T19 Hazard Identification Skjong

SAFEDOR – The Mid Term Conference, May 2007.

HAZARD IDENTIFICATION

R Skjong, Det Norske Veritas, Norway

SUMMARY

Hazard identification is the first step in the Formal Safety Assessment (FSA) process and is also a crucial step in the Risk Based Design (RBD) and Approval Process. In SAFEDOR, hazard identifications have been carried out in the four FSA studies, in many of the RBD projects and also in an early phase of the tool development projects. The paper will give a short introduction to the basic terminology and the various available Hazid techniques, and explain benefits and weaknesses of available methods, like Structured What-If Techniques (SWIFT), What-If/Checklist Analysis, HAZOP and FMEA. Emphasis will also be placed on the selection of experts who participate in the Hazid. As described in the FSA guidelines, the Hazid contains a subjective ranking of hazards. Based on the experience from SAFEDOR and other projects, the paper will give some hints on how this could best be carried out, together with some known pitfalls. The paper ends with a general description of the experience with Hazids carried out in SAFEDOR.

NOMENCLATURE

FMECA  Failure Mode Effect and Criticality Analysis
FMEA   Failure Mode Effect Analysis
FSA    Formal Safety Assessment
GBS    Goal Based Standard
IACS   International Association of Classification Societies
HAZID  Hazard Identification
HAZOP  Hazard and Operability Study
HSC    High Speed Craft
RBA    Risk Based Approval (Approval of RBD)
RBD    Risk Based Design
SWIFT  Structured What If Technique

1. INTRODUCTION

Hazard Identification techniques were developed to anticipate problems before they occurred, and are one of the main reasons FSA and risk analysis are said to be proactive.

Figure 1: Steps of Formal Safety Assessment (IACS)

The objective of Step 1 of a risk analysis or Formal Safety Assessment, Hazard Identification (see Figure 1), is to identify all relevant hazards and to generate a prioritised list of accident scenarios. Because hazards not identified cannot be analysed, proper risk reduction can only be applied effectively after the hazards are properly identified.

A hazard is a physical situation with a potential for human injury, damage to property, damage to the environment or some combination of these. It describes some inherent property (of a procedure or system for instance) that has the potential to develop into an accident in adverse circumstances and thereby cause harm. The most simplistic definition is maybe simply to say that a hazard is "Something that has the potential to cause harm".

Hazard identification by formal methods has been performed in other industries for more than 40 years. Other, less systematic reviews have been performed for even longer. Over the years, hazard assessment studies have been called by different names. Hazard evaluation, Process Hazard Analysis, Process Safety Review and Hazard Study have been the popular terms used as synonyms for hazard assessment. However, the specific terms used are not important as long as the people involved know what is meant when these different terms are used.

Hazard identification studies can occasionally be performed by a single person, depending upon the specific needs for the analysis, technique selected, the perceived hazard of the situation being analysed, and the resources available. However, most high quality hazard identification studies require the combined efforts of a multidisciplinary team – and the process starts by a brainstorming type of activity. In most FSA studies, in particular the high level FSAs as performed in SAFEDOR, a multidisciplinary team of experts has always been used. The HAZID team uses the combined experience and judgement of its members to identify potential problems



and to determine if the identified problems are serious enough to warrant analysis.

2. HAZID

2.1 METHODS

There are a number of techniques that can be used for the activities involved in Step 1. The following is a list of the most common ones that can be used in the maritime industry:

- What-If / Checklist Analysis
- Hazard and Operability Analysis
- Failure Modes and Effects Analysis
- Failure modes, effects and criticality analysis (FMECA)
- Fault Tree Analysis as Hazid
- Task Analysis

In this brief paper it is not possible to describe all these techniques in any detail. Readers are referred to general literature on risk assessment, which normally contains a chapter on hazard identification, and to training courses, like the International Association of Classification Societies’ (IACS) training course on FSA.

The following sections contain only a brief description of the Structured What If Technique (SWIFT), which is the technique that has been used in most high level FSA studies so far. Other techniques are commonly used for more detailed studies; for example, the industry is quite used to using FMEA or FMECA for analysing ship systems. For High Speed Craft (HSC) this technique is also required by the HSC Code.

2.2 SWIFT

2.2 (a) General Description

SWIFT is a systematic team-oriented technique for hazard identification (HAZID). It can be contrasted with other HAZID techniques as follows:

• SWIFT can be used to address systems and procedures at a high level. It considers deviations from normal operations identified by brainstorming, supported by checklists.

• Standard HAZOP (hazard and operability study) is usually applied to process flow at a detailed piping & instrumentation level, and identifies deviations from design intent by means of guide-words. It may be noted that in the marine industry the term HAZOP is often used loosely where the term HAZID (for an operation) would be more appropriate.

• FMEA (failure modes and effects analysis) addresses hardware at the level of detailed equipment items, and does not usually consider the human element.

SWIFT, like standard HAZOP, can be used to address operability issues as well as safety hazards. SWIFT may be used simply to identify hazards for subsequent quantitative evaluation, or alternatively to provide a qualitative evaluation of the hazards and to recommend further safeguards where appropriate.

SWIFT, like any group-based HAZID technique, relies on expert input from the team to identify and evaluate hazards. The SWIFT facilitator’s function is to structure the discussion. The SWIFT recorder keeps an on-line record of the discussion on a standard log-sheet. At the end of the HAZID sessions the HAZID report is therefore final and agreed by the team members. With the exception of minor updates/corrections, a HAZID report cannot be changed after the meeting.

On a detailed level, there is no single standard approach to SWIFT - one of its strengths is that it is flexible, and can be modified to suit each individual application.

2.2 (b) Selection of the Team

Not surprisingly, one of the most crucial points is the selection of the Hazid team. This team has to be selected based on a description of the qualification or competence of each participant, coupled with the qualification needs for the specific topic studied. The technique requires experienced people to be successful. Usually there is little duplication of qualifications in the team. It may therefore be necessary that the team leader keep a list of deputies for each participant, as one no-show at the meeting may disqualify the team. It is also important not to include the decision makers in the team, to look for creative people and to avoid overly dominant persons.

As an example, the following qualification was used in the HAZID on ballast water exchange for bulk carriers MEPC45/2/1 [1]: Structures/Strength, Stability, Hydrodynamics, Machinery/Electrical, Piping and Systems, Operation (Captain) and Human Element (Psychologist). Typically, including the facilitator and the recorder, the team will be about 7-11 people.

2.2 (c) Initiating the HAZID

At the start of the HAZID the facilitator is responsible for: verifying that the team is qualified, presenting the background information (drawings/data/etc), explaining the approach to be used and ensuring that all participants understand the issues. This will typically result in an extensive discussion between participants, where each profession contributes.


2.2 (d) Brainstorming (Diverging phase)

The brainstorming part of the HAZID is the most important part in ensuring that all hazards are covered. Brainstorming is a technique for tapping the creative thinking of a team to generate and clarify a list of ideas, problems and issues. This creativity is generated in the interaction of a team with diverse backgrounds. The success of the study requires that all participants freely express their views, and participants should refrain from criticising each other and thereby stifling the creative process. This creative activity combined with the use of a systematic protocol for examining hazardous situations helps improve the thoroughness of the study. Key hazards are recorded.

2.2 (e) Converging phase

This is the phase that takes most time. The team goes through the list of hazards from the brainstorming session in an agreed sequence (e.g. following a timeline, or from dominating to less dominating hazard). In this process the team records the hazard, causes (may be multiple), consequences, risk control options in place, and proposed new risk control options. This is recorded in tables. Usually, the team will find that some of the ‘hazards’ from the brainstorming belong under causes or consequences after renaming the hazard. In this phase, if time allows, and the issues are well understood, the team may also decide to develop the accident scenarios.

2.2 (f) Ranking

The ranking of hazards is very well described in the IMO FSA Guidelines [1], and is not repeated here. The recorder should prepare a spreadsheet with the list of hazards, with columns for the Severity Index and the Frequency Index from each participant, and include calculation of mean values and e.g. extremes. The participants should preferably write down their evaluation independently, before this is entered into the spreadsheets. As the description of hazards may be open to diverging interpretations, it is recommended that the participants record the consequence index first, and then the frequency index (conditional on the consequence index). If time allows, the participants that have assigned the extreme indices should defend their assignment. The ranking may thereafter be redone (like a Delphi session).

2.2 (g) Reporting

There are many good examples of the reporting already submitted to IMO (e.g. [1] mentioned before). Most importantly, it should be noted that the result of the HAZID is an agreed list of hazards by the team of experts participating. The HAZID is subjective. Further analysis in later steps of the risk analysis may show that the team was not correct in its assessment. This is not a failure of the hazard identification. A failure of a HAZID is rather associated with later observing that important hazards were not identified, e.g. during later analysis or following an accident.

3. SOME EXPERIENCE

3.1 The Facilitator

In SAFEDOR and also other projects we have seen some examples of Hazids that have been carried out without a trained Hazid facilitator. When this happens the Hazid is largely wasted time, as the information collected is not well organised, and the report from the meeting can end up going back and forth between the participants many times before the report is agreed. The advice here is that an expert should not become facilitator without training, and should have some experience both with the subject of the analysis and of HAZID techniques. For example, it could be an idea to act as recorder for an experienced facilitator before acting as facilitator.

3.2 The Team

The team selection is a challenge, in particular because one no-show may disqualify a team. As most teams in shipping are international this requires good planning, including a back-up plan. There is also a tendency to see the HAZID team as representatives of the stakeholders. This is a misunderstanding; the team is put together based on qualification, not based on which interests the individuals represent.

It is also not uncommon that the team lacks members with up to date operational experience. This is very crucial for the result, and strongly linked to the possibility of being proactive. If there are genuinely new hazards, those personnel with current operational experience are most likely to know. It usually takes some years before new trends show up in the data-bases.

3.3 Ranking

It is known from many HAZIDs that the team gets into a mood that can become excessively pessimistic. This may result in rather conservative assignment of risks to hazards. It is therefore important that the facilitator explains the risk indices properly, and perhaps uses historic data to suggest that the perception of the team may be biased.


Table 1: Frequency Indices

| FI | Frequency | Definition | F/ship-year |
|----|-----------|------------|-------------|
| 8 | Very Frequent | Likely to happen once or twice a week | 100 |
| 7 | Frequent | Likely to occur once per month on one ship | 10 |
| 6 | Probable | Likely to occur once per year on one ship | 1 |
| 5 | Reasonably Probable | Likely to occur once per year in a fleet of 10 ships, i.e. likely to occur a few times during the ship’s life | 0.1 |
| 4 | Unlikely | Likely to occur once per year in a fleet of 100 ships | 0.01 |
| 3 | Remote | Likely to occur once per year in a fleet of 1,000 ships, i.e. likely to occur in the total life of several similar ships | 0.001 |
| 2 | Very Remote | Likely to occur once per year in a fleet of 10,000 ships | 0.0001 |
| 1 | Extremely Remote | Likely to occur once in the lifetime (20 years) of a world fleet of 5,000 ships | 0.00001 |

In the SAFEDOR project it was also felt necessary to extend the IMO Frequency Indices (Table 1) and to extend the Severity Indices to cover monetary losses and damage to the environment, see Table 2 (Appendix). The resulting risk indices are shown in Table 3. It is noted that the same approach as described in [2] has been used:

Risk = Frequency x Consequence

Therefore

Log (Risk) = Log (Frequency) + Log (Consequence)

And therefore (with the indices defined):

RI = FI + SI

4. CONCLUSIONS

Hazard identification techniques have been developed and used in other industries for a period of at least forty years. The techniques are well documented in the general risk literature, and only few adaptations are needed for use by the maritime industry. However, the techniques are not necessarily easy to use. Whilst many hazard identification reports are of high quality, some errors are made relating to techniques used and selection of participants. It is therefore emphasised that the job as HAZID facilitator is demanding and requires training.

5. ACKNOWLEDGEMENTS

The work reported in this paper has been carried out under the SAFEDOR project, IP-516278, with partial funding from the European Commission. The opinions expressed are those of the authors and should not be construed to represent the views of the SAFEDOR partnership.

6. REFERENCES

1. IACS (2000) ‘IACS Hazard Identification (HAZID) of Ballast Water Exchange at Sea - Bulk Carriers’, MEPC 45/2/1

2. IMO (2002) ‘Guidelines for Formal Safety Assessment (FSA) for use in the IMO rule-making process’, MSC Circ1023, MEPC Circ392

7. AUTHORS’ BIOGRAPHIES

Dr Rolf Skjong’s current position is Chief Scientist for Risk and Reliability in DNV. He is chairman of the IACS Expert Group on FSA, and is adviser for Norway on FSA and GBS at IMO. He has 25 years of experience with probabilistic analysis/design, risk analysis, risk based design and structural reliability analysis.


8. APPENDIX

Table 2: Severity Indices, including monetary losses and damages to the environment

Table 3: Risk Indices resulting from the extended frequency and severity indices
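
The ranking sheet from section 2.2 (f), combined with RI = FI + SI and the decade spacing of Table 1, worked through as an added example (not part of the original paper). The hazards, participant scores and the SPREAD_LIMIT threshold are constructed assumptions, as is taking the team's RI from the mean indices.

```python
from statistics import mean

# Constructed sample sheet: hazard -> {participant: (SI, FI)}.
# Hazard names and scores are illustrative, not taken from any SAFEDOR HAZID.
SHEET = {
    "Flooding of cargo hold": {
        "Structures": (4, 3), "Stability": (4, 4), "Machinery": (3, 4),
        "Captain": (4, 6), "Psychologist": (5, 4)},
    "Ballast pump failure": {
        "Structures": (2, 5), "Stability": (2, 5), "Machinery": (2, 6),
        "Captain": (2, 5), "Psychologist": (2, 5)},
    "Crew fatigue during exchange": {
        "Structures": (3, 4), "Stability": (3, 4), "Machinery": (3, 4),
        "Captain": (3, 5), "Psychologist": (4, 5)},
}

SPREAD_LIMIT = 2  # assumption: a max-min gap this large triggers a defence round


def frequency_per_ship_year(fi):
    """Table 1 steps one decade per index, with FI = 6 at 1 per ship-year."""
    return 10.0 ** (fi - 6)


def summarise(index_by_person):
    """Mean and extremes of one index, plus who assigned the extremes."""
    lo, hi = min(index_by_person.values()), max(index_by_person.values())
    defend = []
    if hi - lo >= SPREAD_LIMIT:
        defend = [p for p, v in index_by_person.items() if v in (lo, hi)]
    return {"mean": mean(index_by_person.values()), "min": lo, "max": hi,
            "defend": defend}


def rank_hazards(sheet):
    """One row per hazard, highest mean risk index first (RI = FI + SI)."""
    rows = []
    for hazard, scores in sheet.items():
        si = summarise({p: s for p, (s, _) in scores.items()})
        fi = summarise({p: f for p, (_, f) in scores.items()})
        rows.append({
            "hazard": hazard, "SI": si, "FI": fi,
            "RI": round(si["mean"] + fi["mean"], 2),
            # Averaging a log-scale index gives the geometric mean frequency.
            "F_per_ship_year": frequency_per_ship_year(fi["mean"]),
        })
    return sorted(rows, key=lambda r: r["RI"], reverse=True)


if __name__ == "__main__":
    for row in rank_hazards(SHEET):
        print(f'{row["RI"]:>5}  {row["hazard"]}  '
              f'defend SI={row["SI"]["defend"]} FI={row["FI"]["defend"]}')
```

The "defend" lists name the participants who would be asked to justify their extreme indices before the ranking is redone.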