2009 Risk Assessment Analysis Tools Ships in Service Training Material.

1 2009 Risk Assessment Analysis Tools Ships in Service Training Material

2 Risk Assessment General Method
- What is the potential event?
- What can be the causes?
- What can be the consequences?
- What are the actual control measures?
- What can be done?
- What is the risk?
Ships in Service Training Material A-M CHAUVEL

3 Risk Assessment Tools Analysis
- Pareto (PAR)
- Preliminary hazard (PHA)
- Job safety (JSA)
- Quantitative risk (QRA)
- Qualitative risk (qRA)
- What if (WIF/SWIF)
- Fault tree (FTA)
- Event tree (ETA)
- Bow tie (BTA)
- Failure mode and effects (FMEA)
- Hazard and operational (HAZOP)

4 Risk Assessment Tools: Scope of Application of the Tools
Tools: Pareto, Checklist, Preliminary hazard (PHA), What if (WIF or SWIF), Failure mode and effects (FMEA), Hazard and operability (HAZOP), Fault tree (FTA), Event tree (ETA), Bow tie diagram (BTA)
Columns: Hazard identification, Risk screening

5 Risk Assessment Tools used in combination during Workshop

6 Risk Assessment Tools Usage
Number - Tool | Alone | With other tools (number)
1 - Pareto | X | 3, 10
2 - Checklist | X | 8, 7, 6
3 - Preliminary hazard (PHA) | X | 3, 4, 10, 3, 8
4 - What if (WIF or SWIF) | X | 10, 3
5 - Failure mode and effects (FMEA) | | 7, 5
6 - Hazard and operability (HAZOP) | X | 2
7 - Fault tree (FTA) | | 2, 8, 5
8 - Event tree (ETA) | X | 7, 2
9 - Bow tie diagram (BTA) | | 7 & 8
10 - Change analysis (CA) | X | 1, 3, 4, 8

7 Risk Analysis Tools: Checklists
Just because we know how to do a job doesn't mean that we do it safely.

8 Checklists
Despite their simplicity, checklists are a form of Quality & Safety Analysis.
Example: An airplane is a safety-critical system. As one level of analysis, a pilot must complete a pre-flight checklist before flight to ensure that the plane is working properly.

9 Checklists
This checklist is a simple form of Safety Analysis.
Checklists are generally useful where a problem is well understood, and examination rather than system analysis is the goal.

10 Checklists Process
1.0 Define the Activity or the System
2.0 Define the potential hazards
3.0 Subdivide the System or Activity for analysis
4.0 Gather or create relevant checklists
5.0 Respond to the Checklist questions
6.0 Subdivide the elements of the activity or system (if necessary)
7.0 Use the results in decision making

Checklist analysis procedure
1- Define the activity or system of interest
 - Intended functions
 - Boundaries
2- Define the problem of interest for the risk assessment
 - Safety problems
 - Environmental issues
 - Economic impacts
3- Subdivide the activity or system for analysis
 - Activity, Operation, Function
 - System, Subsystem, Components
4- Gather or create relevant checklists
 - Internal checklists
 - External checklists
 - Customized checklists
5- Respond to the checklist questions
 - Is the checklist question applicable?
 - Are there system weaknesses related to the question?
6- Further subdivide the elements of the activity or system
 - Activity, Tasks, Steps
 - Systems, Subsystems, Components
 - Subassemblies, Parts
7- Use the results in decision making
 - Judge acceptability
 - Identify improvement opportunities
 - Make recommendations for improvements
 - Justify allocation of resources for improvements

11 Checklists Limitation
- Possibly miss some potential problems.
- Traditionally provides only qualitative information.

Example checklist extract (columns: Activity, Level 1, Level 2, Level 3, Level 4; answers: No / Yes)
C1- Chemical, biological and radiation hazard control reference. Information availability and knowledge. No knowledge or use of reference data. Data available and used by supervisor when needed. Additional standards have been requested when necessary. Employees and supervisors able to demonstrate an understanding of the material. Data posted and followed where needed. Additional standards have been promulgated, reviewed with employees involved and posted.
C2- Flammable and explosive materials control. Storage of materials does not meet fire regulations. Some storage facilities meet minimum fire Storage facilities meet minimum fire regulations. Handling practices also meet minimum regulatory requirements. In addition to “Good”, Storage facilities exceed the minimum fire A strong policy is in evidence relative to the control of the handling, storage and use of flammable/explosive materials

Limitations of Checklist Analysis
Although checklist analysis is highly effective in identifying various system hazards, this technique has two key limitations:
- Likely to miss some potential problems. The structure of checklist analysis relies exclusively on the knowledge built into the checklists to identify potential problems. If the checklist does not address a key issue, the analysis is likely to overlook potentially important weaknesses.
- Traditionally only provides qualitative information. Most checklist reviews produce only qualitative results, with no quantitative estimates of risk-related characteristics. This simplistic approach offers great value for minimal investment, but it can answer more complicated risk-related questions only if some degree of quantification is added, possibly with a relative ranking/risk indexing approach.

12 Risk Analysis Tools: PHA, Preliminary Hazard Analysis

13 Preliminary Hazard Process (Risk Assessment)
1.0 Define the Activity or the System
2.0 Specify the categories of accident and the accident severity
3.0 Conduct review
4.0 Use the results in decision making

14 Preliminary Hazard Worksheet
Header fields: Brief description; Title (portion of the system/sub-system/operational phase covered by this analysis); System number; Probability interval: 5 years; Date; Analysis (I: Initial, R: Revision, A: Addition); Prepared by/date
Columns: Hazard description | Hazard target | Risk before (Severity, Probability, Risk code)
Hazard target: P- Personnel, E- Equipment, T- Down time, R- Product, V- Environment

15 Preliminary Hazard Report Example
Area: | Drawing number: | Meeting date: | Team members:
Hazard (Potential Accident) | Cause | Major effects | Severity (Accident Category) | Corrective or Preventive Measures suggested
Fuel oil spill | Ship motion away from the transfer terminal during bunkering | Release of fuel oil into the waterway, resulting in significant environmental impact | 2 | Consider installing mooring tension meters with alarms to indicate ship motion during bunkering
LNG fire or explosion | Loss of ventilation in the compressor room | Potential for explosion & large fire with fatalities | 1 | Consider providing an alarm that indicates when the ventilation fan in the compressor room shuts down

16 Preliminary Hazard Analysis (worksheet with control measures)
Header fields: Brief description; Title (portion of the system/sub-system/operational phase covered by this analysis); System number; Probability interval; Date; Analysis (I: Initial, R: Revision, A: Addition); Prepared by/date; Approved by/date
Columns: Hazard description | Hazard target | Risk before (Severity, Probability, Risk code) | Description of control measures | Risk after (Severity, Probability, Risk code)
Identify countermeasures by appropriate code letter(s): D: Design alteration, E: Engineering safety feature, S: Safety device, W: Warning device, P: Procedures / training
Hazard target: P- Personnel, E- Equipment, T- Down time, R- Product, V- Environment

17 Risk Analysis Tools: JSA, Job Safety Analysis

18 Risk Analysis: JSA and not JHA
Japanese Style for Abandon Ship
“Day one of the JHA Japanese Hemorrhoid Association's annual cruise...”

19 Job Safety Process (Risk Assessment)
1- Select a job for analysis
2- Break job down into basic work elements
3- Scrutinize each element
4- Develop countermeasures

Step (1): Select a job for analysis. Possible criteria include:
- Accident frequency
- Job has produced one or more disabling injuries
- Potential for severe consequences
- New jobs (including equipment and process changes)

Step (2): Break job down into basic work elements
- Select the right person to observe
- Brief the person as to why you’re observing
- Observe job and break down into steps
- Record each step in sequence
- Review with person observed for accuracy and completeness
- Don’t forget to include occasional tasks

20 How Do Handling Injuries Occur?
These injuries often occur because:
- Workers must adopt harmful postures in order to handle loads.
- Workers are expected to lift loads which are too heavy.
- Objects are not designed for ease of handling.
- Workplaces are poorly designed (including work stations).
- Work systems are poorly designed.

21 Job Safety Worksheet
Header fields: Platform; I.D.; Location; Field Superintendent; Analysis made by
Task: Loading and unloading truck
Personal Protective Equipment required and/or recommended:
Columns: Sequence of basic job steps | Potential accidents or hazards | Recommendation to eliminate or reduce potential hazard

22 Job Safety Worksheet
Header fields: Deck Officer; Location; Security Officer; Analysis made by
Task: Unloading the ship
Personal Protective Equipment required and/or recommended:
Columns: Sequence of basic job steps | Potential accidents or hazards | Recommendation to eliminate or reduce potential hazard

23 Job Safety Worksheet: Unloading the ship
Please, would you do an exercise on that subject?
1- Define the nature of the cargo.
2- Step by step, identify activities and potential hazards.
3- What are the safety remedies you will recommend?

24 Job Safety Worksheet
Header fields: Location; Room; Task, Job; Written by; Date; Revision #; Revision date
Personal Protective Equipment (PPE) required for entry into the room: Safety glasses, Non-porous shoes, Long trousers, Hard hat
Available safety equipment: Nearest fire extinguisher; Nearest shower; Nearest telephone; Nearest eye wash fountain; Nearest safety material; Nearest first aid kit; Nearest ….
Hazard level: Low / Medium / High
Columns: Sequence of steps | Potential hazard | Recommended safety procedures | Additional PPE required
Sections: Start-up Procedure; Run Time Procedure; Emergency Shutdown

25 Job Safety Worksheet
Header fields: Location; Date; New / Revised; JSA#; Task; Team members; Leader; Analyzed by; Reviewed by; Approved by
Specific rules and procedures to be followed:
Columns: Sequence of basic job steps | Potential accidents or hazards | Recommendations to eliminate or reduce potential hazards
Safety equipment required to do the job: Hard hats? Safety shoes? Safety glasses? Cotton gloves? Work vests? Safety harness? Face shields? Goggles? Barricades? Fire extinguishers? Lock-out/tag-out? Work permit? _________?

26 ILO-MLC Convention: 2006, Articles of the convention
- Regulation I: Minimum requirements for seafarers to work on a ship
- Regulation II: Conditions of employment
- Regulation III: Accommodation, recreational facilities, food and catering
- Regulation IV: Health protection, welfare, medical care and social protection
- Regulation V: Compliance and enforcement
PART A: mandatory
PART B: recommendations

27 Job Safety Analysis: Kinney Method
One other simple tool for scoring risk at work

28 Kinney Method
A Qualitative Method for scoring Risk at work
R (Risk score) = L x P x C
- L (Likelihood of the event)
- P (Period of exposure to the hazard)
- C (Consequences of the event)

29 Kinney Method
L (Likelihood of the event)
- W = 0.1: Highly unlikely
- W = 0.2: Practically impossible
- W = 0.5: Possible but unlikely
- W = 1: Unlikely
- W = 3: Likely
- W = 6: Very likely
P (Period of exposure to the hazard)
- B = 0.5: Very rare (once per year or less)
- B = 1: Rare (a few times per year)
- B = 2: Unusual (once per month)
- B = 3: Occasional (once per week)
- B = 6: Frequent (daily)
- B = 10: Continuous (constant)

30 Kinney Method
C (Consequences of the event)
- E = 1: Negligible injuries
- E = 3: Minor injuries
- E = 7: Major injuries
- E = 15: Fatal (1 death)
- E = 40: Disaster, more than one death
R (Risk score) = L x P x C
- R < 20: No attention required
- 20 < R < 70: Attention required
- 70 < R < 200: Required actions
- 200 < R < 400: Corrective actions required
- R > 400: Stop activities
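The Kinney score applied to a small risk register, as an added example that is not part of the original training material. The names `Rating`, `kinney_score`, `band` and `assess`, the register entries and their ratings are constructed for illustration; the upper limit of each band is taken as the lower limit of the next, and placing a score that falls exactly on a limit in the higher band is an assumption, since the slide's strict inequalities leave that case open.

```python
"""Kinney risk scoring over a small job-safety register (added example)."""
from dataclasses import dataclass
from decimal import Decimal

# Scale values and labels as printed on the slides.
LIKELIHOOD = {0.1: "Highly unlikely", 0.2: "Practically impossible",
              0.5: "Possible but unlikely", 1: "Unlikely",
              3: "Likely", 6: "Very likely"}
EXPOSURE = {0.5: "Very rare", 1: "Rare", 2: "Unusual",
            3: "Occasional", 6: "Frequent", 10: "Continuous"}
CONSEQUENCE = {1: "Negligible injuries", 3: "Minor injuries",
               7: "Major injuries", 15: "Fatal (1 death)",
               40: "Disaster, more than one death"}

# Band limits 20 / 70 / 200 / 400 from the slide, highest band first.
BANDS = [(400, "Stop activities"),
         (200, "Corrective actions required"),
         (70, "Required actions"),
         (20, "Attention required")]
LOWEST_BAND = "No attention required"


@dataclass(frozen=True)
class Rating:
    likelihood: float   # L
    exposure: float     # P
    consequence: float  # C


def kinney_score(rating: Rating) -> Decimal:
    """R = L x P x C, rejecting values that are not on the printed scales."""
    factors = (("likelihood", rating.likelihood, LIKELIHOOD),
               ("exposure", rating.exposure, EXPOSURE),
               ("consequence", rating.consequence, CONSEQUENCE))
    score = Decimal(1)
    for name, value, scale in factors:
        if value not in scale:
            raise ValueError(f"{name}={value} is not on the scale {sorted(scale)}")
        # Decimal(str(...)) keeps 0.1 and 0.2 exact, so boundary scores compare cleanly.
        score *= Decimal(str(value))
    return score


def band(score, boundary_goes_up: bool = True) -> str:
    """Map a score to its action band.

    The slide uses strict inequalities, so a score exactly on a limit
    belongs to no band. Assumption of this example: by default it is
    placed in the higher (more cautious) band.
    """
    for limit, action in BANDS:
        if score > limit or (boundary_goes_up and score == limit):
            return action
    return LOWEST_BAND


def assess(register):
    """Score each entry before and after its control measure, worst first."""
    rows = []
    for step, hazard, before, after in register:
        r_before, r_after = kinney_score(before), kinney_score(after)
        rows.append({"step": step, "hazard": hazard,
                     "before": r_before, "band_before": band(r_before),
                     "after": r_after, "band_after": band(r_after)})
    return sorted(rows, key=lambda row: row["before"], reverse=True)


# Constructed register for the "Unloading the ship" task; ratings are illustrative.
REGISTER = [
    ("Handle lashing gear by hand", "Back strain",
     Rating(6, 3, 3), Rating(1, 3, 3)),
    ("Work beside the open hold", "Fall into the hold",
     Rating(1, 10, 40), Rating(0.2, 10, 40)),
    ("Lift cargo with the crane", "Dropped load strikes crew",
     Rating(3, 6, 15), Rating(0.5, 6, 15)),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f'{row["step"]:<28} R={row["before"]:>5} {row["band_before"]:<28}'
              f' -> R={row["after"]:>5} {row["band_after"]}')
```

Scores of exactly 20, 70, 200 and 400 are all reachable with the printed scales (1 x 10 x 40 = 400, for instance), so the boundary rule has to be fixed before two assessors can be expected to band the same rating identically.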

31 Kinney Method Using Nomogram

32 Kinney Method (Nomogram)
[Nomogram: Likelihood scale and Exposure scale joined at a tie line. Likelihood labels: Might well be expected of some time; Quite possibly could happen; Unusual but possible; Remotely possible; Conceivable but very unlikely; Practically impossible. Exposure labels: Very rare (yearly or less); Unusual (once per month); Frequent (daily); Continuous.]

33 Kinney Method (Nomogram)
[Nomogram: Likelihood and Exposure scales joined at a tie line, then Possible consequences read against the Risk score scale (8 to 500). Consequence labels: Catastrophe, Disaster, Very serious, Serious, Important, Noticeable. Risk score labels: Very high risk, consider discontinuing operation; Substantial risk, correction required; Possible risk, attention required; Risk perhaps acceptable.]

34 Kinney Method
[Nomogram: Likelihood, Exposure, Tie line, Possible consequences, Risk score]

38 Kinney Method
Shall we invest to prevent an accident?
From risk score to justification score

39 Kinney Method (Nomogram)
[Nomogram: Risk score (8 to 500; Very high risk, Substantial, Definite, Risk perhaps acceptable), Tie line, Risk reduction (Small reduction 10%, 25%, More effective 50%, 75%, Eliminate 100%), Costs for correction ($300, $3 000, $30 000), Justification factor (Highly worthwhile, Justified, Of doubtful merit)]

43 Risk Analysis Tools: qRA, Qualitative Risk Analysis

44 Qualitative Risk Analysis
The most widely used analytical approach in risk assessment:
- Probability data is not required.
- Only estimated potential loss is used.
Most qualitative risk analysis methodologies make use of interrelated elements:
- Hazards or threats.
- Asset vulnerability.
- Control measures (countermeasures).

45 Qualitative Risk Analysis Process
1.0 Identify all potential hazards linked to the activity or process
2.0 Evaluate the risks linked to the hazards for the first step
3.0 Repeat the evaluation for each step of the activity or process
4.0 Classify each event according to its potential consequences
5.0 Classify each event according to its probability of occurrence
6.0 Determine if the risk is acceptable or not
7.0 Use the results in decision making

46 Qualitative Risk Analysis
The steps in assessing risk are:
1- Rank the severity of consequences.
2- Rank the “probability” of an incident or an accident occurrence.
3- Use matrix to determine if risk is acceptable and…
4- Repeat as necessary for all phase hazard / target combinations.

47 1- Rank Severity of Consequences (Matrix table)
Category | Consequences | Personnel illness / injury | Equipment loss (€) | Down time | Assets loss | Environmental effect / impact
I | Catastrophic | Death | > 1M | > 4 months | Values as for equipment loss | Long-term (5 years or greater) or requiring > €1M to correct and/or in penalties
II | Critical | Severe injury or severe occupational illness | 250K to 1M | 2 weeks to 4 months | Values as for equipment loss | Medium-term (1-5 yrs) or requiring €250K-1M to correct and/or in penalties
III | Marginal | Minor injury or minor occupational illness | 1K to 250K | 1 day to 2 weeks | Values as for equipment loss | Short-term (<1 yr) or requiring €1K-250K to correct and/or in penalties
IV | Negligible | No injury or illness | <1K | <1 day | Values as for equipment loss | Damage readily repaired or requiring <€1K to correct and/or in penalties

48 Qualitative Risk Analysis
The steps in assessing risk are:
1- Rank the severity of consequences.
2- Rank the “probability” of an incident or an accident occurrence.
3- Use matrix to determine if risk is acceptable and…
4- Repeat as necessary for all phase hazard / target combinations.

49 2- Rank Probability of Occurrence
Level | Descriptive word | Definition
F | Frequent | Likely to occur repeatedly in system life cycle
E | Probable | Likely to occur several times
D | Occasional | Likely to occur sometimes
C | Remote | Not likely to occur in system life cycle, but possible
B | Improbable | So unlikely it can be assumed occurrence may not be experienced
A | Impossible | Physically impossible to occur
- The probability rank depends on analyst experience and viewpoint.
- If possible, use several analysts.
- Estimate accident likelihood for total exposure time, not a single encounter.

50 Qualitative Risk Analysis
The steps in assessing risk are:
1- Rank the severity of consequences.
2- Rank the “probability” of an incident or an accident occurrence.
3- Use matrix to determine if risk is acceptable.
4- Repeat as necessary for all phase hazard / target combinations.

51 3- Is Risk Acceptable?
Matrix of severity of consequences (I- Catastrophic, II- Critical, III- Marginal, IV- Negligible) against probability of occurrence of each individual event (A Impossible, B Improbable, C Remote, D Occasional, E Probable, F Frequent).
Zones:
- Imperative to suppress risk to lower level
- Operation requires written limited waiver endorsed by management
- Operation permissible
Personnel must not be exposed to hazards in both zones

52 Qualitative Risk Assessment
Potential risk analyzed: (an injury, fatality…)
Likelihood (probability of the event): Very unlikely, Unlikely, May happen, Likely, Certain or imminent (1 2 3 4 5)
Severity (potential consequences): Delay only, Minor injury, Major injury, Single fatality, Multiple fatality
Scores shown: 6 8 10; 9 12 15; 16 20; 25

53 Qualitative Risk Assessment
Example of matrix: impact (for individual event)
Severity \ Likelihood (probability of the event) | Very unlikely | Unlikely | May happen | Likely | Certain or imminent
Delay only | 1 | 2 | 3 | 4 | 5
Minor injury | 2 | 4 | 6 | 8 | 10
Major injury | 3 | 6 | 9 | 12 | 15
Single fatality | 4 | 8 | 12 | 16 | 20
Multiple fatality | 5 | 10 | 15 | 20 | 25

54 Risk Assessment (Matrix 5x5): Interpretation of the risk
Risk estimation | Qualitative score
Low | 1 to 6
Moderate | 7 to 10
High | 11 to 16
Very high | 17 to 25

55 Risk Assessment (Matrix 4x4): Identification of the level of risk
Potential risk analyzed: (for individual event)
Vulnerability to threat: Very high (4), High (3), Moderate (2), Low (1)
Impact of loss: Devastating, Severe, Noticeable, Minor
Scores shown: 16; 12 8; 9 6

56 Risk Assessment (Matrix 4x4): Interpretation of the risk
Qualitative score | Risk rating interpretation
8 to 16 | These risks are high. The countermeasures should be implemented as soon as possible.
3 to 7 | These risks are moderate. The countermeasures should be planned and implemented in the near future.
1 to 2 | These risks are low. The implementation of countermeasures may be taken into consideration, but is of less urgency than the above risks.

57 Risk Assessment (Matrix 4x4): Identification of the level of risk
Potential risk analyzed: (for individual event)
Impact of loss \ Vulnerability to threat | Very high (4) | High (3) | Moderate (2) | Low (1)
Devastating (4) | 16 | 12 | 8 | 4
Severe (3) | 12 | 9 | 6 | 3
Noticeable (2) | 8 | 6 | 4 | 2
Minor (1) | 4 | 3 | 2 | 1

59 Qualitative Risk Analysis
The steps in assessing risk are:
1- Rank the severity of consequences.
2- Rank the “probability” of an accident’s occurrence.
3- Use matrix to determine if risk is acceptable.
4- Repeat as necessary for all phase hazard & target combinations.

60 Risk Analysis Tools: "What-if" Analysis

61 “What-if” Analysis
“What-if” is a brainstorming approach that uses broad, loosely structured questioning to:
- 1 Postulate potential problems that may result in accidents or affect system performance.
- 2 Ensure that appropriate safeguards against those problems are in place.

Summary of the What-if Analysis
- A systematic, but loosely structured, assessment relying on a team of experts brainstorming to generate a comprehensive review and to ensure that appropriate safeguards are in place.
- Typically performed by one or more teams with diverse backgrounds and experience that participate in group review meetings of documentation and field inspections.
- Applicable to any activity or system.
- Used as a high-level or detailed risk assessment technique.
- Generates qualitative descriptions of potential problems, in the form of questions and responses, as well as lists of recommendations for preventing problems.
- The quality of the evaluation depends on the quality of the documentation, the training of the review team leader, and the experience of the review teams.

62 “What-if” Analysis (WIF)
Most common uses
- Generally applicable for almost every type of risk assessment application, especially those dominated by relatively simple failure scenarios.
- Occasionally used alone, but most often used to supplement other structured techniques (especially checklist).

63 “What-if” Analysis Process
Flowchart steps: 1.0 Define the System or Activity; 2.0 Define the problems for the analysis; 3.0 Subdivide the System or Activity for analysis; 4.0 Generate What-if questions for each element of the System or Activity; 5.0 Subdivide the elements of the System or Activity (if necessary); 6.0 Respond to the questions “What-if”; 7.0 Use the results in decision making

Procedure for What-if Analysis
The procedure for performing a what-if analysis consists of the following seven steps:
1.0 Define the activity or system of interest. Specify and clearly define the boundaries for which risk-related information is needed.
2.0 Define the problems of interest for the analysis. Specify the problems of interest that the analysis will address (safety problems, environmental issues, economic impacts, etc.).
3.0 Subdivide the activity or system for analysis. Section the subject into its major elements (e.g., locations on the waterway, tasks, or subsystems). The analysis will begin at this level.
4.0 Generate what-if questions for each element of the activity or system. Use a team to postulate hypothetical situations (generally beginning with the phrase "what if …") that team members believe could result in a problem of interest.
5.0 Respond to the what-if questions. Use a team of subject matter experts to respond to each of the what-if questions. Develop recommendations for improvements wherever the risk of potential problems seems uncomfortable or unnecessary.
6.0 Further subdivide the elements of the activity or system (if necessary or otherwise useful). Further subdivision of selected elements of the activity or system may be necessary if more detailed analysis is desired. Section those elements into successively finer levels of resolution until further subdivision will (1) provide no more valuable information or (2) exceed the organization's control or influence to make improvements. Generally, the goal is to minimize the level of resolution necessary for a risk assessment.
7.0 Use the results in decision making. Evaluate recommendations from the analysis and implement those that will bring more benefits than they will cost in the life cycle of the activity or system.

64 “What-if” Analysis
Questions | Answers
- What if a specific accident occurs? | - Immediate effect on vessel condition…
- What if a specific system fails? | - Potentially leading to an accident…
- What if a specific human error occurs? | - Actual safeguards will fail…
- What if a specific external event occurs? | - …

65 “What-if” Analysis
Summary of the “What-if” Review of a Vessel’s Compressed Air System

What if… 1- The intake air filter begins to plug
- Immediate system condition: Reduced air flow through the compressor, affecting its performance.
- Ultimate consequences: Inefficient compressor operation, leading to excessive energy use and possible compressor damage. Low or no air flow to equipment, leading to functional inefficiencies and possibly outages.
- Safeguards: Pressure/vacuum gauge between the compressor and the intake filter. Annual replacement of the filter. Rain cap and screen at the air intake.
- Recommendations: Make checking the pressure gauge reading part of someone’s weekly round OR replace the local gauge with a low pressure switch that alarms in a manned area.

What if… 2- Someone leaves a safety valve open
- Immediate system condition: High air flow rate through the open valve to the atmosphere.
- Ultimate consequences: Low or no air flow to equipment, leading to functional inefficiencies and possibly outages. Potential for personnel injury from escaping air or blown debris.
- Safeguards: Small drain line would divert only a portion of the air flow, but maintaining pressure would be difficult.

66 “What-if” Analysis
WIFT an alternative to HAZOP:
The Structured What-If checklist (WIFT) technique is a method of identifying hazards based on the use of brainstorming. WIFT is a more structured form of analysis, which may be seen as less rigorous, but it is a quicker alternative to HAZOP.

A sample vulnerability matrix is shown. Scores are from 0 to 10. The sum of the scores across the rows indicates the best collective belief of that organization as to the key assets that are most susceptible to possible threats. The sum of the scores in the rows indicates the belief as to the most serious threats the organization faces. The highest individual scores represent critical areas of vulnerability that should be addressed.

67 “What-if” Analysis
The Strengths of SWIFT are:
• It is very flexible, and applicable to any type of installation, operation or process, at any stage of the lifecycle.
• It uses the experience of operating personnel as part of the team.
• It is quick, because it avoids repetitive consideration of deviations.

68 “What-if” Analysis
The Weaknesses of SWIFT are:
• As it works at system level:
  - Some hazards may be omitted,
  - It is difficult to audit.
• Adequate preparation of a checklist in advance is critical for the quality of the review.
• Its benefit depends on the:
  - Experience of the leader and
  - Knowledge of the team.

69 “What-if” Analysis
Limitations
- Likely to miss some potential problems.
- Difficult to audit for detail elements.
- Traditionally provides only qualitative information.

Limitations of What-if Analysis
Although what-if analysis is highly effective in identifying various system hazards, this technique has three limitations:
- Likely to miss some potential problems. The loose structure of what-if analysis relies exclusively on the knowledge of the participants to identify potential problems. If the team fails to ask important questions, the analysis is likely to overlook potentially important weaknesses.
- Difficult to audit for thoroughness. Reviewing a what-if analysis to detect oversights is difficult because there is no formal structure against which to audit. Reviews tend to become "mini-what-ifs," trying to stumble upon oversights by the original team.
- Traditionally provides only qualitative information. Most what-if reviews produce only qualitative results; they give no quantitative estimates of risk-related characteristics. This simplistic approach offers great value for minimal investment, but it can answer more complicated risk-related questions only if some degree of quantification is added.

70 Risk Analysis Tools
5 Why Analysis: used to search the root cause in Accident Investigation.
[Diagram: Accident, followed by a chain of Causes that leads to the Root Cause]

71 Risk Analysis Tools
5 Why Analysis: used to reach the potential causes of an Accident.
[Diagram: Accident, followed by a chain of Causes that leads to the Root Cause]

72 The “5 Whys”
The 5 Whys analysis is a simpler form of Fault Tree analysis for investigations of specific accidents as opposed to chronic problems. It is a technique used to identify the root causes of an event by asking why events occurred or conditions existed.

73 The “5 Whys”
Root Cause Analysis: from top to roots
The causes of the event are identified by asking the questions until they become absurd or because we have no more ideas about the problem.
Why…? Where are the roots?

Another simple technique recommended for the investigation of accidents is called root cause analysis. The technique is based on a fault tree where the top event is the accident. The causes of the accident are identified by asking the why questions until they become absurd. In answering the question why, one looks for both unsafe acts and unsafe conditions, and for failures in man, technology, and the environment or their interface.

74 “5 Whys” Principles
[Diagram: Top Event condition, "Why ?", Sub-Event, "Why ?", Root Cause]

75 “5 Whys” Principles
[Diagram: a tree that starts at the Top Event condition and branches through five levels of "Why ?" (numbered 1 to 5) into Sub-Event conditions, with branches ending in Root Causes]

76 “5 Whys” A case
1. "Why did the robot stop?" The circuit is overloaded, causing a fuse to blow.
2. "Why is the circuit overloaded?" There was insufficient lubrication on the bearings, so they locked up.
3. "Why was there insufficient lubrication on the bearings?" The oil pump on the robot is not circulating sufficient oil.
4. "Why is the pump not circulating sufficient oil?" The pump intake is clogged with metal shavings.
5. "Why is the intake clogged with metal shavings?" Because there is no filter on the pump.

77 “5 Whys” A case
- Ship sunk? Collision.
- Why? Collision? Lack of attention of the deck officer.
- Why? Lack of attention? Alcohol level in his blood.
- Why? Alcohol? Celebration prior to watchkeeping.
- Why? Celebration? Radio told him “he is father”.
- Why? The master let him take over the bridge?
- Why? The company did not plan his shore stay period for the birth of his child?

78 “5 Whys” Limitations
- Brainstorming is time consuming.
- Results are not reproducible or consistent.
- Some root causes may not be identified.

Limitations of the 5 Whys technique
The 5 Whys technique is an effective tool for determining causal factors and identifying root causes. However, it does have three primary limitations:
- Brainstorming is time consuming. Compared to other techniques, the 5 Whys technique can be time consuming. The brainstorming process can be tedious for team members trying to reach consensus. This is especially true for large teams.
- Results are not reproducible or consistent. Another team analyzing the same issue may reach a different solution. The brainstorming process is very difficult, if not impossible, to duplicate.
- Root causes may not be identified. Like event and causal factor charting, the 5 Whys technique does not provide a means to ensure that root causes have been identified.

79 The “5 Whys” Conclusions
- Resulting sub-events and conditions should be at or near the root causes of the event.
- More detailed evaluation may be necessary to reach management system root causes.
- Judgment and experience are key factors in selecting the right level of evaluation and to achieve the completeness of results.
- The results are not reproducible or consistent, but the application is auditable.

80 “5 Whys” A case
[Diagram with the following boxes: Request to look at the wall paper; Feel confident; Install the ladder; Climb the ladder; Carpet hygiene; Anti pain treatment; Sleeping effect; Dizziness; Fungi contamination; Both feet operated; Medical Shoes on both feet; Loss equilibrium; Fall 1st. step of the ladder; Walk without shoes; Over weight; Sugar level; High Temp. & Humidity; Air conditioned defective; Two vertebras crushed]

81 Risk Analysis Tools Fault Tree Analysis

82 Fault Tree (FTA)
A technique that visualizes how logical relationships between:
- Equipment failures
- Human errors
- External events
can, when combined, cause a specific incident/accident.

83 Fault Tree
Developed first in the aerospace industries. Have found uses in many other areas, most recently in software analysis.
Fault trees operate by:
- Developing a list of the faults that can occur in a system and
- Attempting to trace them back to their root causes.

Fault trees, developed in the aerospace industries, have found uses in many areas, most recently software analysis. Fault trees operate by developing a list of the faults that can occur in a system, and attempting to trace them back to their root causes. The reason that they are called fault trees is that there is a tree-like formal notation that accompanies the analysis, in which different types of events are specified by differently shaped containers, and the events are linked logically in tree-like structures to lead up to the eventual fault of the system. While this method can be used to show complicated interactions, it is still subject to the danger of overlooking aspects of the system, as these are mostly enumerated. It is advisable to combine this with another more methodical approach to ensure the completeness of the analysis.

84 Fault Tree
While this method can be used to show complicated interactions, it is still subject to overlooking some aspects of the system as the answers are mostly enumerated.
It is advisable to combine this method with another approach to ensure the completeness of the analysis.

85 Creating a Fault Tree
[Flowchart: 1- Define event of interest; 2- Define next level of the tree; 3- Develop questions to examine credibility of branches; 4- Gather data to answer questions; 5- Use data to determine credibility of branches; 6- Is branch credible? (Yes / No); 7- Stop branch development; 8- Is model sufficiently developed? (Yes / No); 9- Identify causal factors]

Creating a Simplified Fault Tree for Root Cause Analysis
This section focuses on using simple fault trees and the closely related 5 Whys analysis to conduct investigations of accidents and other undesirable events.

Step 1. Define an event of interest as the TOP event of the fault tree
Clearly describe a specific, known event of interest for which you will explore the potential underlying causes. Events such as the primary events and conditions and the secondary events and conditions can be the events of interest. Examples might be, "Flow control valve FCV-1 opened prematurely" or "The room temperature was greater than 80 °F." Typically, the event of interest for a fault tree is an equipment or system failure or a human error. When using a fault tree as the primary analysis tool, the accident is the TOP event.

Step 2. Define the next level of the tree
Determine the combinations of events and conditions that can cause the event to occur. If two or more events must occur to cause the event, use an AND gate and draw the events under the AND gate. For example, for a fire to exist, fuel, an oxygen source, and an ignition source must all occur simultaneously. If there are multiple ways for an event to occur, use an OR gate. For example, the fuel for a fire can be paper or gasoline. Regardless of whether an AND gate or an OR gate is selected, this level of development is a "baby step." It should be the smallest logical step, within reason, toward the underlying potential causes of the event above it. Taking too large a step can cause you to overlook important possibilities. Remember to include equipment failures, human errors, and external events as appropriate.
After the tree level is developed, test the tree for logic. Start with each event at the bottom of the tree. Does the logic of the tree reflect your understanding of the event or system? If an event is connected to an OR gate above, then it must be enough to cause the event above. If an event is connected to an AND gate above, is it required to cause the event above? Must ALL of the other events connected to the AND gate also occur for the event above to occur?

Step 3. Develop questions to examine the credibility of branches
Develop questions to test the credibility of each branch. What evidence would be present if this branch were true?

Step 4. Gather data to answer questions
Gather data to answer the questions that were generated in the previous step.

Step 5. Use data to determine the credibility of branches
Use the data gathered in the previous step to evaluate which branches of the tree do or do not contribute to the event of interest. Do the data support or refute the presence of this branch? Do you have sufficient information to determine the credibility of the branch? If not, you need to gather more data or continue on to the next level of the tree. Cross out any branches that you can dismiss with high confidence, and list the specific data used to make this determination beneath the crossed-out branch. For chronic problems, assigning probabilities (i.e., percentages) to the various events will help characterize the types of events that occur most often. For chronic events, you may not be able to address every type of event that occurs, so you need to focus on those that occur most frequently. These percentages will be used in Step 6 to determine if we need to develop the event further.
If all branches leading to the event of interest through an OR gate or one or more branches leading to the event of interest through an AND gate are eliminated, either
- (1) the event of interest did not occur,
- (2) some of the data are inaccurate or were misapplied, or
- (3) other ways exist for the event of interest to occur.

Step 6. Is the branch credible?
Determine if the branch is credible. For acute problems, if the branch is credible, continue on to Step 7. If the branch is not credible, proceed to Step 8. For chronic problems, if the percentage of events for this branch is high, continue on to Step 7. If the percentage of events for this branch is low, proceed to Step 8.

Step 7. Is the branch sufficiently developed?
Determine if the branch is sufficiently developed. The branch is complete when it is detailed enough to allow an understanding of how the top event occurs. If the branch is not complete, return to Step 2. If the branch is complete, move on to Step 9.

Step 8. Stop branch development
There is no reason to develop the branch further if you have determined it is not credible. Stop development of this branch and move on to Step 9.

Step 9. Stop when the scenario model is "complete"
The model is complete when you have a clear understanding of how the accident occurred. Keep your model "barely adequate" for identifying the issues of concern for your analysis; avoid unnecessary detail or resolution that will not influence your results. For acute problems, if you have more than one possible way for the event of interest to have occurred and cannot gather data to dismiss any of the remaining possibilities, you should consider each as a potential causal factor and make recommendations to prevent each. For chronic problems, you will typically need to address a number of primary contributors to the event of interest.

Step 10. Identify causal factors (optional)
If the fault tree method is being used as the primary analysis tool, causal factors should be identified.

Remember, you need not be, and probably will not be, the subject matter expert for the analysis. Use the expertise of others to help you develop the fault tree structure and apply the known data to dismiss branches appropriately.

Use Post-it® Notes to "draw" the tree:
- Allows for rapid revision of the tree
- Use different colors for different items: green (events), yellow (OR gates), pink (AND gates)

86 Fault Tree
Most common uses
Generally applicable for almost every type of risk assessment application, but used most effectively to address the root causes of specific events dominated by relatively complex combinations of these events.
Can be used as an effective root cause analysis tool in several applications to:
- Understand the causal factors of an event.
- Determine the actual root causes of the event.

87 Fault Tree
Most common uses
Generally applicable for almost every type of risk assessment dominated by relatively complex combinations of these events.
But, used most to:
- Understand the causal factors of an event.
- Determine the potential root causes of the event.

88 Fault Tree Symbols
[Symbol chart with examples: Heavy weather (Basic event); Massive flooding (Intermediate event); Lateral collision (Undeveloped event); “Or” Gate; “And” Gate]

- Top event and intermediate events: The rectangle is used to represent the TOP event and any intermediate fault events in a fault tree. The TOP event is the accident that is being analyzed. Intermediate events are system states or occurrences that somehow contribute to the accident.
- Basic events: The circle is used to represent basic events in a fault tree. It is the lowest level of resolution in the fault tree.
- Undeveloped events: The diamond is used to represent human errors and events that are not further developed in the fault tree.
- AND gates: The event in the rectangle is the output event of the AND gate below the rectangle. The output event associated with this gate exists only if all of the input events exist simultaneously.
- OR gates: The event in the rectangle is the output event of the OR gate below the rectangle. The output event associated with this gate exists if at least one of the input events exists.

89 Fault Tree Process
[Flow diagram: 1.0 Define the System; 2.0 Define the top event for the analysis; 3.0 Define the tree structure; 4.0 Explore each branch in successive levels of details; 5.0 Solve the fault tree for the combinations of events contributing to the event; 6.0 Identify important dependent failure potentials and adjust the model appropriately; 7.0 Perform quantitative analysis if necessary; 8.0 Use the results in decision making]

Procedure for Fault Tree Analysis
The procedure for performing a fault tree analysis consists of the following eight steps:
1.0 Define the system of interest: Specify and clearly define the boundaries and initial conditions of the system for which failure information is needed.
2.0 Define the TOP event for the analysis: Specify the problem of interest that the analysis will address. This may be a specific quality problem, shutdown, safety issue, etc.
3.0 Define the treetop structure: Determine the events and conditions (i.e., intermediate events) that most directly lead to the TOP event.
4.0 Explore each branch in successive levels of details: Determine the events and conditions that most directly lead to each intermediate event. Repeat the process at each successive level of the tree until the fault tree model is complete.
5.0 Solve the fault tree for the combinations of events contributing to the TOP event: Examine the fault tree model to identify all the possible combinations of events and conditions that can cause the TOP event of interest. A combination of events and conditions sufficient and necessary to cause the TOP event is called a minimal cut set. For example, a minimal cut set for over pressurizing a tank might have two events: (1) pressure controller fails and (2) relief valve fails.
6.0 Identify important dependent failure potentials and adjust the model appropriately: Study the fault tree model and the list of minimal cut sets to identify potentially important dependencies among events. Dependencies are single occurrences that may cause multiple events or conditions to occur at the same time. This step is qualitative common cause failure analysis.
7.0 Perform quantitative analysis if necessary: Use statistical characterizations regarding the failure and repair of specific events and conditions in the fault tree model to predict future performance for the system.
8.0 Use the results in decision making: Use results of the analysis to identify the most significant vulnerabilities in the system and to make effective recommendations for reducing the risks associated with those vulnerabilities.
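Steps 5.0 and 7.0 above can be carried out mechanically once the tree is written down. The following Python sketch is an added example, not part of the original training material: it uses the event names from the "Vessel loses propulsion" tree on slide 95 of this deck, but the gate layout is an assumed reading of that slide, the probabilities are constructed, and basic events are assumed independent.

```python
"""Minimal cut sets and top-event probability for a small fault tree."""
from itertools import combinations
from math import prod

# Event names come from the "Vessel loses propulsion" slide. The gate layout
# is an ASSUMED reading, because the drawing itself did not survive.
TREE = {
    "Vessel loses propulsion": ("OR", ["Basic failure of the propeller", "Engine stops"]),
    "Engine stops": ("OR", ["Fuel supply to engine is contaminated",
                            "Engine fails to operate"]),
    "Fuel supply to engine is contaminated": ("AND", ["Contaminated fuel in bunker tanks",
                                                       "Onboard fuel cleanup system fails"]),
    "Engine fails to operate": ("OR", ["Basic failure of the engine"]),
}

# CONSTRUCTED probabilities for the basic events (illustration only).
P_CONSTRUCTED = {
    "Basic failure of the propeller": 0.01,
    "Basic failure of the engine": 0.02,
    "Contaminated fuel in bunker tanks": 0.10,
    "Onboard fuel cleanup system fails": 0.05,
}


def minimal_cut_sets(tree, top):
    """Step 5.0: expand gates top-down, then drop non-minimal sets.

    An OR gate splits a row into one row per input; an AND gate adds all of
    its inputs to the same row. The tree must be acyclic.
    """
    rows = [frozenset([top])]
    while True:
        for i, row in enumerate(rows):
            gate = next((e for e in row if e in tree), None)
            if gate is not None:
                break
        else:
            break  # no row contains a gate any more: only basic events remain
        kind, inputs = tree[gate]
        rest = row - {gate}
        if kind == "AND":
            expanded = [rest | frozenset(inputs)]
        elif kind == "OR":
            expanded = [rest | {x} for x in inputs]
        else:
            raise ValueError(f"unknown gate type {kind!r} at {gate!r}")
        rows[i:i + 1] = expanded
    unique = set(rows)
    # Absorption: a set that strictly contains another cut set is not minimal.
    minimal = [c for c in unique if not any(other < c for other in unique)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


def single_point_failures(cut_sets):
    """Basic events that cause the TOP event on their own."""
    return [next(iter(c)) for c in cut_sets if len(c) == 1]


def top_event_probability(cut_sets, p):
    """Step 7.0: exact P(TOP) by inclusion-exclusion over the cut sets,
    assuming the basic events are independent (no common cause failures)."""
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        for combo in combinations(cut_sets, k):
            events = frozenset().union(*combo)
            total += (-1) ** (k + 1) * prod(p[e] for e in events)
    return total


if __name__ == "__main__":
    cuts = minimal_cut_sets(TREE, "Vessel loses propulsion")
    for c in cuts:
        print(" AND ".join(sorted(c)))
    print("single points of failure:", single_point_failures(cuts))
    print("P(top event) =", round(top_event_probability(cuts, P_CONSTRUCTED), 6))
```

The independence assumption is exactly what step 6.0 asks the analyst to challenge: a single occurrence that triggers several events in one cut set makes the computed probability too optimistic.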

90 Fault Tree
Risk Contributing Factor
[Diagram: Event trees for consequences; Incident/Accident categories: Contact or collision, External hazards, Fire or Explosion, Flooding; Incident sub-categories F1, F2, F3, F4 (F1 - Engine room, F3 - Accommodation, ………); Fault trees for direct cause and initiating events: Event A and Event B, joined by And / Or gates, with inputs A1, A2, B1, B2]

91 Fault Tree
[Fault tree diagram with Or and And gates. Events: Projector lamp shutdown; Power outage; Unresolved lamp failure; Basic lamp failure; No spare lamp; Inadvertent shutdown; Operator error; Unplug; Wiring failure; Internal; External]

92 Fault Tree
[Fault tree diagram with Or and And gates. Events: Projector lamp shutdown; Power outage; Unresolved lamp failure; Inadvertent shutdown; Wiring failure; Basic lamp failure; No spare; Operator error; Unplug; Internal; External]

93 Fault Tree
[Fault tree diagram, legend: And, Or. Events: Cup leaks; Punctured; Excess porosity; Stacking damage; Improper wall thickness; Low density; Deflection force ratio too high; Stacking stop height incorrectly specified; Wrong particle size; Wrong material expansion rate]

94 Fault Tree
[Fault tree diagram with Or and And gates. Events: Capsize; Impact; Heeling moment exceeds righting moment; No possible remedial action; Heeling moment increases; Sloshing of residual water from deluge system; Massive flooding; Lateral collision; Cargo shift; Previous fire; Bilge failure; Heavy weather; Door left open]

95 Fault Tree
[Fault tree diagram with Or and And gates. Events: Vessel loses propulsion; Basic failure of the propeller; Engine stops; Fuel supply to engine is contaminated; Engine fails to operate; Contaminated fuel in bunker tanks; Onboard fuel cleanup system fails; Basic failure of the engine]

96 [Fault tree diagram, legend: Gate : And, Gate : Or. Events: Engine failure; Engine control failure; Fuel supply failure; Bearing failure]
Ships in Service Training Material BRENNAN & PEACHEY

97 Exercise
[Fault tree diagram, legend: Gate : And, Gate : Or. Events: Engine failure; Engine control failure; Fuel supply failure; Bearing failure; Fuel flow failure; Contaminated fuel]

98 Risk Analysis Tools
Exercise: Complete the tree

99 Risk Analysis Tools
Exercise: Complete the tree

100 The Causes
[Fault tree diagram, legend: Gate : And, Gate : Or. Events: Engine failure; Engine control failure; Fuel supply failure; Bearing failure; Fuel flow failure; Contaminated fuel; Fuel tank failure; Fuel pump failure; Fuel supply pipe failure; Fuel filter failure; Mechanical failure; Electrical failure; Bunker fuel; Leak from heating coils; Water condensation]

101 Fault Tree Limitations
- Narrow focus.
- Art as well as science.
- Quantification requires significant expertise.

Limitations of Fault Tree Analysis
Although fault tree analysis is highly effective in determining how combinations of events and failures can cause specific system failures, this technique has three notable limitations:
- Narrow focus. Fault tree analysis examines only one specific accident of interest. To analyze other types of accidents, other fault trees must be developed.
- Art as well as science. The level of detail, types of events included in a fault tree analysis, and organization of the tree vary significantly from analyst to analyst. Assuming two analysts have the same technical knowledge, there will still be notable differences in the fault trees that each would generate for the same situation. However, given the same scope of analysis and limiting assumptions, different analysts should produce comparable, if not identical, results.
- Quantification requires significant expertise. Using fault tree analysis results to make statistical predictions about future system performance is complex. Only highly skilled analysts can reliably perform such quantifications.
In addition, analysts often become so focused on equipment and systems that they forget to address human and organizational issues adequately in their models. While this is not an inherent limitation of fault tree analysis, it is worth noting.

102 Risk Analysis Tools Event Tree Analysis

103 Risk Analysis Tools Event Tree Analysis

104 Event Tree (ETA)
A technique that logically develops models of the possible outcomes of an initiating event.
Event tree analysis uses decision trees to create the models.
The models explore how safeguards and external influences, called lines of assurance (LOA), affect the path of the event chains.

Brief summary of characteristics
- Models the range of possible accidents resulting from an initiating event or category of initiating events.
- A risk assessment technique that effectively accounts for timing, dependence, and domino effects among various accident contributors that are cumbersome to model in fault trees.
- Performed primarily by an individual working with subject matter experts through interviews and field inspections.
- An analysis technique that generates the following:
  - qualitative descriptions of potential problems as combinations of events producing various types of problems (range of outcomes) from initiating events
  - quantitative estimates of event frequencies or likelihoods and relative importance of various failure sequences and contributing events
  - lists of recommendations for reducing risks
  - quantitative evaluations of recommendation effectiveness

105 Event Tree (ETA)
A technique that develops models of the possible outcomes of an initiating event.
The models explore how:
- Safeguards,
- External influences,
- Lines of assurance (LOA),
affect the path of the event chains.

106 Event Tree
Event trees function similarly to fault trees, but in the opposite direction.
An event tree attempts to enumerate a list of components and subsystems and determine the result of their operation or non-operation. In this way all sequences of possible events involving those components are covered.
As with fault trees, enumeration is the main form of choosing subsystems and components to examine, so a more methodical approach should be coupled with event tree analysis for greater completeness.

107 Event Tree
Most common uses
Applicable for almost any type of risk assessment, but used most effectively for events where multiple safeguards are in place as protective features to avoid escalation.

108 Event Tree Process
[Flow diagram: 1.0 Define the System or Activity; 2.0 Define the Initiating event; 3.0 Define LOA and physical phenomena; 4.0 Define accident scenarios; 5.0 Analyze accident sequence outcomes; 6.0 Summarize results; 7.0 Use the results in decision making]

The procedure for performing an event tree analysis consists of the following seven steps:
1.0 Define the system or activity of interest. Specify and clearly define the boundaries of the system or activity for which event tree analyses will be performed.
2.0 Identify the initiating events of interest. Conduct a screening-level risk assessment to identify the events of interest or categories of events that the analysis will address. Categories include such things as groundings, collisions, fires, explosions, and toxic releases.
3.0 Identify lines of assurance and physical phenomena. Identify the various safeguards (lines of assurance) that will help mitigate the consequences of the initiating event. These lines of assurance include both engineered systems and human actions. Also, identify physical phenomena, such as ignition or meteorological conditions, that will affect the outcome of the initiating event.
4.0 Define accident scenarios. For each initiating event, define the various accident scenarios that can occur.
5.0 Analyze accident sequence outcomes. For each outcome of the event tree, determine the appropriate frequency and consequence that characterize the specific outcome.
6.0 Summarize results. Event tree analysis can generate numerous accident sequences that must be evaluated in the overall analysis. Summarizing the results in a separate table or chart will help organize the data for evaluation.
7.0 Use the results in decision making. Evaluate the recommendations from the analysis and the benefits they are intended to achieve. Benefits can include improved safety and environmental performance, cost savings, or additional output. Determine implementation criteria and plans. The results of the event tree may also provide the basis for decisions about whether to perform additional analysis on a selected subset of accident scenarios.

109 Event Tree Terminology
The following terms are commonly used in ETA:
- Initiating event
- Line of assurance (LOA)
- Branch point
- Accident sequence & scenario

110 Event Tree Terminology
The following terms are commonly used in ETA:
Initiating event : The occurrence of some failure with the potential to produce an undesired consequence. An initiating event is sometimes called an incident.
Line of assurance (LOA) : A protective system or human action that may respond to the initiating event.

111 Event Tree Terminology
The following terms are commonly used in ETA:
Branch point : Graphical illustration of (usually) two potential outcomes when a line of assurance is challenged.
Accident sequence or scenario : One specific pathway through the event tree from the initiating event to an undesired consequence.

112 Event Tree Scenario & Sequence
[Diagram : an event tree running from the Initiating Event through three branch points (LOA 1, LOA 2, LOA 3), each with an S path and an F path, ending in Consequence 1 to Consequence 4.]
LOA : Line of Assurance
S : Success of LOA
F : Failures of LOA

113 Event Tree Scenario & Sequence
[Diagram : event tree for the initiating event "Projector lamp fails". Branch labels : Spare available / No spare available; Instructor replaces / Instructor inept; Charlie replaces / Charlie unavailable. Outcomes : Replacement OK / Replacement still not OK.]
S : Success
F : Failure

114 Event Tree Scenario & Sequence
Exercise : Complete the tree
Column headings : Initiating event | Ignition prevented | Fire extinguished with : Portable fire extinguishers, CO2 system, Sea water system | Other Line Of Assurance | Accident sequence | Outcomes
Initiating event : Leak or rupture of piping containing flammable material
Branches : Yes / No
Given on the slide : sequence A, Flammable material spill, but no fire; final outcome, Complete loss of facility. The sequences in between ( ? ) are to be completed.
Example : The following event tree illustrates the various outcomes resulting from a leak or rupture of fuel oil piping in a vessel's engine room. The first branch depicts the two potential paths forward, depending on whether or not the release contacts an ignition source and starts a fire. If the spill ignites (shown on the downward path of the first branch), three systems are available to extinguish the fire: handheld fire extinguishers, a CO2 system, and a seawater system. Successive branch points depict the success or failure of each system. Note that the upper branch in each case extends directly to the outcome because, once the fire is extinguished, there is no need for the remaining systems to operate.

115 Event Tree Scenario & Sequence
Column headings : Initiating event | Ignition prevented | Fire extinguished with : Portable fire extinguishers, CO2 system, Sea water system | Other Line Of Assurance | Accident sequence | Outcomes
Initiating event : Leak or rupture of piping containing flammable material
Branches : Yes / No
Accident sequences and outcomes :
A ( P1 ) : Flammable material spill, but no fire
B ( P2 ) : Minor fire damage. No loss of system availability
C ( P3 ) : Medium fire damage. Potential loss of system availability
D ( P4 ) : Major fire damage. Loss of system availability
E : Escalation process. Complete loss of facility

116 Scenario
[Diagram labels : Event, Effect, Consequence; Fire / explosion; Where?; Minor damage, Major damage, Critical damage, Escalation, Total loss; No fatal impact, Fatal impact.]

117 Fire / Explosion Scenario
[Event tree diagram. Labels and branch probabilities in slide order :]
Major damage 0,67 Escalation 0,33 0,96 0,04 0,71 0,29 No fatal impact 0,92 Fatal impact ,08 Machinery spaces 0,72 Major damage 0,70 Total loss ,30 No fatal impact 0,93 Fatal impact ,07 Vehicle deck 0,08 Fire / explosion serious casualty Major damage 0,70 Total loss ,30 No fatal impact 0,57 Fatal impact ,43 Accommodation 0,20 Major damage ,80 Total loss ,20

118 Collision Scenario
[Event tree diagram. Labels and branch probabilities in slide order :]
Minor incident 0,88 Non-fatal impact 0,81 Impact only 0,78 Fatal impact ,19 Remains upright 0,5 Collision under way 0,97 Struck ship 0,5 Flooding 0,19 Slow sinking ,25 Rapid capsize ,25 Minor damage ,5 Fire 0,03 Serious casualty 0,12 Major damage ,5 Impact only 0,91 Collision incident Remains upright 0,88 Flooding 0,06 Striking ship 0,5 Slow capsize ,12 Minor damage 0,5 Fire 0,03 Major damage 0,4 Destruction ,1 Striking at berth 0,03

119 Flooding Scenario
[Event tree diagram. Labels and branch probabilities in slide order :]
Remains afloat 0,1 Through bow door Slow sinking 0,2 Below vehicle deck 0,16 Slow sinking 0,2 Rapid capsize 0,1 Remains afloat 0,7 Through hull 0,03 Stern door 0,56 Blow door 0,28 Into bridge / superstructure 0,27 Through open doors 0,19 Through down-flooding openings 0,18 Flooding incident Through bow door 0,67 Through stern door Slow sinking ,2 Rapid capsize 0,7 Remains afloat 0,1 Remains afloat 0,8 Side door Due to wave damage 0,47 Slow sinking 0,2

120 Sudden major happening
Column headings : INITIATING EVENT | FIRST ACTION | SECOND ACTION | THIRD ACTION | FOURTH ACTION | OUTCOME
INITIATING EVENT : GROUNDING OR STRANDING DUE TO LOSS OF PROPULSION (FUEL OIL SYSTEM FAILURE)
FIRST ACTION : Become aware that vessel has grounded.
SECOND ACTION : Assess whether hull is still intact and no flooding in or leaking out. Is propulsion still available ?
THIRD ACTION : If damage appears minor, attempt to refloat by standard procedures.
FOURTH ACTION : Seek and await assistance from other vessels. Cargo may have to be offloaded. Can vessel be refloated ?
OUTCOMES ( Yes / No branches ) :
- SUPERFICIAL DAMAGE : Floating off and proceed with caution.
- MINOR DAMAGE : Proceed to port under own power.
- SEVERE DAMAGE : Tow required to repair port. Risk of loss of stability.
- Sudden major happening : STRANDED. Hull stuck fast. High probability of loss of hull integrity. High probability of pollution. May need to abandon vessel. Probability of serious injuries.
Reason for escalation to next action : Vessel stuck firm. Hull damage. Damage is major and/or vessel cannot be refloated without external assistance. Propulsion may have been lost. Vessel immovable. Possible major structural damage.
Other actions and precautions to be taken : Apply full astern power. Advise complement of situation and tell them to stand by. Mobilise emergency party. Sound all double bottom tanks. Follow hull damage procedures, advise shore. Damage could be more serious than first assessed. Risk of major flooding / pollution. Request external assistance. Look for injured personnel. Send S.O.S. Prepare to abandon ship if circumstances dictate.
BRENNAN & PEACHEY

121 Marine Rescue ?
Initiating event : Situation requiring people in the water
Branch points :
A : Warm water
B : Daytime
C : Second vessel on site within 20 mn.
D : Other vessels on site within 20 mn.
E : Other vessels on site within 60 mn.
F : People successfully into IBAs
G : Successful rescue prior to hypothermia
[Event tree diagram. Branch and outcome values in slide order :]
Success 0.10 Failure 0.90 A B C D G 0.6 0.3 (B1) 0.4 (A1) 0.7 0.9 0.5 0.5 (C1) 0.25 0.75 (C2) 0.1 (D1) (D2) 0.9 (G1) 1.00 (G4) 0.1 0.0054 0.8 0 (G7) 1.00 0.2 (G3) 0.02 (G2) 0.98 0.01 (G5) 0.99 0 (G6) 0.0006 0.0486 0.0011 0.0529 0.0420 0.1680 0.0700 0.0009 0.0891 0.0 0.3150 0.1050 0.0900
Notes for the case: 600 on board, second gaming vessel not required, no IBAs, and must rescue all
A.1 Warm Water: Have warm water 40% of the time (i.e., 60 °F or higher) based on local SAR team experience.
B.1 Daytime: One of the vessels does not go out on Monday, Wednesday, and Friday during the daytime. Also, there is a possibility of cancellation due to low customer demand, which mostly occurs during the day.
C.1 Second Gaming Vessel on Site Within 20 Minutes: Variation in vessel schedules and the possibility of cancellation are higher during the day. Therefore, the team chose a probability of 0.5 for a second gaming vessel being on site during the day and a probability of 0.75 for a second gaming vessel being on site during the night.
D.1 Other Vessels on Site Within 20 Minutes: Expectation that other vessels (certificated passenger vessels, commercial fishing vessels, and recreational craft) will be coming and going with seasonal variations.
D.2 Other Vessels on Site Within 20 Minutes: During the night and during seasonal cold weather, other vessels in sufficient numbers are not expected to be on site within 20 minutes.
E.1 Other (Including Coast Guard) Vessels on Site Within 60 Minutes: Not expected because vessels at their ports would require travel times > 60 minutes.
F.1 People successfully into IBAs: None available.
G.1 Successful Rescue Prior to Hypothermia: Would recover all people in the water 90% of the time because sufficient vessels are immediately available; however, 10% of the time someone would die from hypothermia due to not being retrieved from the water in under two hours.
G.2 Successful Rescue Prior to Hypothermia: Sufficient assets will not be on the scene within one hour; therefore, some people will be in the water for three to four hours. While this event occurs in warm water during daylight, it is very unlikely that all 600 people would be rescued before having a hypothermia death. All people in the water would be recovered only 2% of the time.
G.3 Successful Rescue Prior to Hypothermia: Even though the other gaming vessel is on site and the water is warm, recovery of all people in the water would occur only 20% of the time. Operations would be at night, making it difficult to locate all of the people in time.
G.4 Successful Rescue Prior to Hypothermia: Even though the water is warm, sufficient assets will not be on the scene within two hours. Therefore, some people will be in the water for three to four hours, and at least one hypothermia death among 600 people is expected in this situation.
G.5 Successful Rescue Prior to Hypothermia: Even though the other gaming vessel is on site during daylight, recovery of all people in the water would occur only 1% of the time. Operations would be in cold water, which would severely limit the time to successfully rescue the people.
G.6 Successful Rescue Prior to Hypothermia: Even though the event occurs during daylight, sufficient assets will not be on the scene within two hours. Therefore, some people will be in the cold water for three to four hours, and at least one hypothermia death among 600 people is expected.
G.7 Successful Rescue Prior to Hypothermia: Because of dispersion at night and cold water, the analysis team does not expect to find everyone in time.
The quantitative analysis could be extended to estimate the following:
- The frequency of each scenario occurring. This would be done by multiplying each outcome likelihood by the initiating event frequency.
- The expected number of fatalities per initiating event. This would be done by estimating fatalities for each outcome and multiplying by outcome probabilities.

122 Event Tree
Column headings : Initiating Event | First level of safeguards LOA 1 | Second level of safeguards LOA 2
[Event tree diagram. Branch labels and values in slide order :]
Break fails : Yes : 0.25 No : 0.75 Break fails : Yes : 0.1 No : 0.9 Break fails : Yes : 0.25 No : 0.75 Break fails : Yes : 0.2 No : 0.8 Break fails : .02 Yes : 0.25 No : 0.75 Break fails : .06 Yes : 0.1 No : 0.9 Break fails : .18 Yes : 0.25 No : 0.75 Break engages : .54

123 Event Tree (case 1)
Column headings : Initiating event | First level of safeguards LOA 1 | Second level of safeguards LOA 2
Frequency of initial event : 0.4 /year
LOA 1 : P Success 0,95 | P Failure 0,05
LOA 2 : P Success 0,90 | P Failure 0,10
Outcome 1 : First level succeeded. Freq = (0.4)(0.95) = 0.380 /year
Outcome 2 : First level failed, second level succeeded. Freq = (0.4)(0.05)(0.90) = /year
Outcome 3 : Both levels failed. Freq = (0.4)(0.05)(0.10) = 0.002 /year

124 Event Tree (case 2)
Column headings : Initiating event | First level of safeguards LOA 1 | Second level of safeguards LOA 2
Frequency of initial event : 0.4 /year
LOA 1 : P Success 0,10 | P Failure 0,90
LOA 2 : P Success 0,90 | P Failure 0,10
Outcome 1 : First level succeeded. Freq = (0.4)(0.10) = 0.04 /year
Outcome 2 : First level failed, second level succeeded. Freq = (0.4)(0.90)(0.90) = 0.32 /year
Outcome 3 : Both levels failed. Freq = (0.4)(0.90)(0.10) = 0.04 /year

125 Event Tree Limitations
- Limited to one initiating event. An event tree is not an exhaustive approach for identifying various causes that can result in an accident. Other analysis techniques, such as HAZOP, what-if, checklist, or FMEA, should be considered if the objective of the analysis is to identify the causes of potential accidents.
- Can overlook subtle system dependencies. The paths at each branch point in an event tree are conditioned on the events that occurred at previous branch points along the path. For example, if ignition of a flammable release does not occur, there is no fire for subsequent lines of assurance (e.g., fire protection systems) to fight. In this way, many dependencies among lines of assurance are addressed. However, lines of assurance can have subtle dependencies, such as common components, utility systems, operators, etc. These subtle dependencies can be easily overlooked in event tree analysis, leading to overly optimistic estimates of risk.
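The frequency arithmetic of cases 1 and 2 and the dependency limitation described above, as an added Python example that is not part of the original training material. The `shared_cause_fraction` parameter and the value 0.2 used for it are assumptions introduced here; the unrounded case 2 results are 0.324 and 0.036 /year, which the slide shows as 0.32 and 0.04.

```python
from typing import List, Sequence, Tuple

Outcome = Tuple[str, float]  # (accident sequence, frequency per year)


def _check_probability(name: str, p: float) -> None:
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"{name}: probability {p} is outside [0, 1]")


def evaluate_event_tree(
    init_freq: float,
    loas: Sequence[Tuple[str, float]],
    shared_cause_fraction: float = 0.0,
) -> List[Outcome]:
    """Quantify a tree in which a successful LOA ends the sequence and a
    failed LOA challenges the next one (the shape used on the slides).

    loas: ordered (name, P(success when challenged)) pairs.
    shared_cause_fraction: ASSUMED dependency model, not from the slides.
    It is the fraction of failures of one LOA that stem from a cause shared
    with the next LOA (common component, utility system, operator) and that
    therefore defeats the next LOA too. 0.0 means full independence.
    """
    if init_freq < 0:
        raise ValueError("initiating event frequency must be non-negative")
    _check_probability("shared_cause_fraction", shared_cause_fraction)

    outcomes: List[Outcome] = []
    path_freq = init_freq   # frequency of reaching the current branch point
    failed: List[str] = []  # LOAs that have already failed on this path
    for position, (name, p_success) in enumerate(loas):
        _check_probability(name, p_success)
        p_fail = 1.0 - p_success
        if position > 0:
            # This LOA is challenged only after the previous one failed, so
            # its branch probability is conditional on that failure.
            beta = shared_cause_fraction
            p_fail = beta + (1.0 - beta) * p_fail
        prefix = "".join(f"{n} failed, " for n in failed)
        outcomes.append((f"{prefix}{name} succeeded", path_freq * (1.0 - p_fail)))
        path_freq *= p_fail
        failed.append(name)
    outcomes.append(("all lines of assurance failed", path_freq))
    return outcomes


def total_frequency(outcomes: Sequence[Outcome]) -> float:
    """Sequence frequencies must add up to the initiating event frequency."""
    return sum(freq for _, freq in outcomes)


def underestimate_factor(
    init_freq: float,
    loas: Sequence[Tuple[str, float]],
    shared_cause_fraction: float,
) -> float:
    """Ratio of the worst-sequence frequency with the dependency modelled to
    the same frequency under the independence assumption."""
    independent = evaluate_event_tree(init_freq, loas)[-1][1]
    dependent = evaluate_event_tree(init_freq, loas, shared_cause_fraction)[-1][1]
    if independent == 0:
        raise ValueError("independent worst-sequence frequency is zero")
    return dependent / independent


# Branch probabilities taken from the two slides.
CASE_1 = [("LOA 1", 0.95), ("LOA 2", 0.90)]
CASE_2 = [("LOA 1", 0.10), ("LOA 2", 0.90)]

if __name__ == "__main__":
    runs = (
        ("Case 1", CASE_1, 0.0),
        ("Case 2", CASE_2, 0.0),
        ("Case 1, 20% shared-cause failures (assumed)", CASE_1, 0.2),
    )
    for title, loas, beta in runs:
        print(title)
        results = evaluate_event_tree(0.4, loas, beta)
        for sequence, freq in results:
            print(f"  {sequence:<40} {freq:.4f} /year")
        print(f"  {'total':<40} {total_frequency(results):.4f} /year")
    factor = underestimate_factor(0.4, CASE_1, 0.2)
    print(f"Independence understates 'both failed' by a factor of {factor:.1f}")
```

With the assumed 20% shared-cause fraction, the "both levels failed" frequency of case 1 rises from 0.002 to 0.0056 /year while the total stays at 0.4 /year.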

126 Risk Analysis Tools Bow Tie Analysis

127 Bow Tie
[Diagram labels : Hazards; FAULT TREE ( Causes ); Hazardous Event; Incident; Accident; EVENT TREE ( Consequences ); Escalations.]
Fault tree side : Sequences of faults & causes leading to a hazardous event
Event tree side : Sequences of events & failures leading to the escalation of a hazardous event
Event trees and bottom-loop bias
Two forms of risk assessment much used by engineers and project managers:
- The fault tree on the left sets out the chains of faults that could have produced an undesired outcome.
- The event tree on the right sets out the chains of contingencies that could lead to future undesired outcomes.

128 Bow Tie
Causes : Man, Human Errors, Physical Conditions, Qualifications, Machines, Tools & Equipments, Materials & Furniture, Methods & Procedures, Management, Internal Environment, External Environment
Unwanted Event :
- Incidents : Fire or Explosion, Act of piracy, Act of terrorist, Equipment failures, Ship collision
- Accidents : Personnel Injury, Personnel illness
Consequences :
- Social : Loss of lives, Loss of jobs
- Environmental : Air pollution, Water pollution,…
- Economic : Loss of the ship, Cargo damages, Ship damaged, Ship detention, Insurance Premium, Company image, Bankruptcy

129 Bow Tie
[Diagram : bow tie with column headings Hazards, Causes, Proactive controls, Unwanted Event, Reactive controls, Outcomes. Numbered items 1 to 7 sit on either side of the Unwanted Event; the left side is labelled Fault Tree and the right side Event Tree.]

130 Bow Tie
[Diagram : the same bow tie with column headings Hazards, Causes, Proactive controls, Unwanted Event, Reactive controls, Outcomes, the Fault Tree and Event Tree sides, and four "Safety measure" markers added.]
131 Risk Analysis Tools FMEA Failure Mode & Effect Analysis

132 Failure Modes & Effects
Failure Modes and Effects Analysis (FMEA) functions much like a checklist, only a more organized one. There is a standard form which must be filled out, in which each subsystem or component is listed, along with the different ways in which that particular component can fail. Once these failure modes have been listed, the effects of that failure are listed. These numbers are used to provide some idea of how much risk that failure mode places upon users or the environment. Once these have been collected, each failure mode has a possible protective measure listed with it. This provides a list of hazards, risks, and possible countermeasures, and the criticality analysis orders them according to the level of danger they represent.

133 Failure Modes & Effects Analysis
Most common uses
- Used primarily for reviews of mechanical and electrical systems, vessel steering and propulsion systems.
- Used frequently as the basis for defining and optimizing planned equipment maintenance because the method systematically focuses directly and individually on equipment failure.
- Effective for collecting the information needed to troubleshoot system problems.

134 Failure Modes & Effects Analysis
- Like a checklist, but a more organized one.
- Once the failures have been listed, the consequences of each failure are listed.
- Once this information has been collected, possible countermeasures for each failure are listed.

136 Failure Modes & Effects Analysis
This provides :
- List of failures
- List of consequences
- List of possible control measures
Rank them according to the level of risk they represent.

137 FMEA Principles
[Diagram labels : Function or Requirement ?; What can go wrong ? Function failure; Consequences; Cause; Prevention ?; Risk analysis : Severity, Occurrence, Detection; What can be done ? Countermeasures.]

138 FMEA Principles
- What are the functions, features or requirements ?
- What can go wrong ? No function; Partial or degraded function; Intermittent function; Unintended function
- What are the effects ? What are the cause(s) ? How can this be prevented or detected ?
- How bad is it ? How often does it happen ? How good is the method at detecting it ?
- What can be done ? Design changes; Process changes; Special controls; Changes in procedures or spec.

139 FMEA Process
Procedure for FMEA
The procedure for performing an FMEA consists of the following nine steps. Each step is further explained on the following pages.
1.0 Define the system of interest. Specify and clearly define the boundaries of the system for which risk-related information is needed.
2.0 Define the problems of interest for the analysis. Specify the problems of interest that the analysis will address. These may include safety issues, failures in systems such as steering or propulsion, etc.
3.0 Choose the type of FMEA approach for the study. Select a hardware approach (bottom-up), functional approach (top-down), or hybrid approach for applying FMEA.
4.0 Subdivide the system for analysis. Section the system according to the type of FMEA approach selected.
5.0 Identify potential failure modes for elements of the system. Define the fundamental ways that each element of the system can fail to achieve its intended functions. Determine which failures can lead to accidents of interest for the analysis.
6.0 Evaluate potential failure modes capable of producing accidents of interest. For each potential failure that can lead to accidents of interest, evaluate the following:
- The range of possible effects
- Ways in which the failure mode can occur
- Ways in which the failure mode can be detected and isolated
- Safeguards that are in place to protect against accidents resulting from the failure mode
7.0 Perform quantitative evaluation (if necessary). Extend the analysis of potentially important failures by characterizing their likelihood, their severity, and the resulting levels of risk. FMEAs that incorporate this step are referred to as failure modes, effects, and criticality analyses (FMECAs).
8.0 Transition the analysis to another level of resolution (if necessary or otherwise useful). For top-down FMEAs, follow-on analyses at lower (i.e., more detailed) levels of analysis may be useful for finding more specific contributors to system problems. For bottom-up FMEAs, follow-on analyses at higher (i.e., less detailed) levels of analysis may be useful for characterizing performance problems in broader categories. Typically, this would involve system and subsystem characterizations based on previous component-level analyses.
9.0 Use the results in decision making. Evaluate recommendations from the analysis and implement those that will bring more benefits than they will cost over the life cycle of the system.

140 Failure Modes & Effects Analysis
Column headings : Component | Function | Failure Mode | Failure Cause | Failure Detection | End Effect of Failure | Corrective Action | Recom.
Component : Fuel Oil Purifier
Failure mode : Electrical failure
- Failure cause : Switchboard fault or power generation fault, e.g. blackout
- Failure detection : Alarm channel to ECR for purifiers failure
- End effect of failure : Both purifiers failed. Possible blackout. Potential to lead to eventual machinery failure
- Corrective action : Re-establish power supplies. Restart main engine if stopped. Reset purifier operation
- Recom. : Service Tank should be large enough for adequate period on full power operation. A separate electrical distribution (main / emerg.) is provided to each purifier in the event of one switchboard failure.
Failure mode : Mechanical failure
- Failure cause : Loss of lubrication due to degraded component. Inadequate or incorrect maintenance. Incorrect operation.
- Failure detection : Alarm channel to ECR for purifiers failure
- End effect of failure : One purifier failed, stand-by unit available
- Corrective action : Run up and put stand-by unit on line
Comment : Human error can contribute towards these failures
BRENNAN & PEACHEY

141 Failure Modes & Effects Analysis
MIL-STD-1629A

142 FMEA Interpretation
RPN = O x S x D
There are three components that help define the Relative Priority Number (RPN) concerning failures:
Occurrence (O) - Frequency of the failure.
Severity (S) - Consequences of the failure.
Detection (D) - Ability to detect the failure before it reaches the next step.

143 Example of Ranking Criteria
Effect of occurrence ( rank ) : 1 Minor | 2-3 Low | 4-6 Moderate | 7-9 High | 10 Very high
Effect of severity ( rank ) : 1-2 Minor | 3-5 Low | 6-7 Moderate | 8-9 High | 10 Very high
Effect of detection ( rank ) : 1-2 Very high | 3-4 High | 5-7 Moderate | 8-9 Low | 10 Very low

144 Occurrence Ranking Criteria
Rank | Effect of occurrence | Description
1 | Minor | Failure is minor, not more than 2 minutes. Failure will not result / cause the machine down.
2-3 | Low | Failure will result / cause the machine down less than 25 minutes. This is a remote probability of occurrence during the operation time interval, unscheduled repair needed, quantitative & qualitative of output will be affected. Minor failure frequency is less than 2 times within 1 hour.
4-6 | Moderate | An occasional probability of occurrence during operating time interval. Machine down is more than 30 minutes, quantity & quality of the output will be affected. Failure will result / cause disruption to subsequent process. Minor failure frequency is less than 5 times within 1 hour.
7-9 | High | Failure will result / cause the equipment damage and unscheduled repairs. Machine down more than 2 hours ( less than 6 hours ), a moderate probability of occurrence during operating time, the failure is minor alarm or stop less than 5 minutes, quantity and quality of output will affect, unscheduled repairs need and frequency minor failure is more than 5 times within 1 hour.
10 | Very high | Failure will result / cause disruption stop. Machine down is more than 6 hours. This is unlikely probability of occurrence during the operating time interval ( Once every 2 months ) or high probability of occurrence during operation. More than 10 times within 1 hour for minor down.

145 Severity Ranking Criteria
Rank | Effect of severity | Description
1-2 | Minor | Failure is of a minor nature and would cause the real effect on product. The lead time required from the part is order ( no more 2 hours ) or looking in store and for installation & repair are completed not more than 15 minutes.
3-5 | Low | The lead time required from the part is order ( no more 3 hours ) or looking in store and for installation and repair are completed not more than 90 minutes.
6-7 | Moderate | The lead time required from the part is order ( more than 3 hours ) or looking in store and for installation and repair are completed more than 5 hours.
8-9 | High | The lead time required from the part is order ( more than 4 hours ) or looking in store and for installation and repair are completed more than 12 hours.
10 | Very high | Failure will result in the shutting down due to late shipment ( more than 2 days ) and no stock keep, or installation and repairing more than 24 hours.

146 Detection Ranking Criteria
Rank | Effect of detection | Description
1-2 | Very high | Low probability that the defect or equipment warning signals will be detected. More than 6 months
3-4 | High | Equipment warning signals will be detected. More than 3 months but less than 6 months.
5-7 | Moderate | Equipment warning signals will be detected. Not more than 1 month.
8-9 | Low | High probability that the defect will be detected more likely and equipment warning signals will be detected to detect the existence of a defect. Mostly less than 1 week.
10 | Very low | Very high probability that the defect will be detected. Equipment warning signals will be detected. Not more than 1 day.
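The RPN = O x S x D ranking applied to a small worksheet, as an added Python example that is not part of the original training material. The rank bands come from the ranking-criteria slides and the failure modes from the worksheets in this material; the O, S and D ranks assigned to them are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Rank bands from the ranking-criteria slides: (lowest, highest, label).
BANDS = {
    "occurrence": [(1, 1, "Minor"), (2, 3, "Low"), (4, 6, "Moderate"),
                   (7, 9, "High"), (10, 10, "Very high")],
    "severity": [(1, 2, "Minor"), (3, 5, "Low"), (6, 7, "Moderate"),
                 (8, 9, "High"), (10, 10, "Very high")],
    "detection": [(1, 2, "Very high"), (3, 4, "High"), (5, 7, "Moderate"),
                  (8, 9, "Low"), (10, 10, "Very low")],
}


def band(scale: str, rank: int) -> str:
    """Translate a 1-10 rank into the label used on the slides."""
    if isinstance(rank, bool) or not isinstance(rank, int):
        raise TypeError(f"{scale} rank must be an integer, got {rank!r}")
    for low, high, label in BANDS[scale]:
        if low <= rank <= high:
            return label
    raise ValueError(f"{scale} rank {rank} is outside 1-10")


@dataclass(frozen=True)
class FailureMode:
    item: str
    mode: str
    occurrence: int
    severity: int
    detection: int

    def __post_init__(self) -> None:
        # Reject a worksheet row whose ranks fall outside the 1-10 scales.
        for scale in BANDS:
            band(scale, getattr(self, scale))

    @property
    def rpn(self) -> int:
        return self.occurrence * self.severity * self.detection


def prioritise(modes: Iterable[FailureMode]) -> List[FailureMode]:
    """Highest RPN first; equal RPNs are ordered by severity, then by name."""
    return sorted(modes, key=lambda m: (-m.rpn, -m.severity, m.item, m.mode))


def worksheet(modes: Iterable[FailureMode]) -> List[str]:
    """One printable line per failure mode, in priority order."""
    return [
        f"{m.rpn:4d}  {m.item}: {m.mode}  "
        f"O={m.occurrence} ({band('occurrence', m.occurrence)}), "
        f"S={m.severity} ({band('severity', m.severity)}), "
        f"D={m.detection} ({band('detection', m.detection)})"
        for m in prioritise(modes)
    ]


# Failure modes named in this material; the ranks are constructed.
SAMPLE = [
    FailureMode("Fuel Oil Purifier", "Electrical failure", 2, 9, 2),
    FailureMode("Fuel Oil Purifier", "Mechanical failure", 5, 4, 2),
    FailureMode("Relay coil", "Coil fails to produce EMF", 3, 6, 5),
    FailureMode("Switch", "Fails to open", 2, 8, 9),
]

if __name__ == "__main__":
    for line in worksheet(SAMPLE):
        print(line)
```

With these constructed ranks the switch failure comes first because its detection rank is poor, and the purifier electrical failure ranks below the mechanical one despite its higher severity.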

147 Failure Modes & Effects Analysis
Column headings : Item identification | Function | Failure mode | Failure cause | Failure effect on : Component or Functional assembly, Next higher assembly, System | Failure detection method
Switch : Initiates Motor power function. Fails to open. Release spring failure. None. Maintenance energy to circuit relay. Maintains energy to power circuit through relay. Motor continues to run. Smoke visual when power circuit wire overheats.
Battery # 2 ( Relay circuit ) : Provides relay voltage. Fails to provide adequate power. Depleted battery. None. Battery gets hot and depletes. Fails to operate relay circuit. System fails to operate. Motor not running.
Relay coil : Closes relay contacts when energized. Coil fails to produce EMF. Coil shorted or open. Does not close relay contacts. Does not energize power circuit. System fails to operate. Motor not running.
Motor : Provides desired mechanical event. Fails to operate. Motor shorted. Motor over heats. High current in power circuit. Overheat Pwr Circuit breaker fails to open and switch or relay fails. Smoke visual.

148 Failure Modes & Effects Analysis
Limitations - Examination of human error is limited. - Focus is on single event initiator of problems. - Examination of external influences is limited. Limitations of FMEA Although the FMEA methodology is highly effective in analyzing various system failure modes, this technique has four limitations: Examination of human error is limited. A traditional FMEA uses potential equipment failures as the basis for the analysis. All of the questions focus on how equipment functional failures can occur. A typical FMEA addresses potential human errors only to the extent that human errors produce equipment failures of interest. Misoperations that do not cause equipment failures are often overlooked in an FMEA. Focus is on single-event initiators of problems. A traditional FMEA tries to predict the potential effects of specific equipment failures. These equipment failures are generally analyzed one by one, which means that important combinations of equipment failures may be overlooked. Examination of external influences is limited. A typical FMEA addresses potential external influences (environmental conditions, system contamination, external impacts, etc.) only to the extent that these events produce equipment failures of interest. External influences that directly affect vessel safety, port safety, and crew safety are often overlooked in an FMEA if they do not cause equipment failures. Results are dependent on the mode of operation. The effects of certain equipment failure modes often vary widely, depending on the mode of system operation. For example, the steering system on a vessel is of little importance while the vessel is docked and is unloading cargo. A single FMEA generally accounts for possible effects of equipment failures only during one mode of operation or a few closely related modes of operation. More than one FMEA may, therefore, be necessary for a system that has multiple modes of operation. - Results dependent on the mode of operation. 

149 Risk Analysis Tools HAZOP Hazard & Operability Analysis

150 Hazard Operability
A methodology for safety analysis that is highly rigorous and precise. It involves:
- A system model where each component is described with a list of attributes that support the function of a component.
- A list of guide words with well-defined meanings, which is then applied to each attribute to determine the effect of any deviation from the normal operating function.
Hazard and operability analysis (HAZOP) is a methodology for safety analysis that is highly rigorous, precise, and involved.
- A system model is constructed and each component is described with a list of attributes that describe the function of that component.
- A list of guide words with well-defined meanings is then applied to each attribute to determine the effect of the deviation from normal operation described by that attribute. For example, a pipe might have the attribute flow, for which the guide word backwards would mean backwards flow through the pipe.
By having a well-defined set of guide words and a good system model, as well as expert analysts, this method attempts to be completely rigorous in its application.

151 HAZOP : Guide Words
[Diagram] Guide words: Skip, Part of, Out of sequence, Other than, Reverse, As well as, Less, More. Diagram labels: Errors, Safeguards, Consequences, Actions.

152 Hazard Operability
Most common uses
Primarily for identifying safety hazards and operability problems of continuous process systems, especially fluid and thermal systems. Also used to review procedures and sequential operations.

153 HAZOP Principles
[Diagram: Normal Operation, with Deviation 1, Deviation 2, Deviation 3 and Deviation 4, each shown with a Potential Incident*]
*What if appropriate safeguards fail
Deviation: see Guide Word & Process Condition
Brief summary of characteristics
A systematic, highly structured assessment relying on HAZOP guide words and team brainstorming to generate a comprehensive review and ensure that appropriate safeguards against accidents are in place.
- Typically performed by a multidisciplinary team.
- Applicable to any system or procedure.
- Used most as a system-level risk assessment technique.
- Generates primarily qualitative results, although some basic quantification is possible.

154 HAZOP Deviation Guide
Guide words (columns): No, Not, None / Less, Low, Short / More, High, Long / Part of / As well as, Also / Other than / Reverse
Process variables (rows), with the deviation for each guide word ("_" marks a blank cell):
- Flow: No flow / Low rate, low total / High rate, high total / Missing ingredient / Misdirection, impurities / Wrong material / Backflow
- Pressure: Open to atmosphere / Low pressure / High pressure / _ / _ / _ / Vacuum
- Temperature: Freezing / Low temp. / High temp. / _ / _ / _ / Auto-refrigeration
- Level: Empty / Low level / High level / Low interface / High interface / _ / _
- Agitation: No mixing / Poor mixing / Excessive mixing / Mixing interruption / Foaming, extra phase / _ / Phase separation
- Reaction: No reaction / Slow reaction / Runaway reaction / Partial reaction / Side reaction / Wrong reaction / Decomposition
- Speed: Stopped / Too slow / Too fast / Out of synchron. / _ / Web or belt break / Backward

155 HAZOP Process
1.0 Identify the item
2.0 Define the design intent of the item
3.0 Apply the first deviation to item. What are the consequences?
4.0 Identify all of the causes of the deviation
5.0 Identify engineering and administrative controls that protect the item
6.0 Develop recommendations (if necessary)
7.0 Summarize the information collected for this deviation
8.0 Repeat step 5 through 9 for the remaining deviations
9.0 Repeat step 3 through 9 for the remaining items
Procedure for FMEA
The procedure for performing an FMEA consists of the following nine steps. Each step is further explained on the following pages.
1.0 Define the system of interest. Specify and clearly define the boundaries of the system for which risk-related information is needed.
2.0 Define the problems of interest for the analysis. Specify the problems of interest that the analysis will address. These may include safety issues, failures in systems such as steering or propulsion, etc.
3.0 Choose the type of FMEA approach for the study. Select a hardware approach (bottom-up), functional approach (top-down), or hybrid approach for applying FMEA.
4.0 Subdivide the system for analysis. Section the system according to the type of FMEA approach selected.
5.0 Identify potential failure modes for elements of the system. Define the fundamental ways that each element of the system can fail to achieve its intended functions. Determine which failures can lead to accidents of interest for the analysis.
6.0 Evaluate potential failure modes capable of producing accidents of interest. For each potential failure that can lead to accidents of interest, evaluate the following:
- The range of possible effects
- Ways in which the failure mode can occur
- Ways in which the failure mode can be detected and isolated
- Safeguards that are in place to protect against accidents resulting from the failure mode
7.0 Perform quantitative evaluation (if necessary). Extend the analysis of potentially important failures by characterizing their likelihood, their severity, and the resulting levels of risk. FMEAs that incorporate this step are referred to as failure modes, effects, and criticality analyses (FMECAs).
8.0 Transition the analysis to another level of resolution (if necessary or otherwise useful). For top-down FMEAs, follow-on analyses at lower (i.e., more detailed) levels of analysis may be useful for finding more specific contributors to system problems. For bottom-up FMEAs, follow-on analyses at higher (i.e., less detailed) levels of analysis may be useful for characterizing performance problems in broader categories. Typically, this would involve system and subsystem characterizations based on previous component-level analyses.
9.0 Use the results in decision making. Evaluate recommendations from the analysis and implement those that will bring more benefits than they will cost over the life cycle of the system.

156 Conduct HAZOP Reviews
Step 1. Introduce the team members.
Step 2. Describe the HAZOP approach.
Step 3. Identify Item.
Step 4. Ask the team to define the design intent of the item.
Step 5. Apply the first deviation to Item, and ask the team "What are the consequences of this deviation?"
Step 6. After the team has exhausted its analysis of accidents, prompt the team to identify all of the causes of the deviation.
Step 7. Identify the engineering and administrative controls that protect against the system upset.
Step 8. If the team is concerned that the level of protection is not adequate for the particular system upset, then the team should develop recommendations to investigate alternatives.
Step 9. Summarize the information collected for this deviation.
Step 10. Repeat Steps 5 through 9 for the remaining deviations associated with this item.
Step 11. Repeat Steps 3 through 10 for the remaining items.
Conduct HAZOP reviews
The systematic analysis process of the HAZOP technique is conducted in the following manner:
Step 1. Introduce the team members.
Step 2. Describe the HAZOP approach.
Step 3. Identify Section 1.
Step 4. Ask the team to define the design intent of Section 1.
Step 5. Apply the first deviation to Section 1, and ask the team "What are the consequences of this deviation?" Allow time for the team to consider the system upset. Some prompting may be necessary to get the discussion going. If no accidents of interest are identified, go back to the beginning of Step 5 and apply the next deviation. If there are no credible accidents, there is no need for the team to investigate causes or safeguards.
Step 6. After the team has exhausted its analysis of accidents, prompt the team to identify all of the causes of the deviation.
Step 7. Identify the engineering and administrative controls that protect against the system upset. Remember, these controls can be either preventive (i.e., they help prevent the upset from occurring) or mitigative (i.e., they help reduce the severity of the accidents associated with the upset if it occurs).
Step 8. If the team is concerned that the level of protection is not adequate for the particular system upset, then the team should develop recommendations to investigate alternatives. Level of protection includes the number, type, and pedigree of the safeguards.
Step 9. Summarize the information collected for this deviation.
Step 10. Repeat Steps 5 through 9 for the remaining deviations associated with this section.
Step 11. Repeat Steps 3 through 10 for the remaining sections.

157 HAZOP Worksheets
Document the worksheet with the following information:
- Subject
- Item
- Deviation
- Causes
- Consequences
- Safeguards
- Recommendations
Develop HAZOP worksheets
During the meeting, the scribe will document the HAZOP information on worksheets. The following information will be documented for the HAZOP:
- Section. Name of the section. This is usually documented by the leader and scribe before the meeting.
- Intent. The team will describe the design intent for the particular HAZOP section being analyzed. Declaring this intent is important, because the remainder of the discussion will focus on ways that the process can deviate from this intent.
- Deviation. Specific deviation that will be analyzed by the team.
- Causes. Credible causes for the deviation as postulated by the HAZOP team.
- Accidents. Ultimate accidents of the deviation as postulated by the HAZOP team. These should correspond to the problems of interest that were defined as an objective for the study.
- Safeguards. Engineering and administrative controls that protect against the deviations. These safeguards can either help prevent the cause from occurring or help mitigate the severity of the accidents should the cause occur.
- Recommendations. Suggestions made by the team to help reduce the risk associated with specific issues if the team is not comfortable with the level of safeguards that currently exist.

158 HAZOP Worksheet
HAZOP review of Barge Filling Operations at a Typical Small Fueling Terminal
1.0 Line from a storage Tank to the Barge Manifold (Including Hose), Part 2
Columns: Item, Deviation, Causes, Consequences, Safeguards, Recommendations
Item 1.4. Deviation: Reverse flow.
- Causes: No credible causes (maximum level in barge tanks is below facility grade level).
- Typical arrangement had a check valve at the discharge of the loading pump if a centrifugal pump is used.
Item 1.7. Deviation: High pressure.
- Causes: Lower flow rate because of a deadheaded pump (see deviation 1.2). Thermal expansion of liquid isolated between closed valves.
- Consequences: Potential leak or rupture of the piping (see deviation 1.10).
- Safeguards: Regulations specify the maximum allowable pressure for transfer operations. Relief valve at the discharge of gear pumps (typically installed). Lines typically drain to barge tanks before valves are closed, minimizing the potential for isolating liquid-full lines.
- Recommendation: Verify that a relief valve is required at the discharge of positive displacement pumps that are capable of damaging the piping system (including the transfer hose) if a deadheading occurs.
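An added example, not part of the original training material, of the review loop in Steps 3 to 11 filling in worksheet rows from the Flow and Pressure rows of the deviation guide. The first two findings follow the barge filling worksheet and the "No flow" finding is constructed; the rule that flags a row with consequences but no safeguards or recommendations is an assumption standing in for the team's Step 8 judgement.

```python
from dataclasses import dataclass, field

# Guide words (column headings of the deviation guide, first word of each group).
GUIDE_WORDS = ["No", "Less", "More", "Part of", "As well as", "Other than", "Reverse"]

# Flow and Pressure rows of the deviation guide; None is a cell the guide leaves blank.
DEVIATION_GUIDE = {
    "Flow": ["No flow", "Low rate, low total", "High rate, high total",
             "Missing ingredient", "Misdirection, impurities", "Wrong material", "Backflow"],
    "Pressure": ["Open to atmosphere", "Low pressure", "High pressure",
                 None, None, None, "Vacuum"],
}


@dataclass
class Row:
    """One worksheet line: item, deviation, causes, consequences, safeguards, recommendations."""
    item: str
    deviation: str
    consequences: list = field(default_factory=list)
    causes: list = field(default_factory=list)
    safeguards: list = field(default_factory=list)
    recommendations: list = field(default_factory=list)
    status: str = "not reviewed"


def review(item, parameters, findings):
    """Steps 5-10 for one item: apply every deviation and record the team's findings.

    findings maps (parameter, guide word) to what the team said; a missing key
    means the deviation was never put to the team.
    """
    rows = []
    for parameter in parameters:
        for guide_word, deviation in zip(GUIDE_WORDS, DEVIATION_GUIDE[parameter]):
            if deviation is None:  # the guide has no meaningful deviation here
                continue
            row = Row(item, deviation)
            said = findings.get((parameter, guide_word))
            if said is not None:
                row.consequences = said.get("consequences", [])
                if not row.consequences:
                    # Step 5: no accidents of interest, so causes and safeguards are skipped.
                    row.status = "no accidents of interest"
                else:
                    row.causes = said.get("causes", [])
                    row.safeguards = said.get("safeguards", [])
                    row.recommendations = said.get("recommendations", [])
                    # Assumed rule standing in for the team's Step 8 judgement.
                    unprotected = not row.safeguards and not row.recommendations
                    row.status = "needs recommendation" if unprotected else "documented"
            rows.append(row)
    return rows


def with_status(rows, status):
    """Deviations whose worksheet row carries the given status."""
    return [r.deviation for r in rows if r.status == status]


# Constructed findings: the first two follow the barge filling worksheet, the third is invented.
FINDINGS = {
    ("Flow", "Reverse"): {"consequences": []},
    ("Pressure", "More"): {
        "consequences": ["Potential leak or rupture of the piping"],
        "causes": ["Deadheaded pump", "Thermal expansion of liquid between closed valves"],
        "safeguards": ["Relief valve at the discharge of gear pumps"],
        "recommendations": ["Verify relief valve requirement for positive displacement pumps"],
    },
    ("Flow", "No"): {"consequences": ["Transfer does not start"], "causes": ["Valve left closed"]},
}

ROWS = review("1.0 Line from storage tank to barge manifold", ["Flow", "Pressure"], FINDINGS)
```

Calling `with_status(ROWS, "not reviewed")` lists the deviations the team never considered, which is the coverage gap a worksheet audit should close before the review is signed off.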

159 HAZOP Worksheet
Columns: Item #, Deviation, Causes, Consequences, Safeguards, Rcd.
Step: Review appropriate documents, check logs, etc.
Item 1.1. Deviation: Missing. No missing steps were identified.
Item 1.2. Deviation: Skip.
- Causes: Communication barriers with foreign languages. Many inspectors agencies on board do not allow adequate time to communicate expectations. Time constraints on vessel trying to leave port quickly with commercial pressure to perform rapid inspection.
- Consequences: Potential to skip later steps because Coast Guard expectations are not communicated to the crew, creating the potential for accident/injury or loss of commerce. Potential for inexperienced crew to perform the test, with the potential for accident or injury later in the test. Potential for loss of commerce due to delay in passing the inspection/drill. Vessel may be held to an inappropriate standard.
- Safeguards: Flexibility of the C.G. to work with portions of the crew, so that other portion of the crew can work with other agencies. Standardized C.G. expectations that are conducted/communicated very frequently. Minimum of 2 C.G. staff members, at least one being well trained.
Item 1.5. Deviation: Less. Same as skip.
Item 1.6. Deviation: Out of sequence. No consequence of interest if performed before the drill.

160 HAZOP Worksheet
[Blank worksheet form] Header fields: Project Description, Team members, Team leader, Date, Minutes by, Pages. Column headings: Ref #, Guide word, Possible Cause(s), Consequence, Existing Safeguard, Recommendations, Action, Accountability.

161 HAZOP Worksheet (BRENNAN & PEACHEY)
Columns: Item, Deviation, Possible causes, Consequences, Safeguards, Action required
- Item: Fuel Oil Service Tank. Deviation: High level. Possible causes: Purifier flow rate to tank higher than engine consumption. Consequences: Overflow to settling tank. Safeguards: None. Action required: None.
- Possible causes: Water ingress from steam heating coil. Consequences: Erratic engine operation. Safeguards: De-sludging valve; Watchkeeping procedures; Engine failure alarms. Action required: Consider cost benefit for the installation of water content monitors.
- Possible causes: Water ingress from external source. Consequences: Erratic engine operation. Safeguards: As above, and Air vent closures required by class. Action required: As above.
- Item: Fuel Oil Service Tank. Deviation: Low temperature. Possible causes: Steam supply failure. Consequences: Increased heat transfer required at the engine fuel heater in Inconvenient. Safeguards: Watchkeeping procedures. Action required: None.
- Possible causes: Low temperature supply from unheated fuel oil purifiers. Consequences: As above. Safeguards: As above. Action required: None.


163 HAZOP Worksheet
[Diagram] Labels: Hazards, Causes, Proactive safeguards, Event, Reactive safeguards, Consequences, Safety measure, Recommendations.

164 HAZOP Limitations
- A well-defined system or activity is required.
- Time consuming.
- Focuses on one event causing the deviations.
Limitations of the HAZOP Technique
Requires a well-defined system or activity. The HAZOP process is a rigorous analysis tool that systematically analyzes each part of a system or activity. To apply the HAZOP guide words effectively and to address the potential accidents that can result from the guide word deviations, the analysis team must have access to detailed design and operational information. The process systematically identifies specific engineered safeguards (e.g., instrumentation, alarms, and interlocks) that are defined on detailed engineering drawings.
Time consuming. The HAZOP process systematically reviews credible deviations, identifies potential accidents that can result from the deviations, investigates engineering and administrative controls to protect against the deviations, and generates recommendations for system improvements. This detailed analysis process requires a substantial commitment of time from both the analysis facilitator and other subject matter experts, such as crew members, engineering personnel, equipment vendors, etc.
Focuses on one-event causes of deviations. The HAZOP process focuses on identifying single failures that can result in accidents of interest. If the objective of the analysis is to identify all combinations of events that can lead to accidents of interest, more detailed techniques should be used. One example would be fault tree analysis.

165 Risk Assessment
Remember… tools are only tools to help you.
If something is “obvious” it probably doesn’t need a risk assessment to act.
[Chart] Risk score scale: Very high risk, Substantial, Definite Risk, Perhaps acceptable. Justification factor scale: Highly worthwhile, Justified, Of doubtful merit.

166 In closing

167 Do not start a new project unless risk analysis has been completed.

168 Do not start the risk assessment before the intent of the project is clear.

169 Do not start a risk assessment unless the event of interest is well defined and the need is recognized by the participants.


