributors.
7. Optimize the tests and maintenance activities.
8. Find the probability of system failure using data on the probability of the causes.
9. Determine the probability of the accident scenario.

4.2.3 Risk Contribution Tree


We have earlier studied Fault Tree Analysis and Event Tree Analysis; the basic difference between the two is that while FTA gives the direct causes and initiating events, ETA gives event trees for the consequences. If we combine the FTA and the ETA for an accident, we get a Risk Contribution Tree or RCT, a conceptual model of the risk. An example of an RCT for 'Fire or Explosion' onboard a ship is illustrated in Fig. 2.

Figure 2: Risk Contribution Tree
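Added example, not part of the notes: a small Python model of the three techniques described above, covering the car-refuelling fault tree of the FTA item (top-event probability and minimal cut sets from AND/OR gates), a barrier-by-barrier event tree as in the ETA item, and their combination into an RCT in which the fault tree's top-event frequency becomes the event tree's initiating event. Every event, barrier and probability below is a constructed assumption for illustration; none come from the notes or from IMO data.

```python
"""FTA, ETA and their combination into a risk contribution tree (RCT).
Added illustration for the car-refuelling example in the notes; every
event, barrier and probability below is a constructed assumption, not
data from the notes or from IMO."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union


@dataclass
class BasicEvent:
    name: str
    p: float  # probability of the basic event per filling (assumed independent)


@dataclass
class Gate:
    kind: str  # "AND": all inputs must occur; "OR": any input suffices
    name: str
    inputs: list = field(default_factory=list)


Node = Union[BasicEvent, Gate]


def top_event_probability(node: Node) -> float:
    """Deductive (top-down) evaluation of a fault tree with independent
    basic events: AND multiplies the input probabilities, OR takes the
    complement of 'no input occurs'."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [top_event_probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """The Boolean model behind the tree: each minimal cut set is a smallest
    combination of basic events that is sufficient for the top event."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = {s for cs in child_sets for s in cs}
    else:  # AND: one cut set from every input, combined
        sets = {frozenset()}
        for cs in child_sets:
            sets = {a | b for a in sets for b in cs}
    return sorted((s for s in sets if not any(o < s for o in sets)), key=sorted)


# Constructed fault tree for the 'Fire' branch of the car-refuelling example
FIRE_TREE = Gate("AND", "Fire while filling fuel", [
    BasicEvent("Fuel vapour present at filler", 0.8),
    Gate("OR", "Ignition source", [
        BasicEvent("Smoking", 2e-4),
        BasicEvent("Mobile phone use", 1e-4),
        BasicEvent("Static discharge", 5e-5),
    ]),
])


@dataclass
class Barrier:
    name: str
    p_success: float  # probability the barrier works when called upon


# Constructed barriers for the event tree that follows a fire at the filler
BARRIERS = [
    Barrier("Attendant notices and stops the pump", 0.9),
    Barrier("Extinguisher at the pump works", 0.8),
]


def event_tree(initiating_frequency: float,
               barriers: List[Barrier]) -> Dict[Tuple[bool, ...], float]:
    """Inductive (bottom-up) event tree: every success/failure path through
    the barriers, keyed by a tuple of barrier outcomes (True = worked), with
    the frequency of reaching that outcome."""
    paths = {(): initiating_frequency}
    for b in barriers:
        paths = {
            **{path + (True,): f * b.p_success for path, f in paths.items()},
            **{path + (False,): f * (1.0 - b.p_success) for path, f in paths.items()},
        }
    return paths


def risk_contribution_tree(tree: Node, exposures_per_year: float,
                           barriers: List[Barrier]) -> Dict[Tuple[bool, ...], float]:
    """RCT: the fault tree supplies the initiating-event frequency (top-event
    probability per filling times fillings per year) and the event tree turns
    it into the frequency of each outcome per year."""
    initiating = exposures_per_year * top_event_probability(tree)
    return event_tree(initiating, barriers)


if __name__ == "__main__":
    print("P(fire per filling) =", top_event_probability(FIRE_TREE))
    for cut in minimal_cut_sets(FIRE_TREE):
        print("cut set:", sorted(cut))
    for outcome, freq in risk_contribution_tree(FIRE_TREE, 50, BARRIERS).items():
        print(outcome, f"{freq:.3e} per year")
```

The outcome with every barrier failed is the branch an RCT feeds into the severity scale; the other branches show how much of the initiating frequency the barriers absorb, which is what ETA step (f) asks for.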

4.2.4 Failure Mode Effect Analysis - FMEA


FMEA is a systematic method to achieve quantifiable benefits in product and process design. It can also be described as a tool for assessing the safety and reliability of systems. The methodology is also beneficial for enhancing existing products or processes. Its motto is to prevent process and product problems before they occur. Its focus areas are:
1. Preventing defects in products and processes by recognizing and evaluating potential failures and their effects. FMEA identifies the failure modes and the missed opportunities in the process to correct or to mitigate them.
2. Enhancing safety by identifying and prioritizing actions that could eliminate the likely failures.
3. Enhancing the end-user experience by documenting the identification steps, evaluation and corrective actions.

FMEA is widely used in the aerospace, chemical, automobile and electronics industries and, more recently, in healthcare. FMEA identifies all the causes of failure of products and processes; these are called failure modes. A wrong operation by humans in a process, or through interaction with the product, that leads to its failure is also considered a failure mode. Each failure mode has a potential effect, a likelihood of occurrence and a severity. FMEA has a way to identify and eliminate or mitigate the failures, undesirable effects and risks. Risk can be determined by severity and occurrence. The failure-mode data from the product design or process can be scaled by the risk in severity and occurrence. The scale is chosen arbitrarily, and multiplying the risk allocation for severity by the probability of occurrence gives a rank to the risk (also called Risk Index or Risk Priority Number). The Risk Index forms the basis of risk control options, and controls are specified to mitigate the risk.

Risk = Probability (P) × Severity (S) (1)


Log(Risk) = Log(Probability) + Log(Consequence) (2)

In short, FMEA can be summarized as [Robin E. McDermott, 2009]:
1. Review the process or product.
2. Discuss and analyse, as a group, the potential failure modes.
3. List the potential effects of each failure mode.
4. Assign a severity rank to each effect.
5. Assign a probability rank to each effect.
6. Calculate the Risk Index for each effect.
7. Prioritize the failure modes for action.
8. Take steps to mitigate or eliminate the high-risk failure modes.
9. Recalculate the resulting Risk Index as failure modes are reduced or eliminated.

How is Severity Index (SI) calculated?

Severity Index (SI)

SI | Severity     | Effects on Human Safety                     | Effects on Ship        | S
1  | Minor        | Single or minor injuries                    | Local equipment damage | 0.01
2  | Significant  | Multiple or severe injuries                 | Non-severe ship damage | 0.1
3  | Severe       | Single fatality or multiple severe injuries | Severe damage          | 1
4  | Catastrophic | Multiple fatalities                         | Total loss             | 10

Table 2: Logarithmic Severity Index scaled for Maritime Safety. (Source: [IMO, 2002])

Steps of calculations for Severity Index (SI) are shown in Table 3.

Severity     | Calculation      | Assigned Value (SI)
Minor        | log10(0.01) = −2 | −2 + 3 = 1
Significant  | log10(0.1) = −1  | −1 + 3 = 2
Severe       | log10(1) = 0     | 0 + 3 = 3
Catastrophic | log10(10) = 1    | 1 + 3 = 4

Table 3: Steps to calculate Severity Index (SI)

How is Frequency Index (FI) calculated?

Steps of calculations for Frequency Index (FI) are shown in Table 5.

Frequency Index (FI)

FI | Frequency           | Definition                                                                                                   | P
7  | Frequent            | Likely to occur per month on one ship                                                                        | 10
5  | Reasonably Probable | Likely to occur once per year in a fleet of 10 ships, i.e. likely to occur a few times during the ship's life | 0.1
3  | Remote              | Likely to occur once per year in a fleet of 1000 ships, i.e. likely to occur in the total life of several similar ships | 10^−3
1  | Extremely Remote    | Likely to occur once in the lifetime of a world fleet of 5000 ships                                          | 10^−5

Table 4: Logarithmic Frequency Index scaled for Maritime Safety. (Source: [IMO, 2002])

Frequency           | Calculation        | Assigned Value (FI)
Frequent            | log10(10) = 1      | 1 + 6 = 7
Reasonably Probable | log10(0.1) = −1    | −1 + 6 = 5
Remote              | log10(10^−3) = −3  | −3 + 6 = 3
Extremely Remote    | log10(10^−5) = −5  | −5 + 6 = 1

Table 5: Steps to calculate Frequency Index (FI)

Risk Index (RI)

                          | Severity (SI)
FI | Frequency           | 1 Minor | 2 Significant | 3 Severe | 4 Catastrophic
7  | Frequent            | 8       | 9             | 10       | 11
6  |                     | 7       | 8             | 9        | 10
5  | Reasonably Probable | 6       | 7             | 8        | 9
4  |                     | 5       | 6             | 7        | 8
3  | Remote              | 4       | 5             | 6        | 7
2  |                     | 3       | 4             | 5        | 6
1  | Extremely Remote    | 2       | 3             | 4        | 5

Table 6: Risk Index calculated. (Source: [IMO, 2002])

How is Risk Index (RI) calculated?

Risk Index (RI) is calculated as the summation of the logarithmic Severity Index (SI) and the logarithmic Frequency Index (FI). This is shown in Table 6.
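Added example, not from the notes or from IMO: Python functions that implement the index calculations of Tables 3 and 5, rebuild the Table 6 matrix from the underlying P and S values (including the unnamed intermediate FI rows), recover the P × S product that a risk index stands for, and, for comparison with the FMEA passage above, compute the multiplicative index of equation (1) from arbitrary integer ranks. The scale values are those of Tables 2 and 4; the three sample hazards and their P and S assignments are constructed for this example.

```python
"""Added worked example of the IMO FSA risk index (Tables 2 to 6) beside
the multiplicative index used in FMEA (equation 1).  Scale values are the
ones in Tables 2 and 4; the three hazards at the bottom are constructed."""
import math
from typing import Dict, List, Tuple

# Table 2: severity class -> equivalent-fatality value S
SEVERITY = {"Minor": 0.01, "Significant": 0.1, "Severe": 1.0, "Catastrophic": 10.0}
# Table 4: frequency class -> probability P (per ship-year)
FREQUENCY = {"Frequent": 10.0, "Reasonably Probable": 0.1,
             "Remote": 1e-3, "Extremely Remote": 1e-5}


def severity_index(s: float) -> int:
    """Table 3: SI = log10(S) + 3; S = 0.01 -> 1, S = 10 -> 4."""
    return round(math.log10(s)) + 3


def frequency_index(p: float) -> int:
    """Table 5: FI = log10(P) + 6; P = 1e-5 -> 1, P = 10 -> 7."""
    return round(math.log10(p)) + 6


def risk_index(p: float, s: float) -> int:
    """Table 6: RI = FI + SI.  Both indices are logarithms, so this is
    log10(P x S) + 9, the log form (equation 2) of Risk = P x S."""
    return frequency_index(p) + severity_index(s)


def product_from_index(ri: int) -> float:
    """Undo the offsets: the P x S value a risk index stands for."""
    return 10.0 ** (ri - 9)


def fmea_rpn(severity_rank: int, occurrence_rank: int) -> int:
    """FMEA-style index: arbitrary integer ranks multiplied (equation 1)."""
    return severity_rank * occurrence_rank


def risk_matrix() -> Dict[Tuple[int, int], int]:
    """Rebuild Table 6 from the underlying P and S of every (FI, SI) cell,
    including the unnamed intermediate FI rows 2, 4 and 6."""
    return {(fi, si): risk_index(10.0 ** (fi - 6), 10.0 ** (si - 3))
            for fi in range(1, 8) for si in range(1, 5)}


def rank_hazards(hazards: List[Tuple[str, float, float]]) -> List[Tuple[str, int]]:
    """Sort (name, P, S) records by risk index, highest first; ties keep
    their input order."""
    scored = [(name, risk_index(p, s)) for name, p, s in hazards]
    return sorted(scored, key=lambda r: -r[1])


# Constructed sample hazards: (name, P per ship-year, S)
SAMPLE = [
    ("Engine room fire", FREQUENCY["Remote"], SEVERITY["Catastrophic"]),
    ("Slip on wet deck", FREQUENCY["Frequent"], SEVERITY["Minor"]),
    ("Cargo pump seal leak", FREQUENCY["Reasonably Probable"], SEVERITY["Significant"]),
]

if __name__ == "__main__":
    for name, ri in rank_hazards(SAMPLE):
        print(f"{name:22s} RI={ri:2d}  P x S = {product_from_index(ri):g}")
```

Note what the sample ranking shows: on this scale a frequent, minor hazard (RI 8) ranks above a remote, catastrophic one (RI 7), because the index is a pure expected-loss measure with no extra weight on severity; an assessor who wants catastrophic outcomes treated more conservatively has to apply that weighting separately.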

How does the industry use this kind of data? Each industry has its own way of scaling, calculating and interpreting the data. For example, consider the safety card of The Institute of Quarrying, Australia and the Govt. of New South Wales shown in Fig. 3. It can be seen that the Institute of Quarrying has defined three classes of risk as 'High Risk' (score ≤ 6), 'Medium Risk' (7 ≤ score ≤ 15) and 'Low Risk' (16 ≤ score ≤ 25), for which actions are indicated on the card.

Figure 3: Courtesy: The Institute of Quarrying & Govt. of Australia

4.2.5 Hazard and Operability (HAZOP)


This technique was developed for use in the chemical and process industries. It helps to design new process systems and operations and to identify hazards and operating problems in the existing systems of a process plant. Ships and offshore platforms have a number of plant process systems such as cargo systems, machinery systems, and oil and gas storage and process systems. There is a large amount of risk in handling these systems, and there is a necessity for a specialized risk assessment technique to suit them. In the HazOp technique, a process plant is divided into sections, and the start and end points of these sections are marked as nodes. The team carrying out the HazOp applies, at each node, all the abnormalities that can be caused by humans or by equipment failure and analyzes all their causes and consequences. In the assessment, both the 'deductive' and the 'inductive' steps, as in FTA and ETA, are employed. The findings from the analysis yield solutions on the type of safety barriers, isolations, alarms and instrumentation for the process parameters, emergency shutdowns or trips, stand-by provisions to ensure the operability of critical systems, data loggers for monitoring and investigating incidents, spill containment, the location of emergency showers, PPE and fire control points [IChemE, 2008].
4.2.6 Hazard Analysis (HAZAN)
Hazard analysis is a safety tool to maximize profit from a plant. It aims to identify and quantify the hazards from the plant operations and to suggest profitable measures to counter the consequence(s) of a hazard occurrence. HAZAN is analogous to Qualitative Risk Analysis (QRA) and Probabilistic Risk Analysis (PRA) in its approach. An FTA for the plant is developed to identify all the hazards associated with it, and an ETA is applied to each identified hazard, with the motive of determining the likelihood of its occurrence. The consequence of the hazard occurrence is determined. The hazard is then quantified in terms of the financial loss the plant may suffer, the consequence to the workers or personnel, brand or market capitalization loss, damages to third parties and damage to the environment or ecology. The consequences are weighed against the management safety targets to determine the investment required on safety. HAZAN focuses on minimizing the investment on safety, so as to deliver the end product to the market competitively. If a hazard exists but the consequences of its occurrence are less than the management safety targets, then no further actions are taken to mitigate it [Kletz, 1999]. The management safety targets may become the bone of contention. IMO has stated Appendix 5 on page 45 of [IMO, 2002] as guidance on measures and the tolerability of risks. The best practices mentioned are on a three-level scale - 'Intolerable', 'ALARP' (As Low As Reasonably Practicable) and 'Negligible' - which forms guidance on setting the safety target(s) (the consequence of unattended hazards).

4.2.7 As Low As Reasonably Practicable (ALARP)


ALARP is a concept developed to act as guidance for weighing risk control options and their cost-benefit to a system. The cost of the risk control options required to achieve the least risk level in a system may make the process unprofitable. The domain of risk and the level of risk which best suit the system must be determined to make it a viable and competitive model. These are the concerns which led to the concept of ALARP. The risks identified during an FSA process are listed and ranked. The level of risk that should be eliminated at all cost is assessed for the system. Further risk reduction is done on the basis of cost-benefit assessments. The risks can be broadly categorized as:

1. Negligible risk: Risks which are normally accepted by most people in their daily endeavours. For example, the chance of being struck by a meteor.
2. Tolerable risk: Risks which we take to complete a task in the process that is considered essential or profitable. The effect of the task not being done, or the monetary loss which would likely arise from not attending to such work, is weighed against the risk control options, and a decision to undertake the job is judiciously made. Examples of such jobs are the normal maintenance jobs undertaken on ships and offshore structures. For example, working aloft is an essential work activity when the situation demands. We employ certain risk control options like PPE, a safety harness and some checklists. But the same task may not be undertaken in very rough weather. In the former case, the risk is calculated and we are banking on the controls, like an approved safety harness, hard hat, etc. The latter activity is usually unacceptable, as it can be taken up when the situation improves.
3. Unacceptable risk: The level of risk which is unacceptable, for which we do not have sufficient controls and which is merely a daredevil stunt. In such cases the gains from going ahead with the activity are minuscule compared to the consequences of a mishap. For example, hot work in a flammable confined environment. This is a job which is usually avoided during normal activity in the maritime industry. But such a job can be carried out during a lay-off time, or in a dry-dock or a ship repair yard, by employing steps to make the environment safe for the hot work. By employing suitable steps, the responsible management team brings the unacceptable risk down to a tolerable or a negligible risk level. The ALARP principle is illustrated in Fig. 4.
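Added example, not from the notes: one way to turn the three ALARP regions described above into a decision rule for selecting risk control options for a single hazard, using the Table 6 risk-index scale. The region boundaries, the cost-effectiveness limit that stands in for "reasonably practicable", the bunkering-spill hazard and the options with their costs and reductions are all constructed assumptions, not IMO values.

```python
"""Added example applying the ALARP principle to one hazard and a list of
candidate risk control options (RCOs).  The three regions follow the text
above; the index boundaries, the cost-effectiveness limit and the options
are constructed assumptions, not IMO figures."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed region boundaries on the IMO risk index scale (2..11)
UNACCEPTABLE_ABOVE = 8        # RI > 8: must be reduced whatever the cost
NEGLIGIBLE_BELOW = 4          # RI < 4: no further action
# Constructed limit on what is 'reasonably practicable' inside the ALARP
# band: the most we will spend per point of risk index removed
MAX_COST_PER_POINT = 50_000.0


@dataclass
class Option:
    name: str
    cost: float      # one-off cost of implementing the option
    reduction: int   # risk-index points the option removes

    @property
    def cost_per_point(self) -> float:
        return self.cost / self.reduction


def region(ri: int) -> str:
    if ri > UNACCEPTABLE_ABOVE:
        return "unacceptable"
    if ri < NEGLIGIBLE_BELOW:
        return "negligible"
    return "ALARP"


def alarp_plan(ri: int, options: List[Option]) -> Tuple[int, List[str], float]:
    """Pick options for a hazard with risk index `ri`:
    - in the unacceptable region every option is applied, cheapest per
      point first, until the risk drops into the ALARP band;
    - inside the ALARP band an option is applied only while its cost per
      point is within the limit (cost not grossly disproportionate);
    - nothing is applied once the risk is negligible.
    Returns (final risk index, names applied, total cost)."""
    applied: List[str] = []
    total = 0.0
    for opt in sorted(options, key=lambda o: o.cost_per_point):
        current = region(ri)
        if current == "negligible":
            break
        if current == "ALARP" and opt.cost_per_point > MAX_COST_PER_POINT:
            break  # options are sorted, so every later one is costlier per point
        ri -= opt.reduction
        applied.append(opt.name)
        total += opt.cost
    return ri, applied, total


# Constructed risk control options for a bunkering-spill hazard
OPTIONS = [
    Option("Written procedure and checklist", 10_000.0, 1),
    Option("Tank level alarm", 60_000.0, 2),
    Option("Automatic pump shutdown on high level", 300_000.0, 2),
    Option("Second independent level gauge", 400_000.0, 1),
]

if __name__ == "__main__":
    for start in (10, 5, 3):
        final, names, cost = alarp_plan(start, OPTIONS)
        print(f"RI {start} ({region(start)}) -> RI {final} ({region(final)}), "
              f"cost {cost:,.0f}: {names}")
```

The rule reproduces the three cases in the text: a risk starting in the unacceptable region is reduced regardless of cost until it reaches the ALARP band, a risk already in the band only attracts options that are cost-effective, and a negligible risk attracts none. Real assessments replace the single cost-per-point limit with the cost-benefit criteria of FSA step 4.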

4.2.8 Task Analysis


Task analysis is the study of the steps to be followed by an operator and his team, or by several such teams working interactively or independently, to achieve successful operation facilitated by the design of the system. It is essentially the study of the human-human and human-equipment interactions, and the documentation of the information, control and communication lines employed in the operation. Through this study, the team carrying out the analysis obtains structured information about the entire operation. This is then analyzed against the objectives of the system for which it is designed, human competence and the organization. The purpose of carrying out such a task analysis is to enhance the safety, efficiency and reliability of the system [B.Kirwan and L.K.Ainsworth, 1992]. IMO has indicated three modes of applying task analysis: High-level task analysis, Detailed task analysis and Extended task analysis.

Figure 4: ALARP Principle (Courtesy: NOPSEMA, Govt. of Australia)
1. High-Level Task Analysis: This is a type of task analysis with the aim of achieving an extensive but shallow overview of the system under consideration. The analysis produces a description of all the operations within the system incorporated by design, and of the objectives of normal operations, emergency procedures, maintenance, commissioning and decommissioning of the system.
2. Detailed Task Analysis: Detailed task analysis is carried out to identify the overall task completed, its subtasks, the operator and his team or similar teams involved in the operation and their interactions, practices during normal and emergency situations, controls, documentation used, tools, etc., i.e. the factors which influence performance on the task. Detailed task analysis aims to create a complete blueprint of the entire process.
3. Extended Task Analysis (XTA): Cognitive or extended task analysis focuses mainly on detailing the decision-making process of a task, to understand the reasoning behind the decisions. Extended task analysis employs various techniques to analyze the work environment and to identify constraints which influence behaviour or affect decisions. Intellectual tasks such as navigating a ship involve decision making in familiar situations or in an unfamiliar or unforeseen set of conditions. The motive of this analysis is to enable a novice operator (here a navigator) to take a wise decision in any condition [Hoffman and G.Militello, 2009].

4.2.9 Human Reliability Analysis (HRA)


Assessment of the reliability of a maritime asset has to consider its hardware (design, structure, equipment,
control and automation) and, just as importantly, its operation by the crew. Ships such as container ships, oil
tankers, gas tankers and bulk carriers have a number of operations carried out by humans. The three broad
day-to-day activities on a ship, viz. navigation, cargo operations and engine room operations, are largely controlled
by the crew. To evaluate overall reliability, the analysis has to relate the ship type (the environment) to the
human-machine-automation interaction. Also, the maritime industry is truly global in its workforce, comprising
crew from various countries with different traditions, expertise and languages. These factors emphasize the need to
incorporate the human factor in safety assessments. Most accident investigation reports point out human error as
a cause, and the statistics available in the maritime sector justify treating human error as a major concern in
minimizing or eliminating accidents and failures. Human Reliability Analysis (HRA) is a developing science aimed
at mitigating human error in critical operations. Human reliability can be defined as the successful performance
of the human activity necessary for healthy system operation [A.D.Swain and H.E.Guttmann, 1983]. HRA is a
method of estimating human reliability and is based on the idea that human error is not a random event, but that
humans can be pushed to a faulty action by the context, environment or situation under which they are operating
[Spurgin, 2010]. A safety assessment and its incorporation into a marine system design are detailed here using the
example of a fire extinguishing system on a ship.
Some operations have humans as an indispensable element, for example navigating a ship, while other operations,
such as engine room operations, raise cost-effectiveness issues. The ultimate aim of FSA is safety and
cost-effectiveness; therefore managing the human element for increased reliability and cost-effectiveness is
important. Some systems, such as fire detection or fire extinguishing systems, must have high operating reliability,
and it is common in the design of such systems to opt for complete automation in order to avoid human error. Still,
some fire extinguishing systems can harm personnel or passengers in the protected spaces by suffocating them;
CO2 extinguishing systems are an example. Hence these systems carry a safety barrier in the form of a responsible
manual release, operated only after people have completely evacuated the spaces. The human element is currently
indispensable in taking critical decisions in maritime operations. Therefore, employing HRA in such system designs
yields certain important conclusions, which are incorporated to make the system highly reliable. For example, a
marine CO2 extinguishing system will have the following steps for releasing the extinguishing medium into a space:
1. The remote release mechanism is located in the ship's fire station and / or just outside the protected space
at its entrance. A fail-proof local release in the CO2 storage space is provided as a back-up to the remote
operation.
2. Most designs have similar steps of operation, irrespective of maker or country of origin. The steps of
operation of the release system are clearly displayed next to the cabinet housing the operating gear and are
written in English or in a major language spoken on the ship.
3. The operating gear is housed in a transparent glass cabinet, which is kept locked, with provision for breaking
the glass to access the gear in an emergency. The lock prevents unintentional operation of the system, but in
times of panic the cabinet keys may be lost or misplaced, and this must not render the system inoperable;
therefore the cabinet can be broken to gain access to the releasing gear.
4. The release system sounds a gas release alarm (both audible and visual) upon opening of the cabinet. Mostly,
this is accompanied by tripping of the ventilation and fuel supply systems in the space protected by the system.
5. The release of CO2 incorporates a slight time delay to allow people to evacuate the space after hearing the
gas release alarm.
6. The release of CO2 is effected only after a brief management decision and a head count of the people present
on the ship. The fire management team also has deputies assigned who are capable of taking decisions in case
the key managerial people are injured or killed in the accident.

Further, there are planned mock drills involving all personnel or passengers to familiarize them with the
necessary actions and to train them in recognizing the alarms and finding the best escape routes, together with
periodic maintenance and testing of the system. These operating stages and steps are an outcome of a safety
assessment that includes the human element. The overall objective of ensuring high reliability of the system is
achieved by such consideration of the human element at the design stage.
HRA is a process employing varied analysis techniques for the evaluation of risk due to human error in a Formal
Safety Assessment. Quantitative risk due to human error can be evaluated in terms of probabilities (referred to
as HEP, Human Error Probability) and incorporated into the ETA models for probabilistic risk assessment. IMO
[IMO, 2002] states that the present database for HRA risk quantification is limited and that most benefit is derived
from an early qualitative approach. HRA is included in FSA with the following objectives:

1. Identify key human tasks for hazard identification: The objective of this stage is to analyze
human-human and human-equipment interaction to understand the human errors that could lead to system
failure. Human hazards are identified by analyzing the ways in which a human error can contribute to accidents
during normal and emergency operations. Standard techniques such as Hazard and Operability study (HazOp)
and FMEA are recommended in this stage. A high-level functional task analysis is also highly recommended
to gain a broad but shallow overview of the main functions performed by humans to accomplish a particular
task. The steps of implementation are as follows:
(a) Model the system being investigated using task analysis to identify the main human tasks and their
sub-tasks.
(b) For each task identified, apply techniques like HazOp, HazAn, etc. to identify the contributing factors
to human errors and the associated hazards.
(c) Rank each hazard identified, and the consequence or scenario arising from its occurrence, according to
its criticality.
The more critical hazards and consequences are taken forward for further risk assessment, while less critical
hazards, which are acceptable within the set safety targets, are left unattended.
2. Risk analysis - task analysis: Risk analysis in HRA identifies probable zones in the process that are
vulnerable to the human element. The analysis also brings into focus the factors affecting the risk. This aim
is implemented in the following steps:
(a) Key tasks are analyzed in detail using techniques such as Horizontal Task Analysis or Cognitive Task
Analysis.
(b) The detailed analysis is carried out exhaustively to cover all identified sub-tasks.
(c) Likely human errors which can lead to undesirable events are identified.
(d) The human errors are classified based on:
i. The cause of the error.
ii. Likely measures to recover from the error, i.e. to restore the system to the state it was in before the
human error was committed.
iii. The consequence of the error to the system, i.e. monetary loss, process interruption, damage to the
system or environment, etc.
(e) Human errors are quantified as a Human Error Probability (HEP), which can be further used in the FSA
analysis. HEP quantification is optional, and IMO has offered some guidance on methodologies that could
be adopted to quantify human errors: direct measurement, expert opinion, and the use of historic data
through techniques such as HEART (Human Error Assessment and Reduction Technique) or THERP
(Technique for Human Error Rate Prediction). IMO emphasizes the need for such quantification and, at
the same time, cautions that the FSA objective should be kept in view.
3. Risk control options: To minimize or avert the consequences of human error, risk control options are
framed. Cost benefit analysis of the risk control options is carried out and decisions are made judiciously.

4.2.10 Technique for Human Error Rate Prediction (THERP)


THERP is a method to predict human error probabilities and to evaluate the degradation of a man-machine system
likely to be caused by human errors alone or in connection with equipment functioning, operational procedures and
practices, or other system and human characteristics that influence system behavior [A.D.Swain and H.E.Guttmann, 1983].
The method can be implemented in the following steps:
1. Identify the system failures that may be influenced by human error during normal operation. The human
error probability may be evaluated for these identified failures.
2. Identify and analyze the related human operations in which the identified human error might occur.
3. Quantify the human error probabilities.
4. Estimate the effects of human errors on the system failure events.
5. Recommend the changes necessary to the system and reassess the system reliability.

4.2.11 Human Error Assessment and Reduction Technique (HEART)

HEART is an HRA model proposed by J. C. Williams of the National Centre of Systems Reliability, UK. The
implementation of HEART is as follows:
1. Identification of the human error producing conditions, termed 'EPCs'.
2. Each EPC is assessed for its importance.
3. The predicted probability of failure of the task is calculated.
HEART focuses on some causes of and contributions to human error, called EPCs (Error Producing Conditions),
such as a faulty system, shortage of response time, poor system feedback, significant judgement required from the
operator, alertness required of the operator (which depends on his health or the working environment), etc. HEART
is a method to quantify and reduce human error by defining and employing some standard possibilities of the
system. Each possible scenario during operation, termed a GTT (Generic Task Type), is assigned a 'human
reliability' value range. For example, "a totally unfamiliar task performed at speed with no real idea of likely
consequences" has a human reliability value of 0.35 ∼ 0.97 in terms of 5th to 95th percentile bounds. These values
are based on a long-term, sizeable human reliability database. Further, each EPC has a correction factor, on a
0 ∼ 1 scale, depending on its consequence in the circumstance. From the EPC value and the correction factor a
weighting factor is calculated using a fixed relation. Weighting factors are calculated for as many EPCs as there
are conditions affecting the operation. The Human Error Probability (HEP) for the operation is then calculated as
the product of the GTT value and all the affecting weighting factors [Spurgin, 2010].
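The HEART calculation described above, carried through for the manual CO2 release task of section 4.2.9, as an added worked example that is not part of the paper. The relation used is the standard HEART one (weighting factor = (EPC multiplier − 1) × proportion + 1; HEP = GTT nominal value × product of weighting factors, capped at 1); the nominal value 0.55 is the published figure that belongs to the 0.35 ∼ 0.97 bounds quoted on the page, while the second GTT and the EPC multipliers are illustrative values constructed for the example.

```python
"""HEART quantification of the human error probability (HEP) for the manual
CO2 release task of section 4.2.9. Added worked example; not from the paper.

Standard HEART relation (J. C. Williams): each error-producing condition (EPC)
has a maximum multiplier M and an assessed proportion of effect p in [0, 1].
Its weighting factor is (M - 1) * p + 1, and HEP is the generic task type's
nominal probability times the product of all weighting factors, capped at 1.
The second GTT and the EPC multipliers below are constructed, illustrative values.
"""
from dataclasses import dataclass, replace
from math import prod

@dataclass(frozen=True)
class GenericTask:
    label: str
    nominal_hep: float      # HEART nominal (median) unreliability
    bounds: tuple           # 5th to 95th percentile bounds

@dataclass(frozen=True)
class EPC:
    label: str
    max_multiplier: float   # M: effect of the condition at full strength
    proportion: float       # p: how much of that effect applies to this task

def weighting_factor(epc):
    """HEART 'assessed effect' of one EPC: (M - 1) * p + 1; p = 0 gives 1.0."""
    if not 0.0 <= epc.proportion <= 1.0:
        raise ValueError(f"proportion out of range for {epc.label!r}")
    return (epc.max_multiplier - 1.0) * epc.proportion + 1.0

def heart_hep(task, epcs):
    """HEP = nominal GTT probability x product of weighting factors, capped at 1."""
    return min(1.0, task.nominal_hep * prod(weighting_factor(e) for e in epcs))

def rank_epcs(task, epcs):
    """Which condition to attack first: the HEP reduction if that EPC were removed (p = 0)."""
    base = heart_hep(task, epcs)
    gains = [(e.label, base - heart_hep(task, [replace(x, proportion=0.0) if x is e else x for x in epcs]))
             for e in epcs]
    return sorted(gains, key=lambda g: g[1], reverse=True)

# The page's GTT example: published nominal 0.55 with the quoted 0.35-0.97 bounds.
UNFAMILIAR_AT_SPEED = GenericTask("totally unfamiliar task performed at speed", 0.55, (0.35, 0.97))
# Constructed GTT for a crew that has drilled the posted release procedure.
DRILLED_PROCEDURE = GenericTask("follow posted release procedure, with checks", 0.003, (0.0008, 0.007))

# Constructed EPCs for releasing CO2 during an engine-room fire.
RELEASE_EPCS = [
    EPC("shortage of time to detect and correct errors", 11.0, 0.3),
    EPC("poor or ambiguous feedback from the release gear", 4.0, 0.2),
    EPC("instructions not in the operator's working language", 8.0, 0.0),  # not present here
]

if __name__ == "__main__":
    for task in (UNFAMILIAR_AT_SPEED, DRILLED_PROCEDURE):
        print(f"HEP {heart_hep(task, RELEASE_EPCS):.4f}  {task.label}")
    for label, gain in rank_epcs(DRILLED_PROCEDURE, RELEASE_EPCS):
        print(f"  removing '{label}' would cut HEP by {gain:.4f}")
```

With the same EPCs, the unfamiliar operator's HEP saturates at 1.0 while the drilled crew's stays below 0.02, which is the quantitative form of the page's argument for drills and clearly posted instructions.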

4.3 Risk Control Options (RCOs)


The purpose of this step is to provide effective and practical risk control options for the risks identified in the
risk analysis. It has four principal stages:
1. Focus on the risk areas which need control: Risks analysed by FTA and / or ETA which have a high
frequency of occurrence or a severe outcome become the primary focus. Areas of the risk model which have a
high probability of occurrence should be addressed irrespective of their outcome; areas which have the most
severe outcomes should be addressed irrespective of their probability of occurrence; and areas which have
uncertain severity, risk or probability should also be addressed.
2. Identifying the Risk Control Measures (RCMs).
3. Evaluating the effectiveness of the Risk Control Measures. Both historical and newly identified risks should
be addressed here.
4. Grouping risk control measures into practical regulatory options.

4.3.1 Identification of potential RCMs


This stage groups RCMs into well thought out, pragmatic regulatory options. Often such grouping is achieved by:

1. General Approach: Provides risk control by reducing the likelihood of initiation of incidents. Such measures
are likely to be effective in preventing several different accident sequences.
2. Distributed Approach: Provides control of the escalation of accidents and / or of the later stages of escalation
of other related and unrelated incidents.

The aim is to address both the existing risks and the risks posed by new technology or new methods of operation
and management. Structured review techniques are used to identify new RCMs for risks that are not sufficiently
covered by existing measures. To sum up, this step provides a range of RCOs that are assessed for their
effectiveness in reducing risks, and identifies the entities affected by the RCOs.

4.3.2 How to visualize the Risk Control Options


Table 7 describes the Risk Control Options, broadly divided into five categories:

Elimination: If the activity is redesigned, or the substance concerned is eliminated, so as to remove the hazard,
and the redesigned method does not prove less effective or cause unacceptable results from the activity, then
this is a risk control option.
Substitution: If some material or process is substituted by alternative means which result in lesser hazards, then
this substitution becomes a risk control option.
Engineering Controls: If employing additional automation or machinery, or separating and enclosing dangerous
items, results in mitigating the hazards, then exercising these options forms an engineering risk control option.
Administrative Controls: If rules are framed, such as prohibiting smoking or limiting the workers' continuous
exposure time to the hazard, and these reduce hazards, then they are administrative risk control options.
Use of PPE: If the hazards associated with the activity are minimised when the personnel involved use appropriate
personal protective equipment (PPE), then providing personnel with such gear constitutes a risk control option.
Examples of PPE are safety helmets, coveralls, visors or goggles, gloves, safety shoes, etc.

Table 7: Risk Control Options

4.4 Cost Benefit Assessment


The RCOs identified earlier are weighed to identify and compare the benefits and costs associated with their
implementation. This assessment can be done in the following steps:
1. Consider the risks assessed, both in terms of frequency and severity of consequence, in order to define a base
level in terms of risk.
2. Arrange the RCOs in a way that facilitates understanding of the costs and benefits resulting from their adoption.
3. Estimate the costs and benefits associated with each RCO.
4. Estimate each RCO's effectiveness as cost per unit risk reduction, calculated as the ratio of the net cost to the
risk reduction achieved as a result of implementing the option.
5. Rank the RCOs from a cost-benefit perspective in order to facilitate the decision making.
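An added example, not part of the paper, tying together the HRA step of section 4.2.9 (HEPs incorporated into an event tree for the CO2 release sequence) and step 4 above (cost per unit risk reduction, ranked). Every initiating frequency, HEP and cost in it is a constructed figure chosen for illustration.

```python
"""Event tree for a ship's CO2 fire-extinguishing release, with human error
probabilities (HEP) on the crew-dependent branches, followed by ranking two
risk control options by cost per unit risk reduction (net cost / risk reduced).

Added illustration for the HRA/ETA step (4.2.9) and cost benefit step (4.4);
not the paper's material. Every frequency, HEP and cost here is constructed.
"""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Branch:
    name: str
    p_fail: float   # probability the branch fails; an HEP where human is True
    human: bool

# Initiating event: engine-room fire needing CO2 release, per ship-year (constructed)
FIRE_FREQ = 2.0e-3

# Pivotal events, in the order the release steps are listed in section 4.2.9
BASE_TREE = (
    Branch("release alarm sounds on cabinet opening", 1.0e-3, False),
    Branch("crew evacuate space before release", 5.0e-2, True),
    Branch("head count / release decision correct", 2.0e-2, True),
    Branch("release gear operated correctly", 1.0e-2, True),
)
HARM = "FAIL: crew evacuate space before release"   # people still inside when CO2 comes

def event_tree(freq, branches):
    """Each branch succeeds (sequence continues) or fails (sequence ends there).
    Returns {outcome: frequency per ship-year}; the frequencies sum to freq."""
    outcomes, surviving = {}, freq
    for b in branches:
        outcomes["FAIL: " + b.name] = surviving * b.p_fail
        surviving *= 1.0 - b.p_fail
    outcomes["SUCCESS: space evacuated, CO2 released"] = surviving
    return outcomes

def human_error_share(freq, branches):
    """Fraction of all failed sequences that end at a human branch."""
    out = event_tree(freq, branches)
    fails = [(b, out["FAIL: " + b.name]) for b in branches]
    return sum(f for b, f in fails if b.human) / sum(f for _, f in fails)

def with_hep(branches, name, new_hep):
    """Tree with the named branch's HEP changed, i.e. the modelled effect of one RCO."""
    return tuple(replace(b, p_fail=new_hep) if b.name == name else b for b in branches)

def rank_rcos(freq, base, rcos, harm_outcome):
    """rcos: (label, net cost, modified tree). Returns [(label, cost per unit
    reduction in harm_outcome frequency)], cheapest risk reduction first."""
    base_risk = event_tree(freq, base)[harm_outcome]
    ranked = []
    for label, cost, tree in rcos:
        reduction = base_risk - event_tree(freq, tree)[harm_outcome]
        ranked.append((label, cost / reduction if reduction > 0 else float("inf")))
    return sorted(ranked, key=lambda r: r[1])

RCOS = [  # constructed options acting on the evacuation HEP
    ("quarterly evacuation drills", 4_000.0, with_hep(BASE_TREE, BASE_TREE[1].name, 1.0e-2)),
    ("extra beacons and louder alarm", 15_000.0, with_hep(BASE_TREE, BASE_TREE[1].name, 2.5e-2)),
]

if __name__ == "__main__":
    for outcome, f in event_tree(FIRE_FREQ, BASE_TREE).items():
        print(f"{f:.3e}/ship-year  {outcome}")
    print(f"share of failures due to human error: {human_error_share(FIRE_FREQ, BASE_TREE):.3f}")
    for label, cpu in rank_rcos(FIRE_FREQ, BASE_TREE, RCOS, HARM):
        print(f"{cpu:.3e} cost per unit risk reduction  {label}")
```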

4.5 Recommendations for Decision Making


The recommendations arrived at in the processes discussed should be presented to the decision makers in a way
that is both traceable and auditable. This constitutes the recommendations for decision making. We identify the
hazards, carry out the risk analysis, explore the risk control options taking into consideration the costs and benefits
of each option, and then we make recommendations for decision making. Points to consider while making
recommendations are that they shall be understood by all the affected people and that the suggestions should be
open to access, with scope for incorporating valuable comments. If a new IMO regulation is assessed by FSA and
needs to be presented to the IMO for incorporation, the submission should be made in the standard format
prescribed by the FSA Guidelines. IMO requires that any FSA recommendations submitted to it shall:
1. Provide a clear statement of the final recommendations, ranked and justified in an auditable and traceable
manner.
2. List the principal hazards, risks, costs and benefits identified during the assessment.
3. Explain the basis for significant assumptions, limitations, data, models and inferences used or relied upon in
the assessment or recommendations.
4. Describe the sources, extent and magnitude of significant uncertainties associated with the assessment or
recommendations.
5. Describe the composition and expertise of the group that performed the FSA process.

References

[A.D.Swain and H.E.Guttmann, 1983] Swain, A. D. and Guttmann, H. E. (1983). NUREG/CR-1278 - Handbook of
Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. Sandia National Laboratories,
prepared for the Office of Nuclear Regulatory Research (US NRC), GPO Sales Program, U.S. Nuclear Regulatory
Commission, Washington, D.C. 20555.
[Aven, 2003] Aven, T. (2003). Foundations of Risk Analysis. ISBN 0-471-49548-4, John Wiley & Sons Ltd, The
Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England.
[Ayyub, 2003] Ayyub, B. M. (2003). Risk Analysis in Engineering and Economics. ISBN 1-58488-395-2, Chapman &
Hall/CRC, CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.
[B.Kirwan and L.K.Ainsworth, 1992] Kirwan, B. and Ainsworth, L. K. (1992). A Guide to Task Analysis. ISBN
0-7484-0058-3, Taylor & Francis Ltd., 4 John Street, London WC1N 2ET, UK.
[Hoffman and G.Militello, 2009] Hoffman, R. R. and Militello, L. G. (2009). Perspectives on Cognitive Task Analysis.
ISBN 978-0-8058-6140-2, Psychology Press, Taylor & Francis Group, 270 Madison Avenue, New York, NY 10016.
[IChemE, 2008] IChemE (2008). HAZOP - Guide to Best Practice. ISBN 978-0-85295-525-3, Institution of Chemical
Engineers (IChemE), Davis Building, 165-189 Railway Terrace, Rugby, Warwickshire CV21 3HQ, UK.
[IMO, 2002] IMO (5th April, 2002). Guidelines for Formal Safety Assessment (FSA) for use in the IMO Rule-Making
Process, MSC/Circ.1023; MEPC/Circ.392, Ref T1/3.02, T5/1.01.
[Kletz, 1999] Kletz, T. (1999). HAZOP & HAZAN - Identifying and Assessing Process Industry Hazards. ISBN
978-0-85295-506-2, Institution of Chemical Engineers (IChemE), Davis Building, 165-189 Railway Terrace, Rugby,
Warwickshire CV21 3HQ, UK.
[Marco Bozzano, 2011] Bozzano, M. and Villafiorita, A. (2011). Design and Safety Assessment of Critical Systems.
ISBN 978-1-4398-0332-5, Taylor & Francis Group, CRC Press, 6000 Broken Sound Parkway NW, Suite 300, Boca
Raton, FL 33487-2742.
[Robin E. McDermott, 2009] McDermott, R. E., Mikulak, R. J. and Beauregard, M. R. (2009). The Basics of FMEA.
ISBN 978-1-56327-377-3, Taylor & Francis Group, 270 Madison Avenue, New York, NY 10016.
[Spurgin, 2010] Spurgin, A. J. (2010). Human Reliability Assessment - Theory and Practice. ISBN 978-1-4398-0383-7,
Taylor & Francis Group, CRC Press, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742.
[Vesely, 2004] Vesely, B. (2004). Fault Tree Analysis (FTA): Concepts and Applications. NASA HQ, USA.
