MSc in Safety Critical Systems Engineering
Certificate in System Safety
Hazard and Risk Assessment (HRA)
This assessment contains 3 questions. You should answer all parts of all three
Question 1 [16 marks]
NB: Although this question refers to a genuine development proposal, please do NOT
contact Clydefast, Stagecoach Ltd., or any of the individuals named in the background
material. You should tackle this question using the information provided in the
question, and in publicly-available reference sources.
The two articles reproduced below appeared in the Scotsman and on the BBC web
site in March 2008. They describe proposals for a hovercraft ferry service on the river
Published Date: 11 March 2008
Source: The Scotsman
Businessman's dream of Clyde hovercraft service goes on trial
By ALASTAIR DALTON
HOPES of returning hovercraft to the Clyde after a gap of 35 years were raised yesterday
with the start of a three-day trial.
Alistair Macleod, a businessman, saw his long-held dream of running fast maritime
transport into Glasgow city centre take a step forward when the 12-seat craft began private
The chief executive of Clydefast hopes to launch an hourly, 130-seat hovercraft link
between Dunoon and Glasgow within two years. He said the service was expected to take
52 minutes – 20 minutes faster than by ferry and train. It would also be extended to
Rothesay on Bute, adding an extra 15 minutes.
He said a 38-minute trip from Greenock to Glasgow may even be possible, compared with
30-42 minutes by train. A trial run yesterday between Port Glasgow and the Clyde Arc – the
so-called squinty bridge – near the Scottish Exhibition and Conference Centre in Glasgow,
took 30 minutes.
The hovercraft could not travel further towards its planned final destination at the
Broomielaw in the city centre because of bridge repairs. It is expected to operate at about
45mph in the lower Clyde and about 30mph in Glasgow.
However, sceptics doubted there would be sufficient demand and said trains offered faster,
cheaper and more frequent journeys.
Mr Macleod masterminded last year's Kirkcaldy-Edinburgh hovercraft trial for Stagecoach.
He is using the smaller craft the transport firm hired for further tests in the Forth last month
for the non-passenger Clyde trials.
Like Brian Souter, Stagecoach's chief executive, Mr Macleod has turned to hovercraft after
experiencing delays with original plans to operate fast ferries in the Forth and Clyde
However, both still face funding challenges, with public subsidy likely to be required for
them to take to the water.
While Mr Souter halted preparatory work on a cross-Forth link last month in a row over
funding uncertainties, Mr Macleod has also still to secure financial backing for his venture.
He said talks were continuing with the public-private co-ordinating body Strathclyde
Partnership for Transport (SPT). He said of the trial: "It will, hopefully, demonstrate the
potential for a permanent hovercraft operation to be brought to the Clyde."
However, Neil Kay, an economics professor at Strathclyde University, doubted a hovercraft
could fit under the Clyde Arc bridge. Prof Kay is also convinced such a service is not
commercially feasible, as it would have to compete with parallel roads and railways. He
said trains offered commuters a far more attractive and flexible service.
Ron Culley, the chief executive of SPT, said: "Development of the Clyde as an additional
transport channel helps the ongoing regeneration of the area."
Hovercraft last operated on the Clyde in 1972, when the Caledonian Steam Packet Co, a
forerunner of CalMac, scrapped a service between Largs and Cumbrae after two years due
to mechanical problems and passenger discomfort.
A previous service between the main Clyde resorts was operated in 1965-66 by Clyde
Hover Ferries, but it lost money heavily, and blamed bad weather.
Last Updated: Monday, 10 March 2008, 09:20 GMT
Clyde hovercraft trial under way
Hovercraft trials on the River Clyde in Glasgow could see some journeys being cut by up to
20 minutes, operators claim.
A permanent service would involve hovercraft with a capacity of up to 130 passengers,
which could travel in the open seas at speeds of up to 40 knots.
The three-day trial, by Clydefast Ltd, will involve a Griffon 2000TD 12-passenger
Hovercraft were last seen in regular use on the Clyde in the late 1960s.
Two trips per day will run between the SECC pontoon in Glasgow, Braehead, East India
Harbour in Greenock and Dunoon.
It will allow the Clydeport Harbourmaster the chance to assess the potential impact of a
regularly operated service.
It will also give investors and local authorities the chance to experience for themselves
what a hovercraft can offer in terms of alternative transport.
Alistair Macleod, chief executive of Clydefast, said: "It will hopefully demonstrate the
potential for a permanent hovercraft operation to be brought to the Clyde.
"The service will be fast. A service from Dunoon to Glasgow will reach the city centre in 52
minutes, over 20 minutes quicker than the present journey time of an hour and a quarter."
He added that Rothesay would be included in a permanent operation which would add a
further 15 minutes to the journey.
Another bonus in using the hovercraft would be its ability to navigate through bridges which
do not open, according to Mr Macleod.
Some of the current Clyde bridges restrict catamaran ferries getting directly to the city
Councillor George Ryan, of Glasgow City Council, said he "welcomed the opportunity to
demonstrate how the river can be utilised for regular passenger services".
Ron Culley, chief executive SPT, said the trial and the development of the Clyde as an
additional transport channel helps the ongoing regeneration of the area.
He said: "By encouraging varied and fun ways to travel along the river, we can continue to
make Glasgow a vibrant location for people to visit."
A hovercraft which was trialled across the Firth of Forth was used by more than 8,000 in
less than a week last summer.
(i) [6 marks]
Using tables like those below, define hazard severity and probability categories
suitable for assessing the risks of the proposed hovercraft ferries. You do not
have to define five categories of severity and probability; if you think it is
appropriate to define more (or fewer) categories, then you should do so. You
may also change the titles of the categories if you believe that those suggested
below are inappropriate in this context.
Explain and justify your categories, taking particular care to show that you have
given appropriate consideration to the range of people who might be exposed to
hazards from the hovercraft operations.
Severity Category | Definition
Probability Category | Definition
Using the hazard risk classifications
A – Intolerable
B – Undesirable, and tolerable only where the costs of reduction are
grossly disproportionate to the improvement gained
C – Tolerable if the cost of reduction would exceed the improvement
D – Broadly acceptable
and a table like the one below, complete a Hazard Risk Matrix for the proposed
hovercraft ferry services, using the severity and probability categories you have
defined. Obviously, if you have changed the number of probability or severity
categories, you will need to change the size of the matrix.
Again, explain and justify your Hazard Risk Matrix, describing the factors you
Catastrophic | Critical | Major | Minor | Negligible
Do you think any of your tables are likely to change if the suggested extended
route to Rothesay is implemented, or if additional routes are added in future
years? If so, what do you expect to change and why? If not, why not?
(ii) [3 marks]
Using one of the hazard identification methods presented in the module, identify
potential hazards posed by the hovercraft ferry operations. Ensure that you state
clearly who is at risk from each hazard.
(iii) [3 marks]
Use the tables you developed in part (i) to assess the hazards you identified in
part (ii). Can you produce a complete assessment? If not, why not? What
additional information would be required? How could the tables be used most
effectively at this very early stage of the lifecycle?
(iv) [4 marks]
How do the tables you have developed in parts (i) and (ii) relate to ALARP
principles? How should tables like these be used as part of an ALARP safety
Question 2 [18 marks]
Figure 1 shows a schematic of a domestic rainwater harvesting system. The system
captures, filters and stores rainwater, which is used without further processing for
flushing toilets, the washing machine and garden taps; an ultra-violet treatment unit
provides sterilised water for drinking, cooking and personal washing. The operation of
the system, and the functions of the components, are as follows:
Rainwater is collected from the roof, and flows via the gutters and downspouts (1) to
the WISY vortex filter (2). The WISY filter removes impurities such as moss, leaves
and bird droppings; approximately 10% of the water is used to wash the impurities
away to waste, and the remaining clean water flows into the storage tank (3), which it
enters via the smoothing inlet (4) to ensure that it does not stir up any settled
sediments in the tank. The tank itself is a plastic tank, set underground so that it is
protected from extremes of temperature and not subjected to sunlight, and encased in
reinforced concrete for mechanical protection. It has an access (6), so that the
householder can clean out the tank and maintain the pump. If the tank is already full
when rain falls, the overflow (5) is directed to waste via a trap with an air gap so that
backflow from the drains cannot contaminate the stored clean water.
Water from the underground tank is moved into the house by the submersible pump
(7). The pump’s floating intake filter (8) also helps to ensure that any sediment in the
tank is not disturbed, and a float switch (9) prevents the pump operating if the tank is
empty. The pressure hose (10) enters the house via an underground duct (11), which
also carries the power supply to the pump. The supply from the pump is fitted with a
non-return valve (13).
In the house, the supply is taken to the header tank (14). The level of water in this tank
is monitored by the electrical float switch (15), which signals the pump to turn on via
the control panel (12) if the level of water in the header tank is too low.
Water from the header tank may be used directly for applications where absolute
purity is not required, such as flushing toilets (16), for garden taps or in washing
machines. For drinking and personal washing, water from the header tank is first
passed through a fine filter (17) and an ultra-violet steriliser (18) before being supplied
to kitchen taps (19), baths and showers. The householder must change the fine filter
every 3 months, and the lamp in the UV steriliser must be changed every 6 months.
Figure 1 – Domestic Rainwater Harvesting System
(i) [2 marks]
Using one of the PHI checklists provided in the module notes, identify the
primary hazards of the rainwater harvesting system.
(ii) [6 marks]
Carry out a HAZOP study of the rainwater harvesting system. Ensure that your
study clearly identifies:
- Which flow(s) are being considered
- Potential deviations from correct behaviour
- Effects of these deviations
- Possible causes of these deviations
- Which deviations are potentially hazardous
- Existing features of the design of the system which will eliminate, control or mitigate the potential hazards
- Any recommendations you may have for further (safety-related) improvements to the system design.
NB: This analysis clearly has the potential to become very large. In presenting
your answer, it is acceptable to select the most interesting results from your
analysis. However, you must clearly state that you have chosen to do this, and
summarise what you have omitted.
(iii) [5 marks]
Carry out a Functional Failure Analysis of the rainwater harvesting system.
You should use a standard FFA (i.e. consider “function not provided” / “function
provided when not required” / “function provided incorrectly”). You need not
consider possible causes of the functional failure conditions you identify, but
you must describe the effects of the failures, and clearly identify which (if any)
failure conditions are potentially hazardous, and note where hazard mitigation
already exists in the design of the system.
(iv) [2 marks]
Consider what results you would expect to obtain from a Naked Man analysis of
this system (i.e. by studying the behaviour of the system without the hazard
control and mitigation features you identified in parts (ii) and (iii)). There is no
need to carry out a full Naked Man analysis, though you should include a few
illustrative examples in your answer.
(v) [3 marks]
Discuss the relationship between the investigation and analysis techniques you
have applied in parts (i) to (iv). Your answer should include discussion of (at
- The effectiveness of the techniques in improving your understanding of the system, and in identifying hazards
- How well the techniques integrated with each other (or didn’t!)
- The time and effort involved
- Which technique (or combination of techniques) you would recommend for analysis of similar systems in future.
Question 3 [16 marks]
NB: Although this question refers to a real visitor attraction, please do NOT contact
Kelly Tarlton’s Antarctic Encounter and Underwater World. You should tackle this
question using the information provided in the question, and in publicly-available
reference sources. Also note that some information in this question has been changed
to make it more suitable for the purposes of this assessment; in case of conflict, use
the information provided here.
Kelly Tarlton’s Antarctic Encounter and Underwater World
(http://www.kellytarltons.co.nz) is a popular visitor attraction in Auckland, New
“Underwater World” is a very large seawater aquarium, containing sharks and many
other marine species, which visitors view from underwater from an acrylic tunnel.
“Antarctic Encounter” is a recreation of an Antarctic environment, inhabited by large
colonies of King and Gentoo penguins. To allow visitors to observe the penguins at
close quarters without disturbing them or risking introducing disease, visitors observe
the penguins from “snow-cat” vehicles, which are automatically guided on a track
around the perimeter of the exhibit.
The plan on the following page adds extra detail to the visitor sketch plan provided on
the Kelly Tarlton web site, and should be used as the basis for this question.
Imagine that, rather than actually existing, the information you have available
describes a proposed new attraction.
(i) [2 marks]
Define a Zonal Hazard Analysis (ZHA) procedure appropriate to the
Underwater World / Antarctic Encounter visitor attraction.
(ii) [6 marks]
Apply the ZHA procedure you defined in part (i) to the Underwater World /
Antarctic Encounter attraction as described in the plan on the following page.
(iii) [4 marks]
Based on your analysis in part (ii), make recommendations for safety features
to be included in the design of the attraction, and in its operational procedures.
(iv) [4 marks]
Select two of your design recommendations, and outline how you would use
them in an ALARP argument for the new attraction.
1 Entrance via ramp and stairs from Tamaki
2 Penguin viewing area
3 Ticket office / general office
5 Antarctic (penguin) exhibit. Refrigerated environment. Artificial island, surrounded by pool. Refrigeration plant room under island. Visitors access exhibit in electrically-powered snow-cat vehicles, which travel on guided tracks around perimeter of exhibit. Cold air retained by plastic flaps over all doors when
6 Garage/workshop for snow-cat vehicles
7 Scott’s Hut walk-through exhibit
8 Staff room
9 Queue/boarding area for snow-cat ride
10 Catering kiosk
11 Interactive (children’s play) area
12 Stingray bay exhibit. Open seawater tank with acrylic viewing windows in sides.
13 Plant room, containing air conditioning and heating for public areas, filtration and pumping equipment for seawater tanks
14 Ramp down
15 “Theatre”. Open area used for talks and
16 Underwater world. Underwater acrylic tunnel through seawater tanks containing sharks and other exhibits. Slow-moving electrically powered moving walkway along centre of tunnel; visitors can step off walkway onto static floor at any point.
17 Fish alley. Large collection of aquaria containing freshwater and tropical fish species
19 Cinema, mainly used for showing films of
20 Plant room containing heating and air conditioning equipment for fish alley, classroom, cinema and gift shop
21 Gift shop
22 Exit via ramp and stairs to car park
1. The marking criteria at http://www.cs.york.ac.uk/MSc/SCSE/assessments/marking-criteria.html will be applied to this assessment.
2. There is an overall page limit of 20 sides of A4, including any tables or figures you
choose to include. Excess pages will be ignored in marking. Contents pages and
bibliography are counted in this limit. If you find you have generated too much
material, you should present the most interesting results, and summarise the
material you do not have room to submit.
3. This assessment is intended to take 35 hours to complete. You should use the
marks allocated to each question as a guide to how much time to spend / space to
use on each part.
4. To answer the questions fully, you may need to undertake some additional reading
research. It is important to include with your answer a bibliography listing your
sources and, when quoting, to make clear what is being quoted and cite the
5. Queries about the interpretation of questions in this assessment should be emailed
to David.Pumfrey@cs.york.ac.uk. NO guidance will be provided on the expected
answers to questions. The last date for such queries is Friday 19th December, and
no queries will be answered after this date.
6. Candidates are advised to visit the course web page
(http://www-course.cs.york.ac.uk/hra/) regularly. All queries which are answered
will be posted on this web page. The assessment paper itself is also available
online on the same web page.
7. In addition to studying the queries and responses on the course web page,
candidates are advised to look at the Assessment FAQ
there are a number of useful questions and answers on general examination
8. This paper contains diagrams which may be of use in your answer. You are
welcome to copy and modify (either by photocopying or electronically) figures etc.
from the paper. The figures were drawn in Visio 2002.
This paper will be made available (in Word 2003 .doc and .pdf formats) at:
Candidates who do not have access to the internet may request copies of the
paper on CD or memory stick from David Pumfrey immediately after the course
finishes on Friday 21st November.