Journal of Hazardous Materials 71 (2000) 467–480
www.elsevier.nl/locate/jhazmat
Risk based methodology for safety improvements in ports
Vladimir M. Trbojevic *, Barry J. Carr
EQE International, 18 Mansell Street, London E1 8AA, UK
Abstract
With the introduction of the Formal Safety Assessment in the International Maritime Organisation decision making process regarding new regulations, and the recent tanker disasters resulting
in extensive oil pollution, the public and political pressure to improve safety in ports and the
shipping industry has increased. Considering that some kind of Safety Report (case) regulations
related to marine operations have not been established, and that the ports and shipping industry are
at the onset of safety regimes utilised in other industries, a step wise methodology for safety
improvements in ports has been developed. In the first step, the hazard identification and the
qualitative risk assessment are carried out to establish hazard barriers which are or should be in
place to prevent hazards from being released; the controls for managing these hazards are then
developed and integrated into the Safety Management System (SMS). In the second and optional
step, the areas of high risk are investigated in detail and the approach for risk quantification
discussed. The use of the quantitative risk assessment results is illustrated in two examples.
© 2000 Elsevier Science B.V. All rights reserved.
Keywords: Risk; Safety; Ports
1. Introduction
In 1993, the United Kingdom Marine Safety Agency (MSA) proposed to the
International Maritime Organisation (IMO) that Formal Safety Assessment (FSA) could
be applied to ensure a strategic oversight of safety and pollution prevention. FSA is the
process of identifying hazards, evaluating risks and deciding on an appropriate course of
action to manage these risks in a cost-effective manner. This methodology was developed to facilitate the IMO decision making process regarding new regulations for the
shipping industry.
* Corresponding author. Tel.: +44-171-357-2426; fax: +44-171-357-2015.
0304-3894/00/$ - see front matter © 2000 Elsevier Science B.V. All rights reserved.
PII: S0304-3894(99)00094-1
V.M. Trbojevic, B.J. Carr / Journal of Hazardous Materials 71 (2000) 467–480
In February 1996, there was the Sea Empress disaster at Milford Haven, which prompted
the application of the FSA to this port; Sullom Voe followed in 1997. The Review of the
Pilotage Act 1987 [1] was published in 1998, the principal outcome of which was that a
‘Marine Operations Code for Ports’ should be developed, covering all port safety
functions including pilotage. Consequently, at least in the UK, the process of enhancing
management control systems for the safety of navigation in ports has been initiated.
Considering the absence of some type of Safety Case regulations related to port
marine operations, the potential problems with the environmental risk criteria, and the
fact that ports are at the very beginning of the modern approach to safety as utilised in
other industries, this paper proposes a step wise approach for safety improvement in
ports. The main aim is to establish an optimal risk based methodology suitable for port
operations and to show that: (1) hazard assessment can be integrated into day-to-day
management; (2) risk quantification can be used in the later stage either to optimise the
management of safety, and/or to facilitate other decision making processes, e.g.
optimising insurance coverage.
2. Development of an integrated Safety Management System (SMS)
A number of accidents in the chemical, petrochemical and nuclear industries have,
over the past decade or so, increased the public and political pressure to improve the
safety which protects people and the environment. In the evolution of the approach to
safety and loss prevention, it is clear that there has been an increasing move towards risk
management, as opposed to more technical solutions. The reason for this evolutionary
trend is simple. While design standards and technical solutions have improved, major
accidents continue to occur as a function of failures in the SMS. The underlying
causes of failure are increasingly viewed as originating not in the failure of the front line
technical and human control systems, but in the safety management practices which are
supposed to keep them in place. The main objectives of a good SMS are to provide
assurance that:
• risks are identified and evaluated,
• suitable controls are in place to manage these risks,
• line management has responsibility for those tasks that ensure controls are effective
at all times.
A good SMS should be tailor-made for the technical system and its associated risks.
To assess the technical system the following risk based methodology is applied.
2.1. Hazard identification
Hazard identification is the first and in many ways the most important step in a risk
assessment. An overlooked hazard is likely to introduce more error into the overall risk
estimate than an inaccurate consequence model or frequency estimate. The aim of the
hazard identification is to produce, therefore, a comprehensive list of all hazards. The
list should include all foreseeable hazards, but it should also avoid double counting by
including the same hazard under more than one heading. In order to distinguish between
hazards and consequences, it is advisable to start with defining a ‘hazard’, for example:
A hazard is a physical situation or condition with the potential to cause harm,
including injury and fatality, damage to property and/or the environment, business
interruption, or increased liabilities.
Therefore, ship ‘grounding’ is considered as a possible consequence of hazards
related, for example, to navigation error/failure, and not as a hazard itself. Similarly,
‘navigation’, ‘ship maneuvering’, etc. are considered as hazardous operations because a
component failure could lead to a chain of unwanted outcomes. An example of a hazard
list developed for a port is presented in Table 1.
2.2. Hazard analysis
The hazard analysis approach which is considered suitable for ports is illustrated on a
‘bow tie’ diagram [2], which has been found to be an extremely useful representation of
the hazard identification and risk management process, and is readily understood at all
levels in an organisation. In this approach it is assumed that each specific hazard can be
represented by one or several threats that have the potential to lead to an incident or top
(initiating) event. A threat can be a specific hazard (Table 1), or a more detailed
representation of a specific hazard. Each accidental event may lead to unwanted
consequences. In the example shown in Fig. 1, the top event is ‘pilotage error’, which can
be initiated by the pilot giving an inappropriate command, or by the ship’s crew failing
to execute the command. Consequences of the ‘pilotage error’ can be grounding,
spillage and loss of life. A ‘plus’ sign in Fig. 1 indicates that a branch can be expanded
(see later in Fig. 2), and a ‘minus’ sign is used to contract a branch.
Table 1
List of hazards
General hazard | Description | Specific hazard
Impacts and collision | Interaction with a moving or a stationary object, or a collision with a vessel | Vessel collision; Berthing impacts; Striking while at berth
Ship related | Hazards related to ship specific operations and/or equipment | Flooding; Loading/overloading; Mooring failure; Anchoring failure
Navigation | Potential for a deviation of the ship from its intended route or designated channel | Navigation error; Pilotage error; Vessel not under command
Maneuvering | Failure to keep the vessel on the right track, or to position the vessel as intended | Fine maneuvering error; Berthing/unberthing error
Fire/explosion | Fire or explosion on vessel or in the cargo bay | Cargo tank fire/explosion; Fire in accommodation; Fire in engine room; Other fires
Loss of containment | Release and dispersion of dangerous substances | Release of flammables; Release of toxic material
Pollution | Release of material that can cause damage to the environment | Crude oil spill; Other cargo release
Environmental | Weather exceeds vessel design criteria, or harbour operations criteria | Extreme weather; Wind exceeds port criteria; Strong currents
For each threat one or several ‘barriers’ can be specified to prevent or minimise the
likelihood of hazard release. In the example in Fig. 2, the barriers to the ‘inappropriate
command from a pilot’ are:
• Competent pilot
• Competent ship’s master
• Port control
• Passage plan
• Navigational aids
For any barrier there may be internal or external factors which affect its effectiveness,
for example, a competent pilot may not have been aware that the ship was a ‘bad
steerer’, or he may make an ‘error of judgement’ due to being overworked.
These factors or barrier failure modes can be modelled as ‘escalation factors’ each of
which can be controlled by ‘escalation factor control’, Fig. 2. These escalation factor
controls can be envisaged as secondary barriers; for example, a ‘vessel vetting procedure’ or a ‘working hours procedure’ represent secondary barriers. Any threat should
have a sufficient number of barriers and escalation factor controls to ensure the integrity
of the system.
If a hazard is released, the accidental event can escalate to one of the several possible
consequences. To prevent escalation, the mitigation measures, emergency preparedness
and escalation control measures need to be in place to stop the propagation of the chain of events
and/or to minimise the consequences of escalation. This is shown graphically in Fig. 3,
where a ‘pilotage error’ is detected and the ship can be steered away from a shore (to avoid
grounding), or the tugs can be used for the same purpose.
Fig. 1. Bow tie.
Fig. 2. Barriers, escalation factors and controls.
Fig. 3. Recovery preparedness measures.
Each recovery measure can be associated with one or several failure modes, or
escalation factors; for example, tug support may not be effective due to tug failure or
wind and current effects. Control measures can be specified to prevent or minimise these
failures.
It is clear that the left and right hand sides of a bow tie correspond to fault and event
trees, respectively. Indeed, the fault and event tree analysis should always underpin the
bow ties. In the analysis of marine or engineering operations [3], the fault and event
trees describe not only mechanical failures, but also operator (human) front line and
recovery errors. While the operator errors can be associated with the corresponding
procedure designed to minimise such failures, in general it is difficult to quantify the
‘quality’ of such a procedure. The bow tie approach focuses on risk control measures (barriers
and recovery measures), and is more suitable for incorporation of ‘procedural’ control
measures than the fault or event trees.
2.3. Qualitative risk assessment
Risk can be qualitatively assessed by the use of a risk matrix. A typical matrix has
rows representing increasing severity of consequences of a released hazard and columns
representing increasing likelihood of these consequences, Fig. 4. The matrix indicates
the combinations of likelihood and consequence, and typically, there are three regions:
an area of broadly acceptable risk in which risk has to be managed for continuous
improvement, an intermediate region in which risks have to be reduced to a level which
is as low as reasonably practicable (ALARP, [4]), and an intolerable region.
Fig. 4. Risk matrix.
In a qualitative approach such as using ‘bow ties’, it is possible to set targets for
acceptance of sufficient controls being in place to meet objectives. For example, for
hazards in the ALARP region the minimum requirement may be to have two independent barriers for each threat, and two independent recovery measures for each consequence, one of which must be to detect the incident, and the other to prevent further
escalation.
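The acceptance target above can be checked mechanically once a bow tie is written down as data. The following is an added example, not taken from the paper or from the THESIS tool: the `relies_on` field used to decide independence, the `role` labels, and the entries marked as constructed are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    """A barrier (threat side) or a recovery measure (consequence side)."""
    name: str
    relies_on: str          # assumption: controls sharing this value are not independent
    role: str = "prevent"   # recovery measures only: "detect" or "prevent" (escalation)
    escalation: dict = field(default_factory=dict)  # escalation factor -> control, or None

def independent(controls):
    """Number of controls that do not share a dependency."""
    return len({c.relies_on for c in controls})

def check_bow_tie(threats, consequences, minimum=2):
    """List the gaps against the ALARP-region target described in section 2.3."""
    findings = []
    for threat, barriers in threats.items():
        if independent(barriers) < minimum:
            findings.append(f"threat '{threat}': fewer than {minimum} independent barriers")
    for cons, measures in consequences.items():
        if independent(measures) < minimum:
            findings.append(
                f"consequence '{cons}': fewer than {minimum} independent recovery measures")
        for role in ("detect", "prevent"):
            if not any(m.role == role for m in measures):
                findings.append(f"consequence '{cons}': no recovery measure with role '{role}'")
    # Section 2.2: every escalation factor should have an escalation factor control.
    for group in list(threats.values()) + list(consequences.values()):
        for control in group:
            for factor, factor_control in control.escalation.items():
                if factor_control is None:
                    findings.append(
                        f"'{control.name}': escalation factor '{factor}' has no control")
    return findings

# Bow tie for the top event 'pilotage error', using the names given in section 2.2.
THREATS = {
    "inappropriate command from pilot": [
        Control("Competent pilot", "pilot", escalation={
            "ship is a 'bad steerer'": "vessel vetting procedure",
            "error of judgement when overworked": "working hours procedure"}),
        Control("Competent ship's master", "master"),
        Control("Port control", "port control"),
        Control("Passage plan", "passage plan"),
        Control("Navigational aids", "navigational aids"),
    ],
    # Constructed entry: the paper names this threat but lists no barriers for it.
    "ship's crew fails to execute the command": [
        Control("Bridge team procedure", "master"),
    ],
}
CONSEQUENCES = {
    "grounding": [
        Control("Pilotage error detected", "bridge team", role="detect"),
        Control("Ship steered away from shore", "ship's steering"),
        # The paper names these two failure modes; no controls are listed for them.
        Control("Tug support", "tugs", escalation={
            "tug failure": None, "wind and current effects": None}),
    ],
    # Constructed entry: a consequence with a single measure and no detection.
    "spillage": [Control("Spill response plan", "port control")],
}

if __name__ == "__main__":
    for finding in check_bow_tie(THREATS, CONSEQUENCES):
        print(finding)
```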
2.4. Integration of hazard analysis into the SMS
The most significant development in this approach is the integration of management
activities and tasks with hazard controls, i.e. barriers, recovery measures and escalation
controls. The activities and tasks taken to ensure that these controls are effective at all
times are called ‘safety-critical’.
Tasks are grouped into the high level activities to preserve the logic of the system.
Activities describe the port management system, interaction with tugs, and other
stakeholders, etc. The safety-critical tasks are a subset of the management activities and
tasks required for day-to-day running of the port. For this purpose each task is described
along with its execution party, task inputs, task competence, methods of verification and
frequency. In associating tasks with the hazard controls, the integrity of the management
system is demonstrated. This integration of the SMS with the identified threat barriers,
recovery measures, and escalation factor controls is shown schematically in Fig. 5.
Fig. 5. An integrated SMS model.
3. Optimisation of SMS through risk quantification
3.1. System definition
The quantification of risk may typically be required either as a demonstration that the
risks are as low as reasonably practicable with respect to the specified risk acceptability
criteria, or in the case of cost benefit analysis of various safety measures, comparison of
new port developments, choice of traffic channels, etc. The first step in risk quantification is to define the boundaries and the objectives of the system to be analysed. If the
full dynamic risk model is required, then the interaction between risk model parameters
will be required. The ‘interaction between parameters’ denotes changes in the risk
profile due to changes in port management, ship characteristics, or other parameters; it is
important to note that this interaction is not linear. By defining the system and the
objectives of the analysis, it is possible to assemble a list of parameters which will affect
the normal operations in the port, and to which the model will be sensitive (Table 2).
Table 2
Parameters of the port dynamic risk model
System | Characteristics
Waterway | Location; Wind speed and direction; Tides; Currents; Visibility; Traffic separation
Vessel | Size; Type; Age; Crew; Maneuverability; Pilotage requirements; Escorting requirements
Vessel reliability | Propulsion; Steering; Electrical power; Structural integrity
Port control | Traffic rules; Navigational equipment; Number of pilots; Number of tugs; Traffic monitoring equipment
Organisation | Poor management practices; Lack of ship specific knowledge; Poor vessel maintenance
Human | Poor decision making; Poor judgement; Lack of knowledge; Poor communication
It should be noted that most of these parameters should have been identified in the
first step, either as hazard barriers (e.g. navigation equipment), and recovery measures
(e.g. tugs), or as barrier failure modes (e.g. poor management practices, poor communication, etc.). The reason for emphasising this point at this stage is that the influence of
these parameters along the port channels will vary, and consequently so will the risk profile.
The resolution of the analysis will also depend on the resolution of the risk model.
For example, if the marine operations are divided into phases, or if the shipping
channels in the port are split into sections, then it will be possible to obtain the risk
differential between different phases/sections. An example of sectionalisation is shown
in Fig. 6.
Ships visiting a port will have different maneuvering characteristics, pilotage requirements, hazard potential, etc. and should therefore be classified accordingly. In other
words, the sensitivity to risk parameters (Table 2) will vary from ship to ship. As a
consequence, the risk models need to be assembled for each ship type and channel
section (phase of operation).
3.2. Development of accidental events
The hazard identification carried out in the first step produced a list of initiating
(accidental) events. It should be noted that not all events will be applicable to all phases
of operation, and some economising should be carried out. However, it is important to
realise that the parameters influencing quantification of risk will have different effects at
different phases of operation even when related to the same event. For instance, the
waterway hazard characteristics may be very pronounced at certain sections (e.g. narrow
channel, shallow water, strong tide, etc.), and negligible in other sections of the port
channels.
Fig. 6. Phases of marine operations.
In this approach the risk assessment model is structured around the initiating events
and can be considered as having two parts. In the first part (fault tree), the frequency of
the initiating event is established, while in the second part (event tree), the likelihood
and severity of accidents which can follow from an initiating event are evaluated. The
process of assembling the fault and event trees has been implicitly carried out in the first
stage, and basically the only requirement at this stage is their quantification. It should be
noted that the bow ties may not have one-to-one correspondence with the fault/event
trees, since the factors such as weather, proximity of the shore, etc. can be included for
each phase.
An example of an event tree which can be used for modelling of, say, ‘navigation
error’ in the case of a tanker in harbour waters being actively escorted by tugs is shown
in Fig. 7. A similar methodology for quantifying errors in marine operations during tow
out and installation of offshore structures has been well developed [3].
Fig. 7. An example of event tree.
3.3. Risk assessment
As an example of risk assessment used for decision making, a comparison of
frequency of grounding for one ship type and two channels into the same port is
presented in Fig. 8.
Fig. 8. Grounding risk profile along two channels.
In another example, the influence of the improvements of the port management system
was quantified. The results are presented in Fig. 9, where the potential (expected) annual
loss taking into account vessel and port facilities (storage tanks and pipelines) damage,
spill cleanup costs, and loss of life, is presented for the existing situation and with an
improved SMS targeting the navigation and other marine operations. The overall
reduction in the potential annual loss was conservatively evaluated as 39%.
Fig. 9. Comparison of potential (expected) annual loss.
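Sections 3.2 and 3.3 describe quantifying an event tree for each channel section and then comparing grounding frequency and expected annual loss. The following is an added example, not code or data from the paper: the tree shape, every frequency, probability and cost, and the effect assumed for an improved SMS are constructed for illustration and do not reproduce Fig. 7 or the 39% result.

```python
import math

GROUNDING_COST, SPILL_COST = 2.0, 50.0   # constructed loss per outcome (million units)
TRANSITS_PER_YEAR = 1000                 # constructed traffic for one ship type

# Constructed parameters per channel section. f_init stands for the fault tree
# result: frequency of the initiating 'navigation error' per transit.
SECTIONS = {
    "approach":       dict(f_init=1e-3, p_detect=0.9, p_steer=0.8, p_tug=0.9, p_spill=0.10),
    "narrow channel": dict(f_init=2e-3, p_detect=0.9, p_steer=0.5, p_tug=0.8, p_spill=0.20),
    "berth":          dict(f_init=1e-3, p_detect=0.9, p_steer=0.5, p_tug=0.9, p_spill=0.05),
}

def build_tree(s):
    """Event tree for a tanker escorted by tugs: leaves are (outcome, cost) tuples."""
    grounded = {"p_yes": s["p_spill"],
                "yes": ("grounding with spill", SPILL_COST),
                "no": ("grounding, no spill", GROUNDING_COST)}
    tug = {"p_yes": s["p_tug"], "yes": ("recovered", 0.0), "no": grounded}
    steer = {"p_yes": s["p_steer"], "yes": ("recovered", 0.0), "no": tug}
    # An undetected error leads straight to grounding in this simplified tree.
    return {"p_yes": s["p_detect"], "yes": steer, "no": grounded}

def walk(node, freq, out):
    """Propagate a frequency down the tree; fill out[outcome] and return expected loss."""
    if isinstance(node, tuple):
        name, cost = node
        out[name] = out.get(name, 0.0) + freq
        return freq * cost
    p = node["p_yes"]
    return walk(node["yes"], freq * p, out) + walk(node["no"], freq * (1 - p), out)

def assess(sections):
    """Return (grounding frequency per transit by section, expected annual loss)."""
    profile, loss = {}, 0.0
    for name, s in sections.items():
        out = {}
        loss += walk(build_tree(s), s["f_init"], out)
        profile[name] = out.get("grounding with spill", 0.0) + out.get("grounding, no spill", 0.0)
    return profile, loss * TRANSITS_PER_YEAR

def improved_sms(sections):
    """Assumed effect of a better SMS: half the initiating frequency, better detection."""
    return {n: {**s, "f_init": s["f_init"] * 0.5, "p_detect": 0.95}
            for n, s in sections.items()}

if __name__ == "__main__":
    profile, loss = assess(SECTIONS)
    _, loss_improved = assess(improved_sms(SECTIONS))
    for name, freq in profile.items():
        print(f"{name:15s} grounding frequency per transit: {freq:.2e}")
    print(f"expected annual loss: existing {loss:.4f}, improved SMS {loss_improved:.4f}")
    print(f"reduction: {1 - loss_improved / loss:.1%}")
```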
4. Conclusions
A step wise approach for safety improvements of marine operations in a port has
been presented. The basis of this approach is as follows.
• The hazard management process for port operations is developed and incorporated
in the SMS. At this stage, the hazard management process is carried out qualitatively, and
the approach can be considered as a ‘broad brush’ risk assessment.
• In the second step, the areas of high risk are investigated in more detail, and the
risk profile of port operations is assembled. This step is quantitative, and a particular
advantage of quantitative assessment is that it deals both with the probability and the
consequences of a large number of possible accidents. This is important because, if the
consequences were considered alone, attention would inevitably focus on the most
extreme case. Therefore, this is a more balanced approach. Quantification of risk
facilitates the decision making about port operations and/or management to be carried
out on a cost benefit basis. An additional benefit is that it can provide a better measure
of the expected loss, total liability etc., and hence optimise the insurance coverage.
On the other hand, if a ‘Safety Case’ or ‘Marine Operations Code for Ports’ regime
were to be introduced for port operations, then it may become important to consider the
following questions.
• What is an appropriate hazard identification method? In the goal setting safety
regime, hazard identification should be appropriate to the magnitude of hazards involved. This means that the hazard identification method will vary between ports and
port types. They may depend on the sensitivity of the environment, types of cargoes,
quality of navigational equipment, etc. All significant activities associated with the port
should be considered. Generic hazards should be broken down into specific hazards,
from which a set of initiating events or failure modes should be developed. It is
important not to discard any initiating event based on ‘it could never happen here’;
hazards may be eliminated after risk assessment has been carried out.
• What is a suitable and sufficient risk assessment? In the qualitative approach, a
good SMS should demonstrate that risks have been reduced by implementing measures
to eliminate and/or minimise hazards and mitigate consequences. While it may be
difficult to eliminate some hazards related to external factors, it may be possible to do so
with hazards related to operations. In other words, some operations can be re-designed
in such a way as to eliminate hazards from the ‘source’. A minimisation of hazards can
be achieved by placing more independent barriers along a potential hazard path. ALARP
can be demonstrated by showing that all possible barriers are in place, or that there are
more barriers than specified by the acceptance criteria. A suitable risk assessment can
then be defined as fit for the purpose, and sufficiently extensive not to require additional
effort in ALARP demonstration. The main advantage of this approach is that it is simple
and can be done ‘in house’. If structured as shown in this paper, it can be very efficient.
The ‘bow tie’ diagram is easy to communicate to the port personnel, and it is readily
understood. Since it ‘forces’ the management to relate management activities and tasks
to hazard barriers and recovery actions, it is also a tool for day-to-day management of
navigation and other marine operations. An additional quantification would then reinforce and demonstrate the suitability and sufficiency of risk assessment.
References
[1] DETR, Review of the Pilotage Act 1987, HMSO 1998, ISBN 0 11 753471 4.
[2] THESIS Version 2.02 — The Health, Environment and Safety Information System, User Guide, EQE
International, July 1998.
[3] V.M. Trbojevic, L.J. Bellamy, P.G. Brabazon, O.T. Gudmestad, W.K. Rettedal, Methodology for the
Analysis of Risks During the Construction and Installation Phases of an Offshore Platform, Special Issue:
Safety on offshore process installation: North Sea, J. Loss Prev. Process Ind., Vol. 7, No. 4, 1994.
[4] The Health and Safety at Work Act 1974, HMSO 1991, ISBN 0 10 543774 3.