14 April 2015
In many instances the safety of individual equipment or systems can be assured relatively easily, but particular challenges arise wherever systems, equipment, and/or organisations interface. Julian Woolley, Leading Consultant at BMT Isis, a system safety and risk management consultancy and subsidiary of BMT Group, discusses some of the interface issues which can become particularly problematic following equipment modification or replacement, during organisational change or when defining new platform, system or equipment requirements and specifications.
Escape and/or rescue from a submarine is an activity undertaken only rarely, sometimes in an emergency, and it is by its nature very hazardous. In undertaking an escape and rescue mission the focus is on preventing injury or loss of life amongst those being rescued, but it is also important to recognise that such a mission must not unduly endanger the rescuers either. Consequently, effective safety management of the entire escape and rescue mission is essential.
Achieving this can be somewhat complex given the extensive range of equipment required for the rescue system. Often a dedicated Mother-ship (MOSHIP) is required to transport the rescue vehicle with its launch and recovery equipment and associated mission support equipment, in order to provide a suitable platform for rescue operations. In order to help manage the process, the major elements of the capability are expected to have a validated design and to be manufactured and maintained in accordance with a classification society’s rules, thereby providing an element of assurance of the inherent safety of their design.
Operating authorities responsible for the safe deployment of their capability must not only assure themselves that their rescue system is tolerably safe to operate, but must also satisfy others affected by their operations, including interfacing operating authorities. There are a number of internationally recognised policies and standards for the management of equipment safety in the naval domain, including: the UK Joint Service Publication (JSP) 430 – Management of Ship Safety and Environmental Protection and Defence Standard 00-56 – Safety Management Requirements for Defence Systems; US MIL-STD-882 – US Department of Defense Standard Practice: System Safety; and the Australian ABR 6303 – Navy Safety Systems Manual.
Across these various titles, the underlying objectives remain consistent: the operating authorities are expected to provide assurance in the form of an authorised operating Safety Case. The Safety Case should demonstrate that the capability does not present an unacceptable level of risk to its operators or to others who may be affected by their activities. There can never be a 100% guarantee of safety; authorities must therefore analyse the associated risks and introduce control measures, through design or procedure, to prevent those risks from materialising or at least to reduce their impact. Boundaries should also be clearly stated within the Safety Case so that equipment users understand the safe physical and environmental constraints of the capability, such as maximum safe operating depth.
Individual equipment or systems will be expected to have their own Safety Case with manufacturers and suppliers often required to provide this as part of their contract of supply to support use. Safety hazards which are intrinsic to the individual system components will be identified through this Safety Case and will be valid for a defined set of boundary conditions and assumptions. However, overall submarine escape and rescue capabilities are likely to include a collection of individual assets and systems which have to work together, therefore the defined individual systems’ boundary conditions and assumptions may not be valid, leading to specific safety hazards which occur when the different systems interact. These hazards can be categorised (as shown in Fig. 1) according to the nature of this interaction as either:
Interface issues can include cultural differences, for example as a result of joint international operations, as well as manning. Sufficient numbers of trained personnel may be available to operate individual equipment and systems, but when these are operated concurrently over a prolonged period, or during periods of increased operational tempo, manning levels and fatigue may become major issues. Furthermore, when operating a rescue system from a vessel of opportunity, there may be differences in ship handling terminology between those in charge of the rescue operation and the crew manoeuvring the vessel. Ship handling trials are therefore necessary so that these issues can be identified and resolved before rescue operations are conducted.
Such interface issues can also become problematic if equipment modification or replacement is required; it could be that a particular pump is no longer available from an equipment manufacturer. The operating authority may source a replacement but it may not have the same physical dimensions or have the same capacity as the original; it may have different fixings or require more power – all of which are factors which must be considered in relation to its interaction with other equipment and systems within the submarine escape and rescue capability. At face value, replacing such a minor component may not seem such a laborious task, but when it interfaces with other systems, it can, in fact, have a significant impact.
Many approaches are taken to ensure the safety of equipment interfaces; however, these tend not to consider the concept of a ‘system of systems’. This holistic, risk-based approach ensures that all elements of the submarine rescue system are considered. It allows the interfaces between the different organisations, equipment and systems that make up the submarine escape and rescue capability to be clearly identified, risk assessed and managed. This was the approach undertaken by BMT Isis for the NATO Submarine Rescue System (NSRS) in order to provide the necessary independent assurance in support of the decision to declare Full Operating Capability (FOC). BMT Isis undertook an Independent Safety Review of the NSRS with support from James Fisher Defence, who provided insight into the conduct of submarine rescue operations based on their extensive operational experience of the United Kingdom Submarine Rescue Service (UKSRS).
The safety review was undertaken using a Claims-Arguments-Evidence (CAE) based methodology to identify a series of claims and arguments against which the existing NSRS Safety Case could be tested. BMT Isis conducted a number of workshops to develop a set of claims that the NSRS was able to satisfy and which, in turn, substantiated the overall claim that the level of risk (to personnel/assets/environment) was As Low As Reasonably Practicable (ALARP) and broadly acceptable or tolerable.
By developing an independent series of claims, it was possible to test the NSRS Safety Case and assess its robustness. This resulted in the required assurance being gained. During the conduct of the Independent Safety Review, the CAE process was used to tease out issues in a complex system that may otherwise have been missed. This technique was further used to assess the level of compliance of UK Submarine Escape and Surface Abandonment arrangements with capability requirements and is used by the Submarine Support Management Group (SSMG) to record the Whole Submarine and Platform Safety Cases, for which the NSRS is an Emergency and Contingency arrangement.
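To make the CAE structure described above concrete, the following is an added example and not BMT Isis's tooling or any code from the NSRS review. It models an assurance case as a tree of claims, each backed by an argument and either sub-claims or evidence, and walks the tree to report every claim that cannot be shown to hold. It also carries the point made earlier about individual equipment Safety Cases: each claim may record the boundary conditions (assumptions) under which its evidence was produced, so that a change such as a replacement pump surfaces as an invalidated assumption rather than being silently inherited. All claim texts, evidence names and the pump-replacement scenario are constructed for illustration.

```python
"""Minimal Claims-Arguments-Evidence (CAE) assurance-case checker.

Added example; not code from the article or from BMT Isis. Claim texts,
evidence names and the pump-replacement scenario are all constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Evidence:
    name: str
    accepted: bool = True   # False: artefact missing, stale or rejected by the reviewer


@dataclass
class Assumption:
    text: str
    holds: bool = True      # boundary condition under which the evidence was produced


@dataclass
class Claim:
    text: str
    argument: str = ""                                   # why evidence/sub-claims support the claim
    evidence: List[Evidence] = field(default_factory=list)
    assumptions: List[Assumption] = field(default_factory=list)
    subclaims: List["Claim"] = field(default_factory=list)


def assess(claim: Claim, path: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Walk the CAE tree and return (claim path, reason) for every claim that
    cannot be shown to hold. A claim holds only if it has an argument, every
    stated assumption still holds, every sub-claim holds, and (for a claim
    with no sub-claims) at least one accepted evidence item exists."""
    here = path + (claim.text,)
    label = " > ".join(here)
    gaps: List[Tuple[str, str]] = []
    if not claim.argument:
        gaps.append((label, "no argument linking evidence to claim"))
    for a in claim.assumptions:
        if not a.holds:
            gaps.append((label, f"assumption no longer valid: {a.text}"))
    if claim.subclaims:
        for sub in claim.subclaims:
            gaps.extend(assess(sub, here))
    elif not any(e.accepted for e in claim.evidence):
        gaps.append((label, "leaf claim has no accepted evidence"))
    return gaps


def build_rescue_case(pump_replaced: bool) -> Claim:
    """Constructed system-of-systems case: the top-level ALARP claim decomposes
    into per-equipment claims plus explicit interface and manning claims."""
    pump = Claim(
        "Ballast pump operates within MOSHIP power supply",
        argument="Pump certified by classification society at its original rating",
        evidence=[Evidence("class-certificate-pump")],
        # A replacement pump invalidates the boundary condition the
        # certificate was issued under, so the claim must be re-examined.
        assumptions=[Assumption("pump draws no more than the original rated power",
                                holds=not pump_replaced)],
    )
    interface = Claim(
        "Rescue vehicle launch and recovery interface with MOSHIP is safe",
        argument="Ship handling trials exercised the interface under expected conditions",
        evidence=[Evidence("ship-handling-trial-report")],
    )
    manning = Claim(
        "Manning and fatigue are controlled over prolonged operations",
        argument="Watch rotation analysed for continuous operation",
        evidence=[Evidence("watch-rotation-analysis")],
    )
    return Claim(
        "Overall risk is ALARP and tolerable",
        argument="Each element and each interface is individually shown to be safe",
        subclaims=[pump, interface, manning],
    )


if __name__ == "__main__":
    for scenario in (False, True):
        print(f"pump_replaced={scenario}:")
        for where, why in assess(build_rescue_case(scenario)) or [("-", "no gaps")]:
            print(f"  {where}: {why}")
```

With the original pump the case closes cleanly; once `pump_replaced=True` the checker reports the pump claim with the reason that its assumption no longer holds, which is exactly the kind of inherited boundary condition a component-level Safety Case will not flag on its own.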
Conducting independent studies such as this provides an effective way of highlighting safety issues to operating authorities, prior to introduction into service or deployment and to assess the level of compliance with the submarine escape and rescue capability requirements. Working collaboratively with the operating authority and key stakeholders in a practical and pragmatic way ensures that the capability is delivered in the safest possible way.