Risk-Based Methodology, the ISM Code and Vessel Safety Management Systems
Dr. Vladimir M. Trbojevic, EQE International Ltd.

A number of accidents in the chemical, oil and gas, shipping and nuclear industries have, over the past decade or so, increased the public and political pressure to improve the safety which protects people and the environment. In the evolution of the approach to safety and loss prevention, it is clear that there has been an increasing move towards risk management, as opposed to more technical solutions.

The reason for this evolutionary trend is simple: while design standards and technical solutions have improved, major accidents continue to occur as a function of failures in the safety management system. The underlying causes of failure are increasingly viewed as originating not in the failure of the front-line technical and human control systems, but in the safety management practices that are supposed to keep them in place. Regulations in hazardous industries reflect that, and the shipping industry, with the introduction of the ISM Code, is no exception.

It is important to recognize that it is the major accidents in hazardous industries that have focused attention on the Safety Management System. A major accident has the potential to cause multiple fatalities, extensive pollution, or huge losses. In any hazardous system there are a number of barriers to failure, both human and hardware, such as the competence of personnel and the structural integrity of a ship. So, there are two pre-requisites for accident prevention, preparedness and response in operating a hazardous system:

Safe design of the physical technical components of the system, in the sense that the foreseeable hazards can be controlled;

Ensuring that people operate the physical systems within the boundary conditions for which they were designed.

For the shipping industry the ISM Code not only introduces a Safety Management System but particularly addresses hazard management. It establishes a link between the identified risk controls and the activities the vessel crew have to undertake to ensure effective risk management.

The ISM Code does not demand specific safety studies such as hazard identification or risk assessment. It does, nonetheless, require safeguards to be established against all identified risks (para. 1.2.2.2), and that the company can respond at any time to hazards, accidents and emergency situations involving ships (para. 1.4.5). These requirements imply that those hazards and risks are identified. The first step is clearly defining the risk management process.

Table 1: Risk Management Process

RISK MANAGEMENT
The risk management process provides a structured approach to hazard identification, risk evaluation, and the development of risk controls to prevent hazard release and/or mitigate the consequences of such release. The essential steps of the risk management process are presented in Table 1.

Table 2: List of Hazards

HAZARD IDENTIFICATION
Hazard identification is the first and, in many ways, the most important step in a risk assessment. The aim of the hazard identification is to produce a comprehensive list of all foreseeable hazards.

It is important to distinguish between hazards and consequences. A ship 'grounding' is considered a possible consequence of hazards related, for example, to navigation error/failure, and not as a hazard itself. Similarly, 'navigation,' 'ship manoeuvring,' etc. are considered as hazardous operations because a component failure could lead to a chain of unwanted outcomes.

An example is the interaction of a tanker with a port. A possible hazard list developed for tanker operations in a port is presented in Table 2.

A hazard analysis approach considered suitable for vessels is based on a 'bow-tie' diagram. This assumes that each specific hazard can be represented by one or several threats that have the potential to lead to a top (initiating) event.

Figure 1: Bow Tie Diagram

In the example shown in Figure 1, the top event is 'vessel not under command,' which can be initiated by loss of propulsion, loss of steering, loss of electrical power, or a duty officer error. Consequences of the 'vessel not under command' can be grounding, collision, drifting vessel, etc.

Figure 2: Risk Matrix

RISK ASSESSMENT
Risk can be qualitatively assessed using a risk matrix. A typical matrix has rows representing increasing severity of consequences of a released hazard and columns representing increasing likelihood of these consequences (Figure 2).

The matrix indicates the combinations of likelihood and consequence. Typically there are three regions: an area of broadly acceptable risk in which risk has to be managed for continuous improvement, an intermediate region in which risks have to be reduced to a level which is as low as reasonably practicable, and an intolerable region.

CONTROL
For each threat one or several 'barriers' (risk controls) can be specified to prevent or minimise the likelihood of hazard release. In the example in Figure 3, the barriers to the 'loss of propulsion' are 'monitoring failsafe devices and interlocks,' 'monitoring fuel systems and supply,' and 'correct operational procedures.'

For any barrier there may be internal or external factors which affect its effectiveness. For example, some failsafe devices and interlocks may not be operational due to lack of maintenance, in which case the first barrier will fail. To prevent escalation of a hazard, additional control measures can be specified (escalation factor control), Figure 3.

Figure 3: Barriers, Escalation Factors and Controls

RECOVERY MEASURES
If all barriers are breached, the incident (top event) can escalate to unwanted consequences. To prevent escalation, the mitigation measures, emergency preparedness (recovery) and escalation control measures need to be in place to stop the chain of events from propagating and/or to minimize the consequences of escalation. This is shown graphically in Figure 4, where a 'vessel not under command' has occurred and the emergency (recovery) mode is triggered to avoid, in this example, grounding.

Figure 4: Recovery Preparedness Measures

Recovery measures that would prevent this are 'start emergency generators,' 'start main generators,' 'execute recovery plan,' 'drop anchors,' and 'call tug assistance.' Each recovery measure can be associated with one or several failure modes, and to prevent the escalation, the additional control measures can be specified.
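The bow-tie for 'loss of propulsion' described above can be walked as a small model. This is an added example, not part of the original article. It assumes that one holding barrier contains the threat and that one working recovery measure prevents grounding; the control name "planned maintenance checks" is constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    """A barrier or recovery measure, with escalation factors that can defeat it."""
    name: str
    # escalation factor -> escalation factor control that neutralises it
    escalation: dict = field(default_factory=dict)

    def holds(self, failed, factors, controls_in_place):
        if self.name in failed:
            return False
        # An active escalation factor defeats this control unless its own
        # escalation factor control is in place.
        return all(c in controls_in_place
                   for f, c in self.escalation.items() if f in factors)

# Threat, barrier and recovery names come from the article.
# "planned maintenance checks" is a constructed escalation factor control.
BARRIERS = {
    "loss of propulsion": [
        Control("monitoring failsafe devices and interlocks",
                {"lack of maintenance": "planned maintenance checks"}),
        Control("monitoring fuel systems and supply"),
        Control("correct operational procedures"),
    ],
}
RECOVERY = [Control(n) for n in (
    "start emergency generators", "start main generators",
    "execute recovery plan", "drop anchors", "call tug assistance")]

def evaluate(threat, failed=(), factors=(), controls_in_place=()):
    """Walk the bow-tie left to right and report where the event chain stops."""
    args = (set(failed), set(factors), set(controls_in_place))
    # Left side: assumed that any one holding barrier contains the threat.
    holding = [b.name for b in BARRIERS[threat] if b.holds(*args)]
    if holding:
        return {"outcome": "threat contained", "holding": holding}
    # Right side: top event has occurred; assumed that any one working
    # recovery measure prevents the consequence.
    recovering = [r.name for r in RECOVERY if r.holds(*args)]
    if recovering:
        return {"outcome": "vessel not under command, recovered",
                "holding": recovering}
    return {"outcome": "grounding", "holding": []}
```

Calling `evaluate("loss of propulsion", factors=["lack of maintenance"])` shows the first barrier dropping out of the holding list while the other two still contain the threat.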

LINKING RISK CONTROLS TO MANAGEMENT ACTIVITIES
The most significant development in this approach is the linkage of hazard barriers and recovery measures to the operating procedures and the safety-critical activities and tasks carried out by the crew and the management. The safety-critical activity integrates the safety objectives, strategy and review (at the senior management level), operating procedures (at a technical support level), responsibilities related to planning and executing work (at an operational level), and at task level, the responsibility for direct management of control or recovery measures, as shown graphically in Figure 5.

Figure 5: Specification of Safety Critical Activity

CONCLUSIONS
The main advantages of this risk management approach are:

it is easily understood by all parties involved;

accountability and responsibilities are well defined;

every crew member clearly knows how his/her task is linked to hazard management;

risk management can be demonstrated to the clients, regulators and insurers.


Copyright 1999 American Bureau of Shipping. All rights reserved.