Quite a few issues of safety, in the yachting world, come down to the preferences of the skipper and crew. There will never be universal agreement on how (or if) to use tethers, or on where a life raft should be kept, or on whether an extra EPIRB is a better investment than an AIS-B transponder upgrade.
We can, however, apply some general principles of risk analysis and risk mitigation at the design stage. The maritime world already has some ways of figuring this out, but for today, I think I'll shake things up a bit with some principles from a different field: ionizing radiation.
Much of my risk analysis background is from the field of radiation safety. This is, in Canada and the US, a pretty conservative field; you always- ALWAYS- err on the side of caution. We will generally accept compromises in the efficiency of the day-to-day workflow if it means that we're better prepared for an emergency. While this may not always be the case aboard ship, it's interesting to think about how the principles carry over.
In radiation work, this is an acronym for "As Low As Reasonably Achievable". It's usually used with respect to radiation dose, but can apply to any risk. The principle states that you should always keep a risk factor as low as reasonably achievable, taking economic and practical considerations into account.
For example, it may take a \$300,000 shielding structure to keep the radiation dose rate around a \$3 million machine low enough to comply with regulatory limits. Adding an extra 20 cm of concrete to this structure might reduce the dose rate to one-tenth of that, at an extra cost of \$40,000. According to the ALARA principle, the extra shielding- which adds about 1.2% to the cost of the whole facility- is a good idea, as it reduces both the risk to the workers and the risk of breaking regulations (and having to make expensive repairs) if the shield doesn't work quite as well as simulations had predicted.
Adding \$120,000 for three times the extra shielding, though, would be getting unreasonable; this investment would take you from 1/10 of what the regulators consider to be a "negligible" risk to 1/1000 of that. The money would be better spent elsewhere.
The same idea can apply in marine design. Consider a cruising sailboat, built of aluminum, whose hull plating is required by the scantling rules to be at least 6 mm thick. We could go to 9 mm plating, which is over three times stiffer and 50% more difficult to tear open. This would add about 250 kg to a 10-tonne boat, along with an extra \$1000 or so in raw materials and a dozen or two extra hours of labour (the thicker plate is harder to form into curves). Relative to the quarter-million-dollar price of the boat, and the risk of losing the vessel (or at the very least losing a few months of crusing) if she is holed on a rock or in a collision, the stronger plating is fairly easy to justify as long as we can accept the weight penalty. We should not, however, go overboard and add an extra tonne or two of armour to every boat. The compromises in performance would likely outweigh the increasingly marginal gains in safety as the risk of hull damage becomes small compared to the many other risks aboard ship.
A similar argument can be made in many aspects of cruising boat design. Because we can reasonably achieve a reduction in a certain risk by making a part stronger, or of a better material, we can justify the extra cost of the upgrade with the reduction in the odds that the part will fail and kill us in mid-ocean. We should not, however, pour resources into intense mitigation of one risk when there are other, more probable hazards that could be attacked more economically.
Defence In Depth
The concept of defence in depth is at the core of every nuclear safety program. Essentially, it says: Assume everything's gone to pot and all the other safeguards have failed. How do we continue to ensure safety?
The narrative, for a nuclear power plant, looks something like this:
Engineer 1: "So the primary core cooling pump fails. Now what?"
Engineer 2: "The backup pump is already on hot standby and takes over."
Engineer 1: "A rat chewed through the power cable and shorted out the backup pump. Now what?"
Engineer 2: "The reactor scrams (emergency shutdown)."
Engineer 1: "The control rods jam halfway down and the reaction's still going. Now what?"
Engineer 2: "We release pressurized gadolinium nitrate into the reactor to absorb the neutrons."
Engineer 1: "There's a leak in the pipe and the gadolinium sprays into the basement instead. Now what?"
And so on. For every possible thing that could break, you figure out what will pick up the slack to keep things safe and under control. Then you figure out what'll happen if all the backups fail. And the backups to the backups.
Applying this to a yacht, we might consider what happens after a collision.
The first layer of defence is a strong, sturdy hull that's able to survive many collisions.
The second is a watertight bulkhead to keep most of the boat dry and floating after the forepeak's been breached.
The third is a crash pump to clear out the water when the damage extends past the bulkhead.
The fourth is a crash mat or chunk of sailcloth the crew can wrap around the outside of the hole to hold off the incoming water.
The fifth layer is an axe, some plywood, screws and sealants that can be used to get to the inside of the hole and temporarily patch it up.
The sixth layer is a dinghy ready for quick launching.
The seventh is a properly packed, well-maintained life raft with a fully charged EPIRB and handheld VHF.
- Focus your resources on the biggest risks first.
- While the boat's on the drawing board, risk mitigations (eg. heavy plating, watertight bulkheads) can be added at very low marginal cost relative to their potential benefit.
- Always have a backup plan to the backup plan for every contingency.