Time basis ship safety assessment model for a novel ship design


Ocean Engineering 59 (2013) 179–189 Contents lists available at SciVerse ScienceDirect Ocean Engineering journal homepage: www.elsevier.com/locate/o...



Hee Jin Kang a,*, Young-Soon Yang b, Jin Choi a, Jong-Kap Lee a, Dongkon Lee a

a Marine Transportation Research Division, Maritime and Ocean Engineering Research Institute, KIOST 1312 Beon-gi 32, Yuseongdaero, Yuseong-gu, Daejeon 305-343, Korea
b Research Institute of Marine System Engineering, Seoul National University, Gwanak-ro, Gwanak-gu, Seoul 151-744, Korea

Article info

Article history: Received 5 January 2012; Accepted 1 December 2012; Available online 8 January 2013

Abstract

As the size of ships grows and new types of ships (so-called “novel ships”) begin to appear, a single maritime accident can cause a massive loss of life and damage to the environment and property. To prevent and mitigate maritime accidents, the European Commission conducted the SAFEDOR project. The International Maritime Organization is developing new standards, such as the Formal Safety Assessment. From such activities, a considerable number of good methodologies, processes and tools have been developed. However, these standards are still not easily implemented for a novel ship design because of time and budget limitations in the design. From this perspective, a time basis ship safety assessment model has been proposed in this paper. This model will support the design process with repetitive and rapid safety assessments by establishing a common understanding among stakeholders in the early design phase without the need to reveal designers’ intellectual property. Because the model treats the time between failure propagations as time for damage mitigation, it is possible to generate more cost-effective risk control options or to give more design freedom. Furthermore, the damage effects assessment database using the model will be helpful for decision making in an emergency during operation phases. © 2012 Elsevier Ltd. All rights reserved.

Keywords: Novel ship Safety assessment Ship design Risk IMO FSA SAFEDOR

1. Introduction

When we design a novel ship, the risk assessment process is required to ensure appropriate safety. Though related studies have applied risk-based approaches to ship design and rule making, such as those performed through the SAFEDOR (Design, Operation and Regulation for Safety) project, International Maritime Organization (IMO) activities and other valuable studies such as those by Papanikolaou (2009), Guedes and Teixeira (2001), Wang (2002), Konovessis and Vassalos (2008) and Vanem and Ellis (2010), a risk-based approach is still difficult and unfamiliar to ship designers. For risk-based design (RBD), defining design safety goals is required. Identification of hazards, risk analysis and assessment are also required (Papanikolaou, 2009). However, applying RBD to real ship design has a considerable number of challenges. Risk-based ship design is time consuming because there is an insufficient amount of needed information, unfamiliarity with the risk-based design methodology, and an approval process for the designers. As shown in Fig. 1, design freedom continually decreases, and any design changes in the late stages of the design phase can cause project failure.

* Corresponding author. Tel.: +82 42 866 3417; fax: +82 42 866 3429. E-mail address: [email protected] (H.J. Kang).

0029-8018/$ - see front matter © 2012 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.oceaneng.2012.12.007

Safety assessments for a novel design often depend on expert opinions because of the lack of useful historical data. When performing safety assessment, it is important to share and foster the same views and ways of thinking with regard to the designed ship among stakeholders because each of the stakeholders has different levels of knowledge and standpoints. In addition, all design processes are limited by time and budget constraints. Finally, it is difficult for a shipyard to share all design data, information and knowledge that contains their intellectual property. From this perspective, for the practical design process of a novel ship, a concretized supplemental tool that allows the existing risk-based design methodologies to be applied is required because no existing rules can fulfill all of the needs of the designers and the specific character of a ship should also be considered during safety assessment.

For this reason, a time-based ship safety assessment model (SSAM) and an SSAM-based safety management framework are proposed in this paper as a supplemental tool to utilize the gains from SAFEDOR and the FSA. SSAM does not create the risk model. SSAM describes a ship with its mission-based functional hierarchy. Mission-related functions, systems and sub-systems, including other safety-related matters, are dealt with in SSAM. A ship has missions (tasks) that have to be completed during loading, unloading and cruising. Furthermore, all of the mission-capability-related functions, systems and sub-systems should be defined and analyzed from the viewpoint of safety in mission capability. Sometimes, a single instance of damage to a subsystem (or piece of equipment) of a ship does not instantly cause upper-level system or function failure, and the time required for failure to occur is a unique characteristic of each ship. The time between failure propagation is important if the failure can be mitigated or prevented in that time. The SSAM structurally describes a ship’s functional hierarchy, including not only functions, systems, and subsystems but also their environmental context, organizational/managerial infrastructure, personnel subsystems and technical/engineering systems on a time basis. Furthermore, the SSAM is used for safety assessments, for repetitive and rapid ship design and for life-cycle safety management. The concept of SSAM looks complex and may be difficult to make. However, SSAM is reusable and helpful for understanding the cause and effect of each hazard and the effect of design changes (risk control options) from a safety viewpoint.

Fig. 1. Design freedom, knowledge and product life-cycle cost related to the design process. (Verhagena et al., 2012).

2. Study of recent developments

2.1. Risk based ship design

Because a maritime accident can cause fatalities and environmental and property damage, ensuring appropriate safety measures and preventing or mitigating damage from an accident is very important. Recently, the SAFEDOR project has completed operations as an integrated project under the 6th framework program of the European Commission (Papanikolaou, 2009; Breinholt et al., 2009). From the SAFEDOR project, the definition of a safe ship design has been clarified, and the framework and tools for risk-based ship design have also been introduced. Though absolute safety does not exist, safety is defined as ‘freedom from unacceptable risk’, and safety can be achieved by reducing risk to a tolerable or acceptable level. For risk-based ship designs, the SAFEDOR project has had a pivotal role in providing methodologies, processes and tools. Risk is the combination of the frequency and the severity of consequence, as shown in Eqs. (1), (2) and (3) (Jasionowski and Vassalos 2006).

$$\mathrm{Risk}_{PLL} = E(N) = \sum_{i=0}^{N_{\max}} F_N(i) \tag{1}$$

$$F_N(N) = \sum_{i=N}^{N_{\max}} fr_N(i) \tag{2}$$

$$fr_N(N) = \sum_{j=1}^{n_{hz}} fr_{hz}(hz_j) \cdot pr_N(N \mid hz_j) \tag{3}$$

where PLL is the potential loss of life, $fr_N(N)$ is the frequency of exactly N fatalities occurring per ship year, $n_{hz}$ is the number of loss scenarios considered, $hz_j$ represents a loss scenario, $fr_{hz}(hz_j)$ is the frequency of scenario $hz_j$ occurring per ship year and $pr_N(N \mid hz_j)$ is the probability of exactly N fatalities occurring when $hz_j$ has occurred.

The HAZID-based risk assessment process, shown in Fig. 2, is important when we are considering risk-based ship design. For a successful safe ship design, safety assessment should be performed during the early design phase, which has insufficient data, information and knowledge about the ship and safety-related matters. For safety assessment, determining how to understand the design objectively and how to compromise between the different opinions of stakeholders is important. From these requirements, a supplement for aiding the stakeholders’ understanding of the design and safety assessment is required.

Fig. 2. Iterative process of risk assessment and risk reduction (ISO/IEC 1999, 1999).

2.2. Formal safety assessment

The FSA (formal safety assessment) is a tool for creating risk-based rules, but it is not a standard for ship design. Specifically, as presented by MSC/Circ.1023 and MEPC/Circ.392 (IMO, 2007), the FSA is a structured and systematic methodology based on risk analysis and cost-benefit assessment to secure higher levels of maritime safety with respect to life, health, the environment and property. For a novel ship design, risk modeling is required through Step 1 and Step 2 of the FSA, as shown in Fig. 3(a). For risk modeling and developing risk control options, the generic model of the FSA should be used for the systematic consideration of various factors and understanding among stakeholders. According to MSC/Circ.1023–MEPC/Circ.392, the generic model should describe the functions, features, characteristics and attributes in terms of the organizational, managerial, operational, human, electronics and hardware aspects that fulfill the defined functions.

However, when we assume that the generic model of the FSA is used for a novel ship design, the model is somewhat abstract for designers and confusing to use because the FSA serves as a concept of the generic model, as shown in Fig. 3(b) (IMO, 2007). As an integrated system for the design of a novel ship, the generic model should be functionally and hierarchically composited in a more detailed form. Each technical/engineering system and their relation to the organizational, managerial, operational, and human aspects should be structurally defined. Only from this definition can designers and stakeholders of safety assessment establish a common understanding, irrespective of their knowledge level and standpoint.

3. SSAM, a concretized generic model

The understanding of the stakeholders affects the HAZID result during the design phase of a novel ship (KaijiKyokai, 2009). In addition, many risk control options should be repeatedly assessed and applied to the design result. However, the practical design process may not be viable because of limited time and budget constraints. Therefore, an objective and concretized generic model will be extremely helpful for safety assessments. Similar to how a product model is used for designing and building a ship, the SSAM is a type of model for safe ship design, especially for safety assessment activities during the early design phase.

3.1. IDEF0, a systematic backbone for SSAM

To construct the generic model for safety assessments during the design phase of a novel ship, hierarchical elements of functions and systems that affect the ship’s safety or mission capability should be defined. When we refer to the top level of the functional hierarchy of a ship, the mission (or task) is significant. For example, missions such as safe loading, unloading and shipping are the main duties of a cargo ship. The hierarchy of the mission may consist of several functions, systems and subsystems. Functions are the functional components of a mission. For example, maneuverability for safe shipping can be a function of a safe shipping mission. The systems are components of a function, and subsystems (or equipment) are a subset of a system. Each subsystem (equipment) consists of various compartments.

After defining the functional hierarchy of a ship, it is important to determine how the environmental context, organizational/managerial infrastructure, personnel subsystem and technical/engineering systems in the functional hierarchy can be used effectively. To address this issue, the integration definition for function modeling (IDEF0) concept is considered in this paper. The IDEF0 is a function modeling methodology used to describe manufacturing functions that offer a functional modeling language for the analysis, development, re-engineering, and integration of informational systems, business processes, or software engineering analysis (Hanrahan, 1995). Using this concept, the environmental context, organizational/managerial infrastructure, personnel subsystem, and technical/engineering systems can be effectively considered to be the elements of the input, output, control and mechanism in each hierarchical level of the IDEF0 format. Fig. 4 and Table 1 show the IDEF0-based hierarchical representation concept for the SSAM from the point of view of the mission capability. In Fig. 4, the mission, functions, systems, subsystems and components are described by the input, output, control and mechanism of the IDEF0 format. Similarly, it is possible to consider variable factors such as the environmental context, organizational/managerial infrastructure, personnel subsystem and technical/engineering system in a simple format.

Although the IDEF0 provides a good framework for the SSAM, the IDEF0 concept still requires complements to be used for ship design. First, the location of each system and subsystem should be recorded in the SSAM because the location information for each piece of equipment is required to assess the safety of some of the essential systems under specific damage scenarios. Secondly, the acceptable operational limit of each key system and subsystem, such as heel, trim, and vertical acceleration limit, should be recorded. When a ship is damaged, systems in the damaged zone are gradually affected and disabled by flooding water, or they are immediately affected by shock and structural transformation, and these characteristics should be considered. Other systems that are not directly affected by the accident can also be affected by the behavior of the ship as it changes over time. If flooding water gradually changes the behavior of the ship and finally causes excessive trim and heel to a system or subsystem, the system will fail to operate normally, and the subsequent failure will affect the related functions and mission operability. Then, the duration time, which is the time between a lower level failure and an upper level failure, should be identified and considered because a single failure of a subsystem or piece of equipment in a zone of a ship sometimes does not cause the immediate failure of a mission or function capability. Finally, the dependency between the upper and lower levels of the hierarchy should be defined. Table 2 shows additional components of the IDEF0-based SSAM.

3.2. Time basis safety assessment and FT diagram

Fig. 3. FSA: (a) Flow chart of the IMO FSA methodology and (b) components of the integrated system (IMO, 2007).

For better understanding of the safety assessment process and the results for stakeholders, this paper proposes timing diagrams and FTs. Timing diagrams and FTs are very well known methods and are easy to understand (Gajski, 1997; Vesely et al. 1981). When considering a ship that has two essential systems, A (navigation radar) and B (generator), it is possible to generate simple damage scenarios as shown in Fig. 5. If an accident occurs near the waterline, progressive flooding will affect the operability of system B as time progresses. If we assume that the time required to affect the operability of system B after the accident is “time a”, then “time a” is the length of the first chance to mitigate the consequences of the damage. By using Boolean algebra and letting “1” denote mission capable status and “0” denote incapable status, it is possible to express the condition of the ship using a simple timing diagram. If systems A and B have an “AND” relationship with the mission capability, excessive heel resulting from flooding will affect the operability of system A after system B becomes disabled. If the period between the failure of systems A and B is “time b”, the period of “time b” will be the second chance to mitigate the consequences of the damage. In the timing diagram, if a single subsystem failure has time to propagate before becoming an upper-system failure, the time between failures is treated as the time available for mitigating the consequences of a lower-level failure. This time is very important because it can change the risk control option and its effectiveness. This special feature of the SSAM provides useful information for all stakeholders who are involved in the ship design and safety assessment.

The dependency between systems and subsystems can be expressed using Boolean algebra (such as “AND” and “OR”) (Gajski, 1997). Then, the propagation of failure resulting from damage to a zone of a ship can be quickly checked and expressed in an FT diagram, which is well known and easy to use and understand. By using an FT diagram, the designers can apply system redundancy or reallocate the systems in a cost-effective manner with the objective of understanding and producing agreement with the stakeholders in the safety assessment. The FT of the SSAM is slightly different from the existing FTs for system safety assessment because it shows the duration time between failures, as shown in Fig. 6. The timing diagram is intuitive and easy to understand because it shows the operability of each mission, function, system and subsystem with a ‘1’ (operable) or ‘0’ (not operable) on a time basis.

Fig. 7 presents an example of the ship definition format of the SSAM. When using the SSAM, the representational level of detail is flexible because the SSAM is applicable to the entire design phase of a ship. In the conceptual design phase, the SSAM can be composed of only primary systems; however, in the basic design phase, subsystems (or equipment) and component-level SSAMs can be outfitted as necessary. In this paper, only subsystem and equipment-level safety assessments are addressed because the design process of a ship does not address component-level design. After defining the missions, functions, systems and subsystems of the ship with the environmental context, organizational/managerial infrastructure, personnel subsystem and technical/engineering system in the design phase of a novel ship, damage scenarios or HAZID results can be applied to the SSAM for HazOP and the safety assessment.

Fig. 4. IDEF0-based and hierarchical mission-based ship representation concepts for the SSAM.

Table 1. Components and meaning of the IDEF0-based SSAM format.

| Level | Input | Output |
|---|---|---|
| 1 Mission | Linked functions to the mission (Ex) functions | Mission capability |
| 2 Function | Linked technical/engineering systems to the function (Ex) systems | Inputs of upper level (Ex) mission |
| 3 System | Linked technical/engineering sub-systems to the system (Ex) sub-systems | Inputs of upper level (Ex) functions |
| 4 Sub-system | Linked technical/engineering sub-systems to the sub-system (Ex) other sub-systems | Inputs of upper level (Ex) systems |

Control (all levels): Points to be considered at each level (Ex) the environmental context, organizational/management infrastructure, personnel subsystem at the level, including rules and regulations.

Mechanism (all levels): Stakeholders in design, inspection, operation aspects at each level (Ex) designers, owners, equip. makers, classification societies.

Table 2. Additional components of the IDEF0 for the SSAM.

| Component | Meaning |
|---|---|
| Location | Location of systems and subsystems |
| Limitation | Operational limit of heel, trim and vertical acceleration |
| Duration time | Time to affect upper-level missions, functions and systems |
| Dependency | Relationship between functions, systems and subsystems |

3.3. Application concept

Fig. 8 shows how to use the SSAM in a ship design phase. When SSAM is defined in the early design phase, safety-assessment-related

stakeholders can understand a ship’s behavior, including hierarchically organized system functionality and mission capability under specific damage scenarios. The safety assessment result obtained using SSAM is used for improving and relocating the design for safety aspects. To use the SSAM, we considered a ship that has adequate reliability. In this case, SSAM is used to assess the safety of a ship from the viewpoint of mission capability rather than the reliability of a ship. In contrast to reliability, the safety of the systems of a ship can be defined as the ability to protect functions or mission capabilities from an unexpected accident or damage because serious maritime accidents usually begin with a loss of function and mission failure rather than from the damage itself.

To explain the application concept of the SSAM, RoPax has been chosen for the sample design because of its high level of safety. From SOLAS (IMO, 2004), especially regulation 8-1, which is related to SRtP (safe return to port), it is easy to establish a simplified sample design with essential systems to explain the application concept. The LMIU RoPax casualty data from 1994 to 2004 for 1000 GRT and above indicates that collision, contact and hull damage account for 40% of the total incident numbers. The risk analysis results for RoPax indicate that 73% of PLLs consist of collision, grounding, impact and flooding. Because collision and grounding events are some of the most frequent causes of serious accidents at sea (Pedersen, 2010), a ship’s safety assessment usually includes collision as an important element in risk modeling. A collision incident may also propagate fire and flooding, and in practice, these events occur as a function of time. To mitigate the damage effects and improve ship safety, the IMO MSC 85/17/2 FSA-RoPax ship (IMO, 2008) contains recommendations for measures to improve damage stability and survivability.

The RCO assumes that the survivability of a damaged ship is “sufficiently” reflected by the attained subdivision index (A) and that the required subdivision index (R) should be increased to above 0.9 for an average-sized ferry (1100 persons onboard). When a ship attains a value of A > 0.9, the most significant damage cases from potential collisions can provide a survival time of 30 min or longer. However, a value of A > 0.9 may not be attractive to ship designers for a novel design. Designers need a large space in the hull for novel designs, but the resulting design may not satisfy the requirement of A > 0.9. From the perspective of shipyards, designers should verify the safety of the ship if they want to design a ship with a value of A less than 0.9. In this case, 10% of the most serious cases of collisions should be applied to the ship to confirm the possibility of a survival time of 30 min using the new design. To do this analysis, the SSAM should first be constructed, and the ship motions after incurring damage should then be analyzed. From a safety aspect, confirming the mission capability and functionality of the ship systems is important because damage can lead to fatal consequences when a ship loses her mission capability or functionality, even with a survival time of 30 min.

Fig. 5. Time basis safety assessment from simplified damage scenarios.

Fig. 6. Example of a time basis fault tree diagram that was derived from the SSAM.

When we want to know the damage effect more precisely and easily, we can establish missions such as safe shipping. Then, maneuverability can be one of the functions for the mission. The function is combined with complex systems and sub-systems. However, in this paper, a mission-based simplified ship that consists of the essential systems of propulsion, steering, steering control and navigation has been used. A real propulsion system has many tanks, valves, and pumps. However, a very simplified propulsion system with subsystems for the engine and fuel oil heater has been applied in this case study. Similarly, a simple subsystem set containing a steering control panel, an internal communication system and electricity for the steering system and the steering control system has been applied. In addition, subsystems for the navigation radar, information receiver and electricity for the navigation system have been applied (Izadi-Zamanabadi and Blanke, 1999; DNV, 2005; Hammer, 2005).

Fig. 7. Example of the SSAM definition format.

Fig. 8. Design process using Ship Systems Safety Assessment Model.

A simplified example of the ship definition format of the SSAM for this concept is shown in Fig. 9. In this SSAM, the input, output, control and mechanism of each mission, function, system and subsystem have been defined, including the duration for lower-level failure, the dependency on upper-level systems, the operational limitation and the location of each system and subsystem. When we assume that damage occurs in the hull of the generator room via a collision, and if the critical subsystem of the SS.1.1.1.2 fuel oil heater is located in the room, the flooding can cause the failure of S.1.1.1 propulsion. In this case, the SS.1.1.1.2 heater should be moved to another safe location or have redundancy, as suggested by SOLAS II-1 reg. 8-1 and SOLAS II-2 regs. 21 and 22. However, with the use of the SSAM for safety assessment, designers will be able to use their own novel design that does not follow SOLAS but still has a reasonable level of safety.

For example, consider a damage case caused by a collision that does not affect the structural safety of the designed ship but can cause subsystem failure by flooding. We call the time to gradual flooding that affects the operability of the SS.1.1.1.2 fuel oil heater in the engine room after the damage TF, and we call the time to stop the flooding by the crew after the damage TP. If TF > TP, then the design result can be assessed as safe for the damage case. If TF < TP, then the location of the SS.1.1.1.2 heater should be changed, or the subsystem should have redundancy. In any case, all of the design changes should be recorded with version information in the SSAM for repetitive and rapid safety assessments. For the S.1.1.2 steering system and steering control system, the SS.1.1.2.3 electricity can be affected by flooding in the generator room. However, the steering system can be manually operated in the steering gear room by using the SS.1.1.2.2 internal communication system between the steering gear room and the wheel house.

Fig. 9. Example of the SSAM for the application concept study.

For the S.1.1.3 navigation system, the SS.1.1.3.3 electricity has a redundant power source in case of an emergency, as stipulated by the rules and regulations. However, gradual flooding can change the behavior of the ship, resulting in excessive heel and trim and causing navigation radar failure. If we call the time necessary for gradual flooding to cause heel and trim effects on the normal operation of the SS.1.1.3.1 navigation radar TH, and the time required to prevent excessive heel and trim by ballasting or other means TB, the design result can be assessed as safe for the damage case if TH > TB. Fig. 10(a) shows the cause and effect of the damage from the viewpoint of mission capability with FTs. These FTs are derived from the “Dependency” information of the SSAM of Fig. 9. Fig. 10(b) shows the timing diagram of the sample damage scenario. From the event, SS.1.1.2.3 electricity will first be disabled. With increasing time, other systems will be affected by the ship’s behavior and flooding. This diagram intuitively presents the damage effects to the stakeholders. When we assume the time between failures from this diagram, it will be possible to generate more cost-effective valuable RCOs.

In summary, partial improvement to the safety assessment of a novel ship using the SSAM is expected. To use existing methodologies, processes and tools for risk-based design, it is possible to confirm a damaged ship’s behavior and the effects to the ship’s mission operability in a timely manner using the SSAM. The timing diagram and FT-based safety check are easy to understand for all stakeholders in the safety assessment. For shipyard designers, the SSAM will provide more design freedom. When designers want a novel design that violates existing rules and regulations, they can determine the safety of their own design by showing the options to mitigate the consequences of damage during the time of failure propagation from the lower level to the upper level of functionality.
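The time-basis fault tree check described in Sections 3.2 and 3.3, as an added example that is not code from the paper: it propagates subsystem failure times upward through AND/OR dependencies with a per-level duration time, applies the TF versus TP and TH versus TB comparison, and derives the timing-diagram rows and mitigation windows. Only the element identifiers come from the text; the gate choices (including modelling manual steering as an OR over electricity and internal communication), the 10-minute propulsion duration and every time value in minutes are constructed assumptions.

```python
"""Time-basis fault tree over an SSAM-style hierarchy (added example, constructed data)."""
from dataclasses import dataclass, field
from math import inf


@dataclass
class Node:
    """One SSAM element. `gate` is expressed in terms of operability:
    AND = every child must be operable, OR = one operable child is enough."""
    name: str
    gate: str = "AND"
    children: list = field(default_factory=list)
    duration: float = 0.0  # minutes between lower-level failure and this node's failure


def leaf_failure_times(damage, mitigation):
    """A subsystem is lost only if the damage effect arrives (TF, TH) before the
    countermeasure is complete (TP, TB). A tie is treated as a loss (conservative)."""
    return {name: (t_fail if t_fail <= mitigation.get(name, inf) else inf)
            for name, t_fail in damage.items()}


def failure_time(node, leaf_times, memo):
    """Minutes after the damage at which `node` stops being operable (inf = never)."""
    if node.name in memo:
        return memo[node.name]
    if node.gate not in ("AND", "OR"):
        raise ValueError(f"unknown gate {node.gate!r} on {node.name}")
    if not node.children:
        t = leaf_times.get(node.name, inf)
    else:
        child_times = [failure_time(c, leaf_times, memo) for c in node.children]
        # AND: the first child lost takes the node down; OR: the last one does.
        t = (min(child_times) if node.gate == "AND" else max(child_times)) + node.duration
    memo[node.name] = t
    return t


def assess(root, damage, mitigation=None):
    """Return {element name: failure time} for one damage case."""
    memo = {}
    failure_time(root, leaf_failure_times(damage, mitigation or {}), memo)
    return memo


def timing_row(times, name, grid):
    """Timing-diagram row: 1 = operable, 0 = not operable at each instant."""
    return [1 if t < times[name] else 0 for t in grid]


def mitigation_windows(times):
    """Gaps between successive failure instants ("time a", "time b", ...)."""
    instants = sorted({t for t in times.values() if t != inf})
    return [b - a for a, b in zip([0.0] + instants, instants)]


def build_sample_ship():
    """Simplified hierarchy from Section 3.3; gates and durations are assumptions."""
    heater = Node("SS.1.1.1.2 fuel oil heater")
    propulsion = Node("S.1.1.1 propulsion", "AND", [heater], duration=10.0)
    steer_power = Node("SS.1.1.2.3 electricity")
    steer_comm = Node("SS.1.1.2.2 internal communication")  # enables manual steering
    steering = Node("S.1.1.2 steering", "OR", [steer_power, steer_comm])
    radar = Node("SS.1.1.3.1 navigation radar")
    nav_power = Node("SS.1.1.3.3 electricity")  # redundant source, never lost here
    navigation = Node("S.1.1.3 navigation", "AND", [radar, nav_power])
    function = Node("maneuverability", "AND", [propulsion, steering, navigation])
    return Node("safe shipping", "AND", [function])


# Constructed damage case: minutes after a generator-room flooding event.
DAMAGE = {
    "SS.1.1.2.3 electricity": 5.0,        # disabled first
    "SS.1.1.1.2 fuel oil heater": 20.0,   # TF
    "SS.1.1.3.1 navigation radar": 35.0,  # TH (excessive heel and trim)
}

if __name__ == "__main__":
    ship = build_sample_ship()
    cases = {
        "no mitigation": {},
        "TP=15, TB=25": {"SS.1.1.1.2 fuel oil heater": 15.0,
                         "SS.1.1.3.1 navigation radar": 25.0},
    }
    grid = [0, 10, 20, 30, 40]
    for label, mitigation in cases.items():
        times = assess(ship, DAMAGE, mitigation)
        print(label, "| windows:", mitigation_windows(times))
        for name in ("S.1.1.1 propulsion", "S.1.1.3 navigation", "safe shipping"):
            print(f"  {name:20s}", timing_row(times, name, grid))
```
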

4. SSAM-based life-cycle safety management

The results of a safety assessment in the design phase of a ship can be collected to produce a database for onboard damage effect assessments. The database includes the time gap between failures and the estimated effects of damage on mission operability. During the operation phase, the crew can use the database when damage occurs to make decisions regarding whether to request damage control from the crew or the systems or to estimate the results of the damage. Though this type of database will not reflect all damage situations, it will be helpful for the decision making of officers in an emergency. The difference between the database and a real accident can be monitored and calibrated during the operation phase of a ship’s life-cycle. The monitored results and records should then be used to assess the safety of other novel ships and to improve the design from the perspective of mission capability-based safety. For a more detailed explanation, Fig. 11 illustrates how the safety assessment results from the design phase can be used in the operation phase to monitor and support emergency decision-making (Kang et al., 2011).

4.1. Ship product model and the SSAM

The ship product model is a model for ship building. Generally, a ship product model is a combination of 3D geometry and non-graphic attributes used to define ship objects, such as a piece of equipment, deck, or bulkhead (Rando and Briggs, 2006). The data for the ship product model can be organized to define interim products and the entire ship. Furthermore, the ship product model includes part and system definitions, design definitions, physical (geometry and material connections) definitions, engineering definitions, process definitions and logistics support via BOMs (bills of materials) (Rando and Briggs, 2006; Hegge, 1992). From the perspective of ship design and building, each element of the ship product model is closely related to the safety assessment because all of the information regarding the ship that is needed for the safety assessment is included in the ship product model. For this reason, the SSAM and ship product model should be considered together. With the attribute data of the SSAM, the SSAM can be used with the ship product model in the design phase. It will be very helpful for the designers to consider the engineering and safety aspects of a ship concurrently. For owners, this approach enables the usability of data, information and knowledge of ship design to be extended to the ship operation phase. Fig. 12 illustrates how the SSAM can be linked to the ship product model with attribute data.


Fig. 10. Examples of (a) a time-basis fault tree and (b) a timing diagram derived from the SSAM.

Fig. 11. Implementation concept of the SSAM and the safety management framework through life-cycle of a ship.

4.2. SSAM-based safety management framework

In the design phase, thousands of damage cases may need to be tested to improve the safety of a ship by changing the location of the systems and subsystems or by building in redundancy. Of course, this safety assessment process requires a considerable amount of time and cost. Thus, determining how to assess each damage case quickly with sufficient accuracy is the most important aspect to consider. If possible, all systems and subsystems should be checked for their operability when damage occurs. However, in the design phase, this check is nearly impossible because of the number of damage cases and the lack of data. Therefore, the designed safety management framework should check the operability of missions, functions and systems from damaged subsystems in the time domain. In this manner, the original design is modified and improved to fulfill the safety requirements. Using this concept, an SSAM-based safety management framework for life-cycle safety management is proposed in this work.
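The time-domain operability check described above, together with the damage effect database of Section 4, can be sketched as follows. This is an added illustration, not code from the paper: the subsystem names, propagation delays, damage cases and the gate rules (an OR node is lost when any input is lost, an AND node only when all redundant inputs are lost) are constructed assumptions.

```python
import math

# Constructed model (hypothetical names and delays, not taken from the paper).
# Each node maps to (gate, [(input, propagation_delay_minutes), ...]).
# "OR"  = node is lost when any input is lost (no redundancy).
# "AND" = node is lost only when all inputs are lost (redundant inputs).
MODEL = {
    "steering_system":   ("AND", [("hyd_pump_1", 0), ("hyd_pump_2", 0)]),
    "propulsion_system": ("OR",  [("main_engine", 0), ("lube_oil_pump", 20)]),
    "manoeuvring":       ("OR",  [("steering_system", 5)]),
    "mobility":          ("OR",  [("propulsion_system", 10)]),
    "transit_mission":   ("OR",  [("manoeuvring", 15), ("mobility", 0)]),
}

def failure_times(model, damage):
    """Return {node: minutes after the damage event at which it is lost}.

    `damage` maps damaged subsystems to their failure time in minutes.
    Undamaged subsystems and nodes that stay operable get math.inf.
    """
    memo = dict(damage)

    def lost_at(node):
        if node not in memo:
            if node not in model:              # undamaged leaf subsystem
                memo[node] = math.inf
            else:
                gate, inputs = model[node]
                arrivals = [lost_at(src) + delay for src, delay in inputs]
                memo[node] = min(arrivals) if gate == "OR" else max(arrivals)
        return memo[node]

    for node in model:
        lost_at(node)
    return memo

def damage_database(model, cases, mission):
    """Onboard lookup: damage case -> minutes available before mission loss."""
    return {name: failure_times(model, dmg)[mission] for name, dmg in cases.items()}

CASES = {  # constructed damage cases
    "one_pump_lost":   {"hyd_pump_1": 0},
    "both_pumps_lost": {"hyd_pump_1": 0, "hyd_pump_2": 30},
    "lube_oil_lost":   {"lube_oil_pump": 0},
}
DB = damage_database(MODEL, CASES, "transit_mission")
```

An infinite value means the redundancy absorbs the damage; a finite value is the time window left for damage mitigation before the mission is lost.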

Fig. 13 presents the framework that supports the safety assessment process in the design phase and the usage of SSAM in the operation phase. After concept design, the SSAM (as-is) should be constructed using data, information and knowledge from the concept design. The designed SSAM should be repeatedly assessed and reviewed among stakeholders through the initial design phase of the basic design. Before contract design of the basic design, all hazards are identified and assessed for risk modeling and assessment. The chosen RCOs will then be applied to the design result and repeatedly assessed via SSAM before the contract design of the basic design. After this process, the final design from a viewpoint of safety assessment will be established as the SSAM (to-be), and this SSAM will serve as a database for damage effect estimation for the onboard crew in the operation phase. After the design phase enters the detailed design and ship building phase, it is very difficult to change the design as a result of safety assessment. Through detailed design and building, the safety assessment result using SSAM will be validated. Furthermore, the safety assessment result will be monitored and calibrated through the operation phase of the ship. This framework is applicable to existing design processes because the framework is based on the IMO FSA and does not require significant changes to the existing ship design process.

Fig. 12. Schematic diagram of the data linkage between the SSAM and the ship product model.

Fig. 13. SSAM-based safety management framework.

By using the attribute data such as system or subsystem (or equipment) codes and location data provided by the SSAM, the framework can work with product data management (PDM) or product life-cycle management (PLM) software programs (Kropsu-Vehkapera et al., 2009; SAPAG, 2001). When an SSAM is merged with a product model in the design phase, it is possible to produce an integrated ship design environment not only for productivity but also for improved safety with respect to a ship’s life-cycle.

5. Conclusions

Though this study still has considerable room for improvement, the proposed SSAM concept and the SSAM-based safety management framework will be valuable for all stakeholders of a ship’s life-cycle from a safety and cost-effectiveness perspective. By using the SSAM, anyone who participates in the safety assessment process can share the same viewpoint and retain objectivity regarding the ship design. Designers can also use the SSAM and the proposed safety management framework for their designs because these methods support a simple, fast and accurate safety assessment methodology while working with their own existing design processes and tools. For a shipyard, it may not be desirable to use its intellectual property, such as design reports and drawings, for the safety assessment. The proposed SSAM contains only a ship’s mission-related features for the safety assessment, without revealing a shipyard’s intellectual property.

The proposed SSAM is designed for time-based safety assessments. Because a single instance of damage to a subsystem (or equipment) in a ship sometimes does not cause immediate mission failure, the time between failures is important for both the ship designers and crew. By collaborating and producing a database of safety assessment results, the SSAM can support the emergency control activity of the ship’s crew while onboard.

The SSAM can also be integrated with a PLM (or PDM) system. By using the attribute data, a ship product model can be used with the SSAM in the design phase. This type of integrated work environment can help shipyards, equipment makers, classification societies and ship owners in terms of safety, productivity and cost. With additional studies, we hope that this study will be helpful in designing safer ships using existing developed methodologies, processes and tools.

Acknowledgments

This research was supported by the Inherent Research Project of MOERI/KIOST, PES150A. Part of this paper was introduced in the proceedings of IMDC 2012 in June 2012, Glasgow, UK.

References

Breinholt, C., Ehrke, K., Pavaut, C., Sames, C., Skjong, P., Strang, R., Vassalos, D., T., 2009. SAFEDOR—the implementation of risk-based ship design. Trondheim, 697–704.
DNV, 2005. Schematic Principles for Steering Gear Hydraulics. DNV, Hovik.
Gajski, D.D., 1997. Principles of Digital Design. Prentice Hall, New Jersey.
Guedes, C.S., Teixeira, A.P., 2001. Risk assessment in maritime transportation. Reliab. Eng. Syst. Saf. 74 (3), 299–309.
Hanrahan, R.P., 1995. The IDEF Process Methodology. Software Technology Support Center, Tisea, Ogden.
Hammer, J., 2005. Safety Analysis of an Approach Spacing for Instrument Approaches (ASIA) Application Using ADS-B, MITRE, Washington DC.
Hegge, H.M.H., 1992. A generic bill-of-material processor using indirect identification of products. Prod. Plann. Control 3 (3), 336–342.
IMO, 2004. SOLAS (Safety of Life at Sea). The Bath Press, London.
IMO, 2007. IMO MSC/Circ.1023–MEPC/Circ.392 Guidelines for Formal Safety Assessment (FSA) for Use in the IMO Rule-Making Process. London.
IMO, 2008. MSC 85/17/2 FSA-RoPax Ship. IMO, London.
IMO Maritime Safety Committee, 2007. Formal Safety Assessment: Consolidated Text of the Guidelines for Formal Safety Assessment (FSA) for Use in the IMO rule-Making Process (MSC/Circ.1023-MEPC/Circ.392). IMO, London.
ISO/IEC 1999, 1999. ISO/IEC Guide 51. Safety Aspects-Guidelines for their inclusion in standards.
Izadi-Zamanabadi, R., Blanke, M., 1999. A ship propulsion system as a benchmark for fault-tolerant control. Control Eng. Pract. 7, 227–239.
Jasionowski, A., Vasslos, D., 2006. Conceptualising Risk. Proceedings of the 9th International Conference on Stability of Ships and Ocean Vehicles. Rio de Janeiro, September.
Kang, H.J., Shin, J.G., Lee, J.G., 2011. A study on business model based damage control support system design. Syst. Eng, 1–14 (Wiley Online Library).
Konovessis, D., Vassalos, D., 2008. Risk evaluation for RoPax vessels. Proc. Inst. Mech. Eng. M J. Eng. Marit. Environ. 222 (1), 13–26.
Kropsu-Vehkapera, H., Haapasalo, H., Harkonen, J., Silvola, R., 2009. Product data management practices in high tech companies. Ind. Manage. Data Syst. 109 (6), 758–774.
KaijiKyokai, Nippon, 2009. Risk Assessment Guidelines. Nippon KaijiKyokai, Tokyo.
Papanikolaou, A.D. (Ed.), 2009. Tools and Applications. Springer-Verlag, Heidelberg, ISBN: 978-3-540-89041-6.
Pedersen, P.T., 2010. Review and application of ship collision and grounding analysis procedures. Mar. Struct. 23 (3), 241–262.
Rando, T., Briggs, T., 2006. Re-Use of Ship Production Model Data for Life-Cycle Support: Final Report. NSRP, Charleston.
SAPAG, 2001. Product Lifecycle Management (PLM). SA PAG, Walldorf.
Vanem, E., Ellis, J., 2010. Evaluating the cost-effectiveness of a monitoring system for improved evacuation from passenger ships. Saf. Sci. 48 (6), 788–802.
Verhagena, W.J.C., Bermell-Garciab, P., Dijkc, R.E.C., Currana, R., 2012. Product lifecycle cost, design knowledge and freedom related to design process. Adv. Eng. Inf. 26 (1), 5–15.
Vesely, W.E., Goldberg, F.F., Roberts, N.H., Haasl, D.F., 1981. Fault Tree Handbook. U.S. Nuclear Regulatory Commission, Rockville.
Wang, J., 2002. Offshore safety case approach and formal safety assessment of ships. J. Saf. Res. 33 (1), 81–115.