Elsevier

Ocean Engineering

Volume 222, 15 February 2021, 108569
A system-theoretic approach to safety and security co-analysis of autonomous ships

https://doi.org/10.1016/j.oceaneng.2021.108569

Highlights

  • Cyber-attacks have become one of the major challenges to ensure the system safety of autonomous ships.

  • A novel extension to the STPA framework is proposed to address the interdependencies of safety and security, namely STPA-SynSS.

  • The proposed method provides a comprehensive process for continuous tracking and closed-loop management of system hazards.

  • A hierarchical control structure for hazard analysis of a remotely-controlled ship with seafarers onboard is presented.

  • The outputs of causal factors and hazard control strategies can give a general reference for the developers of autonomous ships.

Abstract

Autonomous ships, carrying valuable cargoes and passengers in a more effective and cost-saving manner, will soon be state-of-the-art technology, and will most likely first enter the public horizon in the remote control mode within the foreseeable future. These highly connected intelligent systems, however, come at the cost of increased system vulnerability to cyber-attacks. To smooth the release of this innovative system into its actual context of operation, a novel STPA-based methodology that synthesizes safety and security, namely STPA-SynSS, is proposed. The method provides a comprehensive process for identifying hazards and revealing causal factors; hazard elimination/mitigation strategies are implemented in the system design via system safety and security requirements, so that hazards can be continually tracked and managed in a closed loop. The operation of the method was demonstrated on a remotely-controlled ship with seafarers onboard, with the analysis focused on ship-ship collision accidents and related security incidents. Results indicate that the generated inadvertent/intentional causal factors and the developed elimination/mitigation strategies can assist the design and operational planning of autonomous ships and their shore control centre. Further, the proposed method also has general relevance for other intelligent systems.

Introduction

Innovation nowadays affects manufacturing processes, business development and corporate management. The emergence of the Internet of Things and cloud computing technologies has marked the new era of Industry 4.0. Improvements in information and communication technologies and enhanced analytical capabilities have created revolutionary development opportunities in various industry sectors. Not surprisingly, ship intelligence has become an inevitable trend after ship automation in the development of the shipping industry. However, current advanced technology and intelligent tools do not fundamentally reduce the number of maritime accidents in the complex marine environment. Human factors are still identified as the main cause of such accidents, even though ships rely on experienced seafarers for safe navigation. Against this background, the concept of the autonomous ship has begun to enter popular consciousness. In 2012 and 2015, the European Union funded the "Maritime Unmanned Navigation through Intelligence in Networks (MUNIN)" project (Burmeister et al., 2014) and Rolls-Royce led the "Advanced Autonomous Waterborne Applications Initiative (AAWA)" (Jalonen et al., 2016), outlining the concept of autonomous ships and the vision of turning remote and autonomous shipping into a reality.

In March 2018, the International Maritime Organization (IMO) took its first steps to address autonomous ships and commenced work to investigate safe, secure and environmentally friendly Maritime Autonomous Surface Ships (MASS) operations in IMO instruments (MSC 100, 2018). Prior to this, IMO had already begun to encourage Member States and international organizations to submit substantive proposals and comments on autonomous ships to the Maritime Safety Committee (MSC) 99 (MSC 98, 2017a; MSC 98, 2017b). At the same time, many international organizations have also taken action to strengthen cooperation between users, researchers, authorities and other community members interested in autonomous ships and their use, which promotes the development of autonomous ships. The results of such projects were encouraging; one remarkable outcome is the proposal of concepts and models attempting to evaluate the safety of autonomous maritime navigation (Wróbel et al., 2018a; Aro and Heiskari, 2017; Allal et al., 2017) and related international maritime law issues (Karlis, 2018; Chwedczuk, 2016; Carey, 2017). In general, autonomous ships have received significant attention from the academic community and industry in recent years and have become a popular research topic.

As the initiatives to develop and implement autonomous ships in the global shipping industry gain momentum, their safety remains in the spotlight. It is argued that every effort shall be taken to ensure that autonomous ships at least do not undermine the current level of safety. Besides technical considerations and social controversies, safety has become the most important issue to resolve. The conclusion of the above is that the occurrence of navigational accidents can be expected to decrease with the development of autonomous ships (Wróbel et al., 2017), but more real-time data is required and some issues still need to be addressed in order to reduce the uncertainties.

The traditional hazard identification approaches to safety, such as Hazard and Operability Analysis (HAZOP), Failure Mode and Effect Analysis (FMEA), Event Tree Analysis (ETA) and Fault Tree Analysis (FTA), were developed for systems that were built more than 50 years ago. These reliability- and probability-based approaches to safety analysis, as applied in the afore-mentioned research, are neither exhaustive nor free of significant drawbacks. As system complexity increases, traditional bottom-up or top-down safety assessment tools become insufficient to assure product safety (Stringfellow et al., 2010). Such hazard analysis tools can only be performed for systems whose reliability structure is known. For autonomous ships, the design concepts are still being developed and the final structure of the system remains uncertain; therefore it is difficult to explore all the possible scenarios that may arise from the combination of the components' behaviour and to assess system safety in reliability-based form (Wróbel et al., 2018b). Furthermore, a large amount of system understanding and data for analysis comes from real accidents or case studies. Hence, the traditional methods, which focus on failures derived from accident data and on chains of events related to component malfunction, are not applicable to identifying hazards of autonomous ships (Zhou et al., 2020a).

Recently, a new hazard analysis tool, System-Theoretic Process Analysis (STPA), has emerged as an approach for improving the safety of modern complex systems (Leveson, 2011). Rooted in the System-Theoretic Accident Model and Process (STAMP) (Leveson, 2002), it has been widely applied in several engineering domains (Aps et al., 2015; Meng et al., 2018; Abdulkhaleq et al., 2015, 2017; Williams, 2015; Salmon et al., 2018). These studies indicate the effectiveness of STAMP/STPA in evaluating the safety of modern, complex and highly automated systems, where it can better provide safety constraints that help mitigate hazards.

Maritime-related research applying STPA has come into the spotlight in the last two years (Aps et al., 2017; Zou, 2018; Rokseth et al., 2017; Valdez Banda and Goerlandt, 2018; Uddin and Awal, 2020; Sultana et al., 2019), and it better illuminates the prevailing causal factors, not least the systemic ones. In particular, Wróbel et al. first applied STPA to develop a suitable safety analysis model for autonomous merchant vessels (Wróbel et al., 2018a) and remotely-controlled merchant vessels (Wróbel et al., 2018b), which identifies the most likely safety control structure of the analysed system and assesses the impact of potential uncertainties. To some extent, Wróbel's project and contribution bridge the gap between systemic safety analysis and autonomous merchant vessels, and provide effective suggestions for future designers. Most importantly, the research results prove the effectiveness of STPA in assessing the safety and identifying the hazards of autonomous ships. Subsequently, Solberg (2018) and Zou (2018) applied STPA to a prototype of a fully autonomous ship called Revolt. Solberg (2018) suggested improvements to this prototype based on the results of the hazard analysis, and Zou (2018) compared STPA with functional FMEA and computer HAZOP. Valdez Banda et al. (2019) applied STPA in the initial design process of autonomous ships, analysed in detail the potential hazards of two urban autonomous ferries in Turku, Finland, and constructed an initial safety management strategy for guiding the design, construction and operation of autonomous ships. Ventikos et al. (2020) elaborated the significant contribution of STPA to ensuring the safety of autonomous ships, and used STPA to execute a hazard analysis on an autonomous ship with multiple levels of autonomy. The results indicate that the number of violated safety constraints is reduced, but the mitigative control actions become less feasible, with increasing autonomy.

Additionally, there is an increasing number of concerns in the maritime industry with respect to the vulnerability of ship systems to cyber-attacks (IMO, 2020; Fitton et al., 2015). Some studies have aimed at identifying different attack scenarios on a cargo ship, proposing novel cyber risk assessment approaches (Tam and Jones, 2018, 2019; Kavallieratos et al., 2019) and a mitigation framework for improved resilience (Sahay et al., 2018). Autonomous ships are complex safety-critical cyber-physical systems (CPS) of which safety and security are two crucial properties. It is imperative to identify the interdependencies between safety and security in order to thoroughly assess and manage potential risks. Therefore, a combined safety and security co-analysis of autonomous ships is needed. In this paper, a novel safety and security co-analysis methodology based on STPA is proposed, and the feasibility of applying it to the hazard analysis of autonomous ships is explored. The proposed method synthesizes safety analysis and security analysis into one concise framework. Compared with existing works, it introduces 6 improvements and provides a comprehensive process to identify hazards and reveal causal factors, so as to achieve continuous tracking and closed-loop management of potential system hazards. Furthermore, the key question of preventing system losses is addressed by focusing on the aspects of system design that may cause system vulnerability and unacceptable losses; at the same time, the new synthetic analysis is used to address the interdependencies of safety and security, which reduces the number of iterations that may be incurred by requirement conflicts between safety and security in parallel approaches. The results of the analysis can be used by various stakeholders and provide important data for the design of autonomous ship operation.

Section snippets

The concept of autonomous ships

As the level of ship automation improves, smart ships have entered people's field of vision. The smart ship is the highest level of automation, with not only fully automated fixed-mode operation but also intelligent decision-making and judgment. Compared with conventional ships, autonomous ships will be highly integrated ships of various systems, which is the advanced stage of smart ship development. In general, automated ships, smart ships and autonomous ships are continuums of

Methods

Complexity in autonomous systems is reaching a new level, and the majority of hazard analysis methods, which currently rest on that assumption, are becoming less effective. The role of humans in systems is changing, so a paradigm shift is needed to deal with safety in modern systems, moving from a focus on component reliability to systems thinking.

Results

In this section, the proposed method is applied to the 'R level' of autonomous ship, that is, the remotely controlled ship with seafarers on board. The intention is to enhance the safe navigation and manoeuvring of autonomous ships and to demonstrate how a full hazard analysis process can be accomplished for the system.

Now, there is a consensus that the shift towards autonomous ships will most likely follow the gradual transition from lower to higher levels of autonomy, rather than an instant

Discussion

Nowadays, the concept of the autonomous ship is still in an early development phase, even though it may enter the public horizon in the remote control mode within the foreseeable future. Previous research (Kavallieratos et al., 2019; Sen, 2016; Sahay et al., 2019) revealed that the threat of cyber-attacks in the maritime domain is real: the constant connection between the ship and cyberspace triggers multiple threats that are able to harm the safety and security of maritime

Conclusions

In this paper, the complete hazard analysis process was applied to the remotely-controlled ship (with seafarers onboard) under the conceptual framework of autonomous ships. It is a highly integrated ship of various systems, which needs to meet two crucial system properties, namely safety and security. The aim of this work was to apply the system-theoretic approach to improve the safety and security performance of autonomous ships when encountering ship-ship collision accidents and related

CRediT authorship contribution statement

Xiang-Yu Zhou: Conceptualization, Methodology, Software, Validation, Formal analysis, Investigation, Data curation, Writing - original draft, Writing - review & editing, Visualization. Zheng-Jiang Liu: Resources, Writing - review & editing, Supervision, Funding acquisition. Feng-Wu Wang: Resources, Writing - review & editing, Supervision, Project administration. Zhao-Lin Wu: Supervision, Project administration.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgements

This work was partly supported by the National Key Research and Development Program of China (grant number 2019YFB1600602), the National Natural Science Foundation of China (grant number 52071049), the Key Research and Development Program of Liaoning Province of China (grant number 2018228002), and the Natural Science Foundation of Liaoning Province of China (grant number 20180551040). The authors would like to acknowledge the anonymous reviewers who contributed with valuable comments to

References (75)

  • G. Kavallieratos et al., SafeSec Tropos: joint security and safety requirements elicitation, Comput. Stand. Interfac. (2020)
  • X. Meng et al., STAMP-based analysis of deepwater well control safety, J. Loss Prev. Process. Ind. (2018)
  • M.A. Ramos et al., Human-system concurrent task analysis for maritime autonomous surface ship operation and safety, Reliab. Eng. Syst. Saf. (2020)
  • R. Sahay et al., CyberShip-IoT: a dynamic and adaptive SDN-based security policy enforcement framework for ships, Future Generat. Comput. Syst. (2019)
  • P.M. Salmon et al., STAMP goes EAST: integrating systems ergonomics methods for the analysis of railway level crossing safety management, Saf. Sci. (2018)
  • R. Sen, 9 - Cyber and Information Threats to Seaports and Ships, Maritime Security (2016)
  • S. Sultana et al., Hazard analysis: application of STPA to ship-to-ship transfer of LNG, J. Loss Prev. Process. Ind. (2019)
  • M.I. Uddin et al., Systems-theoretic approach to safety of inland passenger ship operation in Bangladesh, Saf. Sci. (2020)
  • I.B. Utne et al., Towards supervisory risk control of autonomous ships, Reliab. Eng. Syst. Saf. (2020)
  • O.A. Valdez Banda et al., A STAMP-based approach for designing maritime safety management systems, Saf. Sci. (2018)
  • O.A. Valdez Banda et al., A systemic hazard analysis and management process for the concept design phase of an autonomous vessel, Reliab. Eng. Syst. Saf. (2019)
  • N.P. Ventikos et al., A systems-based application for autonomous vessels safety: hazard identification as a function of increasing autonomy levels, Saf. Sci. (2020)
  • M. Wahlström et al., Human factors challenges in unmanned ship operations – insights from other domains, Procedia Manufacturing (2015)
  • K. Wróbel et al., Towards the assessment of potential impact of unmanned vessels on maritime transportation safety, Reliab. Eng. Syst. Saf. (2017)
  • K. Wróbel et al., Towards the development of a system-theoretic model for safety assessment of autonomous merchant vessels, Reliab. Eng. Syst. Saf. (2018)
  • K. Wróbel et al., System-theoretic approach to safety of remotely-controlled merchant vessel, Ocean Eng. (2018)
  • J. Yuan, Evaluation of mitigation strategies in shipping industry using a metamodel based method, Energy Procedia (2019)
  • X. Zhou et al., Towards applicability evaluation of hazard analysis methods for autonomous ships, Ocean Eng. (2020)
  • A.A. Allal et al., Task human reliability analysis for a safe operation of autonomous ship
  • T. Aro et al., Challenges of Unmanned Vessels: Technical Risks and Legal Problems (2017)
  • V. Bolbot et al., Safety related cyber-attacks identification and assessment for autonomous inland ships
  • L.J. Carey, All Hands off Deck? The Legal Barriers to Autonomous Ships (2017)
  • M. Chwedczuk, Analysis of the legal status of unmanned commercial vessels in U.S. admiralty and maritime law, J. Marit. Law Commer. (2016)
  • Annual Overview of Marine Casualties and Incidents 2019 (2019)
  • C.A. Ericson, Hazard Analysis Techniques for System Safety (2015)
  • T. Erik Nilsen et al., Empirical studies of methods for safety and security co-analysis of autonomous boat
  • O. Fitton et al., The future of maritime cyber security (2015)