SafetyBarrier

i

Viewer

Passing vessel collision event tree2.sbmx

Passing Vessel Collision Event tree asset damage

SBMImage SBMImage SBMImage
SBMImage SBMImage SBMImage

Passing Vessel Collision Event tree fatality's assessment

SBMImage SBMImage SBMImage
SBMImage SBMImage SBMImage

Individual risk summation

SBMImage SBMImage SBMImage
SBMImage SBMImage SBMImage
Early detection and warning Slow collapse Riser failure and fire? Damage to platform? Ship on collision course Riser Fire and possible collapse Impact on installation Ship collision Minor damage Severe damage/Slow collapse Fast collapse Significant damage Early detection and warning Slow collapse Riser failure and fire? Damage to platform? Ship on collision course Riser Fire and possible collapse Impact on installation Ship collision Minor damage Severe damage/Slow collapse Fast collapse Significant damage Preventive evacuation Fast collapse condition slow collapse condition Evacuation by helicopter? Fatality lifeboat evac. (prev.) Fatality lifeboat evac. Fatality POB in water Installation manned? Fast collapse Severe damage/Slow collapse Ship collision Preventive evacuation Preventive evacuation by Lifeboat No Preventive evacuation Slow Collapse, POB evacuate Fast Collapse and POB in the water Platform manned Preventive evacuation by helicopter/no fatalities Fatalities Preventive evacuation by Lifeboat Fatalities POB evacuation by lifeboat Many Fatalities due to Fast collapse Platform not manned - no fatalities Preventive evacuation Fast collapse condition slow collapse condition Evacuation by helicopter? Fatality lifeboat evac. (prev.) Fatality lifeboat evac. Fatality POB in water Installation manned? Fast collapse Severe damage/Slow collapse Ship collision Preventive evacuation Preventive evacuation by Lifeboat No Preventive evacuation Slow Collapse, POB evacuate Fast Collapse and POB in the water Platform manned Preventive evacuation by helicopter/no fatalities Fatalities Preventive evacuation by Lifeboat Fatalities POB evacuation by lifeboat Many Fatalities due to Fast collapse Platform not manned - no fatalities Sum Fatalities Preventive evacuation by Lifeboat Fatalities POB evacuation by lifeboat Many Fatalities due to Fast collapse Total individual risk Sum Fatalities Preventive evacuation by Lifeboat Fatalities POB evacuation by lifeboat Many Fatalities due to Fast collapse Total individual risk

Project

NAME: Passing vessel collision event tree2.sbmx
DESCRIPTION
Event tree description of ship colliding with an offshore installation. Project is divided into two diagrams: the first diagram assesses the damage to the assets, the second the consequences for fatalities. The output of the first diagram is used as conditional input to the second diagram. Note that the "ancestor" rule is used to accept that the two inputs to the AND gates both are events (frequencies). Because all events originate from the "ship collision" event (initial condition in both diagrams, the "ancestor" of all events in the project), it is acceptable.
Last diagram shows how results can be summed.

Intermediate Event

NAME: Ship collision
Expected Frequency of Occurrence per Year: 0.00182
DESCRIPTION

Intermediate Event

NAME: Platform manned
Expected Frequency of Occurrence per Year: 0.001274

Consequence

NAME: Platform not manned - no fatalities
Expected Frequency of Occurrence per Year: 0.000546

Intermediate Event

NAME: Preventive evacuation
Expected Frequency of Occurrence per Year: 0.0001274

Intermediate Event

NAME: No Preventive evacuation
Expected Frequency of Occurrence per Year: 0.001147

Consequence

NAME: Preventive evacuation by helicopter/no fatalities
Expected Frequency of Occurrence per Year: 6.37E-5

Intermediate Event

NAME: Preventive evacuation by Lifeboat
Expected Frequency of Occurrence per Year: 6.37E-5

Intermediate Event

NAME: Impact on installation
Expected Frequency of Occurrence per Year: 0.0002548
DESCRIPTION

Intermediate Event

NAME: Severe damage/Slow collapse
Expected Frequency of Occurrence per Year: 0.0006261
DESCRIPTION

Intermediate Event

NAME: Fast collapse
Expected Frequency of Occurrence per Year: 9.1E-5
DESCRIPTION

Intermediate Event

NAME: Riser Fire and possible collapse
Expected Frequency of Occurrence per Year: 2.548E-5
DESCRIPTION

Intermediate Event

NAME: Many Fatalities due to Fast collapse
Expected Frequency of Occurrence per Year: 4.701E-5

Intermediate Event

NAME: Fatalities POB evacuation by lifeboat
Expected Frequency of Occurrence per Year: 1.775E-5

Consequence

NAME: Minor damage
Expected Frequency of Occurrence per Year: 0.0003276
DESCRIPTION

Consequence

NAME: Significant damage
Expected Frequency of Occurrence per Year: 0.0002293
DESCRIPTION

Intermediate Event

NAME: Fatalities Preventive evacuation by Lifeboat
Expected Frequency of Occurrence per Year: 2.866E-6

Intermediate Event

NAME: Fast Collapse and POB in the water
Expected Frequency of Occurrence per Year: 5.733E-5

Intermediate Event

NAME: Slow Collapse, POB evacuate
Expected Frequency of Occurrence per Year: 0.0003944

Consequence

NAME: Total individual risk
Expected Frequency of Occurrence per Year: 6.763E-5

Initial Event

NAME: Ship on collision course
Expected Frequency of Occurrence per Year: 0.0091
DESCRIPTION

Barrier Diagram

NAME: Passing Vessel Collision Event tree asset damage
DESCRIPTION
Event tree for asset damage assessment in case of passing ship collision with an offshore. It is assumed that the field is overlooked by a Control Centre with AIS and radar coverage and automatic warnings (the barrier "Early detectio and warning")

Event Tree Branch

NAME: Riser failure and fire?
DESCRIPTION

OR Gate

NAME: Slow collapse

Event Tree Branch

NAME: Damage to platform?
DESCRIPTION

Barrier

NAME: Early detection and warning
Probability of Failure on Demand (PFD): 0.2
DESCRIPTION

BARRIER TYPE: 9 HUMAN INTERVENTION FOLLOWING ALARM
BARRIER TYPE DESCRIPTION

Barrier Diagram

NAME: Passing Vessel Collision Event tree fatality's assessment
DESCRIPTION
Event tree for consequence assessment on personal risk due to ship collision. Note that when the fatality factors (in the conditional probabilities on the rght hand side of the diagram) are considered as personal exposure factors, the frequencies of the outputs can be considered as the individual risk of fatality.
(see third diagram for summation).

Event Tree Branch

NAME: Evacuation by helicopter?

Event Tree Branch

NAME: Fatality lifeboat evac. (prev.)
DESCRIPTION

AND Gate

NAME: Fast collapse condition

AND Gate

NAME: slow collapse condition

Event Tree Branch

NAME: Fatality lifeboat evac.
DESCRIPTION

Event Tree Branch

NAME: Fatality POB in water
DESCRIPTION

Event Tree Branch

NAME: Installation manned?
DESCRIPTION

Barrier

NAME: Preventive evacuation
Probability of Failure on Demand (PFD): 0.9
DESCRIPTION

BARRIER TYPE: 11 KNOWLEDGE-BASED HUMAN INTERVENTION (AD HOC)
BARRIER TYPE DESCRIPTION

Barrier Diagram

NAME: Individual risk summation

OR Gate

NAME: Sum

Consequences

Barrier Diagram Consequence Prob./Expected Freq. (Unit) Severity
Passing Vessel Collision Event tree asset damage Minor damage 0.0003276 Expected Frequency of Occurrence per Year 1: Insignificant Consequences
Passing Vessel Collision Event tree asset damage Severe damage/Slow collapse 0.0006261 Expected Frequency of Occurrence per Year 4: Serious Consequences
Passing Vessel Collision Event tree asset damage Fast collapse 9.1E-5 Expected Frequency of Occurrence per Year 4: Serious Consequences
Passing Vessel Collision Event tree asset damage Significant damage 0.0002293 Expected Frequency of Occurrence per Year 2: Noticeable Consequences
Passing Vessel Collision Event tree fatality's assessment Preventive evacuation by helicopter/no fatalities 6.37E-5 Expected Frequency of Occurrence per Year 0: No Consequences
Passing Vessel Collision Event tree fatality's assessment Fatalities Preventive evacuation by Lifeboat 2.866E-6 Expected Frequency of Occurrence per Year 5.1: Major Accident - <10 fatalities/limited damage to the environment
Passing Vessel Collision Event tree fatality's assessment Fatalities POB evacuation by lifeboat 1.775E-5 Expected Frequency of Occurrence per Year 5.1: Major Accident - <10 fatalities/limited damage to the environment
Passing Vessel Collision Event tree fatality's assessment Many Fatalities due to Fast collapse 4.701E-5 Expected Frequency of Occurrence per Year 5.2: Major Accident - >10 fatalities/extensive damage to the environment
Passing Vessel Collision Event tree fatality's assessment Platform not manned - no fatalities 0.000546 Expected Frequency of Occurrence per Year 0: No Consequences
Individual risk summation Total individual risk 6.763E-5 Expected Frequency of Occurrence per Year  

Critical Events

Barrier Diagram Critical Event Prob./Expected Freq. (Unit)

Risk Matrix

  Expected Frequency of Occurrence per Year 0: No Consequences 1: Insignificant Consequences 2: Noticeable Consequences 3: Significant Consequences 4: Serious Consequences 5.1: Major Accident - <10 fatalities/limited damage to the environment 5.2: Major Accident - >10 fatalities/extensive damage to the environment
Frequent More likely than: 0.1              
Probable Less likely than: 0.1              
Improbable Less likely than: 0.001 Preventive evacuation by helicopter/no fatalities; Platform not manned - no fatalities Minor damage Significant damage   Severe damage/Slow collapse; Fast collapse Fatalities POB evacuation by lifeboat Many Fatalities due to Fast collapse
Very Improbable Less likely than: 1E-5           Fatalities Preventive evacuation by Lifeboat  
Negligible Less likely than: 1E-7              

Barriers

Barrier Barrier Diagram Generic Barrier Barrier Type PFD Description 1st ARAMIS Item, Manpower Planning and Availability 2nd ARAMIS Item, Competence and Suitability 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution 4th ARAMIS Item, Communication and Coordination 5th ARAMIS Item, Procedures, rules, and goals 6th ARAMIS Item, Hard/software purchase, build, interface, install 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement 0th ARAMIS Item, Safety Culture A Risk analysis and selection of safety barriers B Learning and management of change
            Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating
Early detection and warning Passing Vessel Collision Event tree asset damage   9 HUMAN INTERVENTION FOLLOWING ALARM 0.2 Offshore field surveillance by a Control Centre. The CC is equipped with radar, AIS and automatic warning systems for vessels heading towards offshore installations or coming within close range without permission. Alarms lead to operators contacting vessels and instructing to change course. Subjective assessments suppose CC and AIS systems to reduce the number of collisions perhaps to 10%. Here 20% is included, as the resulting collision frequency coincides with the 1990-2005 statistics for the UKCS (IOGP report 434-16, Table 2.4) 0.58 1 0.36 1 0.2 1     0.09 1 0.22 1 0.08 1 0.08 0.75 0.05 1 0.1 1
Preventive evacuation Passing Vessel Collision Event tree fatality's assessment   11 KNOWLEDGE-BASED HUMAN INTERVENTION (AD HOC) 0.9 With sufficient warning (especially with sloqly moving drifting vesels/non-powered vessels in distress) it may be possible to evacuate the installation before the impact. In case of vessels approaching under power, the available time, and the uncertainty whether or where the final collision will take place may be prohibitive for preventive evacuation. therefore the low success probability for this barrier 0.87 1 1 1 0.17 1 0.83 1 0.09 1         0.13 0.75 0.01 1 0.05 1

Generic Barriers

Generic Barrier Barrier Type PFD Description 1st ARAMIS Item, Manpower Planning and Availability 2nd ARAMIS Item, Competence and Suitability 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution 4th ARAMIS Item, Communication and Coordination 5th ARAMIS Item, Procedures, rules, and goals 6th ARAMIS Item, Hard/software purchase, build, interface, install 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement 0th ARAMIS Item, Safety Culture A Risk analysis and selection of safety barriers B Learning and management of change
        Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating

Barrier Types

Barrier Type Description 1st ARAMIS Item, Manpower Planning and Availability 2nd ARAMIS Item, Competence and Suitability 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution 4th ARAMIS Item, Communication and Coordination 5th ARAMIS Item, Procedures, rules, and goals 6th ARAMIS Item, Hard/software purchase, build, interface, install 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement 0th ARAMIS Item, Safety Culture A Risk analysis and selection of safety barriers B Learning and management of change
    Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating
1 EXCESSIVELY CONSERVATIVE DESIGN AND MECHANICAL REDUNDANCY DETECTION: Not relevant DIAGNOSE: Not relevant ACTION: Hardware: Resilience and redundancy withstanding physical forces DESCRIPTION "Excessively conservative" means that the relevant characteristics of equipment (e.g. wall thickness) are at least a factor two more than what would be required using state-of-the-art or traditional standards used for that process. Redundancy means that under normal conditions forces are transmitted through multiple independent paths and each path has the capacity to perform the desired function alone. Evaluation of redundancy must consider whether the redundant systems can be affected simultaneously by an accident or deviation (independence). Redundancy that requires an active shift to another system must be perceived as an intervention (not permanent). EXAMPLES Over dimensioned wall thickness, fitted with double steering cables or rods, fitted with double electrical connections. FAILURE MECHANISMS Material failure or installation errors, in particular following maintenance; slow degradation; process conditions that exceed even so the material strength, in particular following changes in process conditions; simultaneous (common cause) failure of redundant systems.                     0.43 1 0.17 1     0.1 1 0.05 1
2 PERMANENT PASSIVE BARRIER DETECTION: Not relevant DIAGNOSE: Not relevant ACTION: Hardware: Strength or capacity to handle the deviation or threat. DESCRIPTION Passive Barriers are elements in a system that are constantly present (i.e. they do not need to be activated), and that are installed with the only reason to avoid or limit hazardous situations (i.e. the installation can in principle operate without those barriers). EXAMPLES: Tank bunds, dyke, fire protection, drainage sump, fence, lightning conductors, collision barrier, edge protection, hardware protection against body parts entering hazard zones. FAILURE MECHANISMS: Lacking strength or capacity, construction error, slow degradation, human error causing flaws (e.g. open rain-water drains in tank bunds), removed (e.g. protection) or not installed or not re-installed after maintenance.                     0.43 1 0.17 1     0.05 1 0.1 1
3 PERMANENT BARRIER: ENERGIZED DETECTION: Not relevant DIAGNOSE: Not relevant ACTION: Hardware: Capacity to perform the barrier function DESCRIPTION These barriers are constantly present, but need an energy source to work. If activation is required upon certain conditions, consider classification as temporary barrier. EXAMPLES Ventilation, active corrosion prevention, circulation of material, continuous inerting of systems, pilot flames, continuous addition of inhibitors. FAILURE MECHANISMS Not turned on/not activated, lacking capacity, lacking energy supply or material (gas) supply.             0.13 1 0.43 1 0.17 1         0.05 1 0.1 1
4 TEMPORARY BARRIER (PASSIVE OR ENERGIZED) DETECTION: The effect does not depend on the detection of a deviation, but the barrier need to be present or working. DIAGNOSE: Not relevant ACTION: Hardware: Strength or capacity to handle the deviation or threat. DESCRIPTION Barriers temporary put in place or temporary used, depending on a temporary situation (such as maintenance or repair works) or within a specific time spans or locations. Installation and use depends to a high degree on routines, procedures and rules. EXAMPLES Barriers around repair work, blind flanges over open pipes, spades in pipes, inhibitors in substances, personal protection equipment (PPE: e.g. hard hats, safety goggles, safety clothing, safety gloves), clothes and shoes to avoid static electricity, earthing of tanks during (un)loading FAILURE MECHANISMS Not put in place, not donned (PPE), not appropriate for the hazard (chemicals, heat, pressure, wrongly mounted. 0.29 1 0.18 1     0.13 1 0.09 1 0.22 1 0.08 1 0.04 0.75 0.03 1 0.03 1
5 RESPECT SAFETY ZONES AND WARNINGS DETECTION: Detection relates to warnings and signs, not to detection of deviations (passive barrier as regards to deviations). DIAGNOSE: Not relevant ACTION: Behaviour: To respect markings and warning signs: refrain from entering danger zones and refrain from manipulating marked parts of installations. DESCRIPTION Symbols, markings and warning signs (passive, i.e. not alarms) request to perform or refrain from certain behaviour. Implies in general refraining from certain actions (not touching, not operating, not entering not smoking). Respecting danger zones prevents people from getting hurt when deviations occur (mitigating barrier), Awareness of valves closing off dangerous substances may prevent erroneous operation. Note that the barrier consists of the behaviour itself, not the signalling. (Note that marking components such as valves in order to support correct operation is part of a management obligation to provide a sufficiently good human-machine interface and work place, and should NOTbe considered a safety barrier.) EXAMPLES Not entering danger zones (e.g. at cranes or robot stations, open containers, rotating machinery) , refrain from operating valves, avoid contact with hot parts, respecting smoking prohibitions, obeying speed limits. FAILURE MECHANISMS Not respecting signs and markings, lacking signs, unclear signs, and conflicts with work tasks.         0.1 1     0.09 1 0.5 0 0.5 0 0.08 0.75 0.1 1 0.05 1
6 PREVENTIVE PROCEDURAL ACTION DETECTION: Detection concerns attention to situations where the preventive action is required according to procedure, the deviation or threat is not detected. DIAGNOSE: Not relevant ACTION: Behaviour or hardware: To follow rules and procedures which apply to the situation at hand or (activate) automated sequencing through steps in a process. DESCRIPTION The activity is performed as part of a procedure for some operation or step in a process in order to prevent dangerous situations, even when the dangerous situation not necessarily is present. There may be overlap with “Temporary barrier” (e.g. making a ground connection and leaving it in place during the (un)loading), but this barrier focuses on actions performed prior to the hazardous activity, i.e. detached in time. EXAMPLES Venting of closed spaces before entering, venting/emptying hoses before detachment, earthing tankers before (un)loading to prevent static electricity, inerting vessels or reactors before taking into use. FAILURE MECHANISMS Not executing the action, incomplete or faulty execution. 0.29 1 0.36 1 0.2 1 0.25 1 0.18 1         0.08 0.75 0.1 1 0.05 1
7 HARDWARE INTERVENTION DETECTION: Hardware DIAGNOSE: Hardware ACTION: Hardware DESCRIPTION Barriers that by means of direct mechanical-physical principles both detect the deviation and perform the necessary action. EXAMPLES Pressure relief valves, bursting disks, sprinkler heads, explosion relief hatches FAILURE MECHANISMS Insufficient capacity (too small, too slow), wrong set point, blocked (including piping towards the barrier), stuck.                     0.43 1 0.17 1     0.1 1 0.05 1
8 AUTOMATED INTERVENTION/SAFETY INSTRUMENTED SYSTEM (SIS) DETECTION: Hardware DIAGNOSE: Hardware/software ACTION: Hardware DESCRIPTION Automated intervention by a system of electrical/electronic/programmable electronic (E/E/PE) components, that on the basis of input from sensors is able to determine what intervention needs to be made, and activates actuators (like powered valves) to perform this intervention. In order for an automated system to be considered to be an independent safety barrier (independent protection layer) the components that make up the automated system should not be part of the basic process control system (BPCS). EXAMPLES Emergency shutdown system (ESD), emergency blowdown system, FAILURE MECHANISMS Component failure, software failure, design failure, common cause failure                     0.43 1 0.17 1     0.1 1 0.05 1
9 HUMAN INTERVENTION FOLLOWING ALARM DETECTION: Hardware/software DIAGNOSE: Behaviour according to clear procedures ("Skill & Rule based") ACTION: Behaviour according to clear procedures ("Skill & Rule based") (may include activation of powered components) DESCRIPTION Actions of operators in response to clear instrument signals or alarms. There will be clear instructions describing the actions that are required to respond to the each of the alarms. The sensors, transmitters and actuators are part of the barrier system. In order for the alarm system to be considered to be an independent safety barrier (independent protection layer) the components that make up the alarm system should not be part of the basic process control system (BPCS). EXAMPLES Manual shutdown or adjustment, evacuation, calling fire brigade on alarm, close/open (correct) valve FAILURE MECHANISMS Failure of sensors, transmitters or software, flaws in instructions, wrong intervention, operator not present. 0.58 1 0.36 1 0.2 1     0.09 1 0.22 1 0.08 1 0.08 0.75 0.05 1 0.1 1
10 SITUATIONAL HUMAN INTERVENTION (PROCEDURAL) DETECTION: Human observation and interpretation DIAGNOSE: Behaviour according to clear procedures ("Skill & Rule based") ACTION: Behaviour according to clear procedures ("Skill & Rule based") DESCRIPTION The hazardous situation is detected by human observation of (a combination) factors in accordance with clear rules and procedures. There are no clear alarms, the hazardous situation needs to be derived from a combination of inputs. Instrument failure can both be considered to be a part of the initiating deviation (a dangerous failure in the sense that a deviation does not show up) or as part of the barrier failure. Actions can be similar to "Human Intervention Following Alarm", but the detection is by observing normal indicators (including measurement displays) BEFORE alarms (if any) are raised. This barrier also includes actions of supervisors supervising other operator’s tasks. EXAMPLES To adjust hardware set-points, abort operations developing outside safe area, start alternative (back-up) capacity, redirect flows (e.g. dump), warning others for action or evacuation, to disconnect tanks, hoses or pipes, to avoid escalation by protecting equipment with foam or fire-fighting water. FAILURE MECHANISMS Failure of instruments or software, flaws in instruction, lack of attention, wrong intervention. 0.29 1 0.36 1 0.2 1 0.25 1 0.09 1         0.15 0.75 0.1 1 0.05 1
11 KNOWLEDGE-BASED HUMAN INTERVENTION (AD HOC) DETECTION: Human observation and interpretation. DIAGNOSE: Behaviour on the basis of knowledge and reasoning ("Knowledge based") ACTION: Behaviour DESCRIPTION Intervention that requires a continuous knowledge-based assessment of the situation (e.g. during a rescue operation) and/or requires detailed analysis in cases where no procedures or rules apply. This barrier type is provided for sake of completeness. Apart from use as a mitigating barrier (emergency response) at the far right-hand side of the diagram or bow-tie, prevention of foreseeable events should be dealt with by procedures, i.e. “Rule and Skill-based” barriers. EXAMPLES Fire-fighting, emergency response, to (re)gain control over a complex system (such as a nuclear reactor) and take it to a safe condition. FAILURE MECHANISMS Wrong assessment, inadequate intervention, intervention too late, too early. 0.87 1 1 1 0.17 1 0.83 1 0.09 1         0.13 0.75 0.01 1 0.05 1

Common Elements

Barrier Element PFD Description 1st ARAMIS Item, Manpower Planning and Availability 2nd ARAMIS Item, Competence and Suitability 3rd ARAMIS Item, Commitment, Compliance and Conflict resolution 4th ARAMIS Item, Communication and Coordination 5th ARAMIS Item, Procedures, rules, and goals 6th ARAMIS Item, Hard/software purchase, build, interface, install 7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement 0th ARAMIS Item, Safety Culture A Risk analysis and selection of safety barriers B Learning and management of change
      Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating Weight Rating

Gates

Gate Barrier Diagram Gate Type Description
       
Slow collapse Passing Vessel Collision Event tree asset damage OR Gate  
Fast collapse condition Passing Vessel Collision Event tree fatality's assessment AND Gate  
slow collapse condition Passing Vessel Collision Event tree fatality's assessment AND Gate  
Sum Individual risk summation OR Gate  

Conditions

Condition Condition Type Freq. or Prob. Unit Description Severity
Ship collision Intermediate Event 0.00182 Expected Frequency of Occurrence per Year Collision of a passing vessel with an offshore installation that is manned some fraction of time. The frequency mentioned in the IOGP Data Directory report 434-13, Table 2-4, collisions in the UKCS 1990-2005, is 2.2E-3 per year  
Platform manned Intermediate Event 0.001274 Expected Frequency of Occurrence per Year    
Platform not manned - no fatalities Consequence 0.000546 Expected Frequency of Occurrence per Year   0: No Consequences
Preventive evacuation Intermediate Event 0.0001274 Expected Frequency of Occurrence per Year    
No Preventive evacuation Intermediate Event 0.001147 Expected Frequency of Occurrence per Year    
Preventive evacuation by helicopter/no fatalities Consequence 6.37E-5 Expected Frequency of Occurrence per Year   0: No Consequences
Preventive evacuation by Lifeboat Intermediate Event 6.37E-5 Expected Frequency of Occurrence per Year    
Impact on installation Intermediate Event 0.0002548 Expected Frequency of Occurrence per Year Significant/serious damage to module and local area of the unit; minor damage to loadbearing structures; significant damage to single essential equipment; damage to more essential equipment. This may include damage to risers and other HC equipment  
Severe damage/Slow collapse Link between 2 diagrams 0.0006261 Expected Frequency of Occurrence per Year Severe damage will require evacuation. Slow collapse will allow for controlled evacuation using lifeboats or better options (helicopter). This event is input to the assessment of fatality risk. 4: Serious Consequences
Fast collapse Link between 2 diagrams 9.1E-5 Expected Frequency of Occurrence per Year Total loss of asset. Fast collapse will make controlled evacuation impossible. This event is input to the assessment of fatality risk. 4: Serious Consequences
Riser Fire and possible collapse Intermediate Event 2.548E-5 Expected Frequency of Occurrence per Year Riser fire may escalate and cause collapse of structure  
Many Fatalities due to Fast collapse Link between 2 diagrams 4.701E-5 Expected Frequency of Occurrence per Year   5.2: Major Accident - >10 fatalities/extensive damage to the environment
Fatalities POB evacuation by lifeboat Link between 2 diagrams 1.775E-5 Expected Frequency of Occurrence per Year   5.1: Major Accident - <10 fatalities/limited damage to the environment
Minor damage Consequence 0.0003276 Expected Frequency of Occurrence per Year Minor damage to asset 1: Insignificant Consequences
Significant damage Consequence 0.0002293 Expected Frequency of Occurrence per Year Significant damage to asset 2: Noticeable Consequences
Fatalities Preventive evacuation by Lifeboat Link between 2 diagrams 2.866E-6 Expected Frequency of Occurrence per Year   5.1: Major Accident - <10 fatalities/limited damage to the environment
Fast Collapse and POB in the water Intermediate Event 5.733E-5 Expected Frequency of Occurrence per Year    
Slow Collapse, POB evacuate Intermediate Event 0.0003944 Expected Frequency of Occurrence per Year    
Total individual risk Consequence 6.763E-5 Expected Frequency of Occurrence per Year    
Ship on collision course Initial Event 0.0091 Expected Frequency of Occurrence per Year Frequency of the event is the frequency of UKCS collision events 1990-2005 (IOGP Risk Assessment Data Directory 434-16, Table 2.3  

Measures

Measure Description Applies to: Barriers Applies to: Initial Conditions Management Issue

Management Issues

Management Issue Performance Description
1st ARAMIS Item, Manpower Planning and Availability 1 Manpower Planning covers allocating the necessary time (or numbers) of competent people to the tasks that have to be carried out, at the moment (or within the time frame) when they should be carried out. It also covers the process of planning and allocation of tasks over time, including coverage for: Holidays, Sick leave, Peak loads, Ensuring breaks and rest pauses, and Limiting overtime and fatigue. Personnel Availability ensures that personnell is available for all relevant tasks in relation to the functioning and management of barriers (operations, maintenance, emergency), including: Operating personnel, Maintenance personnel, Inspection & testing incl. general plantwalk-rounds, Supervision, and Back-up & emergency crews,.
2nd ARAMIS Item, Competence and Suitability 1 Competence covers the knowledge, skills, and abilities of first-line and/or back-up personnel for the safe execution of safety-critical tasks related to barrier functioning or management. Competence covers the cognitive aspects of behaviour, which can be learned through training, experience and practice. They include: Job content/safety, e.g.: Plant & process knowledge: - Operating procedures, critical tasks, action alternatives, skills - Boundary of safety operations - Hazards, safety consequences of actions, safety priorities - Safety responsibility/task boundaries Inspection & testing procedures: - Fault diagnosis & response - Emergency procedures - Maintenance diagnosis - Safe isolation and recommissioning - Equipment dismantling, repair, testing & reassembly Other skills: - Communications - Team work - Supervision/management - Issuing instructions Suitability covers physical attributes that are usually more permanent characteristics of an individual, though some can be modified or compensated for over the longer term. They include: Size, strength, dexterity, Physical condition, health, Visual acuity, colour blindness, and Hearing.
3rd ARAMIS Item, Commitment, Compliance and Conflict resolution 1 Commitment and conflict resolution are concerned with: - Information, training and discussion on what is important and has priority - Rapid confrontation and correction of deviations from the desired working method, state or condition - High (publicity) profile and reward for achievements on safety - Appraisal schemes with explicit attention to safety performance - Recurrent active attention to safety in meetings, discussions and actions - Procedure violations - Keeping to the prescribed operating envelope - Safety and production/time pressures e.g. production pressures reducing scheduled maintenance/inspection, operations which come under time pressure for implementation, reluctance to declare emergencies or shutdown plant because of loss of production - Safety critical maintenance priority over production - Balancing production targets, resource availability/costs and inspection and maintenance requirements via e.g. time schedules and budget setting - Safety budget (increased/decreased)
4th ARAMIS Item, Communication and Coordination 1 The communication and coordination concerns itself with: - Communication channels (phone, radio, minutes, reports, etc.) - Coordination methods (e.g. meetings, supervision) - Communication between: Different persons engaged on one task as team or working in sequence, and Shifts at changeover - Communication about: Work content Barrier/plant status Job instructions Priorities Who does what, where and when Need for action or (back-up) personnel and equipment - Communication systems for sharing operation/maintenance hazard concerns and experience
5th ARAMIS Item, Procedures, rules, and goals 1 The procedures, rules and goals delivery system is occupied with identifying tasks that need (detailed) written rules and procedures, and subsequently providing and promulgating these. This system also delivers output goals for tasks that do not need a detailed procedure. Procedures and rules are specific performance criteria, which specify in detail, usually in written form, a formalised 'normative' behaviour or method for carrying out an activity (checklist, task list, action steps, plan, instruction manual, fault-finding heuristic, form to be completed, etc.). Output goals are performance measures for an activity, which specify what the result of the activity should be, but not how the results should be achieved. They are objectives, goals or outputs. The procedures, rules and goals delivery system concerns itself with: Coverage (i.e. all safety situations), Accuracy, Readability/usability, Size/complexity/overload or rule sets, Clarity/ambiguity, Up-to-date, Indicating priorities.
6th ARAMIS Item, Hard/software purchase, build, interface, install 1 Management of barrier (and spares) purchase, construction, installation and adjustment deals with the management process for ensuring that the hardware/ software barriers and barrier elements in agreement with specifications are acquired, either by purchase from outside, or by construction on site, are put in place and adjusted and that the spare parts or replacements purchased and stored for the maintenance phase of their life cycle are the correct ones and are in good condition when used. The process should pay explicit attention to the human factors aspects of the interface between barrier elements and their users in the case of mixed barriers.
7th ARAMIS Item, Hard/software Inspection, Maintenance, and Replacement 1 Management of inspection, maintenance and replacement deals with the management processes for ensuring that the specified hardware/software barriers and barrier elements are kept in an effective state. It covers all hardware and software which has a function within any barrier designed to fulfill a safety function in the plant. It forms the part of the life cycle of these barrier elements from the point where they have been installed and adjusted and are ready for use. It covers all the activities which monitor the working of the barriers, detect the (chance of) deviation from the designed working and identify the need for work to be done to restore the functioning or replace the barrier (elements) with new ones. This process also manages small modifications which are carried out at the same time as, and under the same management as the maintenance activities. Where the modifications are of a more major type, which are (or should be) dealt with by a change management process, these are covered by the protocol on learning and change.
0th ARAMIS Item, Safety Culture 0.75 Safety culture can be assessed by questionnaire surveys of the personnel. Safety culture addresses the following issues: Learning and willingness to report: the employees' willingness / reluctance to report accidents and incidents, their perception of feedback from reporting and dissemination of lessons learned. Safety prioritisation, rules and compliance covering use of and familiarity with rules and instructions; the prioritisation of safety versus productivity and ease of work; the extent to which and the circumstances under which safety procedures may be violated Leadership involvement and commitment concerns both the avowed involvement and commitment of management and supervisors and team leaders as well as employee perception of their commitment and involvement Risk and human performance limitation perception concerns management and employee awareness of hazards, risks and human error potentials (fatigue, automation etc.) relevant to their work. Felt responsibility concerns the employee's perception of who is responsible for safety at work including felt ownership of responsibility Trust and fairness involves management's trust in employees and, crucially, employees' trust in top management and their immediate leaders and employee perception of fairness in the workplace Work team atmosphere and support comprises employees' perception of teamwork and the 'spirit' in their respective teams; the extent to which the team gives its members support and help; and the extent to which respondents are willing to speak up and warn each other of dangers. Motivation, influence and involvement comprises (i) work as meaningful; (ii) own influence on work planning and execution; (iii) motivation and involvement; and (iv) feeling informed and finding work predictable
A Risk analysis and selection of safety barriers 1 This issue covers the process of risk assessment and selection of the barriers. Definitions and coverage: Barrier functions and elements - The process emphasises that barrier functions should first be defined (prevent, protect, mitigate), followed by a choice between all possible principles and forms of barrier which could fulfil that function. Most barrier forms chosen will be combinations of hardware and software elements with behavioural elements. Some barriers may be pure hardware, either passive, in which case it requires no activation after its installation (temporarily or permanently), or with active elements, which require adjustment and activation. A number of barriers may be purely dependent on behaviour, such as evacuation, or skilled dismantling of equipment. The elements out of which the complete barriers are constructed must consist (except in the case of passive barriers) of elements which perform the functions of detection or diagnosis of the need to respond, activation of the barrier and its response. Either hardware or behaviour elements can fulfil each of the functions and these can be combined in many different ways. The company must make its choices out of these combinations. Coverage - The process should cover all accident scenarios which the company wishes to control, or wishes to demonstrate to regulators that it has controlled. The steps follow the normal processes of risk assessment, but emphasise more clearly the selection and specification of barriers to control the hazards. They also emphasise that barrier selection should take account of the whole life cycle of the barrier and its elements in deciding what is likely to be the most effective choice to make.
B Learning and management of change 1 This issue deals with the management processes designed to achieve continuous improvement and adaptation of barrier performance to the current best practice and to the current state of the risks in the organisation. Definitions and coverage: Learning - Learning is defined as the collection of information about the performance of a barrier (element) or management process relating to barrier performance, the analysis of the performance data, its comparison with desired performance and/or good practice, the drawing of conclusions about improvements and changes which are required to bring about better performance, and the implementation throughout the organisation of the changes. Learning should be triggered by both deviations from expected or desired performance within the organisation, as by comparisons with good practice outside it. Change management - Change management is designed to ensure that any changes to the technical, human or organisational aspects of the design, layout, functioning, control or management of the organisation are reflected in changes to the barriers provided to control risk and/or changes to the appropriate part of the life cycle or management processes which ensure the functioning of the barriers. This requires that the organisation specify and identify what will be considered to be ‘significant changes’ requiring assessment. Incident, accident and failure - Incident: any deviation from expected or desired operation or performance, which, if uncorrected, would lead to damage, injury or other undesired outcome, and which is defined as relevant to be recorded for the purposes of learning. Accident: any deviation from expected or desired operation or performance, which leads to actual damage, injury or other undesired outcome. Failure: any deviation of a barrier (element) or management process relevant to barrier performance which results in a partial or complete loss of function of that barrier (element) or management process. Coverage - The learning and change control system covers the performance of all barriers and their elements, whether they are achieved by hardware, software or behaviour.

Barrier Diagrams

Diagram Name Number of: Barriers Number of: Gates Number of: Event Tree Branches Description
Passing Vessel Collision Event tree asset damage 1 1 2 Event tree for asset damage assessment in case of passing ship collision with an offshore. It is assumed that the field is overlooked by a Control Centre with AIS and radar coverage and automatic warnings (the barrier "Early detectio and warning")
Passing Vessel Collision Event tree fatality's assessment 1 2 5 Event tree for consequence assessment on personal risk due to ship collision. Note that when the fatality factors (in the conditional probabilities on the rght hand side of the diagram) are considered as personal exposure factors, the frequencies of the outputs can be considered as the individual risk of fatality. (see third diagram for summation).
Individual risk summation 0 1 0  

Event Tree Branches

Event Tree Branch Name Diagram Name Number of: Event Tree Branches Event Tree Branches & Probability Description
Riser failure and fire? Passing Vessel Collision Event tree asset damage 2 No: 0.9; Yes: 0.1. Impacts on the installation may hit and damage risers and similar equipment, leading to release of large amounts of hydrocarbons. The probability is a subjective estimate, covering both probability of damage to riser and ignition. Ignition is considered likely because of the imact energy in the collision.
Damage to platform? Passing Vessel Collision Event tree asset damage 4 Minor: 0.18; Significant: 0.14; Severe: 0.33; Fast collapse: 0.05. The collapse frequency are taken from OGP Data Directory 434-16, Table 2-2 Total Loss is expected to be immediate (fast) collapse Severe damage is expected to require evacuation Siignificant damage may involve damage to risers, etc, leading to HC release Damage Passing Vessels I Total Loss 5% Severe 33% Significant 14% Minor 18% Insign./No 30% Note that "Insign/No Damage" is not included in the event tree; the sum of event tree probabilities is thus 70%
Evacuation by helicopter? Passing Vessel Collision Event tree fatality's assessment 2 No: 0.5; Yes: 0.5.  
Fatality lifeboat evac. (prev.) Passing Vessel Collision Event tree fatality's assessment 1 : 0.045. conditional probability of fatality when evacuation by lifeboat. Data for free fall lifeboats are used from IOGP RADD 434-19, Table 2.5 Probability of success evacuation (no fatalities): 95% Probability of immediate fatality on lifebaot failure: 50% Probability of fatality when ending up in sea, no SBV present: 80% (IOGP RADD 434-19, Table 2.8) So: 5%*(50%+50%*80%) = 4.5%
Fatality lifeboat evac. Passing Vessel Collision Event tree fatality's assessment 1 : 0.045. Data for free fall lifeboats are used from IOGP RADD 434-19, Table 2.5 Probability of success evacuation (no fatalities): 95% Probability of immediate fatality on lifebaot failure: 50% Probability of fatality when ending up in sea, no SBV present: 80% (IOGP RADD 434-19, Table 2.8) So: 5%*(50%+50%*80%) = 4.5%
Fatality POB in water Passing Vessel Collision Event tree fatality's assessment 1 : 0.82. Conditional probability of fatality on fast collapse, it is assumed that all personnel escape directly to sea Sample Rule Set for Immediate Fatality Probability due to Jumping to Sea from a North Sea Lower Deck: fatality 10% (IOGP RADD 434-19, Table 2.7) Fatality Probability Upon Entering the Sea to Escape (North Sea Data), average, no SBV: 80% So result: 0.1+0.9*0.8 = 82%
Installation manned? Passing Vessel Collision Event tree fatality's assessment 2 No: 0.3; Yes: 0.7. Fraction of time that the offshore structure is manned