Why Safety Assurance Matters for Autonomous Shipping
One of the key questions surrounding autonomous and remotely operated ships is simple but fundamental: how can we demonstrate that a crewless ship is at least as safe as a conventional ship with crew on board?
From a regulatory perspective, this question is directly linked to the International Maritime Organization (IMO) framework, and in particular to MSC.1/Circ.1455, which allows the approval of alternative and equivalent solutions provided that an equivalent level of safety can be demonstrated.
For autonomous ships, safety can no longer rely primarily on trained crew, procedures, and human judgement on board. Instead, safety must be demonstrated through engineering evidence, structured arguments, and systematic verification activities. This is where the concept of Safety Assurance becomes essential.
This article explains, in accessible terms, the integrated safety assurance approach proposed by Nakashima et al. (2024), clarifying key concepts such as Model-Based Systems Engineering (MBSE), System-Theoretic Process Analysis (STPA), and their role in building a credible safety argument for autonomous vessels.
What Is a Safety Assurance Case?
A safety assurance case (often simply called a safety case) is a structured and documented argument that a system is acceptably safe for its intended operation.
At its core, a safety case answers three questions:
- What are we claiming? (for example: “The autonomous navigation system is safe within its operational domain”)
- Why should this claim be believed? (the logical argument linking design choices, analyses, and mitigations)
- What evidence supports it? (tests, simulations, analyses, standards, operational data)
This structure is often expressed using formalisms such as GSN (Goal Structuring Notation) or CAE (Claims–Arguments–Evidence). While the graphical notation is helpful, the key idea is conceptual: safety is not assumed, it is argued and demonstrated.
For autonomous ships, the safety case becomes the main vehicle to demonstrate equivalence with conventional ships under IMO rules.
Why Autonomous Ships Need a Different Safety Approach
Traditional ships rely heavily on:
- Human perception and judgement
- On-board decision-making
- Crew intervention in abnormal situations
Autonomous ships, by contrast, rely on:
- Sensors and data fusion
- Software-driven decision-making
- Remote operators or supervisory systems
- Predefined operational limits
This shift introduces new types of risk, including at a minimum the following:
- Software and algorithmic failures and intrusions
- Incomplete or incorrect system models
- Unexpected interactions between subsystems
- Mismatches between system assumptions and real-world conditions
As a result, safety assurance for autonomous ships must:
- Address system-level behaviour, not just component failures
- Be traceable from high-level safety goals down to design and tests
- Remain valid throughout the system lifecycle, including updates and operational changes
Model-Based Systems Engineering (MBSE) Explained Simply
Traditional Design vs. MBSE
In traditional ship design, systems are often described using:
- Text documents
- Drawings and schematics
- Interface descriptions written in natural language
While familiar, this approach has weaknesses:
- Ambiguities in interpretation
- Inconsistencies between documents
- Difficult traceability between requirements, design, and tests
Model-Based Systems Engineering (MBSE) addresses these issues by making models the central element of system development.
What Does “Model-Based” Mean?
In MBSE:
- Requirements, functions, interfaces, and behaviours are represented in formal models
- A shared modelling language (such as SysML) is used
- Different stakeholders view the same underlying system model from different perspectives
Instead of asking “What did this document mean?”, stakeholders ask “What does the model show?”
Why MBSE Is Crucial for Safety
MBSE enables:
- Clear decomposition of safety requirements into verifiable elements
- Traceability from safety goals to design decisions and test cases
- Early identification of inconsistencies and missing assumptions
In the context of safety assurance, MBSE provides the structural backbone that links risk analysis, verification, and operational monitoring.
Understanding STPA: Looking Beyond Component Failures
Limits of Traditional Hazard Analysis
Classical methods such as FMEA (Failure Modes and Effects Analysis) focus on component failures:
- What happens if this sensor fails?
- What happens if this actuator stops working?
While important, this approach is not sufficient for complex autonomous systems, where accidents may occur even when components are functioning as designed.
What Is STPA?
System-Theoretic Process Analysis (STPA) is a top-down hazard analysis method based on systems theory.
Instead of asking “What breaks?”, STPA asks:
- What unsafe control actions could lead to accidents?
- Under what conditions could these unsafe actions occur?
- How could interactions between subsystems create hazards?
In simple terms, STPA focuses on control, feedback, and assumptions, rather than isolated failures.
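The following is an added example, not code from Nakashima et al. or the original article, showing how the STPA questions above are worked mechanically: for each control action a controller can issue, the four STPA unsafe-control-action types are checked against the contexts in which the action matters, each resulting UCA is inverted into a safety constraint, and a blind-spot check lists hazards no UCA reaches. The controllers, contexts, hazard ids and hazard links are constructed analyst judgements for a small autonomous-navigation control structure, not the paper's model.

```python
"""Added example (not from Nakashima et al.): enumerating STPA unsafe control
actions (UCAs) for a small, constructed autonomous-navigation control structure
and turning them into safety constraints.

STPA asks, for every control action a controller can issue, whether it is
unsafe in one of four ways: not provided, provided (when it should not be),
provided with wrong timing/order, or stopped too soon / applied too long.
The controllers, contexts and hazard links below are illustrative analyst
judgements, not the paper's model.
"""
from dataclasses import dataclass

# The four UCA types defined by STPA.
UCA_TYPES = ("not provided", "provided", "wrong timing",
             "stopped too soon / applied too long")

# Constructed system-level hazards. H-4 is deliberately left without any
# UCA so that the blind-spot check below has something to report.
HAZARDS = {
    "H-1": "Vessel violates minimum separation from another vessel",
    "H-2": "Vessel leaves safe water (grounding)",
    "H-3": "Vessel operates outside its ODD without remote-operator handover",
    "H-4": "Loss of the ship-shore communication link goes undetected",
}

@dataclass
class ControlAction:
    controller: str
    action: str
    # context -> {uca_type: [hazard ids]}: the contexts in which each
    # kind of unsafe provision of the action leads to a hazard.
    unsafe_in: dict

@dataclass
class UCA:
    id: str
    controller: str
    action: str
    uca_type: str
    context: str
    hazards: tuple

# Constructed control structure with three controllers.
ACTIONS = [
    ControlAction("Collision-avoidance module", "alter course", {
        "target vessel on collision course": {"not provided": ["H-1"],
                                             "wrong timing": ["H-1"]},
        "navigating a narrow channel": {"provided": ["H-2"]},
    }),
    ControlAction("Remote operator", "take over control", {
        "autonomy reports degraded sensing": {"not provided": ["H-3"],
                                             "wrong timing": ["H-3"]},
    }),
    ControlAction("Speed controller", "reduce speed", {
        "approaching shallow water": {
            "not provided": ["H-2"],
            "stopped too soon / applied too long": ["H-2"]},
    }),
]

def generate_ucas(actions):
    """Walk every (action, context, UCA type) combination and keep the ones
    the analyst linked to at least one hazard."""
    ucas = []
    for ca in actions:
        for context, by_type in ca.unsafe_in.items():
            for uca_type in UCA_TYPES:
                hazards = tuple(by_type.get(uca_type, ()))
                if hazards:
                    ucas.append(UCA(f"UCA-{len(ucas) + 1}", ca.controller,
                                    ca.action, uca_type, context, hazards))
    return ucas

# One constraint wording per UCA type; a UCA is inverted into a requirement.
CONSTRAINT_TEMPLATES = {
    "not provided": "{c} must provide '{a}' when {ctx}",
    "provided": "{c} must not provide '{a}' when {ctx}",
    "wrong timing": "{c} must provide '{a}' within the required time window when {ctx}",
    "stopped too soon / applied too long":
        "{c} must sustain '{a}' for the required duration when {ctx}",
}

def derive_constraints(ucas):
    """Turn each UCA into a safety constraint traceable to its hazards."""
    return [
        f"SC-{i}: " + CONSTRAINT_TEMPLATES[u.uca_type].format(
            c=u.controller, a=u.action, ctx=u.context)
        + f" [{', '.join(u.hazards)}]"
        for i, u in enumerate(ucas, 1)
    ]

def uncovered_hazards(ucas, hazards=HAZARDS):
    """Hazards that no UCA leads to: either the hazard is unreachable through
    the modelled control actions or the analysis has a blind spot."""
    reached = {h for u in ucas for h in u.hazards}
    return set(hazards) - reached

if __name__ == "__main__":
    ucas = generate_ucas(ACTIONS)
    for line in derive_constraints(ucas):
        print(line)
    print("hazards without any UCA:", uncovered_hazards(ucas))
```

The constraints produced this way are what later feed the requirement and verification levels of the safety case: each carries the hazard ids it mitigates, and the uncovered-hazard set is the question a reviewer should ask before accepting that hazard identification is complete.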
Why STPA Fits Autonomous Ships
Autonomous navigation systems involve:
- Multiple controllers (software, remote operators, supervisory systems)
- Feedback loops (sensor data, system health information)
- Dynamic interactions with other vessels and the environment
STPA helps identify hazards such as:
- Incorrect assumptions about vessel manoeuvrability
- Mismatches between planning and execution
- Delayed or missing feedback between ship and shore
These are precisely the types of risks that matter most for autonomous ships.
Combining MBSE, STPA, and FMEA
The approach described by Nakashima et al. does not rely on a single method, but integrates several complementary ones:
- MBSE provides the system structure and traceability
- STPA identifies system-level hazards and unsafe interactions
- FMEA captures component-level failure modes, including conventional ship equipment
Together, these methods:
- Generate multi-level safety requirements
- Reduce blind spots in hazard identification
- Support a defensible safety argument aligned with IMO expectations
Verification: From Requirements to Evidence
A safety case is only credible if safety requirements are verified.
In the described methodology, verification is performed through multiple stages:
- Unit and subsystem testing
- Integration testing
- Simulation-based testing (MIL: model-in-the-loop, HIL: hardware-in-the-loop)
- Dockside and offshore trials
Advanced simulators are used to:
- Reproduce ship dynamics and environmental conditions
- Explore large numbers of scenarios
- Define and validate the Operational Design Domain (ODD)
Simulation is particularly important for autonomous ships, because it allows the exploration of rare, dangerous, or impractical-to-test situations.
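As an added example (not the paper's or the article's code), the script below treats the Operational Design Domain as a set of numeric limits, checks each simulated scenario against them, and measures how much of the domain a simulation campaign actually exercised. The parameter names, limits and scenario values are constructed for illustration; a scenario that never recorded one of the ODD parameters is treated as outside the ODD, since an unmeasured condition cannot support a claim of being inside it.

```python
"""Added example (not the paper's code): checking simulated scenarios against
an Operational Design Domain (ODD) and measuring how much of that domain a
simulation campaign has actually exercised.

The ODD is written as numeric limits on environmental and traffic
conditions; each scenario is the set of conditions one simulation run used.
Limits, parameter names and scenario values are all constructed for
illustration.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Limit:
    low: float
    high: float

    def contains(self, value):
        return self.low <= value <= self.high

# Constructed ODD: the conditions within which the autonomy is claimed safe.
ODD = {
    "wind_speed_kn": Limit(0, 25),
    "sig_wave_height_m": Limit(0, 2.5),
    "visibility_nm": Limit(1.0, 50),
    "traffic_density": Limit(0, 5),   # other vessels within 2 nm
}

# Constructed simulation scenarios (S5 never recorded visibility).
SCENARIOS = [
    {"id": "S1", "wind_speed_kn": 10, "sig_wave_height_m": 1.0, "visibility_nm": 10, "traffic_density": 2},
    {"id": "S2", "wind_speed_kn": 24, "sig_wave_height_m": 2.4, "visibility_nm": 1.5, "traffic_density": 5},
    {"id": "S3", "wind_speed_kn": 30, "sig_wave_height_m": 3.0, "visibility_nm": 5, "traffic_density": 1},
    {"id": "S4", "wind_speed_kn": 5, "sig_wave_height_m": 0.5, "visibility_nm": 0.3, "traffic_density": 0},
    {"id": "S5", "wind_speed_kn": 15, "sig_wave_height_m": 1.5, "traffic_density": 3},
    {"id": "S6", "wind_speed_kn": 0, "sig_wave_height_m": 0, "visibility_nm": 50, "traffic_density": 0},
]

def odd_violations(scenario, odd=ODD):
    """Parameters of a scenario that are outside the ODD. A parameter the
    scenario did not record is reported as well: a condition that was never
    measured cannot be claimed to be inside the ODD."""
    out = {}
    for name, limit in odd.items():
        if name not in scenario:
            out[name] = "not recorded"
        elif not limit.contains(scenario[name]):
            out[name] = scenario[name]
    return out

def classify(scenarios, odd=ODD):
    """Split scenarios into in-ODD (autonomy may operate) and out-of-ODD
    (the system must hand over or fall back to a safe state)."""
    inside, outside = [], []
    for s in scenarios:
        (outside if odd_violations(s, odd) else inside).append(s["id"])
    return inside, outside

def coverage(scenarios, odd=ODD, bins=4):
    """For each ODD parameter, the fraction of equal-width bins across its
    range that at least one in-ODD scenario falls into. Low values mean the
    campaign only explored part of the domain, not its edges."""
    in_ids, _ = classify(scenarios, odd)
    inside = [s for s in scenarios if s["id"] in in_ids]
    result = {}
    for name, limit in odd.items():
        width = (limit.high - limit.low) / bins
        hit = set()
        for s in inside:
            idx = int((s[name] - limit.low) / width)
            hit.add(min(idx, bins - 1))   # the top edge belongs to the last bin
        result[name] = len(hit) / bins
    return result

if __name__ == "__main__":
    inside, outside = classify(SCENARIOS)
    print("in ODD:", inside, "out of ODD:", outside)
    for s in SCENARIOS:
        if odd_violations(s):
            print(s["id"], "->", odd_violations(s))
    print("coverage:", coverage(SCENARIOS))
```

The coverage figure is deliberately crude (one dimension at a time, equal-width bins), but it makes the point that a campaign of many runs clustered in benign conditions validates little of the ODD boundary, which is exactly where a handover or fallback has to be shown to work.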
Traceability and Continuous Assurance
One of the most important outcomes of this integrated approach is traceability:
- From safety goals
- To requirements
- To design decisions
- To verification evidence
This traceability allows:
- Impact assessment of design changes
- Structured handling of residual risks
- Ongoing safety monitoring during operation
In other words, safety assurance is not a one-time certification activity, but a continuous process.
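The block below is an added example, not code from Nakashima et al. or the article, serving both the safety-case structure described earlier (claim, argument, evidence in GSN terms) and the traceability points just listed. It models a small GSN-style case as nodes, reports goals and strategies that never reach evidence, traces any goal down to the Solutions that support it, and, for continuous assurance, computes which goals lose support when a named design element or verification artefact changes. The node ids, argument content and artefact identifiers (such as CAM-v2.3 and HIL-05) are constructed for illustration, not the paper's case.

```python
"""Added example (not from Nakashima et al.): a minimal GSN-style assurance
case with the two checks a safety-case reviewer wants first: that every
goal is developed down to evidence, and, when a design element or
verification artefact changes, which goals lose their support and must be
re-argued.

Node kinds follow GSN: Goal (claim), Strategy (argument step), Solution
(evidence) and Assumption (scope). The case content, artefact identifiers
and node ids are a constructed illustration, not the paper's case.
"""
from dataclasses import dataclass, field

@dataclass
class Node:
    id: str
    kind: str                    # "Goal" | "Strategy" | "Solution" | "Assumption"
    text: str
    supported_by: list = field(default_factory=list)   # ids of child nodes
    artefacts: tuple = ()        # Solutions only: design/test items it relies on

class AssuranceCase:
    def __init__(self, nodes):
        self.nodes = {n.id: n for n in nodes}
        self.parents = {}        # child id -> ids of nodes it supports
        for n in nodes:
            for c in n.supported_by:
                if c not in self.nodes:
                    raise ValueError(f"{n.id} is supported by unknown node {c}")
                self.parents.setdefault(c, []).append(n.id)

    def undeveloped(self):
        """Goals and strategies with nothing beneath them except assumptions:
        the argument stops there without reaching any evidence."""
        return sorted(
            n.id for n in self.nodes.values()
            if n.kind in ("Goal", "Strategy")
            and not any(self.nodes[c].kind != "Assumption" for c in n.supported_by))

    def evidence_for(self, node_id, _seen=None):
        """All Solutions reachable below a node: the trace from goal to evidence."""
        seen = _seen if _seen is not None else set()
        if node_id in seen:
            raise ValueError(f"cycle through {node_id}")
        node = self.nodes[node_id]
        if node.kind == "Solution":
            return {node_id}
        found = set()
        for c in node.supported_by:
            found |= self.evidence_for(c, seen | {node_id})
        return found

    def impact_of_change(self, artefact):
        """Solutions whose evidence depends on the changed artefact, and the
        goals above them that lose support until that evidence is renewed."""
        stale = [n.id for n in self.nodes.values()
                 if n.kind == "Solution" and artefact in n.artefacts]
        affected, frontier = set(), list(stale)
        while frontier:
            for p in self.parents.get(frontier.pop(), []):
                if p not in affected:
                    affected.add(p)
                    frontier.append(p)
        goals = sorted(i for i in affected if self.nodes[i].kind == "Goal")
        return sorted(stale), goals

# Constructed case fragment. G4 is intentionally left undeveloped.
CASE = AssuranceCase([
    Node("G1", "Goal", "Autonomous navigation system is acceptably safe within its ODD", ["S1", "A1"]),
    Node("A1", "Assumption", "ODD limits as defined in ODD-SPEC-01 (constructed id)"),
    Node("S1", "Strategy", "Argue over the hazards identified by STPA and FMEA", ["G2", "G3", "G4"]),
    Node("G2", "Goal", "H-1 (collision) is mitigated", ["S2"]),
    Node("S2", "Strategy", "Argue each unsafe control action has a verified safety constraint", ["G5"]),
    Node("G5", "Goal", "SC-1: collision-avoidance alters course when a target is on a collision course", ["E1", "E2"]),
    Node("E1", "Solution", "MIL simulation campaign SIM-CA-07", artefacts=("CAM-v2.3", "SIM-CA-07")),
    Node("E2", "Solution", "Offshore trial report TR-12", artefacts=("CAM-v2.3",)),
    Node("G3", "Goal", "H-2 (grounding) is mitigated", ["E3"]),
    Node("E3", "Solution", "Depth-sensor FMEA and HIL test HIL-05", artefacts=("DEPTH-SENSOR", "HIL-05")),
    Node("G4", "Goal", "H-3 (operation outside ODD) is mitigated"),
])

if __name__ == "__main__":
    print("undeveloped:", CASE.undeveloped())
    print("evidence for G1:", sorted(CASE.evidence_for("G1")))
    print("impact of changing CAM-v2.3:", CASE.impact_of_change("CAM-v2.3"))
```

Run against the constructed case, the checks report G4 as undeveloped, and a change to the collision-avoidance software version invalidates both pieces of evidence under G5 and therefore G5, G2 and the top-level claim G1 until the simulation campaign and trial are repeated; this is the impact assessment that keeps the case valid across software updates rather than only at initial certification.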
Relevance to IMO MSC.1/Circ.1455
MSC.1/Circ.1455 requires that alternative designs demonstrate an equivalent level of safety through:
- Engineering analysis
- Risk assessment
- Verification and validation
The methodology described here aligns well with this philosophy:
- Safety equivalence is argued, not assumed
- Evidence is structured and traceable
- Both technical and operational aspects are addressed
This makes integrated safety assurance a strong candidate framework for future approval of autonomous and remotely operated ships.
Conclusion
Autonomous ships challenge traditional approaches to maritime safety, but they also offer an opportunity to make safety more explicit, transparent, and engineering-based.
By combining Model-Based Systems Engineering, System-Theoretic Process Analysis, conventional risk analysis, and simulation-based verification, it is possible to construct a robust safety assurance case that meets both technical and regulatory expectations.
For regulators, designers, operators, and classification societies, this integrated approach provides a common language to discuss and demonstrate safety equivalence—an essential step toward the real-world deployment of autonomous ships.
Source and Attribution
This article is based on:
Nakashima, T., Kureta, R., & Nakamura, J. (2024). Towards Integrated Safety Assurance Methodology for Autonomous Vessel Navigation Systems. Journal of Physics: Conference Series, 2867, 012038. https://doi.org/10.1088/1742-6596/2867/1/012038
The original work is published under the Creative Commons Attribution 4.0 License (CC BY 4.0). This article provides an original explanatory interpretation and summary, with full attribution to the original authors.