Project
NAME:
Passing vessel collision event tree2.sbmx
DESCRIPTION
Event tree description of ship colliding with an offshore installation. Project is divided into two diagrams; the first diagram assesses the damage to the assets, the second the consequences for fatalities. The output of the first diagram (slow and fast collapse) is used as conditional input to the second diagram. Note that the "ancestor" rule is used to accept that the two inputs to the AND gates both are events (frequencies). Because all events originate from the "ship collision" event (initial condition in both diagrams, the "ancestor" of all events in the project), it is acceptable.
Last diagram shows how results can be summed.
Initial Event
NAME:
Ship collision
Expected Frequency of Occurrence per Year:
0.000624
Intermediate Event
NAME:
Platform manned
Expected Frequency of Occurrence per Year:
0.000624
Consequence
NAME:
Platform not manned - no fatalities
Expected Frequency of Occurrence per Year:
0
Intermediate Event
NAME:
Prev evacuation
Expected Frequency of Occurrence per Year:
6.24E-6
Intermediate Event
NAME:
No Prev evacuation
Expected Frequency of Occurrence per Year:
0.0006178
Consequence
NAME:
Preventive evacuation by helicopter - no fatalities
Expected Frequency of Occurrence per Year:
3.12E-6
Intermediate Event
NAME:
Preventive evacuation by Lifeboat
Expected Frequency of Occurrence per Year:
3.12E-6
Intermediate Event
NAME:
No Collapse
Expected Frequency of Occurrence per Year:
0.0005242
Intermediate Event
NAME:
Collapse due to impact
Expected Frequency of Occurrence per Year:
9.984E-5
Consequence
NAME:
Slow collapse
Expected Frequency of Occurrence per Year:
0.0001023
DESCRIPTION
Consequence
NAME:
Fast collapse
Expected Frequency of Occurrence per Year:
4.992E-5
DESCRIPTION
Intermediate Event
NAME:
Riser Fire and possible collapse
Expected Frequency of Occurrence per Year:
5.242E-5
Intermediate Event
NAME:
No Riser Fire - No Fatalities
Expected Frequency of Occurrence per Year:
0.0004717
Consequence
NAME:
Many Fatalities due to Fast collapse
Expected Frequency of Occurrence per Year:
2.471E-5
Consequence
NAME:
Fatalities POB evacuation by lifeboat
Expected Frequency of Occurrence per Year:
5.066E-7
Consequence
NAME:
Minor damage
Expected Frequency of Occurrence per Year:
0.0004057
Consequence
NAME:
Significant damage
Expected Frequency of Occurrence per Year:
6.604E-5
Consequence
NAME:
Fatalities Preventive evacuation by Lifeboat
Expected Frequency of Occurrence per Year:
1.56E-8
Intermediate Event
NAME:
Fast Collapse and POB in the water
Expected Frequency of Occurrence per Year:
4.942E-5
Intermediate Event
NAME:
Slow Collapse, POB evacuate
Expected Frequency of Occurrence per Year:
0.0001013
Consequence
NAME:
Total individual risk
Expected Frequency of Occurrence per Year:
2.523E-5
Barrier Diagram
NAME:
Passing Vessel Collision Event tree asset damage
DESCRIPTION
Event tree for asset damage assessment in case of ship collision
Event Tree Branch
NAME:
Significant damage?
Event Tree Branch
NAME:
Riser failure and fire?
OR Gate
NAME:
Slow collapse
Event Tree Branch
NAME:
Total Platform collapse?
Event Tree Branch
NAME:
Fast collapse?
Barrier Diagram
NAME:
Passing Vessel Collision Event tree fatality's assessment
DESCRIPTION
Event tree for consequence assessment on personal risk due to ship collision. Note that when the fatality factors (in the conditional probabilities on the rght hand side of the diagram) are considered as personal exposure factors, the frequencies of the outputs can be considered as the individual risk of fatality.
(see third diagram for summation).
Note that the "preventive evacuation" could have been replaced by a barrier (the evaciuation is a barrier function)
Event Tree Branch
NAME:
Preventive evacuation?
DESCRIPTION
Event Tree Branch
NAME:
Evacuation by helicopter?
Event Tree Branch
NAME:
Fatality POB evacuate prev.
AND Gate
NAME:
Fast collapse condition
AND Gate
NAME:
slow collapse condition
Event Tree Branch
NAME:
Fatality POB evacuate
Event Tree Branch
NAME:
Fatality POB in water
Event Tree Branch
NAME:
Platform manned?
Barrier Diagram
NAME:
Individual risk summation
OR Gate
NAME:
Sum
| Barrier Diagram | Consequence | Prob./Expected Freq. | (Unit) | Severity |
|---|---|---|---|---|
| Passing Vessel Collision Event tree asset damage | Significant damage | 6.604E-5 | Expected Frequency of Occurrence per Year | 0: No Consequences |
| Passing Vessel Collision Event tree asset damage | Minor damage | 0.0004057 | Expected Frequency of Occurrence per Year | 0: No Consequences |
| Passing Vessel Collision Event tree asset damage | Slow collapse | 0.0001023 | Expected Frequency of Occurrence per Year | 5.1: Major Accident - <10 fatalities/limited damage to the environment |
| Passing Vessel Collision Event tree asset damage | Fast collapse | 4.992E-5 | Expected Frequency of Occurrence per Year | 5.1: Major Accident - <10 fatalities/limited damage to the environment |
| Passing Vessel Collision Event tree fatality's assessment | Preventive evacuation by helicopter - no fatalities | 3.12E-6 | Expected Frequency of Occurrence per Year | 0: No Consequences |
| Passing Vessel Collision Event tree fatality's assessment | Fatalities Preventive evacuation by Lifeboat | 1.56E-8 | Expected Frequency of Occurrence per Year | 5.1: Major Accident - <10 fatalities/limited damage to the environment |
| Passing Vessel Collision Event tree fatality's assessment | Fatalities POB evacuation by lifeboat | 5.066E-7 | Expected Frequency of Occurrence per Year | 5.1: Major Accident - <10 fatalities/limited damage to the environment |
| Passing Vessel Collision Event tree fatality's assessment | Many Fatalities due to Fast collapse | 2.471E-5 | Expected Frequency of Occurrence per Year | 5.2: Major Accident - >10 fatalities/extensive damage to the environment |
| Passing Vessel Collision Event tree fatality's assessment | Platform not manned - no fatalities | 0 | Expected Frequency of Occurrence per Year | 0: No Consequences |
| Individual risk summation | Total individual risk | 2.523E-5 | Expected Frequency of Occurrence per Year |
| Barrier Diagram | Critical Event | Prob./Expected Freq. | (Unit) |
|---|
| Expected Frequency of Occurrence per Year | 0: No Consequences | 1: Insignificant Consequences | 2: Noticeable Consequences | 3: Significant Consequences | 4: Serious Consequences | 5.1: Major Accident - <10 fatalities/limited damage to the environment | 5.2: Major Accident - >10 fatalities/extensive damage to the environment | |
|---|---|---|---|---|---|---|---|---|
| Frequent | More likely than: 0.1 | |||||||
| Probable | Less likely than: 0.1 | |||||||
| Improbable | Less likely than: 0.001 | Significant damage; Minor damage | Slow collapse; Fast collapse | Many Fatalities due to Fast collapse | ||||
| Very Improbable | Less likely than: 1E-5 | Preventive evacuation by helicopter - no fatalities | Fatalities POB evacuation by lifeboat | |||||
| Negligible | Less likely than: 1E-7 | Platform not manned - no fatalities | Fatalities Preventive evacuation by Lifeboat |
| Barrier | Barrier Diagram | Generic Barrier | Barrier Type | PFD | Description | 1st ARAMIS Item, Manpower Planning and Availability | 2nd ARAMIS Item, Competence and Suitability | 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution | 4th ARAMIS Item, Communication and Coordination | 5th ARAMIS Item, Procedures, rules, and goals | 6th ARAMIS Item, Hard/software purchase, build, interface, install | 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement | 0th ARAMIS Item, Safety Culture | A Risk analysis and selection of safety barriers | B Learning and management of change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | ||||||
| Generic Barrier | Barrier Type | PFD | Description | 1st ARAMIS Item, Manpower Planning and Availability | 2nd ARAMIS Item, Competence and Suitability | 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution | 4th ARAMIS Item, Communication and Coordination | 5th ARAMIS Item, Procedures, rules, and goals | 6th ARAMIS Item, Hard/software purchase, build, interface, install | 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement | 0th ARAMIS Item, Safety Culture | A Risk analysis and selection of safety barriers | B Learning and management of change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | ||||
| Barrier Type | Description | 1st ARAMIS Item, Manpower Planning and Availability | 2nd ARAMIS Item, Competence and Suitability | 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution | 4th ARAMIS Item, Communication and Coordination | 5th ARAMIS Item, Procedures, rules, and goals | 6th ARAMIS Item, Hard/software purchase, build, interface, install | 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement | 0th ARAMIS Item, Safety Culture | A Risk analysis and selection of safety barriers | B Learning and management of change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | ||
| 1 EXCESSIVELY CONSERVATIVE DESIGN AND MECHANICAL REDUNDANCY | DETECTION: Not relevant DIAGNOSE: Not relevant ACTION: Hardware: Resilience and redundancy withstanding physical forces DESCRIPTION "Excessively conservative" means that the relevant characteristics of equipment (e.g. wall thickness) are at least a factor two more than what would be required using state-of-the-art or traditional standards used for that process. Redundancy means that under normal conditions forces are transmitted through multiple independent paths and each path has the capacity to perform the desired function alone. Evaluation of redundancy must consider whether the redundant systems can be affected simultaneously by an accident or deviation (independence). Redundancy that requires an active shift to another system must be perceived as an intervention (not permanent). EXAMPLES Over dimensioned wall thickness, fitted with double steering cables or rods, fitted with double electrical connections. FAILURE MECHANISMS Material failure or installation errors, in particular following maintenance; slow degradation; process conditions that exceed even so the material strength, in particular following changes in process conditions; simultaneous (common cause) failure of redundant systems. | 0.43 | 1 | 0.17 | 1 | 0.1 | 1 | 0.05 | 1 | ||||||||||||
| 2 PERMANENT PASSIVE BARRIER | DETECTION: Not relevant DIAGNOSE: Not relevant ACTION: Hardware: Strength or capacity to handle the deviation or threat. DESCRIPTION Passive Barriers are elements in a system that are constantly present (i.e. they do not need to be activated), and that are installed with the only reason to avoid or limit hazardous situations (i.e. the installation can in principle operate without those barriers). EXAMPLES: Tank bunds, dyke, fire protection, drainage sump, fence, lightning conductors, collision barrier, edge protection, hardware protection against body parts entering hazard zones. FAILURE MECHANISMS: Lacking strength or capacity, construction error, slow degradation, human error causing flaws (e.g. open rain-water drains in tank bunds), removed (e.g. protection) or not installed or not re-installed after maintenance. | 0.43 | 1 | 0.17 | 1 | 0.05 | 1 | 0.1 | 1 | ||||||||||||
| 3 PERMANENT BARRIER: ENERGIZED | DETECTION: Not relevant DIAGNOSE: Not relevant ACTION: Hardware: Capacity to perform the barrier function DESCRIPTION These barriers are constantly present, but need an energy source to work. If activation is required upon certain conditions, consider classification as temporary barrier. EXAMPLES Ventilation, active corrosion prevention, circulation of material, continuous inerting of systems, pilot flames, continuous addition of inhibitors. FAILURE MECHANISMS Not turned on/not activated, lacking capacity, lacking energy supply or material (gas) supply. | 0.13 | 1 | 0.43 | 1 | 0.17 | 1 | 0.05 | 1 | 0.1 | 1 | ||||||||||
| 4 TEMPORARY BARRIER (PASSIVE OR ENERGIZED) | DETECTION: The effect does not depend on the detection of a deviation, but the barrier need to be present or working. DIAGNOSE: Not relevant ACTION: Hardware: Strength or capacity to handle the deviation or threat. DESCRIPTION Barriers temporary put in place or temporary used, depending on a temporary situation (such as maintenance or repair works) or within a specific time spans or locations. Installation and use depends to a high degree on routines, procedures and rules. EXAMPLES Barriers around repair work, blind flanges over open pipes, spades in pipes, inhibitors in substances, personal protection equipment (PPE: e.g. hard hats, safety goggles, safety clothing, safety gloves), clothes and shoes to avoid static electricity, earthing of tanks during (un)loading FAILURE MECHANISMS Not put in place, not donned (PPE), not appropriate for the hazard (chemicals, heat, pressure, wrongly mounted. | 0.29 | 1 | 0.18 | 1 | 0.13 | 1 | 0.09 | 1 | 0.22 | 1 | 0.08 | 1 | 0.04 | 0.75 | 0.03 | 1 | 0.03 | 1 | ||
| 5 RESPECT SAFETY ZONES AND WARNINGS | DETECTION: Detection relates to warnings and signs, not to detection of deviations (passive barrier as regards to deviations). DIAGNOSE: Not relevant ACTION: Behaviour: To respect markings and warning signs: refrain from entering danger zones and refrain from manipulating marked parts of installations. DESCRIPTION Symbols, markings and warning signs (passive, i.e. not alarms) request to perform or refrain from certain behaviour. Implies in general refraining from certain actions (not touching, not operating, not entering not smoking). Respecting danger zones prevents people from getting hurt when deviations occur (mitigating barrier), Awareness of valves closing off dangerous substances may prevent erroneous operation. Note that the barrier consists of the behaviour itself, not the signalling. (Note that marking components such as valves in order to support correct operation is part of a management obligation to provide a sufficiently good human-machine interface and work place, and should NOTbe considered a safety barrier.) EXAMPLES Not entering danger zones (e.g. at cranes or robot stations, open containers, rotating machinery) , refrain from operating valves, avoid contact with hot parts, respecting smoking prohibitions, obeying speed limits. FAILURE MECHANISMS Not respecting signs and markings, lacking signs, unclear signs, and conflicts with work tasks. | 0.1 | 1 | 0.09 | 1 | 0.5 | 0 | 0.5 | 0 | 0.08 | 0.75 | 0.1 | 1 | 0.05 | 1 | ||||||
| 6 PREVENTIVE PROCEDURAL ACTION | DETECTION: Detection concerns attention to situations where the preventive action is required according to procedure, the deviation or threat is not detected. DIAGNOSE: Not relevant ACTION: Behaviour or hardware: To follow rules and procedures which apply to the situation at hand or (activate) automated sequencing through steps in a process. DESCRIPTION The activity is performed as part of a procedure for some operation or step in a process in order to prevent dangerous situations, even when the dangerous situation not necessarily is present. There may be overlap with “Temporary barrier” (e.g. making a ground connection and leaving it in place during the (un)loading), but this barrier focuses on actions performed prior to the hazardous activity, i.e. detached in time. EXAMPLES Venting of closed spaces before entering, venting/emptying hoses before detachment, earthing tankers before (un)loading to prevent static electricity, inerting vessels or reactors before taking into use. FAILURE MECHANISMS Not executing the action, incomplete or faulty execution. | 0.29 | 1 | 0.36 | 1 | 0.2 | 1 | 0.25 | 1 | 0.18 | 1 | 0.08 | 0.75 | 0.1 | 1 | 0.05 | 1 | ||||
| 7 HARDWARE INTERVENTION | DETECTION: Hardware DIAGNOSE: Hardware ACTION: Hardware DESCRIPTION Barriers that by means of direct mechanical-physical principles both detect the deviation and perform the necessary action. EXAMPLES Pressure relief valves, bursting disks, sprinkler heads, explosion relief hatches FAILURE MECHANISMS Insufficient capacity (too small, too slow), wrong set point, blocked (including piping towards the barrier), stuck. | 0.43 | 1 | 0.17 | 1 | 0.1 | 1 | 0.05 | 1 | ||||||||||||
| 8 AUTOMATED INTERVENTION/SAFETY INSTRUMENTED SYSTEM (SIS) | DETECTION: Hardware DIAGNOSE: Hardware/software ACTION: Hardware DESCRIPTION Automated intervention by a system of electrical/electronic/programmable electronic (E/E/PE) components, that on the basis of input from sensors is able to determine what intervention needs to be made, and activates actuators (like powered valves) to perform this intervention. In order for an automated system to be considered to be an independent safety barrier (independent protection layer) the components that make up the automated system should not be part of the basic process control system (BPCS). EXAMPLES Emergency shutdown system (ESD), emergency blowdown system, FAILURE MECHANISMS Component failure, software failure, design failure, common cause failure | 0.43 | 1 | 0.17 | 1 | 0.1 | 1 | 0.05 | 1 | ||||||||||||
| 9 HUMAN INTERVENTION FOLLOWING ALARM | DETECTION: Hardware/software DIAGNOSE: Behaviour according to clear procedures ("Skill & Rule based") ACTION: Behaviour according to clear procedures ("Skill & Rule based") (may include activation of powered components) DESCRIPTION Actions of operators in response to clear instrument signals or alarms. There will be clear instructions describing the actions that are required to respond to the each of the alarms. The sensors, transmitters and actuators are part of the barrier system. In order for the alarm system to be considered to be an independent safety barrier (independent protection layer) the components that make up the alarm system should not be part of the basic process control system (BPCS). EXAMPLES Manual shutdown or adjustment, evacuation, calling fire brigade on alarm, close/open (correct) valve FAILURE MECHANISMS Failure of sensors, transmitters or software, flaws in instructions, wrong intervention, operator not present. | 0.58 | 1 | 0.36 | 1 | 0.2 | 1 | 0.09 | 1 | 0.22 | 1 | 0.08 | 1 | 0.08 | 0.75 | 0.05 | 1 | 0.1 | 1 | ||
| 10 SITUATIONAL HUMAN INTERVENTION (PROCEDURAL) | DETECTION: Human observation and interpretation DIAGNOSE: Behaviour according to clear procedures ("Skill & Rule based") ACTION: Behaviour according to clear procedures ("Skill & Rule based") DESCRIPTION The hazardous situation is detected by human observation of (a combination) factors in accordance with clear rules and procedures. There are no clear alarms, the hazardous situation needs to be derived from a combination of inputs. Instrument failure can both be considered to be a part of the initiating deviation (a dangerous failure in the sense that a deviation does not show up) or as part of the barrier failure. Actions can be similar to "Human Intervention Following Alarm", but the detection is by observing normal indicators (including measurement displays) BEFORE alarms (if any) are raised. This barrier also includes actions of supervisors supervising other operator’s tasks. EXAMPLES To adjust hardware set-points, abort operations developing outside safe area, start alternative (back-up) capacity, redirect flows (e.g. dump), warning others for action or evacuation, to disconnect tanks, hoses or pipes, to avoid escalation by protecting equipment with foam or fire-fighting water. FAILURE MECHANISMS Failure of instruments or software, flaws in instruction, lack of attention, wrong intervention. | 0.29 | 1 | 0.36 | 1 | 0.2 | 1 | 0.25 | 1 | 0.09 | 1 | 0.15 | 0.75 | 0.1 | 1 | 0.05 | 1 | ||||
| 11 KNOWLEDGE-BASED HUMAN INTERVENTION (AD HOC) | DETECTION: Human observation and interpretation. DIAGNOSE: Behaviour on the basis of knowledge and reasoning ("Knowledge based") ACTION: Behaviour DESCRIPTION Intervention that requires a continuous knowledge-based assessment of the situation (e.g. during a rescue operation) and/or requires detailed analysis in cases where no procedures or rules apply. This barrier type is provided for sake of completeness. Apart from use as a mitigating barrier (emergency response) at the far right-hand side of the diagram or bow-tie, prevention of foreseeable events should be dealt with by procedures, i.e. “Rule and Skill-based” barriers. EXAMPLES Fire-fighting, emergency response, to (re)gain control over a complex system (such as a nuclear reactor) and take it to a safe condition. FAILURE MECHANISMS Wrong assessment, inadequate intervention, intervention too late, too early. | 0.87 | 1 | 1 | 1 | 0.17 | 1 | 0.83 | 1 | 0.09 | 1 | 0.13 | 0.75 | 0.01 | 1 | 0.05 | 1 | ||||
| Barrier Element | PFD | Description | 1st ARAMIS Item, Manpower Planning and Availability | 2nd ARAMIS Item, Competence and Suitability | 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution | 4th ARAMIS Item, Communication and Coordination | 5th ARAMIS Item, Procedures, rules, and goals | 6th ARAMIS Item, Hard/software purchase, build, interface, install | 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement | 0th ARAMIS Item, Safety Culture | A Risk analysis and selection of safety barriers | B Learning and management of change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | Weight | Rating | |||
| Gate | Barrier Diagram | Gate Type | Description |
|---|---|---|---|
| Slow collapse | Passing Vessel Collision Event tree asset damage | OR Gate | |
| Fast collapse condition | Passing Vessel Collision Event tree fatality's assessment | AND Gate | |
| slow collapse condition | Passing Vessel Collision Event tree fatality's assessment | AND Gate | |
| Sum | Individual risk summation | OR Gate |
| Condition | Condition Type | Freq. or Prob. | Unit | Description | Severity |
|---|---|---|---|---|---|
| Ship collision | Initial Event | 0.000624 | Expected Frequency of Occurrence per Year | ||
| Platform manned | Intermediate Event | 0.000624 | Expected Frequency of Occurrence per Year | ||
| Platform not manned - no fatalities | Consequence | 0 | Expected Frequency of Occurrence per Year | 0: No Consequences | |
| Prev evacuation | Intermediate Event | 6.24E-6 | Expected Frequency of Occurrence per Year | ||
| No Prev evacuation | Intermediate Event | 0.0006178 | Expected Frequency of Occurrence per Year | ||
| Preventive evacuation by helicopter - no fatalities | Consequence | 3.12E-6 | Expected Frequency of Occurrence per Year | 0: No Consequences | |
| Preventive evacuation by Lifeboat | Intermediate Event | 3.12E-6 | Expected Frequency of Occurrence per Year | ||
| No Collapse | Intermediate Event | 0.0005242 | Expected Frequency of Occurrence per Year | ||
| Collapse due to impact | Intermediate Event | 9.984E-5 | Expected Frequency of Occurrence per Year | ||
| Slow collapse | Link between 2 diagrams | 0.0001023 | Expected Frequency of Occurrence per Year | This is a result (Consequence) from the ship collision - asset damage assessment It is an input to the assessment of personal risk, because the type of collapse determines the possibilities of survival. | 5.1: Major Accident - <10 fatalities/limited damage to the environment |
| Fast collapse | Link between 2 diagrams | 4.992E-5 | Expected Frequency of Occurrence per Year | This is a result (Consequence) from the ship collision - asset damage assessment It is an input to the assessment of personal risk, because the type of collapse determines the possibilities of survival. | 5.1: Major Accident - <10 fatalities/limited damage to the environment |
| Riser Fire and possible collapse | Intermediate Event | 5.242E-5 | Expected Frequency of Occurrence per Year | ||
| No Riser Fire - No Fatalities | Intermediate Event | 0.0004717 | Expected Frequency of Occurrence per Year | ||
| Many Fatalities due to Fast collapse | Link between 2 diagrams | 2.471E-5 | Expected Frequency of Occurrence per Year | 5.2: Major Accident - >10 fatalities/extensive damage to the environment | |
| Fatalities POB evacuation by lifeboat | Link between 2 diagrams | 5.066E-7 | Expected Frequency of Occurrence per Year | 5.1: Major Accident - <10 fatalities/limited damage to the environment | |
| Minor damage | Consequence | 0.0004057 | Expected Frequency of Occurrence per Year | 0: No Consequences | |
| Significant damage | Consequence | 6.604E-5 | Expected Frequency of Occurrence per Year | 0: No Consequences | |
| Fatalities Preventive evacuation by Lifeboat | Link between 2 diagrams | 1.56E-8 | Expected Frequency of Occurrence per Year | 5.1: Major Accident - <10 fatalities/limited damage to the environment | |
| Fast Collapse and POB in the water | Intermediate Event | 4.942E-5 | Expected Frequency of Occurrence per Year | ||
| Slow Collapse, POB evacuate | Intermediate Event | 0.0001013 | Expected Frequency of Occurrence per Year | ||
| Total individual risk | Consequence | 2.523E-5 | Expected Frequency of Occurrence per Year |
| Measure | Description | Applies to: Barriers | Applies to: Initial Conditions | Management Issue |
|---|
| Management Issue | Performance | Description |
|---|---|---|
| 1st ARAMIS Item, Manpower Planning and Availability | 1 | Manpower Planning covers allocating the necessary time (or numbers) of competent people to the tasks that have to be carried out, at the moment (or within the time frame) when they should be carried out. It also covers the process of planning and allocation of tasks over time, including coverage for: Holidays, Sick leave, Peak loads, Ensuring breaks and rest pauses, and Limiting overtime and fatigue. Personnel Availability ensures that personnell is available for all relevant tasks in relation to the functioning and management of barriers (operations, maintenance, emergency), including: Operating personnel, Maintenance personnel, Inspection & testing incl. general plantwalk-rounds, Supervision, and Back-up & emergency crews,. |
| 2nd ARAMIS Item, Competence and Suitability | 1 | Competence covers the knowledge, skills, and abilities of first-line and/or back-up personnel for the safe execution of safety-critical tasks related to barrier functioning or management. Competence covers the cognitive aspects of behaviour, which can be learned through training, experience and practice. They include: Job content/safety, e.g.: Plant & process knowledge: - Operating procedures, critical tasks, action alternatives, skills - Boundary of safety operations - Hazards, safety consequences of actions, safety priorities - Safety responsibility/task boundaries Inspection & testing procedures: - Fault diagnosis & response - Emergency procedures - Maintenance diagnosis - Safe isolation and recommissioning - Equipment dismantling, repair, testing & reassembly Other skills: - Communications - Team work - Supervision/management - Issuing instructions Suitability covers physical attributes that are usually more permanent characteristics of an individual, though some can be modified or compensated for over the longer term. They include: Size, strength, dexterity, Physical condition, health, Visual acuity, colour blindness, and Hearing. |
| 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution | 1 | Commitment and conflict resolution are concerned with: - Information, training and discussion on what is important and has priority - Rapid confrontation and correction of deviations from the desired working method, state or condition - High (publicity) profile and reward for achievements on safety - Appraisal schemes with explicit attention to safety performance - Recurrent active attention to safety in meetings, discussions and actions - Procedure violations - Keeping to the prescribed operating envelope - Safety and production/time pressures e.g. production pressures reducing scheduled maintenance/inspection, operations which come under time pressure for implementation, reluctance to declare emergencies or shutdown plant because of loss of production - Safety critical maintenance priority over production - Balancing production targets, resource availability/costs and inspection and maintenance requirements via e.g. time schedules and budget setting - Safety budget (increased/decreased) |
| 4th ARAMIS Item, Communication and Coordination | 1 | The communication and coordination concerns itself with: - Communication channels (phone, radio, minutes, reports, etc.) - Coordination methods (e.g. meetings, supervision) - Communication between: Different persons engaged on one task as team or working in sequence, and Shifts at changeover - Communication about: Work content Barrier/plant status Job instructions Priorities Who does what, where and when Need for action or (back-up) personnel and equipment - Communication systems for sharing operation/maintenance hazard concerns and experience |
| 5th ARAMIS Item, Procedures, rules, and goals | 1 | The procedures, rules and goals delivery system is occupied with identifying tasks that need (detailed) written rules and procedures, and subsequently providing and promulgating these. This system also delivers output goals for tasks that do not need a detailed procedure. Procedures and rules are specific performance criteria, which specify in detail, usually in written form, a formalised 'normative' behaviour or method for carrying out an activity (checklist, task list, action steps, plan, instruction manual, fault-finding heuristic, form to be completed, etc.). Output goals are performance measures for an activity, which specify what the result of the activity should be, but not how the results should be achieved. They are objectives, goals or outputs. The procedures, rules and goals delivery system concerns itself with: Coverage (i.e. all safety situations), Accuracy, Readability/usability, Size/complexity/overload or rule sets, Clarity/ambiguity, Up-to-date, Indicating priorities. |
| 6th ARAMIS Item, Hard/software purchase, build, interface, install | 1 | Management of barrier (and spares) purchase, construction, installation and adjustment deals with the management process for ensuring that the hardware/ software barriers and barrier elements in agreement with specifications are acquired, either by purchase from outside, or by construction on site, are put in place and adjusted and that the spare parts or replacements purchased and stored for the maintenance phase of their life cycle are the correct ones and are in good condition when used. The process should pay explicit attention to the human factors aspects of the interface between barrier elements and their users in the case of mixed barriers. |
| 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement | 1 | Management of inspection, maintenance and replacement deals with the management processes for ensuring that the specified hardware/software barriers and barrier elements are kept in an effective state. It covers all hardware and software which has a function within any barrier designed to fulfill a safety function in the plant. It forms the part of the life cycle of these barrier elements from the point where they have been installed and adjusted and are ready for use. It covers all the activities which monitor the working of the barriers, detect the (chance of) deviation from the designed working and identify the need for work to be done to restore the functioning or replace the barrier (elements) with new ones. This process also manages small modifications which are carried out at the same time as, and under the same management as the maintenance activities. Where the modifications are of a more major type, which are (or should be) dealt with by a change management process, these are covered by the protocol on learning and change. |
| 0th ARAMIS Item, Safety Culture | 0.75 | Safety culture can be assessed by questionnaire surveys of the personnel. Safety culture addresses the following issues: Learning and willingness to report: the employees' willingness / reluctance to report accidents and incidents, their perception of feedback from reporting and dissemination of lessons learned. Safety prioritisation, rules and compliance covering use of and familiarity with rules and instructions; the prioritisation of safety versus productivity and ease of work; the extent to which and the circumstances under which safety procedures may be violated Leadership involvement and commitment concerns both the avowed involvement and commitment of management and supervisors and team leaders as well as employee perception of their commitment and involvement Risk and human performance limitation perception concerns management and employee awareness of hazards, risks and human error potentials (fatigue, automation etc.) relevant to their work. Felt responsibility concerns the employee's perception of who is responsible for safety at work including felt ownership of responsibility Trust and fairness involves management's trust in employees and, crucially, employees' trust in top management and their immediate leaders and employee perception of fairness in the workplace Work team atmosphere and support comprises employees' perception of teamwork and the 'spirit' in their respective teams; the extent to which the team gives its members support and help; and the extent to which respondents are willing to speak up and warn each other of dangers. Motivation, influence and involvement comprises (i) work as meaningful; (ii) own influence on work planning and execution; (iii) motivation and involvement; and (iv) feeling informed and finding work predictable |
| A Risk analysis and selection of safety barriers | 1 | This issue covers the process of risk assessment and selection of the barriers. Definitions and coverage: Barrier functions and elements - The process emphasises that barrier functions should first be defined (prevent, protect, mitigate), followed by a choice between all possible principles and forms of barrier which could fulfil that function. Most barrier forms chosen will be combinations of hardware and software elements with behavioural elements. Some barriers may be pure hardware, either passive, in which case it requires no activation after its installation (temporarily or permanently), or with active elements, which require adjustment and activation. A number of barriers may be purely dependent on behaviour, such as evacuation, or skilled dismantling of equipment. The elements out of which the complete barriers are constructed must consist (except in the case of passive barriers) of elements which perform the functions of detection or diagnosis of the need to respond, activation of the barrier and its response. Either hardware or behaviour elements can fulfil each of the functions and these can be combined in many different ways. The company must make its choices out of these combinations. Coverage - The process should cover all accident scenarios which the company wishes to control, or wishes to demonstrate to regulators that it has controlled. The steps follow the normal processes of risk assessment, but emphasise more clearly the selection and specification of barriers to control the hazards. They also emphasise that barrier selection should take account of the whole life cycle of the barrier and its elements in deciding what is likely to be the most effective choice to make. |
| B Learning and management of change | 1 | This issue deals with the management processes designed to achieve continuous improvement and adaptation of barrier performance to the current best practice and to the current state of the risks in the organisation. Definitions and coverage: Learning - Learning is defined as the collection of information about the performance of a barrier (element) or management process relating to barrier performance, the analysis of the performance data, its comparison with desired performance and/or good practice, the drawing of conclusions about improvements and changes which are required to bring about better performance, and the implementation throughout the organisation of the changes. Learning should be triggered by both deviations from expected or desired performance within the organisation, as by comparisons with good practice outside it. Change management - Change management is designed to ensure that any changes to the technical, human or organisational aspects of the design, layout, functioning, control or management of the organisation are reflected in changes to the barriers provided to control risk and/or changes to the appropriate part of the life cycle or management processes which ensure the functioning of the barriers. This requires that the organisation specify and identify what will be considered to be ‘significant changes’ requiring assessment. Incident, accident and failure - Incident: any deviation from expected or desired operation or performance, which, if uncorrected, would lead to damage, injury or other undesired outcome, and which is defined as relevant to be recorded for the purposes of learning. Accident: any deviation from expected or desired operation or performance, which leads to actual damage, injury or other undesired outcome. Failure: any deviation of a barrier (element) or management process relevant to barrier performance which results in a partial or complete loss of function of that barrier (element) or management process. Coverage - The learning and change control system covers the performance of all barriers and their elements, whether they are achieved by hardware, software or behaviour. |
| Diagram Name | Number of: Barriers | Number of: Gates | Number of: Event Tree Branches | Description |
|---|---|---|---|---|
| Passing Vessel Collision Event tree asset damage | 0 | 1 | 4 | Event tree for asset damage assessment in case of ship collision |
| Passing Vessel Collision Event tree fatality's assessment | 0 | 2 | 6 | Event tree for consequence assessment on personal risk due to ship collision. Note that when the fatality factors (in the conditional probabilities on the rght hand side of the diagram) are considered as personal exposure factors, the frequencies of the outputs can be considered as the individual risk of fatality. (see third diagram for summation). Note that the "preventive evacuation" could have been replaced by a barrier (the evaciuation is a barrier function) |
| Individual risk summation | 0 | 1 | 0 |
| Event Tree Branch Name | Diagram Name | Number of: Event Tree Branches | Event Tree Branches & Probability | Description |
|---|---|---|---|---|
| Significant damage? | Passing Vessel Collision Event tree asset damage | 2 | No: 0.86; Yes: 0.14. | |
| Riser failure and fire? | Passing Vessel Collision Event tree asset damage | 2 | No: 0.9; Yes: 0.1. | |
| Total Platform collapse? | Passing Vessel Collision Event tree asset damage | 2 | No: 0.84; Yes: 0.16. | |
| Fast collapse? | Passing Vessel Collision Event tree asset damage | 2 | No: 0.5; Yes: 0.5. | |
| Preventive evacuation? | Passing Vessel Collision Event tree fatality's assessment | 2 | No: 0.99; Yes: 0.01. | Preventive evacuation before collision |
| Evacuation by helicopter? | Passing Vessel Collision Event tree fatality's assessment | 2 | No: 0.5; Yes: 0.5. | |
| Fatality POB evacuate prev. | Passing Vessel Collision Event tree fatality's assessment | 1 | : 0.005. | |
| Fatality POB evacuate | Passing Vessel Collision Event tree fatality's assessment | 1 | : 0.005. | |
| Fatality POB in water | Passing Vessel Collision Event tree fatality's assessment | 1 | : 0.5. | |
| Platform manned? | Passing Vessel Collision Event tree fatality's assessment | 2 | No: 0; Yes: 1. |