A Holistic Framework For Autonomous Shipping Safety Security and Cybersecurity Assurance

Project type: IA Innovation Action
Start of the project: 01/06/2019 Duration: 42 months
[D2.6] A holistic framework for autonomous shipping safety, security

and cybersecurity assurance
WP n° and title WP2 - Scenario Assessment and identification of Gaps and Barriers
for Scale-up
Responsible Author(s) Victor Bolbot, Gerasimos Theotokatos (USTRAT)
Contributor(s) Jerome Faivre (BV), Dag Atle Nesheim, Lars Andreas Lien
Wennersberg (STF)
Dissemination Level PU
This project has received funding from the European Union’s Horizon 2020 research and
innovation programme under grant agreement No 815012
D2.6 - A holistic framework for autonomous shipping safety,
security and cybersecurity assurance
Dissemination level - PU
DELIVERABLE INFORMATION
Status F
(F: final; D: draft; RD: revised draft):
Planned delivery date 31/01/2021 (M20)
Actual delivery date 03/11/2021 (M30)
Dissemination level: PU
(PU = Public; PP = Restricted to other
program participants; RE = Restricted to
a group specified by the consortium; CO
= Confidential, only for members of the
consortium)
Type: Report, Website, Other, Ethics Report
DOCUMENT HISTORY
Version Date Created/Amended Changes

by
(DD/MM/YYYY)
01 15/01/2020 Victor Bolbot Drafting the report
02 24/03/2020 Victor Bolbot Introduction, review section and framework

description section added
03 18/06/2021 Victor Bolbot Incorporating feedback from KOGM, BV and STF

and writing the first draft of the report for the
framework section
04 16/07/2021 Victor Bolbot Incorporating feedback from STF and BV
Adding the sections related to novel methods

description
05 25/08/2021 Victor Bolbot Incorporating feedback from STF and BV
Updating based on novel class society standards
Adding novel methods
06 30/10/2021 Victor Bolbot Incorporating feedback from Gerasimos

Theotokatos and KOGM
Including additional information
AUTOSHIP Page 2 of 73
QUALITY CHECK REVIEW
Reviewer (s) Main changes
Jerome Faivre Proof reading and corrections
Lars Andreas Wennersberg Inclusion of RS and CCS related guidance
Carolina Salas Final template/format check before submission
DISCLAIMER AND COPYRIGHT
© 2021, AUTOSHIP CONSORTIUM
This publication has been provided by members of the AUTOSHIP consortium and is intended as input to
the discussions on and development of autonomous ship systems. The content of the publication has been
reviewed by the AUTOSHIP consortium members but does not necessarily represent the views held or
expressed by any individual member of the consortium.
While the information contained in the document is believed to be accurate, AUTOSHIP members make
no warranty of any kind with regard to this material including, but not limited to the implied warranties of
merchantability and fitness for a particular purpose. None of the AUTOSHIP members, their officers,
employees or agents shall be responsible, liable in negligence, or otherwise howsoever in respect of any
inaccuracy or omission herein. Without derogating from the generality of the foregoing neither of the
AUTOSHIP members, their officers, employees or agents shall be liable for any direct, indirect, or
consequential loss or damage caused by or arising from any information advice or inaccuracy or omission
herein.
AUTOSHIP has received funding from the European Union’s Horizon 2020 research and innovation
programme under grant agreement No 815012. The same disclaimers as they apply to the consortium
members equally apply to the European Union employees, officers and organisations.
REFERENCES TO THIS DOCUMENT - ACKNOWLEDGEMENTS
The material in this publication can be reproduced provided that a proper reference is made to the title of
this publication and to the AUTOSHIP project (https://www.autoship-project.eu/). References to this
document should use the following format, modified as appropriate to the publication where the reference
appears:
Bolbot V, Theotokatos G, Wennersberg L.A.L, Faivre J, Nesheim D.A: "AUTOSHIP deliverable D2.6: A
holistic framework for autonomous shipping safety, security/cybersecurity assurance", October 2021.
The authors listed in the above citation have contributed with material that has been included in this report,
or with review, proposal for improvements and business and user perspectives that will be used as
background for further work planned. The authors kindly acknowledge the comments and feedback
received from Kongsberg Maritime and Strategic Advisory Group. The opinions expressed in this
deliverable are those of the authors and should not be construed to reflect the views of Kongsberg
Maritime, Strategic Advisory Group and other AUTOSHIP project participants.
LIST OF CONTENTS
Deliverable information ................................................................................................................................ 2

Document history ......................................................................................................................................... 2
Quality check review .................................................................................................................................... 3
Disclaimer and copyright ............................................................................................................................. 4
References to this document - Acknowledgements .................................................................................... 4
List of abbreviations and definitions ............................................................................................................ 7
Executive summary ..................................................................................................................................... 9
1. Introduction ........................................................................................................................................ 11
1.1. Background .................................................................................................................................... 11

1.2. Aim and objectives......................................................................................................................... 11
1.3. Scope ............................................................................................................................................. 12
1.4. Report structure ............................................................................................................................. 12
2. Holistic framework for safety, security and cyber security assurance ............................................... 13
2.1. The rationale behind the framework .............................................................................................. 13

2.2. The difference between safety and security .................................................................................. 13
2.3. Differences between MASS and conventional ships ..................................................................... 14
2.4. SSCSAF requirements .................................................................................................................. 16
2.5. The SSCSAF overview .................................................................................................................. 17
2.6. SSCSAF relationship with standards, guidances, codes and recommended practices ................ 19
2.6.1. SSCSAF relationship to the NMA guidance and Maritime UK code ................................. 19
2.6.2. SSCSAF relationship with the class societies guidance ................................................... 25
2.6.3. SSCSAF relationship to other standards and guidelines. ................................................. 29
2.7. Practical recommendations for the SSCSAF application .............................................................. 33
3. Novel methods ................................................................................................................................... 36
3.1. Overview ........................................................................................................................................ 36

3.2. Use of Unified Modelling Language (UML) for systematic safety and security analyses .............. 37
3.2.1. The rationale ...................................................................................................................... 37
3.2.2. Method brief description .................................................................................................... 37
3.3. Structured Hazid ............................................................................................................................ 40
3.3.1. The rationale ...................................................................................................................... 40
3.3.2. Short method description ................................................................................................... 40
3.4. CYber-Risk Assessment for Marine Systems (CYRA-MS) method .............................................. 42
3.4.1. The rationale ...................................................................................................................... 42
3.4.2. Method brief description .................................................................................................... 42
3.5. ESHA-Mar ...................................................................................................................................... 45
3.5.1. The rationale ...................................................................................................................... 45
3.5.2. Method description ............................................................................................................ 45
3.6. Identifying testing scenarios for collision avoidance system ......................................................... 47
3.6.1. Rationale ............................................................................................................................ 47
3.7. Automatic safety monitoring system .............................................................................................. 49
3.7.1. Rationale ............................................................................................................................ 49
3.8. Supplementing Fault Trees calculations with neural networks ..................................................... 51
3.8.1. Rationale ............................................................................................................................ 51
4. Conclusions ....................................................................................................................................... 53
Appendix A - Review of the existing standards and guidances ................................................................ 55
A.1 Maritime guidance and guidelines for MASSs .................................................................................... 55

A.2 Maritime guidelines for novel technology qualification ........................................................................ 56
A.3 Maritime guidance for safety, security and cybersecurity ................................................................... 57
A.4 Relevant standards and guidelines from other industries ................................................................... 61
References ................................................................................................................................................ 68
LIST OF ABBREVIATIONS AND DEFINITIONS
Abbreviation Definition
AI Artificial Intelligence
ANN Artificial Neural Networks
ANS Autonomous Navigation System
ASC Autonomous Ship Control system
BBN Bayesian Belief Network
BDMP Boolean Driven Markovian Processes
CASA Combinatorial Approach to Safety Analysis
CCS China Classification Society
CCSS Connectivity and Cyber Security System
CPHA Cyber Preliminary Hazard Analysis
CPS Cyber-Physical Systems
CYRA-MS CYber-Risk Assessment for Marine Systems
EC European Commission
ESHA-Mar Environmental Survey Hazard Analysis for Maritime
FHA Functional Hazard Analysis
FLSA Failure Logic Safety Analysis
FMEA Failure Modes and Effects Analysis
FMVEA Failure Modes, Vulnerabilities and Effects Analysis
HAZID Hazard Identification
HAZOP Hazard and Operability studies
HIL Hardware In the Loop
HRA Human Reliability Analysis
IACS International Association of Classification Societies
ICT Information and Communication Technologies
IMS Intelligent Machinery System
Abbreviation Definition
IT Information Technology
KET Key Enabling Technology
LOPA Level of Protection Analysis
MACRA Maritime Cyber-Risk Assessment
MASS Maritime Autonomous Surface Ships
ML Machine Learning
NIST National Institute of Standards and Technology
OT Operational Technology
PSSA Preliminary System Safety Analysis
RCC Remote Control Centre
RS Russian Maritime Register of Shipping
SA Situation awareness system
SAHARA Security-Aware Hazard Analysis and Risk Assessment
SIL Software In the Loop
SSCSAF Safety, Security and Cyber Security Assessment Framework
STPA System Theoretic Process Analysis
SWIFT Structured What-if
SysML System Modelling Language
UML Unified Modelling Language
VTS Vessel Traffic Services
Short name Name
BV Bureau Veritas Marine & Offshore
KOGM Kongsberg Maritime
PNO Ciaotech Srl
STF Sintef Ocean AS
USTRAT University of Strathclyde
EXECUTIVE SUMMARY
The Maritime Autonomous Surface Ships (MASS) can be described as systems of Cyber-Physical
Systems (CPSs). The additional challenges with the safety assurance of the marine CPSs on MASS can
be attributed to the introduction of novel technologies and systems/elements, such as the Remote Control
Centre (RCC) and the communication links between the RCC and the MASSs, the challenges associated
with interactions between humans and the MASS overall system (both RCC and MASS), the extensive
cyber (software) supported functions, as well as the complexity of interactions with the environment. It is
expected that the traditional methods and safety assurance methods will have inherent issues for
supporting the safety analysis and certification of the MASS related systems.
In this report, a safety assurance framework is developed and proposed to support the design of safe,
secure and cybersecure MASSs. This framework consists of three phases associated to the three major
design phases: preliminary design, detailed design and verification and validation activities. The framework
is aligned to the existing guidance for assurance of MASSs and novel technology in the maritime industry,
whereas it also demonstrates sufficient alignment to the existing standards in other industries that can be
used for the MASSs design.
This report demonstrates how the existing classification societies’ guidance and recommended practices
can fit into this framework. The main weakness of existing guidance and standards can be attributed to
lack of detailed procedures for the testing of Key Enabling Technology (KET) required to render the MASSs
operatable, lack of standardised approaches for guiding the design and implementing the preliminary risk
assessment, and the need to "marinise" pertinent guidelines that exist in other industries to make them
applicable to MASS and ships in general.
In addition, a number of novel safety, security and cybersecurity analysis methods, fitting into the
developed safety assurance framework are proposed. The use of Unified Modelling Language (UML) is
proposed for the MASS preliminary design to standardise the design presentation and support Hazard
Identification (HAZID). A novel approach is proposed to support the ranking of scenarios under scarce data
availability. A structured HAZID based on the functional and operational hierarchical breakdown is
proposed for the simultaneous safety, security and cybersecurity analysis at preliminary design phase. A
method for Cyber-Risk Assessment of Marine Systems is proposed for cybersecurity analysis at various
design phases. The ESHA-Mar method is proposed for the identification and ranking of items influencing
the safety of autonomous navigation and situation awareness systems. An algorithmic approach for
identifying scenarios for testing of collision avoidance system is also developed. An approach for
development of system supporting safe system management has been proposed. The use of neural
networks to complement calculations of safety models has been also investigated.
The developed framework and the novel methods can be applied in conjunction with other established
methods, guidelines and standards. Due to the introduction and use of innovative KETs, the proposed
framework and methods can be further enhanced and improved by further enhancing existing or
developing new methods, especially the ones related to the verification of KETs. This is left as a
recommendation for future research.
1. INTRODUCTION
1.1. BACKGROUND
The maritime industry is being rapidly transformed by the introduction of new technologies coming through
the Industry 4.0 revolution. One of these technologies are the Maritime Autonomous Surface Ships
(MASS). A number of projects has been initiated for this purpose. Examples of the relevant research
projects include the autonomous Yara Birkeland ship design and construction [1], the MUNIN [2], the
AAWA [3], the SISU [4], SVAN [4], AEGIS [5], RECOTUG [6] projects. A new initiative to be added is the
AUTOSHIP project [7]. AUTOSHIP project aims at demonstrating the autonomous technology capabilities,
thus pushing the available technology and autonomy levels further on larger size vessels.
The introduction of MASS though is accompanied with a number of challenges related to safety, security
and cybersecurity. The safety challenges can be attributed to increased complexity related to the unknown
interactions in the MASS systems as well as between MASS and environment [8]. Furthermore,
cybersecurity has been an important issue, as a cyber-attack can exploit vulnerabilities in the
communication links and directly affect the integrity or availability of the data and control systems, leading
to accidents [8, 9]. A number of incidences with unauthorised people gaining remote access to the ship
control systems has been already reported [10]. Terrorists or pirates could potentially board a MASS,
taking control over and trying to collide with passenger or cruise ships or requesting significant ransom.
All these challenges may jeopardise the introduction of MASSs. Accidents or serious incidents may lead
to significant inadvertent coverage by media, backslash from the local community or unbearable litigation
costs. The accidents involving the 737 Boeing MAX [11] and Viking Sky [12] are just typical examples of
potential inadvertent consequences in shipping. Similar examples can be given in the automotive industry
involving the autonomous cars [13].
1.2. AIM AND OBJECTIVES
Therefore, the MASS industry is in need of tools and practical guidance on how to tackle these issues
effectively.
The aim of the present deliverable is two-fold:
1. The first aim is to propose a novel and practical framework based on the sound practices in the
maritime and other industries which supports the design of safe, secure and cybersecure MASS.
2. The second aim is to propose novel methods to support the safe, secure and cybersecure design
of the MASS during different design phases.
1.3. SCOPE
There is a variety of regulatory instruments and classification society rules available for conventional ship
design and safety assurance. An overview of major regulatory instruments can be found in Deliverable 2.3
of the AUTOSHIP project [14]. Still, there is a limited number of the methods and frameworks that are
available for the autonomous technologies' safe design and testing, as will be demonstrated in the next
sections and appendices.
This deliverable provide emphasis on technologies that enable MASS operations, as this is aligned with
the aims of the current deliverable. Also, the emphasis will be given to the technologies, enabling the
autonomous and unmanned ship operations considered in the AUTOSHIP, namely:
- Autonomous Navigation System (ANS)

- Situational Awareness System (SA)
- Connectivity and Cyber Security System (CCSS)
- Intelligent Machinery System (IMS)
- Remote Control Centre (RCC)
A representative description of the above systems is available in the AUTOSHIP deliverable 2.4 [15] and
for brevity purposes is not repeated herein .
The goal of the framework is to ensure that MASS have inherent safety, security and cybersecurity through
design. The issues related to the accountability and liability are left outside this framework, as they will be
analysed in WP7 of the AUTOSHIP project. Issues related to the operational management of MASS and
MASS disposal are also left outside the framework.
Wherever applicable the terminology and the levels of autonomy used in the framework and generally in
the deliverable have been taken from Deliverable D3.1 [16].
The novel methods that are being developed also have a similar scope. They focus mostly on the MASS
related technology and systems, and support the safety, security and cybersecurity analysis and
verification of the MASS.
1.4. REPORT STRUCTURE
This report is organised as following. Chapter 2 provides the developed framework, the rationale behind
various steps and the recommendations for its practical application. In Chapter 3, the novel developed
methods are presented. Chapter 4 provides the main conclusions and remarks of the performed research.
2. HOLISTIC FRAMEWORK FOR SAFETY, SECURITY AND CYBER

SECURITY ASSURANCE
2.1. THE RATIONALE BEHIND THE FRAMEWORK
A merger of safety, security and cyber security assessments of MASS into a holistic framework requires
some initial considerations, which will prove vital to the effectiveness and usefulness of such a framework
and the actual assessments. The holistic safety, security and cyber security assessment framework
(SSCSAF) need to consider elements pertaining to the autonomous aspect of shipping, namely what
differentiates autonomous shipping from conventional shipping. That being said, conventional shipping
does not mean "paper-based shipping". Conventional shipping is becoming more and more digitalised,
implying that the difference between conventional and autonomous shipping in the context of the SSCSAF
relates to the autonomous operation of the ship. Commercial considerations are not relevant as they do
not differ significantly for conventional and autonomous shipping. The same is true for mandatory reporting
and communication, unless directly related to the safe operation of the ship (such as automated
communication with Vessel Traffic Services (VTS) and other ships).
The overall idea for the SSCSAF is to enable the user to collect the requirements to which the autonomous
shipping operation must comply, identify and consider the hazards and unwanted events, and define how
to mitigate the probability of said hazards or how to mitigate the consequences of the unwanted events if
they cannot be avoided.
2.2. THE DIFFERENCE BETWEEN SAFETY AND SECURITY
Requirements are derived from defining the operational envelope of the MASS operations, namely which
are the parameters under which the MASS shall operate, what are the standard operations or functions
and what are the potential fallback states of bespoke operations and functions.
By practical means we can say that the difference between safety and security is that safety considers
incidental hazards while security considers antagonistic threats [17, 18]. The results in terms of operational
consequences are more or less the same. A grounding is a grounding, regardless of whether the root
cause is an ice-covered GNSS antenna in pitch black conditions or a bribed junior officer disabling the
helmsman and running the ship aground. The same is true for cyber security. A Remote Control Centre
(RCC) that sends dangerous commands or information to the ship can be caused by malfunctions in the
RCC or a hostile takeover, either by brute force (security) or remotely (cyber security), and they will have
similar consequences. However, the probability of a harmful consequence will normally differ in the two
cases.
With this in mind, one may argue that what separates safety, security and cyber security, is the types of
root causes, hence, how these can be mitigated in terms of reducing the probability of such root causes
resulting in an unwanted event (top event).
However, this viewpoint may need to be modified, based on what is viewed as the top event (centre of the
bow tie). If the top event is the accident itself, then it is a basically a true statement If the top event takes
place earlier in the chain of events, e.g. loss of control, then there will be cases where recovery control
options may have to be accounted for, so that the threat is a security breach rather than a technical fault.
A security breach may for instance mean that more attacks will follow.
The relationship between root causes, active mitigation measures (barriers reducing probability), unwanted
events, recovery measures (reducing the consequences and getting back to normal operations) and
consequences is defined through the use of a bow tie diagram, as shown in Figure 1.
Figure 1 Bow tie diagram - legend
2.3. DIFFERENCES BETWEEN MASS AND CONVENTIONAL SHIP S
Likewise, the determination of the differences between safety, security and cyber security (as described
above), the differences between autonomous shipping and conventional shipping is relatively straight
forward to be defined: MASS are to a much larger degree automated and controlled by computerised
systems. In cases of uncrewed MASSs, they lack the ability to allow the crew to fix things that get broken.
More specifically, MASS will be more vulnerable to cyberattacks as more functions will be moved from the
ship to the remote-control centres and more interconnections will exist between the shore and the ship. At
the same time, the introduction of novel technologies will make critical the human-machine interactions
link. Also, since a number of functions will be delegated to machines from the ship personnel, it will be
essential to ensure that the systems acquire adequate and correct information and also implement correct
decisions. Therefore, there will be a need to assure the employed algorithms and the quality of employed
data. For the unmanned ships, there will be no crew available to mitigate the hazards and to repair the
equipment, so there will be a need to consider the ship designs and hazards from the whole ship design
perspective. Considering the heterogeneity of equipment suppliers, it will be important to ensure that all
the novel and state of the art equipment will be effectively integrated. It will be also important to ensure
that the unmanned ships interaction with the infrastructure will be safe. All these challenges are
exacerbated by the fact that a ship is having usually a long-life span, therefore it is required to try to foresee
all the possible impacts of novel technology on the ship design. More details are provided in Table 1.
Thus, autonomous shipping has a larger (more varied) window of opportunity and threat actors not
previously known by conventional shipping, and a less flexibility for mitigating the consequences once an
attack has been successfully executed. However, the actual consequences of an accident/incident on the
asset, company and environment are more or less the same. This with the exception of any consequences
for crew safety onboard unmanned ships, as onboard crew are not part of the loop when considering
uncrewed ships. This is graphically depicted in Figure 2.
Table 1 Additional safety challenges vs ships with various autonomy degree according to IMO regulatory scoping exercise.
Autonomy degree [19] Additional safety challenges compared to conventional ships
Degree one: Ship with automated Improper human machine interactions due the use of novel decision
processes and decision support: support systems
Seafarers are onboard to operate and
Higher dependence on sensor measurements quality
control shipboard systems and
Higher dependence on the quality of condition-monitoring tools and
functions. Some operations may be
systems
automated and at times be
unsupervised but with seafarers Higher vulnerability to cyberattacks
onboard ready to take control
Developments in the cybersecurity and infrastructure during the ship
lifetime
Degree two: Remotely controlled ship Similar to degree 1

with seafarers onboard. The ship is
In addition to degree 1:
controlled and operated from another
Ensuring adequate situation awareness of the personnel implementing
location. Seafarers are available
remote operations
onboard to take control and operate
shipboard systems and functions
Degree three: remotely controlled ship Similar to degree 2

without seafarers onboard. The ship is
Additionally:
controlled from another location.
No mitigation actions from the crew onboard
There are no seafarers onboard
Autonomy degree [19] Additional safety challenges compared to conventional ships
Ensuring proper situation awareness in the remote-control centre
Dependence on high quality connectivity between the ship and remote-

control centre
Maintenance only in ports or in hubs
No crew on the ship to implement administrative duties
Interactions with the infrastructure
Degree four: Fully autonomous ship: Similar to degree 3

The operating system of the ship is
Additionally:
able to make decisions and determine
In depth assurance of situation awareness equipment and algorithms
actions by itself.
In depth assurance of self-learning algorithms
In depth assurance of decision-making algorithms
Crew skills degradation and overreliance on autonomous technologies
Figure 2 The effect of introducing autonomy in conventional transport systems in terms of risk
2.4. SSCSAF REQUIREMENTS
For the identification of the SSCSAF requirements and SSCSAF development, an analysis of the existing
guidance for MASS, novel technology assurance guidance and standards used for safety, security, and
cybersecurity assurance used in maritime and other industries has been implemented, as in Appendix A.
Based on these standards and the provided feedback, the set of requirements for the SSCSAF as in Table
2 has been generated. These requirements are applied for the development of the SSCSAF provided in
the following sections. The rationale for these requirements is also provided in Table 2.
Table 2 The list of requirements for the SSCSAF
a/a Requirement The rationale
1 Incorporate safety, security and To be in line with the aim and scope of the study
cybersecurity aspects into the SSCSAF to
the level required for safety assurance of
MASS addressing MASS challenges (Table
1)
2 Align to the certification process for MASSs To ensure the acceptance and usefulness of the developed
as proposed in current international and framework
national maritime regulations and class
guidance and codes
3 Alignment with design processes To support design of safe, secure and cybersecure MASS
and to ensure the effectiveness of the framework
4 Generic and flexible To allow the framework adaptation to the novel developments
and to ensure the wider adoption of the framework. The
framework is therefore on a level higher that is currently
occupied by the standards.
5 Interconnected to other industries To incorporate best principles from other standards such as
ISO PASS 21488[20], ARP 4761[21] and to support
designers who employ other standards for ship design
2.5. THE SSCSAF OVERVIEW
The developed SSCSAF is provided in Figure 3. The SSCSAF consists of three phases. During the first
phase, the concept design is being proposed and analysed. All the activities related to the concept and
preliminary design as described in [22] are considered to be included in this phase. If the design is deemed
as acceptable and approved by the relevant authorities, then a detailed design and analysis is implemented
during the second phase. The second phase, which focuses on the detailed design, includes activities
related to the contract and detailed design as described in [22]. During the third phase, the verification is
implemented first for the designed and manufactured elements, then for the designed systems and finally
for the ship. The developed SSCSAF is aligned to the design framework that has been demonstrated in
Deliverable D3.2 [23]. The results generated during the three phases of the SSCSAF can be used to
develop the safety case (the argument that the safety requirements for a system are complete and satisfied
by evidence compiled from work products of the safety activities during development [24]) for the
investigated MASS design.
The developed SSCSAF is of generic nature (requirement 4) and does not aim at replacing the current
standards and guidance that exist for the safety assurance. Rather this framework attempts to generalise
them, to demonstrate how they can be integrated with each other, to extend them and to identify the gaps
in existing standards and guidance. Such an approach also permits for future developments to be easily
incorporated in the SSCSAF framework.
There is no distinction between the different types of safety, security and cybersecurity analyses herein
(requirement 1), to allow the SSCSAF for being generic (requirement 4) as it is elaborated in the next
sections. They are referred simply as analyses in Figure 3. The SSCSAF is aligned with the IMO
MSC.1/Circ. 1455 Guidance [25] for the approval of novel technology, by considering the following three
phases of SSCSAF in the design and analysis, a) the concept design and analysis; b) detailed design and
analysis; c) testing procedures. In this way, the 2nd requirement from previous section (Table 2) is satisfied.
This is implemented considering that the IMO MSC.1/Circ. 1455 [25] is one of the main tools for the
acceptance of novel technology, whereas other guidelines for the novel technology assurance in the
maritime industry are also aligned with this circular as demonstrated in Appendix A and in the next sections.
Figure 3 provides a schematic of the proposed SSCSAF illustrating an adaptation of the Vee design
process from the aviation and other industries [21, 26] for the case of MASSs. This is implemented in line
with the requirement 3, as the Vee design process constitutes an important tool in the hands of the
designers. We do not indicate any specific methods at this stage in the SSCSAF schematic, but designate
potential methods, to render SSCSAF being as generic as possible (requirement 4). Additionally, for the
same reason, we do not specify in any way preference to treating safety, security, cybersecurity
simultaneously or in parallel, to allow for the designer and analyst to choose. The SSCSAF also resembles
the ARP 4761 design process [21], as we try to incorporate the most effective procedures from other
industries (requirement 5).
Figure 3 Overall SSCSAF schematic.
2.6. SSCSAF RELATIONSHIP WITH STANDARDS, GUIDANCES, CODES AND

RECOMMENDED PRACTICES
In this section we demonstrate the relationship between the different steps of the SSCSAF and the
guidelines, codes, standards that are available. First, the similarities and equivalences between the
SSCSAF and the national guidance/code for MASS (NMA [27] and Maritime UK [28]) are provided. Then,
the relationship between the SSCSAF and the different classification societies’ guidelines/recommended
practices for MASS, novel technology assurance and cybersecurity assessment is provided. Lastly, the
similarities between the different standards and the SSCSAF steps are provided. In parallel, relationship
of SSCSAF to the IMO MSC.1/Circ. 1455 is also provided.
2.6.1. SSCSAF relationship to the NMA guidance and Maritime UK code

The relationship between the proposed SSCSAF and the national authorities’ guidance is provided in Table
3. It should be noted that there is similarity between NMA and IMO MSC.1/Circ. 1455, as NMA guidance
is based on the IMO MSC.1/Circ. 1455 steps. Therefore, following of the SSCSAF and
ensuring/demonstrating compliance to the NMA guidance should be relatively easy. For comparison
reason, stages, processes and activities from the system engineering standards are also provided [26, 29].
The Maritime UK code is different in principle from the NMA guidance, as it is written in a more prescriptive
nature through inclusion of a list of requirements that need to be satisfied in the design. The alignment
between the SSCSAF and the Maritime UK code can be ensured, if the requirements provided in various
chapters, are incorporated in the design and considered during the analysis phases during the framework
use. Since the Maritime UK code does not specify the methods for the safety analysis, it is up to designer
to select the most appropriate method for design and compliance, which allows for greater flexibility. It
should be noted though, that the Maritime UK code refers to a number of standards to ensure the
compliance with security and cybersecurity requirements, which limits the methods that can be used in the
MASSs safety analysis.
Both of the approaches (the NMA and Maritime UK) have their own strength and weaknesses. The NMA
guidance is a very simple, short and straightforward document but requires continuous cooperation with
the relevant authorities. The NMA guidance does not provide any reference to the security and
cybersecurity analyses as well. Instead, the Maritime UK code is rather a large set of generic safety,
security and cybersecurity requirements that need to be incorporated in the design. The Maritime UK
guidelines is more tailored to the existing regulations for certification of conventional ships; thus, it can
easily guide the design process. The Maritime UK code is also oriented around the KET and their relevant
requirements. It is not guaranteed though that this requirements list is complete. The Maritime UK code
also does not prescribe any guidance for the designer on how to ensure the safety in detail, thus providing
the freedom for the methods selection and to which extent to use them. It is also not clear in this code how
to demonstrate the compliance with the requirements at the concept design stage and at a more detailed
design stage. Both the codes provide very generic guidance on the testing procedures related to KETs on
MASS.
It seems that the two approaches, if combined, can contribute to a much more robust safety, security and
cybersecurity analysis of the MASS. The requirements and lists that are available in Maritime UK code can
contribute to the implementation of more robust and faster risk assessment following the NMA process at
various stages. At the same time, the methods and steps proposed by the NMA can be used in the
SSCSAF or to demonstrate how the Maritime UK code requirements are satisfied. Recommendations
tailored to the various design phases' analyses in the Maritime UK code would also facilitate the
development of the safety case for MASS. In return, the results of the risk assessment as implemented
according to NMA can contribute to the more robust list of requirements in Maritime UK code. Both
guidelines can benefit if they incorporate information from standards in other industries presented in
section 2.6.2 or guidance presented in section 2.6.2.
Table 3 The relationship between the SSCSAF, IMO MSC. 1/Circ. 1455, NMA and Maritime UK code.
SSCSAF IMO System Engineering NMA [27] Maritime UK [28]

phases and MSC.1/ stages, processes
steps Circ. 1455 activities
steps [25]
Concept Steps 4.5 – Concept stage 7.1 Concept of operations Part 1 – Chapter 6 Product safety design and construction
design 4.7 (CONOPS)
Stakeholders needs and Part 2 – Chapter 4 Cyber security considerations for MASS
Section 6 requirements definition 7.3 Safety philosophy
Part 2 – Chapters 7 Ship design and manufacturing standards for
process
7.4 Design philosophy MASS
Business and mission
7.5 Operation and Part 2 – Chapters 8 Navigation lights, shapes and sound signals
needs identification
maintenance philosophy
Part 2 – Chapters 9 Situational awareness and control
Problem and solution
space definition Part 2 – Chapters 10 Communication systems
Identification of Part 2 – Chapters 11 Remote Control Centre – Operation

preliminary concept and Part 2 – Chapter 15 Security
enabling technologies
Part 2 – Chapter 16 Prevention of pollution
Identification of
Part 2 – Chapter 17 Carriage and transfer of cargo (including
alternatives
dangerous goods)
Concept selection
Part 2 – Chapter 18 Rendering of assistance to persons in
Feasibility verification distress at sea
Part 2 – Chapter 19 Salvage and Towage

steps [25]
Preliminary Steps 4.8 – Concept and development 7.2 Pre-HAZID NA

safety, 4.10 stage
7.2 Updated Pre-HAZID
security and
System analysis process
7.6 Gap Analysis
cybersecurity
Identification of
analysis 7.7 Preliminary assessment
technological risks and
7.9 Risk assessments and
technology readiness
HAZID
assessment for the
concept
Integration, verification
and validation initial
planning
System requirements
definition process
Detailed Steps 4.11 Development stage 7.8 Construction notice Part 1 – Chapter 6 Product safety design and construction
design – 4.12
Detailed systems Part 2 – Chapter 4 Cyber security considerations for MASS
Section 6 requirements
Part 2 – Chapters 7 Ship design and manufacturing standards for
Systems architecture and MASS
design definition process
Part 2 – Chapters 8 Navigation lights, shapes and sound signals

steps [25]
Detailed requirements for Part 2 – Chapters 9 Situational awareness and control

production,
Part 2 – Chapters 10 Communication systems
Part 2 – Chapters 11 Remote Control Centre – Operation
Part 2 – Chapter 15 Security
Part 2 – Chapter 16 Prevention of pollution
Part 2 – Chapter 17 Carriage and transfer of cargo (including

dangerous goods)
Part 2 – Chapter 18 Rendering of assistance to persons in

distress at sea
Part 2 – Chapter 19 Salvage and Towage
Detailed Steps 4.13 Development stage 7.9 Risk assessments and NA

safety, – 4.15 HAZID
System analysis process
security and
7.10 FMEA
cybersecurity,
analysis
Element and Steps 4.16 Development and 7.10 FMEA Part 2 – Chapter 12 System integrity certification and test
systems, – 4.18 production stage procedures
7.11 Third party verification
integration

steps [25]
and
Detailed planning and 7.12 Certification and
verification at
execution of verification qualification of equipment
element,
and validation activities
9. Test requirements
system and
Elements and systems
ship level
verification and validation
Integration and verification

process
Validation process
2.6.2. SSCSAF relationship with the class societies guidance

The relationship between the class societies’ guidance/recommended practice and the SSCSAF is
provided in Table 4. The IMO MSC.1/Circ. 1455 steps are also provided for reference. The analysis has
been conducted for the main classification societies such as Bureau Veritas (BV), DNV, ABS, LR, NK and
China Classification Society (CCS), Russian Maritime Register of Shipping (RS). In each class society
column also the reference to the relevant guidance chapters/sections is made (if they are publicly available).
Such analysis is implemented to demonstrate how the framework processes including the three basic
phases can be satisfied by following the classification societies guidance.
The results demonstrate that there is no direct and exact equivalence between the SSCSAF phases and
a specific class society guidance for MASS. This can be justified by the fact that the SSCSAF has been
designed as rather generic and includes aspects of safety, security and cybersecurity. Also, not all the
class societies guidance for the MASS are harmonised with the IMO MSC.1/Circ. 1455. LR and ABS
guidance for MASS instead are closer to the Maritime UK code for MASS and to the goal-based
approaches. Nonetheless, these guidance can also be incorporated into the developed SSCSAF.
There is no equivalence between the various class societies’ guidance for MASS either. It should be noted
that discrepancies are anticipated due to the involvement of different expert groups in their development
at each class society. This is still not true for the guidance related to the novel technology introduction,
which share some similarities among the investigated class societies (BV, DNV, ABS) and demonstrate
strong resemblance to IMO MSC.1/Circ. 1455.
It was also noted that the class guidance are more comprehensive under the scope of preliminary design
and analysis. There exists a set of various high-level requirements for the KET on the MASS in the
guidance and recommendations. However, there is limited reference to the detailed design of the KET and
their analysis method. Such information was mostly found in the class guidance and recommended
practices on assurance of novel technology. Especially, the aspects related to AI and ML seems not be
adequately covered. A future development of the guidance for MASS could focus on how to include these
aspects in the detailed design and analysis of KETs more rigorously.
Another aspect that is worth mentioning is related to testing of MASS functions. It seems that the aspects
linked to the testing of autonomous functions are either spread over a series of documents, or no clear
process existing for developing and testing the various aspects of the KETs. e.g., safe performance of
collision avoidance system. Therefore, this gap could be an aspect for further consolidation and
harmonisation in the class societies recommended practices, codes and guidance.
Table 4 The equivalence between class societies’ guidance and the SSCSAF.
SSCSAF IMO BV DNV ABS LR Class NK RS CCS

phases and MSC.1/
(Reference to (Reference to (Reference to (Reference to (Reference to (Regulations for Classification (Guidelines for autonomous cargo ships
steps Circ.
of MASS [44] [46]
1455 NI 641 DT R01 E [30], DNV GL –CG–0264 [33] Guide for autonomous and LR code for unmanned Guidelines for
steps remote control functions marine systems [40] automated/autonomous Guidelines for cyber safety Guidelines on Maritime Cyber Risk
NI 525 DT R01 E [31], DNV-RP-A203 [34]
[36], operation on ships [42] [45]) Assessment and Cyber Safety
Procedures for the
NR 659 DT R01 [32]) DNGL-RP-0496 [35]) Management System [47]
Qualifying new assessment of cyber Class NK cyber security
technologies [37], security [41]) approach [43]) Guidance for Implementation of Ship
Security Assessment [48]
Review and approval of
novel concepts [38], Guidelines for Requirement and
Security Assessment of Ship Cyber
The application of
System [49])
cybersecurity principles
[39])
Concept Steps Guidance note NI 641 DT DNV GL –CG–0264 Guide for autonomous and LR code for unmanned Guidelines for Regulations for Classification of Guidelines for autonomous cargo ships
design 4.5 – 4.7 R01 E
Section 2 Main principles
remote control functions marine systems automated/autonomous operation MASS
Chapters 2 to Chapter 14
on ships
Section Section 3 Functionality of Section 3 Concept of Chapters 2-9 Appendix A
Section 4 Navigation Guidelines on Maritime Cyber Risk
6 Automation system operations Chapter 3 Design development of
functions, Annex A Concept of Concept of maritime autonomous Assessment and Cyber Safety
automated operation system
Section 4 Reliability of Appendix 1 High level goals operations and remotely controlled surface Management System
Section 5 Vessel
Automation systems Chapter 7 Remote operation ship (mass) operation
engineering functions, The application of
Centre
Section 6 Remote Control cybersecurity principles v2 Guidelines for cyber safety
Centre Class NK cyber security approach
Appendix 2 Functional Chapter 2 Technical
Section 7 Communication description document Part 2 Chapter 2 Controls in documentation
functions shipbuilding
Chapter 4 Technical
DNV-RP-A203 requirements
Section 6.2 Technology Appendix Data Quality

description
Section 7.2 Technology

composition analysis
Preliminary Steps Guidance note NI 641 DT DNV GL –CG–0264 Guide for autonomous and Procedure for the Guidelines for Regulations for Classification of Guidelines on Maritime Cyber Risk
analysis 4.8 – R01 E
Section 3 Qualification and
remote control functions assessment of cyber automated/autonomous operation MASS Assessment and Cyber Safety
4.10 security on ships Management System

Section 2 Risk and approval plan Section 4 Risk Chapter 8 Risk-oriented process
Technology assessment categorization and Chapter 3 Cyber security Chapter 3 Design development of of MASS approval 3 Maritime Cyber Risk Assessment
DNV-RP-A203
assessment assessment automated operation system
Appendix C Risk assessment Annex 2
Section 7.4 Identification of
Appendix 2 List of major Class NK cyber security approach procedure of maritime
main challenges and Guidance for Implementation of Ship
hazards autonomous and
uncertainties Applications of ICT and cyber Security Assessment
remotely controlled surface ships
Qualifying new technologies risks in the maritime field
Section 11 Performance (MASS), remote control All the steps
assessment Section 2 Getting started centre (RCC)l Guidelines for Requirement and Security
DNV GL-RP-0496 Section 3 Feasibility stage Guidelines for cyber safety Assessment of Ship Cyber System 2020
Section 2.1 High level Review and approval of Chapter 3 Risk assessment Appendix 1 Risk analysis
assessment novel concepts
Appendix 2 Pre-assessment form of ship
Section 2.2 Focused Section 2 Approval in cyber security
assessment principle
Section 3 Improvement The application of

cybersecurity principles v1
Section 3 Basic capability

set
The application of
Appendix 1 Maritime
cybersecurity risk
assessment
Detailed Steps Guidance note NI 641 DT DNV GL –CG–0264 Advisory on autonomous LR code for unmanned Guidelines for Regulations for Classification of Guidelines for autonomous cargo ships
design 4.11 – R01 E
functionality marine systems automated/autonomous operation MASS
4.12 on ships
Section 3 Functionality of Section 5 Autonomous Chapters 2-9 Chapter 9 Requirements for
Section 4 Navigation Guidelines for Requirement and Security
Section Automation system functions Chapter 3 Design development of MASS and its systems
functions, Assessment of Ship Cyber System 2020
6 automated operation system
Section 4 Reliability of Section 6 Remote control Chapter 10 Remote Control
Section 5 Vessel Chapter 3 Technical requirements
Automation systems functions Chapter 6 Risk assessment Centre (Fixed or mobile)
engineering functions,
Section 6 Remote Control Chapter 7 Remote operation Chapter 11 Means of movement
Centre Centre delimiting marking (Fixed or
mobile)
Section 7 Communication Class NK cyber security approach
functions Chapter 12 Cyber security of
Part 2 Chapter 2 Controls in
distributed information network
shipbuilding
Guidelines for cyber safety
Chapter 2 Technical
documentation
Chapter 4 Technical
requirements
Appendix Data Quality
Detailed Steps NI 525 DT R01 E DNV GL –CG–0264 Advisory on autonomous Procedure for the Guidelines for Regulations for Classification of Guidelines for Requirement and Security
analysis 4.13 – Chapters 1-6 (for safety) Section 3 Qualification and
functionality assessment of cyber automated/autonomous operation MASS Assessment of Ship Cyber System 2020
4.15 security Chapter 4-35 on ships

approval plan S Section 4 Risk Chapter 8 Risk-oriented process Appendix 3 Ship cyber system /device
NR 659 DT R01 Various sections
categorization and Chapter 3 Design development of of MASS approval assessment form
DNV-RP-A203
(for cybersecurity) All assessment automated operation system
Appendix C Risk assessment Appendix 4&5 Detailed assessment form
chapters Section 8 Threat
Qualifying new technologies procedure of maritime of ship cyber security
assessment
autonomous and
Section 2 Getting started
Section 11 Performance remotely controlled surface ships
assessment Section 3 Feasibility stage (MASS), remote control
DNVGL-RP-0496 centre (RCC)
Section 2.3 Comprehensive, Review and approval of Guidelines for cyber safety
in depth assessment novel concepts
Chapter 3 Risk assessment
Section 3 Improvement Section 3 Final class
approval
The application of
Section 4 Developed
capability set
Section 5 Integrated
capability set
Element and Steps Guidance note NI 641 DT DNV GL –CG–0264 Advisory on autonomous Procedure for the Information spread over guidance Regulations for Classification of Guidelines for autonomous cargo ships
systems, 4.16 – R01 E
functionality assessment of cyber MASS
integration and 4.18 security
Section 4 Reliability of Tests, installation and Appendix B Methods of
verification at Section 3 Qualification and Guidelines for Requirement and Security
Automation systems – commissioning surveys Chapter 4-35 Various verification of systems of
element, approval plan Assessment of Ship Cyber System 2020
Chapter 8 Testing sections maritime autonomous
system and Qualifying new technologies
DNV-RP-A203 and remotely controlled surface Chapter 4 Product assessment
ship level NI 525 DT R01 E LR code for unmanned
Section 4 Concept ships (MASS)
Section 9 Technology marine systems
Chapters 7 and 8 (for safety) verification
qualification plan Guidelines for cyber safety
Annex B Verification
NR 659 DT R01 Section 5 Prototype
Section 11 Performance methods Chapter 6 Test and checks
validation
Chapter 6, section 2-4, assessment
Chapter 7 (for cybersecurity) Section 6 Systems
DNV GL-RP-0496
integration
Section 4 Verification and
Review and approval of
validation
novel concepts
Sections 2.3.1 and 2.3.3

Verification of feasibility of
the proposed new
technologies and verification
of conventional technologies
The application of
Section 4 Developed
capability set
Section 5 Integrated
capability set
2.6.3. SSCSAF relationship to other standards and guidelines.

The relationship between the SSCSAF and the standards used in other industries is provided in Table 5.
A detailed presentation of these standards and guidelines is available in Appendix A.
The ISO standard 27000 [50] has been excluded from the analysis, as it deals mostly with the security
management during actual operation and not during design phase. However, the principles presented in
ISO standard 27000 can be used at preliminary and detailed analysis phases, e.g., for safety analysis. For
NIST-SP-800 [51] related standards, the guidance related to specific systems details are not provided in
this report as they are too numerous to be presented in Table 5. These standards though can support the
design of the KET with respect to cybersecurity. ISO 15288 [29], ISO 8000 [52], IEC 62508 [53], ISO 11064
[54] and ISO 10181 [55] are not provided in the table, as they are pertain to only specific KETs. The EASA
guidelines for AI/ML [56] are also omitted as they include only a set of generic requirements. Additional
information about these standards and their applicability to KET is provided in the Appendix A.
The ISO 31000 [57] and barrier management [58] standard incorporate general guidance for risk
assessment and risk management. Yet, the principles presented there can be also considered during the
design. For the other standards, their application for the ships is not straightforward, as they have been
developed for other or more generic industries. Therefore, their application requires a proper marinisation.
It should be noted that some standards e.g. ARP 4761 [21], ISO 31000 [57] and barrier management [58]
provide very limited information for the verification and testing procedures, which are important under the
context of MASSs. This gap in ARP 4761 [21] and other standards can be potentially covered by using
guidance from ISO PAS 21448 [20]. Still these testing procedures need to be properly marinised.
Some of these standards and guidance provide a set of requirements with respect to preliminary design
and analysis such as ISO-PAS 21448, however some other standards focus solely on the detailed design,
such as ISO 61508 [59] and IEC 62443 [60]. Still, the preliminary analysis requirements are not connected
to the ship functions and operation phases. Among the presented standards ARP 4761 [21] is the more
closely harmonised to the design process of SSCSAF, as it has been considered during the SSCSAF
development, however it should be noted that it is a standard applicable to aviation and not the maritime
industry. Guidelines such SCSC-153A [61] include a set of requirements which can be applied to the
unmanned ships as a whole, as well as to specific system and elements.
Concluding, Table 5 effectively demonstrates that the SSCSAF incorporates the major steps presented in
the existing standards, and additionally offers a more comprehensive and complete picture compared to
the other standards. Table 5 also demonstrates that for the compliance to the SSCSAF, the use of a
number of standards is necessary. It should be noted that these standards offer limited guidance on
verification of autonomous related functions, which should be a subject of intense research.
Table 5 The relationships between the known standards and the developed SSCSAF.
SSCSAF phases and IMO ISO Barrier IEC ARP 4761 [21] MIL-STD-882E [62] ISO/PAS 21448 [20] NIST SP800 IEC 62443 [60] BSI 16000 [63] SCSC-153A [61]
steps MSC.1/Circ. 31000 management 61508 [51]
1455 step [57] [58] [59]
Concept design Steps 4.5 – Section 5 Functional and 18 Guide for Section 6 Platform level
4.7 system specification developing framework description
security plans
Section 6
for federal
information
systems
Preliminary analysis Steps 4.8 – Chapter All sections Section 3.2 Task 100 Management Section 6 Identification Section 5 Section 7 Platform level
4.10 6 Functional and evaluation of Security risk framework objectives
Task 201 Preliminary hazard
Process Hazard hazards caused by the assessment
list
assessment intended functionality
Task 202 Preliminary hazard
Section 7 Identification
analysis
and evaluation of
Task 208 Functional hazard
triggering events
analysis
Task 209 System-of-systems

hazard analysis
Task 210 Environmental

hazard analysis
Task 300 Evaluation
Detailed design Steps 4.11 – Section 8 Functional A series of 2-1 Section 6 Section 2 Computational
4.12 modifications to reduce guidelines Requirements for implementing level framework –
SOTIF related risks industrial security options Description
Section 6
automation and
Section 8 Section 4 Autonomy
control systems
Security architecture level
management
solutions framework - Description
system
2-5
Implementation
guidance
3-1 Security
technologies
3-3 System
security
requirements
1455 step [57] [58] [59]
4-1 Product
requirements
4-2 Technical
security
requirements
Detailed analysis Steps 4.13 – Chapter All sections Part 1 Section 3.3 Task 100 Management 30 Guide for 2-2 Protection Section 5 Section 3 Computational
4.15 6 Preliminary risk levels Security risk level framework –
Part 2 Task 203 System
Process system safety assessments assessment Objectives
requirements hazard analysis 2-3 Patch
Part 3
assessment
37 Risk management Section 5 Autonomy
Task 204 Subsystem hazard
Part 5
Section 3.4 management architecture level
analysis 2-4
Part 6 System safety framework for framework - Objectives
Requirements for
Task 205 System hazard
assessment information
industrial
analysis
systems and
Section 4 automation and
Task 206 Operating and organizations
Safety control systems
support hazard analysis
assessment solution
analysis Task 207 Health hazard providers
methods analysis
3-2 Security risk
Appendixes Task 300 Evaluation assessment
Element and systems, Steps 4.16 – Part 1 Section 3.5 Task 100 Management Section 9 Definition of 22 A statistical 8 Summary
integration and 4.18 Verification the verification and test suite for
Part 2 Task 300 Evaluation
verification at element, means validation strategy random and
Part 3 Task 400 Verification
system and ship level pseudorandom
Section 10 Verification
Part 7 number
of the SOTIF
generators for
Section 11 Validation of
cryptographic
the SOTIF
applications
85 PIV data
model test
guidance
115 Technical
guide to
information
security testing
and
assessment
1455 step [57] [58] [59]
142 Practical
combinatorial
testing
166 Derived
PIV application
and data
model test
guidelines
192
Verification
and test
methods for
access control
policies/models
2.7. PRACTICAL RECOMMENDATIONS FOR THE SSCSAF APPLICATION
To support the SSCSAF application, Table 6 was generated to demonstrate how the SSCSAF steps are
interconnected with the IMO MSC.1/Circ. 1455 and the most renown, in the authors’ opinion, state-of-the-
art and advanced methods for safety, security and cybersecurity analysis, which can be used at the various
SSCSAF phases. A limited number of safety methods is considered herein, as there are more than 800
methods reported in the literature [64]. These methods are applicable at a ship level as well as at the
system level. More details about these methods and their drawbacks/advantages can be found in
Deliverable 2.4 [15], ISO 31010 [65], ARP 4761 [21], IEC 62508 [53], relevant class societies’ guidance
and recommended practices, as well as pertinent review papers [8, 17]. At this stage, we do not make any
comparison between the different safety methods and do not make any recommendations towards this
direction, as the safety methods should be decided in cooperation with relevant authorities involved in the
certification process for MASS. The methods selection can also be bounded by the specific standards.
The SSCAF is proposed to be applied as depicted in Figure 4. Based on the MASS operating area and
the authorities involved in MASS certification the relevant guidance for MASS assurance should be
selected. Then, based on the initial MASS concept, the relevant autonomy degree according to IMO [19]
should be assigned. If the autonomy degree allows for people presence onboard (autonomy degree 1 or
2), then the analysis can concentrate on relevant KETs assurance, subject to certification authorities’
permission. The justification for that comes through the fact that people are still present on board and
therefore, can mitigate the hazards on the ship. For higher autonomy degree (degree 3 or 4), novel
mitigation actions on ship level need to be considered and therefore, a risk assessment on ship level needs
to be conducted. In both cases, equivalence with the existing ship designs should be ensured, either on
systems level (for ships with autonomy degree 1 and 2) or on ship level (for ships with autonomy degree
3 and 4).
Table 6 SSCSAF steps versus IMO MSC.1/Circ. 1455
SSCSAF IMO Proposed Methods

step MSC.1/Circ.
Safety Security Cybersecurity
1455 step
Concept Steps 4.5 – Use of UML/SysML language for the design description and update
design 4.7 CONOPS as described in D3.1 [16] and D3.2 [14, 23] of AUTOSHIP
Phase 1
Section 6
Preliminary Steps 4.8 – HAZID, FHA, SWIFT, Security HAZID, Cyber HAZID [66]
analysis 4.10 STPA, LOPA, Bow-Tie Structured
SAHARA [67]
checklists
MACRA [68]
Detailed Steps 4.11 – Relevant design tools as selected by the designer

design 4.12
Section 6
Detailed Steps 4.13 – FMEA, FTA, STPA, Attack Tree, FMVEA, Attack
Phase 2
analysis 4.15 HAZOP, CASA [69], FMVEA [70] Trees, STPA-

PSSA, FLSA methods, (safe)sec, MACRA,
Markov Models, BDMP,
BV NR 659 [22]
BBN, Bow-Tie, Common
Mode analysis, HRA
methods
Element and Steps 4.16 – Model-checking Ship inspection Penetration testing,

systems, 4.18 methods, Theorem and analysis Model-checking
integration provers, SIL, HIL, verification methods, Theorem
and Software unit, provers,
Phase 3
verification integration, simulation

NIST-800 testing
at element, testing, sea trials
methods
system and
ship level
Safety case Section 6 Goal structuring notation [71]
Figure 4 Flowchart for SSCAF application
3. NOVEL METHODS
3.1. OVERVIEW
Figure 5 provides an overview of the novel safety methods developed in the AUTOSHIP project and
indicates the SSCSAF phase/step that they can be employed. Only a brief description of these methods is
provided in the following sections, as more detailed information is available in the relevant open access
publications and reports. The presented methods are the one that have been developed in the AUTOSHIP
project. The methods are presented without a connection to each other. Other methods as described in
2.7 can also be employed. It is also acknowledged that despite the conducted effort, there is a significant
room for the proposed methods improvement, and therefore they should be applied with caution
considering their limitations.
Figure 5 The Overview of the proposed novel safety methods
3.2. USE OF UNIFIED MODELLING LANGUAGE ( UML) FOR SYSTEMATIC SAFETY

AND SECURITY ANALYSES
3.2.1. The rationale

The AUTOSHIP project has through the deliverables D3.1 [16] and D3.2 [23] discussed how a system
modelling tool, and in particular UML can be used to facilitate the structured concept development of MASS
systems with operational scenarios as a starting point. Specifically, D3.1 [16] provides high level guidelines
on the use of UML as a modelling tool, and D3.2 [23] provides an explanation of the system development
process that includes use-case specification, high level system design and detailed function allocation.
The resulting system model can also be used as a basis for safety and security analyses.
An advantage of using UML (or any equivalent system modelling tool) is the tool's inherent ability to
facilitate the safety and security analyses. Two aspects are of particular importance in the context of MASS.
The first aspect is to ensure safe handover to and from automation systems and humans, where humans
could reside both as crew onboard the ship itself or as operators in an RCC. The second aspect is to
ensure that critical communication is working as intended without abruptions, such as communication links
between the ship and the RCC.
3.2.2. Method brief description

Figure 7 shows a simplified example of possible state diagrams for the MASS system actors, the
Autonomous Ship Control system (ASC) and a RCC Operator. The state diagram illustrates the behaviour
of each individual actor, i.e., the transitions between each of the actors' internal states. State machine
diagrams also provides syntax to formally highlight the triggers and governing preconditions that initiate
and allow a transition between states. For instance, the “No RCC Response” term in Figure 5 is a trigger.
However, this is only a trigger if the system is aware of it, e.g., monitoring RCC responsiveness, which
would be the next step when creating such a model. The transitions that can initiate and complete a
handover between the actors would then be classified as a critical transition that is subject to safety and
security analyses. The corresponding information exchange required to ensure a safe hand-over between
the actors is modelled in sequence diagrams. Figure 6 shows a simplified example with messages that is
transmitted between the RCC Operator and ASC, and which furthermore would be classified as a critical
communication link subject to safety and security analyses.
As stated in the previous section, there are commonalities between the three aspects of safe and secure
autonomous operations. Mainly, the final consequences (as seen from a bow-tie methodology perspective)
are at a great extend the same: Collisions, groundings, injuries, loss of lives, environmental disasters,
disturbance of world trade, etc. In terms of unwanted events, they also share some common ground: Loss
of control of the ship. The three aspects also share the need for an overall understanding of the context:
What do we want to protect (asset), what is the operational envelope and the normal state of operation for
the different functions related to autonomous shipping ( AUTOSHIP D3.1 [16] and D3.2 [23]), what are the
fallback solutions when an unwanted event has occurred?
Regardless of whether we are performing a safety, security or cyber security assessment, we need the
overall picture or context. A use case description so to speak. Such a description represents the starting
point of an overall SSCSAF: A detailed overview of what we want to protect in terms of assets and
functions.
Figure 6 - Simplified example of a sequence diagram illustrating critical communication link between RCC and ASC.
Figure 7 - Simplified example of a state diagram for a RCC operator and an ASC.
3.3. STRUCTURED HAZID

To facilitate the MASS risk assessment at initial design stages, a comprehensive hazard identification and
risk assessment process that considers the safety, security and cybersecurity, as well as the potential
causes and consequences in various operating phases is required.
Therefore, the aim of this section is to present a structured process for the risk assessment of MASSs
applicable at the initial design stages. This process is developed in such a way to allow for its semi-
automation, thus rendering its implementation effective.
3.3.2. Short method description

The steps of the developed HAZID and risk assessment process are presented in the flowchart of Figure
8. The process follows the guidance for risk management according to International Standard Organisation
(ISO) 31000 [57] and it is also aligned to an extent to the Bureau Veritas (BV) guidance for MASSs risk
assessment [72]. However, it is modified to: (a) inherently integrate the security and cybersecurity risk
assessment; (b) render the approach more systematic by using specific guidewords, and; (c) include a
novel way for analysing uncertainty. This process is proposed to be employed at the step 4.8 of the IMO
guidance for alternative systems approval [25].
First, the relevant safety information for the investigated system is gathered in step 1. In step 2, the relevant
risks, their causes, and consequences are identified. In step 3, the risks are analysed and ranked. In step
4, the risks are treated by relevant control measures. In the last step, testing scenarios for the MASS
verification are proposed.
Figure 8 Hazard identification and risk assessment process overview
The developed process is applicable during initial stages of the MASSs design, where only high-level
information about the systems is available. A coarse functional decomposition of the ship is thus required
to initiate the process. Moreover, some initial design recommendations and testing requirements are
developed based on the analysis results. In this way, the method can drive the decisions regarding ship
design and verification early at the system design process, allowing more time for relevant testing
arrangements to be planned and carried out.
An advantage of the proposed process is that it is interconnected with the Formal Safety Assessment risk
matrix and consequences classification. This is of great value for demonstrating the compliance of the
initial design with the potential future maritime risk acceptance criteria to the relevant authorities. The
proposed HAZID process employed a hybrid approach integrating both the ship functions and operational
phases hierarchical structures as well as the use of specific guidance words. In this respect, the proposed
method contributed to the systematisation and inclusiveness of the process, thus allowing for a more
effective and thorough analysis. This is the main advantage of this approach compared to the classical
HAZID methods, which are usually based on what-if process and simple brainstorming sessions. The
proposed steps can lead to the semi-automation of the HAZID process and development of corresponding
software tools to facilitate the more effective HAZID process implementation.
Further details about the current process can be found in the Deliverable 2.4 [15] and in the relevant
publication at the Journal of Risk and Reliability [73].
3.4. CYBER-RISK ASSESSMENT FOR MA RINE SYSTEMS (CYRA-MS) METHOD

Considering the recent developments, it is expected that ships and especially MASSs will attract more
attention from different hacker groups and the number of these incidents will increase. Therefore, there is
a need to ensure that these attack scenarios are identified and properly addressed.
The ships can be viewed as complex transport systems, where Information Technology (IT) is strongly
intertwined with Operational Technology (OT) [74, 75]. It is important therefore to consider not only the
financial but also the safety and environmental impact of successful cyber-attacks [74, 76]. However,
different attack types can be applied to different elements, might have different consequences and also
different control barriers [66]. The classical hazard identification and analysis methods, properly modified,
can support the identification of inadvertent attack scenarios and their control measures in systems [17,
66]. Nevertheless, due to the scarcity of the available data mentioned previously, it is necessary to support
the scenarios ranking process to allow for a cost-efficient safety enhancement. In this respect, the
likelihood and the attack scenarios will be affected by the specific attack group goal [68], which can be
used to support the identification and ranking of these scenarios. As it is referred to the marine systems, it
is also essential to ensure that these systems risk is in accordance with acceptable maritime criteria. As
the whole context has constantly been evolving [8], it is crucial to ensure that the method allow for the easy
reassessment of scenarios when new vulnerabilities are identified or new systems are installed.
3.4.2. Method brief description

The Cyber Preliminary Hazard Analysis (CPHA) is selected as the basis for the development of the novel
proposed method. This method is rather similar with classical HAZID, which is widely used in maritime
industry, so it can be easily understood and used by the safety engineers participating in this analysis
together with security experts in its original form or a modified form. Furthermore, a similar approach based
on CPHA has been adopted by Bureau Veritas (BV) according to their rules [76]. In addition, this approach
seems to be more aligned with the IEC 62433 standard guidelines for cyber risk assessment of industrial
systems, as HAZID results are suggested to be used as input to the cyber risk assessment.
The developed method, named CYber-Risk Assessment for Marine Systems (CYRA-MS), consists of four
phases (A to D) and follows in total ten steps, as illustrated in the flowchart depicted in Figure 9. The
method initiates with the identification of the system elements and the mapping of the relevant
connections/interactions (Step 1) as it is important first to understand properly the investigated system.
The proper understanding of element functions and interactions will support the identification of attack
consequences. Subsequently, a specific attack group is selected for the analysis (Step 2), as different
attack groups will focus on different attack scenarios. In parallel, based on the literature review and an
existing vulnerabilities database, the existing vulnerabilities for the system elements are identified (Step
3). The vulnerabilities are used to identify the potential attacks on various system elements. Based on the
specific attack group goal and vulnerabilities, the potential attacks types (Step 4) on the system elements
along with the potential consequences (Step 5) of each attack type are identified. In Step 6, an estimation
for the success likelihood of each specific attack scenario is provided based on attack group goals, activity
level, technological level, connectivity level, required resources for exploiting vulnerabilities and available
control barriers. The different consequences are ranked in terms of their severity in Step 7. In Step 8, the
control measures for each hazardous scenarios are identified/proposed. The scenarios risk is reassessed
based on the new control measures in Step 9. In Step 10, the different safety requirements and suggestions
for the system design are summarised based on previous steps.
Figure 9 CYRA-MS method flowchart [77].
The novelty of the CYRA-MS method compared to the CPHA include: (a) the consideration of attack group
goals in the analysis; (b) the incorporation of different attack types; (c) estimating the likelihood of the
successful attacks considering the attack group goals, activity level, technological level, connectivity level,
required resources and available control barriers; (d) expanding the FSA consequences table to allow
ranking of scenarios in financial, safety and environmental terms.
The method allows for the incorporation to the cyber risk analysis of different consequences types including
safety, environmental and financial. Furthermore, the method includes more potential attack scenarios
than the STRIDE [78] or the MaCRA [68] methods. The method has been aligned with the FSA risk matrix
facilitating the qualification of the new system and its approval by classification societies or derivation of
prescriptive requirements for similar type of vessels at national level. The method supports the
identification of various control measures enhancing the design. The provision of specific rules and
guidelines for the scenarios identification and ranking is also expected to facilitate the cyber risk
assessment process and improve its repeatability. This can be argued as the identification is implemented
based on a formalised system representation and the ranking is implemented based on the available
resources and guidelines bypassing the lack of relevant statistical data.
The method is a way to go forward with respect to ranking, when no or scarce statistical data is available.
The method results could be validated when the relevant accident statistical data is available, but this data
might take long to be accumulated. The method potentially could be enhanced by analysing the incidents
data and estimating the leading/lagging safety and cybersecurity indicators, which could be another way
to validate and update the method. Still, it is expected that the availability of accident data would constitute
a better ground for making judgements. Involvement of results can be achieved by involvement of an
experts’ team. It would be relevant to add that the integrator and the operator should have implemented a
Cyber Security Management System, which takes a wholistic view upon Cyber Security within their
operational contexts.
Further information about the method and relevant supportive materials can be found in [77] and advisory
information reported in [79].
3.5. ESHA-MAR

The ANS can be considered as a critical system on the MASS, as it makes decisions affecting the safety
of the ship and surrounding ships [80]. A number of accidents have occurred in the other industries
involving similar functions as the design of such systems is associated with a number of challenges [81,
82]. One of the challenges is ensuring adequate situational coverage of the potential conditions that may
be encountered by the ship associated with environmental complexity [83]. Environmental complexity
pertains to all those objects and potential interactions, that an MASS will need to deal with during operation,
which are currently covered by good seamanship practices [84].
This problem can be tackled through systematic identification and analysis of the potential collision and
interaction scenarios and by developing testing and verification techniques which would allow earning
sufficient confidence in the autonomous navigation system functionalities. In other words, only once an
adequate number of scenarios has been tested in a virtual or real environment can we be assured that
such a system will not jeopardise safety, once put into operation. Therefore, it is required to reduce the
unknown scenarios to the extent possible.
Automatic Identification System (AIS) data from ship traffic systems carrying the relevant transponder uses
the information sent by the relevant transceivers for better situation awareness on ships. It can be a
valuable data source for identifying collision situations and it has been widely used for the analysis of traffic
conditions and identification of the most probable collision situations (see for instance [85-91]. However,
the quality of AIS data is under question, as the ships which have switched off their AIS transponder and
small recreational ships, which do not require to have AIS, are not visible on this data [92]. Also objects
other than ships and buoys are not included in this data. Therefore, the sole use of AIS data during design
will inevitably lead to a number of objects and interactions being omitted.
One potential way to tackle the problem is to proceed with the operation of MASS under constant
supervision of the remote operator or to allow MASS operation in strictly confined environment. This would
inevitably lead to delays in launching the product on higher autonomy degree and would result in higher
operational costs or significant operational limitations imposed. A faster way to cover the knowledge gap
would be by using the existing expertise of the ship crew who are in ship charge on a daily basis. In this
respect methods which would support the elicitation of such information are required.
3.5.2. Method description

The novelty of the present method constitutes in a marinisation and adaptation of Environmental Survey
Hazard Analysis method for the needs of MASS, which is called ESHA-Mar (Mar derive from Marine or
Maritime).
ESHA-Mar overview is provided in Figure 10. As it can be observed, first the overall context and the study
boundaries are specified. Then, the items outside the ship interacting with ANS are identified. During the
third step, the hazardous interactions between the ANS and the items are found. The consequences of the
hazardous interactions are located in step 4. In step 5, the specified items are ranked on their priority using
the information from previous steps. Then, in step 6, the recommendations for improvement are made.
Lastly, the results of each step are used to populate the table with items, their interactions rankings and
protective barriers proposals.
Figure 10 ESHA-Mar overview
More information about the method is available in the relevant draft publication, which has been submitted
to the Journal of Navigation. The draft can be made available upon request.
3.6. IDENTIFYING TESTING SCENARIOS FOR COLLISION AVOIDANCE SYSTEM
3.6.1. Rationale
As mentioned in the preceding sections, the collision avoidance system can be considered as a critical
system on MASS as it will be making decisions [80], affecting the safety of the ship and surrounding
vessels. One of the challenges is to ensure adequate situational coverage of the potential conditions that
may be encountered by the vessel stemming from its environmental complexity [83], i.e., all potential
objects and conditions that a MASS has to face are covered. The testing procedure is also restricted by
the fact that the collision avoidance designers would prefer to conceal the details of their collision
avoidance system, to avoid leakages of proprietary information [93].
This dual problem can be tackled through systematic identification and analysis of the potential collision
and interaction scenarios, and by developing black box testing and verification techniques that would
provide sufficient confidence in the collision avoidance system without the disclosure of proprietary
information. In other words, only once an adequate number of scenarios has been tested in a virtual or
real environment can we be assured that such a system will not jeopardise safety, once put into operation.
Moreover, black-box functional or performance testing is desirable, as these techniques do not require the
release of sensitive intellectual property information [93, 94].
The navigation of ships is primarily regulated by COLREGs [95]. However, COLREG requirements have
been designed having crew in mind and not automatic systems. They do not provide numerical criteria for
crew actions and their implementation relies on crew judgement, therefore it cannot be used to develop a
comprehensive set of testing scenarios [96]. They do not include information on the frequency of
encountered situations and do not contain a comprehensive list of objects with which the MASSs will be
interacting.
Automatic Identification System (AIS) data from vessel traffic systems can be a valuable data source for
identifying such information. It has been widely used for the analysis of traffic conditions, identification of
the most probable collision situations and development of safety domain [85-88]. However, the quality of
AIS data has some limitations as the vessels which have switched off their transponder and small
recreational vessels, which do not require to have AIS, are not visible on this data [92]. Also, objects other
than ships and buoys are not included in this data. Testing scenarios generated based on AIS data will
also suffer from the problem, since they will not include scenarios which have never been encountered
before.
Therefore, there is a need to develop a process that specifies encounter situations for a ship collision
avoidance system testing allowing robust analysis of potential encounter conditions.

The method overview is provided in Figure 11. The method uses ship and operational area (fairway)
parameters as input. Then, sampling of the selected parameters is implemented to develop the encounter
situations. Following that, hazardous situations are identified using a set of deterministic rules developed
in step two. During the third step, the risk metrics and risk vector for each situation are estimated. During
the fourth step, grouping of hazardous situations into equivalence classes using classification algorithms
is implemented. During the last step, the situations that need to be tested, are proposed.
Figure 11 Process overview.
The main advantage of the presented process is that it follows a deductive and not inductive thinking
compared to the traffic situation generated by AIS data. It starts by considering the whole set of potential
encounter conditions and progresses from the whole set to the more specific. The reduction of scenarios
is achieved either by using better coverage of potential encounter situations (use of sampling techniques
during step 1) or by excluding scenarios which are non-hazardous (application of rules in step 2) or by
grouping the scenarios based on similarity and selecting the most risky one (steps 3-5).
This is more robust than inferring the potential encounter conditions based on the AIS data, as there the
scenarios generation proceeds from specific scenarios that already occurred in the past. This will
contribute to the identification and testing of scenarios that have not been encountered before, but might
occur in the future, belonging to the ‘known unknown’ region of Johari window [97]. The consideration of
these type of scenarios during testing will contribute to the greater safety of collision avoidance system.
Another advantage of the approach is that it can generate data for the vessels, for which AIS equipment
is not required and therefore no AIS data exists, e.g., sailboat and leisure high speed craft. This is
important, as these types of vessels constitute an important source of hazards for MASS. More details
about the process can be found in the relevant journal publication which has been submitted to the Journal
of Ocean Engineering and supporting information in [98, 99].
3.7. AUTOMATIC SAFETY MONITORING SYSTEM
3.7.1. Rationale
Another critical parameter related to the operation of MASS is the significant cognitive load imposed by
the ship systems on operators with respect to prevention of the accidents [8]. The system complexity leads
to significant amount of alarms that the crew has to deal with constantly [100] and impeding the distinction
of one critical alarm from another. This type of cognitive operator overload has been identified as one of
the contributory factors to the Three Mile Island nuclear reactor accident [101, 102]. In the recent blackout
case on a cruise ship, whilst it is still unclear why the crew accepted and cleared low lubrication oil alarms,
this in combination with heavy roll and pitch lead to loss of 3 Diesel Generators (DGs) out of 4 [12].
One potential solution to overcome the problem of cognitive load is to combine sensors and alarms with
system safety models rather than to use them independently from each other in specifically dedicated
devices. The role of such automated safety monitoring devices “is to detect conditions that signal potentially
hazardous disturbances, and assist the operators of the system in the timely control of those disturbances”
[103]. The idea of using sensor measurements for enhancement of safety during operations has been
introduced during the decade of 1980s. For example, [103] used those elements in condition monitoring
systems. Numerous studies focused on integrating safety models with sensor measurements on other
systems such nuclear power plant [104], gas turbine [105, 106], power distribution system [107, 108],
aircraft system [109], windfarms [110], ship propulsion systems [111, 112]. The novel method can be used
for the design of IMS.

The general overview of the followed methodology for the development and validation of the proposed
automated safety monitoring system is provided in Figure 14. The first step includes the development of a
safety model suitable for the automated safety monitoring for the investigated system. In the second step,
the parameters that can be monitored using sensors and data acquisition systems for the investigated
system elements/parameters are identified. During the third step, the failure rates/probabilities are
estimated based on sensor measurements. In the fourth step, the selected system parameters/sensor
measurements are fused with the developed safety models and existing reliability data. In the fifth step,
the suggested safety enhancement actions for each failure/hazardous scenario are identified. In the sixth
step, the system is simulated in a virtual environment and the concept is validated.
Figure 12 The flowchart followed for the development and verification of safety monitoring system.
The safety monitoring system, developed using this methodology satisfies some of the automated safety
monitoring system criteria [103]. It provides high-level functional alarm for the system based on the
prevailing system operating conditions. It also allows for the organisation of the alarms/failures to reflect
their present importance in the investigated system. Furthermore, in this way it allows the operator to
assess indirectly the impact of different failures on the ship functions and to select the elements that need
to be maintained or disconnected from the system. Therefore, it can be inferred that this concept facilitates
the systems management.
However, the suggested automated safety monitoring system has some limitations. A future study could
focus on diagnostics development and connection of the ship subsystems measurements with diagnostics
toolboxes. Prognostics algorithms estimations could be also incorporated in the safety monitoring system.
Methods for diagnosing the sensor failures, measurement reliability, could be incorporated in the system
as well. Still, this constitutes the first essential step to the development of this automated safety monitoring
system.
More details about the methodology can be found in [113].
3.8. SUPPLEMENTING FAULT TREES CALCULATIONS WITH NEURAL NETWORKS
3.8.1. Rationale
During the safety analysis and real-time safety monitoring, it is important to estimate safety metrics for the
CPSs to identify the critical elements and recommend the relevant safety control actions [103]. Under ideal
conditions, the CPSs safety analysis should be completed in a very short time to allow the swift safety
reconfiguration during real-time, e.g., change of course, or reconfiguration to another element and smooth
design decisions. However, the inherent complexity of the CPSs introduces computational challenges for
the estimation of the safety metrics [8, 114]. This can constitute a barrier to the wider adoption of automated
monitoring system for the CPSs. Therefore, there is an immediate need to consider ways to overcome this
problem.
The development of mathematics discipline has equipped the safety engineers with new tools that can be
used for ensuring the safety of CPSs such as Artificial Intelligence algorithms, Machine Learning
techniques, and so on [115-117]. These new mathematical tools have demonstrated effective properties
with respective to calculation accuracy as well as fast performance, provided they can be provided with
adequate data. Therefore, the aim of novel method is to investigate the potential use of Machine Learning
techniques for supplementing the calculations implemented during safety analysis.

The overview of the followed methodology is provided in Fig. 13. For the analysis, a Diesel-Electric
Propulsion (DEP) system and its frequency of blackout is being considered. An existing Fault Tree of
blackout for a Diesel-Electric Propulsion system is used for generation of the sampled measures during
step 1. Subsequently, the sampled estimates are used to develop a Neural Network metamodel of the fault
tree in step 2. This procedure is repeated using different numbers of samples. Once the results are
assembled, they are analysed and relevant conclusions are being made regarding the methodology and
relevant future steps.
Fig. 13 Methodology overview.
The developed ANN demonstrated tolerable accuracy when 10,000 training points were involved for 142
failure rates, where the minimum and maximum values had a difference of six orders of magnitude. The
use of ANN allowed for significantly reducing the computational cost of the initial Fault Tree.
Whilst the finally achieved accuracy is deemed as tolerable, further improvements are necessary for the
ANN to achieve the accuracy required for an application in a safety critical system. Potential future research
could focus on identification of clusters of input values to the ANN, which provide the estimate according
to the set target accuracy. In this way, the use of hybrid computational methods would be pursued, and in
cases where the input value belongs to the cluster of input values resulting in accurate ANN estimation,
then the ANN is employed. For values outside these clusters, then the actual Fault Tree could be
employed. This will inevitably lead to higher computational costs, but still would result in computation cost
reduction. An alternative could be a set of ANN, each of which achieves an accurate estimate of the values
in the pre-set clusters. All these constitute recommendations for future research.
More details about the proposed methodology can be found in [118].
4. CONCLUSIONS
In this deliverable two objectives were accomplished. First, a framework, addressing safety, security and
cybersecurity aspects has been presented. Second, a number of novel methods related to safety and
cybersecurity assurance of MASS have been developed and presented.
The findings with respect to the safety, security and cybersecurity framework are as follows:
• The framework is aligned to IMO MSC.1/Circ. 1455 Guidance and relates to the standard ship
design processes.
• The framework generally aligns to the existing national and class society guidance for the
assurance of MASSs in connection to safety, security and cybersecurity.
• Future class society and national authorities’ guidance could include more guidance on how to test
the KET especially the one using AI/ML algorithms.
• Under the umbrella of the framework various safety, security and cybersecurity related standards
from other industries can be accommodated.
• A number of existing methods can be used during various framework steps.
• The suggested framework is of generic nature and can incorporate integrative and parallel
approaches to the management of safety, security, and cybersecurity.
• The framework is flexible enough to incorporate novel developments in safety, security and
cybersecurity.
The findings with respect to novel methods for addressing some of the challenges related to safety, security
and cybersecurity of MASS:
• Several methods addressing the issues related to safety and cybersecurity at various design
stages have been presented.
• Use of UML language is proposed for the modelling of ship system to support system analysis and
verification at preliminary design stages.
• A novel method is proposed for ranking the likelihood of accidents in systems with no historical
data.
• A structured HAZID, dependent on a hierarchical breakdown of functional and operational phases
is proposed for the concurrent safety, security and cybersecurity analysis at preliminary design
stages.
• CYRA-MS is proposed for the identification and ranking of cybersecurity related inadvertent
events.
• ESHA-Mar is proposed for identification of items influencing the performance of autonomous
navigation system.
• An algorithmic approach for identifying encounter scenarios for testing of collision avoidance
system is proposed.
• A method for developing an automated safety monitoring system has been suggested.
• A method for substituting safety models calculations with neural networks has been proposed.
• The proposed methods cover only a small part of the suggested framework. They can be applied
in conjunction with state-of-the art and other novel methods.
The MASSs and KETs constitute novel technologies being under an intense focus of many researchers.
The needs associated with the MASSs can demand more advanced methods and enhanced frameworks
supporting the MASS design and safety, security and cybersecurity assurance than the ones presented in
this deliverable. However, this is left as a recommendation for future research.
APPENDIX A - REVIEW OF THE EXISTING STANDARDS AND GUIDANCES
A.1 MARITIME GUIDANCE AND GUIDELINES FOR MASSS
Organisation Name Details
IMO MSC.1- Generic guidelines have been also developed for testing the
Circ.1604 [119] MASSs by IMO.
NMA RSV 12 - 2020 Guidance for the design of automated systems on the ship.
[27] These guidelines are interconnected to the IMO Circ.1455 and
incorporate steps and methodology from there.
BV NI641 R01 [30] BV has issued in 2019 a new revision of guidelines for MASSs.
The guidelines specify the autonomy and control degrees for
ships, include IMO FSA based risk matrix for safety analysis
and supporting material for HAZID implementations as well as
main requirements for the autonomous systems functions and
their reliability. The guidelines have considered the practices
presented in ISO 15288 for software design [29], for data
quality management in ISO 8000 [52] and series of others
DNV DNVGL-CG- DNV has also developed guidelines for MASS safety analysis.
0264 [33] It follows a two-step approach to safety analysis at concept and
design level based on DNV GL RP-A203 guidance [34]. The
main focus of these guidelines is on requirements for the
design of the vessel navigation, engineering, remote control
and communication functions. List of potential hazards is also
available in this standard.
LR Unmanned LR code for unmanned systems have been built based on the
marine systems philosophy of goal-based standards. This code describes the
code [40] specific goals and performance requirements for the unmanned
systems without referencing to specific procedures that can be
followed to achieve them. The requirements are rather of a
high-level nature and do include the list of hazards as in the
previous two standards.
ABS ABS guide for The document issued by ABS an updated version of advisory
Autonomous and document. It includes the list of generic goals and hazards to

remote control be satisfied and is interconnected with the lifecycle approach to
functions [36] system design.
ClassNK Guidelines for This document presents the required documentation and
automated/ provides guidance for the risk assessment accompanied with
autonomous list of sample hazards
operation on
ships [42]
RS Regulations These guidelines include a list of requirements with respect to

for classification various systems of MASS and a description of some of the
of maritime processes to follow to ensure risk-oriented approval of MASS
autonomous and
remotely
controlled
surface ships
(MASS)[44]
CCS Guidelines for These guidelines are aligned to a large extent to the goal-
autonomous based standards and include a list of requirements for various
cargo ships[46] systems on MASS
UK Maritime Maritime UK Maritime authority has issued guidelines with respect to the
Autonomous design of MASSs. The guidelines except classification of
Ship Systems different MASS types include a number of requirements for the
(MASS) UK situational awareness and control systems, communication
Industry Conduct systems; safety, security and cybersecurity management.
Principles and These guidance focus on the small and high-speed class
Code of Practice vessels.
[28]
A.2 MARITIME GUID ELINES FOR NOVEL TECHNOLOGY QUALIFICATION
IMO Guidelines on A risk design approach has been presented at IMO for
approval of risk- assuring new system designs. The approach suggests the
based ship design use of two stage risk analysis accompanied by verification

MSC 86/5/3 (2009) and validation of systems design parameters. Albeit
[120] presented as approach for ship structure design, it has
interest from the methodological perspective when dealing
with alternative designs.
IMO Guidelines for the These are generic guidelines for the analysis and approval
approval of of novel systems. It is based on a two-step approach, where
alternatives and first the concept and then the detailed design are being
equivalents as analysed.
provided in various
IMO instruments
MSC.1/Circ.1455
[25]
BV NI 525 DT R01 E BV has developed guidelines for risk-based approval of new

2020 [31] technologies. These guidelines suggest the development of
system functional description, hazard identification for each
subsystem and Failure Modes and Effects Analysis for the
product. The approach also includes criteria for
benchmarking and comparing the technologies.
DNV DNV GL RP-A203 These guidelines focus on the analysis of novel technology
[34] by considering the technology maturity and application field,
risk assessment and verification processes.
ABS Qualifying new These guidelines suggest a sequential approach to the

technologies [37] development of a new technology by going through various
design stages from concept to prototype and final
operational product.
A.3 MARITIME GUIDANCE FOR SAFETY, SECURITY AND CYBERSECURITY
Organisation Name Type Details
IMO SOLAS chapter Security The main source of reference for maritime security is
XI-2 [121] the International Convention for the Safety of Life at
Sea (SOLAS) chapter XI-2 Special Measures to
enhance maritime security, which makes mandatory

the use of International Ship and Port Facility Security
Code (ISPS Code).
IMO ISPS [122] Security The ISPS Code is divided into two sections, Part A and
Part B. Mandatory Part A outlines detailed maritime
and port security-related requirements which must be
adhered to. Part B of the Code provides a series of
guidelines on how to meet the requirements set out
within the provisions of Part A.
IMO MSC.1/Circ. Cyber- These guidelines specify the list of vulnerable systems,
1526 Interim security prescribe the separation between information and
guidelines on operational technologies and generic principles for
maritime cyber cyber security management and ways to control cyber
risk risk
management[75]
(Also
MSC98/Inf.4 and
MSC 98/5/2)
BV Rules on Cyber Cyber- BV Rule Note shares similarities with the ANSSI 2013
Security for the security [66] approach but is marinised to account for
Classification of connectivity and autonomy types in ships. The
Marine Units approach focuses both on ship system design and
[32] management. These requirements follow a one-step
approach to the risk assessment. The updated Rule
Note also includes the notion of cyber resilience.
DNV DNVGL-RP- Cyber- DNV guidelines shares similarities with NIST SP800
0496 [35] security series approach as it assess consequences in terms of
integrity, availability and confidentiality. This approach
also shares the philosophy of implementing the risk
assessment at two stages: high-level and more
detailed, low level. These guidelines are supported
with a number of potential threat scenarios and
measures.
LR Procedure for Cyber- A framework for cyber technology at various levels of

the assessment security technology. The guidance covers of aspects in addition
of cyber security to the cybersecurity. System security is demanded for
for ships and the system certification.
ships systems
[41]
ABS Cybersecurity Cyber- These are guidance provided in two volumes and have
principles and security strong interconnections to the NIST and ENISA
their framework. The guidance provides a set of
implementation requirements for the certified systems, as well suggest
to Marine and methods for risk assessment.
offshore
operation (2
documents) [39]
ClassNK Guidelines for Cyber- These guidelines are closely aligned to the NIST
designing and security guidelines for the design and ISO 27000 for ship
management (2 management. They also include a set of prescriptive
documents) [43] guidance.
RS Guidelines on Cyber- These guidelines include procedures for cyber risk

cyber safety [45] security assessment and a list of requirements for the
equipment and safety management system
CCS Guidelines on Cyber Guidance supporting the implementation of cyber

Maritime Cyber Security security risk assessment and cyber security
Risk management
Assessment and
Cyber Safety
Management
System [47]
Guidelines for
Requirement
and Security
Assessment of
Ship Cyber

System 2020
[49]
CCS Guidance for Security Guidance supporting the implementation of security

Implementation risk assessment in line with ISPS code
of Ship Security
Assessment [48]
BIMCO The guidelines Cyber- These guidelines incorporate elements from the NIST
on cyber security framework and relevant IMO guidance on the
security onboard management. They also incorporate IACS guidance on
ships [74] the cyber resilience. Their main focus is the cyber risk
management and cyber risk assessment.
Maritime Best practices Cyber- A set of recommendations for cybersecurity

Affairs for cyber security
Directorate of security on-
France board ships
United States Cyber strategy Cyber- A set of goals to be complied by the vessels
Coast Guard [123] security
Centre for The cyber threat Cyber- Definition of threat levels and a generic list of
cyber-security against security vulnerabilities
operational
systems on
ships[124]
The Institute of Code of practice Cyber- Guidance focusing on the design and management of
Engineering security ships interconnected to ISO 27000 standard
Cyber security
and
for ships[125]
Technology
A.4 RELEVANT STANDARDS AND GUIDELINES FROM OTHER IN DUSTRIES
Organisation Name Type Details Relevance to MASS
ISO ISO31000 Safety ISO 31000 is a general framework for assessing and managing Generic standards whose
[126] standard risks [126]. This framework is suggested for application primary principles can be applied during
at an organisational level but it can be also applied to any risk assessment of operations.
function, project, product or activity [127]. It differentiates from Primarily for management.
IEC 61508 by taking a high-level view of the risk through viewing
it as a combinatory result of cooperation between the human
organisation and the system [126].
Norwegian Barrier Safety Barrier management has its origins in oil and gas industry [126]. The thinking in terms of barriers
Petroleum management standard The central concept is that the safety can be achieved by adding with some restrictions, can be
authority [58] obstacles, which are called barriers, in the anticipated hazardous applied to the MASS safety
sequence of events [58]. Humans, technical systems and assessment and enhancement
processes can be viewed as elements of these barriers [58]. The
visualisation of barriers is achieved using Bow-Tie diagrams or a
Swiss-Cheese model [126]. An effective risk management can
be achieved by involving in the process personnel that has a
good understanding of the system properties and the necessary
barriers. The barrier management can be implemented in the
context of ISO 31000 or ISO 9000 standards.
IEC IEC 62508 Safety IEC 62508 is a standard focusing on the dependability of human Can be used for the ROC/RCC
[128] standard factors during the system life cycle stages with applicability to the design
human/machinery interface. The dependability assessment is
implemented by considering the system goal, the behaviour of a
human operator, a machine, the social and physical environment,
the impact of the human/machinery interaction on the
environment and the characteristics of the machinery to the
human feedback. This standard also provides information about
human characteristics, human performance shaping factors,
human reliability analysis methods, critical situations where
human intervention is required and human-centred design
process during different stages of the system engineering
approach. The standard is intended for design of the safe human-
machine interface, however the methods involved can be used
during the system operation for development of the relevant
management system [128].
IEC IEC 61508 Safety IEC 61508 standard is ‘the international standard for electrical, Principles from standard can be
[129] standard electronic and programmable electronic safety-related systems’. used during the design of MASS
A whole family of standards was developed based on IEC 61508
[130]. These standards have a purpose to support the
implementation of the risk assessment and incorporation of safety

systems to ensure that the failures in systems leading to accidents
are minimised. The safety of the system is evaluated based on
the achieved Safety Integrity Level (SIL), which expresses the
probability of failure of the system. Similar standards ensuring
functional safety exist for other industries, such as EN 5012X
series in railway, DO 178C & DO 254 in aviation, IEC 60601 in
medical, IEC 61513 in nuclear, ISO 26262 in automotive, IEC
61511 in process oil & gas etc. industry [126, 130]. These
standards are widely used for the safety assessment of software-
intensive systems as reported in [131].
SAE ARP Safety SAE standard ARP 4761 is a standard for the system safety Principles from standard can be
4761[21] assessment in avionics [132]. This standard follows the steps of a used during the design of MASS
typical “V” system engineering model. It starts with Functional
Hazard Analysis (FHA) at an aircraft level and uses the
Preliminary System Safety Analysis (PSSA) to determine the
failures that can lead to functional hazards for deriving the safety
requirements [132]. The process finishes with the System Safety
Analysis (SSA), which verifies that the system is designed
according to the requirements set [132].
Military MIL-STD- Safety MIL-STD-882E is the standard used by the Military Departments Like ISO31000 it is a generic
Department 882E [133] and Defense Agencies of United States of America. It integrates standard principles from which
and Defense the risk management and the system engineering processes. The can be applied in a new context
Agency of standard describes the documentation required for risk
United management, methods for hazards analysis, procedures for
States of evaluation of hazards and verification of safety requirements. This
America standard also considers Systems of Systems (SoS) and considers
the software impact on the behaviour of the system.
ISO ISO/PAS Safety ISO/PAS 21448 is a standard focusing on the safety of advanced Principles from standard can be
21448 [20] functions of the modern cars such as advance driver assistance used to determine the testing
systems with level 1 and 2 of autonomy. The processes in the properties
standard start with the functional definition of the system, proceed
further with the hazard identification and risk analysis based on
the triggering events, continues with the system design
enhancement and finishes with a high-level guidance for the
description of verification and validation activities.
ISO ISO 27000 Cyber- ISO 27000 includes a generic cyber risk assessment framework. Same as ISO 31000, primarily for
[50] security It also focuses both on system and associated management management of IT MASS
system in similar way with ISO 31000 [126]. The risk management systems
process is also rather similar with the ISO 31000 [126]. These
standards focus is mainly on non-industrial systems [66].
NIST NIST SP800 Cyber- The NIST SP800 series approach focuses on cyber security Can be used for design and
[51] security management. The standard includes a four-phase risk management of IT and OT
management process. The attacks impact is assessed in terms of systems
integrity, availability and confidentiality. These standards consider
both industrial and non-industrial systems.
IEC IEC 62443 Cyber- IEC 62443 is a standard for industrial systems cybersecurity, Similarly with ISO 61508 can be
[60] security which to the best of the author knowledge is presently under used for design of the MASS,
revision. The principal concept of the standard is in assigning a with respect to cybersecurity
specific protection level against cybersecurity threats using
cybersecurity risk assessment. LR guidelines [41] refer to IEC
62443 for cyber-risk assessment, when applied to the ships. DNV
have made their interpretation of the security levels in 62443 and
named them security profiles which is an interpretation in context
of maritime sector. Safety is a part of this approach as well.
BSI BSI16000 Security BS 16000 is a generic standard on security management and Same as ISO 31000 and ISO
[134] operational resilience. This standard has rather similar with ISO 27000, can be used for MASS
31000 [127] and ISO 27000 [50] framework, which is based on management
identification of security threats, risk analysis and risk control. It
also focuses on control both at system and management level.
SCSC SCSC-153A Safety Safety of Autonomous Systems Working Group (SASWG) has The requirements are of generic
[135] developed guidelines providing objectives for the autonomous nature and can be applied to
systems using Artificial Intelligence (AI) algorithms. The MASSs
objectives are independent from specific industry and include
system requirements at computational, architecture and platform
level. The standard is under constant development and will
include also guidance on how to satisfy the objectives in the
newest version.
ISO ISO 15288 Software This is a generic standard focusing on the software design The requirements are of generic
[29] design processes management aligned to system engineering nature and can be applied to the
processes. design of software associated
elements in KET. Can be useful
for KET software verification
before integration testing.
ISO ISO 8000 Generic The standard considers the generation and management of data This standard can be useful for
[52] used by the systems the design of IMS and SAS
ISO ISO 11064 Ergonomic The standard focuses on ergonomic design of control stations Can be useful for design of
[54] design ROC/RCC
ISO ISO 10181 Cyber This standards focuses on control of access to information in This standard can be useful for
[55] security interconnected systems design of CCSS
EASA EASA Generic This is a standard providing guidance on trustworthy, ethical and Can be used for the development
concept safe application of AI and ML of SAS and ANS on MASS
paper [56]
REFERENCES
[1] Yara. Yara Birkeland press kit. 2018.

[2] MUNIN. Maritime Unmanned Navigation through Intelligence in Networks. 2016.
[3] AAWA. AAWA project introduces the project’s first commercial ship operators. 2016.
[4] Daffey K. Technology Progression of Maritime Autonomous Surface Ships. 2018.
[5] AEGIS. What if marine automation can take waterborne transport to the next level? 2021.
[6] RECOTUG. SVITZER, KONGSBERG Maritime and ABS join forces to develop the world's first
commercial tug to be fully remotely controlled. 2021.
[7] AUTOSHIP. Autonomous Shipping Initiative for European Waters. 2019.
[8] Bolbot V, Theotokatos G, Bujorianu LM, Boulougouris E, Vassalos D. Vulnerabilities and safety
assurance methods in Cyber-Physical Systems: A comprehensive review. Reliability Engineering &
System Safety. 2019;182:179-93.
[9] Eloranta S, Whitehead A. Safety aspects of autonomous ships. In: Gl DNV, editor. 6th International
Maritime Conference. Germany, Hamburg2016. p. 168-75.
[10] Wingrove M. Shipborne systems most vulnerable to cyber-attack. Marine electronics &
communications. United Kingdom, Enfield: Riviera Maritime Media Ltd; 2017. p. 27.
[11] Transportasi KNK. Aircraft Accident Investigation Report. Tanjung Karawang, West Java, Republic of
Indonesia2019.
[12] Accident Investigation Boar Norway. INTERIM REPORT ON THE INVESTIGATION INTO THE LOSS
OF PROPULSION AND NEAR GROUNDING OF VIKING SKY. 2019.
[13] Merriman SE, Plant KL, Revell KMA, Stanton NA. What can we learn from Automated Vehicle
collisions? A deductive thematic analysis of five Automated Vehicle collisions. Safety Science.
2021;141:105320.
[14] FAIVRE J, NZENGU W. D2.3 Regulatory framework mapping & Identification of gaps and
requirements for autonomous ships compliance. 2020.
[15] Bolbot V, Theotokatos G, Wennersberg LA, Rødseth ØJ, Boulougouris E, Vassalos D, et al. D2.4 Risk
assessments, fail-safe procedures and acceptance criteria. 2021.
[16] Rødseth ØJ, Faivre J, Hjørungnes SR, Andersen P, Bolbot V, Pauwelyn A-S, et al. AUTOSHIP
deliverable D3.1 Autonomous ship design standards, Revision 2.0. 2020.
[17] Kriaa S, Pietre-Cambacedes L, Bouissou M, Halgand Y. A survey of approaches combining safety
and security for industrial control systems. Reliability Engineering & System Safety. 2015;139:156-78.
[18] Line MB, Nordland O, Røstad L, Tøndel IA. Safety vs. Security? (PSAM-0148). In: Stamatelatos MG,
Blackman HS, editors. Proceedings of the Eighth International Conference on Probabilistic Safety
Assessment & Management (PSAM): ASME Press; 2006. p. 0.
[19] IMO. Autonomous shipping. 2021.
[20] BSI. PD ISO/PAS 21448: Road vehicles - safety of the intended functionality. 2019.
[21] SAE. ARP4761 - Guidance and methods for conducting the safety assessment process on civil ariborn
systems and equipment. 1996.
[22] Papanikolaou A. Ship design: methodologies of preliminary design: Springer; 2014.
[23] Wennersberg LA, Rødseth ØJ. D3.2 Autonomous ship design methods and test principles. 2021.
[24] ISO. ISO 26262: Road vehicles — Functional safety. Part 1: Vocabulary. United Kingdom, London:
British Standard Industries; 2011.
[25] IMO. MSC. 1/Circ 1455 Guidelines for the approval of alternatives and equivalents as provided for in
various IMO instruments. United Kingdom, London2013.
[26] INCOSE. Systems Engineering Handbook: A Guide for System Life Cycle Processes and Activities.
Fourth Edition ed. USA, New Jersey: John Wiley & Sons, Inc., Hoboken; 2015.
[27] Norwegian flag state authorities. Guidelines for the construction or installation of automated
functionality, with the intention of performing uncrewed or partially uncrewed operations. Norway2020.
[28] Maritime UK. Maritime Autonomous Surface Ships UK code of practice Version 4. In: UK M,
editor.2020.
[29] ISO. ISO 15288 Systems and software engineering — System life cycle processes. 2015.
[30] BV. Guidelines for autonomous shipping - Guidance Note NI 641DT R01 E. In: BV, editor.2019.
[31] BV. Risk based qualification of new technology - methodological guidelines. NI 525 DT R01 E2020.
[32] BV. Rules on Cyber Security for the Classification of Marine Units. In: BV, editor. NR 659 DT R01.
Paris, France2020.
[33] DNV GL. Autonomous and remotely operated ships. In: GL D, editor. DNVGL-CG-02642018.
[34] DNV GL. Qualification of new technology. DNV-RP-A2032011.
[35] DNV GL. DNVGL-RP-0496 - Cyber security resilience management 2016.
[36] ABS. Guide for autonomous and remote control functions. 2021.
[37] ABS. Qualifying new technologies. 2017.
[38] ABS. Review and approval of novel concepts. 2017.
[39] ABS. Cybersecurity implementation for the marine and offshore industries. In: ABS, editor. ABS
CyberSafetyTM VOLUME 22018.
[40] LR. LR Code for Unmanned Marine Systems. In: LR, editor.2017.
[41] LR. Procedures for the assessment of cyber security for ships and ships systems. 2019.
[42] ClassNK. Guidelines for automated/autonomous operation on ships. 2020.
[43] ClassNK. Cyber security management system for ships. 2019.
[44] shipping Rmro. Regulations for classification of maritime autonomous and remotely controlled surface
ships (MASS). 2020.
[45] Shipping RMRo. Guidelines on Cyber Safety. 2020.
[46] society Cc. Guidelines for autonomous cargo ships. 2018.
[47] Society CC. Guidelines on Maritime Cyber Risk Assessment and Cyber Safety Management System.
2019.
[48] Society CC. Guidelines for implementation of ship security assessment. 2004.
[49] Society CC. Guidelines for Requirement and Security Assessment of Ship Cyber System. 2020.
[50] ISO/IEC. Information technology — Security techniques — Information security management systems
(ISO/IEC 27000). British Standard Institution; 2016.
[51] NIST. Computer security resource center. 2019.
[52] ISO. ISO 8000 Data quality. 2011.
[53] International Organization for Standardization. Guidance on human aspects of dependability - EN
62508. United Kingdom, London: British Standard Institution; 2010.
[54] ISO. ISO 11064 Ergonomic design of control centres. 2001.
[55] ISO. ISO/IEC 10181 Information technology — Open Systems Interconnection — Security frameworks
for open systems. 1996.
[56] EASA. EASA Concept Paper: First usable guidance for Level 1 machine learning applications A
deliverable of the EASA AI Roadmap. 2021.
[57] ISO. Risk management - Guidelines - ISO 31000. United Kingdom, London: British Standards
Institution; 2018.
[58] Petroleum Safety Authority. Principles for barrier management in the petroleum industry. Norway:
Petroleum Safety Authority; 2013.
[59] ISO. Functional safety of electrical/electronic/programmable electronic safety-related systems - IEC
61508. Part 1: General requirements. United Kingdom, London: British Standard Institution; 2010.
[60] IEC. Security for industrial automation and control systems - IEC 62443. 2018.
[61] Safety of Autonomous Systems Working Group (SASWG). Safety assurance objectives for
autonomous systems. Version 2 (SCSC-153A): Safety Critical Systems Society; 2020.
[62] US Department of Defense. MIL-STD-882E: System Safety. U.S. Department of Defense; 2012.
[63] Institution BS. BS 16000 - Security management – Strategic and operational guidelines. London
UK2015.
[64] Everdij MHC, Blom HAP. Safety methods database. In: Allocco M, Bush D, Çeliktin M, Kirwan B, Mana
P, Mickel J, et al., editors. Netherlands: Netherlands Aerospace Centre NLR; 2016.
[65] ISO. Risk management — Risk assessment techniques. ISO 31010. Switzerland, Geneva:
International Organization for Standardization; 2009. p. 92.
[66] Flaus J-M. Cybersecurity of industrial systems. London, United Kingdom: ISTE Ltd; 2019.
[67] Macher G, Sporer H, Berlach R, Armengaud E, Kreiner C. SAHARA: a security-aware hazard and risk
analysis method. 2015 Design, Automation & Test in Europe Conference & Exhibition (DATE): IEEE;
2015. p. 621-4.
[68] Tam K, Jones K. MaCRA: a model-based framework for maritime cyber-risk assessment. WMU
Journal of Maritime Affairs. 2019;18:129-63.
[69] Bolbot V, Theotokatos G, Boulougouris E, Psarros G, Hamann R. A novel method for safety analysis
of Cyber-Physical Systems - Application to a ship exhaust gas scrubber system. Safety. 2020;6:26.
[70] Schmittner C, Ma Z, Schoitsch E, Gruber T. A case study of FMVEA and CHASSIS as safety and
security co-analysis method for automotive Cyber-Physical Systems. 1st ACM Workshop on Cyber-
Physical System Security. Singapore, Republic of Singapore: ACM; 2015. p. 69-80.
[71] Kelly T, Weaver R. The goal structuring notation–a safety argument notation. Proceedings of the
dependable systems and networks 2004 workshop on assurance cases: Citeseer; 2004. p. 6.
[72] Bureau Veritas. Guidelines for Autonomous Shipping. In: Veritas B, editor. NI 641 DT R01E. Paris:
Bureau Veritas; 2019.
[73] Bolbot V, Theotokatos G, Andreas Wennersberg L, Faivre J, Vassalos D, Boulougouris E, et al. A
novel risk assessment process: Application to an autonomous inland waterways ship. Proceedings of the
Institution of Mechanical Engineers, Part O: Journal of Risk and Reliability. 2021:1748006X211051829.
[74] BIMCO. The Guidelines on Cyber Security Onboard Ships Version 3.0. 2018.
[75] IMO. Interim guidelines on maritime cyber risk management. MSC1-CIRC15262016. p. 6.
[76] BV. Rules on Cyber Security for the Classification of Marine Units. In: BV, editor. NR 659 DT R00.
Paris, France2018.
[77] Bolbot V, Theotokatos G, Boulougouris E, Vassalos D. A novel cyber-risk assessment method for ship
systems. Safety Science. 2020;131:104908.
[78] Kavallieratos G, Katsikas S, Gkioulos V. Cyber-Attacks Against the Autonomous Ship. In: Katsikas
SK, Cuppens F, Cuppens N, Lambrinoudakis C, Antón A, Gritzalis S, et al., editors. Computer Security.
Cham: Springer International Publishing; 2019. p. 20-36.
[79] Bolbot V, Theotokatos G, Boulougouris E, Vassalos D. Safety related cyber-attacks identification and
assessment for autonomous inland ships. Internation Seminar on Safety and Security of Autonomous
Vessels. Helsinki, Finland2019.
[80] Bolbot V, Theotokatos G, Boulougouris E, Vassalos D. A novel cyber-risk assessment method for ship
systems. Safety Science. 2020;Under review.
[81] National Transportation Safety Board (NTSB). Collision Between a Car Operating With Automated
Vehicle Control Systems and a Tractor-Semitrailer Truck Near Williston, Florida May 7, 2016 Highway
Accident Report. United States, Washington D.C.: National Transportation Safety Board; 2017.
[82] Guiochet J, Machin M, Waeselynck H. Safety-critical advanced robots: A survey. Robotics and
Autonomous Systems. 2017;94:43-52.
[83] Alexander R, Hawkins HR, Rae AJ. Situation coverage–a coverage criterion for testing autonomous
robots. 2015.
[84] Zhou X-Y, Huang J-J, Wang F-W, Wu Z-L, Liu Z-J. A Study of the Application Barriers to the Use of
Autonomous Ships Posed by the Good Seamanship Requirement of COLREGs. Journal of Navigation.
2020;73:710-25.
[85] Gao M, Shi G-Y. Ship collision avoidance anthropomorphic decision-making for structured learning
based on AIS with Seq-CGAN. Ocean Engineering. 2020;217:107922.
[86] Mou JM, Van Der Tak C, Ligteringen H. Study on collision avoidance in busy waterways by using AIS
data. Ocean Engineering. 2010;37:483-90.
[87] Goerlandt F, Goite H, Valdez Banda OA, Höglund A, Ahonen-Rainio P, Lensu M. An analysis of
wintertime navigational accidents in the Northern Baltic Sea. Safety Science. 2017;92:66-84.
[88] Kulkarni K, Goerlandt F, Li J, Banda OV, Kujala P. Preventing shipping accidents: Past, present, and
future of waterway risk management with Baltic Sea focus. Safety Science. 2020;129:104798.
[89] Jinyu L, Lei L, Xiumin C, Wei H, Xinglong L, Cong L. Automatic identification system data-driven model
for analysis of ship domain near bridge-waters. Journal of Navigation. 2021:1-22.
[90] Zhang W, Feng X, Qi Y, Shu F, Zhang Y, Wang Y. Towards a Model of Regional Vessel Near-miss
Collision Risk Assessment for Open Waters based on AIS Data. Journal of Navigation. 2019;72:1449-68.
[91] Rawson A, Brito M. Developing contextually aware ship domains using machine learning. Journal of
Navigation. 2021;74:515-32.
[92] IMO. Revised guidelines for the onboard operational use of shipborne Automatic Identification
Systems (AIS) Resolution A.1106(29). 2015.
[93] Pedersen TA, Glomsrud JA, Ruud E-L, Simonsen A, Sandrib J, Eriksen B-OH. Towards simulation-
based verification of autonomous navigation systems. Safety Science. 2020;129:104799.
[94] Nidhra S, Dondeti J. Black box and white box testing techniques-a literature review. International
Journal of Embedded Systems and Applications (IJESA). 2012;2:29-50.
[95] COLREGS. International Regulations for Preventing Collisions at Sea - Articles of the Convention on
the International Regulations for Preventing Collisions at Sea. 1972.
[96] Woerner K, Benjamin MR, Novitzky M, Leonard JJ. Quantifying protocol evaluation for autonomous
collision avoidance. Autonomous Robots. 2019;43:967-91.
[97] Luft J, Ingham H. The johari window. Human Relations Training News. 1961;5:6-7.
[98] Bolbot V, Theotokatos G. Automatically generating collision scenarios for testing ship collision
avoidance system using sampling techniques. LEAC2021.
[99] Bolbot V, Gkerekos C, Theotokatos G. Ships traffic encounter situation generation using sampling and
clustering techniques. In: Vassalos D, editor. Stability and Safety of Ships and Ocean Vehicles. Glasgow
2021.
[100] Stefani A. An introduction to ship automation and control systems. United Kingdom, London: Institute
of Marine Engineering, Science & Technology; 2013.
[101] Malone T, Kirkpatrick M, Mallory K, Eike D, Johnson J, Walker R. Human factors evaluation of control
room design and operator performance at Three Mile Island-2. Washington DC, United States: Essex
Corp., Alexandria, VA (USA); 1980.
[102] DNV. 2025 Technology outlook. 2015.
[103] Papadopoulos Y, McDermid J. Automated safety monitoring: A review and classification of methods.
International journal of COMADEM. 2001;4:14-32.
[104] Xing J, Zeng Z, Zio E. A framework for dynamic risk assessment with condition monitoring data and
inspection data. Reliability Engineering & System Safety. 2019;191:106552.
[105] Hu J, Zhang L, Ma L, Liang W. An integrated method for safety pre-warning of complex system.
Safety Science. 2010;48:580-97.
[106] Hu J, Zhang L, Ma L, Liang W. An integrated safety prognosis model for complex system based on
dynamic Bayesian network and ant colony algorithm. Expert Systems with Applications. 2011;38:1431-46.
[107] Aizpurua JI, Catterson VM, Papadopoulos Y, Chiacchio F, Manno G. Improved Dynamic
Dependability Assessment Through Integration With Prognostics. IEEE Transactions on Reliability.
2017;66:893-913.
[108] Aizpurua J, Catterson V, Papadopoulos Y, Chiacchio F, D'Urso D. Supporting group maintenance
through prognostics-enhanced dynamic dependability prediction. Reliability Engineering & System Safety.
2017.
[109] Gomes JPP, Rodrigues LR, Galvão RKH, Yoneyama T. System level RUL estimation for multiple-
component systems. Proceedings of the 2013 Annual conference of the prognostics and health
management society2013. p. 74-82.
[110] Pattison D, Segovia Garcia M, Xie W, Quail F, Revie M, Whitfield R, et al. Intelligent integrated
maintenance for wind power generation. Wind Energy. 2016;19:547-62.
[111] Abaei MM, Hekkenberg R, BahooToroody A. A multinomial process tree for reliability assessment of
machinery in autonomous ships. Reliability Engineering & System Safety. 2021;210:107484.
[112] Eriksen S, Utne IB, Lützen M. An RCM approach for assessing reliability challenges and maintenance
needs of unmanned cargo ships. Reliability Engineering & System Safety. 2021;210:107550.
[113] Bolbot V, Theotokatos G, Hamann R, Psarros G, Boulougouris E. Dynamic blackout probability
monitoring system for cruise ship power plants. Energies. 2021;14:6598.
[114] Pereira A, Thomas C. Challenges of Machine Learning Applied to Safety-Critical Cyber-Physical
Systems. Machine Learning and Knowledge Extraction. 2020;2:579-602.
[115] Hegde J, Rokseth B. Applications of machine learning methods for engineering risk assessment–A
review. Safety science. 2020;122:104492.
[116] Hughes P, Van Gulijk C, El Rashidy R. An interactive machine-learning method to obtain safety
information from free text. 29th European Safety and Reliability Conference2019. p. 46-54.
[117] Schwarz M, Schepers P, Van Boggelen J, Loendersloot R, Tinga T. Application of an Unvalidated
Process Model to Define Operational Functional Failures. 30th European Safety and Reliability
Conference (ESREL) and the 15th Probabilistic Safety Assessment and Management Conference (PSAM)
2020: Research Publishing; 2020. p. 3554.
[118] Bolbot V, Gkerekos C, Theotokatos G. Supplementing Fault Trees calculations with neural networks.
ESREL 20212021.
[119] IMO. Interim guidelines for MASS trials. MSC1/Circ16042019.

[120] IMO. Goal-based new ship construction standards - Guidelines on approval of risk-based ship design.
MSC86/5/32009.
[121] Organization IM. SOLAS: consolidated text of the International Convention of Safety of Life at Sea,
1974, as amended. 6th consolidated edition ed: International Maritime Organization; 2014.
[122] IMO. International Ship and Port Facility Security Code 2003.
[123] United States Coast Guard. Cyber strategy. Washington D.C.2015.
[124] Cybersecurity Cf. The cyber threat against operational systems on ships. 2020.
[125] technology Tioea. Code of practice Cybersecurity for ships. 2017.
[126] SafeCOP. State of the art on safety assurance. 2016. p. 94.
[127] ISO I. 31000: 2009 Risk management–Principles and guidelines. International Organization for
Standardization, Geneva, Switzerland. 2009.
[128] IEC. Guidance on human aspects of dependability. United Kingdom, London: British Standard
Institution; 2010.
[129] IEC. Functional safety. Essential to overall safety. Switzerland, Geneva2015.
[130] Smith DJ, Simpson KG. The Safety Critical Systems Handbook: A Straightforward Guide to
Functional Safety: IEC 61508 (2010 Edition), IEC 61511 (2015 Edition) and Related Guidance:
Butterworth-Heinemann; 2016.
[131] de la Vara JL, Borg M, Wnuk K, Moonen L. Survey on safety evidence change impact analysis in
practice: Detailed description and analysis. Simula Research Laboratory, Tech Rep Nov. 2014.
[132] Joshi A, Whalen M, Heimdal MPE. Model-Based Safety Analysis final report. Nasa Langley Research
Center; 2006.
[133] Defense UDo. MIL-STD-882E: System Safety. U.S. Department of Defense; 2012.
[134] Sampigethaya K, Poovendran R. Aviation Cyber–Physical Systems: foundations for future aircraft
and air transport. Proceedings of the IEEE. 2013;101:1834-55.
[135] (SASWG) SoASWG. Safety assurance objectives for autonomous systems. Version 2 (SCSC-
153A): Safety Critical Systems Society; 2020.

A Holistic Framework For Autonomous Shipping Safety Security and Cybersecurity Assurance

Uploaded by

Copyright:

Available Formats

A Holistic Framework For Autonomous Shipping Safety Security and Cybersecurity Assurance

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A Holistic Framework For Autonomous Shipping Safety Security and Cybersecurity Assurance

Uploaded by

Copyright:

Available Formats

Project type: IA Innovation Action

Start of the project: 01/06/2019 Duration: 42 months

[D2.6] A holistic framework for autonomous shipping safety, security

Responsible Author(s) Victor Bolbot, Gerasimos Theotokatos (USTRAT)

Version Date Created/Amended Changes

02 24/03/2020 Victor Bolbot Introduction, review section and framework

03 18/06/2021 Victor Bolbot Incorporating feedback from KOGM, BV and STF

04 16/07/2021 Victor Bolbot Incorporating feedback from STF and BV

Adding the sections related to novel methods

05 25/08/2021 Victor Bolbot Incorporating feedback from STF and BV

Updating based on novel class society standards

Adding novel methods

06 30/10/2021 Victor Bolbot Incorporating feedback from Gerasimos

Including additional information

QUALITY CHECK REVIEW

Reviewer (s) Main changes

Jerome Faivre Proof reading and corrections

Lars Andreas Wennersberg Inclusion of RS and CCS related guidance

Carolina Salas Final template/format check before submission

DISCLAIMER AND COPYRIGHT

© 2021, AUTOSHIP CONSORTIUM

REFERENCES TO THIS DOCUMENT - ACKNOWLEDGEMENTS

Deliverable information ................................................................................................................................ 2

List of abbreviations and definitions ............................................................................................................ 7

Executive summary ..................................................................................................................................... 9

1.1. Background .................................................................................................................................... 11

2.1. The rationale behind the framework .............................................................................................. 13

2.6.2. SSCSAF relationship with the class societies guidance ................................................... 25

2.6.3. SSCSAF relationship to other standards and guidelines. ................................................. 29

2.7. Practical recommendations for the SSCSAF application .............................................................. 33

3. Novel methods ................................................................................................................................... 36

3.1. Overview ........................................................................................................................................ 36

3.2.1. The rationale ...................................................................................................................... 37

3.2.2. Method brief description .................................................................................................... 37

3.3. Structured Hazid ............................................................................................................................ 40

3.3.1. The rationale ...................................................................................................................... 40

3.3.2. Short method description ................................................................................................... 40

3.4. CYber-Risk Assessment for Marine Systems (CYRA-MS) method .............................................. 42

3.4.1. The rationale ...................................................................................................................... 42

3.4.2. Method brief description .................................................................................................... 42

3.5. ESHA-Mar ...................................................................................................................................... 45

3.5.1. The rationale ...................................................................................................................... 45

3.5.2. Method description ............................................................................................................ 45

3.6. Identifying testing scenarios for collision avoidance system ......................................................... 47

3.6.1. Rationale ............................................................................................................................ 47

3.6.2. Method description ............................................................................................................ 48

3.7. Automatic safety monitoring system .............................................................................................. 49

3.7.1. Rationale ............................................................................................................................ 49

3.7.2. Method description ............................................................................................................ 49

3.8. Supplementing Fault Trees calculations with neural networks ..................................................... 51

3.8.1. Rationale ............................................................................................................................ 51

3.8.2. Method description ............................................................................................................ 51

Appendix A - Review of the existing standards and guidances ................................................................ 55

A.1 Maritime guidance and guidelines for MASSs .................................................................................... 55

LIST OF ABBREVIATIONS AND DEFINITIONS

ANN Artificial Neural Networks

ANS Autonomous Navigation System

ASC Autonomous Ship Control system

BBN Bayesian Belief Network