1.1 This report details one example of how formal safety assessment methods can be applied to Rescue Boat, equipment and procedures. The methods described adhere to the International Code of Safety for High Speed Craft - HSC Code (International Maritime Organization, London 1995) and the 2000 HSC Code (International Maritime Organization, London 2001). Other recognised systems for conducting risk assessments may be used, as appropriate.
2. Functional assessment
2.1 Carry out a functional assessment of the system in question. This process can be assisted by first generating a diagrammatic functional breakdown. Define ‘systems’, ‘sub-systems’ and ‘components’ and determine identification numbers: these items can represent not only physical equipment, but also the associated procedures and the surrounding environment. Functional flow diagrams can be created if considered useful for understanding the relationships between items in a system. Each specified ‘system’, ‘sub-system’ or ‘component’ must be explored and its significant features and functions documented. By carrying out both procedural and equipment assessments, a certain amount of overlap occurs between systems, helping to reduce the chance that any item will be overlooked.
2.2 The breakdown of a system defines to a large extent the level of ensuing safety assessment. However there is no ‘correct’ level: engineering judgement must be used to balance the time taken to carry out the safety assessment with the results achieved. In many cases an appropriate level will automatically be reached.
3. Failure mode, effect and criticality analysis
3.1 ‘Failure mode, effect and criticality analysis’ (FMECA) is used to systematically determine and record the safety information. The standard FMECA as defined by the HSC Code has been expanded and manipulated to fit Rescue Boat requirements more accurately.
3.2 The functional analysis provides a systematic structure for investigating possible failures. A methodical brainstorm involving relevant design and operational personnel can then be used to generate the information required by the FMECA.
3.3 Each item specified in the functional analysis must be studied in turn, with the
initial aim of identifying all possible failure modes that could occur. A failure mode is a way in which an item can fail, and each failure mode must be given a
must be generated. The effects of each failure mode must also be determined. The aim is to determine the overall effect of the failure at the highest level: these final effects are named ‘end events’ and must be determined at the outset of the FMECA. A qualitative measure of the severity of each event must also be determined at the outset. As such ‘local’ effects can be described as all the effects that occur as a result of the failure that are prior to the end event. The appropriate end events can then be simply chosen from the list.
3.4 By looking at the causes and effects associated with each identified failure mode, possible failure paths (‘a combination of basic events which occur together to produce an end event’) are determined. The failure path leading to a specified end event is also known as a ‘hazard’. In order to facilitate the identification of hazards, key words can be used during the brainstorm to ‘trigger’ thought processes. A list of key words that normally form the basis of a standard HAZOP (HAZard and OPerability) assessment can be used.
3.5 The probability of each identified failure path occurring can be judged using accepted qualitative criteria. The probability is the likelihood that the failure mode will occur and lead to the end event, i.e. the probability of the path, and not just of the failure mode in isolation. Risk is a combination of the likelihood of a failure path occurring and the severity of consequence of the associated end event. Using a risk matrix, a measure of risk (or criticality) can be assigned to each identified failure path.
3.6 A failure mitigation process must be carried out whereby risks considered unacceptable by the FMECA can be mitigated to a level of at least ‘as low as reasonably practicable’.
3.7 This guide details definitions for HAZOP identifiers, failure probabilities, consequence severities and risks. A spreadsheet should be created to store the FMECA information, see Para 8 of this Appendix.
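The following is an added example, not part of this guide or the HSC Code: a minimal model of the FMECA rows described in paragraphs 3.3 to 3.6, using the probability codes of section 5, the severity codes of section 6 and the end events of section 7 of this Appendix. It enforces that every failure path names an end event declared at the outset, that severity is taken from the end event rather than the failure mode, and that probability is judged for the whole path. The risk matrix itself is not reproduced on this page, so the ordinal matrix and the acceptability limit in the code are assumptions for illustration only; the item identifiers and failure modes in the sample rows are constructed.

```python
# Added example (not the guide's own spreadsheet): FMECA rows with end events
# fixed in advance (para 3.3), path probability (para 3.5) and an ASSUMED
# ordinal risk matrix standing in for section 8, which is not reproduced here.
from dataclasses import dataclass, field

PROBABILITY = ["EI", "ER", "R", "RP", "F"]   # least to most likely (section 5)
SEVERITY = ["MI", "MA", "H", "C"]            # least to most severe (section 6)

# End events and their severities as listed in section 7 of this Appendix.
# They are declared before any failure mode is examined.
END_EVENTS = {"E1": "MA", "E3": "H", "E4": "MI", "E5": "C",
              "E6": "H", "E7": "MA", "E8": "MI"}

# ASSUMPTION: criticality = probability rank + severity rank (0..7), and a
# rank of ACCEPT_LIMIT or more is unacceptable and must be mitigated (para 3.6).
ACCEPT_LIMIT = 5

@dataclass
class FailurePath:
    item: str            # id from the functional breakdown (section 2)
    failure_mode: str    # one way in which the item can fail
    end_event: str       # must be one of END_EVENTS
    probability: str     # likelihood of the whole path, not the failure mode alone
    local_effects: list = field(default_factory=list)   # effects before the end event

    def __post_init__(self):
        if self.end_event not in END_EVENTS:
            raise ValueError(f"undeclared end event {self.end_event!r}")
        if self.probability not in PROBABILITY:
            raise ValueError(f"unknown probability code {self.probability!r}")

def severity(path):
    """Severity belongs to the end event, never to the failure mode itself."""
    return END_EVENTS[path.end_event]

def risk(path):
    """Criticality rank from the assumed matrix (higher is worse)."""
    return PROBABILITY.index(path.probability) + SEVERITY.index(severity(path))

def needs_mitigation(path):
    return risk(path) >= ACCEPT_LIMIT

def mitigate(path, new_probability):
    """A mitigation is recorded as a re-judged path probability; returns the new rank."""
    if PROBABILITY.index(new_probability) > PROBABILITY.index(path.probability):
        raise ValueError("mitigation must not make the path more likely")
    path.probability = new_probability
    return risk(path)

if __name__ == "__main__":
    rows = [  # constructed sample rows
        FailurePath("1.2.3", "Engine fails to start", "E1", "RP", ["Boat cannot be sent to sea"]),
        FailurePath("2.1.1", "Lifejacket not worn", "E5", "R", ["Man overboard unsupported"]),
        FailurePath("1.4.2", "VHF handset damp", "E4", "F", ["Reduced comms range"])]
    for p in rows:
        print(p.item, p.failure_mode, p.end_event, severity(p), risk(p), needs_mitigation(p))
```

Only the rows flagged by `needs_mitigation` go through the paragraph 3.6 mitigation pass, and re-running `risk` after `mitigate` shows whether the path has reached the assumed acceptable level.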
4. HAZOP keywords
Key word                      Parameter
Operation – No action         Intended action did not occur; action not possible.
Operation – More action       More than intended occurs; other actions affecting this action occur – operator assumes that he is intended to conduct additional actions.
Operation – Less action       Action does less than intended – equipment does not perform as required – insufficient time to complete action.
Operation – Extra action      Extra actions carried out other than what was intended.
Operation – Incorrect action  Operator conducts wrong action – misses out a step in the action process, etc.
Environment – Wind            What is the effect of wind – what is the limiting speed?
Environment – Waves           What is the effect of waves – what is the limiting size?
Environment – Surf            What is the effect of surf – what are the limiting factors?
Environment – Night           What effect does night time have?
Environment – Day             Are we limited to day time only?
Environment – Visibility      Is visibility a limiting factor?
Environment – Temperature     Does heat/cold have an effect – what are the limits?
Effect – Stability            Will anything have an effect on boat stability?
Effect – Structure            Will anything have an effect on boat structure / fittings?
Effect – Fire                 Will anything induce a fire?
Effect – Safety               Will anything require personal protective equipment, etc.?
Effect – Training             Requirements for specific training?
5. Probability definitions
FMECA Code  Probability           Definition
F           Frequent              Likely to occur often during the operational life of a particular craft.
RP          Reasonably probable   Unlikely to occur often but may occur several times during the total operational life of a particular craft.
R           Remote                Unlikely to occur to every craft but may occur to a few craft of a type over the total operational life of a number of craft of the same type.
ER          Extremely remote      Unlikely to occur when considering the total operational life of a number of craft of the type, but nevertheless should be considered as being possible.
EI          Extremely improbable  An event that is so extremely remote that it should not be considered as possible to occur.
6. Severity definitions
FMECA Code  Severity      Definition
MI          Minor         An event or failure which can be readily compensated for by the crew. A small increase in operational duties or in the difficulty of performing duties. A moderate degradation in operational performance. A slight modification of the permissible operating conditions.
MA          Major         A significant increase in operational duties or in the difficulty of performing those duties, but not beyond their capability provided another major effect doesn’t occur simultaneously. A significant degradation in operational performance. A significant modification of the permissible operating conditions but will not preclude a safe mission.
H           Hazardous     A dangerous increase in operational duties or in the difficulty of performing those duties: crew cannot be expected to cope. A dangerous degradation in operational performance and strength of the rig. Marginal conditions for crew. Injury to crew or public. An essential need for outside assistance.
C           Catastrophic  Crew fatality. Public fatality. Loss of the boat.
7. End events
7.1 The following list demonstrates how end events are created prior to beginning the FMECA. Each end event is coded and a severity is associated with it. Appropriate end events of this form must be created for each FMECA.
FMECA Code  End effect                                                                Details                                                                                                                                                                                            Severity
E1          Boat off service, i.e. cannot embark on service, taken off station        Boat cannot be sent to sea. Boat cannot be recovered. Boat off service due to trailer fault, crew fault, tractor fault or boat fault.                                                           Major (MA)
E2          Greatly reduced operational effectiveness                                 Mission-threatening damage or equipment failure on boat, i.e. loss of all propulsive or electrical power, total loss of comms., man overboard, reduced stability or buoyancy, capsize.        (not given in source)
E3          Loss of boat                                                              Uncontrollable fire, boat sinks, boat won’t right after capsize, separation from boat.                                                                                                            Hazardous (H)
E4          Reduced operational effectiveness                                         Equipment failure on boat but not mission threatening.                                                                                                                                             Minor (MI)
E5          Death or disability                                                       Permanent or life-threatening injury of boat crew, shore crew, public or survivors. Loss of limbs. Death.                                                                                           Catastrophic (C)
E6          Hospitalisation                                                           Broken limbs, major cuts.                                                                                                                                                                          Hazardous (H)
E7          Major personnel injury                                                    Requires First Aid and possible trip to casualty. Time off work required.                                                                                                                          Major (MA)
E8          Minor personnel injury                                                    Small cuts and bruises. Anything that can be treated by minor First Aid.                                                                                                                           Minor (MI)
8. Risk Matrix
[Risk matrix not reproduced in this extract. Its rows are the probability categories (Frequent, Reasonably probable, Remote, Extremely remote, Extremely improbable) and its columns the severity categories (Minor, Major, Hazardous, Catastrophic); the cell entries are not available here.]
9. Risk Definitions