Power & Propulsion Alternatives for Ships, 23rd January 2019, London, UK
© 2019: The Royal Institution of Naval Architects
Comparison of diesel-electric with hybrid-electric propulsion system safety using System-Theoretic Process Analysis
V Bolbot, G Theotokatos, E Boulougouris, D Vassalos, Maritime Safety Research Centre, The University of Strathclyde, UK
SUMMARY
The cruise ship industry is rapidly developing, with both the size and the number of vessels constantly growing, which makes ensuring passenger, crew and ship safety a paramount necessity. Collision, grounding and fire are among the most frequent accidents on cruise ships and have severe consequences. In this study, a hazard analysis of a diesel-electric and a hybrid-electric propulsion system is undertaken using System-Theoretic Process Analysis (STPA). The results demonstrate a significant increase in potential hazardous scenarios due to failures in automation and control systems leading to fire, and a higher number of scenarios leading to propulsion and power loss, in hybrid-electric propulsion systems than in a conventional cruise-ship propulsion system. The results also demonstrate that an enhancement of STPA is required to compare the risk of the two propulsion systems.
1. INTRODUCTION
Developments over the recent past have driven the
maritime industry towards reducing exhaust gas emissions
and fuel consumption. Specific areas have been
designated, the so-called Emission Control Areas (ECAs),
where stringent limits for NOx and SOx emissions are
applied [1]. At the same time, considerable reduction in
the attained Energy Efficiency Design Index (EEDI),
which is used to depict the vessel CO2 emissions, is
required by the International Maritime Organisation
(IMO) from newly built vessels [1]. In addition, the maritime industry is going through periods of high fuel prices, resulting in high operating costs. Furthermore, in 2018 Norway adopted a resolution to achieve zero emissions in its world heritage fjords by 2026 at the latest, applying to cruise ships and ferry vessels [2]. The above render attractive the use of alternative fuels and propulsion systems to meet the regulatory requirements in a cost-effective way, including Hybrid-Electric Propulsion (HEP) with hybrid power supply, where diesel-generators and batteries together cover the ship power needs, and pure electric propulsion, where batteries store all the energy required for ship functions.
Hybrid-electric and pure electric propulsion systems have
already been applied on a number of existing vessels,
while new vessels with HEP are under development. MV
Viking Lady, an offshore supply vessel equipped with 500
kWh battery system has been in operation since 2013 [3].
MV Ampere is the world’s first fully electric battery
powered ferry vessel with battery capacity of 1,040 kWh
deployed on a route in Norway [4]. MV Hallaig, MV
Lochinvar and MV Catriona ferries, three sister vessels
with 700 kWh battery capacity on each, are currently in
operation in Scotland [5]. Two cruise ships with HEP
system, allowing ship sailing by using batteries for 30
minutes are expected to be delivered in 2019 [6]. A
hybrid-electric icebreaker cruise ship is under
development by PONANT, Stirling Design International,
Aker Arctic and VARD with scheduled ship delivery in
2021 [7]. Considering that battery technology is being
constantly developed, with increasing energy density and
decreasing procurement cost [8], it can be expected that
use of batteries will be extended to larger size cruise ships
in the near future.
The HEP achieves energy efficiency improvement by
running D/G sets at optimum load by peak load shaving
and functioning as spinning reserve [8-10].
Implementation of HEP leads to D/G sets downsizing,
which also supports D/G sets operation at their most
efficient load ranges [8]. Other advantages include higher
redundancy in system and lower emissions due to
charging of batteries from local grid in harbour [8, 10].
Disadvantages include relatively high cost of batteries
procurement [8, 10], large batteries size and weight [9],
limited number of recharging cycles [9] and addition of
new hazardous scenarios to the system [8].
On cruise ships, though, whose passenger numbers are comparable to the population of a town, ensuring the safety of the propulsion system is paramount, as any malfunction may lead to propulsion loss and, in turn, to collision, contact or grounding, which may end up in significant loss of life [11-13]. In addition, the introduction of batteries can lead to an increased risk of fire, explosion and crew intoxication [8]. A fire on a hybrid-electric tugboat occurred due to a malfunction of its Battery Management System [14], whilst a number of similar events have occurred in other industries. In this respect, it is crucial to ensure that all these scenarios are identified and properly addressed during the system design.
The primary reference for designing safe systems is the
IMO regulations [15] and classification society rules [16].
However, additional hazard and risk assessment studies
may be required to ensure safe design and class approval
[15, 16]. The only available and known safety study on
HEP system is given in [3], which is a high level study.
Other studies have referred to potential safety issues on
HEP systems but did not follow a hazard identification
method for their analysis [14]. Pertinent literature reveals
the research gap, which is a hazard analysis of HEP system
using well-established or novel methods and comparison
with the standard diesel-electric propulsion. The research
gap leads to the aim of this study, which is to analyse the
safety of HEP system using System-Theoretic Process
Analysis and to compare it with standard Diesel-Electric
Propulsion (DEP) in terms of the developed hazards,
number of potential hazardous scenarios and causal
factors.
This paper is organised as follows. In section two, the selected method and the rationale behind it are presented. In section three, a short description of the system and its functionalities is provided. In section four, the analysis results and safety recommendations are given. In section five, the main findings of this study are summarised.
2. METHODOLOGY
Hazard identification and analysis is the process of
defining all possible scenarios or sequences of events,
which can lead to a hazard realisation [17]. A number of
traditional methods can be used for analysis of power
propulsion systems including Preliminary Hazard
Analysis (PHA), HAZard and Operability studies
(HAZOP) and Failure Modes and Effects Analysis
(FMEA) [17]. However, these methods have been criticised for not properly addressing the automation functions in the system [17-20]. Control and automation, though, play an important role in power generation on cruise ships using either a standard diesel-electric or a hybrid-electric propulsion system [21]. For this reason, the System-Theoretic Process Analysis (STPA) method has been selected for hazard identification. Another advantage of STPA is that it can be applied at the functional level, without requiring the exact details of the system and vessel. In this way the identified hazardous scenarios remain applicable to other ship types and similar propulsion systems. The method steps are presented in Figure 1 and described in more detail in the following.
STPA defines the accident as: “an undesired and
unplanned event that results in loss, including loss of
human life or human injury, property damage,
environmental pollution, mission loss, financial loss, etc.”
[22]. The hazards in the STPA framework are understood
as: “system states or set of conditions that together with a
worst-case set of environmental conditions, will lead to an
accident” [22]. The hazards in STPA are viewed on a
system level, so they go beyond the single failures that
may occur in the system and should be referred to a
specific state of the system. Sub hazards are considered
states in a worst-case scenario leading to hazard
realisation. Generic requirements can be specified, based
on the hazards and sub hazards.
The development of a functional control structure is one
of the differentiating points of the STPA analysis,
compared with the other methods [22]. Usually, it starts
with a high-level abstraction of the system and proceeds
to a more detailed system description. The initial control
structure consists of the high-level controller, the human
operator and the controlled process with the basic control,
feedback and communication links. A more detailed
description would incorporate a hierarchy of controllers.
Both high-level and detailed control structure can be used
for the safety analysis at different system design stages.
After the development of the basic control structure, the next step is its refinement. The required actions include the identification of: a) each controller's responsibilities; b) the process model, with its process variables and their potential values; c) the control actions; d) the behaviour of the actuators; e) the information from the sensors; f) the information from the other controllers.
The actual hazards identification starts by finding the
Unsafe Control Actions (UCAs). The possible ways to
proceed are either by using the control actions types as
initially proposed for the STPA [23] or by using the
context tables as proposed in [18]. Herein, the second of the two approaches has been selected. According to both approaches, the possible UCAs can be of the following seven types [22]:
Not providing the control action leads to a hazard.
Providing the control action leads to a hazard.
Providing the control action too late.
Providing the control action too early.
Providing the control action out of sequence.
Stopping the control action too soon.
Applying the control action for too long.
According to STPA, there is also another type of UCA, when the safe control action is provided but is not followed. This type of failure mode is addressed during the identification of causal factors in the second step of the method. As with the system hazards, safety constraints can be derived for the UCAs, aiding the identification of possible safety barriers.
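As an added illustration of the context-table approach described above (example code written for this page, not the authors' analysis tooling): a small Python script builds the context table for one assumed PMS control action, "trip HVAC load" (the preferential tripping function), from an assumed process model, marks the contexts in which providing, not providing or late provision of the action is hazardous, links each UCA to one of the paper's sub hazards (H-1-1, H-1-2), tallies UCAs per hazard and per type in the manner of Figures 5 and 6, and turns each UCA into a safety constraint. The process-model variables, the hazard-assessment rules and the resulting counts are assumptions made for the illustration, not results from the paper.

```python
"""Context-table walk for one STPA control action (added example).

Illustrative code written for this page, not the authors' analysis tooling.
The control action ("trip HVAC load", the PMS preferential-tripping function),
the process-model variables and the hazard links are assumptions chosen to
show the method; the paper gives only the UCA type list and the totals.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from itertools import product

# The seven UCA types listed in the paper.
UCA_TYPES = (
    "not providing causes hazard",
    "providing causes hazard",
    "applied too late",
    "applied too early",
    "applied in wrong order",
    "stopped too soon",
    "stopped too late (applied too long)",
)

# Assumed process model of the PMS for the action "trip HVAC load": each
# variable with its possible values; the context table is their cross product.
PROCESS_MODEL = {
    "plant_load": ("below_limit", "near_limit", "overload"),
    "hvac_state": ("running", "tripped"),
    "dg_sets_online": ("one", "two_or_more"),
}


@dataclass(frozen=True)
class UCA:
    control_action: str
    uca_type: str
    context: tuple[tuple[str, str], ...]  # ((variable, value), ...)
    hazard: str                           # sub hazard id from the paper's list


def assess_context(ctx: dict[str, str]) -> list[tuple[str, str]]:
    """Return the (uca_type, hazard) pairs that apply in one context row.

    The rules are assumptions for the illustration:
    - plant overloaded and HVAC still running: not tripping HVAC, or tripping
      it late, leaves the D/G sets overloaded -> H-1-1;
    - load below the limit with only one D/G set online: tripping HVAC is an
      unnecessary load step, i.e. a transient -> H-1-2.
    """
    found = []
    hvac_running = ctx["hvac_state"] == "running"
    if ctx["plant_load"] == "overload" and hvac_running:
        found.append(("not providing causes hazard", "H-1-1"))
        found.append(("applied too late", "H-1-1"))
    if ctx["plant_load"] == "below_limit" and hvac_running and ctx["dg_sets_online"] == "one":
        found.append(("providing causes hazard", "H-1-2"))
    return found


def context_table(model: dict[str, tuple[str, ...]]) -> list[dict[str, str]]:
    """Every combination of process-variable values (one row per context)."""
    names = list(model)
    return [dict(zip(names, values)) for values in product(*(model[n] for n in names))]


def enumerate_ucas(control_action: str, model, assess) -> list[UCA]:
    """Walk the context table and collect the UCAs the assessment rules yield."""
    ucas = []
    for ctx in context_table(model):
        for uca_type, hazard in assess(ctx):
            if uca_type not in UCA_TYPES:
                raise ValueError(f"unknown UCA type: {uca_type}")
            ucas.append(UCA(control_action, uca_type, tuple(sorted(ctx.items())), hazard))
    return ucas


def ucas_per_hazard(ucas: list[UCA]) -> dict[str, int]:
    """The tally behind a chart such as the paper's Figure 5."""
    return dict(Counter(u.hazard for u in ucas))


def ucas_per_type(ucas: list[UCA]) -> dict[str, int]:
    """The tally behind a chart such as the paper's Figure 6."""
    return dict(Counter(u.uca_type for u in ucas))


def safety_constraint(uca: UCA) -> str:
    """Turn a UCA into the safety constraint the controller must satisfy."""
    verb = {
        "not providing causes hazard": "must provide",
        "providing causes hazard": "must not provide",
        "applied too late": "must provide in time",
        "applied too early": "must not provide before the required point",
        "applied in wrong order": "must provide in the required sequence",
        "stopped too soon": "must not stop early",
        "stopped too late (applied too long)": "must stop in time",
    }[uca.uca_type]
    ctx = ", ".join(f"{k}={v}" for k, v in uca.context)
    return f"PMS {verb} '{uca.control_action}' when {ctx} [{uca.hazard}]"


if __name__ == "__main__":
    found = enumerate_ucas("trip HVAC load", PROCESS_MODEL, assess_context)
    print(f"{len(context_table(PROCESS_MODEL))} contexts, {len(found)} UCAs")
    print(ucas_per_hazard(found), ucas_per_type(found))
    for u in found:
        print(safety_constraint(u))
```

Scaling this to the 160 and 228 UCAs reported in the paper is a matter of adding the remaining control actions and process variables; the cross product in `context_table` is what makes the growth in UCAs from each additional BMS control action visible early in the design.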
Figure 1 STPA steps.
The second step in the hazard identification of the STPA
has the purpose of determining all the scenarios and causal
factors leading to the UCAs. This is done by examining
the hazardous scenarios including software and physical
failures as well as design errors. There are several ways to
organize the results of the hazardous scenarios by using
tables or lists. In this work, the process was augmented by
a checklist, developed on the basis of previous studies [24,
25]. The main categories of causal factors are:
Inappropriate control input
Hardware failure
Software faulty implementation
Software faulty design
Erroneous or missing input
Inadequate control command transmission
Flawed execution due to faults in actuator or
physical process
Conflicting control actions
3. SYSTEMS DESCRIPTION
The single line diagram of the conventional diesel-electric and of the hybrid-electric propulsion system is presented in Figure 3, whilst the functional control structure for both systems is given in Figure 2. Two switchboards and engine rooms are available to comply with the Safe Return to Port rules requirements [26]. The power network is of the Alternating Current type. It has also been assumed that the DEP plant operates with the bus-tie circuit breaker connected (closed). The Power Management System (PMS) starts/stops the engines based on the ship consumers' electric load demand. Switchover between the plant Diesel Generators (D/G) is implemented based on the D/G sets' running hours. The PMS can implement a fast electrical load reduction for the propulsion motors and bow thrusters as well as preferential tripping functions (fast load reduction) by tripping Heating, Ventilation and Air Conditioning (HVAC) units.
Figure 2 Functional control structure.
Figure 3 Single line diagram of conventional and hybrid power network.
The D/G sets operate in droop mode and their power output is regulated by a speed governor and an Automatic Voltage Regulator (AVR). Several safety systems are used to trip D/G sets and propulsion motors if a fault is detected. The DEP control network is also considered to be isolated from other networks, so no hazardous scenarios are developed in the system because of cyber-attacks. It is also considered that the human operator neither reduces nor introduces new hazards.
In the investigated HEP system, in addition to the
components present in conventional DEP, one battery
pack per switchboard with current converter is considered.
The battery output and condition are controlled by a
dedicated Battery Management System (BMS) which
monitors the actual battery health state and the battery and
cell capacity and controls the battery cells charge status,
the discharging/charging rate, the converters power output
and the battery auxiliary systems. The BMS
communicates with PMS to determine the actual power
status and power demand implementing in this way the
Energy Management System functions. The BMS also
communicates with fire-fighting systems to determine the
battery operating status. Battery capacity is considered
adequate to cover the whole ship power demand for a
limited period. The battery has been considered of Li-Ion
type.
4. RESULTS AND DISCUSSION
Based on previous Formal Safety Assessment studies, the
following causality scenarios can be considered as
accidents [27]:
Collision [A-1]
Contact [A-2]
Grounding [A-3]
Fire [A-4]
Explosion [A-5]
Machinery damage [A-6]
Foundering [A-7]
Operating personnel injury or death [A-8]
These accidents are not fully disjoint, as a fire can lead to
collision and vice versa [28]. In addition, numerous
hazards can be connected to the accidents on a cruise ship
and there can be interactions between different hazards.
Herein, the most important and those related to the system
under analysis are referred to [11, 27]:
Propulsion loss [H-1] leading to collision, contact and grounding accidents. The propulsion loss can be further developed into the following sub hazards:
o D/G sets overload [H-1-1].
o Transients [H-1-2].
o Imbalanced power generation [H-1-3].
o D/G sets unavailability [H-1-4].
o Batteries unavailability [H-1-5].
o Propulsion motors unavailability [H-1-6].
Flammable liquid on hot surfaces in the engine room and other conditions leading to fire in the engine room [H-2].
Uncontrolled electrical faults in equipment leading to fire and explosions in system components or blackout (propulsion loss) [H-3].
Toxic/flammable atmosphere in the battery room leading to crew intoxication or fire [H-4].
Anomalous conditions in batteries leading to fire and thermal runaway [H-5].
Arson, a deliberate act resulting in fire [H-6].
Human erroneous operation [H-7].
Cyber-attack leading to any of the previous hazards [H-8].
Water ingress [H-9].
Although it is acknowledged that hazards [H-6]-[H-9] contribute to the overall system risk, these hazards can be considered external to the system presented in Figure 2 and Figure 3, and thus their analysis has been omitted.
The developed control structure has already been provided in Figure 2. The difference between the two propulsion systems lies in the presence of the Battery Management System and in the additional interactions between the fire-fighting system and the propulsion system. The description of the responsibilities of each controller and of their control actions, although necessary for the analysis, has been omitted for brevity.
In total, 160 and 228 potential UCAs have been identified in the DEP and HEP systems, respectively. The increase in the number of UCAs can be attributed to the increase in the number of control actions implemented by the BMS; as can be seen, it leads to a significant increase in the number of potential UCAs (more than 40%). The distribution of UCAs per hazard is given in Figure 5. As can be seen from this figure, the number of hazardous scenarios other than propulsion loss, i.e. those leading to fire or crew intoxication, is significantly higher in the investigated HEP system than in the DEP system. The number of scenarios leading to propulsion loss is also significantly higher. These results do not necessarily imply that the risk level is higher in the investigated hybrid-electric system than in the conventional DEP system, rather that there are many more paths to an accident in hybrid-electric systems than in DEP, which must be carefully controlled. This also indicates that a successful cyber-attack on a hybrid-electric vessel would lead to more hazardous scenarios than on a conventional cruise ship.
The distribution of UCA failure modes for the investigated HEP system is given in Figure 6. The results for the DEP system are similar. As can be observed from Figure 6, the primary failure modes are related either to failure to provide the intended control action, to failure to provide it in time, or to commission errors. These types of UCAs, as well as actions applied in the wrong order, are related to the designed safety functions or automated control actions in the investigated system. Stopped too late, stopped too soon and applied too early were related mostly to control actions implemented by the investigated system's PID controllers.
In total, 2,225 and 1,523 causal factors have been identified for the hybrid-electric and the conventional diesel-electric propulsion systems, respectively. The causal factor distribution for the HEP system is given in Figure 4. The results for the conventional DEP system are similar. As can be observed, most scenarios depend on errors in the installed control software, either controller design or implementation errors. Errors in sensors have also been identified as potential causal factors.
Based on the conducted analysis and the derived results
comparison, the following safety recommendations can be
made:
In HEP systems, adequate means must be provided to prevent and mitigate scenarios leading to fire, to ensure that the hazardous scenarios leading to fire do not result in a higher risk in the hybrid-electric system than in the conventional system. This includes the systems responsible for battery temperature management and fire-fighting, and the proper selection of the battery location.
The system operational conditions must be thoroughly understood and addressed in the system design. This includes the battery and actuator degradation mechanisms, potential modifications to the systems, and software updates during operation and maintenance.
Rigorous testing of the system control actions must be implemented to ensure their functionality during the design, development and trial phases, according to the hazard identification process, in both diesel-electric and hybrid-electric systems. The development and test cost in a hybrid-electric system will be higher since the number of scenarios to be addressed is also higher.
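Added example (not the paper's code) of the scenario testing recommended above, in Python: a minimal tick-based model of the PMS fast-load-reduction action is run through scenarios and checked against the safety constraint that the action "reduce propulsion load" must be commanded within a deadline once the plant is overloaded, which is the constraint a "not providing" or "applied too late" UCA for sub hazard H-1-1 (D/G sets overload) would yield. The scenarios cover a healthy load sensor, a stuck sensor (the "erroneous or missing input" causal factor), the same fault with a redundant sensor and a plausibility check, and a debounce setting long enough to turn a correct action into a late one. The controller logic, the 3-tick deadline, the load profile and the sensor fault models are constructed assumptions for this illustration.

```python
"""Scenario tests of a PMS fast-load-reduction function against an STPA-derived
safety constraint (added example, not the paper's code).

Assumptions: the tick-based controller model, the 3-tick deadline, the load
profile and the sensor fault models are all constructed for this illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional

DEADLINE_TICKS = 3   # assumed: reduction must be commanded within 3 ticks of an overload
ACTION = "reduce propulsion load"

Sensor = Callable[[int, float], float]   # (tick, true load in kW) -> reported load in kW


@dataclass
class PMS:
    """Minimal PMS model with a single control action."""
    confirm_ticks: int = 1            # consecutive over-limit readings required before acting
    redundant_sensor: bool = False    # plausibility check between two load sensors
    over_count: int = 0
    commands: list[tuple[int, str]] = field(default_factory=list)

    def step(self, tick: int, capacity_kw: float, a: float, b: Optional[float] = None) -> None:
        measured = a
        if self.redundant_sensor and b is not None and abs(a - b) > 0.05 * capacity_kw:
            measured = max(a, b)      # sensors disagree: use the conservative reading
        self.over_count = self.over_count + 1 if measured > capacity_kw else 0
        if self.over_count >= self.confirm_ticks:
            self.commands.append((tick, ACTION))


def check_constraint(true_load: list[float], capacity_kw: float, commands) -> dict:
    """Safety constraint for H-1-1: once the true plant load exceeds capacity,
    ACTION must be commanded within DEADLINE_TICKS of the first overloaded tick."""
    overload_ticks = [t for t, kw in enumerate(true_load) if kw > capacity_kw]
    if not overload_ticks:
        return {"overload": False, "satisfied": True, "latency": None}
    first = overload_ticks[0]
    cmd_ticks = [t for t, c in commands if c == ACTION and t >= first]
    if not cmd_ticks:
        return {"overload": True, "satisfied": False, "latency": None}   # "not providing"
    latency = cmd_ticks[0] - first
    return {"overload": True, "satisfied": latency <= DEADLINE_TICKS, "latency": latency}


def run_scenario(true_load: list[float], capacity_kw: float, sensor_a: Sensor,
                 sensor_b: Optional[Sensor] = None, confirm_ticks: int = 1) -> dict:
    """Drive the PMS model through one load profile and evaluate the constraint."""
    pms = PMS(confirm_ticks=confirm_ticks, redundant_sensor=sensor_b is not None)
    for tick, kw in enumerate(true_load):
        b = sensor_b(tick, kw) if sensor_b else None
        pms.step(tick, capacity_kw, sensor_a(tick, kw), b)
    return check_constraint(true_load, capacity_kw, pms.commands)


def healthy(tick: int, kw: float) -> float:
    """Sensor that reports the true load."""
    return kw


def stuck_after(freeze_tick: int) -> Sensor:
    """Sensor that keeps reporting its last good value from freeze_tick onwards
    (the 'erroneous or missing input' causal factor)."""
    last = [0.0]

    def sensor(tick: int, kw: float) -> float:
        if tick < freeze_tick:
            last[0] = kw
            return kw
        return last[0]
    return sensor


# Constructed load profile: 10 MW capacity, overload from tick 4 onwards.
CAPACITY_KW = 10_000.0
LOAD_KW = [8000.0, 8500.0, 9000.0, 9500.0, 10500.0, 11000.0, 11500.0, 11500.0]

if __name__ == "__main__":
    print("healthy sensor     ", run_scenario(LOAD_KW, CAPACITY_KW, healthy))
    print("stuck sensor       ", run_scenario(LOAD_KW, CAPACITY_KW, stuck_after(3)))
    print("stuck + redundant  ", run_scenario(LOAD_KW, CAPACITY_KW, stuck_after(3), healthy))
    print("debounce too long  ", run_scenario(LOAD_KW, CAPACITY_KW, healthy, confirm_ticks=5))
```

The stuck-sensor scenario never commands the reduction at all, which is the "not providing" failure mode, while the long debounce turns a correct design into an "applied too late" one; both surface only because the check is made against the true load rather than the controller's own view of it, which is the point of testing against the constraint rather than the implementation.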
From the STPA application to the conventional diesel-electric and the HEP system, an extensive list of safety requirements for the employed control systems has been derived. However, some limitations of STPA have been revealed during the analysis. Potentially, more scenarios could be identified if a more refined system representation were used. In addition, STPA is applied for scenario development but does not allow risk estimation and scenario ranking, so the only discussion about potential safety implications can be in terms of hazardous scenarios.
5. CONCLUSIONS
In this study, STPA has been applied for the hazard identification and analysis of a diesel-electric and a hybrid-electric propulsion system. Through its application, hazardous scenarios in the automation and control system have been identified and compared.
The main findings can be summarised as follows:
Figure 5 UCAs distribution per hazards. (Pie charts for HEP and DEP; legend: H-1, H-2, H-3, H-4, H-5. Percentages as they appear in the extracted chart, HEP: 72%, 5%, 4%, 7%, 12%; DEP: 86%, 8%, 6%, 0%, 0%.)
Figure 6 Failure modes distribution. (Pie chart for HEP; legend: Applied in wrong order, Applied too early, Applied too late, Not providing causes hazards, Providing causes hazards, Stopped too late (applied too long), Stopped too soon. Percentages as they appear in the extracted chart: 3%, 2%, 22%, 26%, 37%, 7%, 3%.)
Figure 4 Distribution of causal factors. (Pie chart for HEP; legend: Inappropriate control input, Hardware failure, Software faulty implementation, Software faulty design, Erroneous or missing input, Inadequate control command transmission, Flawed execution due to faults in actuator or physical process, Conflicting control actions. Percentages as they appear in the extracted chart: 1%, 5%, 11%, 29%, 29%, 6%, 17%, 2%.)
Hazardous scenarios leading to fire accidents are significantly more numerous in HEP systems, and thus must be carefully controlled.
The number of scenarios leading to propulsion loss and potential collision, contact or grounding is also higher in HEP systems than in conventional DEP systems.
The failure mode and potential causal factor distributions are similar in hybrid-electric and diesel-electric propulsion systems.
Special attention must be paid to software design, software testing, sensor redundancy and battery location in hybrid propulsion systems.
An improvement of the STPA method must be considered to allow ranking of different scenarios and estimating risk.
In summary, the results indicate the high importance of
proper operation of control and automation systems for
diesel-electric and hybrid-electric systems safety. A
potential future work could investigate the risk level in
more detail by improving the STPA method.
6. ACKNOWLEDGMENTS
The work presented in this paper was partially supported by the “NEXUS Towards Game-changer Service Operation Vessels for Offshore Windfarms” project, funded by the European Union's Horizon 2020 research and innovation action under grant agreement N° 774519. The authors are grateful to Dr Romanas Puisa from the Maritime Safety Research Centre, to Dr George Psarros, Dr Ole Christian Astrup, Dr Rainer Hamann and Dr Pierre C Sames from DNV GL AS, and to Kevin Douglas from Royal Caribbean for their valuable comments and support. The opinions expressed herein are those of the authors and should not be construed to reflect the views of the European Commission or the acknowledged individuals and their associated organisations.
7. REFERENCES
1. International Maritime Organization. Regulations for the prevention of air pollution from ships and NOx technical code 2008. London, UK: IMO Publishing; 2009.
2. GREENPORT. Norway adopts zero-emissions regulations in world heritage fjords. 2018. Available from: https://www.greenport.com/news101/Regulation-and-Policy/norway-adopts-zero-emissions-regulations-in-world-heritage-fjords.
3. Jeong B, Oguz E, Wang H, Zhou P. Multi-criteria decision-making for marine propulsion: Hybrid, diesel electric and diesel mechanical systems from cost-environment-risk perspectives. Applied Energy. 2018;230:1065-81.
4. Corvus Energy. World's first all-electric car ferry. 2016. Available from: https://corvusenergy.com/marine-project/mf-ampere-ferry/.
5. Caledonian Maritime Assets Ltd (CMAL). History of our hybrid ferries. 2013. Available from: http://www.cmassets.co.uk/project/hybrid-ferries-project/.
6. Hurtigruten. Hurtigruten names hybrid explorer ships. 2018. Available from: https://www.hurtigruten.co.uk/about-us/news/new-hybrid-explorer-ships/.
7. Dhanvijay N. Vard to build hybrid LNG cruise vessel for Ponant. Electrans; 2017. Available from: https://www.electrans.co.uk/vard-to-build-hybrid-lng-cruise-vessel-for-ponant/.
8. Brandsaeter A, Valoen LO, Mollestad E, Haugom GP. In focus – the future is hybrid. DNV GL; 2015.
9. Räsänen J-E. Current and future scale limitation for alternative marine power and propulsion solutions. Power & Propulsion Alternatives for Ships; Rotterdam, Netherlands: The Royal Institution of Naval Architects; 2017.
10. Geertsma RD, Negenborn RR, Visser K, Hopman JJ. Design and control of hybrid power and propulsion systems for smart ships: A review of developments. Applied Energy. 2017;194:30-54.
11. Bolbot V, Theotokatos G, Vassalos D. Using system-theoretic process analysis and event tree analysis for creation of a fault tree of blackout in the Diesel-Electric Propulsion system of a cruise ship. Marine Design XIII, Volume 2: CRC Press; 2018. p. 691-9.
12. Nilsen OV. FSA for Cruise Ships - Task 4.1.1 - Hazid identification. 2005.
13. MAIB. Report on the investigation of the catastrophic failure of a capacitor in the aft harmonic filter room on board RMS Queen Mary 2 while approaching Barcelona 23 September 2010. Southampton, UK; 2011.
14. Hill DM, Agarwal A, Gully B. A review of engineering and safety considerations for hybrid power (Lithium-Ion) systems in offshore applications. Oil and Gas Facilities. June 2015:68-77.
15. International Maritime Organization. SOLAS: consolidated text of the International Convention for the Safety of Life at Sea, 1974, as amended. 6th consolidated edition. International Maritime Organization; 2014. 420 p.
16. DNV GL. Additional class notations: Battery power. Part 6 Chapter 2 Section 1; 2018.
17. Bolbot V, Theotokatos G, Bujorianu LM, Boulougouris E, Vassalos D. Vulnerabilities and safety assurance methods in Cyber-Physical Systems: A comprehensive review. Reliability Engineering & System Safety. 2019;182:179-93.
18. Thomas J. Extending and automating a systems-theoretic hazard analysis for requirements generation and analysis. Massachusetts Institute of Technology; 2013.
19. Rokseth B, Utne IB, Vinnem JE. A systems approach to risk analysis of maritime operations. Proceedings of the Institution of Mechanical Engineers, Part O: Journal of Risk and Reliability. 2017;231(1):53-68.
20. Sulaman SM, Beer A, Felderer M, Höst M. Comparison of the FMEA and STPA safety analysis methods – a case study. Software Quality Journal. 2017:1-39.
21. UK P&I CLUB. Risk Focus: Loss of power. 2015.
22. Leveson N, Thomas J. An STPA Primer. 2015.
23. Leveson N. Engineering a safer world: Systems thinking applied to safety. MIT Press; 2011.
24. Blandine A. System theoretic hazard analysis applied to the risk review of complex systems: an example from the medical device industry. Cambridge, MA, USA: Massachusetts Institute of Technology; 2013.
25. Becker C, Van Eikema Hommes Q. Transportation systems safety hazard analysis tool (SafetyHAT) user guide (version 1.0). John A. Volpe National Transportation Systems Center; 2014.
26. DNV GL. Guidance for safe return to port projects. DNVGL-CG-0004; 2016.
27. IMO. Formal Safety Assessment - Cruise ships. 2008.
28. Hamann R, Papanikolaou A, Eliopoulou E, Golyshev P. Assessment of safety performance of container ships. Proceedings of the IDFS. 2013:18-26.
8. AUTHORS BIOGRAPHY
Victor Bolbot is a third-year PhD student at the Department of Naval Architecture, Ocean and Marine Engineering of the University of Strathclyde, Glasgow. As a PhD student he is conducting research on the safety of complex and Cyber-Physical Systems with a focus on power generation systems. His recent research outputs include publications on the safety assessment of power systems on cruise ships, dual-fuel engines and safety assurance methods in Cyber-Physical Systems.
Gerasimos Theotokatos is DNV GL Reader of Safety of
Marine Systems at the University of Strathclyde,
Department of Naval Architecture Ocean and Marine
Engineering. His research focuses on the modelling
methods, optimisation and experimental analysis of
marine systems and ship energy systems pursuing life-
cycle efficiency improvement, their environmental
footprint reduction and their safety enhancement.
Evangelos Boulougouris is RCCL Reader of Safety of
Marine Operations at the University of Strathclyde,
Department of Naval Architecture Ocean and Marine
Engineering and Director of the Maritime Safety Research
Centre. His main research interests are focused on ships
safety and marine design optimisation. He has produced
more than 70 publications in journals and international
peer-reviewed conferences and 2 chapters in books.
Dracos Vassalos is a Professor of Maritime Safety in the
Department of Naval Architecture, Ocean and Marine
Engineering at the University of Strathclyde in Glasgow,
UK. Professor Vassalos pursued over a 40-year career in
industry and academia, promoting the use of scientific
approaches in maritime safety and risk, including
environmental risk. Professor Vassalos received a Life
Achievement Award from the Royal Academy of
Engineering in 2011, the Froude Medal from RINA in
2012, the David Taylor Medal from SNAME and a DSC
from Strathclyde in 2016 for his life-long contribution to
maritime safety.
... Whilst the temporal relations of the investigated system were incorporated in [20], no importance analysis was implemented due to computational limitations. The STPA results ranking was applied based on an approximate estimation of the considered safety metrics [34,[36][37][38], whilst the study in [35] did not consider the system interactions in detail. ...
... The CASA method incorporates a wider system context, considers the software failures, thus addressing the CPSs software-intensive character of CPSs, and incorporates the system temporal behaviour in the Fault Tree thanks to the inclusion of the ESI approach. The incorporation of the system temporal aspects is an advantage compared to other studies using FMEA [29], FTA [30,31], Bayesian Networks [32], and STPA [34][35][36][37][38]. ...
... Another advantage of the CASA method is the quantification of the impact on the system safety of adding advanced software-based functions, which was not demonstrated in STPA based approaches [34,[36][37][38], and only approximated in [35,38]. This is an advantage compared to a number of model-based approaches. ...
Article
Full-text available
Cyber-Physical Systems (CPSs) represent a systems category developed and promoted in the maritime industry to automate functions and system operations. In this study, a novel Combinatorial Approach for Safety Analysis is presented, which addresses the traditional safety methods’ limitations by integrating System Theoretic Process Analysis (STPA), Events Sequence Identification (ETI) and Fault Tree Analysis (FTA). The developed method results in the development of a detailed Fault Tree that captures the effects of both the physical components/subsystems and the software functions’ failures. The quantitative step of the method employs the components’ failure rates to calculate the top event failure rate along with importance metrics for identifying the most critical components/functions. This method is implemented for an exhaust gas open loop scrubber system safety analysis to estimate its failure rate and identify critical failures considering the baseline system configuration as well as various alternatives with advanced functions for monitoring and diagnostics. The results demonstrate that configurations with SOx sensor continuous monitoring or scrubber unit failure diagnosis/prognosis lead to significantly lower failure rate. Based on the analysis results, the advantages/disadvantages of the novel method are also discussed. This study also provides insights for better safety analysis of the CPSs.
... According to the International Maritime Organisation (IMO), a modified version of the Failure Modes and Effects Analysis (FMEA) is required for the availability assessment of the propulsion and other systems on the cruise ships following a flooding or fire accident to ensure the vessel's safe return to port (Safe Return to Port regulations) [6]. Other studies for ensuring the safety of cruise ship power plants involved dynamic simulations [7,8], Reliability Block Diagrams [9-11], FMEA [12-14], Fault Tree Analysis (FTA) [15-17], FTA and FMEA [18], the HiP-HOPS method [19,20], System-Theoretic Process Analysis (STPA) [21-24], combinatory methods [25], accident investigation data [26], reachability analysis [27], and Markov chains [28]. ...
Article
Diesel–Electric Propulsion (DEP) has been widely used for the propulsion of various ship types including cruise ships. Considering the potential consequences of blackouts, especially on cruise ships, it is essential to design and operate the ships’ power plants for avoiding and preventing such events. This study aims at implementing a comprehensive safety analysis for a cruise ship Diesel–Electric Propulsion (DEP) plant focusing on blackout events. The Combinatorial Approach to Safety Analysis (CASA) method is used to develop Fault Trees considering the blackout as the top event, and subsequently estimate the blackout frequency as well as implement importance analysis. The derived results demonstrate that the overall blackout frequency is close to corresponding values reported in the pertinent literature as well as estimations based on available accident investigations. This study deduces that the blackout frequency depends on the number of operating Diesel Generator (DG) sets, the DG set’s loading profile, the amount of electrical load that can be tripped during overload conditions and the plant operation phase. In addition, failures of the engine auxiliary systems and the fast-electrical load reduction functions, as well as the power generation control components, are identified as important. This study demonstrates the applicability of the CASA method to complex marine systems and reveals the parameters influencing the investigated system blackout frequency, thus providing better insights for these systems’ safety analysis and enhancement.
Article
Recently, the safety issue of maritime autonomous surface ships (MASS) has become a hot topic. Preliminary hazard analysis of MASS can assist autonomous ship design and ensure safe and reliable operation. However, since MASS technology is still at its early stage, there are not enough data for comprehensive hazard analysis. Hence, this paper attempts to combine conventional ship data and MASS experiments to conduct a preliminary hazard analysis for autonomy level III MASS using the hybrid causal logic (HCL) method. Firstly, the hazardous scenario of autonomy level III MASS is developed using the event sequence diagram (ESD). Furthermore, the fault tree (FT) method is utilized to analyze mechanical events in ESD. The events involving human factors and related to MASS in the ESD are analyzed using Bayesian Belief Network (BBN). Finally, the accident probability of autonomy level III MASS is calculated in practice through historical data and a test ship with both an autonomous and a remote navigation mode in Wuhan and Nanjing, China. Moreover, the key influence factors are found, and the accident-causing event chains are identified, thus providing a reference for MASS design and safety assessment process. This process is applied to the preliminary hazard analysis of the test ship.
Conference Paper
As windfarms are moving further offshore, their maintenance has to be supported by the new generation Service Operation Vessels (SOV) with Dynamic Positioning capabilities. For the SOV safe operations it is crucial that any hazardous scenario is properly controlled. Whilst international regulations require the implementation of Failure Modes and Effects Analysis (FMEA) for SOV power systems, FMEA has been criticised for not addressing properly failures in control systems. In this study, System-Theoretic Process Analysis (STPA) is employed for identifying the hazardous scenarios in terms of Unsafe Control Actions (UCAs) in Direct Current (DC) and DC with batteries power systems. Then the identified UCAs are ranked based on their risk. The results demonstrate that the number of hazardous scenarios derived by the STPA increases in a power system with batteries in comparison to a conventional DC power system, thus depicting higher complexity of this system. However, the increase in overall risk is small and within acceptable limits, whilst the risk reduces for a number of UCAs leading to Diesel Generator overload sub-hazard.
Article
As Cyber-Physical Systems (CPSs) are a class of systems advancing in a number of safety critical application areas, it is crucial to ensure that they operate without causing any harm to people, environment and assets. The complexity of CPSs, though, renders them vulnerable and accident-prone. In this study, the sources of complexity are meticulously examined and the state-of-the-art and novel methods that are used for the safety assurance of CPSs are reviewed. Furthermore, the identified safety assurance methods are assessed for their compatibility with the technical processes during the system design phase, and the methods' effectiveness in addressing the different CPSs sources of complexity is investigated. Advantages and disadvantages of the different safety assurance methods are also presented. Based on the results of this review, directions for the safety enhancement of CPSs and topics for future research in the area of CPSs safety are provided.
Article
As our society becomes more and more dependent on IT systems, failures of these systems can harm more and more people and organizations. Diligently performing risk and hazard analysis helps to minimize the potential harm of IT system failures on the society and increases the probability of their undisturbed operation. Risk and hazard analysis is an important activity for the development and operation of critical software intensive systems, but the increased complexity and size puts additional requirements on the effectiveness of risk and hazard analysis methods. This paper presents a qualitative comparison of two hazard analysis methods, failure mode and effect analysis (FMEA) and system theoretic process analysis (STPA), using case study research methodology. Both methods have been applied on the same forward collision avoidance system to compare the effectiveness of the methods and to investigate what the main differences between them are. Furthermore, this study also evaluates the analysis process of both methods by using qualitative criteria derived from the technology acceptance model (TAM). The results of the FMEA analysis were compared to the results of the STPA analysis, which were presented in a previous study. Both analyses were conducted on the same forward collision avoidance system. The comparison shows that FMEA and STPA deliver similar analysis results.
Article
The recent trend to design more efficient and versatile ships has increased the variety in hybrid propulsion and power supply architectures. In order to improve performance with these architectures, intelligent control strategies are required, while mostly conventional control strategies are applied currently. First, this paper classifies ship propulsion topologies into mechanical, electrical and hybrid propulsion, and power supply topologies into combustion, electrochemical, stored and hybrid power supply. Then, we review developments in propulsion and power supply systems and their control strategies, to subsequently discuss opportunities and challenges for these systems and the associated control. We conclude that hybrid architectures with advanced control strategies can reduce fuel consumption and emissions up to 10–35%, while improving noise, maintainability, manoeuvrability and comfort. Subsequently, the paper summarises the benefits and drawbacks, and trends in application of propulsion and power supply technologies, and it reviews the applicability and benefits of promising advanced control strategies. Finally, the paper analyses which control strategies can improve performance of hybrid systems for future smart and autonomous ships and concludes that a combination of torque, angle of attack, and Model Predictive Control with dynamic settings could improve performance of future smart and more autonomous ships.
Article
Technological innovations and new areas of application introduce new challenges related to safety and control of risk in the maritime industry. Dynamically positioned systems are increasingly used, contributing to a higher level of autonomy and complexity aboard maritime vessels. Currently, risk assessment and verification of dynamically positioned systems are focused on technical reliability, and the main effort is centered on design and demonstration of redundancy in order to protect against component failures. In this article, we argue that factors, such as software-requirement errors, human errors, including unsafe or too late decision-making, and inadequate coordination between decision makers, also should be considered in the risk assessments. Hence, we investigate the feasibility of using a systems approach to analyzing risk in dynamically positioned systems and present an adapted version of the system-theoretic process analysis. A case study where the system-theoretic process analysis is applied to a dynamically positioned system is conducted to assess whether this method significantly expands the current view on safety of dynamically positioned systems. The results indicate that the reliability-centered approaches, such as the failure mode and effect analysis, sea trials, and hardware-in-the-loop testing, are insufficient and that their view on safety is too narrow. This article shows that safety constraints can be violated in a number of manners other than component failures for dynamically positioned systems, and hence, system-theoretic process analysis complements the currently applied methods.
Article
From prior experience in the automotive sector, and now the maritime sector, hybridization of power systems is known to increase energy efficiency and reduce emissions, with lower fuel consumption. With impending emissions-control areas in the US continental shelf, and nitrogen oxide enforcement mechanisms in the North Sea, emissions reduction in oil and gas exploration-and-production operations is increasingly relevant. Hybrid-power systems can address some of these issues with batteries to offset peak loads, thereby reducing size requirements for the total system. The challenge that the oil and gas industry faces is to decide when and where hybrid-power systems provide the most value for operations, how they should be implemented, what technologies are acceptable, what safety considerations there may be, and how these technologies can improve the bottom line. There is a wealth of information on lithium-ion batteries, though it is not all consistent: cost data are unclear, lifetime and energy density considerations vary under different conditions, and ruggedness and application to harsh environments constitute a large uncertainty. A review of these technologies is provided to serve as a selection guide.
Article
The paper introduces a new decision-making process which is used to compare the performance of a ship with either diesel electric hybrid propulsion or conventional propulsion systems. A case study was carried out to compare the performance of both propulsions from cost, environmental and risk perspectives. This paper also overviews the modern approaches of multi-criteria decision-making and highlights some of their shortcomings, in particular the fact that these approaches often rely on different criteria such as financial, environmental or risk. This paper aims to overcome this shortcoming by enhancing the process of multi-criteria decision analysis. The key process in this research was to convert all incomparable values into monetary values, thereby enabling the impacts of each criterion to be compared and integrated in a straightforward manner. Results of the case study showed that the use of a hybrid propulsion system could reduce annual operational costs by $300,000 (2% of total cost) compared with a diesel electric system and almost $1 million (7%) compared to a diesel mechanical propulsion system. In order to investigate the optimal use of the hybrid propulsion system, various operational scenarios were identified and applied to the proposed decision-making process. The results showed that operating the ship in hybrid mode during manoeuvring and berthing is more desirable, as the holistic cost can be reduced by almost $1 million. The advantages of the proposed decision-making process were illustrated by comparing the results obtained from a conventional decision-making process using the analytical hierarchical method. It is believed that the research findings not only present a general understanding of the possible advantages of hybrid propulsion for stakeholders, but also provide them with an insight into the enhanced approach to multi-criteria decision analysis.
Article
Traditional methods to identify and document hazards, and the corresponding safety constraints, are lacking in their ability to account for human, software and sub-system interactions in highly technical systems. STAMP, a systems-theoretic accident causality model, was created to overcome these limitations. The application of the STAMP hazard analysis method STPA to five sub-systems of the Paul Scherrer Institute's experimental PROSCAN proton therapy system demonstrated how STPA can augment design and risk review of existing complex systems. Two of the five human controllers active in treatment delivery, two of the four process attributes controlled by the PROSCAN facility, and one of the four control loops that control the beam to target alignment attribute were analyzed. In doing so, the following contributions were made:
- Analyzed the regulations currently in place in the US and Europe for the marketing of external beam radiotherapy devices and, more generally, medical devices that do not contain radioactive materials, concluding that STPA would be acceptable in both regulatory systems;
- Provided experience in applying STPA to a complex device. Information on efficacy was derived by comparing STPA results with an existing safety assessment, but a more formal counterpart is needed for stronger evidence. Information on learnability and usability was obtained when an informal workshop showed that system designers, in the course of one day, could be taught to use STPA to push their thinking about yet to be designed system elements;
- Demonstrated the applicability of STPA to an experimental radiotherapy facility and, through this feasibility check, potentially influenced the state of the art in hazard analysis of medical devices and health care delivery;
- Advanced the STPA methodology by creating notations and a process to document, query and visualize the possibly large number of hazardous scenarios identified by STPA analyses, with the goal of facilitating their review and use by their intended audience;
- Showed how STPA is complementary to more traditional hazard analysis techniques such as fault and event trees. Their respective strengths can be summoned when STPA is used to identify areas on which to focus the investigation lens of traditional hazard analysis techniques.
Keywords: STAMP, STPA, hazard analysis, risk analysis, risk management, proton therapy, medical devices, safety, certification
Article
Systems Theoretic Process Analysis (STPA) is a powerful new hazard analysis method designed to go beyond traditional safety techniques - such as Fault Tree Analysis (FTA) - that overlook important causes of accidents like flawed requirements, dysfunctional component interactions, and software errors. While proving to be very effective on real systems, no formal structure has been defined for STPA and its application has been ad-hoc with no rigorous procedures or model-based design tools. This report defines a formal mathematical structure underlying STPA and describes a procedure for systematically performing an STPA analysis based on that structure. A method for using the results of the hazard analysis to generate formal safety-critical, model-based system and software requirements is also presented. Techniques to automate both the analysis and the requirements generation are introduced, as well as a method to detect conflicts between the safety and other functional model-based requirements during early development of the system.
Corvus-Energy. World's first all-electric car ferry. 2016. [Available from: https://corvusenergy.com/marine-project/mfampere-ferry/]