1. Introduction
This Circular describes the documentation requirements and principles applied in the administrative processing of ships that are to be autonomous, and fully or partially remotely operated.
Autonomous, and fully or partially remotely operated ships must hold the same level of safety as conventional ships. Therefore, such ships will be assessed based on the degree of autonomy and remote operation in addition to the legislation already applying to the ship type (passenger ship, cargo ship, fishing vessel etc.).
2. Scope of application
This Circular applies to all ships with a level of autonomy equal to levels three to five (see appendix 1) that will be engaged on Norwegian domestic voyages. In practice, this means a degree of autonomy where on-board functions usually attended by persons are replaced fully, partially or periodically by remote operation or automation.
3. Legislation
The legislation applicable for the ship type in question is used as a basis. Since there are no regulations that specifically address autonomous or remotely operated ships, the legislation applicable for the relevant ship type (cargo ships, passenger ships, fishing vessels etc.) is used as a basis both for the construction and operation of autonomous or remotely operated ships. To ensure that autonomous or remotely operated ships have the same safety levels as conventional ships, and that risks that may arise due to remote operation or autonomy are identified, the Norwegian Maritime Authority uses the IMO guidelines for the approval of alternatives and equivalents (MSC.1/Circ. 1455) in the processing.
Examples of legislation that must be followed:
Pursuant to section 9 of the Regulations of 16 February 2007 No. 9 on ship safety and security (Ship Safety and Security Act) a ship shall be designed, constructed and equipped so that it according to its purpose and trade area provides for the satisfactory protection of life, health, property and the environment.
Technical and operational safety are covered in chapter 3 of the Ship Safety and Security Act and appurtenant regulations. Operation and maintenance are covered in chapter 11 of the Ship Safety and Security Act and appurtenant regulations.
The Regulations of 1 July 2014 No. 1072 on the construction of ships (Construction Regulations) mainly cover the construction of Norwegian ships. Section 75 of the Regulations contains a provision on exemption. The Norwegian Maritime Authority may upon written application permit other solutions than those required by these Regulations when it is documented that such solutions are equivalent to the requirements of the Regulations. Similar provisions are also found in other relevant vessel-specific regulations.
It follows from section 14 of the Ship Safety and Security Act, section 14 states that a ship shall be navigated in such a way that it does not pose a risk to life, health, property and the environment. The Regulations of 1 December 1975 No. 5 for Preventing Collisions at Sea (rules of the road at sea), and others, are laid down pursuant to this provision.
Section 15 of the Ship Safety and Security Act sets out requirements for the ship to be safely manned, and for the watchkeeping arrangements on board to be adequate to maintain safe navigation of the ship and other operating and safety procedures. The functional requirements are listed in the Regulations of 18 June 2009 No. 666 on the manning of Norwegian ships (Manning Regulations) and the Regulations of 27 April 1999 No. 537 on watchkeeping on passenger ships and cargo ships (Watchkeeping Regulations).
The Norwegian Maritime Authority will in principle apply the guidelines given by the IMO through SOLAS for the approval of alternatives and equivalents, also for vessels that are not subject to the Convention, such as SOLAS II/I, Reg. 55 (MSC.1/Circ. 1455). For the sake of clarity, section 3 of the Regulations on the construction of ships refers to SOLAS II/I, where Regulation 55 refers to MSC.1/Circ.1455.
This list is not exhaustive.
4. Authority and certification
Temporary assessment and final approval of new technology and new solutions in accordance with this Circular will be provided by the Norwegian Maritime Authority.
Autonomous or remotely operated ships accepted by the Norwegian Maritime Authority (NMA) in accordance with this Circular may be provided with a certificate or an approval to operate on domestic voyages. This applies also when a vessel is constructed in accordance with the guidelines and rules of a classification society.
5. Definitions
5.1 CONOPS
«Concept of operations» – a detailed description of the ship’s operation.
5.2 Third-party verification
Third-party verification documentation must be presented for those areas that deviate from existing legislation. The documentation must verify that new technology will entail a security level that is better or equal to that of a ship that is constructed pursuant to the current legislation.
5.3 Approved independent organ (third party)
An approved independent body/company in connection with a third-party verification is a company that can document competence, and that has been approved by the NMA for third-party verification for each individual project (see chapter 10.3).
5.4 Minimum Risk Condition (MRC)
An MRC condition means that the ship enters a state that poses the least risk to life, environment and property. The state may be dynamic (e.g. active positioning of the vessel, embarking of crew etc.) or static (for example anchoring). Which state that is acceptable to the NMA must be based on the nature of the operation, the operational readiness available and the location of the ship.
5.5 Fail to Safe
Describes how individual functions or systems go into safe mode in the event of a failure. The safe mode of a valve can be either open or closed following a power failure depending on the function of the valve.
5.6 HAZID
Hazard Identification – review of an operation, a system, a ship or similar to identify potential errors or situations that may arise and lead to an undesirable situation. The findings must subsequently be ranked based on level of severity, and actions must be taken to lower the risk to an acceptable level.
5.7 GAP analysis
Review of existing legislation related to the designed system or ship in order to identify the areas where require alternative solutions or deviations are required.
5.8 HIL test
Hardware-in-the-loop testing are tests where parts of a system are simulated and tested against actual hardware from the system.
5.9 Simulations
Tests using data models of a system.
5.10 SIL (Safety Integrity Level)
Method for calculating and determining the safety level for a given system.
5.11 Safety philosophy
The safety philosophy describes how an equal safety level is maintained during unmanned operation.
5.12 Design philosophy
The design philosophy describes how the ship’s design or technical solutions will meet the planned autonomous functions, including minimum risk conditions (MRCs).
5.13 DOC holder
The DOC (Document of Compliance) holder is the shipping company responsible for operations and compliance with the ISM Code.
5.14 Operation and maintenance philosophy
The operation and maintenance philosophy describes how the unmanned ship should be operated, taking into account maintenance and repairs.
5.15 Segregation
Division of and independence between systems with associated cables etc., separated both vertically and horizontally, taking into account fire and water damage.
5.16 Operational manager (cf. 5.13)
The shipping company or any other organisation or person, such as a bareboat charterer, who has assumed the responsibility for the operation of the ship from the shipowner, and who upon assuming such responsibility has agreed to take over all the duties and responsibility imposed by chapter 2 of the Ship Safety and Security Act.
6. Connection to MSC.1/Circ. 1455
The Norwegian Maritime Authority’s follow-up on alternative solutions and the new technology resulting from an increasing degree of autonomy and remote operation will be based on the process described in MSC.1/Circ.1455. More detailed information about the different documentation requirements in this Circular is available in the MSC circular:
|
MSC.1/Circ. |
|||
|
1. Preliminary Design |
|
4.5 |
|
|
1.1 Concept of operation - CONOPS |
4.5 |
7.1 |
|
|
1.2 Pre-HAZID |
|
7.2 |
|
|
1.3 Safety philosophy |
|
7.3 |
|
|
1.4 Design philosophy |
|
7.4 |
|
|
1.5 Operation and maintenance philosophy |
|
7.5 |
|
|
2. Analysis of preliminary design |
|
4.8 |
|
|
2.1 Updated Pre-HAZID with associated |
|
7.2 |
|
|
2.2 Risk analyses/assessments |
|
7.2 |
|
|
2.2 Gap analysis |
|
7.6 |
|
|
2.3 HAZID and risk assessments |
|
7.9 |
|
|
3. Analysis of final design |
|
4.1 |
|
|
3.1 HAZID and risk assessments |
|
7.9 |
|
|
4. Performance approval tests & analyses |
|
4.1 |
|
|
4.1 Failure Mode and Effect Analysis (FMEA) |
|
7.10 |
|
|
Test requirements |
|
9 |
|
Table 1
7. Design and documentation requirements
The documentation requirements described here apply in addition to the drawing lists set out in the legislation for each vessel type.
For ships not intended for operation in a specific area, all voyage-specific documentation must be updated before every operation at a new location. The operation-specific documentation must be updated before each operation and should be complemented with tests. For these vessels, it is important to design for all possible operations performed by the vessel.
The NMA will make vessel-specific document lists based on the operation, location, management and philosophy described for the vessel. This means that the following vessel-specific documentation needs to be compiled and submitted to the NMA:
7.1 Concept of operations (CONOPS)
A detailed description of the entire operation of the ship.
a. The CONOPS must be updated when changes are made to the design, operation, and location. The document should describe which operations usually performed by the crew, that will be replaced by autonomous or remotely controlled operations.
b. Each operation must be described to such an extent that it clearly appears which functions/operations that are performed by humans and which operations that are carried out without human intervention. The human-machine interface (HMI) must be described. Furthermore, it must be described when human interaction is required or necessary. This description must cover all the functions set out in the Norwegian Manning Regulations and the Watchkeeping Regulations. The description can either be an attachment to the CONOPS document or be prepared as a separate document. See also chapter 7.13.
c. In addition, the document must describe:
- vessel’s planned route and estimated traffic volume
- intended type of operation
- intended degree of autonomy
- planned safe manning documents, as well as where, whether and when persons will embark the vessel
- intended lines of communication
- shore-based control station for control and/or monitoring
- operational readiness
- minimum risk conditions (MRC) available in a normal situation
- energy capacity
- handling of passengers in a normal situation
- communication with other vessels
- description of operational responsibility according to the safety management system
7.2 Pre-HAZID
Based on the CONOPS, a pre-HAZID must be carried out, where the entire operation is reviewed and where the focus is on the hazards that exist in the various parts of the operation. Risk analyses/assessments related to the hazards identified in HAZID must be performed. HAZID must as a minimum include the following:
a. communication
b. navigation and fairway
c. vessel functions
d. remote operation
e. evacuation/emergency procedures
f. environmental considerations
In the event of operational changes, the Pre-HAZID must be updated accordingly.
7.3 Safety philosophy
a. The safety philosophy must describe how the ship functions and an equal safety level is met during unmanned and autonomous operation.
b. Attention should also be paid to safety levels and barriers in systems that would be vulnerable to cyber-attacks.
c. It must be described how a minimum of two MRCs are available during normal operation of the vessel. MRCs can be dynamic or static.
d. At least one MRC must be available at all times after a fire or the filling of a fire zone or a watertight compartment, in case of blackout or loss of communication with any Remote Control Station.
e. For some vessel operations, more than one MRC may be necessary; this must be considered and stated in the safety philosophy.
Figure 1: Example of philosophy for unmanned operation
f. The safety philosophy must as a minimum include the following:
- detailed description of intended MRC available to the ship;
- description of which MRC should be available at any time during the operation. See philosophy example in figure 1;
- specification of critical components, systems and equipment that must be functional in order for the MRC to be operative; Documentation must be provided of the reliability of such functions;
- proposed acceptance criteria for safe operation;
- block diagram of control systems for automated functions;
- detailed description of the conduct of the vessel in relation to other vessels.
- safety measures to maintain data and communication safety (concerning communication, connection to shore, physical safety on board, procedures for software updates and standards to be applied).
- Description of compliance with the Norwegian Rules of the Road at Sea. The description must as a minimum include:
- selected technical solution
- operation of the vessel
- applied sensor technology and sensor strategy (i.e. weighting, fail-to-safe mode and limitations related to weather conditions)
- any operational limitations (such as interaction between vessel and shore-based control stations)
- ability to handle complex traffic situations, including situations where other traffic does not comply with the Rules of the Road at Sea.
7.4 Design philosophy
The design philosophy must as a minimum describe:
a. how the ship’s equipment is to handle the intended autonomous functions as well as MRC;
b. any limitation in the various integrated systems relative to the function they are to replace or automate;
c. intended qualification and verification of equipment necessary to meet the safety philosophy;
d. fail-to-safe mode in the event of system and equipment errors.
e. principles for segregation, redundancy and robustness.
7.5 Operation and maintenance philosophy
The operation and maintenance philosophy must as a minimum describe:
a. how the unmanned ship should be operated when it comes to maintenance and repairs:
b. systems diagnosing and monitoring ship operations;
c. function and responsibility of any remotely located control room. See also chapter 7.14;
d. safety critical systems for operation must be defined, taking into account redundancy and segregation (see chapter 10.2 below).
7.6 GAP analysis
A GAP analysis must be performed between current legislation and the described solution. The GAP analysis will shed light on the areas where the project does not meet the requirements of current regulations. Risk assessments must be made for deviations or alternative solutions, and there must be a thorough justification for the chosen solution. The analysis can be included in the safety philosophy or the design philosophy.
7.7 Preliminary assessment
The NMA will make a preliminary assessment of the project on receipt of documentation covering paragraphs 7.1 to 7.6. The preliminary assessment will determine the status of the project and whether it is possible to proceed.
7.8 Construction notice
Only when the yard has received a preliminary assessment from the NMA and the preliminary assessment shows that the project has the potential to be implemented, should the yard submit a construction notice for the vessel.
7.9 Risk assessments and HAZID
When the final design and solutions have been clarified, an overall risk analysis with associated HAZID must be submitted. The risk analysis must shed light on areas that deviate from the current legislation.
Risk analyses must be performed by persons with documented knowledge of the relevant methodology used and the required knowledge of the systems to be assessed. It must be possible to document roles and competence. In general, risk assessments must include the following:
a. fulfilment of defined acceptance criteria for the project;
b. overall risk analyses must include a reliability analysis/vulnerability analysis from each supplier/manufacturer of safety-critical operating systems. This should identify the consequences of any individual errors. The analysis should take into account the manufacturer’s operational and design limitations;
c. risk analyses should take into account the introduction of new technology and/or new application of existing technology;
d. safety-critical systems for operation must be identified;
e. risk regarding human-machine interface (HMI).
7.10 Failure Mode and Effect Analysis (FMEA)
FMEA must document that at least one MRC is available in any error scenario. The associated test program must be prepared for on-board verification.
7.11 Third-party verification
A third-party verification must be presented (cf. chapter 10.3 below).
7.12 Certification and qualification of equipment
Marine equipment placed on board must be wheel-marked unless the NMA, upon application, grants an exemption pursuant to the Norwegian Marine Equipment Regulations sections 11, 12, 14 or 16.
Other equipment that is installed with the intention of automating functions on board must undergo a technology qualification (TQ), which takes into account the degree of autonomy and how critical the function is. The result of such a TQ must be presented to the NMA on request.
7.13 Manning
If the manning is eliminated or removed, the safety functions represented by the manning will have to be replaced by equivalent solutions, cf. section 4 of the Watchkeeping Regulations and section 3 of the Manning Regulations. Also see chapter 7.1(b).
7.14 Control centre
If the entire or part of the operation of the ship is carried out by means of a control centre, a description thereof must be provided. The description should state the functions to be covered by the control centre and the division of responsibilities between the ship and the control centre. The equipment and setup of the control centre must be accepted by the NMA. The competence of the control centre operators are subject to approval by the NMA and other relevant supervisory authorities.
The NMA may request additional documentation in the individual project.
8. Safety management system
The NMA assumes that ships that are accepted as autonomous or remotely operated according to the process described in this Circular must have a certified safety management system, regardless of whether the Regulations on a safety management system for Norwegian ships and mobile offshore units apply.
Chapter 2 of the Ship Safety and Security Act on safety management systems will play a central role in the assessment of autonomous systems and vessels. The documentation described in chapter 7 very important in relation to the safety management system. It is therefore important that a preliminary safety management system is prepared as early as practicable in the process.
9. Test requirements
9.1 Model tests
Model tests, in the form of data models or physical scale models, must be applied to verify the control system before a full-scale test of the ship is performed. The test procedure must be submitted to the NMA before testing. The test report must be submitted to the NMA after testing. Model tests must at least include:
a. verification of defined MRC scenarios
b. verification of COLREG compliance
c. a full run-trough of all parts of the vessel’s operation
9.2 Test period
Time must be allocated for vessel tests before the vessel is put to operation. Testing of the vessel must take place in one of the test areas approved by the NMA, and on the terms applicable to such areas. A plan for testing and test procedures must be submitted to the NMA in due time before the test is conducted. A test report must be submitted to the NMA when the tests have been conducted. These tests must include:
Failure Mode and Effect Analysis (FMEA) Verification that at least one MRC is available during each error scenario.
Verification of COLREG compliance
A full run-trough of all parts of the vessel’s operation
Verification of energy capacity
9.3 Simulations
Simulations of control systems and/or parts of systems, with pertaining scenarios, may replace full-scale testing of individual systems, but may not replace full-scale testing as a whole.
9.4 Commissioning
Procedures for commissioning of equipment and systems must be prepared and submitted to the NMA for review.
10. General guidelines
10.1 The Norwegian Maritime Authority's involvement and participation
The NMA must be contacted as early as possible and involved in the project from an early stage. In general, the NMA wishes to participate as an observer during all HAZIDs. Based on the test plan, the NMA will consider participation in certain tests.
10.2 Segregation and redundancy
Based on the results of the philosophy for MRC, as well as GAP risk assessments for the current legislation, design measures must be taken to ensure that a minimum risk condition can be achieved and used to the degree intended in the given accident scenarios. In these cases, special consideration must be given to segregation and duplication of equipment.
General guidelines for segregation and redundancy:
a. Safety-critical systems for operation and service must be redundant and segregated systems or solutions.
b. Any control functions intended to work in the event of an accident must be sustainable long enough to prevent an aggravation of the accident.
c. An individual failure or accident in a system, room or area must under no circumstances result in a total functional failure.
d. The degree of redundancy of individual systems and equipment may be adjusted according to the risk of functional failure in the system.
e. Functions performed by electric, electronic, and programmable equipment can be secured using integrated security level (SIL), if deemed appropriate.
10.3 Verification by third party
In projects with a particularly high degree of novelty, complexity, or high risk, the NMA requires a third-party verification to ensure that an equivalent level of safety is maintained. Verification by third parties must be submitted for areas where the project deviates from from existing rules to ensure that all functions are taken care of. The documentation must verify that a better or equivalent safety level, similar to the one applying to a conventional ship built according to existing rules, has been maintained.
Third-party verification must generally be carried out by a recognised classification society, but the NMA can accept other independent third-party verification if deemed appropriate and equivalent. In some cases, it may also involve certification or re-certification of equipment adapted to the unconventionally designed or equivalent solution.
10.4 Sister ships and similar equipment
For sister ships it is important that the shipping company prepares a list of any alterations and differences. Based on this list, the NMA may consider reuse of previously submitted documentation and analyses. The same applies to equipment that is previously assessed and will be used in a different vessel.
10.5 Project information flow
The parties responsible at any time on behalf of the owner for contact with or deliveries to the NMA must be clearly communicated to the NMA.