http://www.transnav.eu
the International Journal on Marine Navigation and Safety of Sea Transportation
Volume 9, Number 3, September 2015
DOI: 10.12716/1001.09.03.08

Risk Assessment for an Unmanned Merchant Ship

Ø.J. Rødseth
Norsk Marinteknisk Forskningsinstitutt AS (MARINTEK), Trondheim, Norway
H.C. Burmeister
Fraunhofer Centre for Maritime Logistics (CML), Hamburg, Germany

ABSTRACT: The MUNIN project is doing a feasibility study on an unmanned bulk carrier on an intercontinental voyage. To develop the technical and operational concepts, MUNIN has used a risk-based design method, based on the Formal Safety Analysis method which is also recommended by the International Maritime Organization. Scenario analysis has been used to identify risks and to simplify operational scope. Systematic hazard identification has been used to find critical safety and security risks and how to address these. Technology and operational concept testing is using a hypothesis-based test method, where the hypotheses have been created as a result of the risk assessment. Finally, the cost-benefit assessment will also use results from the risk assessment. This paper describes the risk assessment method, some of the most important results and also describes how the results have been or will be used in the different parts of the project.

1 INTRODUCTION

The MUNIN project¹ is developing a concept for an unmanned dry bulk ship of around 50 000 tons deadweight. The starting point is a conventional bulker with a single engine and propeller and otherwise normal onboard equipment. To prepare this ship for unmanned operation, the concept proposes new sensor systems, new technical operation and maintenance procedures, autonomous navigation functions, a new shore control centre and other components as described in Burmeister et al. (2014b).

¹ The MUNIN (Maritime unmanned ships through intelligence in networks) project has received funding under the European Union's 7th Framework Programme through the agreement SCP2-GA-2012-314286. See www.unmanned-ship.org.

As the project is a concept study, no actual trials will take place. However, to show the feasibility of the concept, it has been important to identify the most critical technological, operational and legislative factors that may be obstacles to the concept's realization and to demonstrate that these factors can be managed sufficiently well to make the realization of the MUNIN ship likely. Furthermore, the process of identifying and analysing these factors has to be done in a structured way so that the process and results can be documented and to substantiate the claim that all significant factors have been dealt with.

To achieve these goals, the project has started to develop a risk-based method for design and analysis of "industrial autonomous systems". An industrial autonomous system is defined as an autonomous vehicle that can operate safely and effectively in a real world environment while doing operations of
direct commercial value and which can be manufactured, maintained, deployed, operated and retrieved at an acceptable cost. The corresponding definition of autonomy is an automated system that has the capability of making independent sensor-based decisions beyond ordinary closed-loop control.

This paper presents some of the results of using the new design and analysis method in the MUNIN project as well as some of the experiences that have been gained through this process.

Chapter 2 gives an overview of some published work on risk-based design for autonomous vehicles. Chapter 3 gives a brief overview of the development method and the following chapters discuss the main parts of the method: scenario development (Ch. 4), system modularization and operational issues (Ch. 5), hazard identification and risk control (Ch. 6), hypothesis formulation and tests (Ch. 7) as well as design verification (Ch. 8). A few comments on the coming cost-benefit analysis can be found in chapter 9. This paper concludes with chapter 10, summarizing the conclusions and experiences made so far in the project.
2 AUTONOMY AND RISK-BASED DESIGN

An industrial autonomous system must be a cost effective solution for the intended tasks. "The first question any potential customer is going to ask is: Can the [vehicle] do the job, and if so, at a lower cost?" (Stokey et al. 1999). This certainly applies to industrial autonomous systems, but even for scientific missions this becomes more and more an issue. While science may be more lax relative to cost effectiveness than commercial industry, they may still have to pay for e.g. insurance or replacement of lost vehicles (Griffiths et al. 2007). However, this is not often a subject of scientific dissertation and papers on risk-based design criteria for autonomous vehicles are still relatively rare.

Some papers are published, mostly in the domain of autonomous underwater vehicles (AUV). One was referenced above (Stokey et al. 1999) and it is an interesting account of what can go wrong with an AUV. The details are not of general interest in the MUNIN scope as application area and operation paradigms are quite different. However, some general observations can be made:
1 Human error is the most common source of problems. This also includes problems with the software design in the control stations.
2 Non-complex hardware errors, such as connectors, battery and calibration of sensors and algorithms, are also a major cause of problems.

There is no reason to believe that this pattern will be much different for other types of vehicles so it confirms the idea that a risk-based design process may be a good choice, but also emphasizes that the risk analysis has to focus as much on "trivial" hazards as on the more complex and intellectually challenging hazards related to the autonomy of the system.
Another paper (Griffiths et al. 2003) focuses on risk-based design, but still with an AUV as case. It presents a pragmatic approach to safety, focusing partly on problems that are known by experience to have a high probability and partly on simplifying physical designs and programs to keep complexity under control. Some of the main risks identified were:
1 Human error, directly or indirectly, accounts for a high percentage of problems.
2 Relatively trivial physical problems (electronics, GPS receiver, mechanical, power, leaks etc.) also cause a large group of failures.
3 Other significant problems are environmental disturbances (for acoustic transmissions) and software errors.

The paper classifies faults into impact classes and performs a more complete risk assessment, taking consequences of the faults into consideration. While this is of limited use to MUNIN, as the technical domain is very different, it should be quite valuable to other AUV designers. One should also note that statistical models are proposed for some of the fault classes which could be used for more quantitative assessments of expected reliability. Finally, part of the conclusion is that "This paper has shown that by good design and thorough testing of the 'significant few' systems that could pose high risk to the vehicle, the overall reliability of the autonomous vehicle is not dominated by the complex assemblies needed to provide that autonomy". This is also encouraging to other autonomous system designs as this has applications not only to AUVs, but can be viewed as a general statement about industrial autonomous systems.

Another fault analysis is done by Podder et al. (2004). This focuses on technical failures and determination of statistical data for quantitative assessment of risk. The observation from this paper is also that most faults are "trivial" in the sense that they do not occur in the more complex sensing, control and decision making software modules of the vehicle.

In (Brito et al. 2010), an operational risk management process model is described. This is partly a quantitative approach where expert judgements are part of the decision making data set. It defines an acceptable risk level and tries to determine if the risks derived from a given mission exceed this level. It is also targeted at operations in high risk environments, i.e. an AUV operating near and under ice, and is not so relevant to MUNIN's operational planning. However, the principles and methods discussed are more quantitative in nature than in the MUNIN project and it will be investigated if variants of the methodology can be used also in the design phase for industrial autonomous systems.
3 THE MUNIN APPROACH

The high-level objectives of the MUNIN design process are:
1 Ensure an acceptable safety and security level for own and other ships and the international shipping community in general.
2 Minimize uncertainty in the missions' intended outcome as well as in unintended side effects.
3 Develop a cost-effective system that can compete at a level field in a commercial operational environment.

One key contribution to these three objectives is to keep the system complexity as low as possible. Higher complexity generally means more hidden errors, more development work and higher cost. Higher complexity also implies less deterministic mission outcomes, partly because the autonomous decision making process becomes more complex and partly because unintended system errors may interfere with the process in unexpected ways. To reduce system complexity, we have found that a very effective approach is to simplify the mission and the environmental constraints as much as possible through a careful scenario analysis. This will be returned to in chapter 4.
The risk-based design approach used in MUNIN is based on the Formal Safety Analysis (FSA) method from IMO (2007). The structure of FSA is illustrated in Figure 1. This is the internationally accepted method for doing cost-benefit analysis in the International Maritime Organization's (IMO) rule making process. Thus, it makes sense to use this as baseline as the legislative issues are an important part of the system requirements for unmanned ships. FSA is also emphasizing the identification of cost effective measures to ensure an "optimal" safety level, which is an important objective for MUNIN.

Figure 1. The FSA Process (IMO 2007)
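The FSA steps named above (hazard identification, risk ranking and screening of cost-effective risk control measures) can be made concrete with a small hazard register. The following is an added example written for this article; it is not MUNIN project code and contains no MUNIN results. The logarithmic frequency and severity index scales and the risk index RI = FI + SI follow the IMO FSA guidelines, while the hazards, their index values, the option costs and the assumed 25-year ship life are constructed and marked as such in the comments. The scenario numbers only show how a hazard record can be traced back to the scenario analysis in Table 1.

```python
"""FSA-style hazard ranking and risk-control-option screening.

Added illustration of the Formal Safety Assessment steps (hazard
identification, risk ranking, cost-effectiveness of risk control options).
Not MUNIN project code; every hazard, index value and cost below is
constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hazard:
    hazard_id: str
    description: str
    scenario: int  # MUNIN scenario number (Table 1) the hazard was found in
    fi: int        # frequency index, IMO FSA scale 1 (extremely remote) .. 7 (frequent)
    si: int        # severity index, IMO FSA scale 1 (minor) .. 4 (catastrophic)

    @property
    def risk_index(self) -> int:
        # Both indices are logarithmic, so the FSA risk index is their sum.
        return self.fi + self.si


@dataclass(frozen=True)
class RiskControlOption:
    name: str
    hazard_id: str
    cost: float    # lifetime cost in constructed currency units
    delta_fi: int  # how many frequency-index steps the option removes


def risk_per_ship_year(risk_index: int) -> float:
    """Equivalent fatalities per ship-year implied by an FSA risk index.

    IMO FSA index convention: FI 7 is about 10 events per ship-year and SI 4
    about 10 equivalent fatalities, so RI 11 corresponds to 100 per ship-year
    and each index step is a factor of ten.
    """
    return 10.0 ** (risk_index - 9)


# Constructed hazard register (illustrative values, not MUNIN results).
HAZARDS = [
    Hazard("H1", "Both satellite links lost during open-sea transit", 12, fi=4, si=2),
    Hazard("H2", "Small floating object missed by sensor fusion", 2, fi=5, si=3),
    Hazard("H3", "Rope in propeller disables propulsion", 16, fi=3, si=2),
    Hazard("H4", "Flooding detected only after stability is lost", 9, fi=2, si=4),
    Hazard("H5", "Unauthorised boarding while the ship is unmanned", 15, fi=3, si=3),
]

# Constructed risk control options (RCOs) for two of the hazards.
OPTIONS = [
    RiskControlOption("Second, independent satellite link", "H1", cost=200_000, delta_fi=2),
    RiskControlOption("FLIR camera added to the sensor fusion", "H2", cost=150_000, delta_fi=2),
]


def rank_hazards(hazards):
    """Hazards ordered by risk index, highest first (stable for ties)."""
    return sorted(hazards, key=lambda h: h.risk_index, reverse=True)


def critical_hazards(hazards, threshold):
    """Hazards whose risk index reaches the screening threshold."""
    return [h for h in rank_hazards(hazards) if h.risk_index >= threshold]


def cost_per_averted_fatality(option, hazards, ship_life_years):
    """FSA gross cost of averting a fatality (GCAF) for one option.

    GCAF = cost / (risk reduction per ship-year * ship life in years).
    """
    hazard = next(h for h in hazards if h.hazard_id == option.hazard_id)
    before = risk_per_ship_year(hazard.risk_index)
    after = risk_per_ship_year(hazard.risk_index - option.delta_fi)
    averted = (before - after) * ship_life_years
    return option.cost / averted


def rank_options(options, hazards, ship_life_years=25):
    """(option name, GCAF) pairs, most cost-effective first."""
    scored = [(o.name, cost_per_averted_fatality(o, hazards, ship_life_years)) for o in options]
    return sorted(scored, key=lambda pair: pair[1])


if __name__ == "__main__":
    for h in rank_hazards(HAZARDS):
        print(f"{h.hazard_id} RI={h.risk_index} (scenario {h.scenario}): {h.description}")
    for name, gcaf in rank_options(OPTIONS, HAZARDS):
        print(f"{name}: GCAF {gcaf:,.0f}")
```

Ranking by the summed index is only a screening step: two hazards with the same risk index can still differ in what dominates them (a frequent minor event versus a rare catastrophic one), which is why the register keeps FI and SI separately rather than only the sum.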
As discussed in (Rødseth & Tjora 2014), MUNIN puts parts of the FSA methodology into a framework as shown in Figure 2. We refer the reader to that paper for a discussion of the background and principles of the method and the framework.

Figure 2. MUNIN Design process

In this paper we discuss some of the results and experiences from the use of the methodology. Each of the following chapters discusses one or two of the steps.
4 SCENARIO BUILDING

The first step undertaken in the analysis of the unmanned ship is to develop a number of operational scenarios in the form of UML (Unified Modelling Language) use cases.

The intention of this exercise is to develop a better understanding of the challenges that an unmanned ship would be exposed to, what support functions it needs and how the operational procedures would have to be implemented to support unmanned operation. This is an iterative process where also a draft physical architecture is developed and the operational principles are laid down. The main scenarios developed are listed in Table 1. They cover normal operation (1 to 8, unshaded) as well as what was considered to be problems that the system would need to be able to handle (9 to 18, shaded).
Table 1. MUNIN initial scenarios²
_______________________________________________
Normal operation (unshaded in the original table)
1 Open sea mode without malfunctions
2 Small object detection
3 Weather routing
4 Collision detection and deviation
5 Periodic status updates to shore control
6 Periodic updates of navigational data
7 Release vessel from/to autonomous operation
8 Manoeuvring mode - normal

Problems the system must handle (shaded in the original table)
9 Flooding detected
10 GNSS (GPS/GLONASS) malfunction
11 Manoeuvring mode with malfunctions
12 Communication failure
13 Onboard system failure and resolution
14 Pilot unavailable: Remote control to safety
15 Piracy, boarding and ship retrieval
16 Rope in propeller
17 Open sea mode with malfunction
18 Unmanned ship in search and rescue (SAR)
_______________________________________________
By detailing and discussing the scenarios it was possible to identify challenges that could not easily be solved and which could lead to the final system solution not being safe or cost-effective. These challenges were henceforth used to adjust the operational capability of the ship to avoid or limit the impact of the problems. Some typical examples are:
1 Use of a continuously manned shore control center (SCC): This avoids excessive and expensive levels of autonomy while also providing immediate backup in cases where onboard systems fail or are unable to solve problems satisfactorily.
2 Limit unmanned operation to deep sea areas and place crew onboard for port departure and approach: This avoids legal problems in the port and coastal state waters as well as avoiding complex autonomous navigation in heavy traffic areas.
3 Add redundancy in communication systems and add an independent rendezvous control unit: This avoids several critical and high probability single point of failure cases.

² Detailed UML diagrams are available from http://www.mits-forum.org/munin/index.htm (January 2015).

The scenario building exercise develops the initial system and user requirements as well as identifies critical issues that have significant impact on operational constraints and high level modularization.
5 SYSTEM DESCRIPTIONS

The system description consists of the system modularization and the specification of the operational principles for the unmanned ship.

5.1 Modularization

The general system modularization is shown in Figure 3.

Figure 3. The MUNIN modules (Rødseth et al. 2013)

The new modules and components needed to implement autonomy are shaded. Existing modules are white. The LOS communication block consists of standard systems intended for direct line of sight (LOS) ship to ship or ship to shore communication. This includes the automatic identification system (AIS), global maritime distress and safety systems (GMDSS) as well as a proposed future VHF data exchange service (VDES) as discussed in Rødseth et al. (2013). The radar, integrated bridge and automation systems are other existing ship control systems.

The RCU module is mainly used during port approach and departure when the port operations crew is boarding, but it does also play a special role in recovery of unmanned ships that cannot otherwise be controlled. The RCU is operationally independent from all other autonomous system components and represents part of the fail-to-safe backup procedures for ship recovery, even when normal satellite communication or autonomous control systems fail.
New sensors consist of a combined CCTV and far infrared (IR) camera that works together with mainly AIS and radar to detect and classify nearby objects. The IR camera is of the Forward Looking IR (FLIR) type. The sensor fusion functions are located in the ASM (Bruhn et al. 2014).

The autonomous ship controller (ASC) consists of various submodules for autonomous navigation, engine control, engine condition monitoring and energy efficiency management (Burmeister et al. 2014a, Walter et al. 2014). The shore control center (SCC) is a remote control center with several control stations and functions (Porathe 2014).

Communication between ship and SCC is done over a standard commercial satellite link with a capacity of preferably at least 1500 kilobits per second (kbps), but which will work down to 125 kilobits per second (Rødseth et al. 2013). Another, normally lower capacity satellite link, e.g. Inmarsat or Iridium, is used as backup. In addition, the unmanned ship will be able to communicate with other ships through the LOS module.

5.2 Operational principles

The operational principles are characterized by a conservative approach to using "intelligent control"