
Risk Analysis and Risk Management

CONSTANTA MARITIME UNIVERSITY

RISK ANALYSIS AND RISK MANAGEMENT


(Course support)

Constanta


Content
Introduction
1. Hazard classification and assessment
    Risk assessment definitions
    The basics of risk assessment
2. Quantitative risk assessment
3. Hazard identification
    Hazard identification (HAZID) technique
    What-if analysis
    Checklist analysis
    Hazard and operability (HAZOP) analysis
    Failure modes and effects analysis (FMEA)
    Contribution of "Human Factors" issues
    Frequency assessment methods
    Consequence assessment methods
    Risk evaluation and presentation
4. Conducting a risk assessment
    Set up of risk analysis
    Selecting the right approach
    Key factors in selecting methods
    Selecting an approach
    Conducting the assessment and follow-up
    Risk assessment limitations and potential problems
5. Hazards and safety regulations for offshore oil and gas systems
    Major hazards of offshore oil and gas production
    National developed offshore oil and gas regulatory
    Future trends
6. Safety measures in design and process operations
    Introduction to ship design
    The ship design process
    Design principles in ship economics
    Risk management for designing of systems and functions
7. Safety-based design for offshore vessels
    Safety approach and formal safety assessment of offshore ships
    Innovative offshore vessels design
8. Marine systems risk modeling
    Planning, forecasting, decision making and safety management
    Expert methods for safety assessment
    Nature of uncertainty and risk analysis
    Decision theory
    Modeling decision problems
9. Risk based survey
    A quantitative model for equipment with measurable damage rate
10. Benefits of risk assessment
    Identification of hazards and protection against
    Improving operations
    Efficient use of resources
    Developing or complying with rules and regulations
11. Management measures to prevent major accidents
Bibliography



Introduction
The ability to make wise decisions is critical to a successful business enterprise. In today's
complex world, business decisions are seldom simple or straightforward. Components of a good
decision making process include:
• identification of a wide range of potential options (allowing for novel approaches),
• effectively evaluating each option's relative merits,
• appropriate levels of input and review,
• timely and fair decision-making methods, and
• effective communication and implementation of the decision which is made.
Risk assessment is typically applied as an aid to the decision-making process. As options are
evaluated, it is critical to analyze the level of risk introduced with each option. The analysis can
address financial risks, health risks, safety risks, environmental risks and other types of business
risks.
An appropriate analysis of these risks will provide information which is critical to good decision
making, and will often clarify the decision to be made. The information generated through risk
assessment can often be communicated to the organization to help impacted parties understand
the factors which influenced the decision.
Risk assessment is not a new field. Formal risk assessment techniques have their origins in the
insurance industry. As the industrial age progressed, and businesses began to make large capital
investments, it became a business necessity to understand the risks associated with the
enterprises being undertaken and to be able to manage the risk using control measures and
insurance. For insurance companies to survive, it became imperative that they be able to
calculate the risks associated with the insured activities.
In more recent times, in efforts to protect their citizens and natural resources, governments have
become involved, requiring corporations to employ risk-reducing measures, secure certain types
of insurance and even, in some cases, demonstrate that they can operate with an acceptable level
of risk.
During the 1980s and 1990s, more and more governmental agencies have required industry to
apply risk assessment techniques. For instance, the U.S. Environmental Protection Agency
requires new facilities to describe worst case and expected environmental release scenarios
as part of the permitting process. Also, the United Kingdom requires submittal of Safety Cases
which are intended to demonstrate the level of risk associated with each offshore oil and gas
production facility.
As corporations have become more familiar with risk assessment techniques, these techniques
are applied more frequently to improve their decision-making processes, even when there is no
regulatory requirement to do so. As access to data and analytical techniques continues to
improve, risk assessment will continue to become easier to perform and more applications, both
mandatory and voluntary, can be expected.



1. Hazard classification and assessment
1.1. Risk assessment definitions

The term "risk" is used in a variety of ways in everyday speech. We frequently refer to activities
such as rock-climbing or day-trading stocks as "risky"; or discuss our "risk" of getting the flu
this coming winter. In the case of rock-climbing and day-trading, "risky" is used to mean
hazardous or dangerous. In the latter reference, "risk" refers to the probability of a defined
outcome (the chance of contracting the flu). Before beginning a discussion of risk assessment, it
is important to provide a clear definition of the term "risk" and some of the other terminology
used in the risk assessment field.
For our purposes, we will limit our discussion to the risk of unintended incidents occurring
which may threaten the safety of individuals, the environment or a facility's physical assets. In
this setting, we can define a number of terms:
• Hazards or threats are conditions which exist which may potentially lead to an
undesirable event.
• Controls are the measures taken to prevent hazards from causing undesirable events.
Controls can be physical (safety shutdowns, redundant controls, conservative designs,
etc.), procedural (written operating procedures), and can address human factors
(employee selection, training, supervision).
• An event is an occurrence that has an associated outcome. There are typically a number
of potential outcomes from any one initial event which may range in severity from trivial
to catastrophic, depending upon other conditions and add-on events.
• Risk is composed of two elements, frequency and consequence. Risk is defined as the
product of the frequency with which an event is anticipated to occur and the consequence
of the event's outcome.

Risk = Frequency × Consequence

• The frequency of a potential undesirable event is expressed as events per unit time,
usually per year. The frequency should be determined from historical data if a significant
number of events have occurred in the past. Often, however, risk analyses focus on
events with more severe consequences (and low frequencies) for which little historical
data exist. In such cases, the event frequency is calculated using risk assessment models.
• Consequence can be expressed as the number of people affected (injured or killed),
property damaged, amount of spill, area affected, outage time, mission delay, dollars lost,
etc. Regardless of the measure chosen, the consequences are expressed per event. Thus
the above equation has the units events/year times consequences/event, which equals
consequences/year, the most typical quantitative risk measure.

1.2. The basics of risk assessment

Risk assessment is the process of gathering data and synthesizing information to develop an
understanding of the risk of a particular enterprise. To gain an understanding of the risk of an
operation, one must answer the following three questions:
• What can go wrong?
• How likely is it?
• What are the impacts?
Qualitative answers to one or more of these questions are often sufficient for making good
decisions. However, as managers seek more detailed cost/benefit information upon which to base
their decisions, they may wish to use quantitative risk assessment (QRA) methods.

Figure 1.1. Elements of Risk Assessment

Before initiating a risk assessment, all parties involved should have a common understanding of
the goals of the exercise, the methods to be used, the resources required, and how the results will
be applied.



2. Qualitative risk assessment
Having identified a range of risks, it is necessary to consider which are the most serious in order to
determine where to focus attention and resources. We have to understand both their relative
priority and absolute significance.
Humans are not generally good at analyzing risk. They tend to take decisions swayed by their
emotional response to a situation rather than an objective assessment of relative risk. Given half
a chance most of them will believe what they want to believe and selectively filter out
information that does not support their case. They are similarly bad at looking at probability in a
holistic way. People generally focus on risks that have occurred recently even though another
risk may have happened exactly the same number of times over the last five years.
We must nonetheless accept that most of the risk analysis done in our environment will be of a
qualitative nature. Few of us have the skills, time or resources to undertake the kind of
quantitative modelling that goes on in major projects in the commercial sector.
Identification and analysis of risk involves a range of people. Each will of course bring their own
bias to the analysis but if you understand your organization and stakeholders it ought to be
possible to separate out the valuable experience from the personal agendas. One technique that is
sometimes used to keep politics out of this type of discussion is the Delphi Technique. Using this
technique opinions are gathered anonymously then cross-checked with a range of experts. The
experts are simply looking at the data presented rather than dealing with the personalities
involved.
In deciding how serious a risk is we tend to look at two parameters:
• Probability: the likelihood of the risk occurring
• Impact: the consequences if the risk does occur
Impact can be assessed in terms of its effect on:
• Time
• Cost
• Quality
There is also a third parameter that needs to be considered:
• Risk proximity: when will the risk occur?
Proximity is an important factor yet it is one that is often ignored. Certain risks may have a
window of time during which they will impact. A natural tendency is to focus on risks that are
immediate when in reality it is often too late to do anything about them and we remain in firefighting mode. By thinking now about risks that are 18 months away we may be able to manage
them at a fraction of the impact cost.
Another critical factor relating to risk proximity is the point at which we start to lose options. At
the start of a project there may be a variety of approaches that could be taken and as time goes on
those options narrow down.
Assessment of both probability and impact is subjective but your definitions need to be at an
appropriate level of detail for your project. The scale for measuring probability and impact can
be numeric or qualitative but either way you must understand what those definitions mean. Very
often the scale used is high, medium and low. This is probably too vague for most projects. On
the other hand a percentage scale from 1-100 is probably too detailed.
Use enough categories so that you can be specific but not so many that you waste time arguing
about details that won't actually affect your actions. Experience suggests that a five-point scale
works well for most projects. A suggested scale is:

Scale | Probability | Impact
--- | --- | ---
Very low | Unlikely to occur | Negligible impact
Low | May occur occasionally | Minor impact on time, cost or quality
Medium | Is as likely as not to occur | Notable impact on time, cost or quality
High | Is likely to occur | Substantial impact on time, cost or quality
Very high | Is almost certain to occur | Threatens the success of the project

Table 2.1. Five-point scale

Risk Matrix Methods. Risk matrices provide a traceable framework for explicit consideration of
the frequency and consequences of hazards. This may be used to rank them in order of
significance, screen out insignificant ones, or evaluate the need for risk reduction of each hazard.
A risk matrix uses a matrix dividing the dimensions of frequency (also known as likelihood or
probability) and consequence (or severity) into typically 3 to 6 categories. There is little
standardisation in matters such as the size of the matrix, the labelling of the axes etc. To illustrate
this, three different risk matrix approaches are presented below.
In each case, a list of hazards is generated by a structured HAZID technique, and each hazard is
allocated to a frequency and consequence category according to qualitative criteria. The risk
matrix then gives some form of evaluation or ranking of the risk from that particular hazard.
Sometimes risk matrices use quantitative definitions of the frequency and consequence
categories. They may also use numerical indices of frequency and consequence (e.g. 1 to 5) and
then add the frequency and consequence pairs to rank the risks of each hazard or each box on the
risk matrix. In the terms of this guide, this does not constitute quantification (semi or full) and
the technique is still classed as qualitative.
Defence Standard Matrix. This sets out a 6 x 4 risk matrix based on frequency and consequence
definitions as follows. The severity categories are defined as:

Category | Definition
--- | ---
Catastrophic | Multiple deaths
Critical | A single death; and/or multiple severe injuries or severe occupational illness
Marginal | A single severe injury or occupational illness; and/or multiple minor injuries or minor occupational illness
Negligible | At most a single minor injury or minor occupational illness.

Figure 2.1. Defence standard matrix



There are four decision classes:

Risk class | Interpretation
--- | ---
A | Intolerable
B | Undesirable and shall only be accepted when risk reduction is impracticable
C | Tolerable with the endorsement
D | Tolerable with the endorsement

Figure 2.2. Decision classes


The actual risk matrix (with the decision classes shown) used in the maritime industry is as follows:

Frequency | Catastrophic | Critical | Marginal | Negligible
--- | --- | --- | --- | ---
Frequent | A | A | A | B
Probable | A | A | B | C
Occasional | A | B | C | C
Remote | B | C | C | D
Improbable | C | C | D | D
Incredible | C | D | D | D

Figure 2.3. Risk matrix (DNV)

ISO Risk Matrix. This provides a 5 x 5 risk matrix with consequence and likelihood categories
that are easier for many people to interpret.
The ISO matrix uses 4 types of consequence category: people, assets, environment and
reputation reflecting current good practice in integrating safety and environmental risk decision
making. The inclusion of asset and reputation risk is more for corporate well-being, but is useful
as it makes the risk matrix central to the total risk decision process used by companies.
The ISO risk matrix uses more factual likelihood terminology ("has occurred in operating
company") instead of more general statements ("remote - likely to occur some time"). Whilst
this makes it easier to apply, it also highlights the difficulty of these approaches for novel
technology, with no operational reliability statistics.


Figure 2.4. ISO risk matrix

Risk Ranking Matrix. A risk matrix has been proposed for a revision of the IMO Guidelines on
Formal Safety Assessment to assist with hazard ranking. It uses a 7 x 4 matrix, reflecting the
greater potential variation for frequencies than for consequences.
The severity index (SI) is defined as shown in Figure 2.5.

SI | Severity | Effects on human safety | Effects on ship | S (fatalities)
--- | --- | --- | --- | ---
1 | Minor | Single or minor injuries | Local equipment damage | 0,01
2 | Significant | Multiple or severe injuries | Non-severe ship damage | 0,1
3 | Severe | Single fatality or multiple severe injuries | Severe casualty | 1
4 | Catastrophic | Multiple fatalities | Total loss | 10

Figure 2.5. Severity index

The frequency index (FI) is defined as shown in figure 2.6.

FI | Frequency | Definition | F (per ship year)
--- | --- | --- | ---
7 | Frequent | Likely to occur once per month on one ship | 10
5 | Reasonably probable | Likely to occur once per year in a fleet of 10 ships, or likely to occur several times during a ship's life | 0,1
3 | Remote | Likely to occur once per year in a fleet of 1000 ships, or 10% chance of occurring in the life of 4 similar ships | 10^-3
1 | Extremely remote | Likely to occur once in 100 years in a fleet of 1000 ships, or 1% chance of occurring in the life of 40 similar ships | 10^-5

Figure 2.6. Frequency index




Intermediate indices may be chosen if appropriate. Non-integer values may be used if more
specific data is available.
If risk is represented by the product frequency x consequence, then an index of log (risk) can be
obtained by adding the frequency and severity indices. This gives a risk index (RI) defined as:
RI = FI + SI
The risk index may be used to rank the hazards in order of priority for risk reduction effort. In
general, risk reduction options affecting hazards with higher RI are considered most desirable.
Strengths and Weaknesses. The strengths of the risk matrix approach are:
• It is easy to apply and requires few specialist skills, and for this reason it is attractive to
many project teams.
• It allows risks to people, property, environment and business to be treated consistently
(using the ISO approach).
• It allows hazards to be ranked in priority order for risk reduction effort.
However, there are several problems with this approach, which are less apparent:
• Many judgements are required on likelihood and consequence and unless properly
recorded the basis for risk decisions will be lost.
• The judgements must be consistent among different team members, which is difficult to
achieve whether qualitative or quantitative definitions are used.
• Where multiple outcomes are possible (e.g. a fall on a slippery deck, where the consequence can
range from nothing to a broken neck), it can be difficult to select the "correct"
consequence for the risk categorization. Many practitioners suggest using the more
pessimistic outcome (in this case: broken leg) and not a very rare worst case nor the
most likely trivial outcome.
• A risk matrix looks at hazards "one at a time" rather than in accumulation, whereas risk
decisions should really be based on the total risk of an activity. Potentially many smaller
risks can accumulate into an undesirably high total risk, but each smaller one on its own
might not warrant risk reduction. As a consequence, the risk matrix has the potential to
underestimate total risk by ignoring accumulation.
• A good test is to verify that borderline decisions on risk reduction as determined from the
matrix match current good maritime practice.
• Since the risk evaluation criteria are predefined, teams may (semi)consciously assign
risks into an adjacent less onerous risk category, as this reduces project costs. The study
leader must guard against this temptation.
• The lack of standardization may cause confusion.
Risk matrices are probably the most common approach used for risk assessment in marine
activities, as they are appropriate for people new to risk assessment, being straightforward to
apply and easy to understand. However, they suffer from several limitations, including
difficulties in dealing with multiple differing outcomes, consistency in application, transparency
of categorization decisions, and dealing with novel hazards.
The depth of treatment of a risk matrix is appropriate for many hazards, in particular:
• If the vessel / activity is well established with good operational experience
• If there is a good track record of safe operations
• If there are relatively few possible catastrophic outcomes and good experience to suggest
these are highly unlikely.
It is possible to use a risk matrix for smaller well-known hazards, while using more in-depth
analysis for novel hazards or a selection of major hazards.
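
The risk index arithmetic and the accumulation weakness described above, worked through as an added example that is not part of the course text. The offsets 6 and 3 are inferred from the F and S columns of the index tables; the hazard register and the screening cut-off SCREEN_AT are constructed for illustration.

```python
import math
from dataclasses import dataclass

# One index step per decade on both scales. The offsets are inferred from the
# page's tables (FI 7 <-> 10 per ship year, FI 5 <-> 0.1; SI 1 <-> 0.01
# fatalities, SI 3 <-> 1), so non-integer indices follow by interpolation.
FI_OFFSET = 6
SI_OFFSET = 3


@dataclass(frozen=True)
class Hazard:
    name: str
    f: float  # frequency F, events per ship year
    s: float  # severity S, equivalent fatalities per event


def frequency_index(f):
    return math.log10(f) + FI_OFFSET


def severity_index(s):
    return math.log10(s) + SI_OFFSET


def risk_index(h):
    """RI = FI + SI, i.e. log10(F * S) shifted by the two offsets."""
    return frequency_index(h.f) + severity_index(h.s)


def rank(hazards):
    """Highest RI first: the priority order for risk reduction effort."""
    return sorted(hazards, key=risk_index, reverse=True)


def accumulated_index(hazards):
    """RI of the summed risk (fatalities per ship year) of a group of hazards."""
    total = math.fsum(h.f * h.s for h in hazards)
    return math.log10(total) + FI_OFFSET + SI_OFFSET


def screened_out(hazards, threshold):
    """Hazards that a one-at-a-time screen at RI >= threshold would not act on."""
    return [h for h in hazards if risk_index(h) < threshold]


# Constructed hazard register (illustrative values, not from the course text).
REGISTER = [
    Hazard("Engine room fire", 2e-3, 1.0),
    Hazard("Mooring line snap-back", 0.03, 0.1),
    Hazard("Collision in port approach", 1e-5, 10.0),
] + [Hazard(f"Minor deck hazard {n}", 1e-2, 0.01) for n in range(1, 11)]

SCREEN_AT = 6.0  # hypothetical cut-off for individual risk reduction


if __name__ == "__main__":
    for h in rank(REGISTER):
        print(f"{risk_index(h):5.2f}  {h.name}")
    ignored = screened_out(REGISTER, SCREEN_AT)
    print(f"{len(ignored)} hazards below RI {SCREEN_AT}, "
          f"accumulated RI {accumulated_index(ignored):.2f}")
```

Each of the eleven screened-out hazards has RI 5, yet their summed risk corresponds to an index just above the cut-off, which is the accumulation effect a hazard-by-hazard matrix does not show.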


Assigning numeric scales. To move from qualitative to quantitative risk assessment, you can
assign a numeric scale and, by using a "traffic light" system (assigning red, amber or green
against pre-determined value ranges), break the risks into groups requiring different response
strategies. The red, amber, green designation is known as a RAG.
This table uses the same linear scale for both axes:

Figure 2.7. Numeric scale

Applying numeric scales to risk - linear. The next figure doubles the numeric value each time
on the impact scale. This is perhaps a more useful model as it gives more weight to risks with a
high impact. A risk with a low probability but a high impact is thus viewed as much more severe
than a risk with a high probability and a low impact. This avoids any averaging out of serious
risks.

Figure 2.8. Numeric scales to risk - linear

Applying numeric scales to risk - doubled. It is questionable whether the amber risks warrant
separate classification in terms of your response strategy and it is suggested that you examine
each in turn and either promote or demote them to red or green. This can be important in
assessing the overall level of risk especially if you opt for the straightforward linear scale in the
first table. This means particularly being clear about what you mean by a medium level of
probability. Once a risk is as likely to happen as not you should plan for it. The diagram below
shows the previous example with the amber risks demoted or promoted (here those risks with a
value of 10 or above have been promoted to red, below 10 demoted to green).

Figure 2.9. Numeric scales to risk - doubled

Applying numeric scales to risk - demoted/promoted. Cutting your risk categories down in this
way leaves you with two sets of risks requiring a response strategy:
Red risks = Unacceptable. We must spend time, money and effort on a response. This is likely
to be at the level of the individual risk.
Green risks = Acceptable. This does not mean they can be ignored. We will cover them by
means of contingency.
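
The scoring schemes described in this chapter, as an added example that is not part of the course text. The scale values (1 to 5 for probability and linear impact; 1, 2, 4, 8, 16 for doubled impact) and the amber band edges are assumptions, because the course figures are not reproduced here; only the promote/demote cut at 10 comes from the text.

```python
LEVELS = ["very low", "low", "medium", "high", "very high"]  # Table 2.1 scale

# Assumed numeric scales; the course figures did not survive on the page.
PROBABILITY = {lvl: n for n, lvl in enumerate(LEVELS, start=1)}   # 1, 2, 3, 4, 5
IMPACT_LINEAR = dict(PROBABILITY)                                  # 1, 2, 3, 4, 5
IMPACT_DOUBLED = {lvl: 2 ** n for n, lvl in enumerate(LEVELS)}     # 1, 2, 4, 8, 16

AMBER_FROM = 5   # hypothetical lower edge of the amber band
RED_FROM = 15    # hypothetical lower edge of the red band
CUT = 10         # from the text: amber >= 10 is promoted to red, below 10 demoted


def score(probability, impact, impact_scale):
    """Probability score multiplied by the impact score on the chosen scale."""
    return PROBABILITY[probability] * impact_scale[impact]


def rag(value):
    """Three-band red/amber/green classification of a score."""
    if value >= RED_FROM:
        return "red"
    if value >= AMBER_FROM:
        return "amber"
    return "green"


def two_band(value):
    """RAG with every amber score promoted to red or demoted to green."""
    band = rag(value)
    if band == "amber":
        return "red" if value >= CUT else "green"
    return band


def grid(impact_scale, classify):
    """Band of every (probability, impact) cell of the 5 x 5 matrix."""
    return {(p, i): classify(score(p, i, impact_scale))
            for p in LEVELS for i in LEVELS}


def count(impact_scale, classify, band):
    """Number of cells of the matrix that fall in the given band."""
    return sum(1 for b in grid(impact_scale, classify).values() if b == band)


def render(impact_scale, classify):
    """Text matrix: rows are probability (highest first), columns are impact."""
    rows = []
    for p in reversed(LEVELS):
        cells = " ".join(classify(score(p, i, impact_scale))[0].upper()
                         for i in LEVELS)
        rows.append(f"{p:>9}  {cells}")
    return "\n".join(rows)


if __name__ == "__main__":
    for label, scale in (("linear", IMPACT_LINEAR), ("doubled", IMPACT_DOUBLED)):
        print(f"\nImpact scale: {label}")
        print(render(scale, two_band))
```

On the linear scale a very-low-probability, very-high-impact risk and a very-high-probability, very-low-impact risk both score 5 and end up green; on the doubled scale the first scores 16 and is red while the second stays at 5.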



3. Hazard identification
To use a systematic method to determine risk levels, the Risk Assessment Process is applied.
This process consists of four basic steps:
• Hazard Identification
• Frequency Assessment
• Consequence Assessment, and
• Risk Evaluation
The level of information needed to make a decision varies widely. In some cases, after
identifying the hazards, qualitative methods of assessing frequency and consequence are
satisfactory to enable the risk evaluation. In other cases, a more detailed quantitative analysis is
required. The Risk
Assessment Process is illustrated in Figure 3.1, and the results possible from qualitative and
quantitative approaches are described.
There are many different analysis techniques and models that have been developed to aid in
conducting risk assessments. Some of these methods are summarized in Figure 3.2. A key to any
successful risk analysis is choosing the right method (or combination of methods) for the
situation at hand. For each step of the Risk Assessment Process, this chapter provides a brief
introduction to some of the analysis methods available and suggests risk analysis approaches to
support different types of decision making within the maritime and offshore industries.
It should be noted that some of these methods (or slight variations) can be used for more than
one step in the risk assessment process. For example, event tree analysis can be used for
frequency assessment as well as for consequence assessment.

Figure 3.1. The Risk Assessment Process


Figure 3.2. Overview of Risk Assessment Methods

Because hazards are the source of events that can lead to undesirable consequences, analyses to
understand risk exposures must begin by understanding the hazards present. Although hazard
identification seldom provides information directly needed for decision making, it is a critical
step.
Sometimes hazard identification is explicitly performed using structured techniques. Other times
(generally when the hazards of interest are well known), hazard identification is more of an
implicit step that is not systematically performed. Overall, hazard identification focuses a risk
analysis on key hazards of interest and the types of mishaps that these hazards may create. The
following are some of the commonly used techniques to identify hazards.
3.1. Hazard identification (HAZID) technique

HAZID is a general term used to describe an exercise whose goal is to identify hazards and
associated events that have the potential to result in a significant consequence. For example, a
HAZID of an offshore petroleum facility may be conducted to identify potential hazards which
could result in consequences to personnel (e.g., injuries and fatalities), the environment (oil spills
and pollution), and financial assets (e.g., production loss/delay). The HAZID technique can be
applied to all or part of a facility or vessel or it can be applied to analyze operational procedures.
Depending upon the system being evaluated and the resources available, the process used to
conduct a HAZID can vary.
Typically, the system being evaluated is divided into manageable parts, and a team is led through
a brainstorming session (often with the use of checklists) to identify potential hazards associated
with each part of the system. This process is usually performed with a team experienced in the
design and operation of the facility, and the hazards that are considered significant are prioritized
for further evaluation.
3.2. What-if analysis

What-if analysis is a brainstorming approach that uses broad, loosely structured questioning to
(1) postulate potential upsets that may result in mishaps or system performance problems and
(2) ensure that appropriate safeguards against those problems are in place.
This technique relies upon a team of experts brainstorming to generate a comprehensive review
and can be used for any activity or system.
What-if analysis generates qualitative descriptions of potential problems (in the form of
questions and responses) as well as lists of recommendations for preventing problems. It is
applicable for almost every type of analysis application, especially those dominated by relatively
simple failure scenarios.
It can occasionally be used alone, but most often is used to supplement other, more structured
techniques (especially checklist analysis).
Table 3.1 is an example of a portion of a what-if analysis of a vessel's compressed air system.

Summary of the What-if review of the vessel's compressed air system

What if ...? | Immediate System Condition | Ultimate Consequences | Safeguards | Recommendations
--- | --- | --- | --- | ---
1. The intake air filter begins to plug | Reduced air flow through the compressor affecting its performance | Inefficient compressor operation, leading to excessive energy use and possible compressor damage. Low/no air flow to equipment, leading to functional inefficiencies and possible outages | Pressure/vacuum gauge between the compressor and the intake filter. Annual replacement of the filter. Rain cap and screen at the air intake | Make checking the pressure gauge reading part of someone's daily rounds OR Replace the local gauge with a low pressure switch that alarms in a manned area
2. Someone leaves a drain valve open on the compressor discharge | High air flow rate through the open valve to the atmosphere | Low/no air flow to equipment, leading to functional inefficiencies and possible outages. Potential for personnel injury from escaping air and/or blown debris | Small drain line would divert only a portion of the air flow, but maintaining pressure would be difficult | _

Table 3.1. What-if Evaluation


3.3. Checklist analysis

Checklist analysis is a systematic evaluation against pre-established criteria in the form of one or
more checklists. It is applicable for high-level or detailed-level analysis and is used primarily to
provide structure for interviews, documentation reviews and field inspections of the system
being analyzed. The technique generates qualitative lists of conformance and nonconformance
determinations with recommendations for correcting non-conformances. Checklist analysis is
frequently used as a supplement to or integral part of another method (especially what-if
analysis) to address specific requirements.
Table 3.2 is an example of a portion of a checklist analysis of a vessel's compressed air system.

Responses to Checklist Questions for the Vessel's Compressed Air System

| Questions | Responses | Recommendations |
| --- | --- | --- |
| Piping | | |
| Have thermal relief valves been installed in piping runs where thermal expansion of trapped fluids would separate flanges or damage gaskets? | Not applicable | |
| ... | ... | ... |
| Cargo tanks | | |
| Is a vacuum relief system needed to protect the vessel's cargo tanks during liquid withdrawal? | Yes, the cargo tanks will be damaged if vacuum relief is not provided. A vacuum relief system is installed on each cargo tank | |
| ... | ... | ... |
| Compressors | | |
| Are air compressor intakes protected against contaminants? | Yes, except for intake of flammable gases. There is a nearby cargo tank vent | Consider routing the cargo tank vent to a different location |
| ... | ... | ... |

Table 3.2. Checklist Analysis


3.4. Hazard and Operability (HAZOP) analysis

The HAZOP analysis technique uses special guidewords to prompt an experienced group of
individuals to identify potential hazards or operability concerns relating to pieces of equipment
or systems. Guidewords describing potential deviations from design intent are created by
applying a predefined set of adjectives (e.g., high, low, no) to a predefined set of process
parameters (flow, pressure, composition, etc.). The group then brainstorms potential
consequences of these deviations and if a legitimate concern is identified, they ensure that
appropriate safeguards are in place to help prevent the deviation from occurring. This type of
analysis is generally used on a system level and generates primarily qualitative results, although
some simple quantification is possible. The primary use of the HAZOP methodology is
identification of safety hazards and operability problems of continuous process systems
(especially fluid and thermal systems). For example, this technique would be applicable for an
oil transfer system consisting of multiple pumps, tanks, and process lines.
The HAZOP analysis can also be used to review procedures and sequential operations. Table 3.3
is an example of a portion of a HAZOP analysis performed on a compressed air system onboard
a vessel.

Hazard and operability analysis of the vessel's compressed air system

| Item | Deviation | Causes | Mishaps | Safeguards | Recommendations |
| --- | --- | --- | --- | --- | --- |
| 1. Inlet Line for the Compressor | | | | | |
| 1.1 | High flow | | No mishaps of interest | | |
| 1.2 | Low/no flow | Plugging filter or piping (especially at air intake); Rainwater accumulation in the line and potential for freeze-up | Inefficient compressor operation, leading to excessive energy use and possible compressor damage; Low/no air flow to equipment and tools, leading to production inefficiencies and possibly outages | Pressure/vacuum gauge between the compressor and the intake filter; Periodic replacement of the filter; Rain cap and screen at the air intake | Make checking the pressure gauge reading part of someone's daily rounds OR Replace the local gauge with a low pressure switch that alarms in a manned area |
| 1.3 | Misdirected flow | No credible cause | | | |
| ... | ... | ... | ... | ... | ... |

Table 3.3. HAZOP analysis


3.5. Failure Modes and Effects Analysis (FMEA)

FMEA is an inductive reasoning approach that is best suited for reviews of mechanical and
electrical hardware systems. This technique is not appropriate to broader marine issues such as
harbor transit or overall vessel safety. The FMEA technique
(1) considers how the failure mode of each system component can result in system performance
problems and
(2) ensures that appropriate safeguards against such problems are in place.
This technique is applicable to any well-defined system, but the primary use is for reviews of
mechanical and electrical systems (e.g., fire suppression systems, vessel steering/propulsion
systems). It also is used as the basis for defining and optimizing planned maintenance for
equipment because the method systematically focuses directly and individually on equipment
failure modes. FMEA generates qualitative descriptions of potential performance problems
(failure modes, root causes, effects, and safeguards) and can be expanded to include quantitative
failure frequency and/or consequence estimates.

| Failure mode | Effects: Local | Effects: Higher level | Effects: End | Causes | Indications | Safeguards | Recommendations/Remarks |
| --- | --- | --- | --- | --- | --- | --- | --- |
| A. No start signal when the system pressure is low | Open control circuit | Low pressure and air flow in the system | Interruption of the systems supported by compressed air | Sensor failure or miscalibrated; Controller failure or set incorrectly; Wiring fault; Control circuit relay failure; Loss of power for the control circuit | Low pressure indicated on air receiver pressure gauge; Compressor not operating (but has power and no other obvious failure) | Rapid detection because of quick interruption of the supported systems | Consider a redundant compressor with separate controls; Calibrate sensors periodically in accordance with written procedure |
| B. No stop signal when the system pressure is high | ... | ... | ... | ... | ... | ... | ... |
| ... | ... | ... | ... | ... | ... | ... | ... |

Table 3.4. FMEA evaluation


3.6. Contribution of "Human Factors" issues

In any effort to identify hazards and assess their associated risks, there must be full consideration
of the interface between the human operators and the systems they operate. Human Factors
Engineering (HFE) issues can be integrated into the methods used to identify hazards, assess
risks, and determine the reliability of safety measures. For instance, hazard identification
guidewords have been developed to prompt a review team to consider human factor design
issues like access, control interfaces, etc.
An understanding of human psychology is essential in estimating the effectiveness of procedural
controls and emergency response systems.
Persons performing risk assessments need to be aware of the human factors impact, and training
for such persons can improve their ability to spot the potential for human contributions to risk.
Risk analysts can easily learn to spot the potential for human error any time human interaction is
an explicit mode of risk control. However, it is equally important to recognize human
contributions to risk when the human activity is implicit in the risk control measure. For
example, a risk assessment of a boiler would soon identify overpressure as a hazard that can
lead to risk of rupture and explosion. The risk assessment might conclude that the combination
of two pressure control measures will result in an acceptably low level of risk. The two measures
are: 1) have a high pressure alarm that will tell the operator to shut down the boiler and vent the
steam, and 2) provide an adequately sized pressure relief valve. The first risk control measure
involves explicit human interaction. Any such control measure should immediately trigger
evaluation of human error scenarios that could negate the effectiveness of the control measure.
The second risk control measure involves implicit human interaction (i.e., a functioning pressure
relief valve does not appear on the boiler all by itself but must be installed by maintenance
personnel).
A checklist of common errors or an audit of the management system for operator training are
examples of methods used to address the human error potential and ensure that it also is
controlled.
The purpose of any tool would be to identify the potential for error and identify how the error is
prevented. Does the operator know what the alarm means? Does he know how to shut down the
boiler? What if the overpressure event is one of a series of events (e.g. what if the operator has
five alarms sounding simultaneously)? Did the engineer properly size and specify the relief
valve? Was it installed correctly? Has it been tested or maintained to ensure its function? A
corollary to each of the above questions is required in the analysis: How do you know?
The answer to that last question is most often found in the management system, thus Human
Factors is the glue that ties risk assessment from a technology standpoint to risk assessment
from an overall quality management standpoint.


3.7. Frequency assessment methods

Analysis of Historical Data. The best way to assign a frequency to an event is to research
industry databases and locate good historical frequency data which relates to the event being
analyzed. Before applying historical frequency data, a thoughtful analysis of the data should be
performed to determine its applicability to the event being evaluated. The analyst needs to
consider the source of the data, the statistical quality of the data (reporting accuracy, size of data
set, etc.) and the relevance of the data to the event being analyzed. For example, transportation
data relating to helicopter crashes in the North Sea may not be directly applicable to Gulf of
Mexico operations due to significant differences in atmospheric conditions and the nature of
helicopter operating practices. In another case, frequency data for a certain type of vessel
navigation equipment failure may be found to be based on a very small sample of reported
failures, resulting in a number which is not statistically valid.
When good, applicable frequency data cannot be found, it may be necessary to estimate the
frequency of an event using one of the analytical methods described below.
Event Tree Analysis (ETA). Event tree analysis utilizes decision trees to graphically model the
possible outcomes of an initiating event capable of producing an end event of interest. This type
of analysis can provide
(1) qualitative descriptions of potential problems (combinations of events producing various
types of problems from initiating events) and
(2) quantitative estimates of event frequencies or likelihoods, which assist in demonstrating the
relative importance of various failure sequences.
Event tree analysis may be used to analyze almost any sequence of events, but is most effectively
used to address possible outcomes of initiating events for which multiple safeguards are in line
as protective features.
The following example event tree (Figure 3.3) illustrates the range of outcomes for a tanker
having redundant steering and propulsion systems. In this particular example, the tanker can be
steered using the redundant propulsion systems even if the vessel loses both steering systems.

Figure 3.3. Event Tree Analysis
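
The quantitative side of the event tree described above can be worked through in code. This is an added example, not part of the course text and not a reproduction of Figure 3.3: the branch names, the initiating frequency, the failure probabilities and the rule that steering by propulsion needs both propulsion systems are all assumptions made for illustration.

```python
from itertools import product

# Constructed values for illustration only; none of them come from Figure 3.3.
INITIATING_FREQ = 10.0  # initiating events per year (assumed)
SAFEGUARDS = [          # (branch heading, probability the system fails on demand)
    ("steering_A", 0.01),
    ("steering_B", 0.02),
    ("propulsion_A", 0.05),
    ("propulsion_B", 0.05),
]


def classify(state):
    """Map one path through the tree (system name -> works?) to an end event."""
    steering = state["steering_A"] or state["steering_B"]
    engines = state["propulsion_A"] + state["propulsion_B"]
    if engines == 0:
        return "adrift"                 # no propulsion, steering is irrelevant
    if steering:
        return "normal control"
    if engines == 2:
        return "steered by propulsion"  # assumed to need both propulsion systems
    return "loss of steering"


def event_tree(freq, safeguards):
    """Enumerate every success/failure path and its frequency.

    Branch probabilities are multiplied along the path, which assumes the
    branches are independent (no common cause failures).
    """
    paths = []
    for outcome in product([True, False], repeat=len(safeguards)):
        path_freq = freq
        state = {}
        for (name, p_fail), works in zip(safeguards, outcome):
            path_freq *= (1.0 - p_fail) if works else p_fail
            state[name] = works
        paths.append((state, path_freq, classify(state)))
    return paths


def outcome_frequencies(paths):
    """Sum path frequencies per end event."""
    totals = {}
    for _, path_freq, end_event in paths:
        totals[end_event] = totals.get(end_event, 0.0) + path_freq
    return totals


def dominant_path(paths, end_event):
    """Return the single most frequent path leading to the given end event."""
    candidates = [p for p in paths if p[2] == end_event]
    return max(candidates, key=lambda p: p[1])


if __name__ == "__main__":
    tree = event_tree(INITIATING_FREQ, SAFEGUARDS)
    for end_event, f in sorted(outcome_frequencies(tree).items(),
                               key=lambda kv: -kv[1]):
        print(f"{end_event:<22} {f:.6f} per year")
    state, f, _ = dominant_path(tree, "adrift")
    failed = [name for name, works in state.items() if not works]
    print("dominant 'adrift' sequence:", failed, f"{f:.6f} per year")
```

The end-event frequencies always sum to the initiating frequency, which is a quick consistency check on any hand-built event tree.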



Fault Tree Analysis (FTA). Fault Tree Analysis (FTA) is a deductive analysis that graphically
models (using Boolean logic) how logical relationships among equipment failures, human errors
and external events can combine to cause specific mishaps of interest. Similar to event tree
analysis, this type of analysis can provide
(1) qualitative descriptions of potential problems (combinations of events causing specific
problems of interest) and
(2) quantitative estimates of failure frequencies/likelihoods and the relative importance of
various failure sequences/contributing events. This methodology can also be applied to many
types of applications, but is most effectively used to analyze system failures caused by relatively
complex combinations of events.
The following example illustrates a very simple fault tree analysis of a loss of propulsion event
for a vessel (Figure 3.4).

Figure 3.4. Fault Tree Analysis


Common Cause Failure Analysis (CCFA). CCFA is a systematic approach for examining
sequences of events stemming from multiple failures that occur due to the same root cause. Since
these multiple failures or errors result from the same root causes, they can defeat multiple layers
of protection simultaneously.
Common Cause Failure Analysis has the following characteristics:
• Systematic, structured assessment relying on the analyst's experience and guidelines for
identifying potential dependencies among failure events to generate a comprehensive
review and ensure that appropriate safeguards against common cause failure events are in
place
• Used most commonly as a system-level analysis technique
• Primarily performed by an individual working with system experts through interviews
and field inspections
• Generates:
  - qualitative descriptions of possible dependencies among events
  - quantitative estimates of dependent failure frequencies/likelihoods
  - lists of recommendations for reducing dependencies among failure events
• Quality of the evaluation depends on the quality of the system documentation, the
training of the analyst and the experience of the subject matter experts (SMEs) assisting the analyst.
CCFA is used exclusively as a supplement to a broader analysis using another technique,
especially fault tree and event tree analyses. It is best suited for situations in which complex
combinations of errors/equipment failures are necessary for undesirable events to occur.
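
The Boolean logic of a fault tree, and the way a common cause defeats redundancy, can be shown together in a short program. This is an added example, not part of the course text and not a reproduction of Figure 3.4: the gate structure, the basic-event names and the probabilities are constructed for illustration.

```python
import math
from itertools import product

# Constructed basic-event probabilities per voyage (not taken from Figure 3.4).
P = {"engine_A_fails": 0.01, "engine_B_fails": 0.01,
     "contaminated_fuel": 0.001, "shaft_fails": 0.0001}


def AND(*children):
    return ("AND", children)


def OR(*children):
    return ("OR", children)


# Top event "loss of propulsion" for a vessel with two engines on one shaft.
INDEPENDENT = OR("shaft_fails", AND("engine_A_fails", "engine_B_fails"))
# Same tree, but each engine can also be stopped by one shared fuel supply.
WITH_COMMON_CAUSE = OR(
    "shaft_fails",
    AND(OR("engine_A_fails", "contaminated_fuel"),
        OR("engine_B_fails", "contaminated_fuel")))


def minimal_cut_sets(node):
    """Smallest sets of basic events whose joint occurrence causes the top event."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":    # any child's cut set is enough
        combined = set().union(*child_sets)
    else:               # AND: one cut set from every child must occur together
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    # Boolean absorption: drop every set that contains a smaller cut set.
    return {s for s in combined if not any(t < s for t in combined)}


def basic_events(node):
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[1]))


def occurs(node, state):
    """Evaluate the gate logic for one assignment of basic events."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    results = [occurs(c, state) for c in children]
    return any(results) if gate == "OR" else all(results)


def top_probability(node, p):
    """Exact top-event probability by enumerating all basic-event states."""
    events = sorted(basic_events(node))
    total = 0.0
    for values in product([False, True], repeat=len(events)):
        state = dict(zip(events, values))
        if occurs(node, state):
            weight = 1.0
            for e in events:
                weight *= p[e] if state[e] else 1.0 - p[e]
            total += weight
    return total


def rare_event_bound(cut_sets, p):
    """Upper bound used in hand calculations: sum of cut-set probabilities."""
    return sum(math.prod(p[e] for e in cs) for cs in cut_sets)


if __name__ == "__main__":
    for label, tree in (("independent", INDEPENDENT),
                        ("with common cause", WITH_COMMON_CAUSE)):
        cuts = minimal_cut_sets(tree)
        print(label, sorted(sorted(c) for c in cuts))
        print("  exact:", top_probability(tree, P),
              " bound:", rare_event_bound(cuts, P))
```

With these constructed numbers the shared fuel supply appears as a single-event cut set and raises the top-event probability about sixfold, even though each engine is unchanged.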
Human Reliability Analysis. Where human performance issues contribute to the likelihood of an
end event occurring, methods for estimating human reliability are needed. For instance, an event
tree could be constructed which includes a branch titled "Operator responds to alarm and takes
appropriate corrective action." In order to estimate a numerical frequency with which this occurs,
human reliability analysis can be applied.
One of the best known approaches for assessing human errors is Human Reliability Analysis.
Human reliability analysis is a general term for methods by which human errors can be
identified, and their probability estimated for those actions that can contribute to the scenario
being studied, be it personnel safety, loss of the system, environmental damage, etc. The estimate
can be either qualitative or quantitative, depending on the information available and the degree
of detail required.
Regardless of the approach used, the basic steps that an assessor would undertake for a human
reliability analysis would be the same. Figure 3.5, Human Reliability Analysis Process,
graphically depicts the steps and their order.
Given that high-risk scenarios have been identified during the risk assessment, these scenarios
would be re-examined as to the impact the individual could have while completing a task related
to the scenario. The assessor would then conduct some sort of task analysis to determine what an
individual would do to successfully complete the task.


Figure 3.5. Human Reliability Assessment Process

Once the successful steps were identified, then the assessor could determine what the person
might do wrong at each step to reach the undesirable result. Some examples of potential
problem areas are:
• Written procedures not complete or hard to understand
• Instrumentation inoperative or inadequate
• Lack of knowledge by the operator
• Conflicting priorities
• Labeling inadequacies
• Policy versus practice discrepancies
• Equipment not operating according to design specifications
• Communication difficulties
• Poor ergonomics
• Oral versus written procedures
• Making a repair or performing maintenance with a wrong tool
Each of the above situations increases the probability that an individual will err in the
performance of a task. This is important since the next stage in human reliability analysis is
assigning likelihood estimates to human errors. When examining each of the potential human
errors in the context of a scenario, the analysis must systematically look at each step and each
potential error identified. If there are a large number of potential errors, the assessor may decide
to conduct a preliminary screening to determine which errors are less or more likely to occur and
then choose to only assign values to the more likely errors. For determining likelihood, the
assessor can produce qualitative estimates (e.g., low, medium or high) or quantitative estimates
(e.g., 0.003) using existing human failure databases. From either, it can be determined what
individual errors are the most likely to cause an individual's performance to fall short of the
desired result. Upon reviewing the estimates, error reduction strategies can be developed to
minimize the frequency of human error. Minimizing the human error will also reduce the
likelihood of the overall scenario itself from occurring.
After the human reliability analysis is complete, the following information will be available:
• List of tasks
• List of potential errors
• Human error probabilities
• Error reduction strategies
• Information related to training and procedures
• Information related to safety management system
The listing of tasks relating to the scenario, the list of human errors and their probabilities, the
error reduction strategies and the other information generated as a part of the human reliability
study can all be integrated into the risk assessment study. The human reliability information
should also be used for defining risk reduction measures.

3.8. Consequence assessment methods

Consequence modeling typically involves the use of analytical models to predict the effect of a
particular event of concern. Examples of consequence models include source term models,
atmospheric dispersion models, blast and thermal radiation models, aquatic transport models and
mitigation models. Most consequence modeling today makes use of computerized analytical
models.
Use of these models in the performance of a risk assessment typically involves four activities:
• Characterizing the source of the material or energy associated with the hazard being
analyzed
• Measuring (through costly experiments) or estimating (using models and correlations)
the transport of the material and/or the propagation of the energy in the environment to
the target of interest
• Identifying the effects of the propagation of energy or material on the target of interest
• Quantifying the health, safety, environmental, or economic impacts on the target of
interest
Many sophisticated models and correlations have been developed for consequence analysis.
Millions of dollars have been spent researching the effects of exposure to toxic materials on the
health of animals. The effects are extrapolated to predict effects on human health. A considerable
empirical database exists on the effects of fires and explosions on structures and equipment, and
large, sophisticated experiments are sometimes performed to validate computer algorithms for
predicting the atmospheric dispersion of toxic materials. All of these resources can be used to
help predict the consequences of accidents. But, only those consequence assessment steps
needed to provide the information necessary for decision making should be performed.
The result from the consequence assessment step is an estimate of the statistically expected
exposure of the target population to the hazard of interest and the safety/health effects related to
that level of exposure.
The form of consequence estimate generated should be determined by the objectives and scope
of the study. Consequences are usually stated in the expected number of injuries or casualties or,
in some cases, exposure to certain levels of energy or material release. These estimates
customarily account for average meteorological conditions and population distribution and may
include mitigating factors, such as evacuation and sheltering. In some cases, simply assessing the
quantity of material or energy released will provide an adequate basis for decision making.
Like frequency estimates, consequence estimates may have very large uncertainties. Estimates
that vary by a factor of up to two orders of magnitude can result from (1) basic uncertainties in
chemical/physical properties, (2) differences in average versus time-dependent meteorological
conditions, and/or (3) modeling uncertainties.

3.9. Risk evaluation and presentation

Once the hazards and potential mishaps or events have been identified for a system or process,
and the frequencies and consequences associated with these events have been estimated, we are
able to evaluate the relative risks associated with the events. There are a variety of qualitative
and quantitative techniques used to do this.
Subjective Prioritization. Perhaps the simplest qualitative form of risk characterization is
subjective prioritization. In this technique, the analysis team identifies potential mishap scenarios
using structured hazard analysis techniques (e.g., HAZOP, FMEA). The analysis team
subjectively assigns each scenario a priority category based on the perceived level of risk.
Priority categories can be:
• Low, medium, high;
• Numerical assignments; or
• Priority levels.
Risk Categorization/Risk Matrix. Another method to characterize risk is categorization. In this
case, the analyst must
(1) define the likelihood and consequence categories to be used in evaluating each scenario
and
(2) define the level of risk associated with each likelihood/consequence category combination.
Frequency and consequence categories can be developed in a qualitative or quantitative manner.
Qualitative schemes (i.e., low, medium, or high) typically use qualitative criteria and examples
of each category to ensure consistent event classification. Multiple consequence classification
criteria may be required to address safety, environmental, operability and other types of
consequences. Table 3.5 and Table 3.6 provide examples of criteria for categorization of
consequences and likelihood.

| Category | Description | Definition |
| --- | --- | --- |
| 1 | Negligible | Passenger inconvenience, minor damage |
| 2 | Marginal | Marine injuries treated by first aid, significant damage not affecting seaworthiness |
| 3 | Critical | Reportable marine casualty |
| 4 | Catastrophic | Death, loss of vessel, serious marine incident |

Table 3.5. Consequence criteria

| Likelihood | Description |
| --- | --- |
| Low | The mishap scenario is considered highly unlikely. |
| Low to Medium | The mishap scenario is considered unlikely. It could happen, but it would be surprising if it did. |
| Medium to High | The mishap scenario might occur. It would not be too surprising if it did. |
| High | The mishap scenario has occurred in the past and/or is expected to occur in the future. |

Table 3.6. Likelihood criteria

Once assignment of consequences and likelihoods is complete, a risk matrix can be used as a
mechanism for assigning risk (and making risk acceptance decisions), using a risk categorization
approach. Each cell in the matrix corresponds to a specific combination of likelihood and
consequence and can be assigned a priority number or some other risk descriptor (as shown in
Figure 3.6). An organization must define the categories that it will use to score risks and, more
importantly, how it will prioritize and respond to the various levels of risks associated with cells
in the matrix.

Figure 3.6. Risk Matrix


Legend: A - Acceptable, M - Marginal, U - Unacceptable

Risk Sensitivity. When presenting quantitative risk assessment results, it is often desirable to
demonstrate the sensitivity of the risk estimates to changes in critical assumptions made within
the analysis. This can help illustrate the range of uncertainty associated with the exercise. Risk
sensitivity analyses can also be used to demonstrate the effectiveness of certain risk mitigation
approaches. For example, if by increasing inspection frequency on a piece of equipment, the
failure rate could be reduced, a sensitivity analysis could be used to demonstrate the difference in
estimated risk levels when inspection frequencies are varied.


4. Conducting a risk assessment

4.1. Set up of a risk analysis

If a risk or reliability assessment is to efficiently satisfy a particular need, the charter for the risk
assessment team must be well defined. Figure 4.1 contains the various elements of a risk
assessment charter. Defining these elements requires a clear understanding of the reason for the
study, a description of management's needs and an outline of the type of information required
for the study.
Sufficient flexibility must be built into the analysis scope, technical approach, schedule and
resources to accommodate later refinement of any undefined charter element(s) based on
knowledge gained during the study. The risk assessment team must understand and support the
analysis charter; otherwise a useless product may result.

Figure 4.1. Elements of a QRA Charter

Study Objective. An important and difficult task is concisely translating requirements into study
objectives. For example, if it is necessary to decide between two methods of storing a hazardous
chemical on a vessel, the analysis objective should precisely define that what is needed is the
relative difference between the methods, not the general "Determine the risk of these two storage
methods." Asking the risk assessment team for more than is necessary to satisfy the particular
need is counterproductive and can be expensive. For any risk assessment to efficiently produce
the necessary types of results, the requirements must be clearly communicated through
well-written objectives.
Scope. Establishing the physical and analytical boundaries for a risk assessment is also a difficult
task. The scope will often need to be proposed by the risk assessment team. Of the items listed in
Figure 4.1, selection of an appropriate level of detail is the scope element that is most crucial to
performing an efficient risk assessment. The risk assessment project team should be encouraged
to use approximate data and gross levels of resolution during the early stages of the risk
assessment. Once the project team determines the areas that are the large contributors to risk,
they can selectively apply more detailed effort to specific issues as the analysis progresses. This
strategy will help conserve analysis resources by focusing resources only on areas important to
developing improved risk understanding.
Management should review the boundary conditions and assumptions with the risk assessment
team during the course of the study and revise them as more is learned about key sensitivities. In
the end, the ability to effectively use risk assessment estimates will largely be determined by the
appreciation of important study assumptions and limitations resulting from scope definition.
Technical Approach. The risk assessment project team can select the appropriate technical
approach once the study objectives are specified, and together management and the team can
define the scope. The methodologies to be used to identify hazards and to estimate frequencies
and consequences should be defined. A variety of modeling techniques and general data sources
can be used to produce the desired results. Many computer programs are now available to aid in
calculating risk or reliability estimates, and many automatically give more answers than
needed. The planned output from the assessment activities should also be described. The risk
assessment team must take care to supply appropriate risk information that satisfies the study
objectives - and no more.
Independent peer reviews of the risk assessment results can be helpful by presenting alternate
viewpoints, and one should include outside experts (either consultants or personnel from another
vessel or facility) on the risk assessment review panel. A mechanism should be set up wherein
disputes between the risk assessment team members (e.g., technical arguments about safety
issues) can be surfaced and reconciled. All of these factors play an essential role in producing a
defendable, high-quality risk assessment. Once the risk assessment is complete, it is important to
formally document responses to any recommendations the project team's report contains.
Resources. Organizations can use risk assessments to study small-scale as well as large-scale
problems. For example, a risk assessment can be performed on a small part of a process, such as
a storage vessel.
Depending on the study objectives, a complete risk assessment (both frequency and consequence
estimates are made) could require as little as a few days to a few weeks of technical effort. On
the other hand, a major study to identify the hazards associated with a large process unit may
require 2 to 6 person-months of effort, and a complete risk assessment of that same unit may
require up to 1 to 3 person-years of effort.
If a risk assessment team is commissioned, it must be adequately staffed if it is to successfully
perform the work. An appropriate blend of engineering and scientific disciplines must be
assigned to the project. If the study involves an existing facility, operating and maintenance
personnel will play a crucial role in ensuring that the risk assessment models accurately represent
the real system. In addition to the risk analyst(s), a typical team may also require assistance from
a knowledgeable process engineer, a senior operator, a design engineer, an instrumentation
engineer, a chemist, a metallurgist, a maintenance foreman and/or an inspector. Unless a
company has significant in-house risk assessment experience, it may be faced with selecting
outside specialists to help perform the larger or more complex analyses. If contractors are used
extensively, the client should require that his knowledgeable technical personnel be an integral
part of the risk assessment team.


4.2. Selecting the right approach

There are literally hundreds of diverse risk analysis methods and tools, many of which are highly
applicable to the analysis of marine and offshore systems. Of course, a key to any successful risk
analysis is choosing the right method (or combination of methods) for the situation at hand. A
number of factors influence the choice of analysis approach.
Levels of Analysis. The goal of any risk analysis is to provide information that helps
stakeholders make more informed decisions whenever the potential for losses (e.g., mishaps or
shutdowns) is an important consideration. Thus, the whole process of performing a risk
assessment should focus on providing the type of loss exposure information that decision-makers
will need. The required types of information vary according to many factors, including the
following:
• The types of issues being evaluated
• The different stakeholders involved
• The significance of the risks
• The costs associated with controlling the risks
• The availability of information/data related to the issue being analyzed
Information needs determine how the analysis should be performed.
The goal is always to perform the minimum level of analysis necessary to provide information
that is just adequate for decision making. In other words, do as little analysis as possible to
develop the information that decision-makers need. Although not always obvious initially,
decision-makers can often make their decisions with risk information that is surprisingly limited
in detail and/or uncertain.
In other cases, very detailed risk assessment models with complicated quantitative risk
characterizations may be necessary. The key is to always begin analyses at as high (i.e., general)
a level as practical and to only perform more detailed evaluations in areas where the additional
analysis will significantly benefit the decision-makers.
More detailed analysis than is necessary not only does not benefit the decision-maker, but also
inappropriately uses time and financial resources that could have been spent implementing
solutions or analyzing other issues.
Figure 4.2 illustrates the concept of performing risk analyses through repetitious layers of
analysis. Each layer of analysis provides more detailed and certain loss exposure information,
but the resources invested in the analysis increase at each level. The filtering effect of each layer
allows only key issues to move into the next more detailed level of analysis. At any point,
sufficient information for decision making may be developed, and the analysis may end at that
level. (Not every level of analysis will be performed for every issue that arises.) In fact, most
issues will probably be resolved through risk/reliability screening analyses or broadly focused,
detailed analyses. At each level of analysis, the analysis may involve qualitative or quantitative
risk characterizations.
The following sections briefly describe each level of analysis.


Figure 4.2. Levels of Risk/Reliability Analysis

Hazard Identification. Because hazards are the source of events that lead to losses, analyses to
understand loss exposures must begin by understanding the hazards. All risk/reliability analyses
begin at this level (implicitly or explicitly). Analysts with little risk/reliability analysis
experience and some training can successfully perform these types of analyses.
Risk Screening Analysis. In most situations, there are hundreds or even thousands of ways that
losses may occur. Analyzing each of these possibilities individually in detail is not practical in
most instances. Risk screening analyses are high-level (i.e., very general) analyses that broadly
characterize risk levels and identify the most significant areas for further investigation.
Sometimes, this level of analysis is sufficient to provide all of the information that decision
makers need; however, more refined analysis of important issues identified through the risk
screening is most common.
Once the hazards are understood, risk screening should be the next step of any analysis.
Generally, analysts with a modest amount of risk analysis experience and some training can
successfully perform these types of analyses.
Broadly Focused, Detailed Analysis. When specific activities or systems are found to have
particularly significant or uncertain risks, broadly focused, detailed analyses are generally
employed. These analyses use structured tools for identifying the specific combinations of
human errors, equipment failures and external events that lead to consequences of interest. These
analyses may also use qualitative and/or quantitative risk characterizations to help identify the
most appropriate risk management strategies.
Most risk analyses performed are broadly focused, detailed analyses that primarily use
qualitative (or at most, quantitative categorization) risk characterizations. These analyses require
analysts with training and experience to be most effective. This level of analysis is the most
advanced that someone who does not specialize in risk/reliability analyses should attempt.
Narrowly Focused, Detailed Analysis. When the potential for specific human errors, equipment
failures, or external events is particularly significant or uncertain, more narrowly focused,
detailed analyses are performed. These analyses are used to dissect specific issues in great detail,
often involving highly quantitative risk characterizations.
This level of analysis, particularly highly quantitative applications, should be reserved for only
those applications truly demanding this level of information. Only analysts with special training
and some supervised experience should attempt this level of analysis.
Table 4.1 lists specific risk/reliability analysis methods and indicates the level(s) of analysis for
which each method is most prominently used. Of course, many other risk/reliability analysis
tools exist that could be useful for particular applications.
4.3. Key factors in selecting methods

Motivation for analysis. This consideration should be the most important to every analyst.
Performing a risk analysis without understanding its motivation and without having a
well-defined purpose is likely to waste valuable resources. A number of issues can shape the purpose
of a given analysis. For example:
• What is the primary reason for performing the analysis?
• Is the analysis performed as a result of a required policy?
• Are insights needed to make risk-based decisions concerning the design or improvement
of an operation or system?
• Does the analysis satisfy a regulatory, legal or stakeholder requirement?
Individuals responsible for selecting the most appropriate technique and assembling the
necessary human, technical and physical resources must be provided with a well-defined, written
purpose so that they can efficiently execute the objectives of the analysis.
Types of results needed. The types of results needed are important factors in choosing an
analysis technique. Depending on the motivation for the risk analysis, a variety of results could
be needed to satisfy the study's charter.
Defining the specific type of information needed to satisfy the objective of the analysis is an
important part of selecting the most appropriate analysis technique. The following five categories
of information can be produced from most risk analyses:
• List of potential problem areas
• List of how these problems occur (i.e., failure modes, causes, sequence)
• List of alternatives for reducing the potential for these problems
• List of areas needing further analysis and/or input for a quantitative risk analysis
• Prioritization of results



Applicability to various levels of Hazard/Risk analysis
Columns: Hazard/Risk analysis method; Hazard identification; Hazard/Risk screening; Broadly
Focused, Detailed Analysis; Narrowly Focused, Detailed Analysis
Hazard/Risk analysis methods:
• Preliminary hazard analysis
• Preliminary risk analysis
• What-if/checklist analysis
• Failure modes and effects analysis
• Hazard and operability analysis
• Fault tree analysis
• Event tree analysis
• Relative ranking
• Coarse risk analysis
• Pareto analysis
• Change analysis
• Common cause failure analysis
• Human error analysis

Table 4.1. List of Risk Analysis Methods

Some risk analysis techniques are used solely to identify the critical problem areas associated
with a specific activity or system. If that is the only purpose of the analysis, select a technique
that provides a list or a screening of areas of the activity/system possessing the potential for
some performance problems.
Nearly all of the analysis techniques provide lists of how these problems occur and possible risk
reduction alternatives (i.e., action items). Several of the techniques also prioritize the action
items based on the team's perception of the level of risk associated with the action item.
Types of information available. Two primary conditions define what information is available to
the analysis team:
(1) the current stage of the activity or system at the time of the analysis and
(2) the quality of the documentation and how current it is.
The first condition is generally fixed for any analysis. The stage of life establishes the practical
limit of detailed information available to the analysis team. For example, if a risk analysis is to
be performed on a proposed marine activity, it is unlikely that an organization will have already
produced detailed descriptions of the activity and documented procedures and/or design
drawings for the proposed activity. Thus, if the analyst must choose between the HAZOP
analysis and What-If analysis, this phase-of-life factor would dictate a less-detailed analysis
technique (What-If analysis).
The second condition deals with the quality of the existing documentation and how current it is.
For a risk analysis of an existing activity or system, analysts may find that the design drawings
are not up to date or do not exist in a suitable form. Using any analysis technique with
out-of-date information is not only futile, it is a waste of time and resources. Thus, if all other factors
point to using a specific technique for the proposed analysis that requires such information, then
the analysts should request that the information be updated before the analysis is performed.



Complexity and size of analysis. Some techniques get bogged down when used to analyze
extremely complicated problems. The complexity and size of a problem are functions of the
number of activities or systems, the number of pieces of equipment, the number of operating
steps and the number and types of events being analyzed. For most analysis techniques,
considering a larger number of equipment items or operating steps will linearly increase the time
and effort needed to perform a study. For example, using the FMEA technique will generally
take five times more effort for a system containing 100 equipment items than for a system
containing 20 items. Thus, the types and number of events and effects being evaluated are
proportional to the effort required to perform a risk analysis.
Type of activity/system. Many techniques can be used for almost any marine or offshore system,
or combinations thereof.
However, certain techniques are better suited for particular systems than others. For example, the
FMEA approach has a well-deserved reputation for efficiently analyzing electronic and computer
systems, whereas the HAZOP analysis approach is typically applied to fluid transport or
processing systems.
The type of operation, for example (1) a fixed facility (e.g., offshore production platform,
marine loading facility) or a transportation system (e.g., transiting vessel), (2) permanent,
transient (e.g., one-time operation) or temporary, or (3) continuous, semi-batch or batch, can
also affect the selection of techniques.
The permanency of the activity or system affects the methodology selected in the following way.
If all other factors are equal, analysts may use a more detailed, exhaustive approach if they know
that the subject process will operate continuously over a long period of time. The more detailed,
and perhaps better documented, analysis of a permanent operation could be used to support other
needed activities (e.g., safety programs, employee training programs). On the other hand,
analysts may choose a less extensive technique if the subject activity is a one-time operation. For
instance, an analyst may be better served using the checklist technique to evaluate a one-time
maintenance activity.
Type of loss event targeted. Organizations tend to use more systematic techniques for those
systems that they believe pose higher risk (or, at least, for situations in which failures are
expected to have severe consequences). Thus, the greater the perceived risk of the activity, the
more important it is to use techniques that minimize the chance of missing an important potential
problem.
4.4. Selecting an approach

Table 4.2 summarizes the risk analysis methods and key characteristics that differentiate the
various methods. The information is summarized in a format to assist in selecting the appropriate
techniques for specific applications.
Often, an assessment is conducted in phases, and it is only necessary to specify the methods to be
used for hazard identification and high-level risk screening analysis to begin the study. As the
scope of more detailed or focused analyses identified during risk screening becomes clear, the
methods for conducting these detailed analyses can be selected.



Preliminary hazard analysis (PrHA)
Summary of method: The PrHA technique is a broad, initial study that focuses on identifying
apparent hazards, assessing the severity of potential mishaps that could occur involving the
hazards, and identifying means (safeguards) for reducing the risks associated with the hazards.
This technique focuses on identifying weaknesses early in the life of a system, thus saving time
and money which might be required for major redesign if the hazards are discovered at a later
date.
More common uses: Most often conducted early in the development of an activity or system
where there is little detailed information or operating procedures, and is often a precursor to
further hazard/risk analyses. Primarily used for hazard identification and ranking in any type
of system/process.

Preliminary risk analysis (PRA)
Summary of method: PRA is a streamlined mishap-based risk assessment approach. The primary
objective of the technique is to characterize the risk associated with significant loss
scenarios. This team-based approach relies on subject matter experts systematically examining
the issues. The evaluator postulates combinations of mishaps, most significant contributors to
losses and safeguards. The analysis also characterizes the risk of the mishaps and identifies
recommendations for reducing risk.
More common uses: Primarily used for generating risk profiles across a broad range of
activities.

What-if/checklist analysis
Summary of method: What-if analysis is a brainstorming approach that uses loosely structured
questioning to postulate potential upsets that may result in mishaps or system performance
problems and to ensure that appropriate safeguards against those problems are in place.
Checklist analysis is a systematic evaluation against preestablished criteria in the form of
one or more checklists.
More common uses: Generally applicable to any type of system, process or activity (especially
when pertinent checklists of loss prevention requirements or best practices exist). Most often
used when the use of other more systematic methods is not practical.

Failure modes and effects analyses (FMEA)
Summary of method: FMEA is an inductive reasoning approach that is best suited to reviews of
mechanical and electrical hardware systems. The FMEA technique considers how the failure modes
of each system performance problems and ensures that appropriate safeguards against such
problems are in place. A quantitative version of FMEA is known as failure modes, effects and
criticality analysis (FMECA).
More common uses: Primarily used for reviews of mechanical and electrical systems. Often used
to develop and optimize planned maintenance and equipment inspection plans. Sometimes used to
gather information for troubleshooting systems.

Hazard and operability (HAZOP) analysis
Summary of method: The HAZOP analysis technique is an inductive approach that uses a systematic
process (using special guide words) for postulating deviations from design intents for sections
of systems and ensuring that appropriate safeguards are in place to help prevent system
performance problems.
More common uses: Primarily used for identifying safety hazards and operability problems of
continuous process systems. Also used to review procedures and other sequential operations.



Fault tree analysis (FTA)
Summary of method: FTA is a deductive analysis technique that graphically models how logical
relationships between equipment failures, human errors and external events can combine to cause
specific mishaps of interest.
More common uses: Generally applicable for almost every type of analysis application, but most
effectively used to address the fundamental causes of specific system failures dominated by
relatively complex combinations of events. Often used for complex electronic, control or
communication systems.

Event tree analysis (ETA)
Summary of method: ETA is an inductive analysis technique that graphically models the possible
outcomes of an initiating event capable of producing a mishap of interest.
More common uses: Generally applicable for almost every type of analysis application, but most
effectively used to address possible outcomes of initiating events for which multiple
safeguards are in place as protective features. Often used for analysis of vessel movement
mishaps and propagation of fire/explosions or toxic releases.

Relative ranking/risk indexing
Summary of method: Relative ranking/risk indexing uses attributes of a vessel, shore facility,
port or waterway to calculate index numbers that are useful for making relative comparisons of
various alternatives.
More common uses: Generally applicable to any type of analysis situation as long as a pertinent
scoring tool exists.

Coarse risk analysis (CRA)
Summary of method: CRA uses operations/evolutions and associated functions for accomplishing
those operations/evolutions to describe the activities of a type of vessel or shore facility.
Then, possible deviations in carrying out functions are postulated and evaluated to characterize
the risk of possible mishaps, to generate risk profiles in a number of formats and to recommend
appropriate risk mitigation actions.
More common uses: Primarily used to analyze the broad range of operations/evolutions associated
with a specific class of vessel. Especially useful when risk-based information is sought to
optimize field inspections.

Pareto analysis
Summary of method: Pareto analysis is a prioritization technique based solely on historical
data that identifies the most significant items among many. This technique employs the rule
which states that around 80 percent of the problems are produced by around 20 percent of the
causes.
More common uses: Generally applicable to any type of system, process or activity. Most often
used to broadly characterize the most important risk contributors for more detailed analysis.



Root cause analysis (Event charting, 5 Whys technique, Root Cause Map)
Summary of method: Root cause analysis uses one or a combination of analysis tools to
systematically dissect how a mishap occurred. Then, the analysis continues to discover the
underlying root causes of the key contributors to the mishap and to make recommendations for
correcting the root causes.
More common uses: Generally applicable to the investigation of any mishap or some identified
deficiency in the field. Event charting is most commonly used when the loss scenario is
relatively complicated, involving a significant chain of events and/or a number of underlying
root causes. 5 Whys is most commonly used for more straightforward loss scenarios. Root Cause
Map is used in conjunction with any root cause analysis to challenge analysts to consider a
range of possible root causes.

Change analysis
Summary of method: Change analysis systematically looks for possible risk impacts and
appropriate risk management strategies in situations in which change is occurring.
More common uses: Generally applicable to any situation in which change from normal
configuration/operations/activities is likely to significantly affect risks. Can be used as an
effective root cause analysis method as well as a predictive hazard/risk analysis method.

Common cause failure analysis (CCFA)
Summary of method: CCFA is a specialized approach for systematically examining sequences of
events stemming from the conduct of activities and/or operation of physical systems that cause
multiple failures/errors to occur from the same root causes, thus defeating multiple layers of
protection simultaneously.
More common uses: Exclusively used as a supplement to a broader analysis using another
technique, especially fault tree and event tree analyses. Best suited for situations in which
complex combinations of errors/equipment failures are necessary for undesirable events to occur.



Human error analysis (Error-likely situation analysis, Walkthrough analysis, Guide word
analysis, Human reliability analysis)
Summary of method: Human error analysis involves a range of analysis methods from simple human
factors checklist through more systematic analyses of human actions to more sophisticated human
reliability analyses. These tools focus on identifying and correcting error-likely situations
that set people up to make mistakes that lead to mishaps.
More common uses: Error-likely situation analysis is the simplest approach and is used as a
basic level of analysis for human factors issues. Walkthrough and guide word analyses are used
for more systematic analyses of individual procedures. Human reliability analysis is used for
special applications in which detailed quantification of human reliability performance is
needed.

Table 4.2. Overview of widely recognized risk analysis methods
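
The fault tree and common cause failure entries of Table 4.2 can be made concrete with a small calculation. The following is an added example, not part of the course text: the tree, the event names and the probabilities are constructed for illustration and assume independent basic events. It derives the minimal cut sets of a two-pump arrangement with a shared power supply and compares the exact top-event probability with a gate-by-gate estimate that ignores the shared event.

```python
from itertools import product

# Constructed fault tree (illustrative only). A gate is (kind, [children]);
# a plain string is a basic event. Top event: both pumps unavailable.
TREE = ("AND", [
    ("OR", ["pump_a_fails", "shared_power_lost"]),
    ("OR", ["pump_b_fails", "shared_power_lost"]),
])

# Constructed per-demand probabilities of the basic events.
PROB = {"pump_a_fails": 0.05, "pump_b_fails": 0.05, "shared_power_lost": 0.01}


def occurs(node, state):
    """Evaluate the tree for one assignment of basic events (name -> bool)."""
    if isinstance(node, str):
        return state[node]
    kind, children = node
    results = [occurs(child, state) for child in children]
    return all(results) if kind == "AND" else any(results)


def basic_events(node):
    """Collect the names of all basic events below a node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(child) for child in node[1]))


def cut_sets(node):
    """Return every cut set (not yet minimal) as a set of frozensets."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind, children = node
    child_sets = [cut_sets(child) for child in children]
    if kind == "OR":
        return set().union(*child_sets)
    combined = {frozenset()}          # AND: one cut set from each child
    for sets in child_sets:
        combined = {a | b for a in combined for b in sets}
    return combined


def minimal_cut_sets(node):
    """Drop every cut set that strictly contains another cut set."""
    sets = cut_sets(node)
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def exact_probability(node, prob):
    """Sum the probability of every basic-event state that causes the top event."""
    names = sorted(basic_events(node))
    total = 0.0
    for values in product([False, True], repeat=len(names)):
        state = dict(zip(names, values))
        if occurs(node, state):
            weight = 1.0
            for name in names:
                weight *= prob[name] if state[name] else 1 - prob[name]
            total += weight
    return total


def naive_probability(node, prob):
    """Gate-by-gate estimate that wrongly treats all branches as independent."""
    if isinstance(node, str):
        return prob[node]
    kind, children = node
    values = [naive_probability(child, prob) for child in children]
    result = 1.0
    if kind == "AND":
        for p in values:
            result *= p
        return result
    for p in values:
        result *= 1 - p
    return 1 - result


if __name__ == "__main__":
    for cut in minimal_cut_sets(TREE):
        print("minimal cut set:", sorted(cut))
    print("exact top-event probability:", round(exact_probability(TREE, PROB), 6))
    print("naive (independent branches):", round(naive_probability(TREE, PROB), 6))
```

The single-event cut set is the common cause: loss of the shared supply defeats both pumps at once, which is why the estimate that treats the two branches as independent understates the top-event probability.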

4.5. Conducting the assessment and follow-up

Once an assessment has been chartered and an approach selected, the risk assessment team can
begin the study effort. The team should follow the approach defined in the charter, and should
arrange for periodic reviews with involved personnel (technical and operations) and
management.
It is critical that the boundaries and conditions set forth in the charter be honored by the team as
the study progresses. If the team determines that changes need to be made to the documented
approach, recommendations should be made to management, and the agreed changes should be
documented.
Periodic reviews are essential to ensure effective transmittal of data and review of the
assumptions and methods used by the risk analysts. The organization must identify a focal point
or focal points who are responsible for coordinating the transmittal of data and review of the
assumptions and techniques applied by the risk analysts and/or risk assessment team. Time must
be allocated for these focal points to conduct this most critical task. If adequate involvement is
not obtained, it is the responsibility of the risk analysts to make the personnel aware of the
potential impact on study validity and/or schedule.
Adequate management reviews should be defined in the charter and conducted throughout the
assessment process. For short studies, it will be adequate to conduct management reviews only at
the times of chartering and presenting results. For longer studies, intermediate management
reviews should be scheduled to review results of various phases of the assessment and to agree
on the path forward based on preliminary findings. The chartering document should be modified
to reflect any agreed changes to study boundaries or approach which arise from these reviews.
Quality reviews should be conducted within the risk analysts' organization to assure that the
study process and deliverables meet established quality criteria. Any shortfalls should be
promptly addressed to assure a high quality service is provided. In some cases, quality programs
may also impact the study. It is important that quality process impacts are identified in the
chartering phase so that they can be incorporated into the study plan and schedule.
Upon conclusion of the risk assessment, final results, conclusions and recommendations should
be documented and approved by the organization.
After a risk assessment is concluded, and the results are documented and approved, appropriate
management takes ownership of the study results. It is critical that the organization address all
approved recommendations and document the actions taken. Failure to document these actions
will result in an incomplete paper trail which will make it difficult or impossible for the
organization to understand how the results were interpreted and applied at a later date. Failure to
document follow-up actions can also create legal exposures in the event that an incident occurs
within the operation which was studied.
It is also the responsibility of the management to communicate the results of the risk study with
the appropriate parties. In more and more cases, it is becoming a regulatory requirement to
communicate known hazards and risk assessment results with personnel and the public
associated with an operation.
In any case, open communication of these results will improve understanding of the operation
and its associated risks. This improved understanding has the potential to improve the
operation's safety and financial performance as a result of more effective implementation of
study recommendations, fewer human errors, improved designs and operating methods, and more
risk-informed decision making.

4.6. Risk assessment limitations and potential problems

In any decision-making process, there is a tension between (1) the desire for more/better
information and (2) the practicality of improving the information. Even with extraordinary
investment in data collection, significant uncertainty generally remains. So, throughout a
decision-making process, the decision makers and those supplying information must work
together to ensure that efforts to improve data collection (including risk analyses) are only
carried out to an extent proportional to the value of the more refined data obtained through those
efforts. This is why analysts should never jump to highly refined analysis tools without first
trying to satisfy decision-making needs with simpler tools.
Because dealing with uncertainty is inherent in any decision-making process, those involved in
decision making (directly or indirectly) must be aware of the most common sources of
uncertainty: model uncertainty and data uncertainty.
Model uncertainty. The models used in both the overall decision-making framework and in
specific analyses that support decision making (e.g., risk analyses) will never be perfect. The
level of detail in models and defined scope limitations will determine how accurately the model
reflects reality. Often, relatively simple models focusing on the issues that the stakeholders agree
to be most important suffice for decision making. Even if the data were perfect, the model used
would generally introduce some uncertainty into the results.
Data uncertainty. Data uncertainty is an issue that raises much concern during decision making
and can arise from any or all of the following:
• The data needed does not exist
• The analysts do not know where to collect or do not have the resources to collect the
needed data
• The quality of the data is suspect (generally because of the methods used to catalog the
data)
• The data have significant natural variability, making use of the data complex
Although steps can be taken to minimize uncertainty in data, all measurements (i.e., data) have
uncertainty associated with them.
There are a number of things that can go wrong when applying risk assessment techniques. It is
critical that those leading the study are experienced in conducting risk assessments and can steer
the effort to success. Typical problems which can be encountered when conducting risk
assessments include:
• Inadequately defining analysis scope and objectives
• Using quantitative methods where qualitative approaches would suffice
• Overworking the problem. Analyzing more cases and using more complicated models
than needed to produce the information needed for a decision
• Selecting inappropriate analysis techniques
• Using inexperienced or incompetent practitioners
• Choosing absolute results when relative results would suffice
• Not providing sufficient resources
• Not providing for sufficient data input and review by the organization
• Having unrealistic expectations
• Being overly conservative
• Failing to acknowledge the importance of the analysis assumptions and limitations
• Misapplying the results. Results will be operation-specific, and it is often difficult to
apply risk assessment results to other related operations
Recognizing potential pitfalls up front will improve the likelihood of success through effective
chartering and management of the study.



5. Hazards and safety regulations for offshore oil and gas systems

In an ideal world, rules and standards developed to regulate a new industry would be the result of
a systematic evaluation of the hazards and concerns associated with that industry. The potential
risks to be encountered by operators, owners, the public and other impacted groups would be
carefully evaluated, as well as the risks imposed on the natural environment. Following thorough
assessments of risks, a comprehensive and workable set of rules and standards could be
developed which would protect all of the people and natural systems exposed to the new
industry.
In reality, however, rules and standards have seldom been developed in this fashion. At the onset
of an industry's development, the knowledge base does not exist to predict what types of rules
will be needed. Typically, initial regulations and codes are developed to meet the most pressing
needs of the industry and governments involved to enable the new industry to get started.
Requirements usually increase over time in response to events that occur in the industry.
Accidents, environmental incidents and commercial or legal difficulties point to chinks in the
protective armor provided by regulations, and regulators and industry groups rush to fill the gaps
with additional requirements.
This cumulative adding on of requirements accurately describes regulatory development for
the oil and gas industry in most countries and for the marine industry. However, with the
emergence of the nuclear industry in the mid-1900s, more systematic approaches to industrial
regulation were developed. Due to the huge perceived risks associated with accidents in the
nuclear industry, it was acknowledged that more predictive methodologies must be used to set
standards for the industry prior to wide-scale development of nuclear facilities. The potential
consequences associated with nuclear incidents were too great to allow operators and regulators
to learn from their mistakes. Many of the predictive risk assessment techniques applied within
the marine and oil and gas industries today originated from the nuclear industry.
5.1. Major hazards of offshore oil and gas production

Offshore oil and gas production systems present a unique combination of equipment and
conditions not observed in any other industry. Although there are few aspects of the industry
which are completely new or novel, the application in an offshore environment can result in new
potential hazards which must be identified and controlled.
Much of the oil and gas processing equipment which is utilized on offshore facilities is similar to
the equipment used onshore for oil production activities or in chemical process plants. Therefore,
many of the hazards associated with the process equipment are well known. However, the
inherent space constraints on offshore structures have resulted in the application of some new
process equipment, and, more importantly, make it difficult to mitigate hazards by separating
equipment, personnel and hazardous materials. Due to the facilities' remote locations, personnel
who operate or service offshore facilities typically live and work offshore for extended periods
of time. In many ways, these aspects of offshore operations are similar to those found in the
shipping industry. However, the operations that take place on offshore oil and gas production are
different than those which take place on trading ships.
Another difference between offshore and onshore oil and gas production is the relative
complexity of drilling and construction activities, which contribute significantly to the risk
picture. Due to the remoteness of most offshore facilities and the challenges presented by a
marine environment, drilling and construction projects are typically major undertakings which
require the use of large and expensive marine vessels (drill ships, derrick barges, supply vessels,
diver-support vessels, etc.).
These non-routine operations dramatically increase the number of persons onboard a facility and
the level of marine activity, material handling and other support activities over more routine
production activities.
Transportation of personnel and materials to and from the offshore locations presents a significant
risk element: helicopter transport, marine transport and loading and unloading operations are a
routine part of offshore life.
The design of offshore facilities, whether multi-deck platforms above the water or floating
systems, can expose personnel to falling and drowning hazards which are not encountered onshore.
In addition to the factors described above, the fact that offshore facilities typically have higher
concentrations of manpower, higher operating costs and revenues, and higher initial capital
investments than their onshore counterparts makes them an obvious place to apply risk
assessment and risk reduction measures.
The hazards associated with offshore production facilities can be categorized in different ways,
but are often grouped by operation. This grouping mirrors the way the supporting engineers,
operators and support personnel are grouped within the organization, since these organizational
entities are responsible for identifying and understanding potential hazards and addressing them
during design, construction and operation of the facilities.
Some of the major potential hazards associated with offshore operations are listed below.
• Production Operations
  o Topside Production Facilities and Pipelines
    ▪ Equipment-related Hazards:
      - Rotating equipment hazards
      - Electrical equipment hazards
      - Lifting equipment hazards
      - Defective equipment
      - Impact by foreign objects
    ▪ Process-related Hazards:
      - High pressure liquids and gas
      - Hydrocarbons under pressure
      - Temperature (High or very low)
      - Hydrocarbons and other flammable materials
      - Toxic substances
      - Storage of flammable or hazardous materials
      - Internal erosion/corrosion
      - Seal or containment failures
      - Production upsets or deviations
      - Vent and flare conditions
      - Ignition sources
      - Process control failures
      - Operator error
      - Safety system failures
      - Pyrophoric materials
    ▪ Well-related Hazards:
      - Pressure containment
      - Unexpected fluid characteristics (sand, etc.)
      - Well-servicing activities
      - Proximity of wells to other wells and facilities
    ▪ Environmental Hazards:
      - Corrosive atmosphere
      - Sea conditions
      - Severe Weather (storms, hurricanes, etc.)
      - Earthquakes or other natural disaster
    ▪ Material Handling, Air and Marine Transport
  o Personnel Quarters
    ▪ External Hazards:
      - Gas releases
      - Fires
      - Dropped objects
    ▪ Internal Hazards:
      - Flammable materials/internal fires
      - Toxic construction materials
      - Inadequate escape routes and lifesaving equipment
      - Emergency system failures
      - Bacterial hazards
      - Drinking water supply
      - Food preparation and delivery
      - Living conditions
      - Waste disposal
      - Security hazards
  o Personnel Safety
• Drilling Operations
  o Rig Operations
    ▪ Well control
    ▪ Tubular handling
    ▪ Lifting operations
  o Air and Marine Transport
    ▪ Vessel approach and docking or mooring procedures
    ▪ Sea and atmosphere conditions
    ▪ Severe weather
    ▪ Vessel failures
    ▪ Diving operations
  o Materials Handling
    ▪ Rig transfers
    ▪ Crane operations
    ▪ Storage of drilling equipment and supplies
    ▪ Chemical/flammable storage
    ▪ Radioactive sources
    ▪ Explosives
  o Personnel Safety
• Construction and Maintenance Operations
  o Marine Transport
    ▪ Vessel traffic and mooring
    ▪ Sea conditions
    ▪ Vessel failures
    ▪ Diving operations
  o Materials and Equipment Handling
    ▪ Crane and lifting operations
    ▪ Elevated objects
    ▪ Storage of equipment and supplies
    ▪ Chemical/flammable storage
    ▪ Static electricity
    ▪ Radioactive sources
    ▪ Respiratory hazards (exhaust, chemicals, confined spaces, etc.)
    ▪ Active or stored energy sources (electrical and mechanical)
  o Simultaneous Activities
    ▪ Release of flammable hydrocarbons
    ▪ Hot work (Welding, grinding, cutting)
    ▪ Proximity of other operations
  o Personnel Safety
    ▪ Inadequate personnel protective equipment
    ▪ Improper use of equipment
    ▪ Slipping and tripping hazards
    ▪ Working at heights
    ▪ Friction, sparks or flames
    ▪ Drugs and alcohol
    ▪ Exposure to weather
    ▪ Fatigue
    ▪ Housekeeping
    ▪ Living conditions
    ▪ Waste disposal
This listing of hazards is not meant to be all-inclusive, but is provided to give the reader an
understanding of the types of hazards encountered offshore. Listings such as this or more
specific and detailed listings can be used in hazard identification exercises.
The potential hazards described, if not properly controlled, can lead to undesirable and hazardous
events. The most severe consequences of these events could include:
• Personnel injury
• Loss of life
• Impact on public
• Environmental impact
• Loss of facilities and equipment damage
• Loss of production
• Impact on associated operations
• Impact on corporate reputation
It is to prevent these types of consequences that regulations have been developed and
corporations have established internal standards and controls. Through the application of risk
assessment approaches, the risks associated with offshore hazards can be better understood and
regulations and controls can be continuously improved.
5.2. Nationally developed offshore oil and gas regulations

The U.S. was an early leader in the development of codes and regulations governing oil and gas
development. In more recent years, the U.K. has emerged as a leader in developing
performance-oriented requirements. The tables below are not all-inclusive, but summarize the progression of
regulatory development in several key nations. It can be seen that the U.K. has been the most
active in recent years, and many other nations are using U.K. regulations as a model for new
regulatory development.
In the U.K., the Health and Safety Executive (HSE) has jurisdiction over safety regulations for
the offshore oil and gas industry.

| Regulation | Driver | Description |
|---|---|---|
| Offshore Installations (Construction and Survey) Regulations | Development of Central North Sea area required larger and more complex offshore facilities | Followed contemporary industry practice, and required certification demonstrating compliance to prescriptive requirements and periodic surveys of completed installations. |
| Offshore Installations (Safety Case) Regulations | Implementation of Lord Cullen's recommendations following the Piper Alpha disaster | For each offshore installation, the operator must prepare a detailed Safety Case describing their safety management system, the measures taken to identify and address all hazards with the potential to cause a major accident and to evaluate risks to assure a risk level as low as reasonably practicable. |
| Offshore Installation (Prevention of Fire and Explosion, and Emergency Response) Regulations | Clarifying Safety Case requirements | Promotes an integrated risk-based approach to managing fire and explosion hazards and emergency response. |
| Offshore Installation (Design and Construction) Regulations | Aid in Implementing Safety Case Regulations | Dispenses with the concept of a Certifying Authority, placing responsibility with the owner or operator (duty holder) to identify safety critical elements and to verify performance through independent review and verification throughout their life cycle. |

Table 5.1. United Kingdom offshore safety regulations

In Norway, the Norwegian Petroleum Directorate has jurisdiction over offshore safety
regulations.

| Regulation | Driver | Description |
|---|---|---|
| Regulations Concerning Implementation and Use of Risk Analyses in the Petroleum Activities | Norwegian response to UK Safety Case Regulations | A brief regulation aimed at improving safety performance through implementation of risk analysis. Operators are required to define acceptable risk and are given flexibility in the methods used to demonstrate the acceptability of their operations. |

Table 5.2. Norwegian offshore safety regulations

In Australia, the Department of Minerals and Energy (DME) is the Designated Authority
regarding offshore safety regulations.

| Regulation | Driver | Description |
|---|---|---|
| Australian Safety Case Regime | Australian response to UK Safety Case Regulations | Requires submittal of a number of Safety Cases which are similar in content to those required in the UK. Operators are expected to prioritize hazards using QRA, set acceptance criteria, demonstrate that these standards are met, and use cost-benefit analysis to show the risks are ALARP. Non-quantitative approaches may be accepted. |

Table 5.3. Australian offshore safety regulations

In the United States, the jurisdiction over offshore safety is split between the Mineral
Management Service (MMS), the U.S. Coast Guard, the Department of Transportation, and the
individual states to the limit of their jurisdiction in offshore waters.

| Regulation | Driver | Description |
|---|---|---|
| Code of Federal Regulations | Need to provide comprehensive regulatory coverage of the industry | Provides requirements based largely on API Specifications and Recommended Practices related to structures, process equipment, piping, safety devices and electrical components. Also addresses minimum training requirements. Because hazards associated with offshore systems are considered well-known and well-analyzed, MMS regulations emphasize design in accordance with good engineering practice and that operations and maintenance activities follow fundamental safety management principles. |
| Voluntary Safety and Environmental Management Program | Desire to encourage operators to develop effective safety management systems without the effort and expense of totally redrafting existing regulatory requirements. | Operators are required to implement safety management systems that address 12 key elements. The elements include Hazards Analysis (quantitative risk assessment is not required), and Assurance of Quality and Mechanical Integrity of Critical Equipment, Emergency Response and Control, and Audits. Voluntary compliance with this standard is being monitored. If voluntary participation levels are not satisfactory, regulatory solutions will be pursued. |
| State Regulations | Varied | With the exception of offshore California and Alaska, state regulations are prescriptive, minimal, and focused on environmental protection and safety of well design. With the exception of requirements for a structural risk analysis offshore California, there are no requirements for the use of risk analysis. |

Table 5.4. United States offshore safety regulations


5.3. Future trends

Although regulatory requirements which apply to offshore oil and gas development are still quite
different from nation to nation, a degree of uniformity is beginning to emerge in the approach
operators are taking toward project development, design and risk assessment. The dominance of
the major operators in the newest areas of offshore development has played a major role in this
progression. Many of the risk assessments and safety studies that are now required for North Sea
developments in response to Safety Case legislation are becoming corporate standards for the
large global operators.
Ongoing improvement in the safety of offshore facilities relies upon a union of good regulations
and industry codes and standards. Modern regulations are generally becoming more
performance-oriented, requiring operators to demonstrate the effectiveness of their safety management
techniques.
More and more, operators are being given the opportunity to demonstrate, typically by means of
risk assessments, the acceptability of new or novel approaches. Industry codes and standards
which are continually improved remain a critical tool for operators to document practices which
have been shown to produce acceptable results and to share learning from new experiences and
approaches.

6. Safety measures in design and process operations

6.1. Introduction to ship design

Design methodology consists of a formal description of the design process, its premises,
objectives and procedures. One of its essential foundations is the approach of systems analysis
which became known and rapidly spread after the 1950s.
The prevailing design procedure was well captured in the image of the famous design spiral.
This schema correctly depicts the iterative nature of design, but overemphasizes an apparently
prescribed sequence of design steps. In practice the procedure varies from case to case and is
much more flexible, given that provisional assumptions permit starting subtasks independently.
At a later stage when concurrent engineering was pursued, the design team actually endeavored
to perform several design subtasks simultaneously. Nevertheless the design spiral served well as
guidance in coordinating design activities.
By about 1970 the methods of systems analysis had matured in many other applications and
began to make a profound and lasting impact on ship design methodology. Systems analysis
serves as a decision-making approach in the analysis, design and operation of large, complex
systems. It can equally well be applied to ships, their subsystems and to the fleet or transport
system of which the ship may be a part.
The approach of systems analysis made a deep impact on ship design methodology, not only
because of its greater rigor, but also because it facilitated a coordinated division of labor in the
design team. The introduction of computer aids in design enabled each designer to perform a
greater share of subtasks in the design process and thus necessitated a reorganization of the
division of labor in design. The subtasks of design attained greater scope and granularity,
increasing the responsibilities of the individual team member. But systems analysis also provides
criteria and methods for harmonizing the results of subsystem design in consonance with overall
system performance.
Thus the system approach has been providing a common platform for many new developments
and innovative design techniques for many decades. The degree of change in ship design
methodology during several decades was significant and must be rated by the sum of many
individual innovations in this general framework.
Economic efficiency. Economy and safety remain the most essential goals of commercial ship
design. There is no doubt that significant improvements were made in the economic efficiency of
ships. The economic assessment of alternatives has become a routine matter in early design
stages. The computer made it even more feasible to get an immediate evaluation of economic
performance for a proposed design. Design decisions thus have become more transparent and
more rational. The sometimes superficially conflicting requirements of economy and safety can
usually be reconciled by quantification. Several approaches exist for making these criteria more
commensurable. The future trends are the design for lower lifecycle cost, i.e., shipbuilding and
operating cost as well as the design for better product quality, i.e., improved functionality,
performance and reliability of the ship. The reduction of the lead time for design and production
to achieve shorter time to market is obviously also an important issue.
Ship safety and risk assessment. Ship safety requirements are as essential to shipping ventures
as economic objectives. This concerns the safety of human lives, the risks of damage to or loss of
ship and cargo, and the hazards to the environment. In fact it is the art of ship design to find
solutions meeting both economic and safety requirements without compromising any safety
principles. For many decades the management of safety in design has been a matter of improving
regulatory requirements in response to experience with fatalities, damage or loss, by conventions
issued by international agencies and institutions such as SOLAS and IMO. This is still necessary
to set standards and reach international agreement. Probabilistic methods for risk assessment
have now gained full acceptance and are in practice replacing older deterministic, safety factor
based regulations. Calculation methods for predicting ship performance in critical situations, in a
seaway or in collisions and groundings, have been further developed. Quantification of risks in
early design stages is becoming more and more feasible. Pursuing a risk-based design approach
that quantifies all hazards is the future trend. From a design perspective, Formal Safety Assessment
is important for promoting goal-based standards to support the design of new and innovative
designs, as an alternative to prescriptive rules presupposing a specific technical solution. By
explicitly defining the safety objective to be met, alternative design solutions meeting the same
standard may be approved. This also opens the way for risk-based acceptance criteria, with
classification societies using the Formal Safety Assessment guidelines as the basis for their own
rule development.
Rationality and probabilistic modeling. Many influences on ship performance are uncertain at
the design stage, in particular the hazards of loads and safety. The environment of the ship in an
irregular seaway and the events involved in ship collisions and groundings are examples of
random processes that need to be described in terms of probabilities. Fortunately some
pioneering work has made these processes amenable to probabilistic modeling. Recent
applications in design optimization are giving new significance to such models. Design for
structural reliability belongs to the same category. Therefore in recent decades several
computational methods have been introduced and have become routinely applied in ship design,
where appropriate, to evaluate risks and contend with uncertainties.
Optimization. In the framework of the system approach optimization methods have become the
favorite design solution tool. Many of the principal stages of the design process have been
approached by optimization. The approach is invaluable for innovative design tasks and may
confirm and thus reassure the solutions to more conventional design applications. The advantage
of using optimization in design is not only the ease of finding the best possible solutions more or
less automatically, but also having the assurance that improvements are no longer feasible by
small changes in the design variables. It is also an important result to learn which constraints
govern the solution, sometimes in order to soften certain constraints. The nonlinear
optimization problem does not necessarily yield a unique solution; in multimodal cases several
local optima exist. It is of value to know multiple optima if they exist. To enumerate several or
all local optima necessitates a conscientious inspection of the whole feasible design space.
Problem formulations with multiple goal criteria have become popular in ship design. This tends
to occur when economic and safety indicators are both taken into account as equivalent goals.
One possible approach to this dilemma consists of Multiple Criteria Optimization. These
methods help to define the most suitable compromises.
Integration. It was one of the earliest dreams in CAD/CAM to have available an integrated,
coherent software system that would support the entire design process. This meant that a set of
design methods would share a certain database and build up the product model in successive
design steps, not necessarily in any prescribed sequence. Thus the methods would be interfaced
by sharing data sets in the database. The designer would be able to perform design steps in any
desired and meaningful order without unnecessary responsibility for input and output.
Open communication. The communication between heterogeneous CAD/CAM systems and
subsystems is now recognized as a key prerequisite for digital collaboration between suppliers
and customers. The standardization shows an approach for neutralizing the interfaces. However
open product model communication between distributed partners has not yet been fully achieved,
especially if the systems differ in functionality.
Versatility. In ship design the lot size is usually one. Changes will always occur before and
during production. Thus CAD/CAM systems must be extremely versatile to contend with ever
changing design requirements. CAD systems during several decades have certainly become more
comprehensive in scope and hence more versatile. Some system vendors claim to cover the
complete CAD-CAM-CIM cycle. Exceptions from this trend still occur with new floating
structures such as offshore wind mills and features as well as unconventional design objectives.
Simulation and visualization have added to system versatility. The trend is in the right direction.
Simulation and visualization. Simulation and visualization together, known as the "virtual ship",
are also increasingly used in early stage design to display the product model of the ship in
three-dimensional views together with its operating systems in order to review the geometry,
subdivision and emergencies, the performance of lifesaving systems and many other operational
scenarios.
6.2. The ship design process

Today ship design can be viewed as an ad hoc process. It must be considered in the context of
integration with other design development activities, such as production, costing, quality control,
and others. In that context, it is possible for the designer to work on a difficult product, requiring
high material or labor cost, and containing some design flaws that the production engineers have
to correct or send back a new design before production. Any adjustment required after the design
stage will result in a high penalty of extra time and cost. Deficiencies in the design of a ship will
influence the succeeding stages of production. In addition to designing a ship that fulfils
production requirements, it is also desirable to design a ship that satisfies risk, performance, cost,
and customer requirements criteria. More recently, environmental concerns, safety, passenger
comfort, and life-cycle issues are becoming essential parts of the current shipbuilding industry.
With this paradigm, the selected design will be a producible, cost-effective, safe, clean, and
functionally efficient design. This will enable shipyards to obtain great rewards, such as the
reduction of construction time and costs, reduction of lead time, improving product quality,
simplification of products, and gaining sustainable competitive advantages in the shipbuilding
market.
Throughout the engineering disciplines, many design processes have been developed in order to
correct the inadequacies of the designs during the ship design stages. This is the process of proactively designing products to optimize all the functions throughout the life of the product.
Design for cost. Design to cost is a management strategy and supporting methodologies to
achieve an affordable product by treating target cost as an independent design parameter that
needs to be achieved during the development of a product. Design to cost is an area which has
attracted much attention recently. The objective with this strategy is to make the design converge
to an acceptable cost, rather than to let the cost converge to design. Design to cost can produce
massive savings on product cost before production begins. The basic concept is to estimate the
manufacturing cost during the conceptual and early design stages in order to achieve the
following objectives:

• To identify the model parts that might cause high manufacturing costs,
• To provide an environment to estimate alternative cost for comparative design models.
The general approach is to set a cost goal, then allocate the cost goal to all the elements of the
product. Designers must then confine their approaches to set alternatives that satisfy the cost
constraint. The control of costs to meet these objectives is achieved by practical trade-off
involving mission capability, performance and other schedule objectives.
However, this is only possible once cost engineers have developed a tool set that designers can
use to determine the impact of their decisions as they make them. Over time, different
developments have appeared to help designers analyze the impact of their decisions on the ship cycle.
Design for maintenance. Consideration of product maintainability and reliability tends to be an
afterthought in the design of ships. The design of the support processes needs to be developed in
parallel with the design of the ship and not after. Parallel design can lead to lower overall life
cycle costs and a product design that is optimized to its maintenance processes. Maintenance
characteristics of the design and particularly unplanned maintenance are very important mainly
because they lead to a reduction in operability, and hence profit in the case of commercial
vessels or the ability to complete the desired mission in the case of naval vessels.
Engineering techniques can be applied to systems design to minimize the time and effort
required to perform periodic preventive maintenance as well as unscheduled maintenance. Some
recommendations can be given to achieve higher quality, better reliability, lower operating cost,
and better maintainability. For instance:

• Reduce the number of parts to minimize the possibility of a defective part or an assembly error;
• Reduce the complexity and time of the assembly/disassembly process;
• Improve the accessibility for testing or inspections of the components of the product;
• Use modular design for components with greater probability of replacement to facilitate assembly/disassembly;
• Utilize standard parts to minimize the amount of spare parts;
• Provide self-test and self-diagnosis as much as possible.


Design for environment. This is a relatively new field, developed in parallel to pollution
prevention. The aims are to minimize raw material consumption, energy and natural resource
consumption, waste/pollution generation, health and safety risks, and ecological degradation
over the entire life of the ship.
Design for environment integrates environmental considerations into the design of ships with a
better environmental performance over the ship's entire life cycle. Decisions made about the
types of materials and other resources, as well as manufacturing processes to be used during
production, affect the environmental performance of the ship. Following the finished design, the
ship's environmental attributes are generally fixed and cannot be changed. Therefore, a
systematic integration of environmental considerations into the earlier stages of design is
essential to achieve increased environmental performance. Incorporating design for environment
attributes into ship design has some benefits, such as reduced energy and material use, reduction
of emissions and waste, focus on material selection issues: design for recycling, design for
disassembly, management of toxic materials, and evaluation of environmental attributes.
Design for safety. Rather than waiting for an accident to happen and then acting in haste to set up
new rules, all pertinent knowledge deriving from such accidents could be analyzed and stored to
improve the safety as early as possible in the design process. It is widely accepted that rules
provide minimum standards on average and in some areas there are not even rules to provide
minimum standards of safety. Consequently, design for safety should systematically integrate
risk analysis in the ship design process with prevention/reduction of risk embedded as a design
evaluation attribute.
Design for safety is a real opportunity for ship owners to have ships customized to their needs
while maintaining the same safety levels. However, design for safety is a very expensive and
time consuming approach. Indeed, the resources required for additional safety during the design
stage will inevitably have a cost. It is from this background that the marine design for safety
emerged. The key drivers of the philosophy are to keep safety as an important functional
characteristic of the design and to speed up the process of risk and cost analysis, so that the
process itself becomes more usable. IMO, MSC, SOLAS, ISO, IACS and MARPOL are
continuously improving and implementing the safety requirements in the shipbuilding industry.
In particular, the IMO Maritime Safety Committee recently adopted a new philosophy and a
working approach for developing safety standards for passenger ships. In this approach, modern
safety expectations are expressed as a set of specific safety goals and objectives, addressing
design, operation and decision making in emergency situations with special attention paid to
flooding survival analysis and fire safety analysis.
Design for retrofitting and refurbishment. Retrofitting and refurbishment are significant cost
factors in the life cycle of a ship. Retrofitting and refurbishment are carried out mainly for
the following reasons:
• To adapt ships to meet upcoming safety and environmental regulations, such as those related to double hull structures for inland waterway ships, or to meet new regulations in regard to gas emissions;
• To adapt the interior of passenger ships to varying passenger needs and comfort requirements;
• To adapt ships to new operational tasks, like conversion of tankers into FPSO.
For complex ships, the cost related to refurbishment can reach the order of magnitude of the
original investment. Even if retrofitting is in many cases not driven by structural aspects, the
structure of a ship is often affected by changes in the outfitting part.
Design for robustness. Robustness is defined as insensitivity, or stability, with respect to
uncontrollable parameters and is becoming a standard concept, particularly for innovative
designs. Many input parameters (e.g. loads, material data, thickness) held constant during the
optimization process, are subject to uncertainties causing variations of the values in the criteria
set and/or violation of constraints. They can also be costly to control. One way is to introduce
safety margins on the constraints, but this leads to a reduction of the design space. Robust design
has been developed with the expectation that an insensitive design can be obtained.
The robust design method greatly improves engineering productivity. Variation reduction is
universally recognized as a key to reliability and productivity improvement. There are many
approaches to reducing the variability, each one having its place in the product development
cycle. The robustness strategy provides the crucial methodology for systematically arriving at
solutions that make designs less sensitive to various causes of variation. It can be used for
optimizing product design as well as for the manufacturing process design.
6.3. Design principles in ship economics

Recent research advances in the economics of maritime transport discuss issues related to the
value of ships, design methods to maximize this for stakeholders, shipbuilding as a service, ship
speed and others.
World trade figures clearly show that without seaborne shipping, world trade
would not be possible on the scale necessary for the modern world to function. Around 90% of
world trade is carried by the international shipping industry and this accounts for 4.5 trillion
USD of exported goods. According to the same statistics, this figure brings 380 billion USD in
freight rates, which is equivalent to about 5% of total world trade.
These figures indicate the efficiency of shipping. The ratio between the total freight rates and
goods transported leads shows that on average less than 10% of the value of goods transported is
54 | P a g e

Risk Analysis and Risk Management


required undertaken that transportation using the shipping of the world. Even if the annual
investment in new building is add to this, in the order of 100 billion USD, the overall system is
still very lean.
Modern shipbuilding demands a new approach that accounts for the opinions of multiple
stakeholders. Traditionally, ship designs were often developed by a stove-pipe design
organization without the direct, early participation of the future ship's builder, ship owner,
operators and maintainers. In contrast, modern design teams employ concurrent engineering
principles, which require the consideration of all the stakeholders' preferences. This indicates that
ship valuation should be approached from the perspectives of the different parties involved in the
shipbuilding process.
The conventional ship value assessment adopts the Net Present Value approach, which only
measures the tangible aspects of the ship, including the ship's features and functions, discounted
through time. Net Present Value therefore fails to capture the importance of partnership and
cooperation between the stakeholders of the shipbuilding industry.
The importance of the relationship between the shipyards as sellers, and the owners
as buyers and turnkey suppliers, has been studied, and it was concluded that interdependency
triggers stakeholders to continue the relationships, recognizing that they can create more value
together than independently.
On the other hand, it was found that currently there is insufficient understanding of the value of a
ship by the ship owner and shipyard. A more complete understanding will enable designers to
reduce the problems of over- and under-engineering, prevent ship owners from making unrealistic
requirements and avoid shipyards doing inappropriate things such as installing poorly
performing equipment. It was also concluded that for unique and sophisticated ships, like cruise
ships, successful building was only possible if there was a strong relationship between the
stakeholders that allowed flexibility to bridge all technical challenges. Less sophisticated ships,
like bulk carriers or tankers, are built strictly according to specifications, and any demands for
alterations are met with resistance. The dominant factor of value for these kinds of ships is price,
while for sophisticated ships, the value is held in the passenger experience and the uniqueness
that the ship has in the market.
This fact led many yards building cruise ships to extend their business activities to support the
owner in the post-delivery phase, offering to their clients not just a product, but a shipbuilding
service. This service would include a maintenance service for the ship, but the primary objective
was to engage in the refitting and enlargements of vessels in order to rejuvenate them after a
certain period of time, perhaps 10 to 15 years.
Noting the shipping industry's trend toward the reduction of operating speed due to rising
oil prices and reduced economic activity in 2010 and onwards, an analysis was performed to
identify the dependence of optimal speed on freight rates. Following the premise of economic
equilibrium, it was possible to draw a functional relationship between the optimal ship speed and
the freight rates, assuming constant transport capacity. Further to this, the relationship was also
established with the cost of ship operations. Considering that the biggest cost in operation is the
fuel, it is possible to estimate the optimal ship speed and the corresponding freight rate for a
given price of fuel. Extending the result of this analysis to the present-day situation of rising oil
prices, or the addition of CO2 taxes, we can expect that the ship speed will need to be further
reduced if the economic equilibrium is to be maintained. Only a rise in the world economy could
reverse this trend, but if the requirement to reduce the CO2 emissions from shipping is accepted
then maintaining slow steaming and building more ships might in the long term be a
more sustainable approach to a greener shipping industry.
Design criteria for valuation of human life, health and safety. During engineering projects such
as shipbuilding projects, decisions have to be made on how the performance of a system, and namely
its safety, can be improved. This goes along with changes in the costs of the project, whether
increased or decreased. As a consequence the engineer needs support to determine the
consequences of an option (which may be a risk control option in the terminology of formal
safety assessments) for improving the performance with regard to the costs. In this context, one of
the most difficult issues in examining different risk control options for making engineering
design decisions and policy formulation is the valuation of human life, health and safety in
monetary terms which have meaning in pricing decisions. These decisions are usually made by
politicians, taking into account the aversion towards human suffering in an intuitive way. An
analysis of these decisions shows, however, that the implicit value of a human life is always
finite.
The economic aspect of the problem is that the scarce national means have to be divided over
many investments, among which are a number of possible investments in health and safety. Any
rational decision mechanism must therefore be able to weigh the probability of profit against the
probability of saving lives and enhancing health. The growing application of risk-based design
methods makes it necessary to estimate the value of a human life, health and safety in addition to
an assessment of the economic damage involved with failure of the system under design.
Generally, the most common approach is to conduct a cost and benefit analysis. One such
analysis is to study the outcomes of political or societal decision processes, that is, the investments
made in a society to increase the probability of saving an extra life. This value seems able to serve as
a valuation of human life, as it indicates the willingness to pay for the saving of a life.
Some researchers contend that the characteristic value monism of cost-benefit
analysis renders the practice inadequate for guiding environmental policy formation: not all
choices are tradeoffs made on quantitative assessments of preference satisfactions, and some
goods, human life among them, cannot and should not be measured in monetary terms. At a basic
level, cost-benefit analysis can include within the scope of its reasoning diverse goods, including
so-called human costs, such as rights and duties, and environmental costs.
In its strategy, IMO has focused on the development of goal-based new ship construction
standards, where a more holistic approach towards the ship and its systems is applied. The
second approach has a more risk-based and holistic attitude and is called the safety level
approach, including the safety of seafarers, occupational health, passengers and the safety of third
parties. The intention with goal-based standards, and in this respect especially with regard to the
safety level approach, is that the standard is an overarching and holistic approach which covers
all functions and systems on board. The argument is that if there were a safety standard in place
for all systems and workplaces on board, it would indirectly reflect positively on the health and
safety of the crew. According to research studies, communication between ship design and
ship ergonomics has been non-existent, and it is overdue for the working environment and the
prevention of personnel accidents to be taken into consideration in the construction phase, where
it is both cheaper and more efficient to create solutions that efficiently prevent work-related
accidents.
IMO Goal-based standards. The notion of goal-based ship construction standards was
introduced in IMO at the 89th session of the Council in November 2002 through a proposal by
two Member States, the Bahamas and Greece (C 89/12/1), suggesting that IMO should play a
larger role in determining the standards to which new ships are built, traditionally the
responsibility of classification societies and shipyards.
The submission argued that the Organization should develop initial ship construction standards
that would permit innovative designs but at the same time ensure that ships are constructed in
such a manner that, if properly maintained, they could remain safe for their economic life. The
standards would also have to ensure that all parts of a ship could be easily accessed to facilitate
proper inspection and ease of maintenance.
Over the next two years the matter was extensively discussed in the Maritime Safety Committee
(MSC), the Council and finally the IMO Assembly which, at its twenty-third session in 2003,
included the item "Goal-based new ship construction standards" in the strategic plan (A.944(23))
and the long-term work plan (A.943(23)) of the Organization.
After in-depth discussions in plenary and in the GBS working group during MSC 79 and MSC
80, MSC 80 in May 2005 agreed in principle on the basic principles of IMO goal-based
standards as follows:
• broad, over-arching safety, environmental and/or security standards that ships are
required to meet during their lifecycle;
• the required level to be achieved by the requirements applied by class societies and other
recognized organizations, Administrations and IMO;
• clear, demonstrable, verifiable, long standing, implementable and achievable,
irrespective of ship design and technology; and
• specific enough in order not to be open to differing interpretations.
It is understood that these basic principles were developed to be applicable to all goal-based
standards developed by IMO and not only to ship construction standards, in recognition that, in
the future, IMO may develop goal-based standards for other safety areas, e.g. machinery,
equipment, fire-protection, etc., as well as security and environment protection related areas, and
that all goal-based standards developed by the Organization should follow the same basic
principles. It was agreed to proceed with the development of GBS using a deterministic
approach, while, at the same time, the use of risk-based methodologies was to be further
explored over the next few sessions of the Committee.
Following deliberation on the subject, MSC 81 agreed to limit the scope of its consideration
initially to bulk carriers and oil tankers and consider expansion to other ship types and areas of
safety at a later time. For the GBS for oil tankers and bulk carriers, a five-tier system was agreed,
consisting of the following:
• Tier I - Goals
High-level objectives to be met.
• Tier II - Functional requirements
Criteria to be satisfied in order to conform to the goals.
• Tier III - Verification of conformity
Procedures for verifying that the rules and regulations for ship design and construction conform
to the goals and functional requirements.
• Tier IV - Rules and regulations for ship design and construction
Detailed requirements developed by IMO, national Administrations and/or recognized
organizations and applied by national Administrations and/or recognized organizations acting on
their behalf to the design and construction of a ship in order to conform to the goals and
functional requirements.
• Tier V - Industry practices and standards
Industry standards, codes of practice and safety and quality systems for shipbuilding, ship
operation, maintenance, training, manning, etc., which may be incorporated into, or referenced
in, the rules and regulations for the design and construction of a ship.
The GBS Tiers I to III constitute the IMO GBS, which became mandatory on 1 January 2012
under the SOLAS Convention (new SOLAS regulation II-1/3-10), subsequent to the adoption of
the following instruments at MSC 87 in May 2010:
• New SOLAS regulation II-1/3-10 Goal-based ship construction standards for bulk
carriers and oil tankers (resolution MSC.290(87));
• International goal-based ship construction standards for bulk carriers and oil tankers
(resolution MSC.287(87)) (the Standards); and
• Guidelines for the verification of conformity with goal-based ship construction standards
for bulk carriers and oil tankers (resolution MSC.296(87)) (the Verification Guidelines).
SOLAS regulation II-1/3-10 makes the goal-based standards applicable to oil tankers and bulk
carriers of 150 m in length and above, for which the building contract is placed on or after 1 July
2016; in the absence of a building contract, the keels of which are laid or which are at a similar
stage of construction on or after 1 July 2017; or the delivery of which is on or after 1 July 2020.
The new SOLAS regulation also requires that a Ship Construction File shall be provided upon
delivery of a new ship and kept on board the ship and/or ashore (see also the Guidelines for the
information to be included in a Ship Construction File (MSC.1/Circ.1343)).
MSC 89 in May 2011, with a view to providing the process for the development, verification,
implementation and monitoring of goal-based standards (GBS) to support regulatory
development within IMO, approved the Generic guidelines for developing IMO goal-based
standards (MSC.1/Circ.1394).
The verification of conformity of ship construction rules of individual recognized organizations
and/or national maritime administrations with the GBS will be carried out by international GBS
Audit Teams established by IMO's Secretary-General, in accordance with the Verification
Guidelines. These Guidelines foresee that recognized organizations and/or national maritime
administrations submit requests for verification of their ship construction rules to the
Secretary-General, who will forward these requests to the Audit Teams to be established for a
verification of the submitted information through an independent review. The final reports of
the Teams with relevant recommendations will then be forwarded to the MSC for consideration and
approval.
According to the implementation schedule (MSC 87/26/Add.1/Annex 13), the deadline for the
receipt of initial verification requests at IMO is 31 December 2013. To facilitate audit
preparation, IMO sent Circ. Letter No.3097 in August 2010, inviting advance notification
of intent to submit a request for a GBS verification audit, and as of June 2012, eight notifications
from classification societies had been received.
At the same time, a pool of auditors is being established. In response to Circ. Letter No.3076 of
July 2010, inviting the nomination of GBS auditors, 33 nominations had been submitted by
Member States and international organizations as of 12 July 2012.
The Assembly, at its 27th session, included in the Strategic Plan for the Organization (for the
six-year period 2012-2017) (resolution A.1037(27)) a relevant strategic direction and in the
High-level Action Plan (resolution A.1038(27)) a corresponding high-level action with two
planned outputs:
• implementation of goal-based new ship construction standards for bulk carriers and oil
tankers (by MSC);
• development of goal-based ship construction standards for all types of ships, including
safety, security and protection of the marine environment (by MSC and MEPC).
For further study of risk-based methodologies, MSC 90 established a GBS correspondence
group and instructed it to develop draft guidelines for the approval of equivalents and
alternatives as provided for in various IMO instruments, which should be based on the
Guidelines on approval of risk-based ship design annexed to document MSC 86/5/3.
Risk management in ship design
Risk evaluation criteria. Hazard identification and risk assessment methodologies vary greatly
across maritime industries, ranging from simple assessments to complex quantitative analyses
with extensive documentation. Individual hazards can require that different methods be used, e.g.
an assessment of long term exposure to asbestos can need a different method than that taken for
equipment safety or for assessing an office workstation.
Each organization should choose approaches that are appropriate to its scope, nature and size,
and which meet its needs in terms of detail, complexity, time, cost and availability of reliable
data. In combination, the chosen approaches should result in an inclusive methodology for the
ongoing evaluation of all the company's risks.
The management of change needs to be considered for changes in assessed risks, determination
of controls, or the implementation of controls. Management review should be used to determine
whether changes to the methodology are needed overall.
To be effective, the organization's procedures for hazard identification and risk assessment
should take account of the following:
• hazards,
• risks,
• controls,
• management of change,
• documentation,
• ongoing review.
Risk assessment techniques can be applied in almost all areas of maritime industries. Ship
owners know that to be successful they must have a good understanding of their risks and how
risks impact the people associated with their operations, their financial performance and
corporate reputation.
These objective values might be used in an optimization process to:
• achieve a reduced level of risk with a prescribed amount of money,
• reduce the costs that are required to achieve a target risk level.
Furthermore, compared with traditional root cause analysis approaches, risk analysis or risk
assessment is proactive. Proactive means that hazards are identified before the unwanted event
occurs. In that sense risk analysis helps to avoid fatalities, environmental pollution and economic
losses.
One of the fundamentals of all safety systems is the understanding of the safety barrier principle.
Whenever we design safety-critical systems we provide them with a certain recovery potential.
We do not want safety-critical systems to fail because of single and simple mistakes. This is
why we integrate certain safety barriers and controls in our systems. If a hazard occurs it might
not affect the system because of pre-installed safety barriers.
These barriers do not have to be a physical protection, such as safety boots or gloves. They can
also be of an organizational nature etc. An overview is given below.

Figure 6.1. Overview about measures to safeguard safety in shipping

When barriers are designed and integrated in the systems one has to pay specific attention to the
nature of the target of a hazard: the ship, the cargo, the crew or other humans involved, the
environment. Different hazards and targets require different barriers.
Safety management is therefore a continuous process of assessment of safety barriers. The
existing barriers are monitored constantly. In addition our safety critical system is monitored,
too. The focus is here on missing barriers resulting from insufficient risk assessment or changes
in the systems.
After accidents an analysis of the function of our pre-installed safety barriers is carried out.
These barriers were not always installed based on previous experience. They can also be
installed based on personal judgment etc.
It is therefore vital to analyze if the safety barriers in each system have the right dimensions.
Accidents, unfortunately, are practical tests for our barriers. If they did not function, we have to
improve them.
Before we install safety barriers we assess our systems. Risk management is a complex process.
It consists of the following phases:
• Risk analysis and estimation
• Risk assessment
• Risk management and control
During the analysis the vital components of technical/operational systems and potential hazards
endangering the functionality of these systems are identified.
The next step is concerned with the estimation of frequencies of the appearance of these hazards
and the resulting consequences. During risk assessment suitable Risk Control Options (RCOs)
are identified, evaluated, and the most appropriate Risk Control Measure (RCM) selected. The
selected RCMs are the barriers that should prevent a hazard from hampering the vital
components in our technical/operational systems.
In order to facilitate the approval of novel designs or novel systems, there is a need for different
risk evaluation criteria, sometimes also referred to as risk acceptance criteria or risk tolerability
criteria. The actual approval process may be considered independent from the risk evaluation
criteria and the criteria may be derived from high-level goals independent of the actual design or
system that seeks approval.
Criteria for evaluation of high-risk level. High-level risk evaluation criteria may at least cover
the risk to human life, including injuries and ill health, and the risk to the environment. Other
types of risk could also be covered, as appropriate for the design or system in question. Different
criteria for each type of risk could also be employed and typically the following risk evaluation
criteria are needed:
• criteria for individual and societal risk;
• criteria for risk to crew, passengers and people ashore, as appropriate;
• limits between negligible, ALARP area and intolerable levels of risk;
• cost-effectiveness criteria defining when risks are considered ALARP.
A thorough review of existing risk evaluation criteria included a review of different approaches
to establish limits between the ALARP area and negligible and intolerable levels of risk to
human life and cost-effectiveness criteria for risks to human life as well as a new approach to
cost-effectiveness criteria for environmental protection against spills.
The revised IMO Guidelines on Formal Safety Assessment contain two appendices that discuss
risk evaluation criteria and also propose GCAF and NCAF criteria for cost-effectiveness. Such
criteria may have to be updated from time to time. However, the importance of having adequate
risk evaluation criteria in place when performing safety-based approval of ship designs and
systems is emphasized.
6.4. Risk management for designing of systems and functions

Risk-based design is an alternative to the present prescriptive rules, replacing the actual design
regulation by goals and functional requirements. The risk-based ship system approval process
requires suitable evaluation criteria. These criteria may be defined for the overall ship level, but
also for specific ship functions. For the risk-based design of a specific ship system, evaluation
criteria for this system may be provided. The relation between the overall risk and the risk
contribution of a specific system is defined by the risk model and the risk analyses that have
been performed as part of the risk-based design and approval process.
Based on the ALARP principle, a general procedure for how to derive risk evaluation criteria for
ship functions may be described as follows:
• develop a risk model, including all scenarios that are affected by the function in question;
• use the decision criteria for cost-effectiveness for the function in question;
• derive the target reliability or availability by cost-effectiveness criteria;
• use the optimum reliability as a target for the function that is analyzed.
This procedure is a simplified FSA limited to the relevant function and it is implicitly assumed
that the risk level is in the ALARP area, rendering cost-effectiveness criteria applicable.
It may be noted that risk evaluation criteria derived in this way may not be dimensioning for the
function in question.
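The four-step procedure above, worked through in Python as an added example that is not part of the course text. The scenarios, design options, costs, ship lifetime and the 3 million USD criterion are constructed values; GCAF and NCAF are computed as cost per fatality averted, gross and net of the economic benefit, and accepting an upgrade when either falls below the criterion is this example's assumed decision rule.

```python
"""Target reliability for one ship function from cost-effectiveness criteria.

Added illustration. Scenarios, options, costs and the criterion are constructed.
It assumes, as the procedure does, that the risk level is in the ALARP area.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One accident scenario in the risk model that depends on the function."""
    name: str
    demands_per_ship_year: float  # how often the function is needed
    fatalities_if_failed: float   # expected fatalities if it fails on demand
    loss_usd_if_failed: float     # expected economic loss if it fails on demand


@dataclass(frozen=True)
class Option:
    """One design alternative for the function."""
    name: str
    failure_prob_on_demand: float
    lifetime_cost_usd: float


SHIP_LIFETIME_YEARS = 25        # assumed
CAF_CRITERION_USD = 3_000_000   # assumed cost-effectiveness criterion

SCENARIOS = [  # constructed
    Scenario("collision after loss of function", 0.02, 0.5, 20_000_000),
    Scenario("grounding after loss of function", 0.05, 0.1, 10_000_000),
]
OPTIONS = [  # constructed
    Option("single unit", 0.1, 0),
    Option("duplicated unit", 0.01, 60_000),
    Option("duplicated unit, independent power", 0.001, 260_000),
    Option("triplicated unit", 0.0005, 1_500_000),
]


def lifetime_risk(option, scenarios, years):
    """Step 1, the risk model: (expected fatalities, expected loss in USD)."""
    p = option.failure_prob_on_demand
    fatalities = sum(s.demands_per_ship_year * p * s.fatalities_if_failed
                     for s in scenarios)
    loss = sum(s.demands_per_ship_year * p * s.loss_usd_if_failed
               for s in scenarios)
    return fatalities * years, loss * years


def incremental_caf(base, upgrade, scenarios, years):
    """Step 2: GCAF = dC / dR and NCAF = (dC - dB) / dR for base -> upgrade."""
    base_fat, base_loss = lifetime_risk(base, scenarios, years)
    up_fat, up_loss = lifetime_risk(upgrade, scenarios, years)
    delta_risk = base_fat - up_fat          # fatalities averted
    if delta_risk <= 0:
        raise ValueError("upgrade does not reduce risk")
    delta_cost = upgrade.lifetime_cost_usd - base.lifetime_cost_usd
    delta_benefit = base_loss - up_loss     # economic loss averted
    return delta_cost / delta_risk, (delta_cost - delta_benefit) / delta_risk


def target_option(options, scenarios, years, criterion):
    """Steps 3 and 4: keep upgrading while the next step is cost-effective."""
    ordered = sorted(options, key=lambda o: o.lifetime_cost_usd)
    current = ordered[0]
    for candidate in ordered[1:]:
        try:
            gcaf, ncaf = incremental_caf(current, candidate, scenarios, years)
        except ValueError:
            continue  # costs more without reducing risk: never a target
        if gcaf <= criterion or ncaf <= criterion:
            current = candidate
    return current


if __name__ == "__main__":
    best = target_option(OPTIONS, SCENARIOS, SHIP_LIFETIME_YEARS,
                         CAF_CRITERION_USD)
    print(f"target: {best.name}, "
          f"failure probability on demand {best.failure_prob_on_demand}")
```

With these inputs the second upgrade is rejected on GCAF alone but accepted on NCAF, because the economic loss it averts exceeds its cost; the last upgrade fails both tests, so the third option sets the target reliability.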
Safety standards for designing and building of ships. The strength and construction of hull,
superstructures, deckhouses, machinery casings, companion ways and any other structure and
equipment should be sufficient to withstand all foreseeable conditions of the intended service.
Ships should be fitted with a collision bulkhead and with watertight bulkheads bounding the
machinery spaces. Such bulkheads should be extended up to the freeboard deck. In ships
constructed of wood such bulkheads should also be fitted extending to the freeboard deck and
should be watertight as far as practicable.
Propeller shafts and shaft logs or stern tubes should not be situated in any space other than
machinery spaces containing main propulsion unless they are enclosed in watertight spaces or
enclosures inside such spaces. Ships having constraints of space or engaged on sheltered
voyages may be exempted from these requirements, provided it is demonstrated that any
progressive flooding of such space can be easily controlled and that the safety of the ship is not
impaired. Stern glands should be located in spaces which are easily accessible at all times for
inspection and maintenance.
A collision bulkhead should be watertight up to the freeboard deck. This bulkhead should, as far
as practicable, be located at a distance from the forward perpendicular of not less than 5% and
not more than 7% of the length of the ship. Where it can be shown that it is impractical for the
collision bulkhead to be located at a distance from the forward perpendicular of not more than
7% of the length of the ship, a relaxation therefrom may be allowed, subject to the condition
that should the space forward of the bulkhead be flooded, the ship at full load condition will not
be submerged to the margin line.
The collision bulkhead may have steps or recesses in it provided that they are within the
prescribed limits. Pipes piercing the collision bulkhead should be kept to the minimum. Such
pipes should be fitted with suitable valves operable from above the freeboard deck and the valve
chest should be secured at the collision bulkhead inside the forepeak. The location of such
valves on the after side of the collision bulkhead may be permitted provided that they are readily
accessible under all service conditions and the space in which they are located is not a cargo
space. All such valves should be of acceptable material.
Where a long forward superstructure is fitted, the collision bulkhead should be extended
watertight to the deck above the freeboard deck. The extension should be located within the
prescribed limits. The part of the deck, if any, between the collision bulkhead and its extension
should be weathertight.
In every ship provided with a bow door and a sloping loading ramp that forms part of the
extension of the collision bulkhead above the freeboard deck, the part of the ramp which is more
than 2.3m above the freeboard deck may extend forward of the specified limits. The ramp should
be weathertight over its entire length.
The number of openings in the collision bulkhead above the freeboard deck should be reduced to
the minimum compatible with the design and normal operation of the ship. All such openings
should be capable of being closed weathertight.
No doors, manholes, ventilation ducts or access openings should be fitted in the collision
bulkhead below the freeboard deck.
In every ship propelled by mechanical means where the chain locker is located abaft the collision
bulkhead or extends into the forepeak tank, it should be watertight and provided with efficient
means of drainage.
Each watertight subdivision bulkhead, whether transverse or longitudinal, should be constructed
in such a manner that it should be capable of supporting, with a proper margin of resistance, the
pressure due to the maximum head of water which it might have to sustain in the event of
damage to the ship but at least the pressure due to a head of water up to the margin line. The
construction of these bulkheads should be to the satisfaction of the recognized organization.
Steps and recesses in bulkheads should be watertight and as strong as the bulkhead at the place
where each occurs.
Where frames or beams pass through a watertight deck or bulkhead, such deck or bulkhead
should be made structurally watertight.
The number of openings in watertight bulkheads should be reduced to the minimum compatible
with the general arrangements and operational needs of the ship. Openings should be fitted with
watertight closing appliances. Watertight doors should be of equivalent strength to the adjacent
unpierced structure.
Watertight decks, trunks, tunnels, duct keels and ventilators should be of the same strength as
watertight bulkheads at corresponding levels. The means used for making them watertight, and
the arrangements adopted for closing openings in them. Watertight ventilators and trunks should
be carried at least up to the freeboard deck.
Testing main compartments by filling them with water is not compulsory. When testing by
filling with water is not carried out, a hose test is compulsory. In any case, a thorough inspection
of watertight bulkheads should be carried out.
Tanks which are intended to hold liquids, and which form part of the subdivision of the ship,
should be tested for tightness with water to a head corresponding to two-thirds of the depth from
the top of keel to the margin line in way of the tanks, provided that in no case should the test head
be less than 0.9 m above the top of the tank.
The tests are for the purpose of ensuring that the subdivision structural arrangements are
watertight and are not to be regarded as a test of the fitness of any compartment for the storage of
oil fuel or for other special purposes for which a test of a superior character may be required
depending on the height to which the liquid has access in the tank or its connections.
Accident prevention and crew accommodation. Hinged covers of hatchways, manholes and
other similar openings should be protected against accidental closing. In particular, heavy covers
on escape hatches should be equipped with counterweights. Escape doors and covers of escape
and access hatches should be so constructed as to be capable of being opened from either side of
the door or cover.
The dimensions of access hatches should be such that they allow a person to have a quick and
easy escape to a safe place in the event of an emergency. Where practicable, the dimensions of
access hatches of cargo and machinery spaces should be such that they will facilitate expeditious
rescue operations.
Handrails, grabrails and handholds of sufficient size and strength should be provided where
necessary in the opinion of the Administration for persons to hold on when the ship is severely
rolling or pitching.
Skylights of machinery spaces or other similar openings which are normally kept open at sea
should be provided with adequately spaced protective bars or other arrangements to prevent a
person from falling into the space accidentally. Where the size of such an opening is small, this
requirement may be waived where it is considered that, due to the small size of the opening, no
protective arrangement is necessary.
Surfaces of all decks should be so prepared or treated as to minimize the possibility of persons
slipping. In particular, decks and platforms in machinery spaces, floors of galleys, decks at
winches and areas at the foot and head of ladders and in front of door and steps of ladders should
be provided with anti-slip surfaces.
Every ship should comply with any other requirements which are deemed necessary to prevent
accidents at sea and to maintain appropriate living and working conditions. Such requirements as
set should be consistent with the ILO Code of Practice, Accident Prevention on board ships at
Sea and in Port to the extent reasonable and practicable.
Intact stability and subdivision requirements for cargo ships. Approved stability information
should be supplied to ships of 24 m in length and over to enable the master to assess with ease
and certainty the stability of the ship under various operating conditions. Such information
should include specific advice to the master warning him of those operating conditions which
could adversely affect either stability or the trim of the ship. In particular, the information
recommended in the relevant IMO Instruments should be included as appropriate. A copy of the
stability information should be submitted to the recognized organization.
The approved stability information should be kept on board, readily accessible at all times and
inspected at the periodical surveys of the ship to ensure that it has been approved.
Where alterations are made to a ship affecting its stability, revised stability calculations should
be prepared and submitted to the recognized organization for approval. Where the recognized
organization decides that the stability information must be revised, the new information should
be supplied to the master and the superseded information removed from the ship.
General requirements for mechanical and electrical machinery, equipment and installations.
All machinery and electrical installations, mechanical and electrical equipment and appliances,
boilers and other pressure vessels, associated piping systems, fittings and electrical cables and
wiring should be of a design and construction adequate for the service for which they are
intended and should be so installed and protected as to reduce to a minimum any danger to
persons on board, due regard being paid to moving parts, hot surfaces and other hazards. The
design should have regard to materials used in construction, and to purposes for which the
equipment is intended, the working conditions and the environmental conditions to which it will
be subjected.
Boilers. All boilers and other pressure vessels, all parts of machinery, all systems, hydraulic,
pneumatic and other systems and their associated fittings which are under internal pressure
should be subjected to an approved pressure test before being put into service for the first time.
Adequate provisions should be made to facilitate cleaning, inspection and maintenance of
machinery installations including boilers and other pressure vessels.
Where main or auxiliary machinery including pressure vessels or any parts of such machinery
are subject to internal pressure and may be subject to dangerous overpressure, means should be
provided where practicable to protect against such excessive pressure.
All gearing and every shaft and coupling used for transmission of power to machinery essential
for the propulsion and safety of the ship or for the safety of persons on board should be so
designed and constructed that they will withstand the maximum working stresses to which they
may be subject in all service conditions, and due consideration should be given to the type of
engines by which they are driven or of which they form part.
Machinery should be provided with automatic shut off arrangements or alarms in the case of
failures such as lubricating oil supply failure which could lead rapidly to complete breakdown,
damage or explosion.
Controls. Main internal combustion propulsion machinery and applicable auxiliary machinery
should be provided with automatic shut off arrangement in the case of failures such as
lubricating oil supply failure which could lead rapidly to complete breakdown, serious damage
or explosion.
Steam boilers and boiler feed systems. Every steam boiler and every oil-fired steam generator
should be provided with not less than two safety valves of adequate capacity. However, having
regard to the output or any other features of any boiler or oil-fired steam generator, the
recognized organization may permit only one safety valve to be fitted if it is satisfied that
adequate protection against overpressure is thereby provided.
Every steam generating system which provides services essential for the safety of the ship, or
which could be rendered dangerous by the failure of its feed water supply, should be provided
with not less than two separate feed water systems from and including the feed pumps, noting
that a single penetration of the steam drum is acceptable. Unless the pump is designed to prevent
overpressure, means should be provided which will prevent overpressure in any part of the
systems.
Boilers should be provided with means to supervise and control the quality of the feed water.
Suitable arrangements should be provided to preclude, as far as practicable, the entry of oil or
other contaminants which may adversely affect the boiler.
Every boiler essential for the safety of the ship and designed to contain water at a specified level
should be provided with at least two means for indicating its water level, at least one of which
should be a direct reading gauge glass.
Air pressure systems. In every ship means should be provided to prevent overpressure in any
part of compressed air systems and wherever water jackets or casings of air compressors and
coolers might be subjected to dangerous overpressure due to leakage into them from air pressure
parts. Suitable pressure relief arrangements should be provided for all systems.
The main starting air arrangement for main propulsion internal combustion engines should be
adequately protected against the effects of backfiring and internal explosion in the starting air
pipes.
All discharge pipes from starting air compressors should lead directly to the starting air
receivers, and all starting air pipes from the air receivers to main or auxiliary engines should be
entirely separate from the compressor discharge pipe system.
Protection against noise. Measures should be taken to reduce machinery noise in machinery
spaces to acceptable levels. Where the noise cannot be sufficiently reduced, the source of
excessive noise should be suitably insulated or isolated or a refuge from noise should be
provided if the space is required to be manned. Where necessary, ear protectors should be
provided for personnel required to enter such spaces.
General electrical requirements. Electrical installations should be such that:
• all electrical services necessary for maintaining the ship in normal operational and
habitable conditions will be assured without recourse to the emergency source of
electrical power;
• electrical services essential for safety will be assured under emergency conditions; and
• the safety of personnel and ship from electrical hazards will be assured.
Electrical installations should be such that uniformity in the implementation and application of
the provisions of this part will be ensured.
All electrical apparatus should be so constructed and so installed as not to cause injury when
handled or touched in the normal manner.
When a distribution system, whether primary or secondary, for power, heating or lighting, with
no connection to earth is used, a device capable of continuously monitoring the insulation level
to earth and of giving an audible or visual indication of abnormally low insulation values should
be provided.
In every ship other than ships propelled by mechanical means, cables and wiring external to
equipment should be at least of a flame retardant type and should be so installed as not to impair
their original flame retarding properties. Where necessary for particular applications, the
Administration may permit the use of special types of cables such as radio frequency cables,
which do not comply with the foregoing.
Cables and wiring serving essential or emergency power, lighting, internal communications or
signals should so far as practicable be routed clear of galleys, laundries, machinery spaces of
category A and their casings and other high fire risk areas. Cables connecting fire pumps to the
emergency switchboard should be of fire resistant type where they pass through the high fire risk
areas. Where practicable all such cables should be run in such a manner as to preclude their
being rendered unserviceable by heating of the bulkhead that may be caused by a fire in an
adjacent space.
No electrical equipment should be installed in any space where flammable mixtures are liable to
collect including those on board tankers or barges carrying liquid cargoes of flammable nature in
bulk or in compartments assigned principally to accumulator batteries, in paint lockers, acetylene
stores or similar spaces, unless the recognized organization is satisfied that such equipment is:
• essential for operational purposes;
• of a type which will not ignite the mixture concerned;
• appropriate to the space concerned; and
• appropriately certified for safe usage in the dusts, vapors or gases likely to be
encountered.

7. Safety-based design for offshore vessels
7.1. Safety approach and formal safety assessment of offshore ships

Following the public inquiry into the Piper Alpha accident, the responsibilities for offshore
safety regulations were transferred from the Department of Energy to the Health and Safety
Commission (HSC) through the Health and Safety Executive (HSE) as the single regulatory
body for offshore safety. In response to the accepted findings of the Piper Alpha inquiry, the
HSE Offshore Safety Division launched a review of all offshore safety legislation and
implemented changes. The changes sought to replace legislation that was seen as prescriptive
with a more goal setting regime. The mainstay of the regulations is the Health and Safety at
Work Act. Under that act, a draft of the offshore installation (safety case) regulations was
produced. It was then modified, taking into account comments arising from public consultation.
The regulations came into force in two phases:
(a) at the end of May 1993 for new installations and
(b) in November 1993 for existing installations.
The regulations require operational safety cases to be prepared for all offshore installations. Both
fixed and mobile installations are included. Additionally, all new fixed installations require a
design safety case. For mobile installations, the duty holder is the owner.
The HSE framework for decisions on the tolerability of risk has three regions: (a) intolerable, (b)
as low as is reasonably practicable (ALARP), and (c) broadly acceptable. Offshore operators
must submit operational safety cases for all existing and new offshore installations to the HSE
Offshore Safety Division for acceptance. An installation cannot legally operate without an
accepted operational safety case. To be acceptable, a safety case must show that hazards with the
potential to produce a serious accident have been identified and that associated risks are below a
tolerability limit and have been reduced ALARP. For example, the occurrence likelihood of
events causing a loss of integrity of the safety refuge should be less than 10^-3 per platform year
and associated risks should be reduced to an ALARP level.
It should be noted that the application of numerical risk criteria may not always be appropriate
because of uncertainties in inputs. Accordingly, acceptance of a safety case is unlikely to be
based solely on a numerical assessment of risk.
Fires and explosions may be the most significant hazards with potential to cause disastrous
consequences in offshore installations. Prevention of fire and explosion and emergency response
regulations (PFEER) were developed in order to manage fire and explosion hazards and the
corresponding emergency responses that protect persons from their effects. A risk-based
approach is used to deal with problems involving fire and explosion and emergency response.
PFEER supports the general requirements by specifying goals for preventive and protective
measures to manage fire and explosive hazards, to secure effective emergency response, and to
ensure compliance with regulations by the duty holder. Management and administration
regulations (MAR) were introduced to cover areas such as notification to the HSE of changes of
owner or operator, functions, and powers of offshore installation managers. MAR is applied to
both fixed and mobile offshore installations (excluding sub-sea offshore installations).
The importance of safety of offshore pipelines has also been recognized. As a result, pipeline
safety regulations (PSR) were introduced to embody a single integrated, goal-setting, risk-based
approach to regulations covering both onshore and offshore pipelines.
After several years of experience, the safety case regulations were amended in 1996 to include
verification of safety-critical elements, and the offshore installations and wells (design,
construction, etc.) regulations (DCR) were introduced to deal with various stages of the life cycle
of the installation. From the earliest stages of the life cycle of the installation, the duty holder
must ensure that all safety-critical elements be assessed.
Safety-critical elements are parts of an installation and of its plant (including computer
programs) or any part whose failure could cause or contribute substantially to a major accident,
or the purpose of which is to prevent or limit the effect of a major accident. In DCR, (a) a verification scheme is
introduced to ensure that a record is made of the safety-critical elements; (b) comment on the
record by an independent and competent person is invited; (c) a verification scheme is drawn up
by or in consultation with such person; (d) a note is made of any reservation expressed by such
person; and (e) such scheme is put into effect. DCR allows offshore operators to have more
flexibility to tackle their own offshore safety problems. Offshore duty holders may use various
safety assessment approaches and safety-based decision making tools to study all safety-critical
elements of offshore installations and wells to optimize safety. This may encourage offshore
safety analysts to develop and employ novel safety assessment and decision-making approaches
and to make more efforts to deal with offshore safety problems.
Compliance with current offshore safety regulations is achieved by applying an integrated
risk-based approach, starting from feasibility studies and extending through the life cycle of the
installation. Design for safety is considered to be the most important. This is achieved through
stages of hazard identification (HAZID) for the life cycle of installation from concept design to
decommissioning and the use of state-of-the-art risk assessment methods. In a risk-based
approach, early considerations are given to those hazards that are not foreseeable to design out
by progressively providing adequate measures for prevention, detection, control, and mitigation
and further integration of emergency response.
Recently, the industrial guidelines on a framework for risk-related decision support were
produced. In general, the framework could be usefully applied to a wide range of situations. Its
aim is to support major decisions made during the design, operation, and abandonment of
offshore installations. In particular, it provides a sound basis for evaluating the various options
that need to be considered at the feasibility and concept selection stages of a project, especially
with respect to major accident hazards such as fire, explosion, impact, and loss of stability. It
can also be combined with other formal decision-making aids such as Multi-Attribute Utility
Analysis (MAUA), Analytical Hierarchy Process (AHP), or decision trees if a more detailed or
quantitative analysis
of the various decision alternatives is desired. It should be noted that there can be significant
uncertainties in the information and factors that are used in the decision-making process. These
may include uncertainties in estimates of the costs, time scales, risks, safety benefits, the
assessment of stakeholder views and perceptions, and so forth. There is a need to apply common
sense and ensure any uncertainties are recognized and addressed.
Current status of formal ship safety assessment. Due to serious concerns over the safety of
ships all over the world, the International Maritime Organization (IMO) continuously deals with
safety problems in the context of operation, management, survey, ship registration, and the role
of the administration. Improving safety at sea is highly stressed. The international safety-related
marine regulations are guided by lessons learned from serious marine accidents that have
happened. These lessons were first observed from the accidents. Then, the regulations and rules
were produced to prevent similar accidents from occurring. For example, the capsize of the
Herald of Free Enterprise in 1987 greatly affected the rule-developing activities of the IMO. The
accident certainly raised serious questions on operation requirements and the role of
management, which stimulated discussions in those areas at the IMO. This finally resulted in the
adoption of the International Management System (ISM) Code. The Exxon Valdez accident in
1989, which was a large-scale oil spill, seriously damaged the environment. It facilitated the
implementation of the international convention on Oil Pollution Preparedness, Response and
Cooperation (OPRC) in 1990.
Double hull or mid-deck structural requirements for new and existing oil tankers were
subsequently applied. The Scandinavian Star disaster in 1990 resulted in the loss of 158 lives.
Furthermore, the catastrophic disaster of the Estonia, which capsized in the Baltic Sea in
September 1994, caused more than 900 people to lose their lives. Those accidents highlighted
the role of human error in marine casualties, and as a result, the new Standards for Training,
Certificates and Watchkeeping (STCW) for seafarers were subsequently introduced.
After Lord Carver's report on the investigation of the capsize of the Herald of Free Enterprise
was published, the UK Maritime and Coastguard Agency [previously named Marine Safety
Agency (MSA)] quickly responded and in 1993 proposed to the IMO that formal safety
assessment should be applied to ships to ensure a strategic oversight of safety and pollution
prevention. The UK MCA also proposed that the IMO should explore the concept of formal
safety assessment and introduce formal safety assessment in relation to ship design and
operation. The IMO reacted favorably to the UK's formal safety assessment submission. Since
then, substantial work (including demonstrating its practicality by a trial application to
high-speed catamaran ferries and bulk carriers) has been done by the UK MCA. In general, for the last
several years, the application of formal safety assessment has significantly progressed. This is
demonstrated by the successful case studies of a high-speed craft and a bulk carrier and by the
IMO approval of the application of a formal safety assessment for supporting the rule-making
process.
Safety assessment in ship design and operation offers great potential incentives. Application of it
may:
1. Improve the performance of the current fleet and make it possible to measure the performance
change and ensure that new ships are good designs;
2. Ensure that experience from the field is used in the current fleet and that any lessons learned
are incorporated into new ships; and
3. Provide a mechanism for predicting and controlling the most likely scenarios that could result
in incidents.
Possible benefits have already been realized by many shipping companies. For example, P&O
Cruises in the UK reviewed the implementation of risk assurance methods as a strategic project
and proposed short/medium- and long-term objectives. Its short/medium-term objectives are (a)
to provide a reference point for all future risk assurance work, (b) to develop a structure chart
that completely describes vessel operation, (c) to complete a meaningful HAZID as the
foundation of the data set, (d) to enable identification of realistic options for vessel improvement,
(e) to be a justified record of modifications adopted or rejected, and (f) to be capable of
incorporating and recording field experience to ensure that the knowledge is not lost.
Its long-term objectives are (a) to provide a mechanism for understanding the effect of
modifications on total vessel performance, (b) to be capable of future development, (c) to
provide a basis for total valuation of identified improvements using cost benefit analysis (CBA),
(d) to generate a meaningful risk profile for vessel operation, and (e) to provide a monitor for
evaluation of modification effectiveness.
The idea of formal safety assessment may well be fitted to the above objectives in order to
improve the company's performance.
Offshore safety assessment. The format of safety case regulations was advocated by Lord
Robens in 1972 when he emphasized the need for self-regulation and pointed out the drawbacks
of a rule book approach to safety. The concept of the safety case was derived and developed
from the application of the principles of system engineering for dealing with the safety of
systems or installations for which little or no previous operational experience exists. The five key
elements of the safety case concepts are:
1. HAZID. This step is to identify all hazards with the potential to cause a major accident.
2. Risk estimation. Once the hazards have been identified, the next step is to determine the
associated risks. Hazards can generally be grouped into three risk regions known as the
intolerable, tolerable, and negligible risk regions.
3. Risk reduction. Following risk assessment, it is required to reduce the risks associated with
significant hazards that deserve attention.
4. Emergency preparedness. The goal of emergency preparedness is to be prepared to take the
most appropriate action in the event that a hazard becomes a reality so as to minimize its effects
and, if necessary, to transfer personnel from a location with a higher risk level to one with a
lower risk level.
5. Safety management system (SMS). The purpose of a safety management system is to ensure
that the organization is achieving the goals safely, efficiently, and without damaging the
environment. One of the most important factors of the safety case is an explanation of how the
operator's management system will be adapted to ensure that safety objectives are actually
achieved.
A safety case is a written submission prepared by the operator of an offshore installation. It is a
stand-alone document that can be evaluated on its own but has cross-references to other
supporting studies and calculations. The amount of detail contained in the document is a matter
of agreement between the operator and the regulating authority. In general, the following
elements of an offshore installation are common for many safety cases:
1. A comprehensive description of the installation.
2. Details of hazards arising from the operation of the installation.
3. Demonstrations that risks from these hazards have been properly addressed and reduced to an
ALARP level.
4. Description of the safety management system, including plans and procedures in place for
normal and emergency operations.
5. Appropriate supporting references.
The following activities characterize the development of a safety case:
1. Establish acceptance criteria for safety, including environment and asset loss, if possible.
These may be both risk based and deterministic.
2. Consider both internal and external hazards using formal and rigorous HAZID techniques.
3. Estimate the frequency or probability of occurrence of each hazard.
4. Analyze the consequences of occurrence of each hazard.
5. Estimate the risk and compare with criteria.
6. Demonstrate ALARP.
7. Identify remedial measures for design, modification, or procedure to avoid the hazard
altogether, reduce the frequency of occurrence, or mitigate the consequences.
8. Prepare the detailed description of the installation including information on protective systems
and measures in place to control and manage risk.
9. Prepare a description of the safety management system and ensure that the appropriate hazard
procedures are identified.
In offshore safety analysis, safety-based design/operation decisions are expected to be made at
the earliest stages in order to reduce unexpected costs and time delays. A risk reduction measure
that is cost effective at the early design stage may not be ALARP at the late stage. HSE
regulations aim to have risk reduction measures identified and in place as early as possible when
the cost of making any necessary changes is low. Traditionally, when making safety-based
design/operation decisions for offshore systems, the cost of a risk reduction measure is compared
with the benefit resulting from reduced risks. If the benefit is larger than the cost, then the
measure is cost effective; otherwise it is not. This kind of CBA based on simple comparisons has been widely
used in offshore safety analysis.
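The screening and comparison steps described above (activities 3 to 7 of the safety case development list and the simple cost-versus-benefit test), worked through in Python as an added example that is not part of the course text. The hazards, measures, monetary values, service life and the two region boundaries are constructed assumptions; only the 10^-3 per platform year refuge criterion is taken from the text, and treating risk reduction as mandatory in the intolerable region is this example's reading of it.

```python
from dataclasses import dataclass

# Assumed region boundaries on annual expected loss (monetary units per year).
TOLERABILITY_LIMIT = 1_000_000.0   # above this: intolerable (assumption)
BROADLY_ACCEPTABLE = 1_000.0       # below this: broadly acceptable (assumption)
# Frequency criterion quoted in the course text for loss of refuge integrity.
REFUGE_IMPAIRMENT_LIMIT = 1e-3     # per platform year


@dataclass(frozen=True)
class Hazard:
    name: str
    frequency: float    # occurrences per installation-year (activity 3)
    consequence: float  # loss per occurrence, monetary units (activity 4)

    @property
    def risk(self) -> float:
        """Annual expected loss (activity 5)."""
        return self.frequency * self.consequence


@dataclass(frozen=True)
class Measure:
    name: str
    frequency_factor: float    # < 1.0 lowers frequency (prevention)
    consequence_factor: float  # < 1.0 lowers consequence (mitigation)
    cost_design: float         # cost when built in at the design stage (> 0)
    cost_retrofit: float       # cost when fitted to an existing installation (> 0)

    def cost(self, stage: str) -> float:
        # KeyError on an unknown stage is deliberate.
        return {"design": self.cost_design, "retrofit": self.cost_retrofit}[stage]

    def apply(self, hazard: Hazard) -> Hazard:
        return Hazard(hazard.name,
                      hazard.frequency * self.frequency_factor,
                      hazard.consequence * self.consequence_factor)


def region(risk: float) -> str:
    """Place an annual risk figure in one of the three tolerability regions."""
    if risk > TOLERABILITY_LIMIT:
        return "intolerable"
    if risk < BROADLY_ACCEPTABLE:
        return "broadly acceptable"
    return "ALARP"


def refuge_criterion_met(frequency: float) -> bool:
    """Frequency check for events that impair the safety refuge."""
    return frequency < REFUGE_IMPAIRMENT_LIMIT


def benefit(hazard: Hazard, measure: Measure, years: float) -> float:
    """Risk removed by the measure over the remaining service life."""
    return (hazard.risk - measure.apply(hazard).risk) * years


def assess(hazard, measures, stage, years):
    """Return (adopted measure names, residual hazard, residual region).

    Measures are tried in order of benefit-to-cost ratio against the current
    residual risk. In the intolerable region a measure is adopted whatever it
    costs; in the ALARP region only if its benefit is larger than its cost.
    """
    adopted, current, remaining = [], hazard, list(measures)
    while remaining and region(current.risk) != "broadly acceptable":
        best = max(remaining,
                   key=lambda m: benefit(current, m, years) / m.cost(stage))
        mandatory = region(current.risk) == "intolerable"
        if not mandatory and benefit(current, best, years) <= best.cost(stage):
            break  # no remaining measure has a benefit larger than its cost
        remaining.remove(best)
        adopted.append(best.name)
        current = best.apply(current)
    return adopted, current, region(current.risk)


# Constructed sample register (all values invented for illustration).
SERVICE_LIFE_YEARS = 20
GAS_LEAK = Hazard("ignited process gas leak", 2e-3, 2e8)
STABILITY = Hazard("loss of stability", 1e-2, 5e8)
MINOR = Hazard("small utility leak", 1e-5, 1e7)
DETECTION = Measure("gas detection with automatic shutdown", 1.0, 0.5, 5e5, 6e6)
BLAST_WALL = Measure("blast wall", 1.0, 0.8, 3e6, 9e6)
BALLAST = Measure("redundant ballast control", 0.1, 1.0, 2e8, 4e8)

if __name__ == "__main__":
    for stage in ("design", "retrofit"):
        names, residual, reg = assess(GAS_LEAK, [DETECTION, BLAST_WALL],
                                      stage, SERVICE_LIFE_YEARS)
        print(f"{stage:9s} adopted={names} residual={residual.risk:.0f} ({reg})")
```

With these constructed figures the same detection measure passes the comparison at the design stage and fails it as a retrofit, which is the stage dependence the paragraph describes.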
Conventional safety assessment methods and CBA approaches can be used to prepare a safety
case. As the safety culture in the offshore industry changes, more flexible and convenient risk
assessment methods and decision-making approaches can be employed to facilitate the
preparation of a safety case. The framework for risk-related decision support can provide an
umbrella under which various risk assessment and decision-making tools are employed.
The guidelines in the framework set out what is generally regarded in the offshore industry as
good practice. These guidelines are a living document. Experience changes the working practices
(both the business and social environment), and new technology may cause them to be reviewed
and updated to ensure that they continue to represent good practice. It should be noted that the framework
produced is only applicable to risks falling within the ALARP region.
The life cycle approach manages the hazards that affect offshore installations (offshore safety
study has to deal with the boundaries of other industries such as marine operations and aviation).
In offshore safety study, it is best to obtain the optimum risk reduction solution for the total life
cycle of the operation or installation, irrespective of the regulatory boundaries. The basic idea is
to minimize/eliminate the source of hazard rather than place extremely high reliance on control
and mitigatory measures. To reduce risks to an ALARP level, the following hierarchical
structure of risk control measures (RCMs) should be followed:
• Elimination and minimization of hazards by inherently safer design
• Prevention
• Detection
• Control
• Mitigation of consequences
Decisions revolve around the need to make choices, either to do something or not to do
something, or to select one option from a range of options. These can either take the form of
rigid criteria that must be achieved or of goals or targets that should be aimed for but which may
not be met. The offshore oil and gas industry operates in an environment where safety and
environmental performances are key aspects of successful business. The harsh marine
environment and the remoteness of many of the installations also provide many technical,
logistic, and operational challenges. Decision-making can be particularly challenging during the
early stages of design and sanction of new installations where the level of uncertainty is usually
high. In many situations, there may be several options that satisfy the requirements.
It may also be difficult to choose a particular option that is obviously the best. If this is the case,
there is a need to consider what is or may be reasonably practicable from a variety of
perspectives and to identify and assess more than just the basic costs and benefits. The
decision-making process can be set up to:
• Define the issue,
• Examine the options,
• Make the decision, and
• Implement, communicate, and review the decision.
Making risk-based decisions can be very difficult because it can be difficult to:
• Ensure that the choices have been properly selected and defined;
• Find ways to set out criteria and objectives;
• Identify risk issues and perceptions;
• Assess the performance of options against aspects that may not be quantifiable or
that may involve judgments and perceptions that vary or are open to
interpretation;
• Establish the relative importance of often widely different types of objectives and
factors;
• Deal with uncertainties in estimates, data, and analyses;
• Deal with conflicting objectives and aspects of performance;
• Deal with differences in resolution of estimates, data, and analyses (these may
not provide a fair reflection of the actual differences between the options being
considered); and
• Deal with or avoid hidden assumptions or biases.
A narrow view in the decision-making process may result in decisions creating problems in other
areas at a later time. For example, in a life cycle view of the project or installation, decisions
made during design to decrease engineering and installation costs may lead to higher operating
costs, reducing the overall profitability of the venture.
Safety and risk factors in the decision-making process include risk transfer, risk quantification,
CBA, risk levels and gross disproportion, risk aversion, perception, risk communication,
stakeholders, and uncertainties. As decision-making moves from the prescriptive nature to the
descriptive nature, technology-based decision-making begins to include values. The hierarchical
structure of the decision context is as follows:
• Prescription
• Well-established solution
• Well-understood risks
• Very novel
• Significant trade-offs or uncertainties
• Strong views and perceptions
The factors that affect offshore safety-based decision-making include degree of novelty versus
well-understood situation or practice, degree of risk trade-offs and uncertainties, strength of
stakeholder views and risk perceptions, and degree of business and economic implications.
Decision calibration changes with design context. As the design context moves from prescription
to strong views and perceptions, means of calibration change from codes and standards to
external stakeholder consultation through verification, peer review, benchmarking, and internal
stakeholder consultation.
The framework proposed is also capable of reflecting the differences between the design of
safety approaches for fixed offshore installations operating in the continental shelf versus mobile
offshore installation operating in an international market. Fixed offshore installations in the
continental shelf are usually uniquely designed and specified for the particular duty and
environment, and their design basis can be set against very specific hazards and specific
processing and operation requirements. Many of the more complex design decisions therefore
often fall into the Type B context in the detailed framework. Mobile offshore installations have
to operate in very different environments and tackle a wide range of operational activities and
reservoir conditions. Specific codes and rules need to be applied. Therefore, many mobile
offshore installation design decisions fall into the Type B context. Where neither codes and rules
can be effectively applied nor traditional analysis can be carried out with confidence, such
installations may be categorized as Type C.

7.2. Innovative offshore vessels design

Over the past several years, innovative vessel concepts have been built by major operators. We
discuss the merits of these designs and under what conditions they provide advantages over
existing vessels.
Large deadweight PSVs. In many deepwater scenarios, mud supply is currently a bottleneck.
This is only expected to get worse with water depth. A mud change occurs at the request of the
drillers when they need a change in mud composition or density. An industry rule of thumb for a
typical deepwater mud change volume is around 950 cubic meters. As such, vessels have been
designed and built around this standard. PSVs in the current fleet built before 2005 have an
average deadweight of 1,000 tons, while PSVs built between 2005 and 2010 have an average
deadweight of 2,500 tons. Pushing the boundary of this trend toward increasing deadweight have
been vessels explicitly designed to serve more than one drilling platform. These vessels
incorporate mud capacities that are multiples of the standard 950 cubic meters mud change
volume. Vessels with extremely large mud capacities may become attractive for either supply
scenarios that include multiple deepwater drilling rigs or rigs in extremely deepwater where the
mud requirements to fill the riser are very high.
Faster and larger FSIVs. In 2008, Seacor Marine launched a twin-hulled catamaran
FSIV capable of speeds up to 40 knots. At such speeds, the intent of the vessel is to compete
with helicopters for crew transfer. Despite being significantly faster than other OSVs, this ship
and her sister ship have not succeeded in displacing helicopter crew transport. According to
industry interviews, most platform operators prefer to send crew out to platforms on helicopters,
and will likely not change their mind in the near future. The main advantage of an extremely fast
crew boat is reduced crew transport cost when compared to a helicopter, while the disadvantages
include paying crew for an extended crew-boat ride and long crew-boat ride recovery periods for
platform personnel. In addition, highly-trained technical crew are often required on short notice.
Even as a contingency vessel, a faster FSIV does not offer significant advantages over a
traditional PSV, let alone a standard CSV. As the contingencies a crew-boat can handle probably
do not occur more than once every couple of weeks, it is unlikely that faster FSIVs will provide any
significant advantage over traditional CSVs. The only possible niche for fast crew-boats is in the
delivery of extremely low-cost personnel to highly-manned and tightly-clustered production and
drilling platforms very far from shore. These conditions presently only exist in very few
deepwater fields, mainly off the coast of Brazil. Even these CSV opportunities are extremely
limited by vessel motions, which are severe at high speeds and can be very uncomfortable for
crew. As such, we expect only innovative hull shapes, such as Small Waterplane Area Twin Hull
Craft (SWATHs), that significantly reduce ship motions to offer feasible crew transport
solutions.
Redundancy. In the recent past, major oil companies have focused increasingly on reliability and
incident avoidance. In the wake of the BP Macondo spill, accident avoidance will be intensified.
Even before the Macondo spill, most newbuild OSVs were expected to be DP II for almost all
service types. In the future, almost all OSVs will be expected to not only be built, but also
operated, according to DP II standards, and some oil companies are already requesting DP III
vessels or DP II vessels that are easily upgradeable to DP III. The demand for redundancy is so
great that even crewboats are being outfitted with DP II systems.
Automation. Aside from specialized large vessels, OSVs are typically built to minimum
manning standards by staying below 6,000 GRT. As even standard PSVs are getting significantly
more complex, outfitted with DP systems, advanced liquid cargo handling systems, and often
Diesel Electric propulsion, while the number of crewmembers stays constant, automation is
playing an increasingly important role in vessel design. In fact, a large portion of the price
increase for a standard PSV can be attributed to the increase in vessel automation. Modern
vessels often have integrated fuel-tracking, onboard maintenance-tracking systems and DP
systems.
Safety. All major operators are committed to safety as a priority company mission. OSV designs
are adapting to reflect that commitment. The recent Rolls-Royce design in their UT-700 AHTS
class exemplifies safety-minded design. The vessel features small cargo deck cranes that move
on rails mounted on the port and starboard gunwales. These cranes eliminate a large portion of
manual handling on deck of ropes, wires, chains, shackles, and deck cargo and are part of a
larger system designed to minimize the amount of manual work on deck. The vessel also features
a 360 degree bridge view, made possible by a wet exhaust system that eliminates the need for a
smokestack. As vessel safety and an alert crew go hand in hand, a number of improvements in
crew comfort directly support the demands of oil companies in the area of safety.
Crew comfort. A side effect of increasing OSV complexity is the difficulty in hiring and training
crew. Modern OSV operators must be significantly more specialized and technical than their
counterparts 30 years ago, and the need for additional training is expected to continue to increase
with advances in automation. In addition, the increasing demands on crew require levels of
performance that are difficult to achieve in the relatively uncomfortable environment of the
traditional OSV. In order to attract good crew and keep their level of performance and safety
high, OSV operators are expecting vessel designs that are more comfortable and appealing to
mariners. Newbuilds are increasingly conforming to class society comfort notations, and
designers have made a number of conscious design decisions to increase habitability. Such
improvements include increased engine room insulation, more spacious cabins, and moving
accommodations higher to avoid bow thruster noise and vibrations. Comfort improvements not
only attract quality crew, but also reduce crew exhaustion and thereby increase vessel safety.
Environmental performance. Increased environmental performance on vessels has two main
components: reducing emissions from fuel consumption, and reducing emissions helps operating
costs when it means reduced fuel consumption, but hurts operating costs when it means burning
more expensive fuels. Operators and oil majors are already pushing for increased efficiency of
both propulsion system and hull forms, which will both aid environmental performances. Design
choices enhancing fuel efficiency and environmental performance will be made inasmuch as
they pay for themselves with reduced operating expenses or are required by regulations.
Emissions Control Areas are being set up in a number of areas that OSVs operate in. These will
precipitate the burning of more expensive fuels, and thereby provide even greater incentives for
increasing efficiency. As stringent emissions regulations are being put into place rapidly, we
expect significant moves toward more efficient hullforms, more efficient propulsion systems,
and changes in fuels.


8. Marine systems risk modeling
8.1. Planning, forecasting, decision making and safety management

Forecasting is the process of making statements about events whose actual outcomes (typically)
have not yet been observed. A commonplace example might be estimation of some variable of
interest at some specified future date. Prediction is a similar, but more general term. Both might
refer to formal statistical methods employing time series, cross-sectional or longitudinal data, or
alternatively to less formal judgemental methods. Usage can differ between areas of application:
for example, in hydrology, the terms "forecast" and "forecasting" are sometimes reserved for
estimates of values at certain specific future times, while the term "prediction" is used for more
general estimates, such as the number of times floods will occur over a long period.
Risk and uncertainty are central to forecasting and prediction; it is generally considered good
practice to indicate the degree of uncertainty attaching to forecasts. In any case, the data must be
up to date in order for the forecast to be as accurate as possible.
Formal strategic planning calls for an explicit written process for determining the firm's long-range objectives, the generation of alternative strategies for achieving these objectives, the
evaluation of these strategies, and a systematic procedure for monitoring results. Each of these
steps of the planning process should be accompanied by an explicit procedure for gaining
commitment. The need for commitment is relevant for all phases. The specification of objectives
should be done before the generation of strategies which, in turn, should be completed before the
evaluation. The monitoring step is last.
The various steps of the planning process are described below along with some formal
techniques that can be used to make each step explicit. This discussion is prescriptive; it suggests
how planning should be done. Numerous accounts are available of how formal strategic planning
is done.
• Specify Objectives: Formal planning should start with the identification of the ultimate
objectives of the organization. Frequently, companies confuse their objectives (what they
want and by when) with their strategies (how they will achieve the objectives). The
analysis and setting of objectives has long been regarded as a major step in formal
strategic planning. Informal planners seldom devote much energy to this step.
Unfortunately, the identification of objectives is a difficult step for organizations. It is
even difficult for individuals. The simplest way to demonstrate this is the following: The
difficulties in setting objectives have led some observers to recommend that formal
planners ignore this step. The recommendation here is just the opposite. Significant time
and money should be allocated to the analysis of objectives. This difficult step might be
aided by use of an outside consultant to help the group focus only upon the objectives.
• Generate Alternative Strategies: A strategy is a statement about the way in which the
objectives should be achieved. Strategies should be subordinate to objectives. That is,
they are relevant only to the extent that they help to meet the objectives. This advice is
obvious but often ignored. The generation of alternative strategies helps to avoid this
problem. It recognizes explicitly that the objectives may be achieved in many different
ways. Strategies should first be stated in general terms. The more promising strategies
should be explained in more detail.
• Evaluate Alternative Strategies: Once sufficient strategies have been proposed, the
evaluation of alternatives can begin. This requires a procedure by which each alternative
plan is judged for its ability to meet the objectives of the organization. Such a process is
not simple, because conflicting objectives usually exist among stakeholders.
Furthermore, the presence of uncertainty complicates the choice of a strategy. For
example, one should consider not only how well the strategy does for the most likely
situation, but also how well it does against other possible situations, especially those that
are dramatically different. The use of scenarios is also relevant to evaluation, particularly
when dealing with negative evidence from the environment. One danger in planning is
that the objectives may become confused with the strategies.
• Monitor Results: The value of feedback has been well established in laboratory studies,
especially when combined with the setting of objectives. Field studies have also
demonstrated the value of explicit feedback. It seems important, then, to provide
feedback to the organization on how well they are meeting their objectives. In other
words, specific procedures should be developed to monitor results. The monitoring
system should allow for corrective action. To do this, the following items should be
measured in a systematic way:
  o Changes in the environment (sometimes called environmental scanning)
  o Changes in the organization's capabilities (and in their competitors' capability)
  o Actions that were actually taken by the organization (did they implement the desired strategy?)
  o Actions by major competitors
  o Results
• Seek Commitment: Business plans and forecasts are frequently ignored; at other times
they are used to rationalize a course of action previously decided. Attention should be
given to commitment throughout each of the above steps in planning. Formal planning
calls for an explicit procedure for gaining commitment to the plan. A first condition is
that key stakeholders should be involved in the planning process. This would mean, at
least, that information should be obtained from these stakeholders. Publicly stated
objectives are a requirement if the objectives are expected to have an impact on behavior.
Each stakeholder group and each key decision maker should be aware of the objectives.
This can help to achieve consensus.
Qualitative forecasting techniques are subjective, based on the opinion and judgment of
consumers and experts; they are appropriate when past data are not available. They are usually
applied to intermediate- or long-range decisions. Examples of qualitative forecasting methods
are informed opinion and judgment, the Delphi method, market research, and historical
life-cycle analogy.
Quantitative forecasting models are used to forecast future data as a function of past data; they
are appropriate when past data are available. These methods are usually applied to short- or
intermediate-range decisions. Examples of quantitative forecasting methods are last period
demand, simple and weighted N-Period moving averages, simple exponential smoothing, and
multiplicative seasonal indexes.
Naïve approaches, time series methods, econometric forecasting techniques, regression analysis,
judgmental methods, artificial intelligence methods, simulation, probabilistic forecasting are all
methods well complying with the task of planning and forecasting. In the next lectures, some of
these techniques and their elements shall be discussed in more detail.


8.2. Expert methods for safety assessment

The Delphi method is a structured communication technique, originally developed as a
systematic, interactive forecasting method which relies on a panel of experts. The experts answer
questionnaires in two or more rounds. After each round, a facilitator provides an anonymous
summary of the experts' forecasts from the previous round as well as the reasons they provided
for their judgments. Thus, experts are encouraged to revise their earlier answers in light of the
replies of other members of their panel. It is believed that during this process the range of the
answers will decrease and the group will converge towards the "correct" answer. Finally, the
process is stopped after a pre-defined stop criterion (e.g. number of rounds, achievement of
consensus, stability of results) and the mean or median scores of the final rounds determine the
results.
Delphi is based on the principle that forecasts (or decisions) from a structured group of
individuals are more accurate than those from unstructured groups. Delphi has been widely used
for business forecasting.
The following key characteristics of the Delphi method help the participants to focus on the
issues at hand and separate Delphi from other methodologies:
• Anonymity of the participants: Usually all participants remain anonymous. Their identity
is not revealed, even after the completion of the final report. This prevents the authority,
personality, or reputation of some participants from dominating others in the process.
Arguably, it also frees participants (to some extent) from their personal biases, minimizes
the "bandwagon effect" or "halo effect", allows free expression of opinions, encourages
open critique, and facilitates admission of errors when revising earlier judgments.
• Structuring of information flow: The initial contributions from the experts are collected in
the form of answers to questionnaires and their comments to these answers. The panel
director controls the interactions among the participants by processing the information
and filtering out irrelevant content. This avoids the negative effects of face-to-face panel
discussions and solves the usual problems of group dynamics.
• Regular feedback: Participants comment on their own forecasts, the responses of others
and on the progress of the panel as a whole. At any moment they can revise their earlier
statements. In regular group meetings participants tend to stick to previously stated
opinions and often conform too much to the group leader; the Delphi method prevents this.
• Role of the facilitator: The person coordinating the Delphi method is usually known as
a facilitator or Leader, and facilitates the responses of their panel of experts, who are
selected for a reason, usually that they hold knowledge on an opinion or view. The
facilitator sends out questionnaires, surveys etc. and if the panel of experts accept, they
follow instructions and present their views. Responses are collected and analyzed, then
common and conflicting viewpoints are identified. If consensus is not reached, the
process continues through thesis and antithesis, to gradually work towards synthesis, and
building consensus.
The method is widely applied in a variety of areas.
First applications of the Delphi method were in the field of science and technology forecasting.
The objective of the method was to combine expert opinions on likelihood and expected
development time, of the particular technology, in a single indicator. One of the first such
reports, prepared in 1964 by Gordon and Helmer, assessed the direction of long-term trends in
science and technology development, covering such topics as scientific
breakthroughs, population control, automation, space progress, war prevention and weapon
systems. Other forecasts of technology were dealing with vehicle-highway systems, industrial
robots, intelligent internet, broadband connections, and technology in education.
Later the Delphi method was applied in other areas, especially those related to public policy
issues, such as economic trends, health and education. It was also applied successfully and with
high accuracy in business forecasting. Quantitative methods produced errors of 10-15%, and
traditional unstructured forecast methods had errors of about 20%.
The Delphi method has also been used as a tool to implement multi-stakeholder approaches for
participative policy-making in developing countries.
From the 1970s, the use of the Delphi technique in public policy-making introduces a number of
methodological innovations.
Further innovations come from the use of computer-based (and later web-based) Delphi
conferences.
A number of Delphi forecasts are conducted using web sites that allow the process to be
conducted in real-time. For instance, the TechCast Project uses a panel of 100 experts worldwide
to forecast breakthroughs in all fields of science and technology. Another example is the Horizon
Project, where educational futurists collaborate online using the Delphi method to come up with
the technological advancements to look out for in education for the next few years.
Traditionally the Delphi method has aimed at a consensus of the most probable future by
iteration. Other versions, such as the Policy Delphi, are instead decision support methods aiming
at structuring and discussing the diverse views of the preferred future. In Europe, more recent
web-based experiments have used the Delphi method as a communication technique for
interactive decision-making and e-democracy. The Argument Delphi focuses on ongoing
discussion and finding relevant arguments rather than focusing on the output. The
Disaggregative Policy Delphi, developed by Petri Tapio, uses cluster analysis as a systematic
tool to construct various scenarios of the future in the latest Delphi round. The respondent's views
on the probable and the preferable future are dealt with as separate cases.
Overall the track record of the Delphi method is mixed. There have been many cases when the
method produced poor results. Still, some authors attribute this to poor application of the method
and not to the weaknesses of the method itself. It must also be realized that in areas such as
science and technology forecasting, the degree of uncertainty is so great that exact and always
correct predictions are impossible, so a high degree of error is to be expected.
Another particular weakness of the Delphi method is that future developments are not always
predicted correctly by consensus of experts. Firstly, the issue of ignorance is important. If
panelists are misinformed about a topic, the use of Delphi may only add confidence to their
ignorance. Secondly, sometimes unconventional thinking of amateur outsiders may represent the
disrupting element the experts could not predict, as described in the black swan theory.
8.3. Nature of uncertainty and risk analysis

The main purpose of the theoretical methods and practical approaches to work with probabilities is to
elicit the conditional likelihood of the states that result from the chance points, as well as those
associated with the events in each lottery. The set of all these estimates forms the probability structure
of a problem, whereas the process of collecting these probabilities is called probability quantification
of uncertainty.
There are problems, where the probabilities of some states in the decision table or some chance
points in the decision tree may be directly elicited subjectively by the DM (or by an expert to whom
this task has been assigned by the DM) using all the available information. Of course, if information
from a repeated identical experiment is available, then it is possible to find the frequencies of these
states.
On the other hand, the probabilities of most events are usually very difficult to elicit directly. The
subjective approach suggests that the beliefs of the OS in the occurrence of events may be quantified
with the help of formalized techniques. However, this does not imply that estimates are always
adequate to life. That is why complex events are usually decomposed to several simple ones
according to a given model. This model assigns the connections between the easily elicited input
quantities/events and the output quantities/events that are difficult to analyze. The idea is to
decompose a complex task into several simple ones and acquire consistent probability estimates at
the expense of longer and more detailed analysis.
The assessment of the probabilities is strongly dependent on the model that binds the easily analyzed
input quantities and the output quantities that are important in the problem. There are two types of
models:
a) analytical models, where the output probabilities may be calculated by the given characteristics of
the input quantities;
b) simulation models, where the probability estimate of the output quantities does not follow from
deterministic calculation procedures over the probability characteristics of the input quantities.
The complexity of the analytical models varies in a wide range. The simplest models directly apply
the dependencies between the probability characteristics of random variables. In most cases, the
model just uses the Bayes formula and/or the total probability formula. The input information
consists of the prior probabilities of the hypotheses and the conditional likelihoods of a given event,
whereas the output information consists of the posterior probabilities of the hypotheses given an
event.
Regardless of their complexity and volume, the statistical pattern recognition (SPR) systems are also
analytical models. Almost as a rule, they apply the Bayes theorem in order to classify a given object
to each of the states of the world. SPR systems may process huge amounts of measurement data, but
a learning process should be executed before they are able to classify that data. During the learning
process, estimates of the conditional likelihoods are identified on the basis of subjective assumptions
regarding their form, e.g. an assumption for multi-dimensional normality of the observation vector
from a given class, or an assumption for independence of the coordinates of the observation vector.
In the parametric SPR methods, the conditional likelihoods are calculated with the help of the mixed
frequentist-subjective approach to probabilities. Unfortunately, the complex but useful (for the
quantification of uncertainty) SPR systems are often improperly and technocratically treated as
decision support systems.
The simulation models build upon the concept of risk analysis. They find the connection between the
input random variables and the analyzed output variable. For example, the NPV of profit of an
investment depends on many input variables, such as amount of investment, period of investment,
market share, demand of the product, costs, inflation, taxes, etc. The distribution law of each of these
variables should be constructed using either frequentist, or subjective or mixed techniques. Then the
following steps are repeated multiple times in a computer simulation:
a) generate a set of values of all input variables from their distributions;
b) calculate the output variables using the generated set of input data following the established
connection between the input and output variable.
The collected values of the output variable then serve to construct a frequentist distribution. In this
sense, risk analysis is a powerful technique for quantification of uncertainty in an arbitrary chance
point.
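The two simulation steps above, applied to the NPV case the text mentions, as an added example that is not part of the original course notes. The input distributions, their parameters and all function names are constructed assumptions chosen only for illustration.

```python
import random
import statistics


def npv(investment, yearly_cash_flow, rate, years):
    """Net present value of a constant yearly cash flow after an initial outlay."""
    discounted = sum(yearly_cash_flow / (1.0 + rate) ** t for t in range(1, years + 1))
    return discounted - investment


def draw_inputs(rng):
    """Step a): draw one value of every input variable from its distribution.

    All distributions and parameters below are constructed for illustration;
    in practice each is built by frequentist, subjective or mixed techniques.
    """
    return {
        "investment": rng.triangular(800.0, 1200.0, 1000.0),  # low, high, mode
        "demand": max(0.0, rng.gauss(100.0, 20.0)),           # units sold per year
        "margin": rng.uniform(2.0, 4.0),                      # profit per unit
        "rate": rng.triangular(0.05, 0.15, 0.08),             # discount rate
    }


def simulate_npv(n_runs, years=5, seed=0):
    """Repeat steps a) and b) n_runs times and collect the output variable."""
    rng = random.Random(seed)  # fixed seed makes the run reproducible
    outputs = []
    for _ in range(n_runs):
        x = draw_inputs(rng)
        # Step b): the established connection between inputs and output.
        outputs.append(npv(x["investment"], x["demand"] * x["margin"], x["rate"], years))
    return outputs


def empirical_cdf(samples, x):
    """Frequentist estimate of P(output <= x) from the collected values."""
    return sum(1 for s in samples if s <= x) / len(samples)


def summarize(samples):
    """Describe the frequentist distribution built from the simulation output."""
    ordered = sorted(samples)
    n = len(ordered)

    def quantile(q):
        return ordered[round(q * (n - 1))]

    return {
        "mean": statistics.fmean(ordered),
        "p05": quantile(0.05),
        "p50": quantile(0.50),
        "p95": quantile(0.95),
        "p_loss": empirical_cdf(ordered, 0.0),  # probability that NPV is not positive
    }


if __name__ == "__main__":
    for name, value in summarize(simulate_npv(20000, seed=1)).items():
        print(f"{name:>7}: {value:10.3f}")
```

The summary gives the decision maker a whole distribution for the chance point (quantiles and the probability of a loss) rather than a single point estimate of NPV.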
The Hertz-Thomas simulation-based risk analysis applies to classical probability distributions
and also generates such, which is why it may be referred to as classical risk analysis. In most
practical problems the FRDM only partially quantifies the uncertainty in terms of ribbon
distributions. This calls for a modification in the simulation procedures of the risk analysis in
order to take this fact into account.
8.4. Decision theory

Choosing between alternatives under risk and uncertainty is a matter of professional and personal
importance. There are decision problems that strongly affect the decision maker, and which are
very complicated mainly due to the large amount of information that has to be processed. These
situations ask for systematic techniques for rational choice that analyze the available information
step by step, take into account the objectives of the individual in the problem and at the same
time are easy to use and do not require complicated and highly specialized theoretical knowledge
from the decision maker. Decision theory (DT) has established itself as a well-developed and easily
applicable quantitative analysis approach to support choices between uncertain alternatives.
It is based on utility theory and is part of the scientific discipline of operations research, which
evolved after World War II. Its key feature is the ability to define an adequate decision criterion
that accounts for the subjective preference, risk attitude and expectations. The decisions reflect
the opinion of the one that makes them, which is why they are considered only correct for her.
Modern DT applies successfully in situations that obey all of the following four conditions:
1. A problem must exist.
2. The problem must be important for the decision maker.
3. There should be resources available to apply DT.
4. The problem must be difficult, i.e.:
a) the problem requires analyzing a great amount of information;
b) the analysis is performed according to a set of criteria;
c) there is uncertainty in the problem;
d) the decision must be made by a group of people.
There exist other approaches to individual decision making, such as interactive multi-objective
programming, analytical hierarchy process (AHP), Markov decision processes, Markov flows
over graphs, Pareto analysis, multi-criteria decision making (MCDM), fuzzy logic, etc. The
essence of those techniques shall be explained during the lecture, and a comparison with the
particular decision techniques shall be provided.
Several facts to support the usage of DT shall be outlined:
1. If one is aware of the procedures to make correct decisions, then it is possible to comment,
analyze and eventually criticize the decisions of other people.
2. DT may help improve the quality of decisions.
3. DT prevents regretting a decision.
4. DT allows and requires the DM to use 100% of the available information.
5. Documenting decisions in a modern constitutional state according to the paradigms of DT is a
way to avoid further accusations to the people authorized to make choices.
6. If DT becomes an obligatory legal standard in public decision making, then it can substantially
decrease (to bearable levels) the devastating effect corruption has over national and international
economies and over the society.
DT has had applications in various areas, e.g. industry, transport, marketing, strategic
management, public healthcare, etc. This proves its vast capabilities as a decision support tool.
Quantitative decision analysis is yet to widen its potentials in areas like law, medicine and
engineering.
There are empirical proofs regarding inconsistencies between normative behavioral decision
rules and actual preferences declared in the subjective measurement process that are the basis of
the analysis. This fact is a major obstacle before the wider application of DT. For that reason,
research nowadays focuses on the actual aspects of the subjective measurement process and the
resulting subjective information that is employed in robust normative decision techniques. The
expected utility rule is central to DT. It is sometimes criticized due to its empirical fallacies,
dependence on heuristics during the elicitation, differences in results due to the elicitation
method, lack of compliance with the axiomatic rules of rationality, etc. Furthermore, empirical
results prove that expected utility tells how the DM must make her choice and perceive utilities,
and not how she actually does that. The efforts to enhance the descriptive aspects of the analysis
and to avoid the paradoxes of expected utility resulted in the elaboration of generalizations of
expected utility, such as prospect theory, cumulative prospect theory, hazard effect models,
theory of real rationality and nomic probabilities, regret theory, rank dependent utilities,
disappointment aversion theory.
A major part of the following discussion shall focus on a new generalization of utility theory,
called fuzzy rationality, which combines a group of techniques, applicable in different stages of
decision analysis: modeling problems, measuring preferences, measuring uncertainty, analysis
of risk attitude. What unites these techniques is the tendency to measure the true opinion of the
individual instead of trying to idealize her abilities. At a later stage, the collected data is
adequately and consistently analyzed so as to identify the best alternative for a specific real
DM.
8.5. Modeling decision problems

In real-life problems, DMs face the necessity to choose between several courses of action, which
in turn leads to another choice in time, and so on. The possible consequences of the choice form
a set X, and the DM receives one of them regardless of her wish. What the DM may and should do is
choose exactly one alternative out of a set of possible alternatives L. The consequences of
choosing an alternative from L depend on random events, called states, which are also out of the
control of the DM. As a rule, a single event occurs and it defines the consequence. Consequences
are thus a result of the DM's choice and, at the same time, are defined by the combination
of random factors that model a given state. The structure of consequences should be defined so
as to describe all aspects of the problem that are of importance for the DM. It should also show
the extent to which the result of the decision meets all significant objectives of the DM,
described by measurable parameters. That is why a typical form of the consequences is a
multidimensional vector, whose coordinates (components) are equal to the values of these parameters.
There are specific objectives that must be taken into account in each situation. There are
philosophical trends which assume that everything is connected to everything. That is why
choosing an alternative affects the world and the future. Most of these effects are practically
negligible. On the other hand, the more effects are analyzed, the more difficult is the choice that
balances these effects in the best possible way. For practical purposes one has to outline the part
of the world over which the influence of the choice shall be analyzed. This part of the world
combines objectives, alternatives and consequences and is called the decision context. The wider the
context, the more alternatives are defined and the more global the objectives, all of which makes the
choice much harder. Three aspects are crucial in choosing the correct decision context.
The first one is the third type error (solving the wrong problem).

The second aspect that influences the correct choice of the decision context is problem
ownership. It is required to define the decision context so as to correspond to the authority of the
DM.
The third aspect that matters in choosing the right context is problem solvability, i.e. whether it is
possible to adequately take into account all factors that the choice of an alternative influences
within the chosen context using the available resources (of time, money, knowledge, abilities,
etc.). Striving for a wider decision context leads to the use of more resources to solve the problem.
One must balance her intention to analyze more influences against the desire for a low price of the
decision. Obviously, as the importance of the decision increases so does the maximum allowed
price of the decision and the possibility to have a wider decision context.
In conclusion, the correct description of consequences is a prerequisite for an adequate solution
of the problem. However, consequences are a function of the decision context since it defines the
objective against which one judges the quality of the final choice. Decision context should
be chosen so as to include all objectives that obey the following conditions: objectives should be
influenced by the decision; objectives should correspond to the authority of the DM; one should
be able, within the available resources, to analyze the dependence between attaining objectives
and making the choice. After objectives have been defined, one must choose one or several
parameters (indicators) for each, so as to measure numerically the degree of attainment of the
former. The aggregation of those parameters forms the consequence.
If the model is comparatively simple, it is possible to use decision tables. This model is
represented as a table, where each column corresponds to a state of nature, whereas each row
corresponds to a possible action (alternative). The interaction between columns and rows
generates the consequences in the decision problem, which are listed in the middle of the table.
The most typical decision scheme, where a choice leads to another, which in turn leads to a third,
etc., is called a multi-stage problem. Multi-stage problems, where L and X are countable sets, are
accommodated in a decision tree. Decision trees have a specific topology that indicates how to
depict the tree, and how to denote different stages in the development of the problem in time. A
decision tree is usually depicted flatwise, with its root on the left and crown on the right, and
time passes from left to right. Each branch of the tree corresponds to a state or an action.
Two elements connect the branches. The first is the decision point or node. As the name implies,
this is where the DM must choose between a set of actions. A single branch enters the decision
point, and each branch stemming from this point corresponds to a possible action (alternative) the DM
may choose at that moment. Decision points are represented by squares. The root of the tree is
always a decision point, but with no branches at the input. The other element of the tree is the
chance point or node, which again has a single branch at the input. The chance point is
represented by a circle, at which a branch subdivides into several branches corresponding to
possible states of nature affecting the problem at that stage. Decision and chance points are
connected by branches that correspond to either actions or states. Each branch that does not enter
a decision/chance point is part of the tree crown and at the end of it is a consequence.
There is only one path from the root to a particular branch in the crown (and its corresponding
consequence). This path depends on the choices the DM makes in the decision nodes and the
choices that an outside force (which is not related to the DM) makes. For reasons of clarity, the crown is
aligned and the consequences are depicted column-wise. The decision tree describes well the
order of actions the DM must undertake and the order of possible states of nature that may occur
within the problem. Decision trees shall be applied to model three examples of multi-stage
problems.

When modeling multi-stage problems via decision trees, policies are of prime importance. A
policy is a contingency plan of actions from the root to the crown of the tree. It defines which
branch to take out of each decision node that belongs to the particular policy.
The major advantages of decision trees are:
a) the model is easy to understand and shows how the problem develops over time;
b) the model is quite compact in most problems;
c) the model describes asymmetric problems, where possible results from a decision point
depend on the decisions in the previous ones, and the states depend on the alternative analyzed.
The major advantages of decision tables are:
a) they are rather compact, especially if the number of alternatives and the number of
consequences are not too high;
b) the decision table has a general form, and each particular situation is then a special case of that
general form;
c) mathematical calculations are easily performed in a decision table, where the information is
well structured.
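
The tree topology and the notion of a policy described above can be evaluated with the expected utility rule mentioned at the start of this chapter. The following Python sketch is an added example, not part of the original course text: the two-stage survey problem, its state probabilities and its costs are constructed, and utility is assumed to be minus the total cost (a risk-neutral DM).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass
class Consequence:
    """Leaf in the crown of the tree; utility here is minus the total cost."""
    label: str
    utility: float


@dataclass
class Chance:
    """Chance node (circle): one branch per state of nature, with its probability."""
    name: str
    branches: List[Tuple[str, float, "Node"]]


@dataclass
class Decision:
    """Decision node (square): one branch per action available to the DM."""
    name: str
    branches: List[Tuple[str, "Node"]]


Node = Union[Consequence, Chance, Decision]


def rollback(node: Node) -> Tuple[float, Dict[str, str]]:
    """Fold the tree from crown to root.

    Returns the expected utility of `node` and the policy that attains it:
    the action chosen at every decision node reachable under that policy.
    """
    if isinstance(node, Consequence):
        return node.utility, {}
    if isinstance(node, Chance):
        if abs(sum(p for _, p, _ in node.branches) - 1.0) > 1e-9:
            raise ValueError(f"state probabilities at '{node.name}' must sum to 1")
        value, policy = 0.0, {}
        for _state, p, child in node.branches:
            child_value, child_policy = rollback(child)
            value += p * child_value
            policy.update(child_policy)  # any state may occur: keep every sub-plan
        return value, policy
    if not node.branches:
        raise ValueError(f"decision node '{node.name}' has no actions")
    best = None
    for action, child in node.branches:
        child_value, child_policy = rollback(child)
        if best is None or child_value > best[0]:
            best = (child_value, action, child_policy)
    value, action, child_policy = best
    return value, {node.name: action, **child_policy}


def build_example_tree() -> Decision:
    """Constructed problem: survey an item or not, then repair it or keep running."""
    survey, repair, failure = 10.0, 50.0, 1000.0  # costs in arbitrary units

    def operate(name: str, paid: float, p_fail: float) -> Chance:
        return Chance(name, [
            ("failure", p_fail, Consequence("failure", -(paid + failure))),
            ("no failure", 1.0 - p_fail, Consequence("no failure", -paid)),
        ])

    def after_survey(name: str, p_fail: float) -> Decision:
        return Decision(name, [
            ("repair", Consequence("repaired", -(survey + repair))),
            ("continue", operate(f"Operate after: {name}", survey, p_fail)),
        ])

    return Decision("Survey now?", [
        ("inspect", Chance("Survey result", [
            ("damage found", 0.3, after_survey("Damage found", 0.40)),
            ("no damage found", 0.7, after_survey("No damage found", 0.02)),
        ])),
        ("skip", operate("Operate without survey", 0.0, 0.134)),
    ])


if __name__ == "__main__":
    value, policy = rollback(build_example_tree())
    print(f"expected utility of the best policy: {value:.1f}")
    for decision_node, action in policy.items():
        print(f"  at '{decision_node}' choose '{action}'")
```

The returned policy lists only the decision nodes that can be reached when it is followed, which is why the asymmetric "skip" branch contributes nothing to it.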

9. Risk based survey
Risk Based Surveys are an alternative to prescriptive surveys of fixed intervals and scope. Such
surveys recognize that some equipment items pose a much greater risk to an offshore installation
than others. Risk assessment aids in identification of those high-risk items, and allows for higher
priority and more in-depth surveys to be conducted on these.
Qualitative Screening. Some equipment may require little survey activity at all due to low risk.
This may include nonhazardous materials, or non-corrosive service. Equipment ranked "Low
Risk" may be included in this category.
Qualitative screening methods typically use a risk assessment method similar to the Failure
Modes and Effects Analysis (FMEA). An additional step is taken to rank the risk criticality of
the failure modes via a risk categorization/risk matrix. Failure modes that have low likelihood or
low consequences should they occur may be eliminated from more rigorous evaluation, and
inspections will be performed on an as-needed basis, or may default to the minimum
permissible under applicable codes and standards.
9.1. A quantitative model for equipment with measurable damage rate

Based on the environmental exposure (inside and out), the material of construction, the
heat-treated condition, the operating parameters and other factors, equipment may be subject to one or
more types of damage. Corrosion, erosion, pitting, crevice or under-deposit attack, stress
corrosion cracking, and fatigue are examples of typical types of damage that are measurable.
Predictive maintenance such as gauging, pit depth measurement and visual examination is used
to monitor the extent and progression of damage.
Past experience, previous survey data, and models for corrosion and other mechanisms are useful
for determining the potential existence of a damage mechanism, and an approximation of the rate
of damage. A most important consideration is that the rate is rarely known with certainty due to
variations in the rate (which may average out over time), and especially due to insufficient or
inaccurate data. Even if gaugings have been performed, the corrosion in localized areas that were
not gauged may greatly exceed the measured rate. Therefore, damage rates determined by
gauging should be compared to damage rates from models or other sources of information. Once
the validity of available data is evaluated, a final estimate should be made of the potential for
variation of damage rates from the measured or expected rate.
As new information is gathered from surveys, the estimate of the variation in the damage rate
can be updated and refined.
An analytical tool known as Bayes' Theorem is commonly used to evaluate problems such as
this.
The state or condition of a thing is unknown, and there are tests that can be conducted to learn
more about it. However, the test results themselves are uncertain. Having performed the test,
Bayes' Theorem allows one to determine logically how much was actually learned from the test.
In Bayes' Theorem, the knowledge of the thing before the test is called the Prior Probability,
the accuracy of the test is called the Conditional Probability, and the final result after the test is
called the Posterior Probability. These are illustrated in the flow diagram below.

Figure 9.1. Hazard identification
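
The prior / conditional / posterior chain described above can be worked through numerically. The following Python sketch is an added example, not part of the original course text: the three damage-rate states, the prior and both conditional probability tables are constructed values chosen for illustration.

```python
from typing import Dict, Iterable, Tuple

# Hypothetical discretization of the unknown state: the true damage rate is
# the measured rate, twice it, or four times it.
STATES = ("as_measured", "2x_measured", "4x_measured")
MULTIPLIER = {"as_measured": 1.0, "2x_measured": 2.0, "4x_measured": 4.0}

Belief = Dict[str, float]
Table = Dict[str, Dict[str, float]]

# Prior Probability: confidence in the rate before the survey (constructed).
PRIOR: Belief = {"as_measured": 0.5, "2x_measured": 0.3, "4x_measured": 0.2}

# Conditional Probability: P(survey result | true state), one row per true
# state (constructed values for a reasonably effective gauging survey).
GAUGING: Table = {
    "as_measured": {"as_measured": 0.70, "2x_measured": 0.20, "4x_measured": 0.10},
    "2x_measured": {"as_measured": 0.20, "2x_measured": 0.60, "4x_measured": 0.20},
    "4x_measured": {"as_measured": 0.10, "2x_measured": 0.20, "4x_measured": 0.70},
}

# A survey whose result does not depend on the true state at all.
UNINFORMATIVE: Table = {s: {r: 1.0 / 3.0 for r in STATES} for s in STATES}


def _check_distribution(dist: Dict[str, float], what: str) -> None:
    if any(p < 0.0 for p in dist.values()) or abs(sum(dist.values()) - 1.0) > 1e-9:
        raise ValueError(f"{what} is not a probability distribution")


def bayes_update(prior: Belief, conditional: Table, result: str) -> Belief:
    """Posterior Probability: P(state | result) = P(result | state) P(state) / P(result)."""
    _check_distribution(prior, "prior")
    for state in prior:
        _check_distribution(conditional[state], f"conditional row '{state}'")
    joint = {state: prior[state] * conditional[state][result] for state in prior}
    evidence = sum(joint.values())  # P(result), summed over all states
    if evidence == 0.0:
        raise ValueError("the observed result is impossible under the prior")
    return {state: j / evidence for state, j in joint.items()}


def update_over_surveys(prior: Belief, surveys: Iterable[Tuple[Table, str]]) -> Belief:
    """Apply successive surveys; each posterior becomes the next prior."""
    belief = dict(prior)
    for conditional, result in surveys:
        belief = bayes_update(belief, conditional, result)
    return belief


def expected_rate(measured_rate: float, belief: Belief) -> float:
    """Damage rate averaged over the current belief about the true state."""
    return measured_rate * sum(belief[s] * MULTIPLIER[s] for s in belief)


if __name__ == "__main__":
    measured = 0.2  # mm/year, constructed
    for label, table, result in [
        ("gauging confirms the measured rate", GAUGING, "as_measured"),
        ("gauging indicates 4x the measured rate", GAUGING, "4x_measured"),
        ("uninformative survey", UNINFORMATIVE, "as_measured"),
    ]:
        post = bayes_update(PRIOR, table, result)
        shown = {s: round(p, 3) for s, p in post.items()}
        print(f"{label}: {shown}, expected rate {expected_rate(measured, post):.3f} mm/year")
```

The uninformative survey returns the prior unchanged, which is the numerical form of the statement that Bayes' Theorem shows how much was actually learned from the test.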

Structural reliability. In a previous chapter, it was determined how rapidly an equipment item
might be deteriorating, based both on the expected rate of damage, and based on the
consideration that the damage rate might be worse. In the next step, the actual amount of damage
is determined (from rate and age), and this is compared to the amount of damage the equipment
is designed to withstand. This comparison is related to the likelihood of failure, and analytical
methods are available to quantify this value.
The methods used vary from complicated to quite simple; however, there is generally a trade-off
in accuracy and credibility as one goes from the complex to the simple. One possibility is to use
simplified models that are calibrated to the "generic", or "average", or "typical" failure rate for
the equipment being studied.

Figure 9.2. Likelihood determination

Note that the above evaluation can provide an estimate of the likelihood of failure; however, it
may not assure that the equipment is in compliance with all applicable laws and regulations. For
example, the ASME pressure vessel code is not based on risk, except in an indirect way. Thus
the likelihood of failure of a vessel that is just above the minimum allowable wall thickness
(MAWT) is not very much different from one that is just below the MAWT, but the latter case
has an additional consequence of possible fines or citations.
Consequence of failure. Determination of the consequence of failure on an offshore installation
requires special considerations compared to onshore facilities, due to the proximity of equipment
and relative lack of escape routes.
Some of the methods typically employed are: a release/dispersion model (usually a software
package, highly analytical), a Failure Modes, Effects, and Criticality Analysis (FMECA, a more
subjective approach), or the use of event trees to allow consideration of multiple potential
outcomes.
A major consideration is to determine what units consequence will be measured in. Some typical
measures (all per event) are:
• Area (affected by fire/explosion)
• Area (affected by toxic fumes)
• Environmental damage (barrels of oil spilled)
• Safety (deaths, injuries)
• Costs (can include most consequences on a common basis)

Figure 9.3. Consequence determination

Risk evaluation and risk management. Completion of the analysis and building of the Risk
Based Survey Plan is accomplished in the final step. The likelihood of failure and the
consequence of failure are simply multiplied to determine the risk. Typically, on completion of
the first Risk Based Survey analysis, the equipment is ranked in order of decreasing risks and
examined on this basis. This allows performance of a baseline and acts as a check on all data and
assumptions made during the analysis.
The next step (or this is sometimes done as the first step) is to increment the age of the
equipment by a certain number of years, and/or increment the inspection count by one. This
allows what-if planning for determining optimal times and locations for surveys.

Figure 9.4.
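
The final step described above (multiply likelihood by consequence, rank the equipment, then increment age or inspection count for what-if planning) is shown below as an added Python example that is not part of the original course text. The three equipment items and every number are constructed, and the damage-factor and rate-uncertainty formulas are hypothetical simplifications standing in for a calibrated model.

```python
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class Equipment:
    name: str
    rate_mm_per_year: float           # measured or expected damage rate
    age_years: float
    allowance_mm: float               # damage the item is designed to withstand
    surveys: int                      # number of surveys performed so far
    generic_failures_per_year: float  # generic failure rate for this equipment type
    consequence_cost: float           # consequence per event, in cost units


def rate_uncertainty(surveys: int) -> float:
    """Hypothetical allowance for the rate being worse than measured.

    With no surveys the rate is assumed to be up to twice the expected one;
    each additional survey narrows that margin.
    """
    return 1.0 + 1.0 / (1 + surveys)


def damage_fraction(item: Equipment) -> float:
    """Damage from rate and age, as a fraction of what the item can withstand."""
    damage = item.rate_mm_per_year * rate_uncertainty(item.surveys) * item.age_years
    return min(1.0, damage / item.allowance_mm)


def likelihood(item: Equipment) -> float:
    """Generic failure rate scaled by a hypothetical damage factor.

    The factor is 1 until half the allowance is consumed and rises to 100
    when the allowance is fully consumed.
    """
    damage_factor = 10.0 ** (4.0 * max(0.0, damage_fraction(item) - 0.5))
    return min(1.0, item.generic_failures_per_year * damage_factor)


def risk(item: Equipment) -> float:
    """Risk = likelihood of failure x consequence of failure."""
    return likelihood(item) * item.consequence_cost


def rank(items: List[Equipment]) -> List[Equipment]:
    """Equipment in order of decreasing risk."""
    return sorted(items, key=risk, reverse=True)


def what_if(item: Equipment, add_years: float = 0.0, add_surveys: int = 0) -> Equipment:
    """Copy of the item with its age and/or survey count incremented."""
    return replace(item, age_years=item.age_years + add_years,
                   surveys=item.surveys + add_surveys)


# Constructed sample data.
SEPARATOR = Equipment("separator", 0.30, 10, 6.0, 1, 1e-4, 5_000_000)
FLOWLINE = Equipment("flowline", 0.25, 8, 4.0, 0, 1e-3, 300_000)
TANK = Equipment("storage tank", 0.10, 15, 6.0, 2, 1e-4, 2_000_000)
FLEET = [SEPARATOR, FLOWLINE, TANK]


if __name__ == "__main__":
    print("baseline ranking:")
    for item in rank(FLEET):
        print(f"  {item.name:13s} risk {risk(item):10.0f} per year")
    print("ranking 10 years on, with no further surveys:")
    for item in rank([what_if(i, add_years=10) for i in FLEET]):
        print(f"  {item.name:13s} risk {risk(item):10.0f} per year")
    surveyed = what_if(FLOWLINE, add_surveys=1)
    print(f"flowline after one more survey: risk {risk(surveyed):.0f} per year")
```

In this constructed data the flowline leads the baseline ranking only because it has never been surveyed, while the separator overtakes it once ten more years of damage are added.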

Risk assessment is a well-developed field which many operators are currently applying to
improve their operations and reduce their risk exposure. In the offshore oil and gas industry,
some progressive regulators have encouraged the application of risk assessment techniques by
enacting performance-based safety regulations which require operators to demonstrate reduced
risk levels. In many areas of the offshore and marine industries there is a dichotomy: operators
must still comply with prescriptive "old-style" regulations while being encouraged on other
fronts to develop a risk-based approach to safety.
This chapter has attempted to paint a picture of the current state of risk assessment application in
these industries and to provide some basic information to guide those who would like to apply
risk assessment techniques. There are many challenging issues that organizations must address as
they begin to incorporate risk assessment into their businesses:
• What are my risk acceptance criteria?
• What types of internal guidelines are needed to assure consistency in the approach and
quality of risk assessments we conduct?
• When should we perform risk assessments?
• Where will the resources to conduct assessments come from?
No formal risk assessment should be approached casually. There are any number of pitfalls and
issues which can and will be encountered by the uninitiated. Therefore, it is recommended that
any organization that wishes to encourage the use of risk assessment undertake an effort to
provide appropriate training to all impacted personnel and address issues such as those listed
above.
Risk assessment is a good business practice. The thoughtful application of risk assessment
techniques can indeed improve the decisions made by an organization and result in improved
performance in a number of areas by reducing risk exposure.
Risk assessment should be at the core of any safety-related rule-making or regulatory
development process. Since the underlying goal of these rules and regulations is to reduce the
risk of losses resulting from hazards, risk assessment seems an imperative part of any rulemaking process.
However, buy-in and significant participation are required from all stakeholders in the process to
assure that risk assessment is incorporated in an effective and meaningful way. This is no small
feat considering the number of players involved, their diverse interests and the wide differences
in their levels of understanding with regard to risk assessment.
As awareness of risk assessment increases, the benefits which can be realized through its
application will continue to increase. Organizations in both the public and the private sectors are
becoming more and more familiar with the benefits associated with risk-based approaches to
managing safety, and we continually see more examples of risk assessment applications across
the marine and offshore oil and gas industry.

10. Benefits of risk assessment

Risk assessment techniques can be applied in almost all areas of the offshore oil and gas and
marine industries. Corporations know that to be successful they must have a good understanding
of their risks and how the risks impact the people associated with their operations, their financial
performance and corporate reputation. More and more, regulators are striving to use risk-based
approaches in formulating new regulations. The ability to conduct meaningful risk assessments
continues to improve as more and better data are collected, and computer applications become
more accessible.
The four key areas where risk assessment has been seen to be useful are:
• identifying hazards and protecting against them
• improving operations
• efficient use of resources
• developing or complying with rules and regulations
10.1. Identification of hazards and protection against

The primary goal of many risk assessments is to identify the hazards that are involved in a
particular process or system and to develop adequate safeguards to prevent or reduce negative
consequences from the related hazardous events. As previously discussed, the first step in
performing a risk assessment is hazard identification. Whether done in an explicit or implicit
form, this step provides an understanding of the basic hazards (e.g., high temperatures, toxic
chemicals, rotating machinery) that are involved in a process or operation. Because of the
negative consequences that can occur if these hazards are not controlled, the hazard
identification step is key in developing an understanding of the contributors to the risk of
operating a particular system or process. Once these hazards are identified and the potential
undesirable events involving these hazards are described, risk assessment techniques can allow
personnel to identify the safeguards, or risk-reducing measures, that are currently in place and to
make recommendations for additional safeguards that would further reduce the risk. These
safeguards can either prevent an event from occurring, or reduce (mitigate) the consequences if
an event does occur.
Hazard identification is most effectively applied early in a project's life-cycle. If hazards can be
identified early, they can often be "designed out" or eliminated completely during the early
design phases. If the hazards are not recognized until design is complete or the system is
operational, they will be more costly to address, and the only feasible way to address the hazards
may be to provide measures to mitigate the hazardous events they may cause.
It is best to integrate hazard identification activities into the project development process to
assure these activities are conducted at optimal times. For instance, high-level Preliminary
Hazards Analyses should be conducted as early as possible in the project life-cycle, while
multiple project options are under consideration. This will enable risk assessments of the various
options and help identify the major hazards which will need to be managed as the project goes
forward. As the development process progresses, more and more detailed hazard analyses can be
conducted. In the offshore oil and gas industry, hazard identification is typically performed on
process systems during conceptual design (when process flow diagrams and layouts are
available) and again at the detailed design phase (when P&IDs and equipment specifications are
available).
Evaluation of safeguards. Since the hazards relating to oil and gas production facilities are
generally well understood, safeguards and preventive measures have become fairly standard
across the industry. However, each project has its own unique requirements as a result of the
types and amounts of fluids handled, the location, existing infrastructure, manning philosophy
and other parameters. Safeguards must be customized for each project to adequately protect the
facility. In order to evaluate safeguards, specialized safety studies are often applied. Companies
designing major new offshore facilities typically conduct a suite of these studies, including:
• Fire and Explosion Risk Analyses
• Equipment Layout Review and Optimization
• Evacuation, Escape and Rescue Analysis
• Emergency Systems Survivability Analysis
Most hazard identification exercises (HAZOPs, etc.) also include the evaluation of existing
safeguards as a part of their process.
Often, risk calculations are incorporated into these specialized studies. For instance, the risks
determined from the likelihood of process releases and their potential consequences are
considerations in Fire and Explosion Risk Analyses and many Equipment Layout Reviews.
Management of change. After a system is in operation, hazard identification is sometimes
required by regulatory authorities as a design and operational check or to assure that changes
made subsequent to the initial design have not introduced new hazards.
Root Cause analysis. Despite efforts to safeguard against all hazards during the design and
specification of a facility, systematic analyses and strong management systems cannot
completely eliminate the possibility of reliability-related problems. When failures occur, root
cause analysis can be used to identify the underlying reasons (hazards and pre-conditions) that
problems occur and to correct the root causes so that the same problem or related problems with
shared root causes do not occur in the future. The root causes of an event are the most basic
causes of an event that (1) can be reasonably identified and (2) management has the
control/influence to fix. Typically, root causes are the absence, neglect, or deficiencies of
management systems that control human actions and equipment performance.
10.2. Improving operations

Over the years, standard approaches have been developed for operating oil and gas related
equipment. Many of these have been documented as industry standards and/or codified into
regulation. For example, regulatory bodies such as the U.S.'s OSHA and Coast Guard require
adherence to basic standards in the areas of Hearing Conservation, Lock-out/Tag-out, Fall
Protection, Electrical Safety, Fire Protection, Emergency Response, etc. In addition, most
operators have developed internal requirements to address recognized operational hazards.
In efforts to continually improve business performance, successful operators continue to
challenge the established ways of conducting their operations. Opportunities for improved
business performance are continually identified, and must be assessed for risk impact in addition
to financial impact and feasibility. Risk studies can be conducted to assess the relative risks
associated with various modes of operation, including:
• Simultaneous Operations (Concurrent Production and/or Drilling and/or Construction
Operations)
• Construction Activities (Hazard analysis of construction activities, Risk impact of major
marine activities at producing locations, etc.)
• Automation of Drilling Activities
• Production and Maintenance Activities (Manned vs. unmanned platforms, Platform-based
maintenance crews vs. roving maintenance teams, etc.)
Improving emergency and operating procedures. During the performance of a risk assessment,
detailed discussions of normal operations and abnormal conditions will often focus on the
actions and response of operators, maintenance personnel, and emergency response personnel.
Recommendations for the improvement of procedures are often the result of such reviews. These
can include such things as the addition of procedural steps to improve clarity, highlight critical
steps or provide better control. Unnecessary procedural steps or superfluous information may be
noted and recommended for deletion. In some cases, the addition or deletion of entire procedures
may be a recommendation from the risk assessment.
Improving operations through better understanding. In addition to the identification of hazards
and safeguards, the value of the knowledge and understanding gained from the performance of
risk assessments should not be underestimated. This increased understanding can often result in
improved operations, design, maintenance, and emergency response. Risk assessments
frequently yield recommendations to system hardware, software, training, and procedures that
result in more efficient or improved operations, along with increased safety.
Many of the techniques (e.g., HAZOP) used in performing risk assessments involve a detailed,
systematic review of the process or system being evaluated. During a review, a variety of
information sources, such as process drawings, operating and emergency procedures, incident
reports and operators' experiences, are typically examined in detail to allow an understanding of
the hazards, potential events or mishaps and the safeguards that exist to minimize the frequency
or consequence of these events. In addition, many reviews involve a multidisciplinary team
representing various organizations (e.g., operations, engineering, instrumentation, or industrial
hygiene), each member of which has detailed knowledge on particular aspects of the system.
This thorough review and sharing of information typically benefits all personnel involved in the
risk assessment by increasing their knowledge of the design and operation of their facility.
For example, information provided by operators about the way that a system is actually operated,
as opposed to how it was designed to be operated, can provide process engineers and design
engineers with information on design concerns or equipment problems. This knowledge could
result in modifications in equipment or system design, which increase the safety and efficiency
of operations.
Details provided by process engineers on why a particular interlock is required on a piece of
equipment or information given by industrial hygiene personnel on why specific personal
protective equipment is required can contribute significantly to the operating staff's
understanding of the design of the system they operate and the requirements that they must
follow.

10.3. Efficient use of resources

Design option comparisons. When significant design decisions are being made, a thorough
comparison of the options available is typically performed. This comparison should include an
evaluation of the risks associated with each option, with the goal of selecting an option which
meets the organization's risk acceptance criteria and provides the best overall value with regard
to other factors, such as economics, political considerations, environmental concerns, legal
issues, reliability, operability and safety. An organization's risk acceptance criteria may define
tolerable risk levels, or may require that one show that the risk is "As Low As Reasonably
Practicable" (ALARP), and hence acceptable, subject to certain maximum limits. UK regulators
hold the operators of offshore facilities accountable to an ALARP criterion.
The criterion of ALARP implies the analysis of costs versus benefits. Under this criterion, risk
needs to be reduced to the lowest level that is practical (i.e., risk-reduction measures are required
up to the point where their costs far outweigh the benefits). Costs and benefits of course are
perceived differently by the various stakeholders affected by a risk management decision,
namely the ship owner, regulatory body, insurer, crew, etc. The question "How safe is safe
enough?" is thus generally difficult to answer. Further, the "acceptable" answer may itself
change over time, due to changing societal values.
Reliability of critical systems. Reliability analysis can serve as a useful tool for comparisons
between various design options for critical equipment or systems. This is true both during the
early stages of the equipment life cycle, such as design and construction, and during later stages
in the life cycle when modifications or changes are considered. For example, a control system for
a ship's steering equipment may require strict operability requirements that cannot be fulfilled
through the reliability of a single set of components, thus necessitating the use of equipment
redundancy. A reliability assessment could provide designers an evaluation of redundancy
options (e.g., redundant components, redundant systems, multiple redundancies) that could best
meet the requirements. In addition, an analysis could identify common cause failure potentials
that could defeat the planned redundancy.
Another type of reliability analysis that can be beneficial during the design phase is an
assessment of human factors issues. Consider the design of a control panel for a ship's complex
electrical distribution system. Upon completion of the initial design of the panel, a human factors
analysis of the preliminary layout, using operators who will use the equipment if possible, could
identify improvements that could increase the efficiency and accuracy with which the panel is
operated during normal and abnormal situations. These recommendations could include such
changes as the location of switches or meters, the labeling of equipment on the panel, and
audible/visual feedback provided to the operator.
When safeguards are put in place to protect against potentially hazardous events, the reliability
of these safeguards must be validated to meet certain criteria. For instance, the failure rates of the
components of an electronic safety shutdown system must be evaluated and reduced to
acceptable levels through system design and component selection. In another example, issues
such as the reliability of the release mechanism for davit-mounted escape craft must be
considered during the selection of lifesaving equipment suppliers.
10.4. Developing or complying with rules and regulations

Risk-based regulatory and standards development. Many regulatory bodies and industry groups
now understand the importance of taking a risk-based approach when developing new
regulations and standards. More and more, as industry and regulators work together to draft new
requirements, risk assessments are becoming an integral part of the process. In many cases, new
safety regulations are performance-oriented and leave the operator with the responsibility to
demonstrate the effectiveness of his safety management system (U.K. Safety Case). In other
cases, regulators have commissioned risk assessments to be performed as a part of the regulatory
development process, to assure risks are assessed before new regulations are drafted.
For example, following a near-miss collision between a Gulf of Mexico Deepwater Tension Leg
Platform and an 800-foot tankship in 1997, the National Offshore Safety Advisory Committee
(NOSAC), sponsored by the U.S. Coast Guard, appointed a special subcommittee made up of
members from the Coast Guard, MMS, the oil industry and the marine industry to examine the
incident. The subcommittee was asked to use a risk-based approach to identify potential
regulatory and non-regulatory means to reduce the risk of this type of incident recurring.
In another example, the Minerals Management Service (MMS) has recently chartered a risk
assessment of Floating Production Storage and Offloading facilities (FPSOs) to help them
understand the key hazards and the risks associated with these types of facilities. The results of
this assessment will likely provide a basis for the development of regulations concerning the use
of these mobile production systems in the Gulf of Mexico.
Estimating overall facility risks. In the North Sea, it has become an industry norm to use
Quantified Risk Assessment (QRA) methods to estimate the Individual Risk Rate (annual
potential of loss of life for an individual working on the facility) for Safety Case submittals to
demonstrate that the risk associated with a particular platform is ALARP. Due to the potential
for data and modeling uncertainties, and the assumptions made, the accuracy of such explicit risk
rate calculations is not considered to be very good, and may be off by over 100%. Unless
specifically required by regulation (North Sea Safety Cases), the calculation of individual risk
rates does not typically prove to be a useful way to devote risk assessment resources.
Many operators prefer instead to conduct focused relative risk studies of a smaller scope to aid in
making decisions between two or more viable options. When comparing the relative risks of two
or more options, the same methodology and assumptions can be used to evaluate each option,
and the uncertainties associated with the calculated absolute risk numbers do not significantly
impact the decision.
Often, high-level estimates of overall facility risks and the major risk contributors are made early
in the project life to aid in selecting between various development options. This is a valuable
exercise, because it is at this point that a project team has the most impact on the overall risks
associated with the project. Conducting hazard and risk assessments early in the project life also
allows time for the development of mitigation solutions to address major risk contributors.
The future: Providing the framework for regulatory reform. In the shipping industry, where
there is an abundance of regulators and rule-makers, and existing safety rules and regulations
are particularly piecemeal in nature, the structure and logic provided by a risk assessment model
may be able to provide a framework for regulatory reform.
Existing rules and regulations prescribe safeguards to protect against hazardous states or events.
The rules and regulations also prescribe consequence mitigating measures, such as: lifesaving
appliances, global search and rescue, fire detection and alarm, fire extinguishing systems, fire
containment, limitation of tank size, damage stability, shipboard pollution prevention plan, etc.
This approach can be illustrated as follows in Figure 10.1:

Figure 10.1. Framework of existing Rules and Regulations

What this approach lacks is a systematic consideration beginning with operating scenarios and
the identification of hazards in each scenario, through to assessing and recommending effective
risk reduction measures. An improved approach is illustrated in Figure 10.2.

Figure 10.2. A framework based on risk assessment

A risk-based framework as shown in Figure 10.2 may be looked upon as a systematic,
first-principle approach to accomplishing what the existing rule- and regulation-based framework
seeks to accomplish. Figure 10.2 may be used as a generic safety framework within which the
existing rules and regulations can be populated. In fact, it could be used to assess the
comprehensiveness of the existing fragmented regimes of rules and regulations: any gaps or lack
of considerations can be identified and addressed with risk-analysis techniques. Figure 10.3
illustrates how this may be conducted.

Figure 10.3. An example of the application of the framework

As the example illustrates, the framework allows users to:


o systematically assess each operating scenario and the safeguards that would be needed,
o identify where the different regimes of rules and regulations reside and how they relate to
other safety measures,
o identify operational requirements that are in fact important elements in the chain of
safety measures, and
o identify where risk assessment techniques may be applied to derive effective safety
measures.
Regulators could use this framework as an umbrella for their regulations, under which they
could have a holistic view of the safety issues they need to address. This would allow them to
have a better view of the roles their rules or regulations play in the safety equation. It would
assist them in assessing whether new requirements ought to be formulated and whether existing
ones are adequate.
It could provide them with a common vocabulary to reexamine their safety philosophy.
Knowing where their rules or regulations currently reside in the framework, they could either
begin to embrace a holistic view towards safety or stick to the current piecemeal one. In either
case, the intent of their requirements will now be more apparent to those affected by them. Using
the framework philosophy as structure, they could perform risk assessments to examine the
effectiveness of their existing rules or regulations as well as to formulate new ones. By
examining the operating scenarios, the hazards, the safeguards and the consequences, their
requirements would acquire a risk-based rationale.
Inter-regime or inter-agency jurisdictions could also be mapped in this framework, thus allowing
better cooperation between agencies. The framework could also provide the opportunity to unify
safety philosophies between agencies and to work towards common safety acceptance criteria.
Owners and operators could use this framework as a template for safety planning in their
operations.
Providing a framework, a template and a methodology and having operators perform their own
risk assessments for their own individual operations, as the ISM Code seems to be encouraging,
may be a positive way forward to address the integration of ship operations in the safety
equation. It would be the job of regulators to come up with the framework, the template and the
methodology.
Perhaps the insurers would have the most to gain by promoting a holistic safety framework. This
would provide a holistic view of the degree to which risks have been addressed, and would
provide a rational yardstick by which they could underwrite insurance for those risks.
This type of holistic safety framework could be used as the roadmap for major regulatory reform
in the shipping industry. It could be applied to integrate all the different regimes of regulations as
well as all the operational, human and organizational considerations and regard them as one
entity. The historic piecemeal and fragmented approach to assuring safety has served its purpose
and must now move on. A holistic safety framework can be developed which not only
accommodates the hard earned experience of the past but also provides a philosophy and a
structure by which hazards and hence risks can be systematically and rationally assessed. This
would provide a tool not only for the regulators, but, more importantly, for the operators
themselves.
Clearly, the extent to which a holistic safety framework can be applied will be determined by the
willingness of operators, industry groups and governmental bodies around the world to engage in
this process. The result of such an effort could have the potential to significantly improve the
safety of shipping operations through the systematic application of risk-based approaches.

11. Management measures to prevent major accidents

For the past 20 to 30 years the offshore oil industry, including the marine industry which
supports the offshore industry, has focused its safety efforts on preventing incidents and injuries
to people, basically, preventing slips, trips and falls. This focus can be called occupational
health and safety.
In parallel, there have been efforts to prevent major incidents involving multiple fatalities or
asset-threatening events such as Piper Alpha, Alexander Kielland, Sleipner and Exxon Valdez.
These events occurred during production, drilling, construction and transportation, where
procedures, design, planning and personnel were amongst the root causes. The responses have
included emphasis on all these aspects as well as fundamental changes like the introduction of
safety cases, which detail how offshore installations will be managed safely.
However, some incidents within the offshore oil industry have shown that safety efforts should
not only be focused on occupational health and safety but also need to continue to emphasize
preventing major incidents.
There are distinct differences between these two ways of seeing safety, but there are common
hazards which can lead to both occupational health and safety incidents and major incidents, and
there are similar control measures which can prevent, detect, control and mitigate both
occupational health and safety incidents and major incidents.
In the chemical processing industry, process safety generally refers to the prevention of
unintentional releases of chemicals, energy, or other potentially dangerous materials during the
course of chemical processes that can have a serious effect on the plant and environment. The
goal of process safety is to protect major assets, the environment or a large group of people from
the effects of a low probability but catastrophic or severe incident. A parallel can be drawn with
the marine industry: in marine industry terms, such major incidents can be asset threatening to a
vessel and/or cause multiple fatalities amongst its crew.
In the marine industry, some examples of major hazards are shown in the table below.

Shipboard fires and explosions: Fires and explosions in machinery spaces may possibly affect
many people in the space, including loss of ship systems within or passing through the space.
Fires and explosions on the bridge may possibly affect many people in the space, including loss
of ship systems within or passing through the space and loss of command and control centre.
Fire or explosion in the accommodation may possibly affect many people in the accommodation,
including loss of ship systems within or passing through the space. Disintegration of rotating
equipment may possibly affect many people in the space, including loss of ship systems within or
passing through the space. Failure of a pressure vessel may possibly affect many people in the
space, including loss of ship systems within or passing through the space.

Release of dangerous substances: Release of certain dangerous substances in significant
quantities to cause death or serious injury to several personnel. May possibly affect many people
on deck.

Helicopter crash on vessel: Crashing of a helicopter on to the helideck with a potential resultant
fire. May possibly affect many people on board.

Vessel collision/impact: Collision between a vessel and another vessel or offshore structure which
causes impact damage, with a potential effect on watertight integrity and stability. May possibly
affect many people on board. In the event any of these incidents occur, emergency response
arrangements may be affected.

Structural failure: Failure of the hull or superstructure, with a potential effect on watertight
integrity and stability. May possibly affect many people on board. In the event any of these
incidents occur, emergency response arrangements may be affected. Failure of superstructure
components, cranes, derrick, etc., with a potential effect on watertight integrity and stability.
May possibly affect many people on deck.

Loss of position: Loss of station keeping capabilities (dynamic positioning (DP) or anchors, etc.)
from:
• Failure of power generation systems;
• Failure of DP reference systems;
• Failure of thrusters;
• Operator error;
• Mooring failure (e.g. from environmental forces).
May possibly affect many people on board. In the event any of these incidents occur, emergency
response arrangements may be affected.

Loss of stability: Failure of ballast or bilge systems imparting excessive list (pitch or roll) to a
vessel. May possibly affect many people on board. In the event any of these incidents occur,
emergency response arrangements may be affected.

Extreme weather: Vessel experiences weather conditions up to and exceeding the design weather
criteria of the vessel or the capabilities of the vessel when systems are downgraded.

Vessel grounding: Vessel impact on seabed or seabed protrusions causing damage to the vessel
superstructure and/or limiting the vessel's ability to manoeuvre. May possibly affect many people
on board. In the event any of these incidents occur, emergency response arrangements may be
affected.

Major dropped objects: Impact of dropped object on the deck, superstructure or equipment with
the potential for significant damage and/or loss of systems. May possibly affect many people on
board. In the event any of these incidents occur, emergency response arrangements may be
affected.

Loss of diving bell(s) or chamber pressure: Loss of the diving bell from the vessel with or without
loss of services. May possibly affect several people on board. Loss of chamber pressure in
saturation diving system. May possibly affect several people on board.

Subsea well or hydrocarbon releases: Loss of well or hydrocarbons control subsea through the
loss of, or incorrect operation of well or hydrocarbon barriers causing hydrocarbons and/or gases
to rise to surface with the potential for ignition, ingestion into intakes and/or loss of stability.
May possibly affect many people on board. In the event any of these incidents occur, emergency
response arrangements may be affected.

Topside well releases: Loss of well or hydrocarbons control topside through the loss of, or
incorrect operation of well and/or hydrocarbon barriers causing hydrocarbons and/or gases to
escape on to the deck with the potential for ignition or ingestion into intakes. May possibly affect
many people on deck. In the event any of these incidents occur, emergency response
arrangements may be affected.

Process fire and explosion: See topside well releases and subsea well or hydrocarbon releases.
Premature detonation of explosive substances on deck. May possibly affect people on deck.

Other incidents: Incidents with the potential to cause multiple deaths or multiple serious injuries.

Human factors: Behavioural factors/fatigue may affect crew members which could have the
potential to lead to the major incident hazards identified above.

Table 11.1. Major incident hazards which are asset threatening to vessels or can cause multiple
crew fatalities


Hazard assessment, removing the risk, reducing the risk, managing the risk, responsibilities of all
parties involved, risk analysis, toolbox talks, personnel competence, personal protective
equipment and so forth all play their part. These approaches are valid for major incident hazards
in marine construction as well.
The control methods for testing, inspection and audit of major items of equipment such as DP
systems and diving systems, as well as a framework for vessel assurance, include:
• Develop and maintain written safety information identifying safety critical elements,
  workplace hazards and major items of hazardous equipment;
• Perform a workplace hazard assessment, including:
    o potential sources of asset threatening hazards
    o any previous incident that had a potential for catastrophic consequences in the
      workplace
    o an estimate of workplace effects from these hazards, and an estimate of the health
      and safety effects on employees;
• Consult with employees to develop and conduct hazard assessment and accident
  prevention plans;
• Establish a written operating procedure to respond to the workplace hazard assessment
  findings, which should address prevention, mitigation, and emergency responses during
  operation and define operating limitations, and safety and health considerations;
• Share the procedure with employees. Training and education should be provided,
  emphasizing hazards and safe practices;
• Review periodically the workplace hazard assessment and response system;
• Ensure contractors and contract employees are also provided with appropriate
  information and training;
• Establish a quality assurance programme for vessels, safety critical elements, and major
  items of hazardous equipment including inspection/audit, maintenance and spare parts,
  written procedures, employee training, and testing of such equipment to ensure on-going
  asset integrity;
• Conduct pre-start-up safety reviews of all newly installed or modified equipment;
• Establish and implement management of change procedures for vessels and major items
  of hazardous equipment;
• Investigate every incident that results in or could have resulted in a major incident.
  Incorporate the findings into operating procedures. Review the findings and any
  modifications, if appropriate, with operating personnel;
• Ensure competent personnel are involved throughout these processes, from the worksite,
  through supervisor, vessel officers, to onshore vessel management and corporate
  management.
