Use of STAMP/STPA to Model Organizational Risk and Safety Management at Cruise and Ferry Companies

Recent well-publicized cruise and ferry ship accidents have been a wake-up call to the shipping industry. These events raise the need for ship owners to use more advanced risk management approaches. Enterprise Risk Management (ERM) has become an integral part of modern corporations, especially in safety critical industries where unsafe operations can lead to catastrophic accidents that result in loss of life, huge financial losses and the potential demise of the corporation. This paper presents the current findings of ongoing research to determine the best implementation of a Risk Management System (RMS) integrated with the Safety Management System (SMS) at cruise and ferry operating companies. The hypothesis is that ship management companies with better enterprise risk management will have better safety records and stronger financial performance. The paper presents the results of the application of Systems-Theoretic Accident Model and Processes (STAMP)/Systems Theoretic Process and Analysis (STPA) to a ferry operator to analyse the organizational performance of their risk and safety management systems. Initial results from the analysis showed gaps in communication paths, lack of tracking of risks and limited involvement of senior management in the risk process. A preliminary approach to deriving key indicators is presented.


INTRODUCTION
The International Maritime Organization (IMO), part of the United Nations, provides overarching guidance for risk and safety management for all ship operating companies in its International Safety Management Code (IMO, 2018). The initial SMS framework was established approximately twenty years ago in the initial version of this Code. In order to put the maritime approach in context, the railway and airline industries were analysed to determine their current state-of-the-art regarding risk and safety management. The literature reviewed indicates that many airlines and the United Kingdom's railways have adopted Enterprise Risk Management (ERM) as their preferred approach to risk management (Missura, 2015; Hunter-Jones, 2016). The International Civil Aviation Organization (ICAO), part of the United Nations, has developed a mature structure for their Safety Management System standard, with a clear integration of risk and safety, along with performance monitoring (Ioannu, Harris & Dahlstrom, 2017). A similar integration appears lacking in the current ship operations regulations.
One of the continuing difficulties for risk management practitioners in the marine domain is the lack of a standard set of definitions, for even the most basic elements of a risk program. For proper risk management, risk has a specific definition from maritime law (Mandaraka-Shepard, 2014): "It is understood as the possibility of harm or loss associated with an activity, or the likelihood of an incident happening that may result in danger to life, property or the environment, or may lead to commercial disputes and litigation." The Committee of Sponsoring Organizations of the Treadway Commission (COSO) created the ERM Integrated Framework (COSO, 2004). Over time it has become an accepted definition of ERM: "Enterprise Risk Management is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risks to be within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives." In the STPA Handbook, Leveson and Thomas (2018) offer another definition of risk associated with safety management: "STAMP implies a broader or at least different definition of risk. Risk has traditionally been defined as the severity and likelihood of hazards or accidents occurring. In contrast, in STAMP: Risk is defined in terms of the effectiveness of the controls used to enforce safe system, i.e., the design and operation of the safety control structure. Note that this definition does not require the determination of the likelihood of the events occurring, but rather an evaluation of the effectiveness of the controls being used to prevent them."
In the maritime world, the International Safety Management Code (IMO, 2018), as amended, sets the cornerstone for the risk management process for companies that operate ships; Paragraph 1.2.2 states: "Safety management objectives of the company should, inter alia; (1) Provide for safe practices in ship operations and safe working environment; (2) Assess all identified risks to its ship, personnel, and the environment, and establish appropriate safeguards; and (3) Continuously improve safety management skills of personnel ashore and aboard ships." Part (2) underlined above is the only specific mention of risk management in the regulation, which therefore gives a very broad avenue for interpretation by each ship operator.
Research on the use of ERM by airlines (Misiura, 2015) indicates that ERM is in use by 7 of 10 airlines surveyed, although no determination of the maturity level of ERM was made. One method of determining the risk maturity of companies was created by the Risk and Insurance Management Society (Minksy, 2008). Their five-level method to assess corporate enterprise risk management maturity according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2004) is presented in Table 1. Each ship operator's maturity was assessed by reviewing the artefacts related to each level in Table 1, through a series of interviews at the ferry company. The documents included internal risk management plans, risk policy, risk registers and tracking of the flow of risk assessments throughout the organization.
Corporation understands its risk tolerance/appetite, risk is part of the day to day management of the organization with a strategic focus
The ISM Code provides an outline of what a ship operating company's Safety Management System (SMS) must address. Figure 1 contains the outline of the information required. It can be noticed that the maritime implementation of the requirements for a SMS is not organized by functional areas, and certain key elements like hazard analysis and risk management are missing.
The strength of the guidance in Figure 2 is that it organizes the various functions required for a strong safety management system. Each airline must establish clear safety policies, establish a visible integrated risk approach, measure how well the safety system is working and then train and communicate safety and risk information throughout the company. These high-level functional categories provide a critical and firm foundation to guide the long-term implementation of safety management in any safety critical industry.
Using the ICAO framework as a guide, a proposed generic SMS for ship operations was developed (Figure 3) which integrates the best ideas of the marine ISM requirements with the clearer guidance from the airline industry. A crucial aspect is the integration of risk management and safety assurance as part of the requirements. The author used this framework to create the template for the STAMP analysis of the ferry and cruise ship companies being analysed. This comprehensive framework helped guide the STAMP process and ensured that all elements of the control structure in the company were assessed.
Figure 3 is the author's proposed merging of the ISM Code's SMS components into a framework based upon the airline's ICAO format. This new generic format for a maritime SMS should be a significant improvement due to the integration of risk into the SMS, and improved safety assurance and safety promotion.

SMS
The STAMP definition earlier in this section, "Risk is defined in terms of the effectiveness of the controls used to enforce safe system, i.e., the design and operation of the safety control structure", provides the guidance on the proper use of risk in safety critical industries and supports the integration of risk into the SMS. The ICAO's separate section on Risk Management reflects the elevation of hazard identification and risk assessment and mitigation into the core of the SMS. A recent extensive review of SMS literature (Li & Guldenmund, 2017) shows a similar set of factors, including risk, created by looking across a large number of industries. Their analysis using a Plan-Do-Check-Act approach supports the high level set of functions in the ICAO guidance.

METHODOLOGY
The overall methodology is to study the safety and risk management approaches of two cruise ship companies and two ferry ship operators by using STAMP. STAMP treats safety as a dynamic control problem. The author uses STAMP to create a model of the safety and risk management structure of each company. This model is constructed from organizational information, ship operations directives, the SMS and RMS implementation documentation and various reporting information, like risk and audit information flowing between layers of the organization.
STPA is a tool that can be used to analyse organizational structures, like safety management, by tracing from potential accidents, to hazards and then generating a set of requirements for safe operations and a corresponding set of performance indicators. The recent past accident, incident and near miss statistics are then analysed to establish a baseline case. A future step in the process is for the company to fix the gaps and to implement and track a set of indicators generated by the STAMP analysis. Over a time period the impact of these changes can be assessed by looking at the accident and incident data.
The maturity of the ERM approach will be determined using the five-level assessment described earlier (Table 1). Then, when multiple companies' worth of information is available, an analysis will be performed to ascertain whether companies with more mature risk management exhibit a better safety record. If all companies analysed exhibit similar levels of risk maturity, then either additional companies must be analysed, or if all the companies have low risk maturity levels, then an alternative is to track their performance over time to determine whether or not improving their risk management yields improved safety performance.
It is clear that the interweaving of risk and safety in the airline's SMS Regulation, as indicated by the inclusion of a separate area focused on Risk Management, creates an environment where hazards and risks are integral drivers in identifying where potential unsafe operations may occur. The recent paper of  uses STAMP to analyse the maturity of SMS for airline companies. That paper addresses a process for individual companies to self-assess the maturity of the SMS of their organization by measuring the institutionalization, capability and effectiveness of their SMS implementation. This work provides a tool to the airline industry to help understand the maturity of the operation of their SMS. The author used the assessment of the airline's SMS's accidents and hazards to guide the development of these factors for ship operations.
An important concept is that ERM integrates across the various corporate silos reflected in the various organizational elements. Without this integrating function, risks will not be shared amongst parts of an organization and lessons learned in one area will not benefit the whole organization. The understanding gained from analysing a range of ship operating companies will help in driving the development of an idealized risk management approach. For cruise and ferry operators this would include integration of hazard and risk analysis into all areas of ship operations. The resulting information generated on hazards and risks could then be captured as part of the SMS to provide a dashboard type display of the current risk profile of either an individual ship, or the fleet as a whole. Ideally risk will be integrated into the day to day operations of every ship in the cruise or ferry company's fleets.
The STPA process was implemented for analysing this first ferry operator's safety and risk management approach by following the guidance in the recent STPA Handbook (Leveson and Thomas, 2018). Figure 4, from the Handbook, provides the framework for applying the STAMP/STPA process to an organization.
Requirements and constraints of the ferry company's safety control structure and risk management process were developed from fundamental safety-related documents, operation manuals, management policies and interviews with company staff.
The STPA process starts by identifying the accidents and hazards that the SMS and RMS system are designed to prevent.

Accidents:
System accidents:
SA-1 Ship is lost, or sustains major damage.
SA-2 Loss of life on a ship, at a port facility, or on a shore excursion.
SA-3 Ship release of hazardous materials causes damage to environment.
Safety Management System (SMS) accidents:
SMSA-1 SMS fails an audit, implying a weak safety process (i.e. the type of findings that indicate poor SMS design and implementation and can lead to suspension of operating license).
SMSA-2 SMS fails to identify risks.

Requirements:
System Level Requirements:
SR1: Ship shall maintain safe distance from other moving or stationary objects.
SR2: Ship shall not be operated in areas that could lead to grounding.
SR3: Ship design and operation shall prevent fires.
SR4: Ship design and operation shall prevent crew and passenger injuries at sea, in port or shore.
SR5: Ship design and operation shall prevent toxins being released to the environment at sea and in port.
SMS Requirements:
SMSR1: SMS shall be designed according to standards.
SMSR2: RMS shall be implemented in accordance with company policy and risk management plan.
SMSR3: The SMS and RMS shall be well integrated.
SMSR4: The SMS and RMS shall be suitable for the organization.
SMSR5: The SMS and RMS shall be effective.
The next step is to develop the organizational control structure. Figure 5 shows a simplification of the detailed control structure created for this ferry company. In the detailed control structure diagram, the roles and responsibilities were captured based on the type of documentation flowing between the various entities. Figure 5 models the controllers, the controlled process and the control flow between them (as control actions and feedback). The safety and risk control actions and feedback typically manifest in the form of documents such as standards, manuals, reports, etc.
The first outcome was to identify the gap areas where the elements in the generic SMS were void of any control flow or feedback documentation. Following that, the set of system and safety requirements that were the most probable to occur were analysed. This subset of requirements and safety indicators was used to create a set of requirements and proposed indicators for each controller within the structure. Each controller was then asked to rank the set of requirements and indicators as to their importance. This is a work in progress. When such a large number of UCAs were generated, the author met with the Risk Manager at the company to discuss how to review this amount of information. The Risk Manager took the time to review the entire package and used his understanding of the organization to recommend a subset of the findings. The author conducted a similar review. These results were combined and are currently being provided to all the various controllers to have them verify the priority based on their experience. Over time the expectation is that they will review which additional indicators should be added and tracked. The thought is this "experiment" will be a learning process over the next two to three years. The results of the complete STAMP analysis are available in a data base for each controller, so no information is lost.
The completion of this work is really a question of work load as to how many things can be tracked.
From the author's perspective this is not much different than the airline SMS's maturity tool using company personnel to rate the maturity of a particular area being assessed from 0% to 100%. Both approaches rely on company Subject Matter Experts (SMEs) to provide the insight into each area. In the author's situation, no UCAs are being deleted, they are still available to be reviewed and used, but the company must help determine which ones are critical and which ones are important.
The final step in the process was to analyse the accident, incident and near miss data to determine possible linkage to a specific control function in the generic SMS, and establish the base rate of accidents to measure future improvements.
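The gap check described above (finding elements of the generic SMS that have no control flow or feedback documentation) can be sketched in Python. This is an added example, not code or data from the paper: the controllers, documents and links are constructed, and the four element names follow the ICAO-style functional areas named in the introduction.

```python
from collections import defaultdict
from dataclasses import dataclass

# Functional areas of the generic SMS (ICAO-style grouping from the introduction).
SMS_ELEMENTS = ("Safety Policy", "Risk Management",
                "Safety Assurance", "Safety Promotion")
KINDS = {"control", "feedback"}


@dataclass(frozen=True)
class Link:
    source: str    # entity issuing the document
    target: str    # entity receiving it
    kind: str      # "control" (downward) or "feedback" (upward)
    document: str  # document that carries the control action or feedback
    element: str   # generic SMS element the document supports


# Constructed sample control structure; not the ferry company's real data.
LINKS = [
    Link("Board", "CEO", "control", "Safety policy statement", "Safety Policy"),
    Link("CEO", "Board", "feedback", "Annual safety report", "Safety Policy"),
    Link("CEO", "Fleet Manager", "control", "Operations directive", "Safety Policy"),
    Link("Fleet Manager", "CEO", "feedback", "Monthly operations report", "Safety Policy"),
    Link("Risk Manager", "Fleet Manager", "control", "Risk assessment procedure", "Risk Management"),
    Link("Fleet Manager", "Master", "control", "Training plan", "Safety Promotion"),
    Link("Master", "Fleet Manager", "feedback", "Drill and training record", "Safety Promotion"),
]


def uncovered_elements(links, elements=SMS_ELEMENTS):
    """Map each SMS element to the kinds of documentation it lacks entirely."""
    seen = defaultdict(set)
    for link in links:
        seen[link.element].add(link.kind)
    return {e: sorted(KINDS - seen[e]) for e in elements if seen[e] != KINDS}


def open_loops(links):
    """Control actions whose recipient returns no feedback for the same element."""
    feedback = {(l.source, l.target, l.element) for l in links if l.kind == "feedback"}
    return [l for l in links if l.kind == "control"
            and (l.target, l.source, l.element) not in feedback]


def unreviewed_by(links, controller, elements=SMS_ELEMENTS):
    """SMS elements for which `controller` receives no feedback document."""
    received = {l.element for l in links
                if l.kind == "feedback" and l.target == controller}
    return [e for e in elements if e not in received]


if __name__ == "__main__":
    print("Elements lacking documentation:", uncovered_elements(LINKS))
    print("Open control loops:", [l.document for l in open_loops(LINKS)])
    print("Not reviewed by Board:", unreviewed_by(LINKS, "Board"))
```
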

ANALYSIS
The company analysed was a moderate size ferry operator. An assessment of the ERM maturity was made by analysing the risk management documentation and process currently being used against the COSO maturity levels. No formal tool was used. The Risk, Audit and Shore staff were interviewed to determine which elements of the COSO maturity level artefacts were being generated and used by the various control levels in the company. This led to a determination that the organization was at a maturity level of approximately Level 2.5.
The control structure of the organization was created via interviews and by reviewing corporate documentation. Eleven different controllers located through the various layers of the company were interviewed to verify the control actions taken and the feedback provided. The STPA analysis generated 103 control actions performed by 27 controllers, with a corresponding 376 Unsafe Control Actions (UCAs) that generated 1128 requirements and indicators. Considering the sheer number of UCAs, a Microsoft Access data base was created to track the interactions between the controllers. Further, in a meeting with the company it was decided to qualitatively prioritize the large number of UCAs by looking at each case generated and determining the likelihood of that case actually occurring. This was done by having each of the eleven controllers review their list of UCAs and assess their likelihood of occurrence from 1 to N. Based on this approach, a total of 114 requirements and 121 indicators were developed and presented to the company.
The existing company safety and risk policies, ship operations manuals, operational reports and status briefing materials were used to generate the control actions taking place between the various controllers in the control structure. By using the generic SMS control framework for the STPA analysis, one of the immediate results was to see certain gaps in the current company's safety and risk processes. Examples of these are the weakness in the risk process, the lack of a methodology to measure and improve the safety assurance of the SMS and the lack of review by senior management.
The company's accident, incident and near miss data was reviewed from the records for 2014 to 2018. Almost 3000 entries were reviewed. Figure 6 illustrates an analysis of the 322 accidents that took place during one year. These incidents point to certain weaknesses in the control structure, which are highlighted with a red connecting line in the generic control structure shown in Figure 5. Further analysis of all the accident, incident and near miss data is underway; the plan is to analyse all five years' worth of accident and near miss data to determine a linkage to leading type indicators. The goal of this analysis is to map the indicators identified through the STPA procedure to create a set of key performance indicators that can be used to improve the safe operation of the fleet and reduce the accidents, incidents and near misses. The ferry operator will then modify their current key performance indicators and determine whether the accident and near miss events decrease over time.

CONCLUSION
STPA provides a structured framework to ensure all elements of a robust SMS are in place for safe ship operations. Using STPA on an existing ferry operator's safety and risk management process revealed a number of gaps in their current approach, and generated a detailed set of requirements and indicators for each controller in the process to review. By comparing these requirements and indicators, that are linked to known hazards, the current set of policies and safety management procedures can be compared to a more structured, idealized methodology, then updated accordingly.
The proposed generic SMS provides a strong framework for the STPA model to assess the risk and safety management at ship operating companies. When the STPA results are combined with an assessment of the maturity of the risk management in place, a clear understanding of the current safety and risk culture is generated.
The recent paper  used STAMP to create a tool for airlines to measure the maturity of their SMS. STAMP was used in both this reference paper and here to analyse the SMS system of a safety critical transportation industry.  used the STAMP analysis to create a tool to determine the maturity level of the SMS at any airline. In this study, STAMP is used by the author to assess the SMS of cruise and ferry operators and determine a comprehensive set of requirements and performance indicators that should be tracked to improve the safe operation of each company. Both approaches used a similar set of SMS accidents and hazards, but the  paper generates a numerical maturity assessment, whereas the author's approach in this paper generates requirements and performance indicators. The next step in this work is to finish reviewing all the accident information to try and establish a tight link to the STPA set of requirements and indicators. The goal is to create a focused set of key performance indicators that can be used by the company to achieve safer ship operations. This initial work establishes one data point for the safety and risk management of one ferry operator. The plan is to apply this same process to three more ship operation companies, then apply the updated set of indicators and take data to see if the hypothesis is proven that better, more mature risk management produces a better safety record. Additional future work is planned to look at the financial performance of the companies analysed to see if better risk management helps improve the financial performance of ship operations.
One of the strengths of using the STPA process is that a very complete set of CAs and corresponding UCAs are created. In the case of this moderate sized ferry operator, the total number of loss scenarios, system requirements and system indicators were over 1,000. Additional work is needed to assess which of these scenarios and corresponding requirements and indicators are the critical or key ones for the company to track and try to use to improve the safe operation of its fleet. There is recent work trying to address this issue by Karanikas & Chatzimichalidou (2018). Their paper proposes the use of continuous values for the behaviour of system components along with a weighting of each component relative to its hierarchical level in the organization. It also considers the outgoing connections of each component with other system components. Karanikas (2018) looked at the level and type of assumptions being made during the STPA analysis. In future work, these approaches can provide guidance as to how to interpret the results from the STPA analysis. For this initial assessment of the ferry company, the author used feedback from the various controllers to make the first determination of what factors to track, but this resulted in a low percentage of the controllers' actions being used. Investigations of the impact of where in the organization the controlling action occurs should be further assessed to determine if a weighting scheme should be applied. This is an area where additional work needs to be accomplished so that seemingly lower priority factors that can potentially create unsafe conditions are not ignored.