A systematic hazard analysis and management process for the concept design phase of an autonomous vessel.

Similar documents
HAZARD ANALYSIS PROCESS FOR AUTONOMOUS VESSELS. AUTHORS: Osiris A. Valdez Banda Aalto University, Department of Applied Mechanics (Marine Technology)

Safety Critical Systems

Systems Theoretic Process Analysis (STPA)

Understanding safety life cycles

SIL explained. Understanding the use of valve actuators in SIL rated safety instrumented systems ACTUATION

Solenoid Valves used in Safety Instrumented Systems

Reliability of Safety-Critical Systems Chapter 4. Testing and Maintenance

Basic STPA Exercises. Dr. John Thomas

Safety-critical systems: Basic definitions

Basic STPA Tutorial. John Thomas

Every things under control High-Integrity Pressure Protection System (HIPPS)

Aeronautical studies and Safety Assessment

Systems Theoretic Process Analysis (STPA)

STPA Systems Theoretic Process Analysis John Thomas and Nancy Leveson. All rights reserved.

Safety assessments for Aerodromes (Chapter 3 of the PANS-Aerodromes, 1 st ed)

Analysis of Ship Accidents in Turkey from 2005 to 2015

Probability Risk Assessment Methodology Usage on Space Robotics for Free Flyer Capture

Reliability of Safety-Critical Systems Chapter 10. Common-Cause Failures - part 1

A study on the relation between safety analysis process and system engineering process of train control system

CASE STUDY. Compressed Air Control System. Industry. Application. Background. Challenge. Results. Automotive Assembly

Ultima. X Series Gas Monitor

Reliability of Safety-Critical Systems Chapter 3. Failures and Failure Analysis

Lecture 04 ( ) Hazard Analysis. Systeme hoher Qualität und Sicherheit Universität Bremen WS 2015/2016

World Shipping Council. National Oceanographic and Atmospheric Administration

INNOVATIVE MOORING SYSTEMS

STAMP/STPA Beginner Introduction. Dr. John Thomas System Engineering Research Laboratory Massachusetts Institute of Technology

Section 1: Multiple Choice

Using STPA in the Design of a new Manned Spacecraft

Real-Time & Embedded Systems

THE CANDU 9 DISTRffiUTED CONTROL SYSTEM DESIGN PROCESS

Point level switches for safety systems

Safety Engineering - Hazard Identification Techniques - M. Jahoda

SUMMARY OF SAFETY INVESTIGATION REPORT

Safety Manual VEGAVIB series 60

Sharing practice: OEM prescribed maintenance. Peter Kohler / Andy Webb

Session One: A Practical Approach to Managing Safety Critical Equipment and Systems in Process Plants

DATA ITEM DESCRIPTION Title: Failure Modes, Effects, and Criticality Analysis Report

Safety Analysis Methodology in Marine Salvage System Design

Article. By: Capt. Himadri Lahiry; Prof. Reza Ziarati

Vessel Impacts with Floating Piers

Safety Manual VEGAVIB series 60

Tools for safety management Effectiveness of risk mitigation measures. Bernhard KOHL

AUSTRALIA ARGENTINA CANADA EGYPT NORTH SEA U.S. CENTRAL U.S. GULF. SEMS HAZARD ANALYSIS TRAINING September 29, 2011

NCCP Swimming 301 Course Summary

Safety-Critical Systems

LECTURE 3 MAINTENANCE DECISION MAKING STRATEGIES (RELIABILITY CENTERED MAINTENANCE)

Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT

IALA Recommendation O-130. Categorisation and Availability Objectives for Short Range Aids to Navigation. Edition 1. December 2004

DIGITAL SOLUTIONS TRAINING CATALOGUE. QRA and CFD simulation. Phast, Safeti and KFX SAFER, SMARTER, GREENER

DeZURIK Double Block & Bleed (DBB) Knife Gate Valve Safety Manual

DeZURIK. KSV Knife Gate Valve. Safety Manual

C. Mokkapati 1 A PRACTICAL RISK AND SAFETY ASSESSMENT METHODOLOGY FOR SAFETY- CRITICAL SYSTEMS

AK-APC-NTV Operating Procedures for Cargo and Passenger Non Tank Vessels Transiting and Operating in Alaska Waters December 26, 2015

Workshop Information IAEA Workshop

Hazards Associated with High-Speed Rail (HSR) Operation Adjacent to Conventional Tracks

EL-O-Matic E and P Series Pneumatic Actuator SIL Safety Manual

UCA CORE FYS TASK FORCE

Introduction to Emergency Response & Contingency Planning

FLIGHT TEST RISK ASSESSMENT THREE FLAGS METHOD

Hydraulic and Economic Analysis of Real Time Control

DeZURIK. KGC Cast Knife Gate Valve. Safety Manual

Eliminating Dropped Objects at the Worksite

MARINE SAFETY PLAN

Advanced Test Equipment Rentals ATEC (2832) OMS 600

A quantitative software testing method for hardware and software integrated systems in safety critical applications

Missing no Interaction Using STPA for Identifying Hazardous Interactions of Automated Driving Systems

OFFICIAL MESSAGE CIRCULAR

Section 1: Multiple Choice Explained EXAMPLE

Introducing STAMP in Road Tunnel Safety

Identification of emergent hazards and behaviour Shifting the boundary between unimaginable and imaginable hazards. Hans de Jong and Henk Blom (NLR)

IEM on Severe Accident Management in the light of the accident at the Fukushima Daïchi NPP

DETERMINATION OF SAFETY REQUIREMENTS FOR SAFETY- RELATED PROTECTION AND CONTROL SYSTEMS - IEC 61508

Adaptability and Fault Tolerance

Performing Hazard Analysis on Complex, Software- and Human-Intensive Systems

System Operating Limit Definition and Exceedance Clarification

The Best Use of Lockout/Tagout and Control Reliable Circuits

2600T Series Pressure Transmitters Plugged Impulse Line Detection Diagnostic. Pressure Measurement Engineered solutions for all applications

Operating Committee Strategic Plan

National Robotics Competition 2018 NRC WRO Challenge Manual

Success Paths: A Risk Informed Approach to Oil & Gas Well Control

Engr2110. Week 6 Product Safety/Liability

Guidelines on Surveys for Dynamic Positioning System

Hazard Identification

Risk Management Qualitatively on Railway Signal System

Hazard Identification

WHEN YOU RE OUT THERE, WE RE WITH YOU CENTRE INFORMATION AND COURSE DIRECTORY

High Integrity Pressure Protection Systems HIPPS

Moor, Tend Mooring And Unmoor Ship - Supervisor Level -

IST-203 Online DCS Migration Tool. Product presentation

Valve Communication Solutions. Safety instrumented systems

MAHB. INSPECTION Process Hazard Analysis

CHAPTER 28 DEPENDENT FAILURE ANALYSIS CONTENTS

Understanding the How, Why, and What of a Safety Integrity Level (SIL)

Three Approaches to Safety Engineering. Civil Aviation Nuclear Power Defense

Study Proposal for the Batu Berhenti Light Buoy

USING HAZOP TO IDENTIFY AND MINIMISE HUMAN ERRORS IN OPERATING PROCESS PLANT

Phase B: Parameter Level Design

Using what we have. Sherman Eagles SoftwareCPR.

Impact on People. A minor injury with no permanent health damage

Identification and Screening of Scenarios for LOPA. Ken First Dow Chemical Company Midland, MI

Transcription:

A systematic hazard analysis and management process for the concept design phase of an autonomous vessel. Osiris A. Valdez Banda ᵃᵇ, Sirpa Kannos, Floris Goerlandt ᵃ, Piet er van Gelder ᵇ, Mart in Bergst röm ᵃ and Pent t i Kujala ᵃ ᵃ Aa l t o Universit y, Marine and Arct ic Technology, Espoo, Finland. ᵇTU Delft, Facult y of Technology, Policy and Managem ent, Safet y and Securit y Science Group, Delft, t he Net herlands. c NOVIA Universit y of Applied Science, Turku, Finland. International Seminar on Safety and Security of Autonomous Vessels (ISSAV) 2018 21.03.2018, Delft, Netherlands

Aim of the study This study presents and applies a hazard analysis and management process for the concept design phase of an autonomous vessel. The aim is to create a process capable of executing an initial analysis of safety hazards in the earliest design phase of an autonomous vessel. The analysis produces valuable information to make the systematic and systemic integration of safety controls that need to be included in the safety management strategy of the autonomous vessel.

Background

Context for the process application This process is applied to analyse the safety hazards in the foreseen functioning of two concepts of autonomous ferries aiming operations in urban waterways in and near the city of Turku in Finland. The first concept (ferry A) has a mission to transport passengers from one side to the Aura River in the city of Turku to the other Route ferry A Route ferry B

Context for the process application The second concept (ferry B) has the mission to transport passengers from a location in Turku downtown by the Aura river to a new pier to be located in the Ruissalo Island. Route ferry A Route ferry B The process uses information produced in previous maritime risk analysis and the analysis of the new operational context of these autonomous vessels (expert consultation).

Methodology

Methodology foundations The proposed process is based on a safety engineering approach linked to the System- Theoretic Process Analysis (STPA) included within the Systems-Theoretic Accident Modelling and Processes (STAMP). STAMP is a relative new approach to depict and review the function of safety from a systemic perspective. STPA is a hazard analysis technique that identifies accident scenarios that encompass the entire accident process.

Methodology foundations The foundations of STAMP and STPA enable the development of an analysis process that can be used in the earliest design phase, providing initial information to guide the subsequent design stages. The process includes the analysis of design errors, component interactions, and other social, organizational, and management factors. The aim is to support the subsequent design stages with the provision of valuable information to improve efficiency and safety. 22.3.2018 8

Process

Definition of accidents and identification of hazards: step one Accident represents an undesired and unplanned event that results in a loss and affectations, including the loss of human life or injury, property damage, equipment damage or environmental pollution, delays in the system operations and repair costs. The identification of those hazards which can lead to the defined accidents. The aim is to detect a certain system state or set of conditions, which in a particular set of worst-case conditions in the operational context, lead to the defined accidents. 22.3.2018 10

Detailed hazard description and definition of mitigation actions: step two The description and effects of the hazards The identification of potential causal factors of the hazard The initial definition of mitigation actions, following four categories: Mitigation action that attempts to reduce the damage if the accident occurs Mitigation action that attempts to reduce the likelihood that the hazard results in an accident Mitigation action that attempts to reduce the likelihood that the hazard will occur Mitigation action that attempts to completely eliminate the hazard 22.3.2018 11

Definition of the safety controls: step three Defining safety controls based on the adopted mitigation actions This task demands the review and prioritization of the mitigations actions that will be further developed as the safety controls of the initial safety management strategy. The aim is to assess (together with experts) if the safety controls are objective and relevant to continue their analysis and development into the initial safety management strategy. 22.3.2018 12

Unsafe control actions (UCAs) and redefinition of safety controls: step four The objective is to analyse each hazard and its defined safety controls with the STPA: One: for each defined safety control, identify unsafe control actions (UCAs) that could lead to a hazardous state in the system Two: Define why and how UCAs could occur Examine the elements included in the functioning of the safety control Consider how the safety control could degrade over the time 22.3.2018 13

Representation of the initial safety management strategy: step five Step five focuses on developing a systematic representation of the main components emerged in the analysis: the safety controls, their logic principle, and the link to the accidents that these aim to prevent or respond to. This step provides a detailed representation of the initial safety management strategy of the autonomous vessel. 22.3.2018 14

Results

Accidents and hazards: step one 10 accidents covered 15 Hazards identified and analysed Clear interconnection among accidents and hazards Combinatorial analysis of current accidents and expected accidents for autonomous vessels Accident Hazards 1. Allision with a pier H1. Object detection sensor error H2. Al software failure H3. Technical fault (e.g. mechanical failure) H4. Heavy weather/sea conditions H5. Strong currents H6. Position reference equipmentfailure 2. Collisionwith a moving object 2.1 Collisionwith another vessel H1. Object detection sensor error H2. Al software failure H3. Technical fault (e.g. mechanical fault) 2.2 Collision with a small moving target (e.g. canoe, SUP-board, etc.) 3. Collision with a fixed object (e.g. buoys, beacons, etc.) H1. Object detection sensor error H2. Al software failure H3. Technical failure (e.g. mechanical failure) H1. Object detection sensor error H2. Al software failure H3. Technical fault (e.g. mechanical failure) H4. Heavy weather/sea conditions H5. Strong currents H6. Position reference equipmentfailure 4. Grounding H2. AI software failure H3. Technical failure (e.g. mechanical failure) H6. Position reference equipmentfailure H4. Heavy weather/sea conditions H5. Strong currents 5. Bottom touch H2. AI software failure H3. Technical failure (e.g. mechanical failure) H6. Position reference equipmentfailure H4. Heavy weather/sea conditions H5. Strong currents 6. Capsizing/ Sinking H7. Overloading of the vessel H8. Shifting of weights H9. Flooding 7. Fire on board H10. Ignition of electrical equipmentor wiring H11. Passenger starting a fire 8. Man over board H12. Unintended falling overboard H13. Intended jumpingoverboard 9. Medical emergency on board H14. Person(s) getting injured H15. Person(s) medical condition 10. Medical emergency on pier H14. Person(s) getting injured H15. Person(s) medical condition 22.3.2018 16

Detailed hazard description: step two Hazard H1. Object detection sensor error Hazard effect/ In case of object detection sensor error, the information about objects around the vessel is not reliable and thus the vessel description may not be able to navigate safely and avoid collisions with moving objects according to the rules of the road or collisions with fixed objects. This hazard may What not affect exactly? the ship operation How significantly severe? in mostpotential cases, but in a more consequences? severe scenario, the hazard can have a negative impact on people, property, and environment. It can result in injuries, the loss of human life, severe damage or loss of property (own and others property) and environmental effects such as oil spills or other damage of a sensitive area. Causal factors Loss of power- Equipment malfunction- Dirt- Icing- Overheating- Equipment interference- Inappropriate maintenance- Incorrect sensor set and/or positioning of the Potential sensors- Targets causes? impossible to detect- Corrupted readings- Complete equipment failure Mitigation actions - Sensor system redundancy and diversity - UPS (Uninterrupted Power Source) - Appropriate heating, cooling and cleaning systems *Mitigation approach What can we do? How to mitigate/control it? - Thorough commissioning of equipment set - Appropriate and continuous maintenance program - Continuing system diagnosis and proof testing - Autonomous Integrity monitoring Level 4 3 2 1 Cost/Difficulty High Low Medium Medium Low Low Low Detailed description Attempt to completely eliminate the hazard Attempt to reduce the likelihood that the hazard will occur Attempt to reduce the likelihood that the hazard results in an accident Attempt to reduce the damage if the accident occurs Approach (1-4) * 4 3 3 4/3 3 3 2 22.3.2018 17

Safety controls: step three Mitigation Code approach* H1. Object detection sensor error Safety controls 4 SC 1 Sensor system redundancy and diversity 3 SC 1 SC 2 SC 3 SC 4 SC 5 UPS (Uninterrupted Power Source) Appropriate heating, cooling, and cleaning systems Thorough commissioning of equipment set Appropriate and continuous on board maintenance program Continuing system diagnosis and proof testing 2 SC 1 Autonomous Integrity monitoring *Mitigation approach Level 4 3 2 1 Detailed description Attempt to completely eliminate the hazard Attempt to reduce the likelihood that the hazard will occur Attempt to reduce the likelihood that the hazard results in an accident Attempt to reduce the damage if the accident occurs 22.3.2018 18

UCAs and redefinition: step four Safety controls (mitigation approach) SC 1 Sensor system redundancy and diversity Detecting potentially Unsafe Controlled Actions (UCAs) and redefining the safety control UCA 1. Sensor does not function properly and there is no other sensor available Potential causes - Lack of economic resources UCA 2. Equipment chosen to provide the redundancy are not suitable Potential causes - Lack of economic resources - Lack of knowledge of sensors characteristics when planning the equipment set needed UCA 3. Sensor failure is not detected Potential causes - Not enough coverage with the diagnosis UCA 4. External or common cause failures takes several equipment down at the same time Potential causes - Inappropriate system design - Incorrect installation - Incorrect usage - Environmental conditions Non-existent/ enough Wrong type Wrong testing Wrong design or utilization = Redefining of the safety control - If one sensor fails the redundancy ensures there is going to be another sensor functioning - Equipment chosen to provide the redundancy have to be the correct ones in order to provide the user with the required information at all times REDIFINE 22.3.2018 19

Safety management strategy: step five Hazard Safety Control (SC) Control logic principle Risks mitigated 1 1. Object detection sensor error 1. Sensor system redundancy and diversity If one sensor fails the redundancy ensures there is going to be another sensor functioning. The quipment chosen to provide the redundancy has to be the correct in order to provide the user with the required information at all times > Innapropriate functioning and availability of the sensor > Correctness on the selection of redundancy equipment on time detection sensor failure > External failures affecting the functioning of the sensor 1. Object detection sensor error 1. UPS (Uninterrupted Power Source) 2. Appropriate heating, cooling and cleaning systems 3. Thorough commissioning of equipment set 4. Appropriate and continuous on board maintenance programs 5. Continuing system diagnosis and proof testing If there is a disturbance in the vessel power system the UPS can temporarily provide power > There is a disturbance in vessel s power system and the equipment is not backed for the critical equipment. When the UPS setup is planned, installed and maintained up with UPS properly, the user can count on a reliable backup system > The UPS does not work or take too long to switch on > The capacity of the UPS is not sufficient to provide power for the equipment By applying sensors with proper heating and/or cooling systems it can be ensured that they function properly in all operating conditions. Proper automatic cleaning systems can ensure the appropriate function of the sensors outdoors > Equipment is not able to function properly in winter conditions > Equipment is not able to function properly due to the high temperature > Equipment lens is dirty > Condensation inside equipment When the equipment set is thoroughly tested and certified (preferably by an independent > The equipment set has not been properly tested or not tested at all before body) it ensures that the equipment functions properly, is compatible and the operation can operation be run safely. By implementing a maintenance program it can be ensured that all critical systems remain functional at all times. A well planned maintenance program covers all necessary areas on board and it is adjusted separately for each vessel. Maintenance done timely and accordingly to the program by competent personnel ensures the smooth operation of the sensors. Continuing system diagnosis and regular proof testing ensures that the system functions as it should. Test design should be planned carefully and updated after changes in the system in order to cover all the necessary functions and recognize potential problems. Possible effect on the operation should be taken into account in planning > There is no maintenance program > The maintenance program does not cover the necessary elements and the life cycle of the hardware > The maintenance program is not followed or it is wrongly applied > There is not continuing system diagnosis and proof testing > The continuing system diagnosis and proof testing does not cover all necessary functions > The test is not able to recognize problems Safety control strategy Attempt to eliminate the hazard Reduce the likelihood that the hazard will occur Reduce the likelihood that the hazard results in an accident Reduce the damage if the accident occur 1. Autonomous integrity monitoring Well designed and up to date integrity monitoring system ensures that the data has not been damaged or manipulated > There is not integrity monitoring > Integrity monitoring gives wrong information 22.3.2018 20

Safety management strategy: step five Safety Control Accident (SC) 1 2,1 2,2 3 4 5 6 7 8 9 10 1 H1 H1 H1 H1 H1 H1 H1 H1 H1 H1 H1 H1 H1 H1 H10 2 H2 H1 H4 H2 H1 H2 H1 H2 H1 H4 H2 H4 H2 H4 H10 3 H2 H1 H4 H2 H1 H2 H1 H2 H1 H4 H2 H4 H2 H4 H11 4 H3 H1 H4 H3 H1 H3 H1 H3 H1 H4 H3 H4 H3 H4 H12 H12 H12 5 H3 H1 H4 H3 H1 H3 H1 H3 H1 H4 H3 H4 H3 H4 H12 H12 H12 6 H4 H2 H4 H2 H2 H4 H2 H4 H4 H2 H4 H4 H2 H4 H8 H12 7 H4 H2 H4 H2 H2 H4 H2 H4 H4 H2 H4 H4 H2 H4 H9 H12 8 H4 H2 H2 H2 H4 H2 H4 H2 H4 H2 H7 H9 H12 9 H3 H3 H3 H3 H3 H3 H7 H11 H12 10 H3 H3 H3 H3 H3 H3 H7 H11 H14 H14 11 H4 H4 H4 H4 H7 H11 H14 H14 12 H4 H4 H4 H4 H8 H14 H14 13 H6 H6 H6 H6 H8 H14 H14 14 H6 H6 H6 H6 H9 15 H6 H6 H6 H6 H9 16 H6 H6 H6 H6 H8 H10 17 H8 H12 18 H9 H12 19 H9 H14 H14 20 H10 21 H10 22 H10 23 H11 24 H11 25 H12 H12 H12 26 H12 27 H14 H14 Total SC 31 16 16 31 25 25 15 12 10 9 9 SC control strategy: Attempt to eliminate the hazard Reduce the likelihood that the hazard will occur Reduce the likelihood that the hazard results in an accident Reduce the damage if the accident occur 21

Conclusions

Conclusions 10 Accidents and 15 hazards were analyzed The initial safety management strategy includes 73 safety controls Safety control mitigation approach Safety controls defined Attempt to completely eliminate the hazard 20 Attempt to reduce the likelihood that the hazard will 27 occur Attempt to reduce the likelihood that the hazard results 13 in an accident Attempt to reduce the damage if the accident occurs 13

Conclusions The process produces itemized information to guide the initial design of an autonomous ferry and its operational system. The logic principle of the safety controls provides the foundations for developing a safety management strategy in the earliest design phase. The study results support the elaboration of plans, conceptual designs, ship arrangements, and the setting of other crucial elements for designing and building the autonomous vessels.

Limitations The main process limitation is linked to the decision about the level of details that the analysis needs to include. The results are limited the mitigation, prevention, and response to 10 accidents and 15 hazards. A failure example in the analysis: The incorrect interpretation or execution of the international regulations for preventing collisions at sea (COLREGs) was initially listed as one hazard. However, as the hazard is actually composed by different elements and complex interactions, the experts mentioned that COLREGs implementation in autonomous vessels should be analyzed separately.

This study is part of the Smart City Ferries (ÄLYVESI) Project Thank you International Seminar on Safety and Security of Autonomous Vessels (ISSAV) 2018

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback