
SST.2012.5.2-5: Grant no. 314286 E-guided vessels: The 'autonomous' ship

Risk assessment of the unmanned ship

MUNIN Final Event June 10th 2015, Hamburg, Germany

Ørnulf Jan Rødseth, M. Sc. Senior Scientist

MARINTEK

http://www.unmanned-ship.org

Contents

Industrial autonomous systems

The design methodology

Risk assessment

Conclusion and further work

Industrial autonomous systems

(Diagram: Safe; Real world environment; Commercial value; Cost-effective)

An autonomous vehicle that can operate safely and effectively in a real world environment while doing operations of direct commercial value, and which can be manufactured, maintained, deployed, operated and retrieved at an acceptable cost.

Examples of industrial autonomous systems (picture slide)

How to handle the trade-off between complexity, capabilities and costs?

Modify system design.

Modify operational mode.

Modify operational scenarios.

What to do depends on the problem one wants to solve!

Development methodology objectives

Ensure an acceptable safety and security level for own and other ships and for the international shipping community in general.

Minimize uncertainty in the missions' intended outcome as well as in unintended side effects.

Develop a cost-effective system that can compete on a level playing field in a commercial operational environment.

The design methodology

Methodology

Iterative method, partly based on Unified Modelling Language (UML) and partly on Formal Safety Assessment (FSA).

(Diagram of the iteration: Scenario building; Use cases; HazId; Risk control, CBA; Hypothesis test; Systems description; Design verification)

Methodology

Select scenarios based on functional divisions and voyage phases.

Divide into use cases and describe sequences of operations.

Scenarios and use cases:

Autonomous ship requested for SAR participation
Collision detection and deviation by ASC
Communication failure
Flooding detection
GNSS (GPS/GLONASS) breakdown
Manoeuvring mode with malfunctions
Manoeuvring mode without malfunctions
On board system failure and problem resolution
Periodic status updates from vessel to shore control
Periodic updates of navigational data
Pilot unavailable, remote control to confined waters
Piracy, boarding and ship retrieval
Release vessel FROM autonomous operation
Release vessel TO autonomous operation
Rope in propeller
Sea mode with malfunction
Sea mode without malfunctions
Small object detection
Weather routing

Methodology

Definition of SCC (Shore Control Centre).

Dividing responsibilities.

Defining modules.

(Module diagram: Autonomous Ship Controller, ASC; Advanced Sensor Module, ASM; Dedicated LOS communication systems; AIS, GMDSS; Ship automation systems; Shore Control Centre, SCC; Integrated bridge system; Rendezvous Control Unit, RCU; New sensors; Radar; Other ships, recovery crew and shore infrastructure)

Methodology

Identifying main hazards: classify, prioritize, control.

Hazard  Risk control
1       Avoid heavy traffic; object detection and classification; deep sea navigation module; SCC and VHF communication with ships
2       Improved maintenance routines; improved condition monitoring; redundancy in propulsion (water jet)
3       Radar and AIS integrated in object detection; SCC notification when in doubt
4       Weather routing; SCC indirect control
5       FLIR camera and high resolution CCTV; SCC notification when in doubt

Methodology

Design all tests of functionality as tests of hypothesis.

Test both positively and the negated assumption.

Only accept if both are true.

(Flowchart: Main hypothesis W; sub-hypotheses S1 to Sn; for each i, design and conduct a test for Si, then test both Si and ¬Si; if ok, continue with the next i, otherwise W is not ok. Acceptance criterion shown as S ∧ ¬(¬S).)
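As an added illustration (not code from the MUNIN project), the acceptance rule above in Python: each sub-hypothesis S_i gets a positive test and a separate test of its negation, and the main hypothesis W is accepted only when every S_i is confirmed and every ¬S_i is refuted. The sensor trial data and the detection thresholds are constructed for the example; a sensor that always reports "object" passes the positive test alone and is only caught by the negated test.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample trials for two hypothetical object-detection sensors (not MUNIN data).
# Each trial is (object_present, detector_reported_object).
GOOD_SENSOR = [(True, True)] * 9 + [(True, False)] + [(False, False)] * 10
# A sensor that always reports "object": passes every positive trial, alarms on every empty one.
ALWAYS_ON_SENSOR = [(True, True)] * 10 + [(False, True)] * 10

@dataclass
class SubHypothesis:
    """S_i with a positive test and a separate test of its negation."""
    name: str
    positive: Callable[[], bool]   # returns True if the evidence supports S_i
    negated: Callable[[], bool]    # returns True if the evidence supports not-S_i

def positive_detection(trials, min_hit_rate=0.9) -> bool:
    """S: when an object is present, the sensor reports it (hit rate at least min_hit_rate)."""
    hits = [reported for present, reported in trials if present]
    return bool(hits) and sum(hits) / len(hits) >= min_hit_rate

def negated_detection(trials, max_false_alarm_rate=0.1) -> bool:
    """not-S: the sensor reports objects that are not there (false-alarm rate too high)."""
    alarms = [reported for present, reported in trials if not present]
    # With no empty-scene trials, not-S cannot be refuted, so it is treated as holding.
    return not alarms or sum(alarms) / len(alarms) > max_false_alarm_rate

def accept(sub: SubHypothesis) -> bool:
    """Accept S_i only if S_i is confirmed AND not-S_i is refuted: S and not(not S)."""
    return sub.positive() and not sub.negated()

def evaluate_main_hypothesis(subs: Iterable[SubHypothesis]) -> tuple[bool, list[str]]:
    """W is ok only when every S_i is accepted; returns (W_ok, names of rejected S_i)."""
    rejected = [s.name for s in subs if not accept(s)]
    return (not rejected, rejected)

SUB_HYPOTHESES = [
    SubHypothesis("S1: good sensor detects objects",
                  lambda: positive_detection(GOOD_SENSOR),
                  lambda: negated_detection(GOOD_SENSOR)),
    SubHypothesis("S2: always-on sensor detects objects",
                  lambda: positive_detection(ALWAYS_ON_SENSOR),
                  lambda: negated_detection(ALWAYS_ON_SENSOR)),
]

def run() -> tuple[bool, list[str]]:
    """Evaluate W over the constructed sub-hypotheses."""
    return evaluate_main_hypothesis(SUB_HYPOTHESES)
```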

Methodology

To some degree in other phases of

the design.

Ship must also be under a approval

regime similar to todays ships.

Not part of MUNIN.

13

Risk assessment

Hazard identification

HazId workshops based on function groups and scenarios.

Immediate analysis of "quick fix", based on existing knowledge.

Conversion to risks and prioritization of remaining hazards into non-acceptable, ALARP and acceptable.

Function groups:

Voyage
Sailing
Observations
Safety, emergencies
Security
Crew, passenger
Cargo, stability, strength
Technical
Special functions
Administration

Examples of identified hazards (picture slides):

Collision and grounding
Not able to follow COLREGS
Problem with position fix
Technical problems
Need for technical maintenance and routine repair
Accidents or system breakdown
Hostile attacks
Terrorist hijack, e.g. by GPS spoofing
Pirate attack
Governmental backdoor
"Autonomy assisted accidents"

First radar assisted collision: Andrea Doria and Stockholm off Nantucket in 1956.

(Diagram: Maritime accidents, new versus avoided)

Some new accident types are probably unavoidable.

Non-acceptable risks

Five hazards were found in this category.

No obvious quick-fix.

Main risk 1

Interaction with other ships, whether they follow COLREGS or not, is a critical issue.

Main risk 2

Propulsion system breakdown will render the ship unable to move. This can cause groundings and collisions, or block fairways.

Main risk 3

Failure in object detection, particularly in low visibility, can cause powered collisions.

Main risk 4

Very heavy weather may make it difficult to manoeuvre the ship safely.

Main risk 5

Errors in detection and classification of small to medium size objects are critical, as they may be wreckage, persons, life boats or other objects that need to be reported to authorities.

Risk Control Options

Operational
Technical
Organizational
Modularization
Procedural


Conclusion and further work

Conclusions

Identified hazards and risks seem to be controllable.

Hypothesis tests confirm this so far.

"As low as reasonably practicable" (ALARP) has been analyzed to some degree, but not fully.

Cost-benefit analysis remains to be done.

Work will continue on the design methodology:

Iteratively look at the operational issues in the context of the system design and vice versa.

Risk reduction principle covering both operation and design.

Validation through hypothesis testing.

Thank you for your attention!