Systemic hazard analysis of offshore service operations

As windfarms are moving further offshore, logistical concepts increasingly include service operation vessels (SOV) as the prime means of service delivery. However, given the complexity of SOV operations in hostile environments, their safety management is challenging. The objective of this paper is to bring awareness of hazards that may have been overlooked in earlier assessments, and to allow for a preliminary comparison of various operational stages. To this end, we use a systems approach to identify and analyse hazards arising during the SOV transit and manoeuvre within a windfarm and the interfaces with turbines and daughter crafts. The hazard analysis is performed by the systemic method STPA, which allows exploring hazardous scenarios caused by flawed interactions between system components and, to a lesser extent, by component failures. The results comprise 23 operational hazards arising during the three stages of SOV operation and 1,270 hazardous scenarios (pathways) leading to the hazards. The preliminary comparison of SOV operations shows that approaching and departing from turbines in auto and manual modes is potentially the riskiest stage of SOV operation. The lowest risk is of the SOV interface with daughter crafts. The paper discusses the analysis results and explains how they can be used to inform new and existing safety management systems of SOVs.


Introduction
Offshore wind is becoming a major source of renewable energy in many countries (GWEC, 2019). As wind farms are moving further offshore, significant innovations in the infrastructure and services are required to maintain the judicious trend. One of such innovations is the specialised service vessels, or service operation vessels (SOVs), which offer new logistical concepts for servicing windfarms further offshore. They enable an extended stay of technicians (typically for two weeks) in the vicinity of a windfarm, thereby replacing the logistical concept of transferring technicians from shore by crew transfer vessels (CTVs). The latter becomes unreasonable due to prolonged sailing times and an increased risk of seasickness. SOVs are akin to offshore supply vessels and are typically around 80 meters in length, can endure severe environmental conditions and offer a wide array of services. They are highly automated ships (e.g., position and course can be kept automatically by the Dynamic Positioning (DP) system), hosting dozens of technicians, support (daughter) crafts, and heavy equipment. Daughter crafts (DCs) are medium size boats (under 20 meters) which are carried by the SOV and used to transport lighter equipment to turbines in moderate environmental conditions (< 1.8 m significant wave height). DCs are loaded with

Rokseth et al. applied the STPA method to hazard analysis of marine operations, particularly the operations of offshore supply vessels using the DP system (Rokseth et al., 2017). The authors analysed the following system and sub-system level hazards: vessel motion is not controlled according to the motion-control objectives, the motion-control objectives are not in line with the operational function of the vessel, thrusters are not controlled in a manner that satisfies the control objectives, and an adequate amount of power is unavailable for thrusters.
The study did not consider interactions between the vessel and other systems and was limited to the DP operation only, from the design standpoint. The authors did not provide any ranking of hazards either. The guidelines on offshore wind health and safety highlight key activities and safety hazards that are likely to arise over the lifecycle of a turbine (SgurrEnergy, 2014). The guidelines cover, inter alia, such operational stages as the personnel transfer between a SOV and turbine (incl. the use of gangways), vessel to vessel transfers (incl. launch and recovery of daughter crafts), davit or crane operations, marine coordination, vessel navigation (incl. the use of DP and other systems), and vessel selection. Hazards are extracted from various safety rules and regulations. Example hazards: falling from height, entrapment between vessels or between vessel and ladder, failure of lifting equipment (mechanical and software), navigation in close proximity to other vessels, loss of control (e.g., blackout, mishandling), drift-off and drive-off towards turbines or other vessels, collisions of floating turbines, and inadequate vessel capabilities. The document discussed how the hazards should be assessed (e.g., using the HAZOP method) and managed for specific cases. No causal analysis or ranking of the hazards was addressed.

Safety management practice
As any safety critical system, SOVs comply with international and national safety standards during vessel design, construction and operation (Grace and Lee, 2017). The latter is "managed by vessel operators as part of their safety management system" (IMCA, 2015). The key element of safety management is a risk assessment (IMCA, 2014; Bromby, 1995), i.e. the identification of safety hazards to ships, personnel and the environment and the establishment of appropriate controls. This also constitutes one of the objectives of the International Safety Management (ISM) Code (IMO, 2018). Risk Assessment Method Statements (RAMS) are documents that OEMs (e.g., of the davit system or daughter crafts) create after they conduct individual risk assessments. RAMS contain details on identified hazards as well as a step-by-step safe working guide that crew, contractors (technicians), and others should follow to avoid and adequately respond to hazards. The hazards inform training, briefing notes and operational procedures. Notably, RAMS are used interchangeably with safety procedures and manuals. As SOV operations use diverse systems (davits, gangways, daughter crafts, drones) that interact, individual RAMS are used for each interaction, with a bridging document to state the overall emergency protocol and document primacy (cf. Figure 1). In other words, the overall safety management system (SMS), or safety governance, on board an SOV is comprised of multiple RAMS, depending on the type of systems in interaction.

https://doi.org/10.5194/wes-2020-15 Preprint. Discussion started: 12 February 2020 © Author(s) 2020. CC BY 4.0 License.

Figure 1: Illustration of current safety governance
For example, for a typical 14-day SOV operation in the UK, the safety governance may involve over five regulators simultaneously when alongside a turbine (Table 1). This ad-hoc or case-by-case safety management, however, happens sufficiently rarely that the developed SMS could often be timed for longer periods. This is a result of an evolutionary process where a limited "bolt on" capacity was mobilised to a vessel which did not warrant a rework of the vessel safety systems. When faced with the multitude of internal RAMS (procedures), the opportunity for confusion and hazardous surprises arises. This is because the knowledge of all individual safety procedures is often outside of what is normally expected of seafarers. Also, RAMS are developed in isolation and their amalgamation into one system can create conflicts between safety procedures or create unintended consequences. Therefore, safety management is heavily reliant on the operator's general competence and familiarity with operations.

Phases of operation
The hazard analysis focuses on several operational phases:
• Transit and manoeuvre within a wind farm. In this case, the dynamic positioning (DP) system (in automatic and manual modes) is used.
• Interface between SOV and turbine (approach, station keeping, and departure). In this case the DP and motion-compensated gangway systems (for technician transfer from SOV to/from turbine) are jointly used.
• Interface between SOV and daughter crafts (DC) with a conventional davit system. The DC would be vertically attached to the davit via a lifting line (vertical) and the painter line to keep the DC aligned with the SOV. Both lines are typically connected and disconnected manually by DC deck crew. DCs are loaded with technicians and equipment and launched from the SOV deck by the davit (typically 3-5 times per day), and then recovered (lifted up) from the water the same way. During DC launch and recovery, the SOV uses the DP system to maintain position and heading.
These modes of operation are safety critical and there are different safety hazards to watch for (next section). For instance, during a transit or manoeuvring, the vessel might collide with turbines or other vessels, e.g. when the vessel deviates from the correct trajectory or inadequately performs collision avoidance.

Hazard analysis
The prime focus of system safety is the management of hazards: their identification, evaluation, elimination, and control through analysis, design and management procedures (Roland and Moriarty, 1990; Leveson, 2003). A hazard is a system state that will lead to an incident or accident given certain environmental conditions beyond the control of the system designer. The system in question can be a safety management system (SMS) which is designed according to the ISM Code or amalgamated from different RAMS. Incidents and accidents are defined as follows (Rausand, 2013). An incident is a materialised hazard with insignificant consequences. Incidents do not necessarily interrupt the prime function (delivery of payload). Accidents are incidents with significant consequences (some loss or damage). Accidents would normally interrupt the prime function.

There are many methods for hazard analysis (Bahr, 2014). We use the STPA method, based on the systemic accident model STAMP. The key assumption behind STAMP is that safety is a dynamic control problem and incidents (or accidents) occur when safety constraints are wrong, not enforced, or inadequately enforced (Leveson, 2004). This can happen not only due to technical failures or human errors, but primarily due to dysfunctional interactions between system components. Figure 2 illustrates the STPA process applied in this work.

The analysis begins by defining the system and its boundaries. This allows clarifying what accidents (unwanted losses) and system-level hazards (conditions for incidents) should be considered in the analysis. For instance, during the SOV interface with the turbine via a gangway, the assumed accidents corresponded to the deviation from the interfacing objective, i.e.
occurrence of injuries and life losses, and damages to SOV, gangway, or turbine. Sample system-level hazards (recalling that incidents occur at the system level) that can lead to these incidents were:
1. Vessel does not keep a minimum safe distance to the turbine or its blades (approaching/staying at the turbine when it is in motion);
2. SOV does not keep position/heading within target limits for a predefined time;
3. SOV does not operate on DP class 2 or above;
4. SOV transfers technicians when the gangway is disconnected or dysfunctional (e.g., not motion compensated).
The system-level hazards are typically found in safety rules and regulations. The hazards can be further decomposed into (or described through) sub-system and component-level hazards, which are often more helpful during the analysis. The important aspect is that sub-system hazards are linked to system-level hazards. For instance, the second hazard is equivalent to a situation where the DP operational requirements do not request a DP operator to enable DP class 2 before starting the transfer.

The system definition further involves its modelling as a hierarchical control diagram. It is a natural way to represent many systems, including safety governance, that involve feedback loops. Figure

The fourth and fifth steps of the hazard analysis are outside the scope of this paper. However, we provide an example analysis result which also includes proposed functional requirements. Thus, Table 2 contains sample hazardous scenarios and safety requirements for the control action "stop turbine rotation" by the SOV controller (cf. Figure 3). The arrows indicate the scenario as a pathway from basic causal factors to system-level hazards: causal factors cause unsafe control actions, which, in turn, lead to hazards. The shaded cells illustrate a specific scenario, which is preventable by implementing the three functional safety requirements.
These requirements are complementary, representing organisational and design controls.

Ranking and classification
Hazard analyses can produce hundreds, and even thousands, of hazardous scenarios for a handful of hazards. To make use of the results in practice, the prioritisation of hazards is necessary, and the availability of hazardous scenarios helps achieve this objective. Normally, hazards are ranked based on their likelihood and potential consequences. Risk matrices are used to combine these two qualities and decide which hazards are more and less important (Bahr, 2014
As for Q1, we use the number of hazardous scenarios as the degree of exposure to the hazard (hazard exposure). The greater the exposure is, the more opportunities there are for the hazard to materialise. The hazard exposure can be regarded as a proxy for operational risk. Surely, some (or all) such opportunities can be addressed in design or safety procedures, but, as discussed in Section 6, gaps can exist and hazard exposure remains a useful measure of the hazard likelihood. The answer to question Q2, i.e. the progression from hazardous states to incidents, goes beyond the hazard analysis by STPA. However, we provide a short discussion as a basis for future work. As indicated above, a hazard is a system state that can lead

4.4 Comparison by relative exposure to hazard
Given hazards and their exposure (the number of scenarios leading to the hazard) for each stage of SOV operation, the stages can be compared in terms of their relative exposure to hazards. The relative exposure to a hazard is the ratio between its exposure and the total exposure across all hazards and operational stages. As hazards can be grouped by operational stage, so can relative exposures. We use a box plot to show the relative exposures across the three operational stages. Hence, medians, and other quartiles, can be used to guide the comparison. The comparison is, nevertheless, preliminary and should be used as a preface for a more detailed, potentially quantitative, comparison.
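The exposure measure (number of scenarios per hazard) and the relative exposure of Section 4.4, as an added Python example that is not part of the paper: a constructed hazard tree (stage, hazard, unsafe control action, causal factor) is flattened into distinct scenario pathways, counted per hazard, normalised by the total across all hazards and stages, and summarised per stage by the quartiles a box plot would show. The tree, its hazard wording and all counts are constructed for illustration and are not the paper's 1,270 scenarios.

```python
"""Hazard exposure and relative exposure per SOV operational stage (added example,
not the paper's code or data). Method per the paper: a scenario is a pathway
causal factor -> unsafe control action (UCA) -> hazard; exposure = number of
scenarios per hazard; relative exposure = exposure / total over all hazards and
stages; stages are compared by quartiles of their relative exposures."""
from collections import Counter
from statistics import quantiles

# Constructed tree: stage -> hazard -> UCA -> causal factors. Hazard wording
# echoes the paper's tables, but the pathways and their counts are made up.
HAZARD_TREE = {
    "Transit and manoeuvre": {
        "Vessel deviates from the planned trajectory": {
            "DP setpoints not updated after new objective": [
                "objective communicated unclearly", "operator busy with other task"],
            "Collision avoidance started too late": ["target not tracked", "inadequate lookout"],
        },
        "Operation does not comply with the required IMO DP class": {
            "DP class not changed when circumstances change": [
                "no indicator of DP class mismatch", "operator unaware of requirement",
                "operator unaware of requirement",  # exact duplicate: counted once
                "time pressure"],
        },
    },
    "Interface with turbine": {
        "Vessel does not keep a minimum safe distance to the turbine": {
            "Approach continued with wrong target position": [
                "typo in entered position", "position wrongly communicated",
                "distance query to turbine not switched on"],
            "Station keeping not stopped on drift-off": ["thrust limit unnoticed", "no proximity alarm"],
        },
        "Technicians transferred while gangway is dysfunctional": {
            "Gangway deployed with active alarms": [
                "alarms assumed false", "management or time pressure", "limits believed too conservative"],
        },
        "Vessel does not operate on DP class 2 or above": {
            "DP2 selected but not confirmed active": ["redundancy unavailable"]},
    },
    "Interface with daughter craft": {
        "Technician crosses while gap to daughter craft is too big": {
            "Crossing not held until craft pushes against SOV": [
                "crossing not coordinated by safety officer", "technician unfamiliar with instructions"],
        },
        "Daughter craft centre of gravity misaligned with lifting hook": {
            "Launch allowed without loading check": ["davit operator lacks skills"]},
    },
}


def pathways(tree):
    """Distinct (stage, hazard, UCA, causal factor) scenarios; exact duplicates count once."""
    return {(s, h, u, f) for s, hz in tree.items() for h, ucas in hz.items()
            for u, factors in ucas.items() for f in factors}


def exposure(tree):
    """Hazard exposure: number of distinct scenarios leading to each hazard."""
    return Counter((s, h) for s, h, _, _ in pathways(tree))


def relative_exposure(tree):
    """Exposure divided by the total exposure over all hazards and stages."""
    exp = exposure(tree)
    total = sum(exp.values())
    return {key: n / total for key, n in exp.items()}


def stage_summary(tree):
    """Box-plot statistics (quartiles) of relative exposure per stage."""
    by_stage = {}
    for (stage, _), rel in relative_exposure(tree).items():
        by_stage.setdefault(stage, []).append(rel)
    summary = {}
    for stage, vals in by_stage.items():
        q1, med, q3 = quantiles(vals, n=4, method="inclusive")  # needs >= 2 hazards per stage
        summary[stage] = {"hazards": len(vals), "total": sum(vals), "q1": q1, "median": med, "q3": q3}
    return summary
```

With these constructed counts the turbine interface has the largest total exposure while transit has the highest median, the same shape of result the paper reports, which shows why the two views can disagree.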

5 Results
This section outlines the results of the hazard analysis by STPA, covering the three stages of SOV operation (Section 4.1). Table 3 to Table 5 outline the considered hazards, the number of identified scenarios that lead to them, along with example scenarios meant to clarify the meaning of the hazards. Based on these tables, Figure 6 shows the relative exposures to hazards (Section 4.4) per stage of SOV operation in a box plot. The median values indicate that the transit and manoeuvring stage of operation has, potentially, the highest relative exposure to hazards. The lowest exposure is of the SOV interface with daughter crafts. However, when comparing the lower quartiles, the SOV interface with turbine via gangway can be riskiest in some cases. Table 6

Tables 3 to 5 (partially recovered; columns: No. | Hazard | Number of scenarios | Example scenario):
– | (hazard statement not recovered) | – | New operational objectives (e.g. move to another position, heading, waypoint) are inadequately (clearly, accurately and timely) communicated and the DP operator does not update the setpoints.
3 | Operation does not comply with the required IMO DP class | 11 | When the operational objective/circumstances change, the operator unwittingly mismatches the DP class to the given operational circumstances and does not receive any indicator of the error.
– | (hazard statement not recovered) | – | Distance to turbine is not queried when the vessel is settling at or keeping the target position, as the operator does not switch on the distance querying to the turbine.
3 | Vessel does not keep a minimum safe distance to the turbine or its blades | 70 | When the DP/auto mode of approach to the turbine is used, the manually entered position/heading at the turbine violates the safe distance: typo, wrongly communicated or determined, etc.
4 | Technicians are transferred when the gangway is improperly connected or dysfunctional (e.g., motion compensation is faulty or cannot compensate) | 53 | Deployment of gangway when gangway alarms are active (high oil temp, low oil level, etc.). Given previous experience and management/time pressure, the vessel or gangway operator wrongly assumes that gangway limits are too conservative and alarms are false, and that it is possible to safely perform the transfer in the given environmental conditions.
5 | Personnel hands or legs caught between gangway moving parts or between gangway and wind turbine | 50 | The gangway transfer is carried out during bad visibility or external disturbances (e.g., sudden wind, rain, snow).
6 | Gangway is retracted when technicians are being transferred | 26 | Gangway operator reacts mechanically when gangway alarms unexpectedly go off (gangway suddenly reaches the operability limits).
7 | Vessel does not supply required power to gangway continuously | 17 | The vessel operator (and gangway operator) does not check the available power before deploying the gangway. This can happen due to time pressure or inadequate training.
8 | Vessel does not operate on DP class 2 or above | 9 | Vessel operator switches on DP2/3 and assumes it is on. However, DP2/3 is not activated due to graceful faults or unavailable redundancy (e.g., insufficient power). Meanwhile, the operator is busy with other tasks and does not notice.
– | Technicians are crossing from the SOV ladder to/from the daughter craft (DC) when a gap between SOV and DC is too big or increasing (DC is not pushing against SOV) | 12 | Technician steps over without waiting (immediately) until the DC starts pushing against the SOV. This can happen because the crossing process is not coordinated by a safety officer or is coordinated inadequately.
10 | Horizontal centre-of-gravity of the daughter craft (DC) is significantly misaligned with respect to the lifting hook line | 11 | Correctness of DC loading is inadequately checked before launching the DC, because the davit operator (or other crew) does not have adequate skills/knowledge or checking was impeded.
11 | Technicians are crossing from the SOV ladder to the daughter craft (DC) too slowly | 7 | Technicians are unaware that crossing should be instant: unfamiliar with safety instructions or the crossing is inadequately coordinated.

and which one of them are potentially more likely, judging by exposure to hazard, than others. The exposure is controlled by safety measures applied to hazardous scenarios (by eliminating or isolating the opportunities for hazards) or to hazards themselves (by restoring the system into a safe state). Safety measures are imposed by safety rules and regulations, as well as safety practices. We expect that the majority of the analysed hazards should already be covered, partly or completely, by existing safety rules or regulations. For instance, the example scenario for the hazard in Table 4 "Vessel does not keep a minimum safe distance to the turbine or its blades" is addressed by class rules which require the DP system to perform self-check routines and bring the system to a stop if necessary (DNVGL, 2015). However, the presence of safety requirements does not automatically guarantee they will be or can be followed in practice. Even for highly constrained task situations such as nuclear power operation, modification of instructions is repeatedly found (Fujita, 1991) and the operators' violations of rules appear to be quite rational, given the actual work load and timing constraints (Rasmussen and Svedung, 2000). Thus, the violation of safety requirements and O&M procedures when running and maintaining equipment is often necessary for maintaining safety per se, given continuous changes to equipment (e.g., aging) and its operational context (Besnard and Hollnagel, 2014).
The partial coverage of hazards means that some hazardous scenarios, which are perfectly plausible, are not addressed by regulations. This could be because they were not revealed during hazard analysis at the time, or were identified but considered unlikely by expert opinion or calculations. It is known that expert opinions can be skewed by cognitive biases (Kahneman and Klein, 2009; Skjong and Wentworth, 2001), whereas probabilistic risk assessment is prone to precarious assumptions and oversimplifications that can discard risky scenarios (Rae et al., 2012). Hence, the partial coverage should be expected, meaning that the pertinent hazards can materialise via overlooked and discarded pathways. There is also a historical perspective to the analysed hazards. Some of the hazardous scenarios have been featured in past incidents and accidents. Thus, one can assume that appropriate measures were taken to avoid them in the future. However, looking at the earlier discussed accident with Vos Stone (BSU, 2019), improving only operational procedures to avoid a similar scenario in the future may not be enough. Essentially, the investigation recommended increasing the reliability of the operational procedures. However, wider causal factors behind the deviation from these procedures were not analysed, given that people do not err purposely but do their best and succeed most of the time (Dekker, 2014). Ignoring the underlying causes creates the possibility for the new procedures to be equally violated and incidents to happen (Perrow, 1984). Additionally, recalling the hierarchy of hazard control, organisational measures are less reliable than engineering controls (NASA, 1993; Books, 1997). Therefore, to avoid this and similar scenarios in the future, changes in vessel design could also be considered.
For instance, a notification (or interlock) on the control panel that would alarm against (or not allow) certain actions when the vessel is too close to a turbine or any other object. The combined data from already used proximity sensors, measurements of environmental forces and thrust could be used to trigger the safety function. This was actually one of the safety requirements that came out of the hazard analysis whose results are presented in this paper. Notably, the analysis focused only on hazards that can lead to incidents, i.e. unwanted and expected events. That is, we did not consider the subsequent events that, if not adequately controlled, would lead to losses or accidents. The focus on incident prevention aligns well with the business objective of keeping operation uninterrupted. If this can be achieved cost-effectively, that would be the best investment in safety. A similar reasoning is used in other safety critical industries like rail, where collision avoidance is the main safety focus (Holmberg, 2017, p. 49).
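One way the proposed proximity interlock could be realised, as an added example that is not the paper's design (the paper proposes the control but gives no implementation): the interlock rejects a manually entered DP setpoint that would itself violate the minimum safe distance, the Table 4 scenario, and separately blocks or warns from the predicted closest approach over an operator reaction horizon and the spare thrust margin. A local 2-D metre grid, a velocity estimate from position/force/thrust data, and all thresholds are assumptions.

```python
"""Proximity interlock for the DP control panel: added example, not from the
paper (which proposes the control but gives no design). Assumptions: a local
2-D metre grid, turbine and vessel positions from the DP/proximity sensors,
vessel velocity derived from position/force/thrust data, and a spare thrust
margin in 0..1. Thresholds are constructed; in practice they come from the RAMS."""
import math
from enum import Enum

MIN_SAFE_DISTANCE_M = 30.0   # constructed value
REACTION_HORIZON_S = 20.0    # time for the operator to notice and react
MIN_THRUST_MARGIN = 0.25     # below this, environmental forces may win


class Decision(Enum):
    ALLOW = "allow"
    WARN = "warn"    # notification on the panel; proceeds after acknowledgement
    BLOCK = "block"  # interlock: approach-type actions are refused, no override


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def predicted_min_distance(pos, vel, turbine, horizon=REACTION_HORIZON_S):
    """Closest distance to the turbine within the horizon if velocity is held."""
    rx, ry = turbine[0] - pos[0], turbine[1] - pos[1]
    v2 = vel[0] ** 2 + vel[1] ** 2
    # Time of closest approach on the straight track, clamped to [0, horizon].
    t = 0.0 if v2 == 0 else max(0.0, min(horizon, (rx * vel[0] + ry * vel[1]) / v2))
    return dist((pos[0] + vel[0] * t, pos[1] + vel[1] * t), turbine)


def check_setpoint(setpoint, turbine):
    """Validate a manually entered DP position before it is accepted.

    Catches the Table 4 scenario: a typo or wrongly communicated position at
    the turbine that violates the safe distance."""
    d = dist(setpoint, turbine)
    if d < MIN_SAFE_DISTANCE_M:
        return Decision.BLOCK
    if d < 2 * MIN_SAFE_DISTANCE_M:
        return Decision.WARN
    return Decision.ALLOW


def check_state(pos, vel, turbine, thrust_margin, acknowledged=False):
    """Continuous check while settling at or keeping the target position."""
    if predicted_min_distance(pos, vel, turbine) < MIN_SAFE_DISTANCE_M:
        return Decision.BLOCK          # drift-off/drive-off towards the turbine
    if dist(pos, turbine) < 2 * MIN_SAFE_DISTANCE_M or thrust_margin < MIN_THRUST_MARGIN:
        return Decision.ALLOW if acknowledged else Decision.WARN
    return Decision.ALLOW
```

BLOCK is deliberately not acknowledgeable: the gangway-alarm scenario in the tables shows why an operator under time pressure must not be able to override the hard limit.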

The question is how to apply the analysis results in practice. The following can be considered:
• The results can be used to update risk assessments, RAMS (or hazard logs) and training. The hazards should be compared against the RAMS (or hazard logs) to verify if they are already prevented, or mitigated, by specific risk controls (safety barriers). Regardless of whether the controls are in place, the hazards of high priority (high degree of exposure) should be subjected to detailed risk assessments which consider the specifics of the operations. Such specifics were obviously not captured in this study.
• The results can be used to improve awareness of hazards through training. The hazards should be discussed with technicians and SOV crew as part of safety briefings and other risk awareness activities.

7 Conclusions
The paper has presented the results of a systemic hazard analysis of service operation vessel (SOV) operations. The work is predicated on the premise that SOV operations are complex, while risk assessments are done piecemeal and potentially lack completeness when integrated into one system. This means that various hazards and their scenarios may have been overlooked in earlier risk assessments. Therefore, this work aims to bring awareness about potentially overlooked hazards. The analysis also offers a preliminary comparison of the analysed stages of SOV operation. We have specifically analysed 23 operational hazards arising during the three stages of SOV operation: (1) transit and manoeuvre within a windfarm and interfaces with (2) turbines and (3) daughter crafts. The hazards are mostly related to flawed interactions between people and technology, as opposed to individual failures (e.g., human errors, random failures of equipment) that are addressed conventionally. During the hazard analysis, we identified 1,270 hazardous scenarios that explain how hazards can materialise.
We used the hazardous scenarios to prioritise the hazards, assuming that the number of scenarios reflects the degree of exposure to the hazard, indicating its likelihood. In addition to the description and ranking of hazards for each stage of SOV operation, the study has found that all analysed stages of operation are exposed to a similar number of hazardous scenarios, with the interface between SOV and turbine having the largest exposure. The common causal factors behind these scenarios were flaws in communication and control (responsibilities, skills, and procedures). However, when comparing median values of relative hazard exposures, the transit and manoeuvring stage of operation has, potentially, the highest relative exposure to hazards. That is, approaching and departing from turbines in auto and manual modes is potentially the riskiest stage of SOV operation (recall the case of Vos Stone from Section 1). The lowest exposure is of the SOV interface with daughter crafts.