357

1 INTRODUCTION

TheMUNINproject

 isdevelopingaconceptforan

unmanneddrybulkshipofaround50000tonsdead

weight. The starting point is a conventional bulker

with a single engine and propeller and otherwise

normalon‐boardequipment.Topreparethisshipfor

unmanned operation, the concept proposes new

sensor systems, new technical operation and

maintenance procedures, aut

onomous navigation

functions, a new shore control centre and other

componentsasdescribedinBurmeisteretal.(2014b).

 TheMUNIN(Maritimeunmannedshipsthroughintelli‐

genceinnetworks)projecthasreceivedfundingunderthe

EuropeanUnion’s7thFrameworkProgrammethroughthe

agreementSCP2‐GA‐2012‐314286.Seewww.unmanned‐

ship.org.

Astheprojectisaconceptstudy,noactualtrials

will take place. However, to show the feasibility of

the concept, it has been important to identify the

most critical technological, operational and

legislative factors that may be obstacles to the

conceptʹs realization and to demonstrate that these

factorscanbema

nagedsufficientlywelltomakethe

realization of the MUNIN ship likely. Furthermore,

theprocessofidentifyingandanalysingthesefactors

hastobedoneinastructuredwaysothattheprocess

and results can be documented and to substantiate

theclaimthat all significant factors have been dealt

with.

Toachievethese goals, the projecthas startedto

developarisk‐ba

sedmethodfordesignandanalysis

of “industrial autonomous systems”. An industrial

autonomous system is defined as an autonomous

vehicle that can operate safely and effectively in a

real world environment while doing operations of

Risk Assessment for an Unmanned Merchant Ship

Ø.J.Rødseth

NorskMarintekniskForskningsinstituttAS(MARINTEK),Trondheim,Norway

H.‐C.Burmeister

FraunhoferCentreforMaritimeLogistics(CML),Hamburg,Germany

ABSTRACT: The MUNIN project is doing a feasibility study on an unmanned bulk carrier on an

intercontinental voyage. To develop the technical and operational concepts, MUNIN has used a risk‐based

designmethod,basedontheFormalSafetyAnalysismethodwhichisalsorecommendedbytheInternational

Mari‐ti

meOrganization.Scenario analysis has beenusedtoidentifyrisks andto simplify operational scope.

Systematic hazard identification has been used to find criticalsafety andsecurity risks and how to address

these. Technology and operational concept testing is using a hypothesis‐based test method, where the

hypotheseshavebeencreatedasaresultoftheriskassessment.Finally,thecost‐benefitassessmentwillalso

use results from the risk assessment. This pa

per describes the risk assessment method, some of the most

important results and also describes how the results havebeen or will be used in the different pa

rts of the

project.

http://www.transnav.eu

the International Journal

on Marine Navigation

and Safety of Sea Transportation

Volume 9

Number 3

September 2015

DOI:10.12716/1001.09.03.08

358

direct commercial value and which can be

manufactured, maintained, deployed, operated and

retrieved at an acceptable cost. The corresponding

definitionofautonomyisanautomatedsystem that

has the capability of making independent sensor

baseddecisionsbeyondordinaryclosedloopcontrol.

This paper presents some of the results of using



thenewdesignandanalysismethodintheMUNIN

projectaswellassomeofthe experiences thathave

beengainedthroughthisprocess.

Chapter 2 gives an overview of some published

workonriskbaseddesignforautonomousvehicles.

Chapter3givesabriefoverviewofthedevelopment

method

and following chapters discuss the main

partsofthemethod:Scenariodevelopments(Ch. 4),

system modularization and operational issues (Ch.

5), hazard identification and risk control (Ch. 6),

hypothesis formulation and tests (Ch. 7) as well as

design verification (Ch. 8). A few comments on the

coming cost‐benefit analysis can

 be found in

chapter9. This paper concludes with chapter 10,

summarizing the conclusions and experiencesmade

sofarintheproject.

2 AUTONOMYANDRISKBASEDDESIGN

An industrial autonomous system must be a cost

effective solution for the intended tasks. “The first

question any potential customer is going

to ask is:

Can the [vehicle] do the job, and if so, at a lower

cost?” (Stokey et al. 1999). This certainly applies to

industrial autonomous systems, but even for

scientific missions this becomes more and more an

issue.Whilesciencemaybemorelaxrelativetocost‐

effectiveness than commercial

 industry, they may

stillhavetopayfore.g.insuranceorreplacementof

lostvehicles(Griffithsetal.2007).However,thisis

not often a subject of scientific dissertation and

papersonrisk‐baseddesigncriteriaforautonomous

vehiclesarestillrelativelyrare.

Somepapersarepublished,mostlyinthe

domain

ofautonomousunderwatervehicles(AUV).Onewas

referenced above (Stokey et al. 1999) and it is an

interesting account of what can go wrong with an

AUV. The details are not of general interest in the

MUNIN scope as application area and operation

paradigms are quite different. However, some

general

observationscanbemade:

1 Human error is the most common source of

problems. This also includes problems with the

softwaredesigninthecontrolstations.

2 Non‐complex hardware errors, such as

connectors,batteryandcalibrationofsensorsand

algorithms,arealsoamajorcauseofproblems.

Thereis

noreasontobelievethatthispatternwill

be much different for other types of vehicles so it

confirms the idea that a risk‐based design process

maybeagoodchoice,but also emphasizes thatthe

riskanalysishastofocusasmuchonʺtrivialʺhazards

as on the more

 complex and intellectually

challenging hazards related to the autonomy of the

system.

Another paper, (Griffiths et al. 2003) focuses on

risk‐based design, but still with an AUV as case. It

presents a pragmatic approach to safety, focusing

partlyonproblemsthatareknownbyexperienceto

have a high

probability and partly on simplifying

physical designs and programs to keep complexity

under control. Some of the main risks identified

were:

1 Humanerror,directlyorindirectly,accountsfora

highpercentageofproblems.

2 Relatively trivial physical problems (electronics,

GPS receiver, mechanical, power, leaks etc.) also

causealargegroup

offailures.

3 Other significant problems are environmental

disturbances (for acoustic transmissions) and

softwareerrors.

Thepaperclassifiesfaultsintoimpactclassesand

performs a more complete risk assessment, taking

consequencesofthe faults intoconsideration.While

this is of limited use to MUNIN, as the technical

domainisvery

different,itshouldbequitevaluable

to other AUV designers. One should also note that

statisticalmodelsareproposedforsomeofthefault

classes which could be used for more quantitative

assessments of expected reliability. Finally, part of

the conclusion is that “This paper has shown that by

good

design and thorough testing of the ‘significant few’

systemsthatcouldposehighrisktothevehicle,theoverall

reliability of the autonomous vehicle is not dominated by

thecomplexassembliesneededtoprovidethatautonomy”.

Thisisalsoencouragingtootherautonomoussystem

designs as this has applications not

only to AUVs,

but can be viewed as a general statement about

industrialautonomoussystems.

Another fault analysis is done by Podder et al.

(2004). This focuses on technical failures and

determination of statistical data for quantitative

assessmentofrisk.Theobservationfromthispaperis

also that most faults are

 “trivial” in the sense that

they do not occur in the more complex sensing,

controlanddecisionmakingsoftwaremodulesofthe

vehicle.

In (Brito et al. 2010), an operational risk

management process model is described. This is

partly a quantitative approach where expert

judgementsarepartofthedecision

makingdataset.

It defines an acceptable risk level and tries to

determineifthe risks derived from a givenmission

exceed this level. Itis alsotargeted atoperations in

high risk environments,i.e. an AUV operating near

and under ice, and is not so relevant to MUNIN’s

operational planning.

 However, the principles and

methods discussed are more quantitative in nature

thanintheMUNINprojectanditwillbeinvestigated

ifvariantsofthemethodologycanbeusedalsointhe

designphaseforindustrialautonomoussystems.

3 THEMUNINAPPROACH

The high‐level objectives of the MUNIN design

processare:

1 Ensureanacceptablesafetyandsecuritylevelfor

own and other ships and the international

shippingcommunityingeneral.

2 Minimize uncertainty in the missions’ intended

outcomeaswellasinunintendedsideeffects.

359

3 Developacosteffectivesystemthatcancompete

at a level field in a commercial operational

environment.

Onekeycontributiontothesethreeobjectivesisto

keep the system complexity as low as possible.

Higher complexity generally means more hidden

errors, more development work and higher cost.

Higher complexity

 also implies less deterministic

mission outcomes, partly because the autonomous

decisionmakingprocessbecomesmorecomplexand

partly because unintended system errors may

interfere with the process in unexpected ways. To

reducesystemcomplexity,wehavefoundthatavery

effectiveapproachistosimplifythemissionandthe

environmental

constraints as much as possible

through a careful scenario analysis. This will be

returnedtoinchapter4.

Therisk‐baseddesignapproachusedinMUNIN

isbasedontheFormalSafetyAnalysis(FSA)method

fromIMO(2007).ThestructureofFSAisillustrated

in Figure 1. This is the internationally

 accepted

method for doing cost‐benefit analysis in the

International Maritime Organizationʹs (IMO) rule

making process. Thus, it makes senseto use this as

baseline as the legislative issues are an important

partofthesystemrequirementsforunmannedships.

FSA is also emphasizing the identification of cost

effective

measurestoensureanʺoptimalʺsafetylevel,

whichisanimportantobjectiveforMUNIN.



Figure1.TheFSAProcess(IMO2007)

Asdiscussedin(Rødseth&Tjora2014),MUNIN

putspartsoftheFSAmethodologyintoaframework

as shown in Figure 2. We refer the reader to that

paper for a discussion of the background and

principlesofthemethodandtheframework.



Figure2.MUNINDesignprocess

Inthispaperwediscusssome of the results and

experiencesfromtheuseofthemethodology.Eachof

the following chapters discusses one or two of the

steps.

4 SCENARIOBUILDING

The first step undertaken in the analysis of the

unmanned ship is to develop a number of

operational scenarios in the form of UML (Unified

ModellingLanguage)usecases.

Theintentionofthisexerciseistodevelopabetter

understanding of the challenges that an unmanned

shipwouldbeexposedto,whatsupportfunctionsit

needs and how the operational procedures would

have to be implemented to support unmanned

operation. This is an iterative process where also a

draft physical architecture is developed and the

operational principles are laid down. The main

scenariosdevelopedarelistedinTable1.Theycover

normaloperation(1to8–unshaded)aswellaswhat

was considered to be problems that the system



wouldneedtobeabletohandle(9to18–shaded).

Table1.MUNINinitialscenarios



_______________________________________________

1 Openseamodewithoutmalfunctions

2 Smallobjectdetection

3 Weatherrouting

4 Collisiondetectionanddeviation

5 Periodicstatusupdatestoshorecontrol

6 Periodicupdatesofnavigationaldata

7 Releasevesselfrom/toautonomousoperation

8 Manoeuvringmode‐normal

9 Floodingdetected

10 GNSS(GPS/GLONASS)malfunction

11 Manoeuvringmodewithmalfunctions

12 Communicationfailure

13 On‐boardsystemfailureandresolution

14 Pilotunavailable:Remotecontroltosafety

15 Piracy,boardingandshipretrieval

16 Ropeinpropeller

17 Openseamodewithmalfunction

18 Unmannedshipinsearchandrescue(SAR)

_______________________________________________



By detailing and discussing the scenarios it was

possible to identify challenges that could not easily

be solved and which could lead to the final system

solution not being safe or cost‐effective. These

challenges were henceforth used to adjust the

operationalcapabilityoftheshiptoavoidorlimitthe



impactoftheproblems.Sometypicalexamplesare:

1 Use of a continuously manned shore control

center(SCC):Thisavoidsexcessiveandexpensive

levels of autonomy while also providing

immediate backup in cases where onboard

systems fail or are unable to solve problems

satisfactorily.

2 Limitunmannedoperationtodeep

seaareasand

place crew onboard for port departure and

approach:Thisavoidslegalproblems in the port

and coastal state waters as well as avoiding

complex autonomous navigation in heavy traffic

areas.

3 Add redundancy in communication systemsand

addanindependentrendezvouscontrolunit:This

avoidsseveralcriticaland

highprobabilitysingle

pointoffailurecases.



2 DetailedUMLdiagramsareavailablefromhttp://www.mits‐forum.org/munin/index.htm

(January2015).

360

Thescenariobuildingexercisedevelopstheinitial

system and user requirements as well as identifies

critical issues that have significant impact on

operational constraints and high level

modularization.

5 SYSTEMDESCRIPTIONS

The system description consists of the system

modularization and the specification of the

operationalprinciplesfortheunmannedship.



5.1 Modularization

The general system modularization is shown in

Figure3.



Figure3.TheMUNINmodules(Rødsethetal.2013)

The new modules and components needed to

implement autonomy are shaded. Existing modules

arewhite.TheLOScommunicationblockconsistsof

standard systems intended for direct line of sight

(LOS) ship to shipor ship to shore communication.

This includes the automatic identification system

(AIS), global maritime distress and safety systems



(GMDSS) as well as a proposed future VHF data

exchangeservice (VDES) as discussedinRødseth et

al. (2013). The radar, integrated bridge and

automation systems are other existing ship control

systems.

The RCU module is mainly used during port

approach and departure when the port operations

crewisboarding,

butitdoesalsoplayaspecialrole

inrecoveryofunmannedshipsthatcannototherwise

becontrolled.TheRCUisoperationallyindependent

from all other autonomous system components and

representspartofthefailtosafebackupprocedures

for ship recovery, even when normal satellite

communicationorautonomouscontrolsystems

fail.

NewsensorsconsistofacombinedCCTVandfar

infrared(IR)camerathatworkstogetherwithmainly

AIS and radar to detect andclassify nearby objects.

TheIR camera is of the ForwardLooking IR(FLIR)

type. The sensor fusionfunctions are located in the

ASM(Bruhnetal.

2014).

Theautonomousshipcontroller(ASC)consistsof

various sub‐modules for autonomous navigation,

engine control, engine condition monitoring and

energy efficiency management (Burmeister et al.

2014a, Walter et al. 2014). The shore control center

(SCC)isaremotecontrolcenterwithseveralcontrol

stationsandfunctions(Porathe2014).

Communication between

 ship and SCC is done

over a standard commercial satellitelink with a

capacity of preferably at least 1500 kilobits per

second (kbps), but which will work down to 125

kilobits per second (Rødseth et al. 2013). Another,

normally lower capacity satellite link, e.g. Inmarsat

or Iridium is used as

backup. In addition, the

unmanned ship will be able to communicate with

othershipsthroughtheLOSmodule.

5.2 Operationalprinciples

The operational principles are characterized by a

conservative approach to using “intelligent control”

intheship.TheinclusionoftheSCCremovesmany

complexity increasing factors from the operational

scenarios.

 This means that it is only necessary to

implementarelativelylimiteddegreeofautonomyin

the ship. This also makes it easier to ensure

determinism in mission execution. The operational

modesareshowninFigure4.



Figure4.Theoperationalmodes(Rødsethetal.2013)

Autonomous execution corresponds roughly to

autopilot operation. It performs navigational and

lookout tasks fully automatically as long as more

advanced reasoning and decision making is not

necessary.Thisisdonewithoutguidancefromshore,

butwithperiodicandbriefstatusreportssenttothe

shore operators. Autonomous control is a mode



where the ship, within defined operational limits,

performs actions on own initiative to avoid

dangerous or unwanted situations. The typical

example is avoidance maneuvers when other ships

areinthevicinity.Remotecontrolcanbedirectwith

continuous and real time control from the SCC or

indirect which is when

the SCC only outputs high

levelcommands,e.g.waypoints,totheshipwithout

controlling other operational parameters directly.

Failtosafeisthestatetheshipcontrollerwillgo to

whenitisunabletocontinueautonomousoperations

without SCC assistance and SCC responses are

missing or delayed. The specifications of

 the fail to

safemodearebasedonpre‐programmedinstructions

from SCC and will normally be updated from the

SCCasthevoyageproceeds.Thespecificfailtosafe

mode will depend on what problem the ship

encounters and other environmental or ship

parameters(Burmeisteretal.2014b).

5.3

Operationaldomain

The final part of the system description is the

definitionoftheoperationaldomainoftheship.The

MUNIN ship is a dry bulk carrier of medium size

361

and the voyage foreseen is iron ore transport

betweenSouthAmericaandEurope.

During analysis of the use case scenarios, it was

also decided to limit the voyage to the deep sea

passageand not include transit in congested waters

or port approach or departure. There are two main

reasons

forthat:

1 Operationindeepseaareasaremainlyunderthe

jurisdiction of the flagstate which simplifies the

regulatoryissuessignificantly.Thereisnoneedto

consider different port or costal states’ legal

regimes.

2 Traffic density and complexity of operation is

very much simplified by operating only

in deep

sea areas. Also, the probability that an error

resultsinadangerousconsequenceislower.

Ontheotherhand, this willalsohave animpact

on cost effectiveness as one needs to have crew

onboard for port approach and departure. This

meansthatsomeaccommodationfacilitiesmayhave

 be available. These measures will increase both

capital and operational costs and may have an

impactonthecost‐effectivenessofthewholeconcept.

6 HAZARDIDENTIFICATIONANDRISK

CONTROL

The hazard identification was done in a workshop

guided by certain semantic components from the

MiTS architecture (Rødseth 2011), mainly

the ship

functional breakdown together with voyage phases

andtheoperationalmodes.

Atotalof 65mainhazards were identified. Each

of the hazards was then classified according to its

consequence if the event should happen and the

probability that it will happen. The risk was then

graded in three levels:

 Acceptable (low probability

and/or low consequence); Unacceptable (high

consequenceand/orhighfrequency);andALARP:As

lowasreasonablypracticable.

Therewereseveralhazardsthatwereclassifiedas

unacceptableintheinitialshipconfiguration:

1 Interactionwithotherships,whethertheyfollow

COLREGS or not, is a critical issue. Navigation

and

anti‐collision software must be thoroughly

tested.

2 Errors in detection and classification of small to

medium size objects is critical as it may be

wreckage,persons,lifeboatsorotherobjectsthat

need to be reported to authorities. This function

mustbecarefullytested.

3 Failure in object detection, particularly

 in low

visibility, can cause powered collisions. The

advanced sensor module must be verified to be

able to do all relevant types of object detection,

alsoinadverseweather.

4 Propulsion system breakdown will render the

shipunabletomove.Itisnecessarytohaveavery

good condition monitoring

and forecasting

systemto reduce suchincidents to an acceptable

minimum.

5 Very heavy weather may make it difficult to

manoeuvretheshipsafely.Itisnecessarytoavoid

excessive weather and it is also required to

investigateimprovedmethodsforremotecontrol

ifsuchconditionsshouldbeencountered.

TheALARP

groupofrisksrepresentsissuesthat

have to be considered on a cost‐benefit basis. One

shouldaimtoremoveorreducetheserisksaslongas

costisnotprohibitivelylarge.

Amongthelatterwerethevarioussecurityrelated

hazards, including stowaways, pirate attacks and

terrorism.Whilethescenario

ofaterroristusingthe

unmanned ships as a remotely controlled weapon

may be seen as a very high risk scenario,

investigationsintoalreadydefinedtechnicalbarriers

showedthatitwasunlikelythatterroristswouldbe

able to take control of the ship as long as

communication systems, position sensing and

 on‐

board control systems were designed properly

(Rødsethetal.2013).

Theidentifiedriskcontroloptionsassociatedwith

theaboveunacceptablerisksarelistedinTable2.

Table2.Majorriskcontroloptions

_______________________________________________

Hzd Riskcontrol

_______________________________________________

1  Avoidheavytraffic

Objectdetectionandclassification

Deepseanavigationmodule

SCCandVHFcommunicationwithships

2  Improvedmaintenanceroutines

Improvedconditionmonitoring

Redundancyinpropulsion(waterjet)

3  RadarandAISintegratedinobjectdetection

SCCnotificationwhenindoubt

4  Weatherrouting

SCC

indirectcontrol

5  FLIRcameraandhighresolutionCCTV

SCCnotificationwhenindoubt

_______________________________________________



Theriskcontrolsaregenerallyfirsttotrytoavoid

thedangeroussituation,secondlyhandlingitaswell

aspossibleonboardandthirdly,usetheSCCassoon

asthereisanydoubtaboutoutcome.Therewillalso

befailtosafeactionsformanyofthesecases

thatare

notlistedhere.

Thedefinedacceptablesafetylevelistobeatleast

as good as on normal manned ships, which means

thatsomeoftheconventionaltechnologycanbeused

to achieve the same safety level. This will as an

example apply to the use of radar and

 AIS in low

visibility.

For the propulsion system breakdown, one

proposal is to install a water jet that can be driven

from the auxiliary generators so that it is

independentofallmainpropulsioncomponents.The

ideaistogiveatypeof“limphome”functionality.

Theobjectdetectionsystem

consistsofanumber

of sensors that should give at least and normally

better detection capabilities than a human lookout.

Amongthesensorsisradar,CCTV,forwardlooking

infrared(FLIR)andAIS.

362

7 HYPOTHESISFORMULATIONANDTESTS

Achallengefordesignersofautonomoussystemsis

toconvince users that the systemis safeand thatit

will do what it is intended to do. Even by

demonstrating a certain function, it can be argued

thatalthoughitworkedonce,itdoesnot

meanthatit

willworkeverytime.InMUNINwehavedecidedto

addressthisproblemthroughhypothesistesting.

Oxford dictionary defines a hypothesis as “a

suppositionorproposed explanation madeon the basisof

limited evidence as a starting point for further

investigation”. Thus, MUNIN’s main hypothesis for

the

feasibilitytestisthatunmannedshipsystemscan

autonomously sail on an intercontinental voyage at

leastassafeandefficientasmannedships.However,

a scientific approach requires the hypothesis to be

testedtovalidateit.AsMUNIN’smainhypothesisW

is rather broad, testable sub‐hypotheses S

ij for each

module are derived that are directly dependent on

the main hypothesis. Of course, even if all S

ij are

valid,thisdoesnotmeanthatWholds,butatleasta

falsification is possible by this approach due to

contraposition:

(WS

ij)(SijW) (1)

The S

ij are derived from the identified hazards.

Afterwards,appropriatescientifictestscanbefound

and conducted to attempt to falsify the main

hypothesis. Thus, the principal test approach of

MUNINissummarizedinFigure5.

Main hypothesis W

Sub-hypotheses S

to S

Design and conduct test for S

S ˄ ¬ (¬S)

Test S

and ¬S

next W not ok

noyes

for each i



Figure5.Hypothesisderivationandtests

Table3.Extractofderivedhypothesis(Krüger,ed.2014)

_______________________________________________

Number Hypothesis

_______________________________________________

WUnmannedshipsystemscanautonomouslysail

onanintercontinentalvoyageatleastassafe

andefficientasmannedships.

S

1  ASCcanautonomouslynavigateashipsafely

andefficientlyalongapredefinedvoyageplan

withrespecttoweatherandtrafficconditions.

 S

11 ASCcanidentifytheCOLREG‐obligationofthe

shiptowardsallobjectsinthevicinityin

unrestrictedwaters.

 S

12 ASCcancalculatepossible,COLREG‐compliant

deviationmeasuresforagiventrafficsituation

inunrestrictedwatersthatminimizethe

necessarytrackdeviation.

S

2  ASMcansensesufficientweatherandtraffic

datatoensurenavigationandplanningfunction

onautonomousvesselsandenablesituation

awarenessinanoperationroom.

 S

21 ASMiscapabletodetectafloatingobjectof

standardcontainersizeinarangeofatleast4.0

NM.

 S

22 ASMiscapabletodetectaliferaftinarangeof

atleast3.0NM.

_______________________________________________



WhilethisisnotafullproofthatWistrue,itisa

muchmoreconvincingargument, particularly ifthe

sub‐hypothesis and tests are well designed.

However,itisachallengetodesigngoodtestsforthe

negationofS.

As an example, Table 3 gives an overview

of a

smallpartofMUNIN’ssub‐hypothesiswithregards

to collision avoidance and object detection hazards

describedinchapter6.

Basedonthishypothesistree,individualtestsare

designed and conducted. These tests might differ

dependingontheconcretecircumstances.Whilee.g.

21andS22canbeeasilytestedbyconductinganin‐

situ‐testofthesystemunderdifferentenvironmental

conditions, S

11 can e.g. be verified by checking the

compliance of obligations derived from S

11 with

situationspre‐evaluatedbynauticalexpertsorcourt

decisions.Incontrast, S

12 can be tested byhistorical

tracksavailablefromAIS‐Dataproviders.

Thehypothesistestswillalsoserveaspartofthe

generalsoftwareandsystemtesting.However,asthe

hypotheses normally focus on sub‐systems and

specific functions, other and more system oriented

tests are also necessary. This will be

part of the

constructionandtestphaseandwillnotbediscussed

furtherhere.

8 DESIGNVERIFICATION

Fornormalships,theprocessofgettingtherequired

flag state and class certificates is the final design

verification. During the certification process,

independent third parties examine the technical

solutions and issue certificates as

 proof of safety,

securityandfunctionality.

One will need a similar regime for unmanned

ships.Tobeabletosail,the shipmustbe approved

andcertifiedbyaflagstateandforinsuranceandfor

acceptance by the cargo owners as well as other

commercial parties, it will also

have to have class

approval.

One can assume that the approval and

certification process for unmanned or reduced

manningshipswillbesimilarinstructuretothatfor

manned ships. The problem is to define the

acceptance criteria and to a lesser degree to test

compliance. Another significant problem is that



many of the existing international regulations

stipulatethatthereisacrewonboardandthatmany

rules deal with what work processes and what

routines are required by this crew to ensure a safe

voyage. An obvious example here is the

“InternationalConventiononStandardsofTraining,

Certification and Watchkeeping

for Seafarers”

(STCW)whichisobviouslynotpossibletofulfillfor

anunmannedvessel.Thisandothercodeswillhave

tobereassessedorreformulatedtoaddresstheuseof

automatedlookoutsandhelmsmen.

363

TherearealreadymechanismsinplaceintheIMO

regulatoryframeworktoallowflagstateandclassto

develop new methods for defining requirements to

andfortestingsystemstocertainsafetygoalsrather

than to technical standards. The concept of “Goal

BasedStandards”(GBS)wasintroducedbytheIMO



Council in 2002. This may be a significant help in

adaptingatleastsomeoftherelevantregulationsto

unmannedships.TheuseoftheFSAmethodologyis

animportantpartofthisandisthereasonwhyFSA

was selected as baseline for the MUNIN

methodology.Theuseof

FSA‐basedmethodsalready

in the concept studies will presumably make it

possibletoreusemanyoftheanalysisresultsalsoin

theinternationallyregulatoryprocesses.

The legal problemis lower whenoperating only

in international waters, where the jurisdiction is

almost exclusively that of the flag state. When

entering into

 national waters, the port and coastal

states’ jurisdiction willcome into playas well. This

createsamuchmorecomplexpictureandwillinthe

longtermrequirenewinternationalregulationsand

conventions developed through IMO and possibly

other organizations. The MUNIN project has

provided some analysis of these issues,

but more

work is needed to find efficient solutions to the

identifiedproblems(Sage‐Fuller,ed.2013a,2013b).

Thehypothesistestswilltosomedegreealsoact

as verification criteria, although a hypothesis

typically only addresses factor from the hazard

identification and system modularization

individually.Thus,theywillnotaddressthe

system

asawhole.

Inthiscontextonealsohastolookatthein‐house

design verification. This is a normal part of the

system development process and is typically

undertaken during module tests, integration tests

and commissioning of the system. This will be an

add‐on and a

necessary step also to the third party

verificationrelatedtoissuanceofcertificates.

DesignverificationwillnotbedoneinMUNINas

theprojectislimitedtoaconceptstudy.Thefinaltest

stage in MUNIN will be the hypothesis tests and,

following those, the high level cost‐benefit analysis.

Thus,

 system verification criteria have not been

developed and will not be addressed to any

significantextentinthisproject.

9 COST‐BENEFITANALYSIS

The cost‐benefit analysis (CBA) for the MUNIN

concept has notstarted yetand will be done in the

first half of 2015. Also here the results

of the risk‐

basedapproachareexpectedtohavesomeimpacts.

Weexpectthattheoperationalsimplificationsthat

cameoutofthescenarioanalysiswillhaveapositive

impactascostswillbereducedwhencomplexityof

thetechnologydecreases.Thepossibleexceptionhere

is the need for having crew onboard

 during port

approachanddeparture.Unlessthisishandledina

way that reduces the need for life support systems

onboard,itmayoffsetmanyofthepotentialgainsin

having ships optimized for unmanned operations,

e.g. without accommodation areas, less life support

systemsandusingnewsuperstructureconcepts.

The

risk control options that were identified as

necessary in the hazard identification and risk

control activities will normally have a negative

impactasmostriskcontrolsrequiremoreadvanced

software or other technology. However, the

structured approach of FSA should guarantee that

theseriskcontrolsarereallynecessaryandthatthey



giveactualbenefitstotheshipandshipowners.

For the risk controls that were defined as

unnecessary or as ALARP, the FSA‐based

methodology should be expected to optimize the

cost‐benefits trade off and as such have a positive

contribution.

10 CONCLUSIONS

The experiences with the risk‐based

approach to

designhave been very good sofar.Ithas defined a

necessaryand efficient structure tothe analysis and

designactivitiesandhasmadeitpossibletopresenta

consistent and well documented argument for the

safetyandsecurityoftheunmannedship.Ithasalso

givenvaluableinput

totheinitialcost‐benefitwork.

The project team’s impression so far is that the

conceptofanunmannedshipisviable,althoughnot

necessarilyasaretro‐fittoexistingbulkcarriers.

The risk based method has in particular been

useful in structuring the Hazard Identification

processasthat

ishighlycriticalindefiningthemain

challengesandwheredevelopmenteffortsneedtobe

focused.Inouropinion,itisnotpossibletoarguefor

the safety and security of unmanned ships without

thistypeofstructuredproblemanalysis.

The early scenario description and analysis

exercise has also proven very

 effective in balancing

operationalcomplexitywithtechnicalsimplifications.

This is a critical part of defining the industrial

autonomous system’s operational scope as a too

flexible or too extensive scope can have very high

impact on technical complexity and, hence on cost

andreliability.

Wehavenotyetusedthecost‐

benefitpartofthe

FSAmethodology, but this will be addressed in the

remaining half year of the project and reported on

later.However,theFSAmethod hasbeenused ina

numberofotherIMOstudiesandwedoexpectthat

alsothispartwillworkwell.

REFERENCES

Brito, M. P., Griffiths, G., & Challenor, P. 2010. Risk

analysisforautonomousunderwatervehicleoperations

in extreme environments. Risk Analysis, 30(12), 1771‐

1788.

Bruhn,W.C.,Burmeister,H.C.,Long,M.T.,&Moræus,J.

A.2014.Conductinglook‐outonan unmanned vessel:

Introduction to the advanced sensor

 module for

MUNIN’s autonomous dry bulk carrier. In Proceedings

of International Symposium Information on Ships—ISIS

2014(pp.04‐05).

364

Burmeister H.‐C. & Bruhn W.C. 2014a, Designing an

autonomous collision avoidance controller respecting

COLREG, In Maritime‐Port Technology and Development

2014,Taylor&FrancisGroup,London(2014),pp.83‐88

Burmeister H.C., Bruhn W., Rødseth Ø.J. & Porathe T.

2014bAutonomousUnmannedMerchantVesselandits

Contribution towards the

e‐Navigation

Implementation: The MUNIN Perspective, in

International Journal of e‐Navigation and Maritime

Economy1(2014)1–13.

Griffiths,G.,Millard,N.W.,McPhail,S.D.,Stevenson,P.,

& Challenor, P. G. 2003. On the reliability of the

Autosub autonomous underwater vehicle. Underwater

Technology: International  Journal of the Society

 for

UnderwaterTechnology,25(4),175‐184.

Griffiths,G.,Bose,N.,Ferguson,J.,&Blidberg,D.R.2007.

Insurance for autonomous underwater vehicles.

UnderwaterTechnology,27(2),43‐48.

IMO 2007.MSC 83/INF.2, Formal Safety Assessment:

Consolidated text of the Guidelines for Formal Safety

Assessment(FSA) foruse in the

IMO rule‐makingprocess.

May14,2007

Krüger C. M. (ed.) 2014, MUNIN Deliverable D8.1, Test

environment set‐up description, November 2014

(AvailablefromMUNINprojectonrequest).

Podder,T.K.,Sibenac,M.,Thomas,H.,Kirkwood,W.J.,&

Bellingham, J. G. 2004. Reliability growth of

autonomous underwater vehicle‐Dorado.

 In

OCEANSʹ04. MTTS/IEEE TECHNO‐OCEANʹ04 (Vol. 2,

pp.856‐862).IEEE.

Porathe, T. 2014. Remote Monitoring and Control of

UnmannedVessels–TheMUNINShoreControlCentre.

In Proceedings of the 13

 International Conference on

Computer Applications and Information Technology in the

MaritimeIndustries(COMPIT‘14)(pp.460‐467).

Rødseth Ø.J. 2011, A Maritime ITS Architecture for e‐

Navigation and e‐Maritime: Supporting Environment

Friendly Ship Transport, in Proceedings of IEEE ITSC

2011,Washington,USA,2011.

Rødseth Ø.J & Burmeister, H.‐C.

 2012. Developments

toward the unmanned ship, in Proceedings of

InternationalSymposiumInformationonShips–ISIS2012,

Hamburg,Germany,August30‐31,2012.

Rødseth,Ø.J.,Kvamstad,B.,Porathe,T.,&Burmeister,H.‐

C.2013.Communicationarchitectureforanunmanned

merchant ship. In Proceedings of IEEE Oceans 2013.

Bergen,

Norway.

Rødseth,Ø.J&Tjora,Å.2014.Ariskbasedapproachtothe

designofunmannedshipcontrolsystems.InMaritime‐

Port Technology and Development2014. Taylor &

FrancisGroup,London(2014).

Sage‐FullerB.(ed.)2013a.MUNINDeliverableD5.1,Legal

Analysis and Liability for the Autonomous Navigation

Systems,

March2013(AvailablefromMUNINprojecton

request).

Sage‐FullerB.(ed.)2013b.MUNINDeliverableD7.2,Legal

Analysis and Liability for the Remote Controlled Vessels,

August2013(Availablefromwww.unmanned‐ship.org

January2015orfromtheMUNINprojectonrequest).

Stokey,R.,Austin,T.,VonAlt,C.,Purcell,M.,Forrester,N.,



Goldsborough, R., & Allen, B. 1999. AUV Bloopers or

WhyMurphyMusthavebeenanOptimist:APractical

Look at Achieving Mission Level Reliability in an

Autonomous Underwater Vehicle. In Proceedings of the

Eleventh International Symposium on Unmanned

UntetheredSubmersibleTechnology(pp.32‐40).

Walther,L.,Burmeister,H.‐C.&

Bruhn,W.2014,Safeand

efficient autonomous navigation with regards to

weather,In:Proceedings of COMPIT ʹ14,Redworth, UK,

12‐14May2014,p.303‐317.

