The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.

OCR for page 31
4 SYSTEM SAFETY ISSUES

A major reason for the committee's and the Coast Guard's interest in the safety of tourist submersibles is that when a surface vessel finds itself in trouble, as a last recourse its passengers can leave the ship and swim away. Because this mode of personal escape is impossible for the passengers of a submersible (in most accident scenarios, at least), submersibles must have an additional margin of safety. Achieving this level of safety for tourist submersibles is significantly more difficult, since problems that are often merely troublesome for surface craft may be catastrophic for the tourist submersible and its crew and passengers. The goals of the Coast Guard and the passenger submersible operator are identical: the design, construction, maintenance, and operation of a safe system. Because it has been recognized that there are inherent safety risks associated with the operation of passenger submersibles, a safe system can be described as one in which the likelihood of occurrence of all identifiable hazardous events is maintained at an acceptable level, as determined by the Coast Guard. To achieve this safety goal, the passenger submersible industry can benefit from an awareness of contemporary safety programs implemented by other federal agencies, such as the Departments of Defense and Transportation, NASA, the Federal Aviation Administration, and the Department of Energy, for similar systems and concerns. These programs prescribe certain minimum standards for the procedures and practices that should be applied to identify, assess, and manage safety risks. In particular, these contemporary safety programs include objectives for the hazard analysis and safety review process that should be considered by the Coast Guard.
SYSTEM SAFETY HAZARD ANALYSIS

During 1988, a Passenger Submersible Safety Project was initiated by the Coast Guard with the Department of Transportation (DOT) Transportation System Center in Cambridge, Massachusetts. The purpose of this study was to assist the Coast Guard in identifying potential safety issues associated with tourist submersible operations. A preliminary hazard analysis of a representative tourist submersible system was performed, and fault tree analyses were developed for a selected list of undesired events (failure scenarios). A draft of the report, dated April 1989, and the final report, published in August 1989, were made available to the committee. The DOT report identified some serious safety issues, such as the need for a fire detection system and redundancy for several subsystems, for which the hazard control (i.e., recommended action) reference is given as TBD (To Be Determined). The report indicated that these areas did not appear to be adequately covered by existing codes, standards, or regulations; in some cases the safety issues related to training, operations, maintenance, and documentation needs. These findings point to a need for the Coast Guard to establish specific requirements and criteria for these hazard controls, as recommended by the DOT report, for inclusion in the Coast Guard's circular (i.e., NVIC) on passenger-carrying submersibles.[3]

The assessment of safety risks depends on the thoroughness and quality of the hazard analysis information. As is stated in the Transportation System Center's report: "Although a number of potential hazards and causal effects were identified, this initial effort identified only a limited portion of the hazards that may exist." The DOT effort was a top-level generic systems review; an expanded and more detailed analysis would provide greater insight into additional hazards, causal factors, hazard control measures, and associated safety risks for a specific system design. As an example, the generic review identified an explosion hazard associated with the oxygen storage cylinder. For a specific submersible design, a hazard analysis should also address the explosion hazard associated with other components of the oxygen system and their physical location on the submersible. The hazard analysis should address specific hazards relating to the various valve designs, piping configurations, materials of construction, etc., considering factors such as the compatibility of metallic and soft materials (seals) with oxygen, contamination from fretting or galling of material, isolation of components, and physical separation of parts intended to provide redundancy.

The Coast Guard should require that the submersible designer perform a detailed hazard analysis to provide a more complete and accurate evaluation of safety risks associated with the specific design and operational plan. Implementation of the hazard analysis requirement would add a function not normally a component of the Coast Guard's certification process. However, this requirement would enable both the Coast Guard and designers to concentrate on resolving the most important problems for any given design. Single-point failure analysis should receive particular emphasis in analyzing for safety criticality. The objective should be the elimination of single-point failures that could lead to a catastrophic accident. If single-point failures cannot be eliminated, rigorous tests, inspections, and procedural controls should be required to ensure that an accident does not occur.
A very close interface between reliability and safety exists in the prediction and monitoring of equipment failures, e.g., sensors, indicators, alarms, life support, and emergency systems. Detailed failure modes and effects analysis, criticality determinations, and subsystem hazard analysis may be warranted to establish requirements for backup and parallel redundancy and to ensure that redundant systems are truly redundant and do not have any common failure modes. In addition, reliability analysis has applicability in identifying life-limited items (such as acrylic viewports) in order to establish needs for spares and replacement schedules for continued safe operation. The hazard analysis process should be implemented during the design phase. The cost of alternative hazard controls can be expected to be significantly lower for submersibles in the design phase than for those that are already in operation. In the design phase the hazard analysis can provide an assessment of the safety of the design prior to construction, and design changes (if warranted) can be more easily incorporated. Since there are already operational vessels, hazard analysis applied after the fact should carefully guard against justifying and supporting the existing design. An objective approach is needed to weigh the acceptability of a level of safety in which procedures may be used to control the hazards and reduce risks, as compared with an approach that would eliminate the risk but require costly design changes. Finally, the certification review process should ensure that the criteria for hazard controls are built into the construction, operation, maintenance and survey plan, procedures, and activities. The development of inspection plans and criteria in large measure should be based on the hazard analysis results and an understanding of the safety-critical elements of the system. 
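The single-point failure analysis called for above, and the requirement that redundant systems be truly redundant with no common failure modes, can both be made mechanical with a minimal cut set analysis of a fault tree. The following is an added example written for this edit; it is not code from the committee, the DOT report, or the Coast Guard. The fault tree, the event names, and the per-dive failure probabilities are all constructed for illustration and are not taken from any real submersible design: two oxygen trains are meant to be redundant but both pass through one manifold valve, so the "redundancy" collapses to a single-point failure, and the hazard control (a separate, physically isolated valve per train) removes it.

```python
"""Minimal cut set analysis of a small fault tree (constructed example).

A fault tree is built from basic events (strings) and gates:
    ("OR",  [children])   the event occurs if any child occurs
    ("AND", [children])   the event occurs only if every child occurs
A minimal cut set is a smallest set of basic events that together cause
the top event. A cut set of size 1 is a single-point failure.
"""
import math
from itertools import product


def basic_events(node):
    """All basic events appearing anywhere under node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(child) for child in node[1]))


def minimize(sets):
    """Drop any cut set that is a strict superset of another (keep minimal ones)."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node):
    """Minimal cut sets of node, as a set of frozensets of basic events."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        combined = set().union(*child_sets)
    elif gate == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(combined)


def single_point_failures(node):
    """Basic events that alone cause the top event (size-1 minimal cut sets)."""
    return sorted(event for cs in cut_sets(node) if len(cs) == 1 for event in cs)


def shared_across_and_branches(node):
    """Basic events that appear under two or more children of the same AND gate.

    Such an event defeats the redundancy the AND gate is supposed to represent,
    so it is a common-failure-mode suspect even before cut sets are computed.
    """
    shared = set()
    if isinstance(node, str):
        return shared
    gate, children = node
    if gate == "AND":
        for i, left in enumerate(children):
            for right in children[i + 1:]:
                shared |= basic_events(left) & basic_events(right)
    for child in children:
        shared |= shared_across_and_branches(child)
    return shared


def top_event_probability(node, prob):
    """Rare-event approximation: sum over minimal cut sets of the product of
    their basic-event probabilities. An upper bound, close to exact when all
    probabilities are small."""
    return sum(math.prod(prob[e] for e in cs) for cs in cut_sets(node))


# Per-dive failure probabilities: assumed values for illustration, not measured data.
P = {
    "O2_CYL_A": 1e-3, "O2_CYL_B": 1e-3,
    "REG_A": 5e-3, "REG_B": 5e-3,
    "MANIFOLD_VALVE": 2e-3, "VALVE_A": 2e-3, "VALVE_B": 2e-3,
    "CO2_SCRUBBER": 4e-3, "EMERG_BREATHING": 2e-2,
}

# As designed: trains A and B are "redundant" but both pass through one manifold valve.
TRAIN_A = ("OR", ["O2_CYL_A", "REG_A", "MANIFOLD_VALVE"])
TRAIN_B = ("OR", ["O2_CYL_B", "REG_B", "MANIFOLD_VALVE"])
LOSS_OF_O2 = ("AND", [TRAIN_A, TRAIN_B])
NO_CO2_REMOVAL = ("AND", ["CO2_SCRUBBER", "EMERG_BREATHING"])
LOSS_OF_LIFE_SUPPORT = ("OR", [LOSS_OF_O2, NO_CO2_REMOVAL])

# Hazard control: each train gets its own physically separated isolation valve.
TRAIN_A_FIXED = ("OR", ["O2_CYL_A", "REG_A", "VALVE_A"])
TRAIN_B_FIXED = ("OR", ["O2_CYL_B", "REG_B", "VALVE_B"])
LOSS_OF_LIFE_SUPPORT_FIXED = ("OR", [("AND", [TRAIN_A_FIXED, TRAIN_B_FIXED]), NO_CO2_REMOVAL])


if __name__ == "__main__":
    for label, tree in (("as designed", LOSS_OF_LIFE_SUPPORT),
                        ("with separate valves", LOSS_OF_LIFE_SUPPORT_FIXED)):
        print(f"{label}:")
        print("  shared events under AND gates:", shared_across_and_branches(tree))
        print("  single-point failures:", single_point_failures(tree))
        print("  minimal cut sets:", len(cut_sets(tree)))
        print(f"  P(top event) ~ {top_event_probability(tree, P):.3e}")
```

On the as-designed tree the manifold valve shows up both as a shared event under the AND gate and as the only size-1 cut set, and it dominates the top-event probability; with separate valves there is no single-point failure left in the oxygen system and the estimated probability drops by more than an order of magnitude. The same structure applies to any subsystem for which the hazard analysis asserts redundancy: compute the cut sets rather than trusting the drawing.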
To provide continuing assurance that the hazard control measures have been implemented, the Coast Guard should be knowledgeable about the fabrication processes that can degrade designed-in safety and reliability, so that the appropriate inspections and tests can be performed or witnessed. The OCMI, in particular, should be apprised of the safety concerns of the submersible system that affect vessel operations and maintenance, in order to verify through failure reports, maintenance documentation, and vessel operation that hazard control measures are still in place. The OCMI should schedule periodic visits to the operational site and monitor the operations under way for early indications of problems. Equipment failures should be reviewed as to their cause and resolution and to determine whether they have exceeded an acceptable failure rate. False alarms from sensors and indicators in safety systems are a particularly important area for the Coast Guard (the OCMI or another office) to review, because operators could become complacent about emergency warnings if too many false alarms occur. In order for this to be accomplished, a trouble and failure reporting system (T&FRS) must be in place. The establishment and operation of a T&FRS need not be a burden if it is applied selectively to the critical systems identified in the hazard analysis.

SAFETY REVIEW

Separately from the hazard analysis performed by the builder, Coast Guard review, approval, and certification should constitute an independent safety review to improve the identification, analysis, and elimination or control of hazards. The Coast Guard approval process should provide for a thorough evaluation of safety risks to ensure that there are no significant residual risks. From the viewpoint of the customer (the tourist), certification of the tourist submersible by the Coast Guard provides assurance that the dive will be completely safe. One operator's brochure states that the "vessel is equipped with redundant U.S.C.G. approved safety features throughout." Coast Guard safety review and certification procedures for tourist submersibles must warrant this public trust.

The level of safety risk acceptable for tourist submersibles is currently indicated by the Coast Guard as "safety at least equivalent to that required for a surface craft of similar size and service."[4] The documentation indicates that this equivalence may be achieved in part through a combination of design requirements and operational procedures. Since there are various design and operational tradeoffs, there needs to be a consistent approach for determining the resultant safety level. Further, the approach would need to be consistent in its comparison of the safety level of the submersible with that for surface craft. It is not clear how that safety level and measure of equivalency will be demonstrated, because procedures do not currently exist for accomplishing such an assessment. It may be necessary to express a risk acceptability objective that provides criteria that could be more easily measured, e.g., "No single-point failure or human error shall result in a catastrophic hazard." The accomplishment of this objective can be validated by documenting a formal hazard analysis.
The committee noted (see Chapter 3) that some submersibles were operating with variances to ABS rules and Coast Guard guidelines, including, for example, the use of a rebreather instead of an emergency breathing system, and the use of inflatable personal flotation devices that were not Coast Guard approved. No documentation could be provided that addressed the rationale for these variances, their safety impact, or the formal approval of the variances by the Coast Guard. In approving the submersible design and operations, there will be some difficult safety decisions that the Coast Guard will need to make in approving variances to design and operational safety requirements and in reviewing other aspects of the system for which there are no requirements; the approach to making these decisions needs to be consistent and documented. It is to be expected that situations will arise where requirements do not exist and, because there is no known precedent, a determination on acceptability will need to be based on professional judgment. Safety problems could arise here because, since the system is new and unique, the OCMI approves the design and operation and the variances to requirements without having the proper background information. In the case of variances and situations where there are no requirements, there should be a formal procedure describing when the OCMI or the District Office should contact Coast Guard Headquarters for review and approval. As it stands now, it is possible for Headquarters to be unaware of a safety issue unless it is brought to Headquarters' attention through an appeal route. This issue impacts directly on the inspection process, and it was therefore addressed in Chapter 3 as well (see Inspection). Tourist submersibles are new and unique in their design, operation, and hazard scenarios.
They affect such large potential populations and are subject to so many facets of industry practice that should be in the certification review that the Coast Guard needs to strengthen its resources and utilize its existing capability within Headquarters to ensure consistency in the certification review and approval. Greater Headquarters involvement in tourist submersibles, as compared to surface vessel certification, has already been initiated with the requirement that Headquarters conduct a system concept review before detailed design review is carried out by the Marine Safety Center (MSC). This approach should be extended to cover the entire scope of safety policy setting, review, approval, and oversight responsibility and to focus on continued efforts to enhance tourist submersible safety. In addition, MSC technical personnel provide one source of Headquarters expertise that the Coast Guard could use to participate in construction inspections and support annual surveys and recertification inspections.

Safety is a pervasive concern from concept to scrapping. In addition, the concept of "system safety" goes beyond the vessel itself to encompass all the elements of the business that are actively engaged in support or operation of the submersible where customers are involved. The discussion in this chapter has focused primarily on the submersible itself; however, the committee examined the question of safety as a whole-system problem. Aspects of safety apart from the submersible are addressed in Appendix C. Aside from safety criteria that are applicable to the design and operation of tourist submersibles, there are other concerns relating to programmatic procedures and practices. Program elements such as quality assurance, configuration management, and procedure change control are essential to the entire safety assurance process. Other aspects of operational readiness that are important elements of safety assurance include personnel qualifications, maintenance, calibration, and failure reporting and resolution. With regard to equipment maintenance and calibration, it may be necessary to specify minimum standards for personnel and the workplace to ensure that work is performed properly. For each of these areas, industry standards could be imposed by the Coast Guard on the tourist submersible operator, where appropriate, to ensure that the safety envisioned for the operational life of the system during initial design and operation planning is achieved and maintained.

RECOMMENDATIONS REGARDING SYSTEM SAFETY

The Coast Guard should pursue the establishment of safety requirements and criteria for hazard controls in areas posing serious safety implications (as recommended by the DOT report, "Passenger Carrying Submersibles: System Safety Analysis") where there presently are none.
The Coast Guard should require a formal hazard analysis and implement a process to provide for: early identification and evaluation of hazards associated with each specific tourist submersible configuration and operation (especially single-point failures); the timely incorporation of risk reduction measures to ensure an acceptable level of risk; and continued emphasis on hazard control verification during fabrication, operation, and maintenance.

The Coast Guard should establish a formal procedure for approval of variances to its regulations, including its NVIC guidelines. Field inspectors and OCMIs must be given guidance on which items in the regulations, circular (NVIC), or rules are subject to judgment and require Headquarters' concurrence and which are truly "go/no-go."

Responsibility for tourist submersible certification is now focused on a limited staff at Coast Guard Headquarters. The Coast Guard should strengthen this focus and consolidate it organizationally, within one office and within responsibilities under specified billets in that office. This focus is required to ensure consistency in the implementation of requirements, application of engineering judgment, evaluation of safety tradeoffs, and approval of variances, and also to enable a focus on areas of safety enhancements.

Hazard analysis, safety review, and review of operational safety should be extended to all aspects of the system that affect tourist safety, including the design of all facilities associated with the operation of the business as a marine system.

Standards and guidelines should be set or established by the Coast Guard for use by the tourist submersible organization for quality assurance, configuration management, procedure change control, maintenance, calibration, and training to ensure that the safety reviewed for the initial design and operation planning is achieved and maintained.
In order to provide basic information to Coast Guard inspectors, a trouble and failure reporting system (T&FRS), administered by the operator, should be established and should cover the critical systems agreed upon between the Coast Guard and the operators as a result of the outcome of a hazard analysis.