
Integration of safety studies into a detailed design phase for a navy ship


A. Fulfaro & F. Testa
Fincantieri-Direzione Navi Militari, 16129 Genova, Italy

Abstract
The latest generation of Italian Navy ships has moved a giant step forward in the
approach to the main relevant transwarship activities which have an impact on all
the design phases and at the whole warship level.
Among all the activities developed, the safety topics have been implemented
more and more, shifting from prescriptions essentially based on past experience
to goals based on risk considerations, that were included in the scope of the
contractual specifications. In its supplier role, Fincantieri for the first time has
been challenged with the requirement of demonstrating the vessel safety by
means of risk assessment studies during the developed design phases. The
studies followed a twofold stream of activities, that is, analysis of the ship’s
systems (including Platform and Combat System) and analysis of the health and
safety of the persons onboard.
The safety analysis was essentially based on the study of some contractual
hazards already selected by the Client. By means of the typical risk assessment
tools (such as Fault Tree Analysis), informed as far as possible by Navy
operating experience, a level of probability and severity was associated with
each hazard, a risk matrix was constructed and the results were checked against
the Navy acceptance criteria.
The process has been completed with the integration of the main safety
requirements into the design.
The aim of the present paper is to give an overview of the process.
Keywords: transwarship, safety cases, design measures, requirements, hazard,
risk analysis, fire propagation, preliminary, final, navy, military ship.

Risk Analysis IV, C. A. Brebbia (Editor)


© 2004 WIT Press, www.witpress.com, ISBN 1-85312-736-1

1 Introduction
This section provides an overview of the general methodology used for
implementing a safety approach in the design of the latest generation of
multi-national Navy ships (frigates), according to consolidated standards.
The main aim is to point out the increased impact of the safety studies on the
different ship design phases as well as on the whole ship, considering it in the
more global vision of the new transwarship activities.

2 Background
The modern military transwarship activities have emerged over the last ten
years with the principal aim of increasing the level of survivability of a ship.
Different fields of application have gained greater relevance, mainly to
provide a better evaluation of the susceptibility, vulnerability and recoverability
of a ship (see also fig. 1: Survivability approach for advanced ship design).
[Figure 1 is a tree diagram: SURVIVABILITY branches into Susceptibility
(inability to avoid weapon effect), Vulnerability (inability to withstand
weapon effect) and Recoverability (capacity to re-operate after sustained
damage), together with a box labelled Safety and Damage Control.]

Figure 1: Survivability approach for advanced ship design.

One of the major characteristics developed in the survivability studies is the
increased attention to all the critical aspects for the safety of a ship and of
the persons on board during a normal mission.
The principal aim is to reach an adequate availability for the main
systems/equipment on board by optimizing the time-stressed procedures, the level
of training and the criteria to reduce and control a risk, also with design
modifications.
The safety activity is generally subdivided into the following two tasks:
• Selection and analysis of the Laws and Regulations relevant for the safety of
the ship and of the persons
• Safety studies related to the main hazardous events on board (risk analysis to
evaluate the probability and severity of a hazardous event and to define the
risk classification).
The latter point is the subject of the present paper, which shows how a
consolidated and customary methodology is being integrated into the different
design phases.
The five steps of the applied methodology are: hazard identification, risk
assessment, risk control options, cost benefit assessment and decision making
recommendations.
A short overview of each step is also provided.

[Figure 2 is a flowchart. Recoverable box labels: Safety process definition;
Hazard identification; Laws and rules applicable; Preliminary safety studies;
List of major risks; Covered by L&R (yes/no); Development and production;
Detailed safety requirements; Hazard or zonal analysis; Definition of safety
requirements and Q&A parameters; Mitigation measures; Industry safety reviews
(check if there is a gap between safety requirements and design); Compliance?
(no/yes); Residual risks analysis; Warship safety certification; Residual risk
report; Final safety report; Customer acceptance safety review.]

Figure 2: Safety process.

3 General methodology for Warship risk analysis


The primary effort is to identify the potential univocal causes of accidents for the
ship or the systems on board that are not otherwise addressed in the safety
standards. As a consequence of this process, additional risk control options or
safety requirements are determined and evaluated to minimise the risks of
damage and injury.
If the risk cannot be fully eliminated due to design constraints, a sort of risk
register is proposed to the customer for acceptance.
A short overview of the general process is provided hereafter.

3.1 Hazard identification (HI)

The first step of the work is a hazard identification adapted to the type of ship
considered and to its own operative profile.
An indicative list of hazards is proposed here:
• Loss of a propulsion line during Replenishment at Sea (RAS) operations in
rough sea
• Fire out of control due to:
  - Human factor (negligence or maintenance activity)
  - Electrical hazard (short circuit)
  - Fire fighting failure (mechanical or human non action)
• Smoke propagation due to:
  - Fire not immediately under control
  - Bad disposition of ventilation (operating configuration) with a fire hazard
    in other adjacent rooms
• Loss of integrity of pressure pipes or carrying hazardous substances due to:
  - Leak on a coupling or on a clamp
  - Vaporisation in case of pressured circuit
  - Leak of gas on bringing to air piping or during black water tank opening
  - Closing of air intakes or of ventilation holes
  - Maintenance without individual protection (breathable air)
• Risk of intoxication due to:
  - Polluted water supplied in a harbour
  - Maintenance defect (failure in periodic quality controls)
  - Polluted water produced by ship osmoses
  - Lack of hygiene in food catering or during preparing phases
    (bacteriological contamination)
• Collision due to total loss of propulsion or fire in propulsion room.

3.2 Preliminary hazard analysis

The Preliminary hazard analysis (PHA) is a task of the Safety Studies started
during the Preliminary Phase of the design.
The objective of this task is to define a first assessment for the safety
requirements with a preliminary evaluation of the main hazards selected from the
Hazard Identification for both Platform and Combat System and a first evaluation
of the consequences.
The first step of this analysis is a preliminary hazard identification with no
assessment of the perceived risk, which would determine the acceptability of a
hazard as a product of the severity and probability of occurrence.
This full analysis will be assessed only in the design phase, due to insufficient
information available to provide acceptable levels of safety in the feasibility
phase; therefore, until an analysis of the hazard is undertaken, the judgement of
the significant safety issues that can have an impact on the outline design
remains, to some degree, subjective.
The cornerstones of the PHA will be:

• Previous incidents, where known
• Perceived hazards, event sequence and potential consequences
• Engineered safeguards and operational procedures

During the course of the safety assessment, generic hazards will be identified
(Hazard Identification) in relation to the whole warship and its operational
profile, together with more specific hazards for each of the key areas
summarised here:

KEY AREAS
General Arrangement and Overall Ship aspects
Magazine and Weapons ditching
Lifesaving, Escape route, Seamanship and Replenishment at Sea operation
Firefighting
Platform Management System
Electrical generation and distribution
Helo and Combat System interface

The Preliminary hazard identification report provides an initial baseline
document for each nation to develop the safety substantiation and justification
during the next design phase as the detailed design develops.
Dedicated recommendations will be foreseen for the overall ship issues and
more specific systems or operational areas.
Guidelines on the way ahead will complete the work, using dedicated tables as
follows to summarize the results:

Table 1: Preliminary hazards analysis.

Hazard type | Key area | Description | Zone/system/equipment | Prel. Recommendation/Mitigation | Number of event sequence

In the first table, once the hazard type linked with a pre-selected key area has
been assessed, more detailed information is expected regarding the relevant
design area and the systems/equipment which will be subjected to the complete
full analysis in the design phases.


Table 2: Consequence.

Number of event sequence Consequences Safeguard


description

The preliminary recommendations and mitigation measures give a guideline
for the technical experts recollecting all the safety issues.
All the event sequences identified will be completed with a
severity/probability risk analysis when the data are available in the following
phases of the project and collected in the full risk analysis.

3.3 Full risk analysis

The study was conducted through typical risk assessment techniques, which had to
be adjusted to the frigate context.
For all the hazards, the applied policy required the analysis to cover the
operational scenarios corresponding to peacetime operation and combat situation
with no damage, and the risks to be compliant with the Safety Principles and the
Risk Classification Scheme, described below.
The Safety Principles to be met were generally:
• the compliance with the relevant safety legislation of the Nations
involved;
• the application of the “As Low As Reasonably Practicable” principle, if
necessary;
• the use of international safety standards;
• the implementation of a Safety Management System.
The result was in form of tables including a description of the hazard, the
conditions that may cause it to generate a mishap, and the consequences that
result when a mishap occurs.
For the classification of the accidents in severity categories and in probability
categories, the following methods should be used, as far as possible:
- use of Navies statistics / lessons learnt,
- agreed qualitative assessments by experts (from the Nations and from
industry),
- results of dedicated studies, if necessary (e.g. in relation to specific
requirements from other industrial entities whose products are to be integrated
on board) and/or as far as major risks are concerned.
However, on Navy ships the probabilistic quantification was found not to be
always viable, due to the novelty of the approach and the lack of publicly
available information on equipment failures, incidents, casualties etc.
Therefore, priority was given to the possible consequences in order to classify
the risks.

3.4 Main process and results

After the assessment, each hazard was verified against its acceptability criteria.
The ALARP approach implies that, if the resulting occurrence probability of
the hazard under investigation (calculated in the analysis) does not meet the
defined requirements, an action to reduce the risk is needed. This will be
evaluated by applying the “As Low As Reasonably Practicable” (ALARP)
principle. This calls for weighing the efficacy that any particular measure will
have in reducing the calculated risk against the costs in money, time and
resources required to avert it and other consequences of introducing the measure.
The aim is to reduce every possible risk so that it falls in the acceptable region.
The risk can be considered tolerable only if the reduction is impracticable, or if
its cost is disproportionate to the gained improvement.
The output study was generally organized in tables (see table 3 for example),
drafted for each of the selected hazards.

Table 3: Example of output risk analysis.

Subsystem concerned | Initiating event | Immediate consequence | Aggravating factors | Worst final consequence | Crew Risk Level | Ship Risk Level | Design measures/remarks

Upon approval of the Risk classification, the Safety Experts produced all the
final Safety recommendations in order to give to technical experts a list of risk
control measures to be integrated into the design or the operating practice.

3.5 Risk control measures

After implementing the risk control measures, the risks associated with each
hazard are expected to fall within the acceptability area. If this cannot be
proven (as is often the case, because of the paucity of data for the analyses
and the difficulty of constructing a proper risk model), or if no further risk
control measure is feasible, the Client may consent to a derogation, according
to its judgement.
In particular, for risks for which no viable reducing measure could be
proposed, the industries were asked to produce a ‘risk register’ which will be
analysed by the Client for a final decision.
In any case and when necessary, reduction measures are identified during the
process. However, it could be necessary to achieve a trade-off between solutions
to analyse the expected effectiveness of each alternative. Mishap risk mitigation
is an iterative process that culminates when a residual risk has been reduced to a
level acceptable to the appropriate authority.
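
The acceptance logic of sections 3.4 and 3.5, as an added Python example that is not part of the original paper. The severity and probability scales, the matrix thresholds, the measure names and all ratings are constructed assumptions, since the paper publishes none of them.

```python
from dataclasses import dataclass, field

# Constructed scales and thresholds: the paper does not publish the Navy's matrix.
SEVERITY = ["negligible", "marginal", "critical", "catastrophic"]
PROBABILITY = ["improbable", "remote", "occasional", "frequent"]

def classify(severity, probability):
    """Place a hazard in a region of the assumed risk matrix."""
    s = SEVERITY.index(severity)
    # Assumption: no usable failure data (None) -> worst probability category.
    p = len(PROBABILITY) - 1 if probability is None else PROBABILITY.index(probability)
    if s + p >= 5:
        return "unacceptable"
    return "alarp" if s + p >= 3 else "acceptable"

@dataclass
class Measure:
    name: str
    severity: str        # severity once the measure is in place
    probability: object  # category once in place, or None if unknown
    practicable: bool    # False: impracticable or cost disproportionate

@dataclass
class Hazard:
    name: str
    severity: str
    probability: object
    measures: list = field(default_factory=list)

def review(h):
    """Apply practicable measures in order; return (decision, applied)."""
    sev, prob, applied = h.severity, h.probability, []
    for m in h.measures:
        if m.practicable and classify(sev, prob) != "acceptable":
            sev, prob = m.severity, m.probability
            applied.append(m.name)
    region = classify(sev, prob)
    if region == "acceptable":
        return "acceptable", applied
    # Residual risk with nothing practicable left goes to the Client.
    return ("tolerable (ALARP)" if region == "alarp" else "derogation requested"), applied

def risk_register(hazards):
    """Hazards whose residual risk needs a Client decision."""
    return [(h.name, review(h)[0]) for h in hazards if review(h)[0] != "acceptable"]

# Constructed sample: hazard names from section 3.1, ratings invented here.
HAZARDS = [
    Hazard("Loss of a propulsion line during RAS", "critical", "remote",
           [Measure("improved failure tolerance", "critical", "improbable", True)]),
    Hazard("Fire out of control", "catastrophic", None,
           [Measure("protective devices", "marginal", None, True),
            Measure("zone redesign", "negligible", None, False)]),
    Hazard("Collision due to total loss of propulsion", "catastrophic", "occasional"),
]
```

With an unknown probability the hazard can never leave the ALARP region under these thresholds, which mirrors the paper's remark that acceptability often cannot be proven for lack of data.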
Two major reduction axes are available:
• Reduction (elimination) of the hazardous condition occurrence (i.e.
improvement of the failure tolerance whenever possible),
• Implementation of protective devices to reduce (eliminate) associated
consequences.
Among the Safety solutions usually proposed as mitigation measures, one or
more of the following could be selected: design hazards out, incorporate safety
devices, provide warning devices, develop procedures and training.
In order to complete the process, in some cases a verification of the
mitigation measure through appropriate analysis, testing or inspection may be
required to confirm the acceptability of the residual risk (see also Fig. 3).

Figure 3: Check list-example to assess the safety requirements into the
Design from Horizon Project.

3.6 Detailed relevant impact on design: safety cases

The safety cases will be dealt with starting from the safety-critical areas of
equipment/systems, identified by the safety management process that includes
the Laws and Regulations activity and the Safety studies. Once the risk
mitigation measures have been identified, they will be included in the system
specification, or in the purchase specification if they are related to isolated
pieces of equipment. Risk mitigation measures may also consist of mere
additional procedures to be implemented by the crew. In the following table the
Safety integration process into design is summarised.


[Figure 4 is a diagram titled "Safety Integration Process". Recoverable labels:
Compliance with National Health and Safety Laws & Regulations; Identification
and treatment of potential risks; Study of different hazards; Safety
implementation actions at equipment/system/WW level; Safety Case A, B, C ...
X, Y, Z; Safety Cases (for each equipment, system and at WW level) = Acceptance
evidence (demonstration that the Frigate and its equipment/systems are
acceptably safe) + Tools for the mngmt of Safety through its in-service life
(in particular how to manage the residual risks); Legislation report; Safety
studies report; Safety Report (Preliminary & First issue).]

Figure 4: Safety cases.

4 Conclusions
The proposed paper is a short overview of the safety methodological approach
developed for the different design phases of a military ship.
The new generation frigates are going to integrate the results of all the
transwarship activities; however, many fields of application should be
examined in more detail and related to the level of safety on board, for example
the fire propagation or the magazine detonation risk, due to the non-secondary
effects of these basic events on the global survivability of the ship.
