You are on page 1of 40

Risk Assessment Guidelines

October 2009













Estimation and
assessment of risks
leading to identified
hazards

Hazard
Identification

Nippon Kaiji Kyokai




































Copyright 2009 ClassNK
All rights reserved

Risk Assessment Guidelines
Introduction

Terms including the word risk, such as risk assessment, risk analysis, risk management, etc.,
are frequently seen in all kinds of information. For instance, if you browse or search newspapers,
magazines and the Internet, you will find a large amount of related information. Frankly
speaking, risk refers to an undesirable situation. The purpose of risk assessment and risk
management is to predict an unfavorable situation that may occur in the future, to set the order of
priority according to its level of undesirability and importance, to formulate measures
beforehand, to implement them, and to avoid adverse effects and the occurrence of undesirable
situations or restrict any losses.
In the shipbuilding and maritime field, a rule making process using a risk assessment technique
called Formal Safety Assessment (FSA) has been developed by the International Maritime
Organization (IMO). FSA standards have been revised, established and proposed based on a vast
amount of practical experience. In addition to the FSA, the Oil Companies International Marine
Forum (OCIMF) has developed the Tanker Management and Self Assessment (TMSA)
Guidelines for the self assessment of the management systems of tanker management
companies. Risk assessment methods have already been realized and are currently in widespread
use; even in these guidelines, risk assessment is stated as a major elemental technology.
Moreover, risk assessment methods are also being used in the development and assessment of
new types of ships, and in risk-based inspections and risk-based maintenance, etc..
In view of this background, ClassNK has summarized its findings obtained after implementing
risk assessment and studies related to risk assessment methods, and has developed an
introduction to risk assessment titled Risk Assessment Guidelines.
These guidelines include the following: Overview of risk; Basic concepts of risk assessment; and
Risk assessment methods. Also, since the Formal Safety Assessment method mentioned above is
being used systematically and prospectively as a method to formulate standards related to safety
of ships, an overview and comprehensive usage examples of this method are given in Chapter 4.
Furthermore, various methods used in risk assessment, explanations related to Individual Risk
and Societal Risk, which are indices of risk assessment, and the basic math (probability) used in
risk assessment are given in the Appendix.
It would be our great pleasure if the guidelines could become a useful reference for
implementing the risk assessment of systems, management systems, inspection methods, etc.,
and in the construction of safer and more rational systems based on the same, thereby
contributing to concerned personnel in the shipbuiding and maritime fields.

Risk Assessment Guidelines
Risk Assessment Guidelines
CONTENTS
Chapter 1 OVERVIEW 1
1.1 Safety and Risk1
1.2 Risk Management and Risk Assessment1
1.3 Need for Risk Management and Risk Assessment2
1.4 Application Examples of Risk Assessment in The Shipbuilding and Maritime Fields3
1.5 Terms and Definitions3

Chapter 2 BASIC CONCEPTS 6
2.1 What is Risk?6
2.2 Approach Based on Risk7
2.3 Evaluation of Risk8
2.4 Is The Risk Acceptable?8

Chapter 3 EXPLANATIONS ON RISK ASSESSMENT 9
3.1 What is Risk Assessment?9
3.2 Risk Analysis9
3.3 Estimation of Risk11
3.4 Assessment of The Magnitude of Risk and whether Such Risk is Acceptable11
3.5 Risk Control Option12
3.6 Cost Benefits13
3.7 Risk Communications13
3.8 Examples of Risk Assessment: The Risk Assessment of A Nuclear Power Station 14

Chapter 4 FORMAL SAFETY ASSESSMENT (FSA) 15
4.1 Overview of FSA15
4.2 Background15
4.3 Objectives and Characteristics of FSA 15
4.4 Definition of The Problem16
4.5 Step 1: Hazard Identification17
4.6 Step 2: Risk Analysis18
4.7 Step 3: Study of Risk Control Options (RCO)18
4.8 Step 4: Cost Benefit Assessments of Risk Control Options (RCO)20
4.9 Step 5: Recommendations for Decision-making21
4.10 Examples of FSA in The Shipbuilding and Maritime Fields22


Risk Assessment Guidelines
Appendix A Various Techniques that can be used in Risk Assessment 24
A.1 ETA: Event Tree Analysis24
A.2 FTA: Fault Tree Analysis24
A.3 FMEA: Failure Modes and Effects Analysis25
A.4 FMECA: Failure Modes, Effects, and Criticality Analysis26
A.5 HAZOP: Hazard and Operability Study27
A.6 SWIFT: Structured What-if Technique28
A.7 Delphi method29

Appendix B Individual Risk and Societal Risk 30

Appendix C Basic Math Used in Risk Assessment 31
C.1 Venn Diagram and Set Operations31
C.2 Frequency and Probability32
C.3 Number of Ways33
C.4 Conditional Probability33

Risk Assessment Guidelines
Risk Assessment Guidelines

Chapter 1 OVERVIEW
1.1 Safety and Risk
-1. The word risk is used in various contexts depending on the viewpoint, field, scope, and so
on, of its application. For this reason, the word risk used in these guidelines needs to be clearly
defined. For instance, in the field of finance, risk is considered as uncertainty that affects profit and
loss and is taken as an element that includes both positive and negative aspects. However, in these
guidelines, risk is considered to mainly affect safety.
-2. Safety refers to non-occurrence of harm, damage or loss. It is a state of security with no
danger. The opposite of this word is danger. This implies a dangerous state where the loss of
life or bodily injury, accident or disaster may occur or such a state. Risk refers to unpredicted
danger" or possibility of loss, as in insurance as defined in a dictionary. According to the ISO/IEC
Guide51 (1999), which is an international standard, safety is defined as no unacceptable risk.
-3. Risk may sometimes be used synonymously with danger; it can be considered as the
possibility of occurrence of loss of life or bodily injury, accident or disaster. However, if the
spotlight is only on possibility, the variation in the level of damage of loss of life or bodily
injury, accident or disaster cannot be distinguished. For this reason, these guidelines define risk as
Possibility of occurrence of loss of life or bodily injury, accident or disaster and combination of
levels of damage of the same.
1.2 Risk Management and Risk Assessment
-1. Risk management is similar to risk in that it is used differently depending on the usage, field,
scope, etc.. For instance, the dictionary explains risk management in two different ways: a
management activity that checks various kinds of dangers accompanying sales activities to
minimize expenditure and management technique (including prohibition) that restricts danger
levels to below a fixed value, based on the results of risk assessment. Broadly speaking, it refers to
risk management present in the social system, risks in general, and the use and control of radiation,
chemical substances, etc., it is the management of the degree of hazard.
-2. The definition of risk management used in the field of safety of systems and machinery is used
in these guidelines. That is to say, risk management refers to the prediction of risks at the current
state in an entity (organization, system, or human activity, etc.), the study and implementation of
effective measures required to restrict risk levels below allowable levels, confirmation of the effects
of measures, and the continual implementation of new measures, if deemed necessary.
-3. Risk management can be fitted to the PDCA cycle (see Fig. 1.1). By doing so, risk
management refers to implementing the following cycle continually: formulate guidelines and plans
(measures to restrict risk to acceptable levels) taking the magnitude of predicted risk as a criterion,
implement measures, assess the effect of risk control options, and make improvements if the risk
level does not reach the planned level.
-4. Risk assessment refers to predicting the magnitude of the risk, and can be considered a tool to
formulate measures to restrict risk to an acceptable level from within the framework of risk
management.

- 1 -
Risk Assessment Guidelines


Fig. 1.1 Conceptual Diagram of The PDCA Cycle

1.3 Need for Risk Management and Risk Assessment
-1. The effects and damage of an accident can reach extremely high levels. Examples include the
breakdown of the stock trading system, delay of trains, and oil spills from tankers in the shipping
field. The effects may extend to various fields including the health of human beings, property, and
the environment. If such effects are judged as socially unacceptable then, rather than re-active
measures to prevent recurrence after the accident has occurred, pro-active measures need to be
implemented to prevent such an accident beforehand. Risk management and risk assessment are
the tools necessary to implement such pro-active measures. (See Fig. 1.2)
-2. To formulate and implement pro-active measures, not only measures to prevent recurrence
based on accidents or near misses experienced in the past, but also the magnitude of the risk for all
anticipated accident scenarios must be predicted, preventive measures formulated if necessary, and
an order of priority must be assigned if multiple measures have been formulated. A series of flows
constitutes risk assessment, and it comes under the PDCA cycle shown in Fig. 1.1.


Fig. 1.2 Re-active and Pro-active Measures
- 2 -
Risk Assessment Guidelines
1.4 Application Examples of Risk Assessment in The Shipbuilding and Maritime Fields
-1. Application examples of risk management and risk assessment pertaining to the shipbuilding
and maritime field include the Tanker Management and Self Assessment (TMSA) Guidelines
which are guidelines for tanker operators issued in 2004 by the Oil Companies International Marine
Forum (OCIMF). These guidelines are likely to become industry standards and requirements for
charterers.
-2. The International Maritime Organization (IMO) has used risk assessment for preparing
standards, and has issued the Formal Safety Assessment (FSA) Guidelines in 2001 for preparing
IMO standards. The FSA is being practically used in the IMO, and its procedure and examples are
given in Chapter 4.
1.5 Terms and Definitions
-1. Harm
This term refers to bodily injury or health threats and includes loss of life, or damage to property or
environment. It also includes loss and other unanticipated results. It generally suggests only injury
to human beings.
-2. Accident
Accident refers to an unanticipated event leading to harm.
-3. Hazard
Hazard is a factor leading to harm to life, health, property or environment. It is also referred to as
hazard factor
-4. Risk
When some harm can occur because of some hazard in a system, multiplying the magnitude of the
harm by the probability of the occurrence of such harm is called risk. When multiple hazards are
considered, the sum total of the risks corresponding to all hazards becomes the system risk. Risk is
distinguished according to the type of harm; it is generally categorized into life risk, environmental
risk, and property risk. Risk may also be of two kinds; Individual Risk and Societal Risk. (See
Appendix B)
-5. Accident Scenario
When a series of stages up to harm is assumed from the initial condition in which the potential for
hazard exists, its description is called a scenario.
-6. Hazard Identification
This refers to identifying a hazard or its process from the systematic use of information such as
statistical data or by brainstorming about the system to be subjected to risk assessment.
-7. Risk Analysis
Risk analysis refers to the process of creating an accident scenario from the identified hazard,
constructing a risk model, analyzing the occurrence frequency and severity, and estimating the risk.
Sometimes it is also called the process for identifying a hazard in the system to be subjected to risk
assessment and calculating the qualitative risk from the occurrence frequency of harm and severity
of harm.
-8. Assessment of Magnitude of Risk
This is the process for assessing whether the magnitude of risk (level of risk or risk level) obtained
from the results of risk analysis is allowable.
-9. Risk Control Options (RCO)
Refers to the measures implemented for reducing risk. RCO includes avoiding hazards, reducing the
magnitude of harm, and restricting the ease of occurrence of harm.
-10. Risk Assessment (see Fig. 1.3)
- 3 -
Risk Assessment Guidelines
Risk assessment refers to a series of processes consisting of hazard identification and risk analysis,
assessing the magnitude of risk, and risk control option. In the narrow sense, risk assessment
sometimes refers to a series of processes consisting only of hazard identification, risk analysis and
assessing the magnitude of risk. To appropriately operate a system in a machine or an organization
over the long term, the risk assessment implemented beforehand or during the operation consists of
hazard identification considered in system such as a machine or an organization, risk extraction and
estimation of its magnitude (hazard identification and risk analysis), assessment on whether risk is
acceptable or not (assessment of magnitude of risk), and formulation and implementation of
measures to suit the magnitude of risk (risk control option).
-11. Residual Risk
Risk that remains even after adopting risk measures is called residual risk.
-12. Acceptable Risk
Acceptable risk refers to a risk that can be accepted under assigned conditions based on the value
system of the society at that particular time. Generally, it is difficult to establish acceptable uniform
standards that apply everywhere; therefore, standards considered appropriate for each field and
individual system are established. For instance, if the risk of a nuclear reactor accident compared to
the risk of carcinogenesis from natural radiation is adequately small (about one-tenth), it is
acceptable, and a standard specifying the same has been established. On the other hand, the risk of
fatality from an automobile accident is extremely high compared to the risk of fatality from a
nuclear reactor accident, but considering its convenience and the economics, society may accept
this risk naturally.
-13. ALARP (As Low As Reasonably Practicable) Region
Depending on its magnitude, risk may be categorized into three levels: unacceptable level, widely
acceptable level and intermediate level between these two levels. Risk between two risk levels is
called a risk in the ALARP region. Risk in the ALARP region is considered acceptable if it is in the
as low as reasonably practicable condition in the rational and executable range. Here rational is
judged considering the cost benefits of risk control option, the convenience, and the existing
technical level.
-14. HAZID (Hazard Identification) Conference
This is a meeting of experts to obtain information required for risk assessment (hazard, accident
scenario, etc.) from the findings of knowledgeable persons.
-15. Formal Safety Assessment (FSA)
FSA is one risk assessment method, and it includes studies on the cost benefits of the risk control
option added to the risk assessment of 1.5 -4. It is used as a standard (risk control option)
development tool of the International Maritime Organization (IMO).
-16. Interested Parties
Interested parties refer to individuals, groups, organizations, with stakes in the performance and
success of the organization. Risk generating entities (designers, operators, etc., of machines) and
risk sufferers (laborers, users of machinery, persons residing near nuclear power stations, etc.), are
typical examples of interested parties.
-17. Stakeholder
Stakeholder refers to an individual, group or organization that may influence or receive the
influence of risk management. Decision makers, administrative personnel, experts, and mass media
persons are stakeholders. Interested parties are also included in stakeholder, which has a broad
meaning.
- 4 -
Risk Assessment Guidelines

Step 0
Preparations for Risk Assessment
Step 1
Hazard Identificationcreating Accident Scenario
Risk Analysis
Step 2
Risk Estimation
Step 3
Develop Risk Control Operation
Step 4
Study & Assessment of Risk Control Operations
Step 5
Summarize Risk Assessment
No
Risk Assessment
Yes
Is the risk acceptable?





















Fig.1.3 General Flow of Risk Assessment

- 5 -
Risk Assessment Guidelines
Chapter 2 BASIC CONCEPTS

2.1 What is Risk?
-1. Risk is generally used in the context of danger, but, in these guidelines, risk is treated as
having technical significance, as a hazard that has occurred due to some reason in a system; the
level of the hazard and its effects are studied in these guidelines.
-2. The magnitude of the risk is widely used in the engineering field and is defined as follows:
(See Fig. 2.1)
Magnitude of risk = Level of harm (damage) x occurrence frequency of harm (probability)




-3. Some of the risks considered are: the risk of harm suffered by humans (life risk); the risk of
harm suffered by property (property risk); and the risk of harm suffered by the environment
(environmental risk). Sometimes, when various kinds of harm are envisaged in one system, the total
sum of the each individual risk has to be considered.
-4. The factor that leads to harm is the cause that triggers an event generating damage, such as an
accident. For instance, in the case of a residential fire that breaks out when the curtain in a room has
caught fire due to an electric stove, the existence of the electric stove and the existence of a
curtain near the electric stove are factors that lead to harm. Such a factor is called a hazard. As
shown in Fig. 2.2, part of a hazard may appear in the form of an accident, and cause damage to life,
environment and property. A hazard may include potential causes. In the residential fire mentioned
earlier, if there is nobody present in the room, then the continuously ON electric stove also
becomes a hazard.
Fig. 2.1 Magnitude of Risk

)
(

Occurrence
Frequent
Sometimes
Rare
Level of Harm
Small Intermediate Great
High Risk
Intermediate Risk
LowRisk
Frequency
of Harm
(Probability)
- 6 -
Risk Assessment Guidelines


2.2 Approach Based on Risk
-1. In general, hazards exist in every system. A hazard contains risk in that it can actualize and
lead to harm. Over a long period of time, people have practically observed harm that has actualized,
and have adopted measures by modifying the mechanism of the system so that the same harm does
not occur again. Rules related to the safety of a system have been prepared similarly from the view
point of satisfying technical requirements, and these rules have been maintained. However, this
method requires revision of the system and the rules each time a new problem occurs. Additionally,
rules compatible with technology at the time of their preparation need to be continually revised
together with the progress of the relevant technology.
-2. Instead of making efforts to prevent harm that has actualized from individual technical
requirements, the concept now is to understand the risk contained in the system and to make efforts
to maintain such risk below a specific level.
This is the approach based on risk, that is to say, the concept of risk assessment.
-3. The advantages of the approach based on risk are as given below:
(1) Even if the harm has not yet actualized, if it can be anticipated during risk assessment, its risk
can be assigned a value, and the relevant harm can be dealt with.
(2) Even if comprehensive technical rules to suit technical advancements have not been
established, consistent rules for safety can be established by taking risk level as an indicator or
index.
(3) If an effect proportional to the reduction in risk level can be obtained, then other choices also
become available, and the degree of freedom of design can be enhanced.

Harm
Life
Hazard
Accident
Environment

Property
Fig. 2.2 Hazard, Accident & Harm

- 7 -
Risk Assessment Guidelines
2.3 Evaluation of Risk
-1. To assess the risk in a system, the risk level has to be expressed by some method. That is to
say, items that are lost, such as human life, and the environment or property, such as goods, need to
be quantified. Even in the case of human life, environment or goods, value cannot be correctly
easily expressed by a single index; therefore, for the sake of convenience, monetary index, and the
like are used. Indices that are often used in practice are the number of lives lost due to a risk,
compensation amounts corresponding to the lost property, expenses (amount) necessary to restore
the environment to its original state, and so on.
-2. To calculate such indices, it is necessary to consider the following: What kind of hazard will
yield what kind of result through which stages? For this reason, the factors that can be assigned to
the harm existing in system, that is to say, the hazards, must be detected; the series of events that
could cause the hazard, that is to say, the accident scenario must be sketched out; the probability of
the occurrence and magnitude of harm obtained as a result must be determined, and the risk must be
quantitatively estimated.
2.4 Is the Risk Acceptable?
-1. After quantitatively estimating the risk, it needs to be judged whether such a risk is acceptable.
If the assessed risk is judged to be high, either the use of the system needs to be stopped or
resources such as funds, time, and labor must be expended on the system to improve it so as to
reduce such risk.
-2. The judgment on the acceptability of the risk is made by comparing the conveniences that can
be obtained by using the system and the magnitude of the risk. For instance, even if an item has a
comparatively high risk level, but the item is very convenient, and if the conclusion is it cant be
helped; let us tolerate it then the risk can be considered acceptable. The level at which the risk "can
be tolerated varies from person to person, but in all activities, various kinds of risk exist in part of
society. Each person balances the risk with the benefits that can be obtained from activities. Based
on this policy, the magnitude of the risk to be aimed for is called the safety target.
- 8 -
Risk Assessment Guidelines
Chapter 3 EXPLANATIONS ON RISK ASSESSMENT
3.1 What is Risk Assessment?
-1. When introducing a new system, it is important to study whether it can be safely operated
continuously while utilizing its anticipated performance. Even for an existing system, the study to
determine whether the system can be operated safely over a long period without problems is
important.
-2. Risk assessment is a series of processes consisting of risk analyses, assessment of magnitude
of risk, judgment on whether the risk is acceptable or unacceptable, and creating and assessing risk
control options, to attain this goal. That is to say, detect the hazard in the system, determine the
probability of occurrence and magnitude of harm, estimate the risk, assess the results of the
estimation, and then propose and assess risk control options based on assessed results. Risk
assessment will play an important role when the part related to the risk within decisions made by an
organization is to be rationally implemented.
3.2 Risk Analysis
-1. Risk assessment starts from hazard identification. The hazards considered for a system, that is
to say, all matters with a possibility of causing harm, are listed up in the steps of hazard
identification and risk analysis. This task is called hazard identification. Sometimes hazard
identification followed by estimation of risk, are together called risk analysis.
-2. The output of this step is the harm brought about by the identified hazard, the transition of the
condition from the initial event that becomes the starting point to the condition when such harm
occurs, that is to say, the accident scenario.
-3. To implement hazard identification, wide-ranging professional knowledge related to the
relevant system is required. When just one expert is inadequate, a meeting of several experts or a
questionnaire survey may be carried out. A system for collecting relevant information, such as an
organization, may be set up to gather as much information as possible. Such information becomes
reference materials that can be used.
-4. Meetings of experts with the aim of hazard identification are sometimes called HAZID
(Hazard Identification) conferences. Hazard identification methods include SWIFT (Structured
What If Technique)FMEA (Failure Modes and Effects Analysis)FMECA (Failure Mode, Effects
and Criticality Analysis) and HAZOP (Hazard And Operability Study). (See Appendix A)
-5. A HAZID conference by the SWIFT method consists of experts of the relevant system
(generally 7 to 10 persons) and a facilitator (steering committee). The conference is meant for
hazard identification, in which the topic generally is the deviation from normal conditions. The
experts are required to offer their opinions one after another on the events that could occur due to
the anticipated deviation. Since it is important to extract hazards as far as possible without missing
any, the facilitator needs to ensure that the conference is purely a brainstorming conference, and
take adequate care to ensure that there is no indecision as far as possible in offering opinions or
information among the experts.
-6. The Delphi method used for questionnaire surveys is available as a method for complementing
specific problems (deciding the date of holding events) that exist at the meeting of experts. This
method consists of doing questionnaire surveys several times for the same expert group, but the
survey results from the previous survey are included in the list of questions each time, so the
opinions tend to get focused and concentrated.
- 9 -
Risk Assessment Guidelines
-7. To judge whether detailed analysis for the identified hazard is necessary, or to select a hazard
for which detailed analysis is necessary, the approximate risk from each hazard is estimated. If the
required data has already been collected, there is no problem. However, it is convenient to collect
data related to the magnitude and occurrence frequency of harm at the time of hazard identification.
At this stage, accurate quantitative data for the risk of the relevant system is not required. For
instance, qualitative methods may be used for substituting and expressing the severity in terms of
the Severity Index (SI) value shown in Table 3.1, or the frequency in terms of the Frequency Index
(FI) value shown in Table 3.2.
Table 3.1 Examples of Severity Index
SI

value
Qualitative expression Effect on human beings
Conversion
to death toll
1 Minor effect Single casualty or multiple persons with slight injuries 0.01
2 Large effect Multiple casualties or severely wounded persons 0.1
3 Severe effect Single fatality or many severely wounded persons 1
4 Catastrophic effect Multiple fatalities 10

Table 3.2 Examples of Frequency Index
FI
Value
Qualitative
expression
Definition
One-system,
per year
7 Frequent Occurs about once a month in one system 10
5 Sometimes
Occurs about once a year in ten systems
Several times in the course of operation over a period of
20 to 30 years of one system
0.1
3 Rarely
About once a year in one thousand systems; about once in
several similar systems over a period of operation of
20 to 30 years
0.001
1
Extremely
rare
Assuming 5000 systems, occurs about once over a period of
operation of 20 to 30 years of all the systems
0.00001


-8. The general method of expressing risk is to plot the occurrence of harm on the vertical axis,
the magnitude of harm on the horizontal axis, and enter the relevant position for each identified
harm. If the risk indicators corresponding to FI and SI are taken such that they lead to the risk index
(RI), the obtained hazard can be ranked.
-9. The method of using a risk matrix is introduced here as an example of the method for
determining RI from FI and SI. In Table 3.3, FI is taken along the rows, SI along the columns, and
the sum of FI and SI is entered at the intersection. This value is the RI. The risk of the system under
study can be expressed as the total sum of RI at all the hazards obtained by hazard identification.
When hazards for performing detailed analyses are to be selected, the RI of each hazard is
determined, and the order of priority is assigned starting from the largest hazard. With respect to the
use of RI, the Severity Index and the Frequency Index are sensory indices through qualitative
expressions. It should be noted with care they these are not to be used as accurate quantitative
information.

- 10 -
Risk Assessment Guidelines
Table 3.3 Example of Risk Matrix
Severity Index (SI)
1 2 3 4
7 8 9 10 11
6 7 8 9 10
5 6 7 8 9
4 5 6 7 8
3 4 5 6 7
2 3 4 5 6
Frequency
Index (FI)
1 2 3 4 5

3.3 Estimation of Risk
-1. In this step, each simplified accident scenario obtained by hazard identification is assessed in
detail, and the risk value is estimated for each refined scenario. To obtain the risk value, the
accident scenario must be expressed as a risk model. Methods for expressing the risk model include
the Fault Tree (FT), the Event Tree (ET), and the like. The relationship between anticipated events
is expressed as FT and ET models; the methods of analysis are called Fault Tree Analysis (FTA) and
Event Tree Analysis (ETA) respectively. (See Appendix A)
-2. In this way, the magnitude of the risk in all the accident scenarios to be considered can be
estimated, and the total sum gives the risk of the system under study.

3.4 Assessment of The Magnitude of Risk and whether such Risk is Acceptable
-1. The risk values of a system under study obtained from work to date are judged referring to the
risk assessment standards; a decision is made on whether the risk is acceptable, and whether risk
control options should be studied.
-2. Sometimes social safety targets, that is to say, the magnitude of acceptable risks may be
stipulated in the form of rules, etc., but the standards for judging the magnitude of risk for each
system relevant to risk assessment should be studied. An example from England is introduced here.
(1) The Health and Safety Executive (HSE) of England issued guidelines applicable to the
framework of Tolerability of Risk (TOR) in 1988. These guidelines focused on widely
acceptable area, tolerable area, and unacceptable area rather than categorizing the
magnitude of risk as safe or unsafe.
(2) Can be tolerated means the lifestyle associated with the risk is acceptable for acquiring
certain conveniences with the assurance that risk is appropriately controlled. Tolerable area
means an area that is acceptable when the risk is as low as reasonably practicable (ALARP).
For this reason, this area is called the ALARP area.
(3) The standards for categorizing into areas are set to suit the background and characteristics of
the individual or industry. For instance, in the case of a nuclear power facility, with Individual
Risk for the residents, the widely acceptable area is less than 1/1,000,000 per year (10
-6
/year);
the tolerable area is taken as less than 1/10,000 (10
-4
/year) corresponding to existing nuclear
power facility; for persons working in the radiation industry, the widely acceptable area is
taken as less than 1/1,000,000 per year (10
-6
/year) and the tolerable area is taken as 1/1,000
(10
-3
/ year). For the upper limit of the tolerable area corresponding to Societal Risk , the
chance of occurrence of a major accident accompanied by fatalities above 50 persons is taken
as 1/1,000 (10
-3
/year); but is proposed to be taken as 1/5,000 (2*10
-4
/year), if possible.
-3. Fig. 3.1 shows the conceptual sketch related to risk areas. The dark colored part is the
unacceptable area, the light colored part is the so-called tolerable area (ALARP area), and the part
- 11 -
Risk Assessment Guidelines
without color is the widely acceptable area. The examples from England was shown above, but the
maximum acceptable criteria demarcating the unacceptable area, and the criteria that can be
ignored demarcating the widely acceptable area, are set with numerical values that can be agreed
upon from the social value system and technical level at that time.



ALARP area
Unacceptable area
Max. acceptable area
Criteria that can be ignored
Widely acceptable area

Acceptable area if the risk is as
low as reasonably practical
Fig. 3.1 Examples of Setting Risk Areas
3.5 Risk Control Option
3.5.1 General
-1. A risk judged as being in the unacceptable area must be avoided. Moreover, risk control
options are considered unnecessary for a risk judged as being in the widely acceptable area. In the
intermediate ALARP area, a rational and executable risk control options need to be implemented.
Here rational is judged considering the cost benefits and convenience, and the existing technical
level. Cost benefits are judged by comparing the cost required for risk control options and the
effects due to such measures.
-2. To avoid unacceptable risk, or to reduce the risk in the ALARP area, the means that can be
selected are the risk control options. Verified safety technology in which risk reducing effects are
theoretically clear is desirable for such risk control options.
-3. A three-step method is available as an approach to implementing risk measures for machine
safety. This three-step method establishes an approach to reducing risk and its procedures to be
implemented during the risk control options for machine safety. The three steps are namely,
measures by intrinsic safety design, measures by safeguards and additional protection and
measures by information on usage. These steps are to be implemented in that specific order.
3.5.2 Measures by Intrinsic Safety Design
-1. Risk considered to be in the unacceptable area is dealt with during the design stage by
eliminating the hazard related to said risk, reducing the ease with which harm occurs, reducing the
magnitude of the harm, etc. This is a basic method for eliminating hazards by changing the design
and characteristics of a machine rather than by using guards or protective devices. For instance, the
use of an item with a rounded tip rather than a sharp tip, designing an item such that it can be
inserted only in the correct direction, use of redundant equipment so that if one breaks down, its
functions can continue to be offered by spare equipment: these are some of the examples. Intrinsic
safety design refers to design that should first study measures to reduce risk.
- 12 -
Risk Assessment Guidelines
3.5.3 Measures by Safeguards and Additional Protection
-1. These measures are for reducing the residual risk that still remains in the unacceptable area
after performing an intrinsic safety design. Firstly, risk can be reduced by keeping out the residual
hazard or by isolating through safeguards. For instance, a door on a railway platform corresponds to
this measure.
-2. Sometimes a hazard that has been isolated by safeguards has to be approached for some reason,
or the reduction of risk by safeguards may not be adequate. A measure that may be provided in such
cases is additional protection. For instance, the emergency stopping device of a rotating door is an
example of additional protection. If such additional protection is installed, it does not mean that
other safeguards need not be used; that is to say, it must be borne in mind that providing additional
protection is not a substitute.
3.5.4 Measures by Usage Information
-1. After implementing intrinsic safety design, safeguards, and additional protection, all risks
must be at an acceptable level. Usage information refers to providing notification of how and in
what form any residual acceptable risk remains. This information may be transmitted by words,
indicators, warnings or in writing.
-2. It must be carefully noted that risk cannot be reduced by only providing usage information.
When such information is given to the user, and it is translated into action by the user, the risk
reduction measure becomes effective. More specifically, the formulation of training and safety work
procedures, the introduction of supervisors, etc., and if necessary, appropriate organizational
management of risk at the site level should be implemented. Response to the user should be
considered separately from the risk reduction measures to be adopted, but usage information
needs to be used to effectively reduce risk.
3.6 Cost Benefits
-1. Measures to avoid unacceptable risk and to reduce risk in the ALARP area are implemented
during the steps of the risk control option. Judgment criteria are not clear in the case of risk in the
ALARP area, although risk is required to be reduced to as low as reasonably practicable. One of the
methods proposed for this purpose is the cost benefits approach. Cost benefit refers to the value
obtained by dividing the effect of reducing risk by risk control options by the costs incurred for
introducing such measures. The study on cost benefits is included in the process in the case of the
FSA of the IMO. (Refer to Chapter 4)
3.7 Risk Communications
-1. Decision making based on risk must be implemented while sharing awareness and agreement
related to risk among stakeholders at every step. Risk communication is a process by which
information related to risk is shared among decision makers and other stakeholders, and is an
activity for forming an agreement. It is a mutual and bidirectional process. The information related
to risk mentioned here includes various kinds of information related to risk such as the existence
and properties of risk, the possibility of acceptance of risk, risk measures, and residual risk.
Decisions made without considering the opinions of stakeholders does not bring about anticipated
results.
-2. The stakeholders considered here are individuals or organizations that are directly or indirectly
affected by the cost benefits of the new rules and regulations that have been proposed or by
accidents.
-3. For instance, the five items below may be considered in the shipbuilding and maritime fields:
- 13 -
Risk Assessment Guidelines
(1) Entities related to the occurrence of risk (designers and operators of ships)
(2) Individuals or organizations that bear the risk (crew members, cargo owners, local residents,
etc.)
(3) Risk rule-making organizations (mainly administrative organizations, coastal states, flag states,
classification societies, etc.)
(4) Risk experts (academics)
(5) Mass media
-4. When risk communication is to be made, the entity deciding the installation and operation of
the relevant system must adequately transmit understandable information related to the results of
risk assessment. At the same time, the opinions of various stakeholders, individuals, groups and
public organizations having different sense of values, must be accepted.
-5. The formalities above may be simply summarized as given below.
(1) Hazard identification; that is to say, list up all possibilities that can cause harm
(2) Estimation of risk; that is to say, estimate the occurrence frequency of harm and the magnitude
of harm
(3) Judgment of risk; that is to say, assess the level of danger
(4) Risk control options; that is to say, make a list of the preventive procedures related to
dangerous items
(5) Regarding residual risk after the risk control options, repeat (1) to (3) above, check the
existence of new hazards and if necessary, reconsider risk measures.
(6) Implementation of risk communication, that is to say, form an agreement with the stakeholders
related to risk (hazard, risk assessment, risk control options and their cost benefits, existence
of residual risk, etc.), and make the shift to realizing the risk measures.
3.8 Examples of Risk Assessment: The Risk Assessment of A Nuclear Power Station
-1. In the past, accidents in nuclear power stations in the past, especially the one at the Three Mile
Island Nuclear Power Station in the US in 1979 when the reactor core melted, and the Chernobyl
Nuclear Power Station accident in the Republic of Ukraine (the former Soviet Union) in 1986 when
the reactor core melted, are quite well known. In Japan too, accidents with fatalities have occurred
at nuclear power stations several times.
-2. The US Nuclear Regulatory Commission (USNRC) implemented risk assessment for major
accidents in five of the existing nuclear power stations in 1989. The objectives were:
(1) To clarify plant design with enhanced risk sensitivity and operational characteristics and start
an appropriate control program
(2) To compare the safety targets of the USNRC and the system risks of each plant
A calculation of system risks was implemented mainly for risks of radiation leaks and public safety,
such as reactor core damage, chain of accidents, radiation containment, and effects on locations
other than power stations, and so on. Methods of probabilistic safety assessment using ETA and
FTA were used in the analyses. The effects of damage to machinery and equipment, internal events
such as errors by operators, external events such as fires in control room, earthquakes, and so on,
were considered in the probabilistic safety assessment. The frequency of reactor core damage
frequency and the risk of other events were expressed by probability distributions. From these
analyses, the main cause of reactor damage risk was determined to be human error. Information
related to the level of influence of radiation leaks outside power stations was also included in
probabilistic safety assessment, and public risk assessment of internal events was implemented. It
was found that the risk was adequately small in all the nuclear power stations that were studied.
However, at the same time, appropriate design changes and recommendations to the control
program were implemented to reduce the risk further.
- 14 -
Risk Assessment Guidelines
Chapter 4 FORMAL SAFETY ASSESSMENT (FSA)
4.1 Overview of FSA
-1. Formal Safety Assessment (FSA) is also translated as integrated safety assessment and is a
risk assessment method. It is used as a rule-making process by the International Maritime
Organization (IMO), a professional organization of the United Nations. FSA is a procedure
consisting of five steps: hazard identification, risk analysis, study of risk control option (RCO), cost
benefit assessments of risk control options, and proposals for making decisions. (See Fig. 4.1)

Decision making entity

FSA Procedure

Step 1
Hazard identification
Step 2
Risk Analysis
Step 5
Proposal for making a
decision




Step 3
Study of risk control options



Step 4
Assessment of cost benefits of
risk control options


Fig. 4.1 Steps for Implementing FSA

4.2 Background
-1. The International Convention for the Safety of Life and Sea (SOLAS Convention) was agreed
upon in 1929 by various states to establish rules in order to ensure safety of ships under the IMO.
Since that time, various revisions and amendments have been made to keep up with technological
innovations and respond to major accidents. However, since the wishes of each country had to be
taken into consideration when revising international rules, the process for decision making also had
strong political overtones, and doubts began to grow on the rationality of the system.
-2. Risk assessment using probabilistic safety assessment methods was implemented in oil drilling
rigs, chemical plants, nuclear power plants and so on, and rational measures were adopted based on
the results of the assessment.
-3. In view of the background in -1. and -2., England also proposed an FSA consisting of a
five-step analysis procedure in 1993 at the IMO.
4.3 Objectives and Characteristics of The FSA
-1. The most important objective of the FSA is to systematically and with foresight implement
criteria formulating processes of the IMO. That is to say, to adopt rational measures based on risk
assessment and not by criteria to respond to accidents as was done in the past. The FSA includes
procedures to consider the cost benefit, and also has the feature that processes at each step are
clearly established. Accordingly, if FSA procedures are followed, reasonable safety criteria with
higher transparency than in the past can be formulated.
-2. FSA starts with the decision-making entity defining all relevant boundary conditions and
restrictions together with the definition of the problem to be assessed. These form part of the
- 15 -
Risk Assessment Guidelines
common understanding in the group of decision makers implementing the FSA. In general, these
boundary conditions and restrictions are changed from time to time as the study proceeds. Work
may need to be implemented again based on the results of such changes, but proposals are made
again as necessary and the process for the group to arrive at a common understanding is repeated.
To implement the FSA, experts possessing the appropriate qualifications and experience matching
the scope of characteristics of the problems to be handled and their effects are required.
-3. An overview of the problem definition of FSA and the five-stage analysis process is given in
the sections below. For details of the procedure, please refer to FSA Training Course Materials of
IACS (see Fig. 4.2), FSA Guidelines of IMO (IMO MSC83/INF.2 of Reference 6, and its revised
version), etc.


Definition of Goals, Systems, Operations
Hazard Identification
Cause and
Frequency Analysis
Consequence
Analysis
Risk Summation
Risk
Controlled?
Options to decrease
Frequencies
Options to mitigate
Consequences
Cost Benefit Assessment
Reporting
No No
Yes
Scenario definition
Fig. 4.2 FSA Flow Chart (From FSA Course Materials of IACS)


























4.4 Definition of The Problem
-1. The purpose is to define the problem in consideration of its relationship with the review or
criteria to be newly formulated for the problem for which analysis is to be started henceforth. To
define the problem, all related items must be considered. The items below are listed in the IMOs
FSA Guidelines as items considered relevant to ships.
(1) Ship Categories (for instance, ship type, range of length and/or gross tonnage, newly built ship
or existing ship categories, type of cargo)
(2) Ship Operation (for instance, maneuvering in port and/or maneuvering during voyage)
(3) External Influences on Ship (for instance, Ship Traffic System, Weather Prediction, Warning,
and Route Selection)
(4) Accident Category (for instance, Collision, Explosion, Fire)
(5) Risk related to results such as injuries or fatalities to passengers and crew members,
environmental effects, damage to ship and harbor equipment, or impact on business
-2. Ships have features that vary from ship to ship. In general, problems related to ships can be
- 16 -
Risk Assessment Guidelines
distinguished by many functions; therefore, FSA aims to extract typical functions and attributes of
problems to be solved, defines the mutual interaction between elements, and makes use of a
generalized model to solve problems. In such cases, the generalized model may be considered a
collection of systems having common functions defined beforehand, including those related to
organization, management, operation, personnel and hardware. The functions and systems must be
subdivided into appropriate levels to match the problems to be solved.
-3. The mutual interactions between elements surrounding a ship are to be comprehensively
considered with a focus on physical laws and the engineering systems of the ship, including
passengers and crew, organizational base and management base of ship, operation of ships and
convoys, and even maintenance and management.
-4. The clarification of the problem, settings of boundary conditions and the preparation of the
generalized model can be obtained as outputs by defining the problem.

4.5 Step 1: Hazard Identification
4.5.1 Overview
-1. A series of hazards in the problem being studied, and the scenario from each hazard until harm,
depending on the risk level, are identified in this step. Hazard identification can be realized by
standard methods; screening can be realized by utilizing expert opinions and available data. The
order of priority of hazard is ranked, with hazards of low importance not handled in subsequent
steps.
4.5.2 Method
4.5.2.1 Potential Hazard Identification
-1. The objective in step 1 is to identify all relevant hazards with creative techniques and
analytical techniques. For this reason, not only existing hazards, but potential hazards are also
required to be extracted with foresight. To realize this, in addition to past information and data,
findings gathered from professional organizations extending over various fields should be compiled.
For collecting the findings of professionals and experts, please refer to Sec. 3.2.
4.5.2.2 Fixing The Order of Priority
-1. Once the hazards are identified, they are to be ranked in the order of priority. Scenarios judged
to have low importance are to be discarded, and further studies need not be carried out. The order of
priority is set after using the available data on the scenario and judging such data. The classification
of frequency and importance (or severity) used in the risk matrix should be clarified beforehand.
For details of risk matrix, refer to Sec. 3.2. Tables 4.1 and 4.2 give examples of severity index and
frequency index for ships.
4.5.3 Output
-1. The output of step 1 is as follows:
(1) Scenarios ranked in order by hazard list and risk levels according to priority
(2) Description of cause and effects
- 17 -
Risk Assessment Guidelines
Table 4.1 Example of Severity Index (SI) in The Case of Ships
SI
Qualitative
expression
Effect on Human Beings Effect on Ships
Conversion
to Death Toll
1 Minor Effect
Single casualty or multiple persons
with slight injuries
Local damage 0.01
2 Large Effect
Multiple casualties or severely
wounded persons
No severe effects 0.1
3 Severe Effect
Single fatality or many severely
wounded persons
Severe effect 1
4
Catastrophic
Effect
Multiple fatalities Total lost 10

Table 4.2 Example of Frequency Index (FI) in Case of Ships
FI Frequency Definitions Per Ship Year
7 Frequent Could occur once a month per ship 10
5 Sometimes
Could occur once a year in a convoy of 10 ships
Several times in the lifetime of one ship
0.1
3 Rarely
Once a year in a convoy of 1000 ships
May or may not occur in the lifetime of several similar ships
0.001
1
Extremely
Rare
If a convoy of 5000 ships exists in the whole world, a one-time
occurrence in the lifetime of all these ships
0.00001
4.6 Step 2: Risk Analysis
4.6.1 Overview
-1. In step 2, the causes and results of important scenarios identified in step 1 are studied in
greater depth. More specifically, a risk model is constructed and handled in greater detail; locations
of high risk areas and the factors that have effect on the risk level are clarified. The level of each
risk is judged in this step.
-2. Appropriate Type of Risk (for instance, Risk to Life, Environment or Property) is used to
match the problem being studied.
4.6.2 Method
-1. The Fault Tree and the Event Tree methods are available as standard methods for
quantification and assessment of risk, and construction of the risk model. If appropriate, other
established modeling methods may be used, such as the Bayesian network. If usable data of past
accidents and breakdowns and other information sources (depending on the analysis level) exist,
they are to be used and quantified. Another effective quantification method is the collection of
expert opinions. Calculation and simulation are available as usable substitute methods to such data
and methods mentioned above.
4.6.3 Output
-1. The output of step 2 is the identification of the problems of the high risk area to be analyzed.
4.7 Step 3: Study of Risk Control Option (RCO)
4.7.1 Overview
-1. After the high risk area to be analyzed is identified, risk measures are to be studied. Measures
to control single elements of risk are called Risk Control Measures (RCM); while a set of RCM is
- 18 -
Risk Assessment Guidelines
called Risk Control Options (RCO). The objective of step 3 is to propose effective and practical
RCO for problems in the identified high risk area. RCO consists of mainly the four following
stages:
(1) Selection of risk fields necessary for control
(2) Identification of potential RCM
(3) Assessment of effectiveness in reducing the risk of RCM by re-assessing step 2
(4) Grouping as practicable regulatory options of RCM
-2. The RCO considered here is not only the existing risk countermeasure method, but also if
necessary, the creation of RCO by new methods of operation and control or new technology may be
included. Currently, an RCO that covers a wide range must be created after studying new mutual
risk measures.
4.7.2 Method
4.7.2.1 Deciding Fields for which Control is Necessary
-1. A study is to be carried out with the focus on the high risk areas extracted in step 2 as the
fields for which control is most necessary. The following items are to be examined at this stage:
(1) Examine accidents with risk levels that are difficult to accept, and also examine the occurrence
frequency and the severity of consequences.
(2) Unrelated to the severity of consequences, identify the risk model having the highest
occurrence frequency, and examine its ease of occurrence.
(3) Unrelated to the ease of occurrence, identify the part of the risk model that contributes to the
severest consequence, and examine its severity.
(4) Identify the risk of the risk model and the part in which considerable uncertainty exists in the
severity or ease of occurrence, and examine the reliability.
4.7.2.2 Identification of RCM
-1. Recognize risk that cannot be adequately controlled with existing measures. To identify
potential RCM, a systematic examination method needs to be employed. Clarify the
cause-and-effect relationship, and analyze what processes the initial events undergo through
accidents and breakdowns to arrive at the final consequences. It is important to understand how the
RCM can control the risk. RCM generally has more than one of the objectives below.
(1) To reduce inadequate frequency
(2) To mitigate inadequate effects
(3) To mitigate the environment that generates inadequacy
(4) To mitigate the consequences of accidents
-2. When the RCM has been extracted, return to step 2 and assess the risk reduction effects. The
assessment should include action that could newly arise from the introduction of the RCM.
4.7.2.3 Composition of RCO
-1. To study a RCM that can be applied to practical problems, the practicable regulatory options
extracted after adequately considering the number of limited RCM must be divided into groups. The
identification of interested parties is important when preparing the RCO. The two methods listed
below may be considered for dividing RCO into groups.
(1) General approach: Control risk by controlling the ease with which an accident could occur
(2) Dispersive approach: Control the possibility of the effect on the stepwise expansion of the
accident.
4.7.3 Output
-1. The output of step 3 is as follows:
(1) Assessment of a series of RCO and its effects on reducing risk
- 19 -
Risk Assessment Guidelines
(2) List of interested parties affected by RCO
(3) List related to interdependence among RCO.
4.8 Step 4: Cost Benefit Assessments of Risk Control Options (RCO)
4.8.1 Overview
-1. The objective of step 4 is to assess the cost benefit of implementing each identified and defined
RCO in step 3 and to compare them. The assessment of cost benefits is a feature of the FSA.
4.8.2 Method
-1. Appropriately estimate the cost of all of the RCO as well as their effects; then assess the cost
benefits. The cost per unit risk reduction is found by dividing the cost by the risk reduction attained
by implementing the RCO, the cost benefit of each RCO are estimated and compared. The RCO is
ranked for the convenience of the recommendations of step 5.
-2. Costs are to be indicated in the lifecycle cost, and include costs such as initial cost, operating
cost, training cost, inspection cost, ship scrapping cost, etc.
-3. Fatalities, injured persons, marine casualties, environmental pollution, clean-up measures,
reduction in third party liability, and the extension of the average life of the ship are considered
from the viewpoint of effects.
-4. Various indices that indicate the cost benefits related to the safety of life, such as Gross Cost
of Averting a Fatality (GCAF) and Net Cost of Averting a Fatality (NCAF), are available when
calculating cost benefits. For assessing the cost benefits related to the problems of property and the
environment, separate indices based on damage and effects can be used. The cost benefit of the
RCO is compared using such indices. GCAF and NCAF are indices of cost benefits used by the
IMO and are defined below.
R
C
GCAF

=

R
B C
NCAF


=

Here:
R: Risk reduced by introducing a RCO
C: Additional cost of introducing a RCO (including the RCO price, training cost, carry-over
loss, etc.)
B: Economic benefits of introducing a RCO
-5. GCAF refers to the cost required to reduce unit risk (one person per ship per year for life risk,
but when the risk reduction value over a ships lifetime is considered, this becomes 1 person per
ship). The denominator is the same for NCAF, but the numerator is the value obtained by deducting
the profit from the cost and refers to the net cost when profit is obtained by introducing a RCO.
However, the use of NCAF as an index value of the cost benefit is also viewed unfavorably since
arbitrariness may be prominently reflected during the prior estimation of economic profits by
introducing a RCO. The approximation given by the IMO for both GCAF and NCAF is a
substantial sum of about US $3,000,000.
-6. The assessment of cost benefits needs to be implemented for interested parties most affected
by the application of its RCO. As mentioned above, the assessment of cost benefits for a RCO
enables various assessment indices to be used, and the measures also are many. The assessment
indices and measures must be appropriately selected to suit the problems and the interested parties.
- 20 -
Risk Assessment Guidelines
4.8.3 Output
-1. The output of step 4 is as follows:
(1) Cost benefit for each RCO identified in step 3
(2) Cost benefit for the interested parties most affected by the problem under study
(3) Cost benefit indicated by appropriate indices according to the objective
4.9 Step 5: Recommendations for Decision-making
4.9.1 Overview
-1. The objective of step 5 is to decide recommendations that can be implemented with audit and
tracking methods for the relevant decision makers. Recommendations should be based on the
comparison and ranking of all the hazards and causes in the background, comparison and ranking of
risk control options associated with accompanying cost benefits, and the judgment of risk control
options that restrain risk rationally and substantially to low levels.
-2. Ideally, the criteria for these comparisons must be considered such that all interested parties
receive the effects equally. On the other hand, the treatment of the problem should preferably be as
simple and practical as possible, at least in the initial stage.
4.9.2 Method
-1. Recommendations should be displayed in a form understandable to all related persons
regardless of experience in the cost benefit assessment for a RCO and risk assessment, and the
application of relevant methods. The supplementary documents related to the results of the FSA
process should be accessible to anybody anytime, and consideration should be given to offering the
mechanism and reasonable chances to incorporate comments.
4.9.3 Output
-1. The output of step 5 is as follows:
(1) Objective comparison of substitute options based on the possibilities of risk reduction and cost
benefits in the problem being studied
(2) Feedback information for examining the results obtained in all the steps
(3) Display of results
-2. Each FSA report must satisfy the requirements given below to encourage the use and common
understanding of the FSA in the IMO rule-making process.
(1) Final recommendations are ranked so that their audit and tracking are available, and their basis
is also clearly described.
(2) The cost benefits of important hazards, risks and RCO identified in the assessment stage are
listed up.
(3) The basis for important assumptions, limitations, uncertainties, data models, methodology,
inferences which are used or taken as conditions in the cost benefit assessment of a RCO and
risk control options of interest in the decision-making process, results of assessments,
recommendations, hazard identification, and risk analysis, is explained and references are
attached.
(4) The causes, scope and magnitude of excessive uncertainty related to assessments and
recommendations are described.
(5) The configuration and the expertise of the group that implemented the FSA process are
described.

- 21 -
Risk Assessment Guidelines
4.10 Examples of FSA in The Shipbuilding and Maritime Fields
Example 1 Proposal for Various Kinds of RCO to Enhance Bulk Carrier Safety
-1. This is an example of a case of the largest scale which had the greatest international effect on
the FSA deliberation in the IMO. When the bulk carrier (bulk carrier: ship in which dry cargo such
as iron ore, coal, etc., is directly loaded into cargo holds in a pulverized condition without
processing and transported) Derbyshire of British registry encountered rough weather due to
typhoon in Japanese coastal waters, the hatch covers collapsed due to waves, flooding occurred and
the ship sank, England proposed an investigation of comprehensive RCO of bulk carriers by the
FSA to the IMO at the 70
th
meeting of the Maritime Safety Committee (MSC70).
-2. England started a joint project with other European states, and tried to enforce several RCOs
for enhancing bulk carrier safety. The Shipbuilding Research Association of Japan (currently, the
Japan Ship Technology Research Association) set up a committee of experts belonging to
classification societies, shipbuilding companies, etc., assessed the RCO enforced until that time, and
studied the RCO for enhancing bulk carrier safety.
-3. England and Japan made use of accident data given by Lloyds Register Fairplay (LRFP) in
the risk assessment of existing bulk carriers of step 2, and both arrived at the common result that the
risk of bulk carriers exceeded the allowable range. However, the bulk carriers generally sank within
a short time during accidents, many lives were lost; and, in a large number of cases, the cause of the
accident was unknown. Moreover, many lives were also lost because the causes of the accident
were not known. England emphasized that accidents with unknown causes were all due to collapse
of the hatch covers due to waves or separation of the hatch cover from the hatch, followed by
flooding and sinking of the ships. The basis behind this reasoning was that the number of fatalities
per accident due to hatch cover was evidently large, and resembled the features of accidents of
unknown causes.
-4. Conversely, Japan emphasized that since accidents due to side damage were mostly accidents
due to causes that were evident, accidents of unknown cause were generally due to side damage.
Moreover, Japan studied in detail nearly 300 examples of accidents obtained from LRFP marine
casualty data. Although the instances of major damage due to hatch covers were many, the collapse
of hatch covers, that is to say, instances due to inadequate hatch cover strength were few in number.
Japan stressed that hatch cover securing fittings were damaged because of lateral loads due to
waves, and the hatch covers worked loose due to the waves, causing accidents. Firstly, there was the
opinion that the probability distribution of the number of accidents due to each cause estimated
from probabilistic methods to identify the unknown causes of accident from instances with known
cause, showed that all the causes of the accidents lay in the hatch covers. This opinion was
overturned. Finally, the RCO for strengthening the hatch covers became applicable only to newly
built ships because of the conclusions above.
-5. Furthermore, England and other European nations emphasized the strengthening of several
safety measures such as the installation of flood monitoring systems, double side hull structures,
and the provision of free-fall lifeboats and so on, as RCO in addition to the strengthening of hatch
covers. However, Greece later reviewed these FSA proposals, emphasized that the cost benefits of a
RCO of double side hull structure were too small, and this was approved at the IMO. Thus, the
mandatory application of double side hull structures was not implemented.

- 22 -
Risk Assessment Guidelines
Example 2 Strengthening of ECDIS
-1. Norway proposed an assessment by the FSA pointing out that the Electronic Chart Display
and Information System (ECDIS) was effective in preventing collisions and other accidents for
large passenger ships at the 51
st
meeting of the Safety of Navigation Sub-committee (NAV51) in
2005. Furthermore, at the MSC81 in 2006, the method implemented in NAV51 was extended to
cover cargo ships. Norway emphasized that investigations be made for the mandatory provision of
ECDIS on all ships plying on international voyages since it was effective in preventing collisions
and other accidents.
-2. Norway used the Bayesian network for implementing its risk assessment of ECDIS, which is
being used recently in various fields. The ECDIS makes use of the Electric Navigational Chart
(ENC). This is a device that lightens the work load of the navigator, namely the work of checking
the ships own position. Accordingly, if an ENC is not provided, the effectiveness in avoiding
grounding of the ship is non-existent. However, Norway had prepared the model using the
assumption that an ENC can be used in all sea areas. The reason for this is the idea that if ECDIS is
provided on ships, the preparation of an ENC even for sea areas for which an ENC does not
currently exist because some day due to progress such sea areas will be able to handle ENC..
-3. ECDIS is an expensive piece of equipment costing more than US $60,000; therefore, there is
apprehension that it may not be possible to formally enforce the provision of this equipment on
ships plying in areas for which ENC is not available. Japan carefully scrutinized Norways method,
introduced a construction system of the Bayesian network and re-constructed the risk model of
ECDIS proposed by Norway, and also added the model of the maintenance status of ENC, which is
essential for ECDIS, and re-assessed the ECDIS effect.
-4. Based on the results of various technical investigations, an amendment to the SOLAS
Convention was adopted making the provision of ECDIS mandatory at the 86
th
meeting of the
Maritime Safety Committee (MSC86) of the IMO in May 2009. The scope of the application and
period vary according to cost benefits, that is to say, according to ship type, size of ship (gross
tonnage), and whether newly built or existing ship.
- 23 -
Risk Assessment Guidelines
Appendix A Various Techniques that can be used in Risk Assessment
A.1 ETA: Event Tree Analysis
-1. The method used is as follows: the stages from the initial event that becomes the origin of an
accident to the final event after passing through several intermediate events are expressed as a time
series, the problems in each intermediate event and probability of divergence are estimated, and the
probability of reaching the final event is estimated. Bringing to light each event, extracting problem
points, and estimating the probability are performed by organizing a team of experts, and by
collecting the experience and findings of such experts and other knowledgeable persons. The
occurrence probability of the final harm from the occurrence probability of each event can be
quantitatively determined. If the events progress in a time series then this is a particularly excellent
method to understand how a small-scale problem spreads. Fig. A.1 shows an example of an event
tree. The risk can be calculated by assigning the probability each time a divergence occurs and by
multiplication.

Initial event
Reactor
shutdown
Emergency
coolant from
Pump A
Emergency
coolant from
Pump B
Release of
decay heat
Result
A B C D E


Success Success Success

1. A
Failure

2. AE Plant damage
Failure Success Success

3. AC
Failure

4. ACE Plant damage
Failure

5. ACD Plant damage
Failure

6. AB Plant damage

Fig. A.1 Example of An Event Tree

A.2 FTA: Fault Tree Analysis
-1. The method is as follows: the ultimate harm that could occur is taken as the top event, and its
cause is extracted top down, a fault tree is sketched and prepared until the bottom event, the
probability of occurrence of each event is estimated, and finally the probability of arriving at the top
event is estimated. Fig. A.2 shows an example of a fault tree. Similar to the event tree, every event
is brought to light, problem points are extracted, and the experience of many knowledgeable
persons is brought together for estimating probability. This is an excellent method for investigating
beforehand the factors that significantly affect probability leading to harm in a large-scale and
complex system.
- 24 -
Risk Assessment Guidelines

Continuous release
2.2510
-4







Inappropriate stopper for previous release
0.1
Open valve
2.2510
-3






Valve left open
1.2510
-3
Valve damaged in open position
110
-3





Open valve
0.01
Valve closed operating error
0.25
Valve closed confirmation error
OR
AND
AND
0.5


Fig. A.2 Example of A Fault Tree

A.3 FMEA: Failure Modes and Effects Analysis
-1. FMEA is the abbreviation for Failure Modes and Effects Analysis. It is a reliable analysis
method often used to pick out fault factors. It is a technique wherein a system placed under a certain
environment is focused upon, and an assessment from the quality improvement perspective to
prevent faults and to reduce them is performed by a team of experts. FMEA was developed for use
by the US military; and it has been used for a long period for space development by NASA.
Currently, it is being applied to various fields. The IMO has stipulated FMEA as the safety
assessment method to be implemented when constructing high speed vessels.
-2. When equipment constituting a system suffers a breakdown, the effects on the system are
analyzed using a FEMA worksheet as shown in Fig. A.3. The original functions of each piece of
equipment, the failure mode that could occur and the causes, effects, failure detection method,
corrective actions and so on, need to be studied. To avoid missing items, a systematic procedure is
established to examine the system.
-3. An overview of the FMEA procedure is given below.
(1) Collection of necessary data (design information, related data)
(2) Work by a team of experts
(3) Selection of components
(4) Identification of the functions of the components
(5) Identification of the kinds of failures that could occur in the components (failure mode)
(6) Local effects occurring due to failure (local effect)
(7) Effects on the entire system due to failure (final effect)
(8) Method of protecting the system from failure (failure detection method, corrective action)
-4. The components are selected sequentially one by one and studied. Accordingly, if several
pieces of equipment fail at one time due to different causes, these will be excluded from the study;
however, if the failure of one piece of equipment leads to the failure of other equipment, and if
several pieces of equipment fail becomes of one cause, then a study or investigation is necessary.
- 25 -
Risk Assessment Guidelines

System: Date:
Level: Sheet No.:
Reference diagram: Editor:
Role: Approver:

Failure effect
ID
No.
Object Function
Failure
mode and
cause
Usage
objective
Local
effect
Upper
level effect
Final effect
Investigate
method
Corrective
action
Maximum
failure
impact
Note













Fig. A.3 Example of an FMEA Worksheet

A.4 FMECA: Failure Mode, Effects, and Criticality Analysis
-1. This is an analysis method wherein Criticality Analysis for a quantitative assessment is
performed taking the effect of the failure mode on the system as the failure grade, in addition to the
FMEA. With regard to the failure mode of components, the system and the effects on safety of
persons are assessed and quantified. Criticality is assigned to functions such as level of effect of
failure, occurrence frequency of failure and so on. From the obtained values, risk is estimated.
-2. Two methods to analyze criticality are available: quantitative analysis and qualitative analysis.
-3. To perform quantitative criticality analysis, the items to be implemented by the analysis team
are as follows:
(1) Define the reliability and unreliability of each part under the given operating conditions
(2) Identify the potential failure mode of the unreliable part of the item
(3) Determine the percentage of loss or severity due to the occurrence of each failure mode
(4) Calculate the criticality by multiplying the three elements.
Criticality of mode = Unreliability G Unreliability factor G Probability of loss
(5) Calculate the criticality of a part as the sum of various failure modes associated with the
criticality of each part.
Criticality of a part = Sum of the criticality of the modes
-4. Analyze the essential criticality by assessing the risk and ranking the order of priority of
avoidance actions. To do this, the analysis team should perform the following actions:
(1) Estimate the level of severity of the potential effects of failure.
(2) Estimate the ease of occurrence of each potential failure mode.
(3) Compare the Criticality Matrix of the failure mode. This is a plot of the severity on the
horizontal axis and frequency on the vertical axis.

- 26 -
Risk Assessment Guidelines
A.5 HAZOP: Hazard and Operability
-1. HAZOP is a technique by which causes and effects that could occur are determined, by
starting with failures called deviations and proceeding with the analysis of each of these from the
aspects of effects and causes. It was developed to handle failures due to multiple independent events
that are entwined in a complex manner in a chemical process. The illustration of the analysis flow is
as shown in Fig. A.4.


()

Starting Point (deviation)


Analysis direction Analysis direction
Effect Cause

Fig. A.4 Illustration of HAZOP Analysis

-2. This technique is mainly used to check the two points mentioned below.
(1) Potential dangers in a process plant
(2) Problems that particularly occur when operation that deviates from design specifications and
operability of plant is performed.
-3. HAZOP may be classified as an analysis technique for danger scenarios. US Federal Law and
laws of several states require HAZOP to be used as the method for analysis of hazards in processes.
-4. Guide words are set as questions, and answers are received in HAZOP. For this reason,
dangerous scenarios can be easily and systematically grasped. The questions are mainly for hazards
that occur during operation which deviate from design specifications (for instance, temperature,
pressure, pH, stirring, reaction) and the causes of such hazards. For instance,
(1) Where and what are the deviations?
(2) What is the hazard due to the deviation?
(3) What are the causes of deviation? What are the problems in the operation?
(4) What are the protective functions preventing development from each cause to the dangerous
event?
(5) What are the measures to be improved?
-5. An overview of the HAZOP procedures is given below.
(1) Set the scope of process to be analyzed and formulate the objectives of analysis.
(2) Select the members (several).
* Leader with abundant experience in the process
* Chemical, Science, Mechanical and Instrumentation engineers to participate in design and
operation
* Safety supervisor, etc.
(3) Collect basic data (Information and data such as PI diagrams)
(4) Select guide words
(5) Prepare questions (assuming deviation from design specifications using guide words)
(6) Prepare worksheets
(7) Matrix table consisting of items in each design specification, offset, causes, hazards, protective
functions, measures, etc.
(8) Potential hazards due to deviation, problems in operation, study of measures
(9) Questions by leader, answers by all members, conclusions arrived at through group
discussions
(10) Description of analysis results on worksheet
- 27 -
Risk Assessment Guidelines
A.6 SWIFT: Structured What-if Technique
-1. The What-if analysis method is an appropriate hazard-specific method used in hazard-specific
conferences. Generally, the leader of managers, record keeping person, and several persons with
experience in the topics being studied are carefully selected, and these persons participate in the
conference. Usually, this method is implemented by a group of 7 to 10 persons. Here, the SWIFT
method, a kind of What-If analysis method, is explained.
-2. SWIFT is a systematic technique for identifying hazards implemented by a team of experts.
Although this is one technique that has the objective of identifying hazards in a chemical process
plant, it can also be applied to other fields. SWIFT identifies systems and procedures at a high level
(HAZOP and FMEA are methods that identify process flow and hardware at a detailed level).
-3. SWIFT makes use of brainstorming such as considering the deviation from usual operation by
what if was ...?, how could occur? and so on. To avoid overlooking hazards, check lists
are used.
-4. SWIFT is generally used as follows:
(1) Used merely to identify hazards. (For subsequent quantitative assessment)
(2) Used to frame recommended defensive measures (When a procedure to assess hazard
qualitatively does not exist, etc.)
-5. No standard method has been established in the case of SWIFT. The advantage is its
flexibility; changes for the better can be made for various applications, but a fixed policy may be
necessary.
-6. Procedure for holding discussions on SWIFT by experts
(1) Define the system and process to be analyzed.
(2) Consider the order of priority of each item (leader to structure the discussion)
(3) Brainstorm hazards that could occur. This may be written down, but discussions are not to be
held yet.
(4) The listed-up hazards are to be re-arranged in the logical order so that they can be discussed.
Start with the important items and fix the sequence.
(5) Consider each hazard sequentially.
(6) Study the probable causes of each event.
(7) If an event occurs, predict the results that could occur.
(8) To protect against the occurrence of the event, study the safety measures, and validity of the
safety measures already included in the system.
(9) Record these discussions on the SWIFT record sheet.
(10) Again check that a hazard has not been missed. Using a checklist, refer to previous accident
records if available, and aim for completion.
-7. Hazards extracted by the SWIFT method are summarized in a worksheet; an example of the
same is shown in Fig. A.6.For this research, the worksheet below is used.
- 28 -
Risk Assessment Guidelines

Hazard ID No.
Hazard definition Brief description of Hazard

Cause List all causes that come to mind




Result List all results that come to mind




Protective
measures currently
expected
List protective measures currently found in the system




Recommendation List desirable measures to be taken to prevent hazard




Risk Information SI (Severity Index) FI (Frequency Index)


Note


Fig. A.6 Example of SWIFT Worksheet

A.7 Delphi Method
-1. This is a method used by the experts to arrive at an agreement. A list of questions to extract
potential risks is circulated among the experts, and comments are sequentially added. Although the
participating experts are known to all, the comments made are anonymous. By circulating the
comments and circulars several times, an agreement is formed on the risks in the overall project, the
ease with which they could occur, the results, and the ranking of the elements. Preconceptions and
excessive influences of specific experts are easily eliminated by the Delphi method; thus, it is an
effective method for risk assessment.
-2. The Delphi method demonstrates its power when predictions with no bias are required and
opinions are to be received from as many experts as possible. In this case, agreement is reached
using the steps given below.
(1) First, many experts are made to participate in the questionnaire survey. (In general, the
respondents are anonymous.)
(2) When replies have been collected, the same questionnaire is circulated again, with the
collected results displayed this time.
(3) All respondents answer the questions again after seeing the distribution of results of answers
by others and comparing them with ones own answers.
(4) When this process is repeated several times, the collected replies are used as questionnaire
survey results.
-3. The key point in this method is that all experts participating in the questionnaire survey must be
made thoroughly familiar with the method of the questionnaire survey. It is especially important for
them to be aware that in this method the survey is repetitive; ones answers are revised referring to
the opinions of other respondents.

- 29 -
Risk Assessment Guidelines
Appendix B Individual Risk and Societal Risk
The main indices used in risk assessment are Individual Risk and Societal Risk.
Individual Risk is an index that shows the degree of harm to an individual when exposed to dangers
during a certain period such as while the individual is using transportation facilities or working in
factory, etc. That is to say, it indicates the magnitude of frequency of fatalities. As an expression of
Individual Risk, the number of fatalities in a fixed time (Fatal Accident Rate; FAR) is often used
assuming that the number of fatalities per year for assessment (units: person/person year = 1/year)
or a certain status (work, etc.) in the group being studied has continued. The latter makes use of the
number of fatalities per hundred million hours, and is determined by estimating it from the
continuous hours (annual work hours, etc.) of the status per year and the number of fatalities
annually.
Societal Risk (also called the group risk) is an index that indicates the level of damage to a group
during the period a group of people is exposed to danger. That is to say, the frequency of fatalities.
Such a group of people may include persons on a certain kind of transportation facility or persons
working in a factory. The Societal Risk of a certain group is the Individual Risk for that group
multiplied by the size of the group. The Potential Loss of Lives (PLL product of accident
occurrence frequency and magnitude of disaster during an accident) is taken as the index of Societal
Risk; for a ship, this is the number of fatalities per ship per year. If the number of passengers per
ship can be estimated, divide the index by this number to convert it to Individual Risk.
Even if the PLL value is the same, the greater the number of accidents with many fatalities per
accident, the more difficult it becomes to allow Societal Risk. The method of analysis using FN
curves (graph of the number of lives lost and accident occurrence frequency) is available for
analyzing this viewpoint.
For a ship, it is necessary to implement safety measures in ship units; therefore, for comparison of
ships, the analysis of Societal Risk that can assess risk (number of fatalities per ship year) in ship
units is important. On the other hand, Individual Risk indicates the frequency of fatalities for an
individual in a period bordering on the consideration such as the period in which the individual uses
transportation facilities; it is useful for comparing risks in transportation modes, or labor disasters.
- 30 -
Risk Assessment Guidelines
Appendix C Basic Mathematical Knowledge Related to Probability
Here, the basic mathematical knowledge related to probability which is required for risk
assessment is explained with appropriate examples.

C.1 Venn Diagram and Set Operations
The Venn diagram is a closed form representing elements of a set. It assists in probability
calculations. Fig. C.1 shows a set S having integers from 1 to 10 as elements. The subset consisting
of multiples of 2 is represented by E
1
, while the subset consisting of multiples of 3 is represented by
E
2
. The universal set S considered here is called the sample space (sample set).
Here, the elements of E
1
are expressed by:
} 10 , 8 , 6 , 4 , 2 { 1 = E

E
1
(multiple of 2) E
2
(multiple of 3)
1
2 3
4
5
6
7
10 9
8
Set (Integers 110)
Similarly, the elements of E
2
are expressed by:
} 9 , 6 , 3 { 2 = E

The set having elements that belong to E
1
as well as
to E
2
, is called the common part or the product and is
expressed by:
2 1 E E

In Fig. C.1,
} 6 { 2 1 = E E

Also, the set obtained by combining the elements of
E
1
and E
2
is called the sum of E
1
and E
2
, and is
expressed as:
2 1 E E

In Fig. C.1,
,9,10} {2,3,4,6,8 2 1 = E E

Moreover, the set obtained by subtracting the elements of set E
1
from the S is called the
complement of E
1
and is expressed as:
1 E

In Fig. C.1,
} 9 , 7 , 5 , 3 , 1 { 1 = E

The following relationship exists between a subset and its complement:
S E E = 1 1

= 1 1 E E

Here, is a set with no elements. That is to say, it is a symbol indicating a null set. In this way,
taking the product, sum and complement of a set is called set operation.
The following relationships are true for set operations:

Commutative law
1 2 2 1 E E E E =

1 2 2 1 E E E E =

Associative law
3 2 1 3 2 1 ) ( ) ( E E E E E E =

3 2 1 3 2 1 ) ( ) ( E E E E E E =

- 31 -
Risk Assessment Guidelines
Distributive law
) ( ) ( ) ( 3 1 2 1 3 2 1 E E E E E E E =

) ( ) ( ) ( 3 1 2 1 3 2 1 E E E E E E E =

de Morgan's law
2 1 2 1 E E E E =

2 1 2 1 E E E E =


C.2 Frequency and Probability
The words frequency and probability in these guidelines are used in the contexts given below.
Frequency refers to the number of times an event occurs in unit time or in a number of unit trials,
and it takes any value from 0 to infinity. It is used, for instance, as follows: breakdown frequency
per year of a machine; occurrence frequency per year of earthquake exceeding a specific seismic
intensity in a specific area; frequency with which a particular face of a die shows up when it is
thrown.
Probability refers to the percentage of a specific event from the total events that have occurred. For
instance, when a die with faces numbered from 1 to 6 is thrown, if the frequency with which each
face can turn up is assumed to be equal then the probability that a specific face of the die will turn
up can be taken as 1/6. Or, if a coin is tossed then the probability that heads will turn up may be
taken as 1/2. Probability takes a value between 0 and 1.
The appearance of any face of the die or the tails-side of a coin, etc., can be represented by the
equation for probability P(x) given below, if the frequency of occurrence of each such event is
considered to be equal.
N
x P
1
) ( =

1 ) ( =

x
x P

Here, P(x) represents the probability at which event x can occur, and the total number of events that
could occur is N.
For instance, in case of a die, N=6; x expresses symbolically an event, that is to say, the appearance
of one of the six faces from 1 to 6.
However, in all cases where probability is to be considered, the frequency of occurrence of each
event may not be equal such as in the cases the die and the coin. In other cases, such as the
breakdown frequency of machine, or the occurrence frequency of earthquake, as mentioned above,
the general method is to use statistical data obtained from fixed period observations and by carrying
out observations, and to estimate the probability of occurrence. In such cases, strictly speaking, the
limit of the value as the number of trials moves to infinity is defined as the probability P(x). That
is to say,
N
x n
x P
N
) (
lim ) (

=

Here, n(x) is the number of times the event x occurs out of N trials. In this case, N is not the total
number of events, but is the number of trials. In practice, however, an infinite number of trials is not
possible; this is the ideal case. In reality, the probability is considered assuming that if the number
of trials N is adequately large, then the outcome becomes adequately reliable.
- 32 -
Risk Assessment Guidelines
C.3 Number of Ways
Let us explain this term taking the case of the die. Let us consider the probability of the value of the
total obtained after throwing two dice. In this case, the total values of the turned up faces can be any
value from 2 to 12, that is to say, any one of 11 values. Here, assuming the value of total events N
as 11 is not correct. The numbers on the faces of each die are from 1 to 6, and their combination
becomes the total number of events; thus N becomes 36.
Let us take consider probability of the total of numbers on the two dice to become 4. The total of
the two dice to become four can be obtained in 3 ways: (1, 3), (2, 2) and (3, 1).Such a number of
combinations belonging to a certain event is called number of ways and in this case, the number
of ways by which the total value can become 4 is 3. Accordingly, the probability for the total of the
two dice to become 4 is:
12
1
36
3
) 4 ( = = P

C.4 Conditional Probability
Let us take an example of playing cards. Each pack of playing cards has four suits (spades, hearts,
diamonds, clubs), and each suit has 13 cards from ace to king (Ni=13). If we assume the pack has 1
joker, then the total number of cards N=53; let us select one card at random from this pack of 53
cards. That is to say, the sample space consists of all the events from which any of the 53 cards can
be selected. Let us take the sample space S as the subset, and A as the set consisting of events that
the selected card is spade. The probability of occurrence of event A is:
53
13
) ( = =
N
Ni
A P

Moreover, let us take the event that the selected card is an ace, jack, queen or king as the event B.
Since there are four suits each having an ace, jack, queen and king, n=4. Since there are 16 such
cards in the deck the probability of event B to occur becomes:
53
16 4
) ( = =
N
n
B P

Now let us consider the probability that the card selected is a spade and is also an ace, king, queen
or jack, that is to say, the probability that both event A and event B occur simultaneously. On the
premise that A (card is a spade) has occurred, the probability that event B occurs (card is either ace,
king, queen or jack) can be found since out of the suit of 13 spade cards, 4 cards may be ace, king,
queen or jack:
13
4
) | ( = =
Ni
n
A B P

Moreover, the probability that the selected card is both a spade and either an ace, king, queen or
jack can be found as follows considering that out of the total number of cards N=53, any of the four
cards may be selected from the suit of spades:
53
4
) ( = =
N
n
B A P

Theoretically, the probability P(A) that event A occurs multiplied by P(B|A) is likely to become
P(AB).Therefore, the relation below can be written among P(A)P(B|A)P(AB).
) (
) (
) | (
A P
B A P
A B P

=

P(B|A) is called the conditional probability of event B. That is to say, the probability under the
condition that event A has occurred.
- 33 -


























For information on this publication, please contact the following:

NIPPON KAIJ I KYOKAI
Development Department
8-3, Onodai 1 chome, Midori-ku, Chiba 267-0056, J apan
Phone: +81-43-294-6672
Fax: +81-43-294-6699
e-mail dvd@classnk.or.jp































NIPPON KAIJ I KYOKAI

You might also like