
Kul-24.4230 Safety and Risks of Marine Traffic

L7 – Preliminary Hazard Analysis

Course Lecturer: Jakub Montewka, PhD.


Learning points from L1-5

•  Risk fundamentals
•  Some epistemological concepts (risk perspective)
–  Events and consequences
–  Belief and knowledge
–  Uncertainty
–  Acceptance
•  Some concepts in risk measurement (risk description)
–  Probability
•  Risk framework
•  Hands-on exercises on the use of BBN in risk modelling

In this lecture

•  Risk picture according to IMO

•  Risk - what to analyse ?

•  Preliminary Hazard Analysis - PHA

•  Failure modes, effects, and criticality analysis - FMECA


RISK PICTURE

–  From Greek rhiza meaning cliff, from the hazards of sailing along
rocky coasts.

–  The term ‘risk’ has most likely come into English through Spanish or
Portuguese, where it was used to refer to sailing into uncharted
waters.

–  The idea of risk appears to have taken hold in the 16th and 17th
centuries, and was first coined by Western explorers as they set off on
their voyages to explore the world.

–  From the 16th century onwards, the term therefore attained a beneficial
meaning, for example in middle-high-German Rysigo was a technical
term for business, with the meaning “to dare, to undertake a
business and aspire for economic success”.

http://www.dnv.com/focus/risk_management/more_information/risk_origin/
HISTORICAL BACKGROUND OF RISK MODELLING

•  1960 – Aerospace industry: Apollo programme
•  1970 – Nuclear industry
•  1988 – Offshore industry: Piper Alpha disaster
•  1992 – Maritime sector: Lord Carver’s report
•  2000 – IMO adopted guidelines for risk assessment procedure (FSA)

Formal Safety Assessment


FORMAL SAFETY ASSESSMENT - FSA
One way of ensuring that action is taken before a disaster occurs is the use of a process
known as formal safety assessment, which has been described as

"a rational and systematic process for assessing the risks associated with shipping
activity and for evaluating the costs and benefits of IMO's options for reducing these
risks."

It can be used as a tool to help evaluate new regulations or to compare proposed changes
with existing standards.
It enables a balance to be drawn between the various technical and operational issues,
including the human element, and between safety and costs.

FSA - which was originally developed, at least partly, as a response to the Piper Alpha disaster
of 1988, when an offshore platform exploded in the North Sea and 167 people lost their lives
- is now being applied to the IMO rule-making process.

Guidelines for Formal Safety Assessment (FSA) for use in the IMO rule-making process
were approved in 2002.

[IMO, Guidelines for Formal Safety Assessment (FSA), 2002 (MSC/Circ.1023/MEPC/Circ.392)]


LOGIC OF FSA
1.  What might go wrong? (a list of all relevant accident scenarios with potential causes and
outcomes).

2.  How bad and how likely? (evaluation of risk factors).

3.  Can matters be improved? (devising regulatory measures to control and reduce
the identified risks).

4.  What would it cost and how much better would it be? (determining cost effectiveness
of each risk control option).

5.  What actions should be taken? (information about the hazards, their associated risks and
the cost effectiveness of alternative risk control options is provided).

[IMO, Guidelines for Formal Safety Assessment (FSA), 2002 (MSC/Circ.1023/MEPC/Circ.392)]
RISK MODELLING
Risk Analysis
“the systematic use of available information to
identify hazards and to estimate the risk to
individuals or populations, property or the
environment” .

Risk Assessment
is to review the acceptability of risk that has
been analyzed and evaluated based on the
comparison with standards or criteria that define
the risk tolerability.

Risk Management
is the application of risk assessment with the
intention to inform the decision making process
with the appropriate risk reduction measures and
their possible implementation.

[Kontovas C., Formal Safety Assessment Critical Review and Future Role, 2005]
FSA – A RISK BASED APPROACH

http://www.imo.org/OurWork/HumanElement/VisionPrinciplesGoals/Documents/1023-MEPC392.pdf
FSA – PREPARATORY STEP
In other words: what can be addressed by FSA?

Relevant aspects when addressing ships and, thus, areas for which FSA studies may
be applied are, according to the IMO Guidelines (§4.1), the following:

1.  ship category (e.g. type, new or existing, type of cargo);
2.  ship systems or functions (e.g. layout, subdivision, type of propulsion);
3.  ship operations (e.g. operations in port and/or during navigation);
4.  external influences on the ship (e.g. Vessel Traffic System);
5.  accident category (e.g. collision, explosion, fire);
6.  risks associated with consequences such as injuries and/or fatalities to
passengers and crew, environmental impact, damage to the ship or port facilities,
or commercial impact.
FSA – STEP 1
HAZARDS IDENTIFICATION (HAZID)
Two major objectives of HAZID are:
1.  Identification of all potential hazardous scenarios which could lead to
significant consequences.
2.  Prioritization of them by risk level.

Identification can be done with a combination of creative and analytical techniques that
aim to identify all relevant hazards.
The creative part, which usually means brainstorming sessions, makes the
methodology proactive, thus not limited to historical hazards only.

Scenarios considered are, typically, the sequence of events from the initiating event,
up to the consequence, through the intermediate stages of the scenario development.

Prioritization is to rank the hazards and to discard scenarios judged to be of minor
significance. Ranking is undertaken using available data supported by expert
judgement.
FSA – STEP 1
HAZARDS IDENTIFICATION (HAZID)
Accident data and relevant information collected in different databases can (usually) be used
for various purposes, including HAZID.
If historical data are available, risk profiles can be drawn without the need to model scenarios;
this approach was taken in all FSA studies relevant to bulk carriers and RoPax.

However, this usage has several disadvantages. The most important is that the whole
philosophy of using historical data is reactive rather than proactive, and it can be
questioned whether the formal definition of risk is met (as risk is about the future);
therefore:
•  it cannot be used for new designs,
•  it cannot measure the effects of newly implemented risk control options, as it needs to wait
for accidents to happen to have sufficient data.

In some cases, especially simple FSAs, historical data can be used, but in general creative
thinking and some modelling is strongly recommended.

Formal Safety Assessment


Hazard Analysis
Excerpt taken from FSA guidelines:

5.2.1.1 The approach used for hazard identification generally comprises a combination
of both creative and analytical techniques, the aim being to identify all relevant
hazards. The creative element is to ensure that the process is proactive and not
confined only to hazards that have materialized in the past. It typically consists of
structured group reviews aiming at identifying the causes and effects of accidents and
relevant hazards. Consideration of functional failure may assist in this process.

The group carrying out such structured reviews should include experts in the various
appropriate aspects, such as ship design, operations and management and specialists
to assist in the hazard identification process and incorporation of the human element.
A structured group review session may last over a number of days.

The analytical element ensures that previous experience is properly taken into
account, and typically makes use of background information (for example applicable
regulations and codes, available statistical data on accident categories and lists of
hazards to personnel, hazardous substances, ignition sources, etc.)
FSA – STEP 1
HAZARDS IDENTIFICATION (HAZID)
1.  Hazards have to be defined.
2.  Hazards have to be prioritized.
3.  Risk matrices are a traceable framework for explicit consideration of the frequency
and consequences of defined hazards.
4.  The risk matrix is the most important tool that is provided to the expert panel and is
used to accomplish the first step of FSA (HAZID).

Formal Safety Assessment


Hazard Analysis
Hazard analysis involves the identification of hazards at a facility and
evaluating possible scenarios leading to unwanted consequences.

The hazard analysis stage is a very important part of the risk management
process, as no action can be taken to avoid, or reduce, the effects of
unidentified hazards.

The hazard analysis stage also has the largest potential for error with little or
no feedback of those errors.
Hazard Analysis
Hazard analysis relies on a structured and systematic approach to identify
potential hazards.

There are a large number of techniques that can be used to perform this task
at various stages during the life cycle of the process.

These vary from a concept safety review, which is performed as early as
possible in the concept stage of the process, to a study which can be
performed on a fully operational system (HAZOP). As well as being
performed at different stages during the life cycle of the process, the
techniques differ significantly in their level of detail.

Concept safety review can only be used to provide insight in to the potential
major hazards of the process, and hence steer the design of the plant to be
more inherently safe. In contrast a HAZOP study is a systematic review of
the process and should be able to identify the causes and consequences of
deviations from the design intent.
Hazard Analysis
It is important to choose the most appropriate identification
technique, as this not only provides the appropriate level of detail,
but can also be aimed at identifying hazards relating to specific
areas.

There are many factors to consider when choosing a technique.

Many techniques have similar objectives and, applied correctly, should
give comparable results.

The hazard identification techniques are structured processes for
identifying fault conditions that lead to hazards, and reduce the
chance of missing hazardous events. They all require considerable
experience and expertise.
Hazard Analysis

List of techniques applicable for hazard analysis (figure).
Hazard Analysis
The cost of alterations to the system, to produce an inherently safer
process, corresponds to the stage in the process life cycle in which
they are performed.

Generally, the earlier in the process life cycle the hazard is identified,
the lower the cost of improving the safety of the process is, as it
allows simple alterations to be performed before any of the items
have been built.

However, this saving is balanced against the inability of techniques
performed early in the process life cycle to identify all the hazards
associated with the process, which leaves the potential for hazards to be
missed.
Hazard Analysis

Hazard identification studies can be performed at seven key stages in the life
cycle of a new process.
Hazard Analysis
Not all of the hazard identification techniques are suitable for all stages in the
life cycle.

Some of the techniques may be suitable to more than one stage in the life cycle,
but others have been specifically developed for one stage and it would be
inappropriate to apply these in some of the other stages.
Hazard Analysis
For some of the techniques there is a large supply of reference material to
aid in their understanding and performance. Examples of these are:

•  HAZOP,
•  fault tree analysis,
•  safety audit,
•  failure mode and effect analysis,
•  task analysis.

These techniques are all popular for identifying hazards, though they are complex
to perform to the appropriate standard, and have been used for a long time.
The newer hazard identification techniques, and the common techniques
which are less complex (i.e. ‘what if?’ analysis, checklists), have less
reference material available, and for checklists it mainly consists of lists of
questions to be applied to various processes.
Hazard Analysis
FSA recommends:
•  Preliminary hazard analysis
•  Fault tree analysis
•  Failure Mode and Effect Analysis (FMEA)
•  Hazard and Operability Studies (HAZOP)
•  What If Analysis Technique
•  Event tree analysis
•  Risk Contribution Tree (RCT)
•  Influence Diagrams

Marvin Rausand. Risk Assessment Section 9.4


Preliminary Hazard Analysis (PHA)

What is PHA?
Preliminary hazard analysis (PHA) is a semi-quantitative analysis
that is performed to:
•  Identify all potential hazards and hazardous events that may lead
to an accident.
•  Rank the identified hazardous events according to their severity.
•  Identify required hazard controls and follow-up actions.

Several variants of PHA are used, sometimes under different names such as:
•  Rapid Risk Ranking
•  Hazard identification (HAZID)

Marvin Rausand. Risk Assessment Section 9.4


What can PHA be used for?
1.  As an initial risk study in an early stage of a project (e.g., of a new ship).
Accidents are mainly caused by release of energy. The PHA identifies where
energy may be released and which hazardous events may occur, and gives a
rough estimate of the severity of each hazardous event. The PHA results are
used to:
i.  compare main concepts,
ii.  focus on important risk issues,
iii.  provide input to more detailed risk analyses.

2.  As an initial step of a detailed risk analysis of a system concept or an
existing system. The purpose of the PHA is then to identify those hazardous
events that should be subject to a further, and more detailed, risk analysis.

3.  As a complete risk analysis of a rather simple system. Whether or not a PHA
will be a sufficient analysis depends both on the complexity of the system and on the
objectives of the analysis.

Marvin Rausand. Risk Assessment Section 9.4


The PHA shall consider
1.  Hazardous components.
2.  Safety related interfaces between various system elements, including
software.
3.  Environmental constraints including operating environments.
4.  Operating, test, maintenance, built-in-tests, diagnostics, and emergency
procedures.
5.  Facilities, real property installed equipment, support equipment, and
training.
6.  Safety related equipment, safeguards, and possible alternate approaches.
7.  Malfunctions to the system, subsystems, or software.

– Source: MIL-STD 882C


Preliminary Hazard Analysis - procedure
PHA main steps

1.  PHA prerequisites

2.  Hazard identification

3.  Consequence and frequency estimation

4.  Risk ranking and follow-up actions

Marvin Rausand. Risk Assessment Section 9.4


PHA prerequisites

1.  Establish the PHA team

2.  Define and describe the system to be analyzed
i.  System boundaries (which parts should be included and which
should not).
ii.  System description; including layout drawings, process flow
diagrams, block diagrams.
iii.  Use and storage of energy and hazardous materials in the system.
iv.  Operational and environmental conditions to be considered.
v.  Systems for detection and control of hazards and hazardous
events, emergency systems, and mitigation actions.

3.  Collect risk information from previous and similar systems (e.g.,
from accident databases)

Marvin Rausand. Risk Assessment Section 9.4
PHA team

A typical PHA team may consist of:

1.  A team leader (facilitator) with competence and experience in the
method to be used.
2.  A secretary who will report the results.
3.  Team members (2-6 persons) who can provide the necessary
knowledge and experience on the system being analyzed.

How many team members should participate will depend on the
complexity of the system and also on the objectives of the analysis.
Some team members may participate only in parts of the analysis.

Marvin Rausand. Risk Assessment Section 9.4


System functions

As part of the system familiarization it is important to consider:

1.  What is the system dependent upon (inputs)?

2.  What activities are performed by the system (functions)?

3.  What services does the system provide (output)?

Marvin Rausand. Risk Assessment Section 9.4


System breakdown

To be able to identify all hazards and events, it is often necessary to
split the system into manageable parts, for example, into three
categories:

1.  System parts (e.g., process units)
2.  Activities
3.  Exposed to risk (who, what are exposed?)

Marvin Rausand. Risk Assessment Section 9.4


Selection of PHA worksheet
The results of the PHA are usually reported by using a PHA worksheet (or, a
computer program). A typical PHA worksheet is shown below. Some
analyses may require other columns, but these are the most common.

Marvin Rausand. Risk Assessment Section 9.4


Winter navigation system – an example of systematic
hazard identification

Critch S., Goerlandt F., Montewka J., Kujala P. Towards a risk model for the Baltic maritime winter navigation system.
IWNTM13: International Workshop on Nautical Traffic Models 2013, Delft, The Netherlands, July 5-7, 2013
http://repository.tudelft.nl/view/conferencepapers/uuid:f8e5f51d-7db9-4219-959f-2a39ebf35621/
Marvin Rausand. Risk Assessment Section 9.4
Hazard identification
All hazards and possible hazardous events must be identified.

It is important to consider all parts of the system, operational modes,
maintenance operations, safety systems, and so on.

All findings shall be recorded. No hazards are too insignificant to be
recorded.

“If something can go wrong, sooner or later it will”.

Marvin Rausand. Risk Assessment Section 9.4


How to identify the hazards ?
•  Examine similar existing systems.
•  Review previous hazard analyses for similar systems.
•  Review hazard checklists and standards.
•  Consider energy flow through the system.
•  Consider inherently hazardous materials.
•  Consider interactions between system components.
•  Review operation specifications, and consider all environmental
factors.
•  Use brainstorming in teams.
•  Consider human/machine interface.
•  Consider usage mode changes.
•  Try small scale testing, and theoretical analysis.
•  Think through a worst case what-if analysis.

Marvin Rausand. Risk Assessment Section 9.4


Additional data sources
To aid prediction of what can happen in the future it is possible to see what actually
has happened in the past:

•  Accident reports/databases
•  Accident Investigation Boards
•  Accident statistics
•  Relevant maritime authorities e.g. HELCOM, DAMSA, TraFi
•  Near miss/ dangerous occurrence reports
•  VTS reports
•  Reports from authorities or governmental bodies
•  Expert judgment
•  Workshops, interviews, questionnaires.

A list of accident data sources may be found on:
http://www.ntnu.edu/ross/books/risk

Marvin Rausand. Risk Assessment Section 9.4


Frequency and consequence estimation
The risk related to a hazardous event is a function of the frequency of the event and
the severity of its potential consequences.

To determine the risk indicator (RI), the frequency and the severity of each hazardous
event is to be assessed.

A hazardous event may lead to a wide range of consequences, ranging from negligible
to catastrophic.
A fire may, for example, be extinguished very fast and give minor consequences, or
lead to a disaster.
In some applications the severity of an average consequence of a hazardous event is
assessed.
In other applications we consider several possible consequences, including the worst
foreseeable consequence of the hazardous event.

Marvin Rausand. Risk Assessment Section 9.4


Severity of the consequences - classes
Definition of consequences index [Ostvik I.HAZID for LNG tankers. 2005]
Severity of the consequences - estimation
When estimating the frequency of an event, we have to bear in mind which consequences we
consider.
•  In some applications we estimate the frequency of each hazardous event. To be used in risk
ranking, this frequency has to be related to the severity of an average consequence of each
particular hazardous event.
•  In other applications we consider specific (e.g., worst case) consequences of a hazardous
event. We must then estimate the frequency that the hazardous event produces a specific
consequence. This may involve a combined assessment, for example, the frequency of the
hazardous event, the probability that personnel are present, the probability that the personnel
are not able to escape, and so on.

For each hazardous event, we may want to present several consequences with associated
frequencies. Consider a hazardous event where a ship navigating along the ice channel in a
convoy collides with another ship in the convoy. In most cases the consequence of such an
accident will be minor (low severity and rather high frequency). In a very seldom case, the collision
may result in a ship loss (high severity and very low frequency). Both consequences should be
recorded in the PHA worksheet.
In some applications we may want to present both the frequency of the hazardous event and
frequencies of various consequences.

Marvin Rausand. Risk Assessment Section 9.4


Frequency - classes
Definition of probability index [Ostvik I.HAZID for LNG tankers]
Risk index ranking
The risk matrix is used to assign risk levels to each of the combinations of probability
of occurrence and consequence of events.
The risk levels are effectively measured on a logarithmic scale:

Risk Index = Probability × Consequence

log(Risk Index) = log(Probability) + log(Consequence)

Risk matrix legend:
•  Acceptable
•  Acceptable – use ALARP principle and consider further investigation
•  Not acceptable – risk reducing measures required
The matrix defines three risk levels:
1.  Negligible risk
2.  Acceptable risk if ALARP (As Low As Reasonably Practicable)
3.  Unacceptable risk

Risk matrix provides a traceable framework for explicit consideration of the frequency
and consequences of hazards.
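A worked example of the risk-index ranking described above, added here and not part of the lecture or of Rausand's or Ostvik's material. The 1..5 probability and consequence index scales, the thresholds that separate the three risk levels, and the worksheet rows (the ice-convoy collision recorded once per consequence, as the slides recommend) are all constructed assumptions; a real PHA uses the index definitions agreed by the analysis team. Because each index step is taken to be one decade, the matrix ranks by the sum of the two indices, which is the logarithmic form of Risk Index = Probability × Consequence; the function sum_rule_holds checks that equivalence against decade-scaled values.

```python
"""Risk-index ranking on a log-scale risk matrix, as used in a PHA.

Added example, not from the lecture or from Rausand/Ostvik. The 1..5
index scales, the level thresholds and the worksheet entries are
constructed assumptions.
"""
from dataclasses import dataclass
from math import log10

# Constructed index scales. Each step is taken to be one decade, so an
# index behaves like log10 of the underlying frequency or loss. That is
# why log(Risk Index) = log(Probability) + log(Consequence) lets the
# matrix rank by the SUM of the two indices.
PROBABILITY_INDEX = {1: "remote", 2: "unlikely", 3: "occasional",
                     4: "probable", 5: "frequent"}
CONSEQUENCE_INDEX = {1: "negligible", 2: "minor", 3: "significant",
                     4: "severe", 5: "catastrophic"}

# Constructed thresholds on RI = PI + CI (RI ranges from 2 to 10).
NEGLIGIBLE_MAX = 4   # RI <= 4: negligible risk
ALARP_MAX = 7        # 5..7: acceptable if ALARP, consider further investigation
                     # RI >= 8: not acceptable, risk reducing measures required


@dataclass(frozen=True)
class PhaEntry:
    """One PHA worksheet row: a hazardous event with one of its consequences."""
    hazardous_event: str
    consequence: str
    probability_index: int
    consequence_index: int


def risk_index(probability_index: int, consequence_index: int) -> int:
    """Log-scale risk index: the sum of the two indices (validated)."""
    if probability_index not in PROBABILITY_INDEX:
        raise ValueError(f"probability index out of range: {probability_index}")
    if consequence_index not in CONSEQUENCE_INDEX:
        raise ValueError(f"consequence index out of range: {consequence_index}")
    return probability_index + consequence_index


def risk_level(ri: int) -> str:
    """Map a risk index to one of the three levels the matrix defines."""
    if ri <= NEGLIGIBLE_MAX:
        return "negligible"
    if ri <= ALARP_MAX:
        return "acceptable if ALARP"
    return "not acceptable"


def linear_risk(probability_index: int, consequence_index: int) -> float:
    """Risk Index = Probability * Consequence with decade scaling:
    10**(PI-1) * 10**(CI-1)."""
    return 10.0 ** (probability_index - 1) * 10.0 ** (consequence_index - 1)


def sum_rule_holds(probability_index: int, consequence_index: int) -> bool:
    """log10 of the product equals (PI-1) + (CI-1), i.e. the index sum minus 2."""
    expected = (probability_index - 1) + (consequence_index - 1)
    return abs(log10(linear_risk(probability_index, consequence_index)) - expected) < 1e-9


def risk_matrix() -> dict:
    """Every cell of the 5x5 matrix, keyed (PI, CI), mapped to its risk level."""
    return {(pi, ci): risk_level(risk_index(pi, ci))
            for pi in PROBABILITY_INDEX for ci in CONSEQUENCE_INDEX}


def rank_worksheet(entries: list) -> list:
    """Highest risk first; ties broken by the worse consequence."""
    return sorted(entries,
                  key=lambda e: (risk_index(e.probability_index, e.consequence_index),
                                 e.consequence_index),
                  reverse=True)


# Constructed worksheet for the winter-navigation convoy example.
WORKSHEET = [
    PhaEntry("Collision with another ship in the ice convoy",
             "Hull dent, minor damage", probability_index=4, consequence_index=2),
    PhaEntry("Collision with another ship in the ice convoy",
             "Ship loss", probability_index=1, consequence_index=5),
    PhaEntry("Engine-room fire", "Extinguished quickly, no injuries",
             probability_index=3, consequence_index=1),
    PhaEntry("Collision with ro-pax ferry in the convoy",
             "Multiple fatalities", probability_index=3, consequence_index=5),
]


def ranked_report(entries: list = WORKSHEET) -> list:
    """(event, consequence, RI, level) tuples, highest risk first."""
    report = []
    for e in rank_worksheet(entries):
        ri = risk_index(e.probability_index, e.consequence_index)
        report.append((e.hazardous_event, e.consequence, ri, risk_level(ri)))
    return report


if __name__ == "__main__":
    for row in ranked_report():
        print(row)
```

The tie between the two consequences of the same convoy collision (both RI 6) is resolved by listing the worse consequence first; a team would normally decide such tie-breaking rules before the session so that the ranking stays traceable.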
Risk index ranking – example risk matrices (figures)

[Ostvik I. HAZID for LNG tankers. 2005]

http://www.lgi.ecp.fr/~li/materials/keynote_Enrico_Zio_PSAM_11_ESREL_2012.pdf
Preliminary Hazard Analysis – reviewing and revising

Review/update a PHA whenever:

•  The system matures and more is learned about it.
•  The system equipment is modified.
•  Maintenance or operating procedures change.
•  A mishap or near-miss occurs.
•  Environmental conditions change.
•  Operating parameters change.

Marvin Rausand. Risk Assessment Section 9.4


Preliminary Hazard Analysis – pros and cons

Pros:
•  Helps ensure that the system is safe.
•  Modifications are less expensive and easier to implement in the earlier
stages of design.
•  Decreases design time by reducing the number of surprises.

Cons:
•  Hazards must be foreseen by the analysts.
•  The effects of interactions between hazards are not easily recognized.

Marvin Rausand. Risk Assessment Section 9.4


Preliminary Hazard Analysis in a nutshell
Risk index level and actions
Each entry in the PHA worksheet may be given a specific risk level, for example (from
Norsk Hydro, 2002):

Marvin Rausand. Risk Assessment Section 9.4


Failure modes, effects, and criticality analysis (FMECA)
Failure modes, effects, and criticality analysis (FMECA) is a methodology to
identify and analyze:
•  All potential failure modes of the various parts of a system
•  The effects these failures may have on the system
•  How to avoid the failures, and/or mitigate the effects of the failures on the
system

FMECA is a technique used to identify, prioritize, and eliminate potential
failures from the system, design or process before they reach the customer –
Omdahl (1988).

FMECA is a technique to “resolve potential problems in a system before they
occur.”

Marvin Rausand. Risk Assessment Section 9.6


Initially, the FMECA was called FMEA (Failure modes and effects analysis).
The C in FMECA indicates that the criticality (or severity) of the various
failure effects are considered and ranked.

Today, FMEA is often used as a synonym for FMECA. The distinction
between the two terms has become blurred.

Marvin Rausand. Risk Assessment Section 9.6


FMECA - background

•  FMECA was one of the first systematic techniques for failure analysis.
•  FMECA was developed by the U.S. Military. The first guideline was Military
Procedure MIL-P-1629 “Procedures for performing a failure mode, effects
and criticality analysis” dated November 9, 1949.
•  FMECA is the most widely used reliability analysis technique in the initial
stages of product/system development.
•  FMECA is usually performed during the conceptual and initial design
phases of the system in order to assure that all potential failure modes
have been considered and the proper provisions have been made to
eliminate these failures.

Marvin Rausand. Risk Assessment Section 9.6


FMECA – where can it be used?

•  Assist in selecting design alternatives with high reliability and high safety
potential during the early design phases.
•  Ensure that all conceivable failure modes and their effects on operational
success of the system have been considered.
•  List potential failures and identify the severity of their effects.
•  Develop early criteria for test planning and requirements for test
equipment.
•  Provide historical documentation for future reference to aid in analysis of
field failures and consideration of design changes.
•  Provide a basis for maintenance planning.
•  Provide a basis for quantitative reliability and availability analyses.

Marvin Rausand. Risk Assessment Section 9.6


FMECA – basic questions

•  How can each part conceivably fail?
•  What mechanisms might produce these modes of failure?
•  What could the effects be if the failures did occur?
•  Is the failure in the safe or unsafe direction?
•  How is the failure detected?
•  What inherent provisions are provided in the design to compensate for
the failure?

Marvin Rausand. Risk Assessment Section 9.6


FMECA – when to perform?
FMECA should be initiated as early in the design process as possible, where we are able
to have the greatest impact on the equipment reliability.
The locked-in cost versus the total cost of a product is illustrated in the figure:

Locked-in costs: costs that have not yet been incurred but that will be
incurred in the future on the basis of decisions that have already been
made. Also called designed-in costs.

Marvin Rausand. Risk Assessment Section 9.6


Types of FMECA
•  Design FMECA is carried out to eliminate failures during equipment
design, taking into account all types of failures during the whole life-span
of the equipment.

•  Process FMECA is focused on problems stemming from how the
equipment is manufactured, maintained or operated.

•  System FMECA looks for potential problems and bottlenecks in larger
processes, such as entire production lines.

Marvin Rausand. Risk Assessment Section 9.6


Two approaches to FMECA
Bottom-up approach
•  The bottom-up approach is used when a system concept has been
decided.
•  Each component on the lowest level of indenture is studied one-by-one.
The bottom-up approach is also called hardware approach.
•  The analysis is complete since all components are considered.

Top-down approach
•  The top-down approach is mainly used in an early design phase before
the whole system structure is decided.
•  The analysis is usually function oriented. The analysis starts with the main
system functions - and how these may fail. Functional failures with
significant effects are usually prioritized in the analysis.
•  The analysis will not necessarily be complete.
•  The top-down approach may also be used on an existing system to focus
on problem areas.

Marvin Rausand. Risk Assessment Section 9.6


FMECA standards
•  MIL-STD 1629 “Procedures for performing a failure mode and effect
analysis”
•  IEC 60812 “Procedures for failure mode and effect analysis (FMEA)”
•  BS 5760-5 “Guide to failure modes, effects and criticality analysis (FMEA
and FMECA)”
•  SAE ARP 5580 “Recommended failure modes and effects analysis
(FMEA) practices for non-automobile applications”
•  SAE J1739 “Potential Failure Mode and Effects Analysis in Design
(Design FMEA) and Potential Failure Mode and Effects Analysis in
Manufacturing and Assembly Processes (Process FMEA) and Effects
Analysis for Machinery (Machinery FMEA)”
•  SEMATECH (1992) “Failure Modes and Effects Analysis (FMEA): A Guide
for Continuous Improvement for the Semiconductor Equipment Industry”

Marvin Rausand. Risk Assessment Section 9.6


FMECA – main steps
1.  FMECA prerequisites

2.  System structure analysis

3.  Failure analysis and preparation of FMECA worksheets

4.  Team review

5.  Corrective actions

Marvin Rausand. Risk Assessment Section 9.6


FMECA – prerequisites
1.  Define the system to be analyzed
i.  System boundaries (which parts should be included and which
should not).
ii.  Main system missions and functions (incl. functional requirements).
iii.  Operational and environmental conditions to be considered.
iv.  Interfaces that cross the design boundary should be included in the
analysis.

2.  Collect available information that describes the system to be analyzed,
including drawings, specifications, schematics, component lists, interface
information, functional descriptions.

3.  Collect information about previous and similar designs from internal and
external sources, interviews with design personnel, operations and
maintenance personnel, component suppliers.

Marvin Rausand. Risk Assessment Section 9.6


FMECA – system structure analysis
•  Divide the system into manageable units - typically functional elements.
•  To what level of detail we should break down the system will depend on
the objective of the analysis.
•  It is often desirable to illustrate the structure by a hierarchical tree
diagram:

Marvin Rausand. Risk Assessment Section 9.6


FMECA – system structure analysis
•  In some applications it may be beneficial to illustrate the system by a
functional block diagram (FBD) as illustrated in the following figure.

Marvin Rausand. Risk Assessment Section 9.6


FMECA – system structure analysis
•  The analysis should be carried out at as high a level in the system
hierarchy as possible.

•  If unacceptable consequences are discovered at this level of resolution,
then the particular element (subsystem, sub-subsystem, or component)
should be divided into further detail to identify failure modes and failure
causes on a lower level.

•  Starting at too low a level will give a complete analysis, but may at the
same time be a waste of effort and money.

FMECA worksheet
A suitable FMECA worksheet has to be decided. In many cases the client (customer) will have requirements for the worksheet format, for example so that it fits into her maintenance management system.

For each system element (subsystem, component) the analyst must consider all the functions of the element in all its operational modes, and ask whether any failure of the element may result in any unacceptable system effect.

If the answer is no, then no further analysis of that element is necessary.

If the answer is yes, then the element must be examined further.

FMECA – risk ranking
The risk related to the various failure modes is often presented either by a:

•  Risk matrix,

•  Risk priority number (RPN).

FMECA – risk ranking
Risk priority number (RPN):

RPN = S x O x D

S - the rank of the severity of the failure mode

O - the rank of the occurrence of the failure mode

D - the rank of the likelihood that the failure will be detected before the system reaches the end-user/customer.

•  All ranks are given on a scale from 1 to 10, and the smaller the RPN, the better.
•  The definition of the ranks O, S, and D depends on the application and the FMECA standard that is used.
•  O, S, D, and the RPN can have different meanings for each FMECA.
•  Sharing numbers between companies and groups is very difficult.

FMECA – review team
A design FMECA should be initiated by the design engineer.
A system/process FMECA should be initiated by the systems engineer.

The following personnel may participate in reviewing the FMECA (the participation will depend on the type of equipment, application, and available resources):
•  Project manager
•  Design engineer (hardware/software/systems)
•  Test engineer
•  Reliability engineer
•  Quality engineer
•  Maintenance engineer
•  Field service engineer
•  Manufacturing/process engineer
•  Safety engineer

FMECA – review objectives
The review team studies the FMECA worksheets and the risk matrices and/or the risk priority numbers (RPN).

The main objectives of the review are:
•  To decide whether or not the system is acceptable.
•  To identify feasible improvements of the system to reduce the risk.

This may be achieved by:
•  Reducing the likelihood of occurrence of the failure.
•  Reducing the effects of the failure.
•  Increasing the likelihood that the failure is detected before the system reaches the end-user.

If improvements are decided, the FMECA worksheets have to be revised and the RPN should be updated.

Problem solving tools like brainstorming, flow charts, Pareto charts and nominal group technique may be useful during the review process.

FMECA – selection of actions
The risk may be reduced by introducing:
•  Design changes
•  Engineered safety features
•  Safety devices
•  Warning devices
•  Procedures/training

The risk reduction related to a corrective action may be assessed by comparing the RPN for the initial and the revised concept, respectively. A simple example is given in the following table.
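Worked example of the RPN ranking defined above (RPN = S x O x D, ranks 1 to 10) and of measuring a corrective action by comparing the RPN of the initial and the revised concept. This is added code, not from the lecture or from Rausand's book; the failure modes, their ranks, and the convention that a high D rank means the failure is unlikely to be detected are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class FailureMode:
    """One FMECA worksheet row: an element, how it fails, and its ranks."""
    element: str     # system element (subsystem or component)
    mode: str        # failure mode
    severity: int    # S: rank of the severity of the end effect
    occurrence: int  # O: rank of how often the failure mode occurs
    detection: int   # D: detection rank; assumed convention: a high rank means
                     #    the failure is unlikely to be detected before delivery

    def __post_init__(self):
        # Ranks are on a 1..10 scale, so an RPN lies between 1 and 1000.
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} rank {value} is outside 1..10")

    @property
    def rpn(self) -> int:
        """RPN = S x O x D; the smaller, the better."""
        return self.severity * self.occurrence * self.detection


def rank_by_rpn(worksheet):
    """Order worksheet rows from highest (worst) to lowest RPN."""
    return sorted(worksheet, key=lambda fm: fm.rpn, reverse=True)


def risk_reduction(initial, revised):
    """Fraction of the initial RPN removed by a corrective action."""
    return 1.0 - revised.rpn / initial.rpn


# Constructed sample rows for a ship's machinery space (illustrative only).
WORKSHEET = [
    FailureMode("Steering gear", "Hydraulic pump loses pressure", 9, 3, 4),
    FailureMode("Bilge alarm", "Level sensor stuck at 'dry'", 6, 4, 8),
    FailureMode("Main engine", "Fuel filter clogs", 5, 6, 2),
]

# Corrective action (an engineered safety feature): a second, independent
# bilge level sensor. S and O are unchanged; only detection improves.
REVISED_BILGE = replace(WORKSHEET[1], detection=3)

if __name__ == "__main__":
    for fm in rank_by_rpn(WORKSHEET):
        print(f"RPN {fm.rpn:4d}  {fm.element}: {fm.mode}")
    print(f"Bilge alarm: {WORKSHEET[1].rpn} -> {REVISED_BILGE.rpn} "
          f"({risk_reduction(WORKSHEET[1], REVISED_BILGE):.0%} reduction)")
```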

FMECA – application areas
•  Design engineering.
The FMECA worksheets are used to identify and correct potential design
related problems.

•  Manufacturing.
The FMECA worksheets may be used as input to optimize production,
acceptance testing, etc.

•  Maintenance planning.
The FMECA worksheets are used as an important input to maintenance
planning – for example, as part of reliability centered maintenance
(RCM). Maintenance related problems may be identified and corrected.

FMECA in design

FMECA – in a nutshell

FMECA – pros and cons
PROS:
•  FMECA is a very structured and reliable method for evaluating hardware
and systems.
•  The concept and application are easy to learn, even by a novice.
•  The approach makes evaluating even complex systems easy to do.

CONS:
•  The FMECA process may be tedious, time-consuming (and expensive).
•  The approach is not suitable for multiple failures.
•  It is too easy to forget human errors in the analysis.

Next lecture
•  Techniques for Human Reliability Analysis

•  Examples
