ArticlePDF Available

Risk Assessment for an Unmanned Merchant Ship

Authors:
Ørnulf Jan Rødseth at ITS Norway
Ørnulf Jan Rødseth
  • ITS Norway
Hans-Christoph Burmeister
Hans-Christoph Burmeister
Hans-Christoph Burmeister
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Download full-text PDF
Read full-text
Download citation

Abstract and Figures

The MUNIN project is doing a feasibility study on an unmanned bulk carrier on an intercontinental voyage. To develop the technical and operational concepts, MUNIN has used a risk-based design method, based on the Formal Safety Analysis method which is also recommended by the International Mari-time Organization. Scenario analysis has been used to identify risks and to simplify operational scope. Systematic hazard identification has been used to find critical safety and security risks and how to address these. Technology and operational concept testing is using a hypothesis-based test method, where the hypotheses have been created as a result of the risk assessment. Finally, the cost-benefit assessment will also use results from the risk assessment. This paper describes the risk assessment method, some of the most important results and also describes how the results have been or will be used in the different parts of the project.
Figures - uploaded by Ørnulf Jan Rødseth
Author content
All figure content in this area was uploaded by Ørnulf Jan Rødseth
Content may be subject to copyright.
Content uploaded by Ørnulf Jan Rødseth
Author content
All content in this area was uploaded by Ørnulf Jan Rødseth on Oct 07, 2016
Content may be subject to copyright.
357
1 INTRODUCTION
TheMUNINproject1isdevelopingaconceptforan
unmanneddrybulkshipofaround50000tonsdead
weight.Thestartingpointisaconventionalbulker
withasingleengineandpropellerandotherwise
normalonboardequipment.Topreparethisshipfor
unmannedoperation,theconceptproposesnew
sensorsystems,newtechnicaloperationand
maintenanceprocedures,autonomousnavigation
functions,anewshorecontrolcentreandother
componentsasdescribedinBurmeisteretal.(2014b).
1TheMUNIN(Maritimeunmannedshipsthroughintelli
genceinnetworks)projecthasreceivedfundingunderthe
EuropeanUnion’s7thFrameworkProgrammethroughthe
agreementSCP2GA2012314286.Seewww.unmanned
ship.org.
Astheprojectisaconceptstudy,noactualtrials
willtakeplace.However,toshowthefeasibilityof
theconcept,ithasbeenimportanttoidentifythe
mostcriticaltechnological,operationaland
legislativefactorsthatmaybeobstaclestothe
conceptʹsrealizationandtodemonstratethatthese
factorscanbemanagedsufficientlywelltomakethe
realizationoftheMUNINshiplikely.Furthermore,
theprocessofidentifyingandanalysingthesefactors
hastobedoneinastructuredwaysothattheprocess
andresultscanbedocumentedandtosubstantiate
theclaimthatallsignificantfactorshavebeendealt
with.
Toachievethesegoals,theprojecthasstartedto
developariskbasedmethodfordesignandanalysis
of“industrialautonomoussystems”.Anindustrial
autonomoussystemisdefinedasanautonomous
vehiclethatcanoperatesafelyandeffectivelyina
realworldenvironmentwhiledoingoperationsof
Risk Assessment for an Unmanned Merchant Ship
Ø.J.Rødseth
NorskMarintekniskForskningsinstituttAS(MARINTEK),Trondheim,Norway
H.C.Burmeister
FraunhoferCentreforMaritimeLogistics(CML),Hamburg,Germany
ABSTRACT:TheMUNINprojectisdoingafeasibilitystudyonanunmannedbulkcarrieronan
intercontinentalvoyage.Todevelopthetechnicalandoperationalconcepts,MUNINhasusedariskbased
designmethod,basedontheFormalSafetyAnalysismethodwhichisalsorecommendedbytheInternational
MaritimeOrganization.Scenarioanalysishasbeenusedtoidentifyrisksandtosimplifyoperationalscope.
Systematichazardidentificationhasbeenusedtofindcriticalsafetyandsecurityrisksandhowtoaddress
these.Technologyandoperationalconcepttestingisusingahypothesisbasedtestmethod,wherethe
hypotheseshavebeencreatedasaresultoftheriskassessment.Finally,thecostbenefitassessmentwillalso
useresultsfromtheriskassessment.Thispaperdescribestheriskassessmentmethod,someofthemost
importantresultsandalsodescribeshowtheresultshavebeenorwillbeusedinthedifferentpartsofthe
project.
http://www.transnav.eu
the International Journal
on Marine Navigation
and Safety of Sea Transportation
Volume 9
Number 3
September 2015
DOI:10.12716/1001.09.03.08
358
directcommercialvalueandwhichcanbe
manufactured,maintained,deployed,operatedand
retrievedatanacceptablecost.Thecorresponding
definitionofautonomyisanautomatedsystemthat
hasthecapabilityofmakingindependentsensor
baseddecisionsbeyondordinaryclosedloopcontrol.
Thispaperpresentssomeoftheresultsofusing
thenewdesignandanalysismethodintheMUNIN
projectaswellassomeoftheexperiencesthathave
beengainedthroughthisprocess.
Chapter2givesanoverviewofsomepublished
workonriskbaseddesignforautonomousvehicles.
Chapter3givesabriefoverviewofthedevelopment
methodandfollowingchaptersdiscussthemain
partsofthemethod:Scenariodevelopments(Ch.4),
systemmodularizationandoperationalissues(Ch.
5),hazardidentificationandriskcontrol(Ch.6),
hypothesisformulationandtests(Ch.7)aswellas
designverification(Ch.8).Afewcommentsonthe
comingcostbenefitanalysiscanbefoundin
chapter9.Thispaperconcludeswithchapter10,
summarizingtheconclusionsandexperiencesmade
sofarintheproject.
2 AUTONOMYANDRISKBASEDDESIGN
Anindustrialautonomoussystemmustbeacost
effectivesolutionfortheintendedtasks.“Thefirst
questionanypotentialcustomerisgoingtoaskis:
Canthe[vehicle]dothejob,andifso,atalower
cost?”(Stokeyetal.1999).Thiscertainlyappliesto
industrialautonomoussystems,butevenfor
scientificmissionsthisbecomesmoreandmorean
issue.Whilesciencemaybemorelaxrelativetocost
effectivenessthancommercialindustry,theymay
stillhavetopayfore.g.insuranceorreplacementof
lostvehicles(Griffithsetal.2007).However,thisis
notoftenasubjectofscientificdissertationand
papersonriskbaseddesigncriteriaforautonomous
vehiclesarestillrelativelyrare.
Somepapersarepublished,mostlyinthedomain
ofautonomousunderwatervehicles(AUV).Onewas
referencedabove(Stokeyetal.1999)anditisan
interestingaccountofwhatcangowrongwithan
AUV.Thedetailsarenotofgeneralinterestinthe
MUNINscopeasapplicationareaandoperation
paradigmsarequitedifferent.However,some
generalobservationscanbemade:
1 Humanerroristhemostcommonsourceof
problems.Thisalsoincludesproblemswiththe
softwaredesigninthecontrolstations.
2 Noncomplexhardwareerrors,suchas
connectors,batteryandcalibrationofsensorsand
algorithms,arealsoamajorcauseofproblems.
Thereisnoreasontobelievethatthispatternwill
bemuchdifferentforothertypesofvehiclessoit
confirmstheideathatariskbaseddesignprocess
maybeagoodchoice,butalsoemphasizesthatthe
riskanalysishastofocusasmuchonʺtrivialʺhazards
asonthemorecomplexandintellectually
challenginghazardsrelatedtotheautonomyofthe
system.
Anotherpaper,(Griffithsetal.2003)focuseson
riskbaseddesign,butstillwithanAUVascase.It
presentsapragmaticapproachtosafety,focusing
partlyonproblemsthatareknownbyexperienceto
haveahighprobabilityandpartlyonsimplifying
physicaldesignsandprogramstokeepcomplexity
undercontrol.Someofthemainrisksidentified
were:
1 Humanerror,directlyorindirectly,accountsfora
highpercentageofproblems.
2 Relativelytrivialphysicalproblems(electronics,
GPSreceiver,mechanical,power,leaksetc.)also
causealargegroupoffailures.
3 Othersignificantproblemsareenvironmental
disturbances(foracoustictransmissions)and
softwareerrors.
Thepaperclassifiesfaultsintoimpactclassesand
performsamorecompleteriskassessment,taking
consequencesofthefaultsintoconsideration.While
thisisoflimitedusetoMUNIN,asthetechnical
domainisverydifferent,itshouldbequitevaluable
tootherAUVdesigners.Oneshouldalsonotethat
statisticalmodelsareproposedforsomeofthefault
classeswhichcouldbeusedformorequantitative
assessmentsofexpectedreliability.Finally,partof
theconclusionisthatThispaperhasshownthatby
gooddesignandthoroughtestingofthe‘significantfew’
systemsthatcouldposehighrisktothevehicle,theoverall
reliabilityoftheautonomousvehicleisnotdominatedby
thecomplexassembliesneededtoprovidethatautonomy”.
Thisisalsoencouragingtootherautonomoussystem
designsasthishasapplicationsnotonlytoAUVs,
butcanbeviewedasageneralstatementabout
industrialautonomoussystems.
AnotherfaultanalysisisdonebyPodderetal.
(2004).Thisfocusesontechnicalfailuresand
determinationofstatisticaldataforquantitative
assessmentofrisk.Theobservationfromthispaperis
alsothatmostfaultsare“trivial”inthesensethat
theydonotoccurinthemorecomplexsensing,
controlanddecisionmakingsoftwaremodulesofthe
vehicle.
In(Britoetal.2010),anoperationalrisk
managementprocessmodelisdescribed.Thisis
partlyaquantitativeapproachwhereexpert
judgementsarepartofthedecisionmakingdataset.
Itdefinesanacceptablerisklevelandtriesto
determineiftherisksderivedfromagivenmission
exceedthislevel.Itisalsotargetedatoperationsin
highriskenvironments,i.e.anAUVoperatingnear
andunderice,andisnotsorelevanttoMUNIN’s
operationalplanning.However,theprinciplesand
methodsdiscussedaremorequantitativeinnature
thanintheMUNINprojectanditwillbeinvestigated
ifvariantsofthemethodologycanbeusedalsointhe
designphaseforindustrialautonomoussystems.
3 THEMUNINAPPROACH
ThehighlevelobjectivesoftheMUNINdesign
processare:
1 Ensureanacceptablesafetyandsecuritylevelfor
ownandothershipsandtheinternational
shippingcommunityingeneral.
2 Minimizeuncertaintyinthemissions’intended
outcomeaswellasinunintendedsideeffects.
359
3 Developacosteffectivesystemthatcancompete
atalevelfieldinacommercialoperational
environment.
Onekeycontributiontothesethreeobjectivesisto
keepthesystemcomplexityaslowaspossible.
Highercomplexitygenerallymeansmorehidden
errors,moredevelopmentworkandhighercost.
Highercomplexityalsoimplieslessdeterministic
missionoutcomes,partlybecausetheautonomous
decisionmakingprocessbecomesmorecomplexand
partlybecauseunintendedsystemerrorsmay
interferewiththeprocessinunexpectedways.To
reducesystemcomplexity,wehavefoundthatavery
effectiveapproachistosimplifythemissionandthe
environmentalconstraintsasmuchaspossible
throughacarefulscenarioanalysis.Thiswillbe
returnedtoinchapter4.
TheriskbaseddesignapproachusedinMUNIN
isbasedontheFormalSafetyAnalysis(FSA)method
fromIMO(2007).ThestructureofFSAisillustrated
inFigure1.Thisistheinternationallyaccepted
methodfordoingcostbenefitanalysisinthe
InternationalMaritimeOrganizationʹs(IMO)rule
makingprocess.Thus,itmakessensetousethisas
baselineasthelegislativeissuesareanimportant
partofthesystemrequirementsforunmannedships.
FSAisalsoemphasizingtheidentificationofcost
effectivemeasurestoensureanʺoptimalʺsafetylevel,
whichisanimportantobjectiveforMUNIN.
Figure1.TheFSAProcess(IMO2007)
Asdiscussedin(Rødseth&Tjora2014),MUNIN
putspartsoftheFSAmethodologyintoaframework
asshowninFigure2.Wereferthereadertothat
paperforadiscussionofthebackgroundand
principlesofthemethodandtheframework.
Figure2.MUNINDesignprocess
Inthispaperwediscusssomeoftheresultsand
experiencesfromtheuseofthemethodology.Eachof
thefollowingchaptersdiscussesoneortwoofthe
steps.
4 SCENARIOBUILDING
Thefirststepundertakenintheanalysisofthe
unmannedshipistodevelopanumberof
operationalscenariosintheformofUML(Unified
ModellingLanguage)usecases.
Theintentionofthisexerciseistodevelopabetter
understandingofthechallengesthatanunmanned
shipwouldbeexposedto,whatsupportfunctionsit
needsandhowtheoperationalprocedureswould
havetobeimplementedtosupportunmanned
operation.Thisisaniterativeprocesswherealsoa
draftphysicalarchitectureisdevelopedandthe
operationalprinciplesarelaiddown.Themain
scenariosdevelopedarelistedinTable1.Theycover
normaloperation(1to8unshaded)aswellaswhat
wasconsideredtobeproblemsthatthesystem
wouldneedtobeabletohandle(9to18shaded).
Table1.MUNINinitialscenarios2
_______________________________________________
1 Openseamodewithoutmalfunctions
2 Smallobjectdetection
3 Weatherrouting
4 Collisiondetectionanddeviation
5 Periodicstatusupdatestoshorecontrol
6 Periodicupdatesofnavigationaldata
7 Releasevesselfrom/toautonomousoperation
8 Manoeuvringmode‐normal
9 Floodingdetected
10 GNSS(GPS/GLONASS)malfunction
11 Manoeuvringmodewithmalfunctions
12 Communicationfailure
13 Onboardsystemfailureandresolution
14 Pilotunavailable:Remotecontroltosafety
15 Piracy,boardingandshipretrieval
16 Ropeinpropeller
17 Openseamodewithmalfunction
18 Unmannedshipinsearchandrescue(SAR)
_______________________________________________
Bydetailinganddiscussingthescenariositwas
possibletoidentifychallengesthatcouldnoteasily
besolvedandwhichcouldleadtothefinalsystem
solutionnotbeingsafeorcosteffective.These
challengeswerehenceforthusedtoadjustthe
operationalcapabilityoftheshiptoavoidorlimitthe
impactoftheproblems.Sometypicalexamplesare:
1 Useofacontinuouslymannedshorecontrol
center(SCC):Thisavoidsexcessiveandexpensive
levelsofautonomywhilealsoproviding
immediatebackupincaseswhereonboard
systemsfailorareunabletosolveproblems
satisfactorily.
2 Limitunmannedoperationtodeepseaareasand
placecrewonboardforportdepartureand
approach:Thisavoidslegalproblemsintheport
andcoastalstatewatersaswellasavoiding
complexautonomousnavigationinheavytraffic
areas.
3 Addredundancyincommunicationsystemsand
addanindependentrendezvouscontrolunit:This
avoidsseveralcriticalandhighprobabilitysingle
pointoffailurecases.

2DetailedUMLdiagramsareavailablefromhttp://www.mitsforum.org/munin/index.htm
(January2015).
360
Thescenariobuildingexercisedevelopstheinitial
systemanduserrequirementsaswellasidentifies
criticalissuesthathavesignificantimpacton
operationalconstraintsandhighlevel
modularization.
5 SYSTEMDESCRIPTIONS
Thesystemdescriptionconsistsofthesystem
modularizationandthespecificationofthe
operationalprinciplesfortheunmannedship.
5.1 Modularization
Thegeneralsystemmodularizationisshownin
Figure3.
Figure3.TheMUNINmodules(Rødsethetal.2013)
Thenewmodulesandcomponentsneededto
implementautonomyareshaded.Existingmodules
arewhite.TheLOScommunicationblockconsistsof
standardsystemsintendedfordirectlineofsight
(LOS)shiptoshiporshiptoshorecommunication.
Thisincludestheautomaticidentificationsystem
(AIS),globalmaritimedistressandsafetysystems
(GMDSS)aswellasaproposedfutureVHFdata
exchangeservice(VDES)asdiscussedinRødsethet
al.(2013).Theradar,integratedbridgeand
automationsystemsareotherexistingshipcontrol
systems.
TheRCUmoduleismainlyusedduringport
approachanddeparturewhentheportoperations
crewisboarding,butitdoesalsoplayaspecialrole
inrecoveryofunmannedshipsthatcannototherwise
becontrolled.TheRCUisoperationallyindependent
fromallotherautonomoussystemcomponentsand
representspartofthefailtosafebackupprocedures
forshiprecovery,evenwhennormalsatellite
communicationorautonomouscontrolsystemsfail.
NewsensorsconsistofacombinedCCTVandfar
infrared(IR)camerathatworkstogetherwithmainly
AISandradartodetectandclassifynearbyobjects.
TheIRcameraisoftheForwardLookingIR(FLIR)
type.Thesensorfusionfunctionsarelocatedinthe
ASM(Bruhnetal.2014).
Theautonomousshipcontroller(ASC)consistsof
varioussubmodulesforautonomousnavigation,
enginecontrol,engineconditionmonitoringand
energyefficiencymanagement(Burmeisteretal.
2014a,Walteretal.2014).Theshorecontrolcenter
(SCC)isaremotecontrolcenterwithseveralcontrol
stationsandfunctions(Porathe2014).
CommunicationbetweenshipandSCCisdone
overastandardcommercialsatellitelinkwitha
capacityofpreferablyatleast1500kilobitsper
second(kbps),butwhichwillworkdownto125
kilobitspersecond(Rødsethetal.2013).Another,
normallylowercapacitysatellitelink,e.g.Inmarsat
orIridiumisusedasbackup.Inaddition,the
unmannedshipwillbeabletocommunicatewith
othershipsthroughtheLOSmodule.
5.2 Operationalprinciples
Theoperationalprinciplesarecharacterizedbya
conservativeapproachtousing“intelligentcontrol”
intheship.TheinclusionoftheSCCremovesmany
complexityincreasingfactorsfromtheoperational
scenarios.Thismeansthatitisonlynecessaryto
implementarelativelylimiteddegreeofautonomyin
theship.Thisalsomakesiteasiertoensure
determinisminmissionexecution.Theoperational
modesareshowninFigure4.
Figure4.Theoperationalmodes(Rødsethetal.2013)
Autonomousexecutioncorrespondsroughlyto
autopilotoperation.Itperformsnavigationaland
lookouttasksfullyautomaticallyaslongasmore
advancedreasoninganddecisionmakingisnot
necessary.Thisisdonewithoutguidancefromshore,
butwithperiodicandbriefstatusreportssenttothe
shoreoperators.Autonomouscontrolisamode
wheretheship,withindefinedoperationallimits,
performsactionsonowninitiativetoavoid
dangerousorunwantedsituations.Thetypical
exampleisavoidancemaneuverswhenotherships
areinthevicinity.Remotecontrolcanbedirectwith
continuousandrealtimecontrolfromtheSCCor
indirectwhichiswhentheSCConlyoutputshigh
levelcommands,e.g.waypoints,totheshipwithout
controllingotheroperationalparametersdirectly.
Failtosafeisthestatetheshipcontrollerwillgoto
whenitisunabletocontinueautonomousoperations
withoutSCCassistanceandSCCresponsesare
missingordelayed.Thespecificationsofthefailto
safemodearebasedonpreprogrammedinstructions
fromSCCandwillnormallybeupdatedfromthe
SCCasthevoyageproceeds.Thespecificfailtosafe
modewilldependonwhatproblemtheship
encountersandotherenvironmentalorship
parameters(Burmeisteretal.2014b).
5.3 Operationaldomain
Thefinalpartofthesystemdescriptionisthe
definitionoftheoperationaldomainoftheship.The
MUNINshipisadrybulkcarrierofmediumsize
361
andthevoyageforeseenisironoretransport
betweenSouthAmericaandEurope.
Duringanalysisoftheusecasescenarios,itwas
alsodecidedtolimitthevoyagetothedeepsea
passageandnotincludetransitincongestedwaters
orportapproachordeparture.Therearetwomain
reasonsforthat:
1 Operationindeepseaareasaremainlyunderthe
jurisdictionoftheflagstatewhichsimplifiesthe
regulatoryissuessignificantly.Thereisnoneedto
considerdifferentportorcostalstates’legal
regimes.
2 Trafficdensityandcomplexityofoperationis
verymuchsimplifiedbyoperatingonlyindeep
seaareas.Also,theprobabilitythatanerror
resultsinadangerousconsequenceislower.
Ontheotherhand,thiswillalsohaveanimpact
oncosteffectivenessasoneneedstohavecrew
onboardforportapproachanddeparture.This
meansthatsomeaccommodationfacilitiesmayhave
tobeavailable.Thesemeasureswillincreaseboth
capitalandoperationalcostsandmayhavean
impactonthecosteffectivenessofthewholeconcept.
6 HAZARDIDENTIFICATIONANDRISK
CONTROL
Thehazardidentificationwasdoneinaworkshop
guidedbycertainsemanticcomponentsfromthe
MiTSarchitecture(Rødseth2011),mainlytheship
functionalbreakdowntogetherwithvoyagephases
andtheoperationalmodes.
Atotalof65mainhazardswereidentified.Each
ofthehazardswasthenclassifiedaccordingtoits
consequenceiftheeventshouldhappenandthe
probabilitythatitwillhappen.Theriskwasthen
gradedinthreelevels:Acceptable(lowprobability
and/orlowconsequence);Unacceptable(high
consequenceand/orhighfrequency);andALARP:As
lowasreasonablypracticable.
Therewereseveralhazardsthatwereclassifiedas
unacceptableintheinitialshipconfiguration:
1 Interactionwithotherships,whethertheyfollow
COLREGSornot,isacriticalissue.Navigation
andanticollisionsoftwaremustbethoroughly
tested.
2 Errorsindetectionandclassificationofsmallto
mediumsizeobjectsiscriticalasitmaybe
wreckage,persons,lifeboatsorotherobjectsthat
needtobereportedtoauthorities.Thisfunction
mustbecarefullytested.
3 Failureinobjectdetection,particularlyinlow
visibility,cancausepoweredcollisions.The
advancedsensormodulemustbeverifiedtobe
abletodoallrelevanttypesofobjectdetection,
alsoinadverseweather.
4 Propulsionsystembreakdownwillrenderthe
shipunabletomove.Itisnecessarytohaveavery
goodconditionmonitoringandforecasting
systemtoreducesuchincidentstoanacceptable
minimum.
5 Veryheavyweathermaymakeitdifficultto
manoeuvretheshipsafely.Itisnecessarytoavoid
excessiveweatheranditisalsorequiredto
investigateimprovedmethodsforremotecontrol
ifsuchconditionsshouldbeencountered.
TheALARPgroupofrisksrepresentsissuesthat
havetobeconsideredonacostbenefitbasis.One
shouldaimtoremoveorreducetheserisksaslongas
costisnotprohibitivelylarge.
Amongthelatterwerethevarioussecurityrelated
hazards,includingstowaways,pirateattacksand
terrorism.Whilethescenarioofaterroristusingthe
unmannedshipsasaremotelycontrolledweapon
maybeseenasaveryhighriskscenario,
investigationsintoalreadydefinedtechnicalbarriers
showedthatitwasunlikelythatterroristswouldbe
abletotakecontroloftheshipaslongas
communicationsystems,positionsensingandon
boardcontrolsystemsweredesignedproperly
(Rødsethetal.2013).
Theidentifiedriskcontroloptionsassociatedwith
theaboveunacceptablerisksarelistedinTable2.
Table2.Majorriskcontroloptions
_______________________________________________
Hzd Riskcontrol
_______________________________________________
1Avoidheavytraffic
Objectdetectionandclassification
Deepseanavigationmodule
SCCandVHFcommunicationwithships
2Improvedmaintenanceroutines
Improvedconditionmonitoring
Redundancyinpropulsion(waterjet)
3RadarandAISintegratedinobjectdetection
SCCnotificationwhenindoubt
4Weatherrouting
SCCindirectcontrol
5FLIRcameraandhighresolutionCCTV
SCCnotificationwhenindoubt
_______________________________________________
Theriskcontrolsaregenerallyfirsttotrytoavoid
thedangeroussituation,secondlyhandlingitaswell
aspossibleonboardandthirdly,usetheSCCassoon
asthereisanydoubtaboutoutcome.Therewillalso
befailtosafeactionsformanyofthesecasesthatare
notlistedhere.
Thedefinedacceptablesafetylevelistobeatleast
asgoodasonnormalmannedships,whichmeans
thatsomeoftheconventionaltechnologycanbeused
toachievethesamesafetylevel.Thiswillasan
exampleapplytotheuseofradarandAISinlow
visibility.
Forthepropulsionsystembreakdown,one
proposalistoinstallawaterjetthatcanbedriven
fromtheauxiliarygeneratorssothatitis
independentofallmainpropulsioncomponents.The
ideaistogiveatypeof“limphome”functionality.
Theobjectdetectionsystemconsistsofanumber
ofsensorsthatshouldgiveatleastandnormally
betterdetectioncapabilitiesthanahumanlookout.
Amongthesensorsisradar,CCTV,forwardlooking
infrared(FLIR)andAIS.
362
7 HYPOTHESISFORMULATIONANDTESTS
Achallengefordesignersofautonomoussystemsis
toconvinceusersthatthesystemissafeandthatit
willdowhatitisintendedtodo.Evenby
demonstratingacertainfunction,itcanbeargued
thatalthoughitworkedonce,itdoesnotmeanthatit
willworkeverytime.InMUNINwehavedecidedto
addressthisproblemthroughhypothesistesting.
Oxforddictionarydefinesahypothesisas“a
suppositionorproposedexplanationmadeonthebasisof
limitedevidenceasastartingpointforfurther
investigation”.Thus,MUNIN’smainhypothesisfor
thefeasibilitytestisthatunmannedshipsystemscan
autonomouslysailonanintercontinentalvoyageat
leastassafeandefficientasmannedships.However,
ascientificapproachrequiresthehypothesistobe
testedtovalidateit.AsMUNIN’smainhypothesisW
isratherbroad,testablesubhypothesesSijforeach
modulearederivedthataredirectlydependenton
themainhypothesis.Ofcourse,evenifallSijare
valid,thisdoesnotmeanthatWholds,butatleasta
falsificationispossiblebythisapproachdueto
contraposition:
(WSij)(SijW)(1)
TheSijarederivedfromtheidentifiedhazards.
Afterwards,appropriatescientifictestscanbefound
andconductedtoattempttofalsifythemain
hypothesis.Thus,theprincipaltestapproachof
MUNINissummarizedinFigure5.
Main hypothesis W
Sub-hypotheses S1to Sn
Design and conduct test for Si
S ˄ ¬ (¬S)
Test Siand ¬Si
next W not ok
noyes
for each i
Figure5.Hypothesisderivationandtests
Table3.Extractofderivedhypothesis(Krüger,ed.2014)
_______________________________________________
Number Hypothesis
_______________________________________________
WUnmannedshipsystemscanautonomouslysail
onanintercontinentalvoyageatleastassafe
andefficientasmannedships.
S1ASCcanautonomouslynavigateashipsafely
andefficientlyalongapredefinedvoyageplan
withrespecttoweatherandtrafficconditions.
S11 ASCcanidentifytheCOLREGobligationofthe
shiptowardsallobjectsinthevicinityin
unrestrictedwaters.
S12 ASCcancalculatepossible,COLREGcompliant
deviationmeasuresforagiventrafficsituation
inunrestrictedwatersthatminimizethe
necessarytrackdeviation.
S2ASMcansensesufficientweatherandtraffic
datatoensurenavigationandplanningfunction
onautonomousvesselsandenablesituation
awarenessinanoperationroom.
S21 ASMiscapabletodetectafloatingobjectof
standardcontainersizeinarangeofatleast4.0
NM.
S22 ASMiscapabletodetectaliferaftinarangeof
atleast3.0NM.
_______________________________________________
WhilethisisnotafullproofthatWistrue,itisa
muchmoreconvincingargument,particularlyifthe
subhypothesisandtestsarewelldesigned.
However,itisachallengetodesigngoodtestsforthe
negationofS.
Asanexample,Table3givesanoverviewofa
smallpartofMUNIN’ssubhypothesiswithregards
tocollisionavoidanceandobjectdetectionhazards
describedinchapter6.
Basedonthishypothesistree,individualtestsare
designedandconducted.Thesetestsmightdiffer
dependingontheconcretecircumstances.Whilee.g.
S21andS22canbeeasilytestedbyconductinganin
situtestofthesystemunderdifferentenvironmental
conditions,S11cane.g.beverifiedbycheckingthe
complianceofobligationsderivedfromS11with
situationspreevaluatedbynauticalexpertsorcourt
decisions.Incontrast,S12canbetestedbyhistorical
tracksavailablefromAISDataproviders.
Thehypothesistestswillalsoserveaspartofthe
generalsoftwareandsystemtesting.However,asthe
hypothesesnormallyfocusonsubsystemsand
specificfunctions,otherandmoresystemoriented
testsarealsonecessary.Thiswillbepartofthe
constructionandtestphaseandwillnotbediscussed
furtherhere.
8 DESIGNVERIFICATION
Fornormalships,theprocessofgettingtherequired
flagstateandclasscertificatesisthefinaldesign
verification.Duringthecertificationprocess,
independentthirdpartiesexaminethetechnical
solutionsandissuecertificatesasproofofsafety,
securityandfunctionality.
Onewillneedasimilarregimeforunmanned
ships.Tobeabletosail,theshipmustbeapproved
andcertifiedbyaflagstateandforinsuranceandfor
acceptancebythecargoownersaswellasother
commercialparties,itwillalsohavetohaveclass
approval.
Onecanassumethattheapprovaland
certificationprocessforunmannedorreduced
manningshipswillbesimilarinstructuretothatfor
mannedships.Theproblemistodefinethe
acceptancecriteriaandtoalesserdegreetotest
compliance.Anothersignificantproblemisthat
manyoftheexistinginternationalregulations
stipulatethatthereisacrewonboardandthatmany
rulesdealwithwhatworkprocessesandwhat
routinesarerequiredbythiscrewtoensureasafe
voyage.Anobviousexamplehereisthe
“InternationalConventiononStandardsofTraining,
CertificationandWatchkeepingforSeafarers”
(STCW)whichisobviouslynotpossibletofulfillfor
anunmannedvessel.Thisandothercodeswillhave
tobereassessedorreformulatedtoaddresstheuseof
automatedlookoutsandhelmsmen.
363
TherearealreadymechanismsinplaceintheIMO
regulatoryframeworktoallowflagstateandclassto
developnewmethodsfordefiningrequirementsto
andfortestingsystemstocertainsafetygoalsrather
thantotechnicalstandards.Theconceptof“Goal
BasedStandards”(GBS)wasintroducedbytheIMO
Councilin2002.Thismaybeasignificanthelpin
adaptingatleastsomeoftherelevantregulationsto
unmannedships.TheuseoftheFSAmethodologyis
animportantpartofthisandisthereasonwhyFSA
wasselectedasbaselinefortheMUNIN
methodology.TheuseofFSAbasedmethodsalready
intheconceptstudieswillpresumablymakeit
possibletoreusemanyoftheanalysisresultsalsoin
theinternationallyregulatoryprocesses.
Thelegalproblemislowerwhenoperatingonly
ininternationalwaters,wherethejurisdictionis
almostexclusivelythatoftheflagstate.When
enteringintonationalwaters,theportandcoastal
states’jurisdictionwillcomeintoplayaswell.This
createsamuchmorecomplexpictureandwillinthe
longtermrequirenewinternationalregulationsand
conventionsdevelopedthroughIMOandpossibly
otherorganizations.TheMUNINprojecthas
providedsomeanalysisoftheseissues,butmore
workisneededtofindefficientsolutionstothe
identifiedproblems(SageFuller,ed.2013a,2013b).
Thehypothesistestswilltosomedegreealsoact
asverificationcriteria,althoughahypothesis
typicallyonlyaddressesfactorfromthehazard
identificationandsystemmodularization
individually.Thus,theywillnotaddressthesystem
asawhole.
Inthiscontextonealsohastolookattheinhouse
designverification.Thisisanormalpartofthe
systemdevelopmentprocessandistypically
undertakenduringmoduletests,integrationtests
andcommissioningofthesystem.Thiswillbean
addonandanecessarystepalsotothethirdparty
verificationrelatedtoissuanceofcertificates.
DesignverificationwillnotbedoneinMUNINas
theprojectislimitedtoaconceptstudy.Thefinaltest
stageinMUNINwillbethehypothesistestsand,
followingthose,thehighlevelcostbenefitanalysis.
Thus,systemverificationcriteriahavenotbeen
developedandwillnotbeaddressedtoany
significantextentinthisproject.
9 COSTBENEFITANALYSIS
Thecostbenefitanalysis(CBA)fortheMUNIN
concepthasnotstartedyetandwillbedoneinthe
firsthalfof2015.Alsoheretheresultsoftherisk
basedapproachareexpectedtohavesomeimpacts.
Weexpectthattheoperationalsimplificationsthat
cameoutofthescenarioanalysiswillhaveapositive
impactascostswillbereducedwhencomplexityof
thetechnologydecreases.Thepossibleexceptionhere
istheneedforhavingcrewonboardduringport
approachanddeparture.Unlessthisishandledina
waythatreducestheneedforlifesupportsystems
onboard,itmayoffsetmanyofthepotentialgainsin
havingshipsoptimizedforunmannedoperations,
e.g.withoutaccommodationareas,lesslifesupport
systemsandusingnewsuperstructureconcepts.
Theriskcontroloptionsthatwereidentifiedas
necessaryinthehazardidentificationandrisk
controlactivitieswillnormallyhaveanegative
impactasmostriskcontrolsrequiremoreadvanced
softwareorothertechnology.However,the
structuredapproachofFSAshouldguaranteethat
theseriskcontrolsarereallynecessaryandthatthey
giveactualbenefitstotheshipandshipowners.
Fortheriskcontrolsthatweredefinedas
unnecessaryorasALARP,theFSAbased
methodologyshouldbeexpectedtooptimizethe
costbenefitstradeoffandassuchhaveapositive
contribution.
10 CONCLUSIONS
Theexperienceswiththeriskbasedapproachto
designhavebeenverygoodsofar.Ithasdefineda
necessaryandefficientstructuretotheanalysisand
designactivitiesandhasmadeitpossibletopresenta
consistentandwelldocumentedargumentforthe
safetyandsecurityoftheunmannedship.Ithasalso
givenvaluableinputtotheinitialcostbenefitwork.
Theprojectteam’simpressionsofaristhatthe
conceptofanunmannedshipisviable,althoughnot
necessarilyasaretrofittoexistingbulkcarriers.
Theriskbasedmethodhasinparticularbeen
usefulinstructuringtheHazardIdentification
processasthatishighlycriticalindefiningthemain
challengesandwheredevelopmenteffortsneedtobe
focused.Inouropinion,itisnotpossibletoarguefor
thesafetyandsecurityofunmannedshipswithout
thistypeofstructuredproblemanalysis.
Theearlyscenariodescriptionandanalysis
exercisehasalsoprovenveryeffectiveinbalancing
operationalcomplexitywithtechnicalsimplifications.
Thisisacriticalpartofdefiningtheindustrial
autonomoussystem’soperationalscopeasatoo
flexibleortooextensivescopecanhaveveryhigh
impactontechnicalcomplexityand,henceoncost
andreliability.
Wehavenotyetusedthecostbenefitpartofthe
FSAmethodology,butthiswillbeaddressedinthe
remaininghalfyearoftheprojectandreportedon
later.However,theFSAmethodhasbeenusedina
numberofotherIMOstudiesandwedoexpectthat
alsothispartwillworkwell.
REFERENCES
Brito,M.P.,Griffiths,G.,&Challenor,P.2010.Risk
analysisforautonomousunderwatervehicleoperations
inextremeenvironments.RiskAnalysis,30(12),1771
1788.
Bruhn,W.C.,Burmeister,H.C.,Long,M.T.,&Moræus,J.
A.2014.Conductinglookoutonanunmannedvessel:
Introductiontotheadvancedsensormodulefor
MUNIN’sautonomousdrybulkcarrier.InProceedings
ofInternationalSymposiumInformationonShips—ISIS
2014(pp.0405).
364
BurmeisterH.C.&BruhnW.C.2014a,Designingan
autonomouscollisionavoidancecontrollerrespecting
COLREG,InMaritimePortTechnologyandDevelopment
2014,Taylor&FrancisGroup,London(2014),pp.8388
BurmeisterH.C.,BruhnW.,RødsethØ.J.&PoratheT.
2014bAutonomousUnmannedMerchantVesselandits
ContributiontowardstheeNavigation
Implementation:TheMUNINPerspective,in
InternationalJournalofeNavigationandMaritime
Economy1(2014)113.
Griffiths,G.,Millard,N.W.,McPhail,S.D.,Stevenson,P.,
&Challenor,P.G.2003.Onthereliabilityofthe
Autosubautonomousunderwatervehicle.Underwater
Technology:InternationalJournaloftheSocietyfor
UnderwaterTechnology,25(4),175184.
Griffiths,G.,Bose,N.,Ferguson,J.,&Blidberg,D.R.2007.
Insuranceforautonomousunderwatervehicles.
UnderwaterTechnology,27(2),4348.
IMO2007.MSC83/INF.2,FormalSafetyAssessment:
ConsolidatedtextoftheGuidelinesforFormalSafety
Assessment(FSA)foruseintheIMOrulemakingprocess.
May14,2007
KrügerC.M.(ed.)2014,MUNINDeliverableD8.1,Test
environmentsetupdescription,November2014
(AvailablefromMUNINprojectonrequest).
Podder,T.K.,Sibenac,M.,Thomas,H.,Kirkwood,W.J.,&
Bellingham,J.G.2004.Reliabilitygrowthof
autonomousunderwatervehicleDorado.In
OCEANSʹ04.MTTS/IEEETECHNOOCEANʹ04(Vol.2,
pp.856862).IEEE.
Porathe,T.2014.RemoteMonitoringandControlof
UnmannedVessels–TheMUNINShoreControlCentre.
InProceedingsofthe13thInternationalConferenceon
ComputerApplicationsandInformationTechnologyinthe
MaritimeIndustries(COMPIT‘14)(pp.460467).
RødsethØ.J.2011,AMaritimeITSArchitecturefore
NavigationandeMaritime:SupportingEnvironment
FriendlyShipTransport,inProceedingsofIEEEITSC
2011,Washington,USA,2011.
RødsethØ.J&Burmeister,H.C.2012.Developments
towardtheunmannedship,inProceedingsof
InternationalSymposiumInformationonShipsISIS2012,
Hamburg,Germany,August3031,2012.
Rødseth,Ø.J.,Kvamstad,B.,Porathe,T.,&Burmeister,H.
C.2013.Communicationarchitectureforanunmanned
merchantship.InProceedingsofIEEEOceans2013.
Bergen,Norway.
Rødseth,Ø.J&Tjora,Å.2014.Ariskbasedapproachtothe
designofunmannedshipcontrolsystems.InMaritime
PortTechnologyandDevelopment2014.Taylor&
FrancisGroup,London(2014).
SageFullerB.(ed.)2013a.MUNINDeliverableD5.1,Legal
AnalysisandLiabilityfortheAutonomousNavigation
Systems,March2013(AvailablefromMUNINprojecton
request).
SageFullerB.(ed.)2013b.MUNINDeliverableD7.2,Legal
AnalysisandLiabilityfortheRemoteControlledVessels,
August2013(Availablefromwww.unmannedship.org
January2015orfromtheMUNINprojectonrequest).
Stokey,R.,Austin,T.,VonAlt,C.,Purcell,M.,Forrester,N.,
Goldsborough,R.,&Allen,B.1999.AUVBloopersor
WhyMurphyMusthavebeenanOptimist:APractical
LookatAchievingMissionLevelReliabilityinan
AutonomousUnderwaterVehicle.InProceedingsofthe
EleventhInternationalSymposiumonUnmanned
UntetheredSubmersibleTechnology(pp.3240).
Walther,L.,Burmeister,H.C.&Bruhn,W.2014,Safeand
efficientautonomousnavigationwithregardsto
weather,In:ProceedingsofCOMPITʹ14,Redworth,UK,
1214May2014,p.303317.
... The direct reference for the navigational safety of MASS is the traditional vessel. If MASS is to be used as a replacement for traditional vessels, the navigational safety requirements for MASS are higher than those for traditional vessels [32], and the minimum requirements should also be as safe as for traditional vessels [36]. Any collision avoidance and preventive measures that can be achieved by traditional vessels in vessel manoeuvring practice should also be achieved by MASS. ...
... International Convention for the Safety of Life at Sea (SOLAS) regulations V/11(1) and V/12(1) provide that the objectives of both vessel reporting and VTS are to assist vessels in their efforts to ensure the safety of life at sea, the safety and efficiency of navigation, and the protection of the marine environment. Under regulation 12(2) of the SOLAS, states have the right to establish VTS when they consider that the volume of traffic or the level of risk warrants the provision of such services, and the IMO Guidelines and Principles on Vessel Reporting and VTS imply that these systems are to be applied by the "seamen" or the "master" [4] [32]. At the same time, under SOLAS regulation V/10, the coastal state has the right to impose a mandatory vessel routing regime on foreign vessels, and there is a correlation between the TSS and COLREGs rule 10 traffic separation scheme. ...
View
... Z istniejącej literatury wynika, że z powodu ograniczeń w dostępie do fizycznych platform i braku jednolitych standardów metody oparte na wiedzy stopniowo zastępują metody oparte na doświadczeniu. Pierwsza zaproponowana metoda (Rødseth & Burmeister, 2015b) była oparta na Formalnej Analizie Bezpieczeństwa FSA (ang. Formal Safety Assessment) i sugerowała wymóg ustrukturyzowanej analizy problemów w celu zapewnienia bezpieczeństwa MASS. ...
Studium integracji mieszanej rzeczywistości w zdalnej kontroli morskich autonomicznych statków nawodnych (Study on the Integration of Mixed Reality in Remote Control of Maritime Autonomous Surface Ships)
Book
  • Feb 2025
Study on the Integration of Mixed Reality in Remote Control of Maritime Autonomous Surface Ships Study explores the integration of Mixed Reality (MR) technology in the remote control of Maritime Autonomous Surface Ships (MASS). As the maritime industry shifts toward automation and autonomy, the role of remote operators becomes increasingly crucial. By leveraging MR, remote operators can achieve enhanced situational awareness, improved decision-making, and a more intuitive interaction with ship control systems. This paper examines the technological framework, potential benefits, and challenges of MR implementation in the context of remote maritime operations.
View
... Hassel et al. [80] • Khan et al. [107] • Montewka et al. [126] • Mulyadi et al. [130] • Tvedt [173] • Zaman et al. [206] • • Rødseth and Tjora [150] • Rødseth and Tjora [151] • Ozkok [136] • Antão et al. [9] • Goerlandt and Montewka [73] • Jensen [94] • Khaled and Kawamura [105] • Przywarty et al. [142] • Zhang et al. [211] • Rødseth and Burmeister [152] • Nishijima et al. [132] • Soman et al. [161] • Tang et al. [166] • Kum and Sahin [111] • Copping et al. [40] • Ma et al. [118] • Mazaheri et al. [120] • Nilsen [131] • Haugen et al. [81] • Nivolianitou et al. [134] • Rekha et al. [147] • Senol and Sahin [155] • • Sotiralis et al. [163] • Wróbel et al. [195] • • Akyuz et al. [6] • Fu et al. [63] • Afenyo et al. [3] • Chai et al. [30] • Hassel [79] • Huang et al. [85] • Presencia and Shafiee [140] • Thieme and Utne [168] • Utne et al. [181] • Wróbel et al. [196] • Ahn et al. [4] • Wang et al. [189] • Jeong et al. [95] • Thieme and Utne [169] • Allal et al. [7] • • Khan et al. [106] • Wróbel et al. [197] • • • • • Vidmar and Perkovič [188] • Wang et al. [191] • Hoem [82] Zhou et al. [215] Veitch and Andreas Alsos [185] This Study ...
Toward a hybrid approach for the risk analysis of maritime autonomous surface ships: a systematic review
Article
Full-text available
  • Jan 2025
  • J MAR SCI TECH-JAPAN
As the demand for maritime autonomous surface ships (MASS) grows, appropriate risk analysis is essential for ensuring their safety. Several review papers have examined effective methods for MASS risk analysis, highlighting the benefits of qualitative approaches such as the systems-theoretic accident model and process/system-theoretic process analysis (STAMP/STPA). However, a comprehensive and objective analysis method for MASS has not yet been established. In addition, a systematic literature review of the available academic research studies on MASS risk analysis has not been previously conducted. Therefore, this study employed principles from the preferred reporting items for systematic reviews and meta-analysis (PRISMA) for conducting a systematic literature review on MASS risk analysis. Besides, to conduct the review considering various aspects of risk analysis, we developed the classification framework of risk analysis of MASS and conducted the review using the developed framework. We concluded that a hybrid approach, combining a quantitative analysis by the Bayesian network using qualitative STAMP/STPA results, may prove to be effective for MASS risk assessment. In addition, based on the analyzed literature, research directions for future studies considering the gaps between current research and the real-world implementation of MASS were identified.
View
... The safety issues in MASS are considered to be a barrier that should be addressed (through risk identification, analysis and management), and therefore they are widely addressed in recent literature and prototype projects, e.g. (AAWA, 2016;Ghaderi, 2020;Munim, 2019;MUNIN, 2016;Rødseth & Burmeister, 2015;Wrobel et al., 2016;Wróbel et al., 2017Wróbel et al., , 2018. ...
View
... Currently, a limited amount of information is available regarding the acceptable risk criteria for MASS. Rødseth and Burmeister (2015) defined an acceptable risk level for MASS as being no higher than that from a traditional ship. However, this definition is not a general standard that can be used for MASS risk management. ...
View
View
Control theory-based fuzzy Fine-Kinney risk assessment for boiler automation system from the maritime autonomous surface ships (MASS) perspective
Article
  • Apr 2025
  • OCEAN ENG
Vessel automation technologies are prevalent in today's industry, and Marine Autonomous Surface Ships (MASS) are being recognized as a potential future trend. Although certain commercial ships presently possess autonomous control capabilities, they are not designed for entirely unmanned operations. To effectively navigate this trajectory, a comprehensive analysis of complex ship systems, encompassing human, machine, and software components, is imperative for risk assessment. This study proposes an innovative approach that integrates control theory, Fine-Kinney, and fuzzy logic concepts to evaluate the risks of ship automation systems. The study focused on ship boilers with advanced automation, minimal human intervention, and potentially catastrophic risks for illustrative purposes. Initially, the ship boiler automation system was analyzed through the lens of control theory, followed by identification and expert scoring of system hazards. Subsequently, the fuzzy model was constructed to compute hazards within the system quantitatively and associated Fuzzy Risk Scores (FRS). Accordingly, EH1: Ignition burner electrode failure (2.280 Fuzzy Risk Score), FH1: HFO regulating valve failure (2.250), and FH7: HFO supply and booster pump failure (2.150) emerged as the most critical system hazards. The proposed methodology and findings offer a valuable blueprint for the future of automation within the shipping industry, facilitating safer, more efficient, and ultimately autonomous maritime operations.
View
View
View
View
Autonomous Unmanned Merchant Vessel and its Contribution towards the e-Navigation Implementation: The MUNIN Perspective1
Article
Full-text available
  • Dec 2014
While IMO's e-Navigation project's scope is to enhance safety of navigation by improved ship-to-shore-cooperation, the EU's FP7 project MUNIN's aim is to develop a concept for an autonomous dry bulk carrier, that is at least as safe as a manned vessel. As e-Navigation has a strong focus on improving the human element in shipping and MUNIN tends towards an unmanned bridge, a common baseline might look quite contradictory at first, but they share the need to ensure and enhance the safety of navigation. After an introduction into e-Navigation and the MUNIN project, this paper will demonstrate with two examples, how MUNIN's results address identified e-Navigation's gaps and addresses e-Navigation's user needs. Thus, MUNIN contributes to the development and implementation of the prioritized e-Navigation solutions.
View
On the Reliability of the Autosub Autonomous Underwater Vehicle
Article
Full-text available
  • Dec 2003
As autonomous underwater vehicles (AUVs) enter operational service an assessment of their reliability is timely. Using the Autosub AUV as an example, several design issues affecting reliability are discussed, followed by an analysis of recorded faults. Perhaps contrary to expectations, failures rarely involved the autonomous nature of the vehicle. Rather, faults were typical of those that occur with any complex item of marine electromechanical equipment. A statistical analysis showed that the failure rate decreased with distance travelled -an indicator that an AUV underway, submerged, is at less risk of a fault developing than during other phases of a mission.
View
Conducting look-out on an unmanned vessel: Introduction to the advanced sensor module for MUNIN’s autonomous dry bulk carrier
Conference Paper
Full-text available
  • Sep 2014
As a long-term sustainability approach to shipping, the European FP7 project MUNIN (Maritime Navigation through Intelligence in Networks) develops a concept for an unmanned and autonomous merchant vessels and investigates the feasibility to operate a dry bulk carrier completely unmanned during deep sea voyage. A core objective is to create a system, which allows autonomous ship navigation at least on the same safety level or comparable to conventional vessels, but preferably even higher. Due to an expected simultaneous operation of manned and unmanned vessels on the oceans, it must be considered that the autonomous system still has to fit into the existing international legal framework of shipping.
View
AUV Bloopers or Why Murphy Must have been an Optimist: A Practical Look at Achieving Mission Level Reliability in an Autonomous Underwater Vehicle
Article
Full-text available
  • Jan 1999
REMUS (Remote Environmental Measuring Units) are small low cost AUVs designed for coastal monitoring and survey operations. Un-modified, the REMUS vehicle is 52 inches long with a body diameter of 7.5 inches; however longer versions have been built for a variety of different instruments. When equipped with a sidescan sonar, ADCP (acoustic Doppler current profiler), OBS (optical backscatter), and CTD (conductivity-temperature-depth), it weighs just under 100 lbs. in air. This small size makes RE-MUS easy to ship, and easy to launch and re-cover from small vessels. Since it's first sea trials over 3 years ago, it has logged hundreds of missions. There are now over 10 REMUS vehicles in the field making a variety of scientific measurements. REMUS vehicles equipped with lead acid batteries routinely do 20-kilometer surveys while collecting ADCP, CTD, and Sidescan Sonar data. A vehicle equipped with lithium batteries has run several missions of over 50 kilometers and one of over 60 kilometers in the open ocean. It is a very suc-cessful and reliable AUV. However that success did not come without a number of miss-steps. There is an old aphorism that states that experience keeps you from mak-ing mistakes, and making mistakes is how you get experience. REMUS has had its share. How-ever, each REMUS failure was another lesson that the ocean had to teach us. After a failure, post mission analysis focused on the question: what can we do to keep the problem from hap-pening again. Ultimately, it is human error that causes the most problems. This paper focuses on the ingenious methods operators have found to prevent the vehicle from properly completing its mission and collecting data, and how the software and hard-ware of the vehicle has evolved to prevent op-erator blunders and to ensure mission comple-tion. Specific problems are described, as well as the techniques, applicable to any vehicle, used to prevent the problem from occurring in the future.
View
Insurance for autonomous underwater vehicles
Article
Full-text available
  • Jun 2007
The background and practice of insurance for autonomous underwater vehicles (AUVs) are examined. Key topics include: relationships between clients, brokers and underwriters; contract wording to provide appropriate coverage; and actions to take when an incident occurs. Factors that affect cost of insurance are discussed, including level of autonomy, team experience and operating environment. Four case studies from industry and academia illustrate how AUV insurance has worked in practice. The paper concludes by stressing the importance of effective dialogue between client, broker and underwriter to review, assess and reduce risk to the benefit of all parties.
View
View
A maritime ITS architecture for e-Navigation and e-Maritime: Supporting environment friendly ship transport
Conference Paper
  • Oct 2011
Ship transport can be said to be the original Intelligent Transport System and developments in this sector should be of interest for ITS research in other modes. This paper will investigate the requirements to a Maritime ITS architecture and describe elements of a possible solution. A driving force behind this architecture is the international nature of ship transport and the need to establish standards for information exchanges to further increase efficiency, reduce greenhouse gas (GHG) emissions and improve the security in the sector. Obviously, reduction of GHG emissions through operational measures can also reduce costs. This has been realized by the shipping community and the e-Navigation (by International Maritime Organization - IMO) and e-Maritime (by European Union - EU) initiatives testify to this. Both initiatives have identified the information architecture as critical for the future development of the ship transport area. The development of a maritime ITS architecture needs to consider legacy systems, the international nature of shipping, international legislation and standards as well as highly varying quality of service on available communication channels.
View
Communication architecture for an unmanned merchant ship
Conference Paper
  • Jun 2013
Unmanned ships is an interesting proposal to implement slow steaming and saving fuel while avoiding that the crew has to stay on board for very long deep-sea passages. To maintain efficiency and safety, autonomy has to be implemented to enable the ship to operate without requiring the SCC to continuously control the ship. Communication between ship and a shore control center (SCC) is therefore critical for the unmanned ship and proper safety and security precautions are required, including sufficient redundancy and backup solutions. Communication systems should be able to supply at least 4 Megabits/second for full remote control from SCC, but reduced operation can be maintained at down to 125 kilobits/second. In autonomous mode, the required communication bandwidth will be very low. For an autonomous ship the higher bandwidth requirements are from ship to shore which is the opposite of the situation for normal ships. Cost and availability of communication is an issue. The use of technical and functional indexes will enable the SCC to monitor the status of the ship at minimum load on operators and on the communication systems. The security and integrity of information transfers is crucial and appropriate means must be taken to ensure failure tolerance and fail to safe properties of the system.
View
Risk Analysis for Autonomous Underwater Vehicle Operations in Extreme Environments
Article
Autonomous underwater vehicles (AUVs) are used increasingly to explore hazardous marine environments. Risk assessment for such complex systems is based on subjective judgment and expert knowledge as much as on hard statistics. Here, we describe the use of a risk management process tailored to AUV operations, the implementation of which requires the elicitation of expert judgment. We conducted a formal judgment elicitation process where eight world experts in AUV design and operation were asked to assign a probability of AUV loss given the emergence of each fault or incident from the vehicle's life history of 63 faults and incidents. After discussing methods of aggregation and analysis, we show how the aggregated risk estimates obtained from the expert judgments were used to create a risk model. To estimate AUV survival with mission distance, we adopted a statistical survival function based on the nonparametric Kaplan-Meier estimator. We present theoretical formulations for the estimator, its variance, and confidence limits. We also present a numerical example where the approach is applied to estimate the probability that the Autosub3 AUV would survive a set of missions under Pine Island Glacier, Antarctica in January-March 2009.
View
Reliability growth of autonomous underwater vehicle-Dorado
Conference Paper
  • Dec 2004
Underwater environments are highly unstructured, uncertain, and dynamic. However, over the past three decades many autonomous underwater vehicles (AUVs) have been developed and successfully deployed for various oceanographic applications. There is a growing need for the AUVs to be reliable for collecting useful data and samples for their users. An AUV is a typical one-of-a-kind product for which it is difficult to derive a mathematical/statistical model for reliability prediction. The failure modes effects and criticality analysis (FMECA) can produce more effective results. However, the assessment of reliability growth of an AUV is very important for predicting its operational success in challenging underwater environments. In this paper, we present the identification of different types of failures that occurred during the past one and a half years of operation of MBARI's Dorado AUV, classification of those failures, and the reliability growth analysis for the vehicle. Reliability issues of various subsystems and operational procedure of the AUV have also been discussed. An extensive analysis of operational data and test results are presented in this paper.
View