Comparison of Modelling Methodologies for the

Formal Safety Assessment in Shipping

Transportation
Monica Konstantinidou
Department of Mathematics, University of the Aegean,
Samos, GREECE

Evangelos Mennis, Nikitas Nikitakos,

Department of Shipping Trading and Transportation, University of the Aegean,
Chios, GREECE

Agapios Platis
Department of Information and Communication Systems Engineering, University of
the Aegean,
Samos, GREECE

1 Introduction
In the last decades, in maritime transportation, there have been a number of very
serious accidents caused by different nature contributing factors. The consequences
of these accidents were mass casualties in terms of human lives or human injuries,
and in terms of environmental degradation, contributing to spoilage in local regional
economies. A specific process known as Formal Safety Assessment (FSA) has been
developed and applied to the International Marine Time Transportation (IMO) rule
making process, in order to help the evaluation of new regulations or to compare
proposed changes with existing standards.
The Formal Safety Assessment consists of five steps:

1. Identification of hazards.
2. Assessment of risks.
3. Risk control option.
4. Cost benefit assessment.
5. Recommendations for decision-making.

The application of the FSA facilitates a transparent decision making process and
provides a proactive mean enabling to avoid serious accidents by highlighting
potential hazards.
In this paper, we propose to improve the modelling techniques used for the FSA
by studying more elaborate ones, adapted for maritime safety, from statical models
such as event trees to dynamic models such as the Markov models. Furthermore,
Markov Reward Models can be used in order to evaluate different risk control
options and the cost benefit assessment whereas Non-Homogeneous Markov Models
can be utilized when the transition rates, based on the occurrence probability of
determined events, are varying and depend on external environmental parameters
such as weather.

2 Major Modeling Techniques used in Dependability

2.1 FMECA

A FMEA-the first step of system reliability study, becomes a failure mode, effects,
and criticality analysis (FMECA) if criticalities or priorities are assigned to the
failure mode effects. A FMECA provides a basis for recognizing component failure
modes identified in component and system prototype tests, and failure modes
developed from historical “lessons learned” in design requirements. It is used to
assess the safety of system components, and to identify design modifications and
corrective actions needed to mitigate the effects of a failure on the system. Also it is
used in planning system maintenance activities, subsystem design, and as a
framework for system failure detection and isolation. A FMECA can be done at any
level of design from the overall system level to the lowest component or piecepart
level depending on the information available and the needs of the program. The
lower the level of the counterfoil at which the analysis is done, the more detail
required in the analysis and the more failure modes that must be considered [2].
FMECA is one of the various approaches used for the whole process of hazards
identification which is the first step in FSA [11].

2.1 Fault Trees and Event Trees

Fault trees are amongst the most useful models for the description of system failure.
They make possible the reliability analysis of large and complex systems by means
of analytical or statistical methods. It has become a most useful method, and, with
supporting computer software, an extremely effective tool. A fault tree is a model
which graphically and logically represents how the various combinations of basic
events, both failures and normal operations of components, lead to the top-event
(failure of the system-the root of the tree). A fault tree is a finite directed graph
without directed circuits. There is only one top-event in the tree. A fault tree
describes the dynamic change of system states when components fail. The undesired
event (top-event), the probability of which is to be evaluated, represents system
failure [9].
The advantages are that they can help the analyst to see failure combinations that
would otherwise have gone unnoticed, provide a graphic aid to system managers.
They also highlight the important aspects of the system (according to the particular
top event) and precipitate either qualitative or quantitative analysis. Also, fault trees
allow the analyst to concentrate on one failure mode at time and give him/her a good
insight into system behavior.
On the other hand fault trees can be tedious and expensive to construct for
complex systems (but not necessarily more so than other techniques of organizing
the same knowledge), chosen to represent situations so complicated that oversights
and omissions are all too easy [6]. Also a major disadvantage of fault tree analysis is
the inability of standard fault tree models to capture sequence dependencies in the
system and still allow an analytic solution. Fault tree is broadly used in FSA as an
efficient tool in risk engineering used to analyze the frequency of system failure
either qualitative by the logical, structured hierarchy of failure events or quantitative
by the estimation of occurrence rate of top-event [8].
Event trees were constructed by considering a sequence of events to express the
escalation of an accident [8].

2.3 Markov Models

The state-space method is a useful method for system reliability evaluation. A

system is described by its states and by possible transitions between these states. The
system states and the possible transitions are illustrated by a state-space diagram,
which is also known as a Markov diagram. The various system states are defined by
the states of the components comprising the system. By the state-space method the
components are not restricted to having only two possible states. The components
may have a number of different states such as functioning, derated, in standby,
completely failed, and under maintenance. The various failure modes may also be
defined as states. The transitions between the states are caused by various
mechanisms and activities such as failures, repairs, replacements, and switching
operations. The state-space method is that not restricted to only two possible states
of the components. The method can be used to model rather complicated repair and
switching strategies. Common cause failures may also be modeled by the state-space
method. The number of system states, however, increases rapidly with the size and
complexity of the system. The state-space method therefore is suitable only for
relatively small systems [7]. Markov process theory is one of the most fruitful
branches of stochastic science. It is possible to compute the dynamics sequentially in
terms of the current state, the state transition rule (differential equation), and the
time increment in appropriate units. The theory of Markov processes is a high-level
mathematical discipline [5].
The use of the Markov techniques within the scope of FSA is intent to have
realistic, detailed probabilistic models available for further carrying out of
sensitivity study owing to these techniques:

• the repairs of components can be taken into account,

• the reliability and availability computations can be carried out,
• the normal/standby operating sequences and, more generally, all the changes in
the configuration of the system under study can be considered,
• multi-step system operating sequences (the system mission and/or configuration
vary with each step) can be taken into account.

In addition, the sequential computation of a graph allows the visualization of the

progress of alternate failures and repairs as time passes, leading to system failure,
and the computation of the probability of measures being taken before the complete
loss of the system. On the other hand, using Markov techniques is made uneasy due
to the complexity of the graphs to be processed in case of complex systems. The
techniques applied for state aggregation which aims to minimize the number of
states or sequential computations in order not to build the complete graph, general
permit the problem to be reduced to a reasonable size. The association of costs with
each state allows the access to performability modeling.

3 Formal safety assessment and proposed improvements

Formal safety assessment (FSA) is a formal, structured and systematic methodology,
aimed at enhancing maritime safety, including protection of life, property and
marine environment, by using risk and cost-benefit assessments. FSA based on risk
analysis is a new, advanced way of identifying and evaluating hazards associated
with shipping activities and of devising cost-effective risk control measures.
The modern risk assessment techniques have been applied to the nuclear and
offshore industry successfully, but the first proposal to apply the modern risk
assessment techniques to shipping industry was recommended by the UK
commitment in 1993 to the Maritime Safety Committee of the IMO. In doing so a
lot of concerns were focused on the proactive philosophy of FSA which is expected
to provide a means of enabling potential hazards to be considered before a serious
accident occurs. As the present system of regulation for the shipping industry is
generally recognized as being prescriptive in nature, the adoption of FSA for
shipping represents a fundamental cultural change, from an essentially reactive and
largely segmental approach to one which is integrated, proactive, and soundly based
upon the risk evaluation [8]. Thus the process of FSA would be useful for the IMO’s
future regulation review activities if it is applied to the rule-making process.
A ship is likely to be found at one of these three states (fig.1). It may be available,
that means that it is fully operational without malfunctions, under maintenance
which it accepts the scheduled maintenance in order to eliminate the possibility of
going down or to fail unexpectedly during the operational period.
In this case we examine two ships but this model can be more generic increasing
their number. Each ship may be available, under maintenance or with accident. The
time of restoring an unexpected failure varies, thus there is the possibility of
repairing a ship with accident faster than finishing the service. Therefore a transition
exists between the state of having a ship under maintenance and one ship with
accident and the state of having one ship available and one ship under maintenance.
There is also the possibility of having one ship under maintenance or with accident,
while the other is available, or two ships available after maintaining or repairing one
of them.
 •2 sh ip sw ith
accid en t

•1 sh ip
av ailab le
•1 sh ip with
accid en t

•1 sh ip
u nd er main ten an ce
•2 sh ip s •1 sh ip w ith
av ailab le accid en t

•1 sh ip
av ailab le
•1 sh ip u nd er
main ten an ce

•2 sh ip s
u nd er main ten an ce

Figure 1 Markov modelling for ships dependability

For each state, it is possible to associate an operational cost per unit of time:
Coper, a scheduled maintenance cost per unit of time: Cmain, the cost of an accident
per unit of time Cacc1 (which only includes the cost of the unscheduled stop of the
ship). For each couple of states, it is possible to define transitions costs, from a
maintenance state to an operational state or from an accident state to an operational
state, the repair cost per transition: Crepa. From an operational state to an accident
state, the accident cost per transition Cacc2 (which is the total cost of the consequence
of the accident).

Hazard rates Costs

Failure Repair Sojourn Cost per unit of time Transition Cost
rates rates
Option λ(A) µ(A) Coper(A) Cmain(A) Cacc1(A) Crepa(A) Cacc2(A)
A
Option λ(Β) µ(Β) Coper(B) Cmain(B) Cacc1(B) Crepa(B) Cacc2(B)
B

Table 1. Costs and hazard rates for each possible option

For each option, it is possible to compute the Total Cumulative Cost on an interval
of time, cf. [10]:

TCC (option ) = ∑ ∑ π(i, option ) p(i, j, option )C

k∈[ 0 , N −1] ( i , j )∈E
k (i, j , option )
where π(i,option) is the steady state probability distribution of the Markov graph of
the system with the hazard rates of the given option, p(i,j,option) is the transition
probability from state i to state j and for the given option and finally Ck(i,j,option) is
the time dependant (k) cost for each option. If i≠j, this cost is a transition cost from
state i to state j, and if i=j then it is a sojourn cost in state i.
For a given “expensive” option, the operational and maintenance costs may be
higher, however since the failures and repairs are less frequent, this may lead to an
overall more economic solution in comparison to another “cheaper” option where
failures are more frequent leading to “expensive” accident states more often. The
computation of the Total Cumulative Cost for each option integrating all the
different cost and the different frequency failures will give us the necessary elements
in order to decide about the most appropriate solution in the fifth step of the FSA
process.
As to summarize this first approach of the FSA improvement, the FMECA
methodology can be used for the first step, the fault-trees for the step 2 and finally a
performability modeling can be used for the last step of the FSA procedure.

References

1. Akers. S. B. Binary decision diagrams. IEEE Transactions on Computers, c-

27(6): 509-516, June 1978.
2. Bowles J. B, Bonnell D. R., Failure Mode, Effects, and Criticality Analysis
(What It Is and How To Use It)1997 RAMS IEEE Press.
3. Bryant R. E. Graph-based algorithms for Boolean function manipulation. IEEE
Transactions on Computers, c-35(8):677-691, August 1986.
4. Coudert O., Madre J. C., Fault tree analysis: 102 prime implicants and beyond. In
Proceedings of the Reliability and Maintainability Symposium, pages 240-245,
January, 1993.
5. Dugan J. B, Doyle S. A., New Results in Fault-Tree Analysis 1997 RAMS IEEE
Press
6. Evans R. A, Practical Reliability Engineering & Management. 1997 RAMS
IEEE Press
7. Hoyland A., Rausand M., System Reliability Theory Models and Statistical
Methods
8. IMO Interim guidelines for the application of FSA to the IMO rule-making
process. MEPC 40/16 (or MSC/Circ.829, MEPC/Circ.335), 1997.
9. Kovalenko I. N., Kuznetsov N. Y. Pegg P. A. Mathematical Theory of
Reliability of Time Dependent Systems with Practical Applications Willey
Series in Probability and Statistics.
10. Platis A An extension of the Performability Measure and Application in System
Reliability, International Journal of Computation and Numerical Analysis and
Applications 2002; 1: 87-101
11. Wang J., Foinikis P.. Formal safety assessment of containerships 2001, Marin
Policy, 143-157