A comparison of engineering processes related to safety between the offshore and railway sectors


Degree project in Mechanical Engineering, second cycle, 30 credits
Stockholm, Sweden 2016

Morten Jarvis Westergård


Preface


Abstract

After a period of high activity within the offshore sector in Norway, it now experiences a decrease in activity. At the same time, the railway sector is experiencing high activity and new investments. This leads to a shift in the need for engineering expertise. A relevant area of expertise is the design and engineering processes related to safety. This is a study of such processes in the two industries, based on a comparison of the relevant industry standards and supported by impressions collected in interviews. The purpose of this study is to investigate how readily safety engineers can transfer from the offshore industry into the railway industry. The study shows that the principles of safety engineering are built on the same grounds. There is however a difference in management approach, and in the use of certain tools and methods. The offshore industry has a more developed quantitative approach, while the railway industry relies more on qualitative methods. The offshore industry seems to be narrower and more specialised in its approaches, while the railway industry relies on a broader concept of safety engineering. The study shows that safety engineers do not depend much on deep technical knowledge, but they need to be able to control the processes in a manner that utilises the knowledge of other experts to analyse the systems under consideration. Even if the technical skills might not be crucial, it seems evident that being able to communicate on the premises of the industry is vital. This seems like an area relevant for specific training for new safety engineers entering the railway industry. Railway RAMS management has been implemented during the last decade, and quantitative methods are gradually being introduced. Safety engineering in the railway industry has historically been based on the experience of the engineers. The new approach, with an increased focus on reliability and availability, can be a good chance for offshore engineers to bring their expertise to use within a new field of engineering. Even if the overall concept of the industry applications is somewhat different, this study shows that the structure and working methods are similar enough for an agile transfer between the industries.


Acknowledgements

I wish to give my gratitude to those who have contributed to this thesis. I am very grateful for the collaboration between the departments of Naval Architecture and Industrial Economics and Management. This had not been possible without the willingness from Anders Rosén, Pernilla Ulfvengren and Bo Karlson.

I would give my thanks to Bjørn Axel Gran at Safetec Nordic AS, for proposing an interesting and relevant task. It gave me the opportunity to specialise in a subject highlighting my specialisation within management at the Master Programme in Naval Architecture. Discussions throughout this project have been invaluable.

A special thanks also goes to Pernilla Ulfvengren and Matthew Stogsdill from the Department of Industrial Management and Economics. You have been beyond helpful in the supervision of my work, and given the thesis the right academic layout.


Contents

1 Introduction
1.1 Background
1.2 Objectives
1.2.1 Research questions
1.3 Limitations

2 Safety Engineering At A Glance
2.1 Introduction of the theoretical background of the study
2.2 Basic Terms of safety engineering
2.3 Some important safety engineering concepts
2.3.1 RAMS
2.3.2 Barriers
2.3.3 Common cause failures
2.4 Management of safety
2.4.1 Management of functional safety in the offshore industry
2.4.2 Management of railway RAMS
2.5 Measuring and evaluation of risk
2.6 Verification, Validation and Assessment
2.7 The Risk Analysis Process
2.7.1 Hazard Identification
2.7.2 Causal Analysis
2.7.3 Accident Scenarios
2.7.4 Accident models
2.7.5 Relevant methods for analysis of technical systems

3 Applications in the industries
3.1 About the industry applications
3.2 Offshore technology and safety applications
3.2.1 Offshore technical system
3.2.2 Offshore hazards
3.2.3 Use of safety barrier concept
3.2.4 Development leading to new challenges in the offshore industry
3.3 Railway technology and safety applications
3.3.1 Technical system
3.3.2 Hazards and use of barrier concept
3.3.3 Development leading to new challenges

4 Method of comparison
4.1 Introduction to the method
4.2 Comparison of the standards
4.3 Interviews

5 Results of comparison
5.1 Comparison of items from the generic industry standards
5.1.1 About the standards
5.1.2 Management of safety
5.1.3 Life cycle design phase
5.1.4 Verification, validation and assessment
5.1.5 Measuring risk
5.1.6 Competence requirements
5.1.7 Documentation
5.2 Impressions from the industries
5.2.1 Industry applications
5.2.2 Risk analysis
5.2.3 Implementations of the standards
5.2.4 Competence
5.2.5 Documentation
5.2.6 Communication and information flow
5.2.7 Transfer of competence
5.2.8 Trends

6 Discussion
6.1 Overall considerations
6.2 Comparison of standards
6.3 Impressions from interviews
6.4 Other
6.5 Further work

7 Conclusion

A Introduction to industry practices
A.1 About the standards

B Offshore
B.1 Management of functional safety
B.1.1 Connection between functional safety and overall quantitative risk analysis
B.1.2 Responsibilities
B.1.3 Follow-up
B.2 Design phase of the life cycle
B.3 Barriers and safety functions
B.3.1 SIS design and engineering
B.4 Measuring risk
B.5 Verification, Validation and Assessment
B.6 Competence
B.7 Documentation
B.8 Definition of safe state

C Railway
C.1 Factors influencing RAMS
C.2 Design phase of the system life cycle
C.2.1 Concept
C.2.2 System definition and application conditions
C.2.3 Risk analysis
C.2.4 System requirements
C.2.5 Apportionment of system requirements
C.2.6 Design and implementation
C.4 Verification, Validation and Assessment
C.5 Competence
C.6 Documentation


Abbreviations and definitions

JBV - Jernbaneverket (Norwegian government's agency for railway services)
NOG - Norsk Olje & Gass (Norwegian oil & gas association)
Ptil - Petroleumstilsynet (Petroleum Safety Authority Norway)
RAMS - Reliability, Availability, Maintainability, Safety
SIL - Safety Integrity Level
SIS - Safety Instrumented System


Chapter 1

Introduction

1.1

Background

Safety is necessary in all technical systems. A safe system is a system where the risks from hazards are controlled or eliminated, to obtain a level of risk that is considered safe. Safety engineering is about using engineering and scientific methods to ensure that technical systems are designed to avoid failures in connection with potentially hazardous events. It is an interdisciplinary field, where the safety engineer needs to be able to gather knowledge from other specialists in order to identify hazards, develop effective measures against them, and make safe operations possible. While a safety engineer cannot be an expert in all engineering fields within a technical system, he or she should be able to address the safety issues of these fields in order to control or eliminate the relevant hazards (Spellmann, 2004).

Safety engineering is predominantly about managing risk. The term risk is ambiguous, but in engineering it is in most cases linked to uncertainties about future events or activities, and the possible negative consequences of them. The risk management process is a vital part of constructing a safe and reliable system. A successful risk management process should not be underestimated as a positive contributor to the overall business performance of an engineering project either. Increased design life and reduced life cycle costs are some positive effects of a successful risk management process (Verma, 2010).

According to Verma (2010), the following factors are some of the reasons why risk engineering is important in a modern technical system:

• Increased product complexity.
• Accelerated growth of technology.
• Public awareness and customer requirements.
• Modern safety and liability laws.
• Competition in the market.
• Past system failures.
• The cost of failure, damage and warranty.


Figure 1.1: The relationship between cost of changes related to ability to make changes. ©2016 A.W. Hooker

The Norwegian offshore oil and gas industry has developed extensive knowledge of risk assessment and prevention of accidents through design. Production within confined spaces forces the use of effective safety barrier systems within the design. This also includes prevention of human errors through design of work places. A central tool in the design of inherent safety measures is the quantitative risk analysis. The industry has developed a community of technical experts with extensive knowledge of safety barrier systems. This is a result of the heavy investments and commitment to safety in the offshore industry over the last decades (Kjellén, 2007).

RAMS engineering in the railway industry is closely connected to the goal of the railway system (i.e. providing a defined safe level of railway traffic within a certain time) (Cenelec, 2006). Risk analyses in the railway industry attracted more attention during the 1990s. This was driven by organisational changes and increased technical complexity in railway operations (Rausand, 2011, p.532). European safety directives are mainly driven by the increased commitment to the ERTMS and the collaboration with the rest of the European continent. In Norway, Jernbaneverket (JBV) is increasingly putting its commitments into RAMS management, which drives forward the focus on the RAM parameters in line with safety.

After a period of high activity within the offshore sector, it now experiences a decrease in activity. At the same time, the railway sector is experiencing high activity and new investments. This leads to a shift in the need for engineering expertise. A proposed strategy is to redeploy personnel from the offshore to the railway sector. The success of such a strategy depends upon the agility of the transfer between the sectors. A relevant area of expertise is the design and engineering processes related to risk and safety. How well do the Safety Management Systems compare? Are the industry-specific design processes related to risk and safety comparable? The aim of the analysis is to answer questions like these. The analysis will provide a basis for the comparison of competence requirements between the sectors. However, it is outside the scope of this work to provide the competence analysis itself.


1.2

Objectives

The aim of this study is to deliver a comparative analysis of the safety engineering principles of the railway and offshore sectors. More specifically, the study will provide:

1. A background on safety engineering.

2. A brief summary of the safety engineering applications within the railway and offshore industries.

3. A comparison of:

(a) the industry standards for the generic applications of safety engineering,
(b) the practices and impressions gathered through a series of interviews with specialists.

1.2.1

Research questions

The following main research questions form the basis for the study.

• Are the engineering processes related to safety comparable between the two industries?

• How do the industry applications of safety engineering affect the approach to technical safety?

• What are the strengths and weaknesses of an offshore safety engineer moving into the railway industry?

1.3

Limitations

This is a thesis in collaboration with the Norwegian company Safetec Nordic AS (Safetec). The analysis is performed with a focus on the Norwegian offshore and railway industries. This requires the use of standards, theory and other data collection based on the Norwegian industry. The analysis aims at being as generic in its claims as possible; however, the influence of this company and its partners, which provided the background material for this study, cannot be entirely avoided.

The study focuses on the generic picture of the safety processes. This is based on the choice of industry standards studied, provided by Safetec. Even if this study focuses on the generic applications of EN 50126 (Cenelec, 2006) and IEC 61508 (IEC, 2010), it is worth mentioning that these standards are closely related to several other safety-specific standards with applications within both industries. The study can be likened to a toolbox. The intention is to present the tools and the context in which they are used, but not necessarily to state explicitly how they are used. This is anchored in the background of the study, and its possible use from a human resources perspective.


Chapter 2

Safety Engineering At A Glance

2.1

Introduction of the theoretical background of the study

This chapter is devoted to the theoretical background of the safety engineering concepts presented in this study. Concepts from the generic safety standards IEC 61508 and EN 50126 form this baseline. The chapter also includes a further explanation of the risk analysis process, as it is a cornerstone of the risk assessment inherent in safety engineering. The chapter also briefly accounts for relevant concepts, and the theory behind the comparison of the industry applications.

To provide a basis for understanding, and to prevent confusion with other meanings of the terms, the following section provides definitions of some of the basic terms the thesis deals with. Terms like risk and safety are ambiguous and vary widely with the context they are used in. Risk can have a positive meaning (as in economics), but in risk engineering it is strictly connected to unwanted outcomes of hazardous events.

This theory chapter is, as mentioned, based on a background study of the industry standards IEC 61508 and EN 50126. The background study is given in its entirety in appendices A to C. The reader is referred to the appendices for a separate view of the industry practices.

2.2

Basic Terms of safety engineering

Some of the terms related to risk and safety engineering are commonly used in everyday conversation. It can therefore be useful to define some basic terms, so that the reader and writer share the same perception of the words in this context. The definitions are inspired by or cited directly from Rausand (2011).

A major accident is defined by Jersin (2003) as a sudden, unwanted event satisfying one of the following criteria:

• Five or more casualties.
• Material damage of 30 million NOK (based on the 2003 currency value).
• Great environmental damage.

A Hazard can be defined as "a source of danger that may cause harm to an asset" (Rausand, 2011, p.66). The connection to the release of energy or the exposure to dangerous materials springs easily to mind, but it also relates to other potential causes of harm such as degradation of materials, stability problems or simply the lack of a safety culture. An initiating event can disturb the normal operation of a system, and can further lead to a hazardous event that, if not controlled, may lead to some undesired consequence.

Risk combines the probability of an unwanted event with the harm it has the potential to cause.

Safety is defined as "a state where the risk has been reduced to a level that is as low as reasonably practicable (ALARP) and where the remaining risk is generally accepted" (Rausand, 2011, p.61). An Accident is an unplanned event with an undesirable outcome. A sequence of events from an initiating event to an end event is called an accident scenario.

RAMS is an acronym for the parameters reliability, availability, maintainability and safety.

Safety integrity is the likelihood of a system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time (Cenelec, 2006).

Equipment under control (EUC) denotes a part of a technical system. It makes it possible to distinguish between different parts of the system from a safety point of view.

A failure can be defined as "the termination of a required function", and a failure mode as "the effect by which a failure is observed on a failed item". A failure mode describes how the failure happens and the impact it has on the operation.

2.3

Some important safety engineering concepts

This section provides a brief description of some important concepts central to safety engineering. They are presented here to give a theoretical basis before they are presented within their applications. Singling out these elements is also a suggestion of their importance within the subject.

2.3.1

RAMS

Introduction to RAMS

This summary of RAMS is based on the work of Stapelberg (2009). The concept of RAMS in the field of safety engineering is driven by modern applications demanding near 100% availability. Both the public and regulatory views of safety have changed, and the tolerance for accidents in modern applications is decreasing (Bagia, 2012).

In the design and construction of large engineering systems, the engineering integrity is an important attribute. Increasing complexity due to both technology and integration of many systems leads to a need for the determination of the design integrity of the system. The integrity relates to the reliability, availability, maintainability and safety of the system.


Reliability is "the probability of successful operation or performance of systems and their related equipment, with minimum risk of loss or disaster, or of system failure". Reliability is closely connected to the effects of failures of the system, and these effects are a natural part of the analyses when designing with reliability in mind.

Availability is "that aspect of system reliability that takes equipment maintainability into account". Reviewing the availability of the design involves looking at "the consequences of unsuccessful operation or performance of the integrated systems and the critical requirements necessary to restore operation or performance to design expectations".

Maintainability relates to the downtime of the systems. "Designing for maintainability requires an evaluation of the accessibility and 'repairability' of the inherent systems and their related equipment in the event of failure, as well as of integrated systems shut-down procedures during planned maintenance".

Safety can according to Stapelberg (2009) be divided into three categories related to the three main assets, i.e. persons, equipment and the environment. To avoid including several definitions of safety, reference is made to the definition from Rausand (2011): "Safety is a state where the risk has been reduced to a level that is as low as reasonably practicable (ALARP), and where the remaining risk is generally accepted."

Measuring RAMS

The empirical understanding of the RAMS parameters can be linked to different aspects of probability theory and statistical techniques. To give a quantitative measure of the parameters, one depends on obtaining data from past experience or observations.

Reliability can be interpreted as "the probability of performing successfully". Its assessment can be related to data on the success or failure of the intended function of systems or equipment. Such a measure is typically connected with an estimate of the significance of the data obtained, i.e. the confidence level of the results, which depends upon the amount of data obtained for the estimate.

Availability and maintainability are based upon time-dependent phenomena with a probability distribution ranging from zero to one (Stapelberg, 2009). Availability (mostly related to systems) is a "measure of total performance effectiveness". It deals with the two separate events of failure and repair. A Monte Carlo simulation can be employed based on the time-to-failure and time-to-repair distributions; Stapelberg names Weibull and Poisson for time-to-failure (a Poisson failure count corresponds to exponentially distributed times to failure) and log-normal for time-to-repair. Maintainability (mostly related to equipment) is "a measure of effectiveness of performance during the period of restoration to service". It deals with the same difficulty as reliability, i.e. relying on only one random variable leading to one type of event. Its trustworthiness hence relies much on the confidence level of the data.


Designing for RAMS

The safety analysis process is covered elsewhere in the thesis (section 2.7). This section is therefore devoted to the concepts of reliability, availability and maintainability.

The reliability of a system is related to its ability to perform within the required performance levels. The reliability can consist of several performance variables. These variables should typically be specified with prescribed levels of performance. The design solution with the highest safety margin with respect to these performance levels will hence be the most reliable design. Reliability needs to be considered at several levels and in different phases of the design process. When designing at system level in the preliminary phase, one needs to look at the assemblies of components, focusing on eliminating weak links (Stapelberg, 2009). Later on, in the detailed design phase, when requirements at component level are identified, one can evaluate their implications at assembly level. This means a collective evaluation of the components after assembly.

Availability in design relates to the "item's capability of being used over a certain time". In other words, it relates to the usage of the system or equipment over a specified period of time. A system component is available as long as it is able to perform within specification requirements in a certain period of time. The concept relates to reliability and maintainability in terms of mean time between failures (MTBF), mean downtime (MDT) or mean time to repair (MTTR).

Maintainability is defined as "the probability that a failed item can be restored to an operationally effective condition within a given period of time". Designing for maintainability implies taking operational requirements into consideration for failures of the system. MTTR is as relevant a measure for this concept as it is for availability. What distinguishes it from availability is that it looks at the restoration process of failed equipment, and not solely at the performance, as is the case when considering the availability.
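As an added illustration of the availability measurement and design points above (example code written for this edit, not taken from the thesis or from Stapelberg (2009)): a small Monte Carlo simulation of one repairable item as an alternating sequence of Weibull-distributed times to failure and log-normal times to repair. It returns the operational availability over a mission time together with a confidence interval that narrows as more histories are simulated, and compares the estimate with the steady-state value MTTF/(MTTF+MTTR). All parameter values are constructed for the example. The last helper turns the relation around and returns the largest MTTR that still meets an availability target for a given MTTF, which is the lever used when increased maintenance compensates for reduced reliability.

```python
import math
import random
import statistics


def weibull_mean(scale, shape):
    """Mean of a Weibull(scale, shape) time-to-failure distribution."""
    return scale * math.gamma(1.0 + 1.0 / shape)


def lognormal_mean(mu, sigma):
    """Mean of a log-normal(mu, sigma) time-to-repair distribution."""
    return math.exp(mu + sigma * sigma / 2.0)


def simulate_history(rng, mission_time, ttf_scale, ttf_shape, ttr_mu, ttr_sigma):
    """One operating history of a repairable item: up -> failed -> repaired -> up ...
    until the mission time is reached. Returns the fraction of the mission spent up."""
    t = 0.0
    up_time = 0.0
    while t < mission_time:
        ttf = rng.weibullvariate(ttf_scale, ttf_shape)
        if t + ttf >= mission_time:
            up_time += mission_time - t  # still up when the mission ends
            break
        up_time += ttf
        t += ttf
        t += rng.lognormvariate(ttr_mu, ttr_sigma)  # item is down during repair
    return up_time / mission_time


def estimate_availability(n_histories=200, mission_time=20000.0,
                          ttf_scale=1000.0, ttf_shape=1.5,
                          ttr_mu=2.0, ttr_sigma=0.5, seed=1):
    """Monte Carlo estimate of operational availability with a normal-approximation
    95% confidence interval over the simulated histories. Parameter values are
    constructed for the example (hours); the seed makes the run reproducible."""
    rng = random.Random(seed)
    samples = [simulate_history(rng, mission_time, ttf_scale, ttf_shape, ttr_mu, ttr_sigma)
               for _ in range(n_histories)]
    mean = statistics.fmean(samples)
    half_width = 1.96 * statistics.stdev(samples) / math.sqrt(n_histories)
    return {"mean": mean, "ci_low": mean - half_width, "ci_high": mean + half_width,
            "histories": n_histories}


def steady_state_availability(mttf, mttr):
    """Long-run availability of an alternating up/down process: MTTF / (MTTF + MTTR)."""
    return mttf / (mttf + mttr)


def mttr_for_target(mttf, target_availability):
    """Largest mean time to repair that still meets the availability target for a
    given MTTF. A lower MTTF (poorer reliability) must be matched by faster repair."""
    return mttf * (1.0 - target_availability) / target_availability


if __name__ == "__main__":
    mttf = weibull_mean(1000.0, 1.5)
    mttr = lognormal_mean(2.0, 0.5)
    sim = estimate_availability()
    print(f"MTTF {mttf:.1f} h, MTTR {mttr:.2f} h")
    print(f"steady-state availability {steady_state_availability(mttf, mttr):.5f}")
    print(f"simulated {sim['mean']:.5f} (95% CI {sim['ci_low']:.5f}..{sim['ci_high']:.5f})")
    print(f"MTTR allowed for A=0.99 if MTTF drops to 600 h: {mttr_for_target(600.0, 0.99):.2f} h")
```

Run with fewer histories and the confidence interval widens visibly, which is the point made above about the trustworthiness of the estimate depending on the amount of data. The simulation starts every history in the up state, so it is very slightly optimistic compared with the steady-state value; the difference shrinks as the mission time grows.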

2.3.2

Barriers

A feature in a technical system that is introduced to interrupt a specified harmful event sequence is often called a safety barrier. These barriers take various forms and serve various intentions. One distinction is between proactive and reactive barriers, exemplified in Figure 2.7. A proactive barrier aims at preventing a hazardous event, while a reactive barrier aims at reducing its effects.

An important attribute of a safety barrier is that it should act independently of other barriers. This means that it should retain its function regardless of the failure of another barrier. More importantly, it should be unaffected by the condition that caused the other barrier to fail.

Rausand (2011) presents several other names used for this concept. Names that appear a number of times in this study are:

• safety functions/systems,
• safety critical functions/systems, and
• layers of protection.

Other names include:

• countermeasures,
• defence measures,
• lines of defence, and
• safeguards.

A safety instrumented system is presented in the next subsection. Layers of protection become relevant in connection with a LOPA, but a layer of protection is basically the same as a safety barrier. This becomes evident in section 2.7.5 about LOPA.

Safety Instrumented System (SIS)

A certain kind of active safety barrier system is the safety instrumented system. It consists of input elements, e.g. sensors, connected to a logic solver that interprets the information acquired from the sensors. The logic solver is in turn connected to the actuating elements, which perform the safety function itself. The actuating element can typically be a valve (e.g. in the process industry) or a similar mechanical element. A schematic presentation is given in Figure 2.1. Relevant industry examples are dynamic positioning (DP) systems for floating offshore structures and automatic train stop (ATS) for railway systems.

Figure 2.1: SIS model as described in Rausand, 2011, p.372.

A SIS has a designated function, which aims at controlling a hazardous state, i.e. a deviation in the equipment under control (EUC). The SIS can operate in high-demand mode (e.g. dynamic positioning) or in low-demand mode (e.g. automatic train stop). The mode of operation has an influence when evaluating the reliability of the SIS: in low-demand mode the measure is the average probability of failure on demand, in high-demand mode the probability of a dangerous failure per hour. IEC 61508 is specifically devoted to such systems.

2.3.3

Common cause failures

The failures of system components cannot always be treated as independent events. When one component failure affects the probability of another component failure, they are said to be dependent. Dependencies can be of the sort that the status of one component is affected by the status of another. This is the case for spare components that are designed into the system to take over if the main component fails (i.e. redundant systems). External factors such as environmental impact can also cause several components to fail simultaneously. A common cause failure (CCF) is the simultaneous failure of two or more components from a shared cause. The root cause is the most basic cause, which if prevented will stop the failure from happening. Besides the root cause, a number of factors such as same design, location, maintenance etc. may contribute to a CCF event (Rausand, 2011).


2.4

Management of safety

2.4.1

Management of functional safety in the offshore industry

The standards enforced in the offshore industry, IEC 61508 and IEC 61511, have a strong focus on functional safety and safety instrumented systems (SIS). A safety instrumented system is an active system that functional safety relies upon. IEC (2016) summarises the meaning of functional safety in two bullets:

• Functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.

• Functional safety is the detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism to prevent hazardous events arising or providing mitigation to reduce the consequence of the hazardous event. (IEC, 2016)

The objective of the management of functional safety is to ensure that the safety integrity level is the cornerstone of the entire life cycle. Its implementation in the design phase is hence a crucial activity.

Risk assessment is a vital part of developing functional safety requirements. Through hazard analysis the required safety functions can be identified, and the risk quantification yields the safety integrity requirements (RockwellAutomation, 2016). Functional safety is a major contributor to the overall safety, but other aspects also contribute to the total risk reduction picture. Besides the SIS, both other safety-related technology systems and external risk reduction facilities contribute to the total risk reduction.
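To make the step "risk quantification yields the safety integrity requirements" concrete, and to show why the common cause failures of section 2.3.3 matter for a redundant SIS, the following is an added example written for this edit (it is not code from the thesis, from IEC 61508 or from Rockwell Automation). It derives the required PFDavg and SIL of a low-demand safety function from an unmitigated hazard frequency and a tolerable frequency, then estimates the achieved PFDavg of a 1oo1 and a 1oo2 SIS with the simplified low-demand formulas in terms of the dangerous undetected failure rate λ_DU, the proof-test interval τ and a beta-factor common cause fraction. The SIL bands are the IEC 61508 low-demand bands; the failure rate, test interval, beta value and hazard frequencies are constructed inputs.

```python
def sil_from_pfd(pfd_avg):
    """Map an average probability of failure on demand to an IEC 61508 low-demand SIL.
    Bands: SIL1 [1e-2, 1e-1), SIL2 [1e-3, 1e-2), SIL3 [1e-4, 1e-3), SIL4 [1e-5, 1e-4).
    Returns 0 when the value is too high for any SIL credit."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4  # values below 1e-5 are not tabulated by the standard; treated as SIL 4 here


def required_pfd(unmitigated_frequency, tolerable_frequency):
    """Risk reduction the SIS must deliver: the fraction of demands it may fail to stop
    so that the hazard frequency drops from the unmitigated to the tolerable value."""
    if unmitigated_frequency <= tolerable_frequency:
        return 1.0  # no risk reduction needed from the SIS
    return tolerable_frequency / unmitigated_frequency


def required_sil(unmitigated_frequency, tolerable_frequency):
    """Safety integrity requirement derived from the risk quantification."""
    return sil_from_pfd(required_pfd(unmitigated_frequency, tolerable_frequency))


def pfd_1oo1(lambda_du, tau):
    """Single channel, low-demand mode: PFDavg ~ lambda_DU * tau / 2."""
    return lambda_du * tau / 2.0


def pfd_1oo2(lambda_du, tau, beta):
    """Two redundant channels, either one can trip. Independent term (lambda_DU*tau)^2/3
    plus the beta-factor common cause term beta*lambda_DU*tau/2 (simplified formula of
    the kind given in IEC 61508-6; it ignores repair time and detected failures)."""
    independent = (lambda_du * tau) ** 2 / 3.0
    common_cause = beta * lambda_du * tau / 2.0
    return independent + common_cause


def meets_requirement(achieved_pfd, required_sil_level):
    """True when the achieved PFDavg lands in the required SIL band or a better one."""
    return sil_from_pfd(achieved_pfd) >= required_sil_level


if __name__ == "__main__":
    # Constructed inputs: hazard 2e-2 per year without protection, tolerable 1e-5 per year,
    # lambda_DU = 1e-6 per hour per channel, annual proof test (8760 h), beta = 10 %.
    need = required_sil(2e-2, 1e-5)
    single = pfd_1oo1(1e-6, 8760.0)
    dual_ccf = pfd_1oo2(1e-6, 8760.0, 0.1)
    dual_ideal = pfd_1oo2(1e-6, 8760.0, 0.0)
    print(f"required: SIL {need}")
    print(f"1oo1: PFDavg {single:.2e} -> SIL {sil_from_pfd(single)}, "
          f"meets requirement: {meets_requirement(single, need)}")
    print(f"1oo2, beta=0.1: PFDavg {dual_ccf:.2e} -> SIL {sil_from_pfd(dual_ccf)}, "
          f"meets requirement: {meets_requirement(dual_ccf, need)}")
    print(f"1oo2, beta=0: PFDavg {dual_ideal:.2e} -> SIL {sil_from_pfd(dual_ideal)} "
          f"(the common cause term dominates the realistic figure)")
```

With these inputs the single channel reaches only SIL 2 against a SIL 3 requirement, the redundant 1oo2 configuration reaches SIL 3, and almost all of its PFDavg comes from the common cause term: ignoring CCF would have credited the same hardware with SIL 4. Both formulas apply to low-demand mode only; a high-demand function such as dynamic positioning is assessed on the probability of dangerous failure per hour instead.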

Design phase related to SIS

IEC 61511 is built around the life cycle of the SIS. Even if the IEC standards focus on E/E/PE systems, the framework is similar to that of other safety-related systems, and to the overall project safety life cycle. A typical description of the early life cycle phases of an offshore project can, according to IEC (2002, app. E), be divided into:

• Investment studies
– The feasibility phase
– The concept phase
– The pre-execution phase (PDO phase)

• Investment project execution
– Detail engineering and construction phase
– The final commissioning and start-up phase

The SIS life cycle activities can be put into context with these overall life cycle phases. The risk analysis and safety barrier (protection layer) design reach from the concept phase into the detail engineering phase. An "as built" report is typically established and used as a living document even after the design phase of the life cycle.


The SIS design phase consists of the upper five boxes of the overall safety life cycle presented in Figure 2.2. The different phases are defined by their input, output and verification activities.

Figure 2.2: Overall safety life cycle with the design phase as the upper five boxes. IEC (2010).

2.4.2

Management of railway RAMS

Management of safety in the railway industry relates to the management of the RAMS parameters as a whole. There is a certain separation between the RAM parameters and safety, but in general they are managed together in a railway system. RAMS management is based on controlling the factors influencing RAMS requirements. These factors are given by Figure 5 in EN 50126.

The RAM parameters, reliability, availability and maintainability, can be useful when categorising the requirements and specifications connected to faults and findings of the system. The parameters are linked together by EN 50126 as in Figure 2.3. By using what can be interpreted as a broader concept of safety engineering, the concept of RAMS might make it easier to address the risk issue more specifically. Classifying a risk as an availability problem rather than a direct safety problem can be a way to handle the issue more efficiently, by utilising the best-suited parameters of the system to obtain the requested risk level (Winther, 2012).

Figure 2.3: The RAMS parameters interlinked as in EN 50126 (Cenelec, 2006).

This can be shown with an example from (QGEN50126). Suppose we have a train approved for operation, but some faults remain. A fault can be categorised as a reliability issue, which is not necessarily a safety problem. However, the availability issue it causes might still affect the railway RAMS and its requirements. Looking at the connection between reliability and maintainability, it might be possible to increase the maintenance to compensate for the reliability issue, so that the RAMS requirements are still fulfilled.

The management of railway RAMS in projects has a close connection to other general project components. The life cycle layout covers a general framework for the overall project execution, which also includes the RAMS activities. This is evident in the life cycle process described below, which highlights RAMS tasks related to a design phase description. The life cycle is in general a framework for the management of all aspects related to a railway system, and the RAMS tasks fit in as one component of this management system.

Design phase of RAMS activities

The life cycle design phase is divided into parts, where EN 50126 puts RAMS related tasks into context with general project tasks. The layout of the design phase can be evaluated in Figure 2.4. The following sections briefly present the scope of each phase and the related RAMS tasks.


Figure 2.4: Design phase according to EN 50126.

Concept

The concept phase aims at establishing the scope and purpose of the railway project. A management structure should be formed in order to be able to realize the project. Feasibility studies and financial analysis are important measures to support the foundation of the project.

RAMS-related tasks in this phase cover:

• Review of previously achieved RAMS performance.

• Consider RAMS implications of the project.

• Review safety policy and safety targets.

System definition and application conditions


system definition. The system mission profile indicates the application of the system in order to cover the need it is intended for.

RAMS-related tasks in this phase cover:

• Review past experience data.

• Establish safety plan.

• Identify influence on safety of existing infrastructure constraints.

Risk analysis

A part of the project solely dedicated to RAMS activities is the risk analysis. The main risk analysis includes identification of hazards, risks and events leading to hazards, and establishing a process for ongoing risk management. This analysis process might need to be covered at several phases of the project. The hazard log is an example of a ”living” document related to the risk assessment, which must be maintained through the entire life cycle of the system.

System requirements

A requirement analysis is performed, i.e. determining the needs and conditions for all stakeholder requirements in the project. The system demonstration gives a rough example to show the feasibility of the product. The overall acceptance criteria, i.e. the deliverables needed to deliver the required system, must also be stated in this phase. The organisation and quality management should be established together with a validation plan and change control procedure.

RAMS-related tasks in this phase cover:

• Define overall RAMS requirements.

• Define overall RAMS acceptance criteria.

• Establish RAMS programme and management.

Apportionment of system requirements

This phase should specify sub-system and component requirements and define their acceptance criteria.

RAMS-related tasks in this phase cover:

• Establish sub-system safety requirements and acceptance criteria.

• Update system safety plan.

Design and implementation

After the system has been clearly defined in the earlier stages of the project, this phase should cover the execution of the planning for the design and development of the system. It also includes performing verification and validation processes.


– Risk analysis.

– RAM parameters.

– Prepare generic safety case.

2.5 Measuring and evaluation of risk

The intention with a risk assessment is to provide input into a decision-making process. This decision may relate to the introduction of new technology or new applications of a system, especially related to the safety of it. Important steps in the process consist of defining what to measure and how to evaluate it. The measurement and evaluation of risk will in the end determine what information we can extract from the risk analysis process.

Risk is somewhat the ”unit” that is to be handled, and a measure of it can indicate the performance of the applied safety management and technology. Measuring risk is not a straightforward process. There exists no tangible measuring device, e.g. like when measuring the concentration of lactate in a clinical exercise test. To be able to do this, it is necessary to provide a quantity (i.e. an indicator) that can say something about the level of risk. Note the distinction between a risk indicator (saying something about future events) and a safety performance indicator (saying something about past events).

The safety of people is, as mentioned earlier, the highest priority in a safety engineering process. Risk to people can according to Rausand (2011) be divided into two main categories, i.e. individual risk and group risk. Individual risk is related to the statistical life of a person that has some specified relationship to a hazard, or an especially critical position in relation to a technical system. This could for example be a train driver. Group risk (often called societal risk) considers the risk for a group as a whole (for instance the passengers of a train). Potential loss of lives is a commonly used measure of group risk. This measure does not distinguish between one major accident and many small accidents with the same loss of lives.

The risk acceptance criteria are the measures against which the outcome of a risk analysis is compared. They can be defined in both a quantitative and a qualitative way. An example of a qualitative criterion is the ALARP principle, while quantitative criteria are often given as probability rates.

Safety integrity is by Rausand (2011, p.380) defined as ”the probability of a safety related system satisfactorily performing the required safety functions under all the stated conditions within a specified period of time”. The safety integrity is by IEC 61508 defined in four levels of probability of failure on demand (PFD) and probability of dangerous failures per hour (PFH). Together with the quantitative measures of PFD and PFH, qualitative requirements are also set out to align with them. They relate to qualitative requirements for system design and life-cycle phases and activities. Together they determine which SIL a safety system is at.

2.6 Verification, Validation and Assessment

Activities related to verification, validation and assessment of safety can be interpreted somewhat differently between organizations within the industries. It can therefore be convenient to clarify this, in order to understand the roles related to such activities in the offshore industry. The ISO and the Petroleum State Authority have their interpretation, while IEC has a different approach. Figure 2.5 from NOG (2004) clarifies these interpretations. However, this comparison is mainly based on IEC 61508/61511 compared to EN 50126, so IEC’s definition will be used further in this analysis.


Figure 2.5: Interpretations of verification, validation and assessment according to IEC and ISO. (NOG, 2004).

requirement and objective of the system. The verification plan should include the following items based on the recommendation in NOG (2004) and IEC (2002);

• Items to be verified.

• Procedures to be used for the verification.

• When the verification should take place.

• The responsible for the verification, including their independence.

• The requirements that the verification should be done against.

• How non-conformities and deviations should be handled.

Validation is by IEC 61508 and 61511 defined quite similarly to verification. The difference lies in that validation is more connected to the overall confirmation of the system over several phases in the life cycle. Related to the design phase specifically, a SIS requirement validation is to be performed after the design phase. The design should be checked against the Safety Requirement Specification. This is a validation after all the sub-phases of the design phase are accomplished. A similar validation is done after the installation and completion of the system.

Functional safety assessment (FSA) is the activity of performing independent audits at predefined stages during the life cycle. The required level of independence for the assessment personnel is stated in IEC (2010, p.52), and in practice means that the personnel performing it should not be among those designing what is to be assessed. The extent of the FSA is connected to size and complexity, duration, SIL, consequences and standardisation of the design features used. IEC 61511 states two stages where the FSA should be performed during the design phase:


2. After the safety instrumented systems (SIS) has been designed.

It is the functional safety assessment that ensures the quality of the safety requirement specification (SRS). The SRS is a document established in the design phase of a system and maintained throughout its life cycle. It is hence an important and central piece of evidence to evaluate in an FSA process.

2.7 The Risk Analysis Process

Safety engineering deals with the challenge of foreseeing and discovering what might go wrong with a technical system in the future, so that actions can be taken to prevent or mitigate the potential hazards and consequences of an unwanted event.

The core activity of the work done in a safety engineering process is the risk analysis. An important key in safety engineering is that all analysis should be made in relation to some decision-making. Unless the analysis and decision-making are linked, the analysis just stands as some separate, less productive work. Risk management is the continuous process of identifying, evaluating and implementing measures to ensure that risks are controlled in a manner that assures the safety of assets, e.g. people, material or the environment. An overview of the relations between these tasks can be viewed in Figure 2.6.

Figure 2.6: Risk management overview. Source: Adapted from Rausand (2011).

The risk analysis process is about investigating what can interrupt the normal operation of a technical system. It aims at identifying hazards which can initiate accident scenarios with the potential of release of energy, which in turn can lead to severe consequences involving casualties, environmental impacts or material damage. The wanted outcome of a risk analysis is to establish a risk picture, i.e. the possible hazardous events, their related consequences and the probabilities of them happening.


the event line. A complete route from an initiating event to the consequences in the end illustrates an accident scenario.

Figure 2.7: Bow tie diagram. Source: Adapted from Rausand (2011).

2.7.1 Hazard Identification

The first step in a risk analysis is to identify possible hazards and hazardous events that are of relevance to the system. Hazards should be described in a manner that makes their form, quantity and occurrence obvious. Conditions leading to occurrence of the identified hazards should also be in focus, so actions can be taken to prevent them from happening.

There are various approaches to hazard identification. One approach is to identify failure modes through a Failure Modes, Effects and Criticality Analysis (FMECA) and assess the effects of the failure modes on the system. The process is performed by going component by component to identify the failure modes of defined system nodes, and the resulting effects on the complete system.

A Hazard and Operability Study (HAZOP) is a brainstorming process performed by a group of selected professionals who aim at detecting possible system deviations which may prevent the system from performing its required functions. The process is performed in meetings where guide-words are used as beacons to identify possible deviations in the system.


2.7.2 Causal Analysis

The objective of a causal analysis is to connect the hazardous events with the causes behind them. This provides a base for saying something about the possibility for the occurrence of a hazardous event, i.e. its frequency. To efficiently evaluate every hazardous event, a description of cause-categories and sub-categories should be established. The causes and effects of an event can typically be structured in a fish-bone diagram. Establishing this diagram has a value in itself by increasing knowledge about the extent of the system and its causes for failures. When progressing in the causal analysis it can be useful to make use of logic diagrams and other graphical tools. Some of these tools are described in section 2.7.5.

2.7.3 Accident Scenarios

When the hazard(s) have been identified and their frequencies determined, it is time to sum up the work, i.e. establishing the risk picture and consequence spectrum. An accident scenario can be seen as a pathway from a hazard to an asset via a hazardous event. When the sequence of events has been established, options for safety barriers can be taken into consideration. This is to stop or mitigate the undesired consequences from happening. An event tree representation is one of the most common ways of developing accident scenarios, and to analyse the effects of influence from barriers or actions taken along the way.

Consequence modelling is about quantifying the effects of end events, to see what kind of impact they may have on the assets. It can be beneficial to be able to categorize the end events, or determine mode of transmission to the assets, which a modelling technique like this will be capable of.

2.7.4 Accident models

Rausand (2011) states that ”Accident models are simplified representations of accidents that have already occurred or might occur in real life”. The simplest models are based on pure technical failures. Modern and advanced accident models include individual (human), societal, organisational and environmental factors in addition to the technology side of it.

There are a vast number of different types of accident models linked to different causal factors. The two most prominent for this study are the energy and barrier models and the event sequence models. Characteristics of these types of models will be presented briefly in this section. Analysis approaches like LOPA, event tree and fault tree will be described further in section 2.7.5.

The energy and barrier models focus on dangerous energy, and how it can be separated from the assets it has the potential to hurt. They have a simple basic idea based around the three elements listed below, and how the pathways between them influence their relationships. These elements are:

• Energy sources

• Barriers

• Assets

A barrier analysis is closely connected to such a modelling scheme, identifying the effects of safety measures included in the models. These kinds of analyses include:

• Energy flow and barrier analysis (EFBA)

• Layer of protection analysis (LOPA)


The event sequence models describe accidents as a sequence of detached events happening in a particular order. These models are characterized by their simplistic graphical representations and include analyses like the event tree and fault tree. The LOPA analysis is also relevant to these kinds of models.

2.7.5 Relevant methods for analysis of technical systems

This section will present a number of central analysis methods and graphical tools, which are often referred to as common or recommended practices in the analysis of safety aspects of technical systems. They represent different approaches to producing system breakdown structures, so that system nodes and the relationships between them can be analysed.

FMECA

The failure modes, effects and criticality analysis (FMECA) is a systematic approach for the failure analysis of a technical system. The method has a simplistic approach carried out by investigating failure modes and the causes and effects of them on the system. The method is highly relevant in pure safety risk analysis as well as in reliability analysis, which is its original application (Rausand, 2011). An FMECA can typically be arranged according to a FMECA worksheet with the following main content;

• Description of unit (including function and operational mode).

• Description of failure (failure mode, cause and detection of failure).

• Effect of failure (on sub-systems and their function).

• Risk picture (frequency, severity, detectability, RPN, risk reducing measure).

Central in the FMECA is the system breakdown structure, which divides the system into sub-systems and components. Central in this work are also the descriptions of system functions, operational modes and interrelations between systems. The FMECA is typically performed on component level (i.e. items at the lowest level), but is also applicable on sub-system level (Rausand, 2011).

The FMECA is typically performed by a study team, and its result therefore depends on the experience of the team performing it. It gives a comprehensive review of the system, and is adaptable with respect to the depth of different system parts. As its focus is on single faults, the method is weak in finding common cause failures.
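The worksheet layout described above can be carried through in code. The following is an added example written for this text, not code from the thesis or from Rausand (2011): the unit names, the 1 to 10 scales for frequency, severity and detectability, the RPN threshold and the sample rows are all constructed, and the risk priority number is computed as the product of the three ratings so the team can rank which failure modes to treat first.

```python
"""FMECA worksheet with risk priority number (RPN) ranking.

Added illustration of the worksheet layout discussed in the text; not taken
from Rausand (2011) or from any standard. Unit names, rating scales (1..10)
and sample rows are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class FmecaRow:
    unit: str            # description of unit, including its function
    operational_mode: str
    failure_mode: str
    cause: str
    detection: str       # how the failure is detected
    effect: str          # effect on sub-system / system function
    frequency: int       # 1 (rare) .. 10 (frequent), constructed scale
    severity: int        # 1 (negligible) .. 10 (catastrophic)
    detectability: int   # 1 (always detected) .. 10 (never detected)
    measure: str = ""    # risk reducing measure, filled in during the study

    @property
    def rpn(self) -> int:
        """Risk priority number: frequency x severity x detectability."""
        return self.frequency * self.severity * self.detectability


def validate(row: FmecaRow) -> None:
    """Reject ratings outside the constructed 1..10 scale."""
    for name in ("frequency", "severity", "detectability"):
        value = getattr(row, name)
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be in 1..10, got {value}")


def rank_worksheet(rows, threshold=100):
    """Sort rows by RPN (highest first) and flag those above the threshold,
    which is where the team is expected to record a risk reducing measure."""
    for row in rows:
        validate(row)
    ranked = sorted(rows, key=lambda r: r.rpn, reverse=True)
    return [(row, row.rpn > threshold) for row in ranked]


# Constructed sample worksheet for a signalling sub-system.
SAMPLE_ROWS = [
    FmecaRow("Track circuit relay (detects track occupancy)", "normal operation",
             "relay contacts welded closed", "contact arcing", "periodic inspection",
             "occupied block reported as free", 2, 10, 7),
    FmecaRow("Balise (transmits permitted speed to train)", "normal operation",
             "no telegram sent", "water ingress", "onboard ATC logs missing telegram",
             "train receives no speed update; ATC falls back to restrictive mode", 4, 5, 2),
    FmecaRow("Point machine", "switching", "fails to lock", "motor wear",
             "lock detection circuit", "route cannot be set; signal stays at stop", 5, 3, 2),
]

if __name__ == "__main__":
    for row, flagged in rank_worksheet(SAMPLE_ROWS):
        print(f"{row.rpn:4d} {'!' if flagged else ' '} {row.unit}: {row.failure_mode}")
```

The ranking makes the weakness noted above visible: each row is one single fault, so a cause shared by several rows (a common cause failure) is never seen by the RPN, which is why the worksheet is complemented by the logic tools in the rest of this section.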

Layer of protection analysis (LOPA)

Layer of protection analysis (LOPA) is a semi-quantitative method for deciding whether existing safety barriers are adequate, or if additional barriers need to be implemented. It is typically used for allocation of SIL requirements to safety instrumented functions.
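The two ideas meet here: the LOPA calculation decides how much risk reduction a new safety instrumented function must provide, and the SIL bands of section 2.5 translate that into a SIL. The following is an added example, not code from the thesis or from the text of IEC 61508/61511; the SIL bands are the IEC 61508 target failure measures (average PFD for low demand, PFH for high demand), while the initiating event frequency, the protection layer PFDs and the tolerable frequency are constructed for illustration.

```python
"""Layer of protection analysis (LOPA) and SIL allocation.

Added example, not code from the thesis or from IEC 61508/61511. The SIL
bands are the IEC 61508 target failure measures; the scenario numbers are
constructed.
"""
import math

# IEC 61508 bands: lower bound inclusive, upper bound exclusive.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def sil_from_measure(value, bands):
    """SIL whose band contains value (PFD with PFD_BANDS, PFH with PFH_BANDS),
    or None when the value lies outside SIL 1 to 4."""
    for sil, (low, high) in bands.items():
        if low <= value < high:
            return sil
    return None


def pfd_avg_1oo1(lambda_du_per_h, proof_test_interval_h):
    """Approximate average PFD of a single-channel (1oo1) function with only
    dangerous undetected failures: lambda_DU * tau / 2 (valid for small lambda*tau)."""
    return lambda_du_per_h * proof_test_interval_h / 2


def lopa(initiating_frequency, ipl_pfds, tolerable_frequency):
    """Mitigated event frequency after the independent protection layers (IPLs),
    and the PFD a new safety instrumented function (SIF) must reach so that the
    tolerable frequency is met (None when the existing layers already suffice)."""
    mitigated = initiating_frequency * math.prod(ipl_pfds)
    if mitigated <= tolerable_frequency:
        return mitigated, None
    return mitigated, tolerable_frequency / mitigated


def required_sil(initiating_frequency, ipl_pfds, tolerable_frequency):
    """SIL to allocate to a new SIF: 0 when no SIF is needed or the required risk
    reduction is below a factor of 10; ValueError when even SIL 4 would not do."""
    _, sif_pfd = lopa(initiating_frequency, ipl_pfds, tolerable_frequency)
    if sif_pfd is None or sif_pfd >= PFD_BANDS[1][1]:
        return 0
    sil = sil_from_measure(sif_pfd, PFD_BANDS)
    if sil is None:
        raise ValueError(f"required PFD {sif_pfd:.1e} is beyond SIL 4; redesign the process")
    return sil


# Constructed scenario: overpressure of a separator leading to a hydrocarbon release.
SCENARIO = {
    "initiating_frequency": 0.5,    # control loop failures per year (constructed)
    "ipl_pfds": [0.1, 0.01],        # operator response, relief valve (constructed)
    "tolerable_frequency": 1e-5,    # per year (constructed)
}

if __name__ == "__main__":
    mitigated, sif_pfd = lopa(**SCENARIO)
    print(f"mitigated frequency {mitigated:.1e}/yr, new SIF needs PFD {sif_pfd:.1e}")
    print("allocate SIL", required_sil(**SCENARIO))
    print("1oo1 channel, lambda_DU 1e-6/h, yearly proof test -> SIL",
          sil_from_measure(pfd_avg_1oo1(1e-6, 8760), PFD_BANDS))
```

Only the quantitative half of the SIL is produced here; as section 2.5 notes, the qualitative requirements on design and life-cycle activities must be met as well before the function can claim the level.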


Fault tree analysis

A fault tree diagram describes a top event (what, when and where), and the relation between it and a set of basic events. It is a binary tool where the events either occur or do not. The relationships between the events are typically represented by logic AND- and OR-gates. An example can be viewed in Figure 2.8.


Event tree

The event tree, as in Figure 2.9, is a typical way to describe the development of an accident scenario. Going from an initiating hazardous event, a number of following events describe how the system will react. The sequence turns out in a number of end events, describing the whole range of identified outcomes, based on the outcome of each intermediate event. The intermediate events represent a statement of a situation that might occur in the system. A well designed system has identified suitable barriers at each critical event in order to stop and mitigate the accident scenario from developing.

The split in the event tree at each critical event represents a true or false statement. Knowing the probability of the outcome of each intermediate event, the probability for each accident scenario, i.e. the pathway through the event tree, is known. The statement of the event is as a rule always defined as a negative statement, i.e. ”the component fails”.

Figure 2.9: A simple example of an event tree diagram. Source: Adapted from Rausand (2011).
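The bow tie of Figure 2.7 is the fault tree of the previous subsection joined to the event tree just described: the fault tree gives the probability of the hazardous event, and the event tree distributes that probability over the end events. The following is an added example written for this text, not code from the thesis or from Rausand (2011). It assumes independent basic events, all probabilities are constructed, and the scenario (a train passing a signal at danger) is a toy illustration; every intermediate event is stated negatively, as the text prescribes, with the probability that the barrier fails.

```python
"""Bow tie computations: a fault tree on the left, an event tree on the right.

Added example, not code from the thesis or from Rausand (2011). Basic events
are assumed independent, all probabilities are constructed, and the scenario
is a toy illustration.
"""
from itertools import product

# Constructed yearly probabilities of the basic events.
BASIC_EVENTS = {
    "driver misreads signal": 0.05,
    "signal lamp dark": 0.02,
    "interlocking fault": 0.001,
    "ATC fails to brake": 0.1,
}

# Fault tree for the top event "train passes signal at danger".
# A gate is (type, children); a leaf is a basic event name.
FAULT_TREE = ("AND", [
    ("OR", ["driver misreads signal", "signal lamp dark", "interlocking fault"]),
    "ATC fails to brake",
])

# Event tree: intermediate events after the top event, each stated negatively
# ("the barrier fails") together with the probability that it fails.
BARRIERS = [
    ("dispatcher fails to warn the driver over GSM-R", 0.5),
    ("emergency braking fails before the conflict point", 0.2),
]


def fault_tree_probability(node, basic=BASIC_EVENTS):
    """Probability of the event at node, assuming independent basic events:
    AND gate = product of p_i, OR gate = 1 - product of (1 - p_i)."""
    if isinstance(node, str):
        return basic[node]
    gate, children = node
    probs = [fault_tree_probability(child, basic) for child in children]
    if gate == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    if gate == "OR":
        result = 1.0
        for p in probs:
            result *= 1 - p
        return 1 - result
    raise ValueError(f"unknown gate type {gate!r}")


def event_tree(initiating_probability, barriers=BARRIERS):
    """Enumerate every pathway through the event tree. A pathway is a tuple of
    booleans, True where the barrier failed; its probability is the initiating
    probability times the branch probabilities along the pathway."""
    pathways = {}
    for path in product([False, True], repeat=len(barriers)):
        p = initiating_probability
        for failed, (_, p_fail) in zip(path, barriers):
            p *= p_fail if failed else 1 - p_fail
        pathways[path] = p
    return pathways


def consequence(path):
    """End event of a pathway: the scenario is stopped by the first barrier
    that works; only when all barriers fail does the collision occur."""
    for index, failed in enumerate(path):
        if not failed:
            return f"stopped by barrier {index + 1}"
    return "collision"


def bow_tie():
    """Risk picture for the scenario: top event probability and the
    probability of each end event, aggregated over the pathways."""
    top = fault_tree_probability(FAULT_TREE)
    end_events = {}
    for path, p in event_tree(top).items():
        name = consequence(path)
        end_events[name] = end_events.get(name, 0.0) + p
    return top, end_events


if __name__ == "__main__":
    top, end_events = bow_tie()
    print(f"P(top event) = {top:.5f}")
    for name, p in end_events.items():
        print(f"  {name:22s} {p:.6f}")
```

Because the barriers are in series, pathways in which an earlier barrier succeeded are merged into one end event; the sum over all end events equals the top event probability, which is a useful consistency check on any event tree.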

Bayesian network

A Bayesian network is a graphical description of the risk influencing factors (RIF) that affect the system and may turn out in a hazardous event. The main objective of a Bayesian network is to describe the relationship between factors of different types and how they influence the hazardous event. The network is built up by nodes, and the relations between them indicate the direct influences. The nodes describe a state or a condition. A technical system can e.g. be influenced by organisational, technical and human factors represented by the nodes. See Figure 2.10 for a simplistic example. The nodes can represent numerous types of variables, from a numerical quantity to a hypothesis. A node can also be represented by a random variable with a distribution. The value of the random variable is called the state of the factor it is representing. The more states a random variable can take, the more complex the computation will be.


Figure 2.10: A simple example of a Bayesian network. Source: Adapted from Rausand (2011).
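The computation the paragraph alludes to can be shown on a network of the same shape as Figure 2.10. The following is an added example, not code from the thesis or from Rausand (2011): the node names (an organisational factor, a technical factor, a human factor and a hazardous event) and all conditional probabilities are constructed, every node is binary, and inference is done exactly by enumerating all assignments, which is feasible for a network this small.

```python
"""Inference in a small Bayesian network of risk influencing factors.

Added example, not from the thesis or Rausand (2011). Node names and
probabilities are constructed; all nodes are binary.
"""
from itertools import product

# node -> (parents, conditional probability table). The table maps a tuple of
# parent states (True/False, in parent order) to P(node = True | parents).
NETWORK = {
    "inadequate_training": ((), {(): 0.10}),                # organisational factor
    "signal_fault": ((), {(): 0.02}),                       # technical factor
    "driver_error": (("inadequate_training",),              # human factor
                     {(True,): 0.30, (False,): 0.05}),
    "spad": (("driver_error", "signal_fault"),              # hazardous event
             {(True, True): 0.90, (True, False): 0.20,
              (False, True): 0.40, (False, False): 0.01}),
}


def joint_probability(assignment, network=NETWORK):
    """P(assignment) = product over nodes of P(node state | parent states)."""
    p = 1.0
    for node, (parents, cpt) in network.items():
        p_true = cpt[tuple(assignment[parent] for parent in parents)]
        p *= p_true if assignment[node] else 1 - p_true
    return p


def query(target, evidence=None, network=NETWORK):
    """P(target = True | evidence), with evidence given as {node: state}.
    Exact inference by enumeration: 2^n assignments, fine for small networks."""
    evidence = evidence or {}
    names = list(network)
    numerator = denominator = 0.0
    for states in product([False, True], repeat=len(names)):
        assignment = dict(zip(names, states))
        if any(assignment[node] != state for node, state in evidence.items()):
            continue
        p = joint_probability(assignment, network)
        denominator += p
        if assignment[target]:
            numerator += p
    return numerator / denominator


if __name__ == "__main__":
    print(f"P(driver_error)               = {query('driver_error'):.4f}")
    print(f"P(spad)                       = {query('spad'):.5f}")
    print(f"P(inadequate_training | spad) = {query('inadequate_training', {'spad': True}):.4f}")
```

The last query runs the network backwards: given that the hazardous event occurred, the probability of the organisational factor rises from its prior, which is the kind of reasoning an investigation uses to weigh root causes. With nodes of more than two states the enumeration grows as the product of the state counts, which is the complexity the paragraph refers to.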


Chapter 3 Applications in the industries

3.1 About the industry applications

This chapter will provide a brief overview of some of the technology present in the two industries and try to address the applications of safety engineering. The risk assessment process is addressed thoroughly in other chapters of this study. The main objective here is to look closer into some of the technology and concepts which are important to understand in a safety context. A brief description of hazards and other safety related challenges will also be presented.

3.2 Offshore technology and safety applications

Offshore oil and gas production has the potential to cause severe damage to the environment and to operational personnel. Large quantities of energy in confined spaces handled at remote locations, with challenging evacuation possibilities, are the reality in the offshore industry (Kjellén, 2007). Transport from shore to facilities, production in close connection to living quarters, and the significant weather impact are other specific challenges related to the safety of the industry.

The development of risk and safety management has been closely related to major accidents within the industry. Risk assessments in the offshore oil and gas industry were first used in the Norwegian sector of the North Sea after the Bravo blow-out at the Ekofisk Field in 1977 and the capsizing of the semi-submersible platform Alexander Kielland in 1980 (Rausand, 2011, p. 526). The offshore industry has since then been an important contributor to risk assessment theory.

3.2.1 Offshore technical system

Offshore oil and gas systems can according to PetroWiki (2015) be divided into three main areas relating to the operations, that is:

• drilling,

• production,

• and disposal.


A production situation tends to be a more steady state environment. Offshore oil and gas production has many similarities with the process industry onshore. What differs is that the process is somewhat simpler, and consists mainly of the separation of oil and gas from water and unwanted particles.

Subsea pipelines are the most common practice when it comes to transportation of crude oil and gas from offshore installations to onshore facilities, if the field is not too remote. Pipelines are an expensive part of offshore infrastructure, but are often the safest and most economical way of transporting oil and gas to shore. A pipeline dramatically increases the geographical scope of an offshore facility, and safety concerns related to seismic risks, corrosion and interference with other marine activities are obvious (NRA, 1994).

3.2.2 Offshore hazards

The process of extracting oil and gas under high pressure involves hazards related to fire and explosion, with major accident potential. The control of the process hazards is therefore the major concern in the offshore industry. Another important aspect related to major-accident prevention is the offshore structure stability and the risk of capsizing, maybe most famously exemplified by the Alexander Kielland Accident in 1980. A list of typical offshore-related major accidents is given in Table 3.1.

Table 3.1: Examples of offshore major accidents. Source: given by Table 1 in Wintle (2008)

Major hazard | Consequence
Hydrocarbon (HC) leaks | Shut down, loss of production, fire and/or explosion, asphyxiation.
Fire and explosion (as a consequence of HC leak) | Reduced safety of personnel, damage to equipment, loss of production, structural failure, collapse, escalation.
Dropped objects | Rupture of vessels and pipework leading to HC leaks etc., endangering personnel. Damage to safety critical systems.
Structural collapse of topsides or topside equipment | Damage to safety critical systems, pipe rupture, HC leaks, loss of escape and rescue capability and routes.
Failure of evacuation, escape and rescue (EER) systems | Risk to safety of personnel following an event.
Human factors (e.g. in management, operations or maintenance) | Increased risk of other major hazards.

Besides the hazards related to major accidents, the occupational hazards related to the workplace are a major contributor to the risk picture offshore. Vinnem (2007) mentions persons being hit or crushed by moving objects, and helicopter accidents related to both transportation and maintenance offshore, as the most prominent causes of fatalities. Looking at the Norwegian Continental Shelf, occupational accidents have happened regularly over the years, while the last fatal accident related to the release of hydrocarbons happened in 1985 (Vinnem, 2007). Sutton (2014) summarises the following list of offshore safety issues, which have the potential of causing severe accidents offshore:


• Helicopter operations

• Ship collisions

An offshore platform is a congested facility, which leads to problems with escaping easily from hazardous areas, and in the event of ignition it is difficult to isolate the source. The workers on an offshore platform need to both work and live on the facility, making them exposed to potential hazards at all times when on duty. The remote location of an offshore platform naturally leads to traffic to the facility, where both helicopter operations and the presence of ships are potential hazards. The offshore environment can be harsh, making the weather a prominent source of danger, with capsizing of the platform as probably the most severe case of accident. Danger in the form of large waves has also led to fatal outcomes, as recently as December 2015 at COSLInnovator on the Troll field in the North Sea.

One of the more recent, and in fact one of the worst offshore disasters of all time, is the Deepwater Horizon accident. The disaster exemplifies the potentially catastrophic environmental effects of an offshore oil and gas accident. Fire and explosions (fed by hydrocarbons from the well) made the rig sink after 36 hours. This resulted in the loss of 11 lives. The uncontrolled flow of hydrocarbons through the wellbore and the malfunctioning blow-out preventer continued for 87 days, causing the worst oil spill in offshore history (BP, 2010). A total of 3.19 million barrel equivalents of oil leaked into the Gulf of Mexico, leading to severe damage to the ecosystem. Over 1000 miles of shore between Texas and Florida were impacted (OceanPortal, 2016).

3.2.3 Use of safety barrier concept

Ptil (2013) points out that the correct interpretation of the terms safety barrier, safety barrier element and safety barrier function is important for the understanding of the regulatory framework connected to their management and requirements. They state that:

• ”A safety barrier is a technical, operational or organisational element that shall reduce the possibility for the occurrence of specific failures, hazards and accidents.”

• ”A safety barrier element is a technical, operational or organisational measure or solution included in the realisation of a safety barrier function.”

• ”A safety barrier function refers to the task of the safety barrier, i.e. prevent an ignition, reduce the fire load, or secure an allowable evacuation.”

One of the requirements related to safety barrier elements is that they should be connected to certain performance requirements, which should be possible to verify. Measures on which it is not possible to put verifiable requirements are thus not safety barrier elements. Measures related to safety culture can be an example of this.

3.2.4 Development leading to new challenges in the offshore industry

The future of the offshore oil and gas industry is filled with challenges. Finding new and unexplored reservoirs leads to new challenges and risks. Remote areas and complex reservoirs make future production more complicated. Explorations in sensitive areas also expand the risks that need to be assessed and managed (DNV-GL, 2015).


complicated, and will also lead to longer response times. This will affect different safety systems (e.g. blow-out prevention equipment).

On the other side of future challenges you find the ageing process of offshore installations. This is highly relevant on the Norwegian Continental Shelf where several fixed platforms are reaching their design life. Many of these platforms experience life extensions, which includes certain processes and criteria to keep the safety integrity at a required level (Wintle, 2008).

3.3 Railway technology and safety applications

The railway system is, by the nature of its function, a system that is closely connected with the community. It operates close to people and is part of the logistics chain. Safety and reliability are two attributes that are central for the system and its desired function. The goal of the railway system is to offer safe and reliable transportation of people and goods.

Railway safety has always been of interest for the public, but active risk assessment in the industry is relatively young (Rausand, 2011, p.532). Safety has always been a major driver for the railway industry, but the holistic application of RAMS is relatively new in Norway. The booklet ”Slik fungerer jernbanen” JBV (2012) is recommended for a comprehensive guide on how the railway system in Norway works.

3.3.1 Technical system

The railway system comprises five main elements. They can be divided into electro-technical and infrastructural sub-systems.

• Electro-technical systems

– Signalling

– Telecommunication

– Power supply

• Infrastructural systems

– Superstructure

– Substructure

The quality of the railway system is naturally dependent on all its components, including track standard, the performance of the rolling stock and, last but not least, the quality of the electro-technical architecture.

The signalling system ensures a safe train operation and an optimized utilization of the capacity of the railway, by providing a train control function (Froidh, 2011). The signalling system will be further explained in the next section.

The telecommunication system ensures the necessary communication for the train operation and all technical architecture related to it. The mobile GSM-R network is an essential part of it, providing full coverage of the railway network, including tunnels. Related to the signalling system, it provides the communication of the centralized traffic control, making it possible to remotely operate the signalling system.


the trains. The contact wire is constructed in a zig-zag pattern to allow for even wear and to maintain good dynamic characteristics. The electrical architecture is constantly watched by an automatic protection relay to avoid failures and short circuits.

The substructure is the foundation providing a stable platform for the superstructure (i.e. track, sleepers and connectors), to obtain the required track performance. Geo-technical properties such as ballast, drainage and frost are also important elements in the safety considerations for the railway.

Signalling system

The signalling system is the sub-system which has the strictest safety requirements. It is a fail-safe system, where the signals show stop if a failure is detected (which implies a train stop as well). The most important task of the signalling system is to ensure a safe train operation. Apart from that, it makes it possible to utilize the maximum capacity of the railway. To support and supplement the main control system, both automatic train control (ATC) and centralized train control (CTC) are used to enhance the control and safety of the system.

The railway being a track-bound system makes a train control function necessary, permitting the crossing or passing of trains on the same line simultaneously. This means that every train movement needs to be controlled and planned. The supervision and control of this is the main task of the signalling system. The principle of the train control system is that the track is organised into so called blocks, where the dispatching of trains is entirely controlled by the signalling system. The blocks are adapted to fit the traffic conditions, meaning shorter blocks close to stations, and longer blocks on undisturbed lines.

A traditional signalling system consists physically of optical signals, track circuits and manual switches along the track, allowing for several levels of control of the trains moving through the blocks. In addition there are automatic control systems reacting if the driver of the train commits any errors in the train operation. Signals are sent through balises along the track, transmitting information regarding allowable speeds, and whether the train can move into a new block.

The future brings increased collaboration across borders, with the introduction of the European Rail Traffic Management System (ERTMS) as a central element. In this system the lineside optical signals are essentially replaced by an on-board system that gives the driver all information needed for train control. The new system has to be introduced gradually, so the old and new systems must be able to operate together during the transition.

3.3.2 Hazards and use of barrier concept

Train operation and capacity are two important concepts that impose restrictions on the safety and availability of the railway product. They are briefly put into context in this section. A central barrier principle is that no single fault should cause an accident; it ensures that the safety barriers provide the necessary defence in depth for the system.

The capacity of a railway line depends on a number of elements. The number of tracks and the signalling system are the dimensioning elements of the infrastructure, along with the performance of the rolling stock and the train service provided by the operators.

Traffic control and production planning are essential for train operation. The nature of a track-bound transport system creates the need for a train control function that allows effective and safe train operation, and it is the signalling system that provides this function to the railway.


of collisions the most prominent safety issue. This is reflected in the top events defined by JBV, where collisions are among the main events to avoid and control.

A recent accident exemplifying a head-on collision is the Bad Aibling accident in Germany. A total of 150 passengers were involved in the single-track accident, in which 12 people died and 24 were seriously injured. The preliminary conclusions point towards serious human error at several levels. A train dispatcher (the person responsible for giving trains permission to enter a block) is accused of giving incorrect orders and, after realising the error, of mishandling the emergency procedure (Wikipedia, 2016b).

SJT (2014) defines a safety barrier as "a technical, operational, organisational or other planned measure with the intention to interrupt an identified undesirable event sequence". The single-fault principle is a central concept in the Norwegian railway industry: a single fault in the system shall not lead to an accident. The concept is closely tied to independence between barriers and to the use of redundant systems. According to SJT (2014), reported deficiencies in the use of barriers tend to involve a lack of systematic thinking and unclear definition of the barriers themselves.
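The block principle from Section 3.3.1 and the single-fault principle above can be made concrete in a small model. The following is an added illustration written for this page, not code from the thesis or from any signalling product. It assumes (none of this is stated in the source) that each block is protected by one track circuit and one entry signal, that a circuit reports CLEAR only when it is healthy and unoccupied, and that any detected fault (lost relay, stale reading) is reported as a distinct FAULT state. The block names, train identifiers and the deliberately wrong "permissive" policy are constructed for the comparison: the fail-safe policy treats FAULT like an occupied block, the permissive one treats it like a clear block, and a survey over every single fault shows which of the two honours the single-fault principle.

```python
# Fail-safe block signalling model: an added illustration of the block
# principle and the single-fault principle, not code from the thesis or from
# any signalling product. Assumptions (not in the source): each block has one
# track circuit and one entry signal; a circuit reports CLEAR only when healthy
# and unoccupied; any detected fault (lost relay, stale reading) is reported as
# FAULT. Block names, train ids and the "permissive" policy are constructed.
from dataclasses import dataclass
from enum import Enum


class TrackState(Enum):
    CLEAR = "clear"        # healthy circuit, no train
    OCCUPIED = "occupied"  # healthy circuit, train present
    FAULT = "fault"        # circuit cannot be trusted


class Aspect(Enum):
    STOP = "stop"
    PROCEED = "proceed"


@dataclass
class Block:
    name: str
    occupied: bool = False       # physical truth: a train is in the block
    circuit_ok: bool = True      # track-circuit relay healthy
    reading_stale: bool = False  # last reading older than allowed

    def track_state(self):
        # A fault is reported as FAULT, never as CLEAR.
        if not self.circuit_ok or self.reading_stale:
            return TrackState.FAULT
        return TrackState.OCCUPIED if self.occupied else TrackState.CLEAR


def fail_safe_aspect(state):
    """Proceed only on positive evidence that the block ahead is clear."""
    return Aspect.PROCEED if state is TrackState.CLEAR else Aspect.STOP


def permissive_aspect(state):
    """Wrong design, for comparison: stop only on positive evidence of
    occupation, so a failed circuit is silently treated as clear."""
    return Aspect.STOP if state is TrackState.OCCUPIED else Aspect.PROCEED


class Line:
    """Blocks in running order; a train advances one block per authorised move."""

    def __init__(self, block_names, policy):
        self.order = list(block_names)
        self.blocks = {n: Block(n) for n in block_names}
        self.policy = policy
        self.position = {}  # train -> block name

    def place(self, train, block):
        self.position[train] = block
        self.blocks[block].occupied = True

    def request_advance(self, train):
        """Read the signal protecting the next block; move only on PROCEED."""
        i = self.order.index(self.position[train])
        if i + 1 >= len(self.order):
            return Aspect.STOP  # end of line is always a stop signal
        cur, nxt = self.blocks[self.order[i]], self.blocks[self.order[i + 1]]
        aspect = self.policy(nxt.track_state())
        if aspect is Aspect.PROCEED:
            self.position[train] = nxt.name
            nxt.occupied = True
            cur.occupied = cur.name in self.position.values()
        return aspect

    def collisions(self):
        """Blocks holding more than one train (a train-train collision)."""
        trains = {}
        for t, b in self.position.items():
            trains.setdefault(b, []).append(t)
        return {b: ts for b, ts in trains.items() if len(ts) > 1}


def two_train_line(policy):
    # Constructed scenario: train A in B2, train B following in B1.
    line = Line(["B1", "B2", "B3", "B4"], policy)
    line.place("A", "B2")
    line.place("B", "B1")
    return line


def healthy_run(policy=fail_safe_aspect):
    """No faults: B is held at STOP until A has cleared B2, then released."""
    line = two_train_line(policy)
    first = line.request_advance("B")   # B2 occupied -> STOP
    line.request_advance("A")           # A moves B2 -> B3
    second = line.request_advance("B")  # B2 now CLEAR -> PROCEED
    return [first, second]


def single_fault_survey(policy):
    """Inject each single fault into the circuit of the block holding the
    leading train, let the follower request entry, and count collisions.
    The single-fault principle requires the result to be 0."""
    hits = 0
    for fault in ("circuit_ok", "reading_stale"):
        line = two_train_line(policy)
        # circuit_ok is cleared to False, reading_stale is raised to True
        setattr(line.blocks["B2"], fault, fault != "circuit_ok")
        line.request_advance("B")
        hits += bool(line.collisions())
    return hits
```

Under the fail-safe policy every injected fault degrades to a STOP aspect, so the survey returns 0 and the only cost is availability (a train held unnecessarily). Under the permissive policy the same faults each end with two trains in B2, which is exactly the wrong-side failure the single-fault principle is meant to exclude. The design point is the direction of the default: the signal must demand positive evidence of a clear block rather than the absence of evidence of an occupied one.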

Jernbaneverket (JBV) bases its hazard identification in the risk analysis of a railway system on a set of defined top events. The top events are connected to basic events, which form the main structure for the hazard identification. Other categorisations are possible, but the top events listed in Table 3.2 are the ones given in the Safety Handbook of JBV.

Table 3.2: The stated top events for use in risk assessment. Source: Adapted from Erichsen (2015).

Top event: covered single events

Derailment: failure of rolling stock, superstructure or substructure; landslide; overspeed; derailment of dangerous goods.

Collision train-train: collision of a train with another train or other rolling stock.

Collision train-object: collision with objects on open track or in tunnels: landslide, animals, larger rocks, buffer stops, road vehicles accidentally on the track.

Fire: fire in a train, along the track, in tunnel equipment, and other fires with consequences for passengers and personnel.

Passengers harmed at platform: passengers harmed while boarding or disembarking at straight or curved platforms, or when crossing the track to an island platform. Also includes persons falling out of doors while the train is moving, or harmed inside the train.

Persons harmed at transition point: persons in collision with trains or road vehicles at transition points.

Persons harmed at track: persons hit by a train along the track, or in contact with the power supply system.

3.3.3 Development leading to new challenges


future development projects. The integration of new and old technology, and the interaction between new and old lines, are among the obstacles.

The European Rail Traffic Management System (ERTMS) is the new European signalling system, one of whose main objectives is to ensure fast and efficient train operation across borders in Europe. The basic idea is that the optical signals along the line are replaced by systems on board the trains, containing all relevant information such as movement authorities and permitted speeds.

Another development area is high-speed train operation, which places new demands on all railway subsystems. When speeds rise above 250 km/h, stricter demands are placed on infrastructure elements such as:

• the alignment of the line (i.e. curvature and gradient)

• the stability of the substructure

• the power supply (more power and better transmission)

• the signalling system


Chapter 4

Method of comparison

4.1 Introduction to the method

This chapter describes the method of comparison and the steps used to address the research questions. The intention is to describe the general structure of the comparison study and to explain its different parts specifically. The structure of the argumentation follows an item-by-item argumentation according to Walk (1998).

The introductory chapters set out a theoretical framework for the comparison. The standards EN 50126 and IEC 61508, for the generic safety processes, form the theoretical background. As the regulatory framework, they are of limited use on their own for understanding day-to-day practice. With this in mind, the guidelines and handbooks from JBV and NOG were used to support the understanding of how the standards are implemented within the industries. Chapter 2 is devoted to a generalised view of the theory. For a separate and comprehensive view of the industry standards, see Appendices A-C.

The comparison study is twofold. The first part is the study of the industry standards; a summary of the item-by-item comparison of the standards is given in Chapter 5. The second part is a series of interviews conducted to tie the standards closer to their practical use. The interviews were held with specialists in the field, to ground the comparison in the actual practices within the industries. An account of the impressions from these interviews is given in Chapter 6. The study aims to weight the two industries equally, but given its background it is oriented from the offshore industry towards the railway industry.

A set of items was chosen to allow a comparison of what are considered some of the most prominent aspects of the safety engineering processes. The items drawn from the standards and from the interviews differ slightly: they overlap to a certain extent, while some items are intended to complement each other. This is done to give a wider presentation of the different aspects of safety engineering in the industries. The following subsections further describe the content of the comparison analysis. The structure of this method chapter is inspired by Rudestam and Newton (2007).

4.2 Comparison of the standards
