Use of Hybrid Causal Logic Method for Preliminary Hazard Analysis of Maritime Autonomous Surface Ships

: Recently, the safety issue of maritime autonomous surface ships (MASS) has become a hot topic. Preliminary hazard analysis of MASS can assist autonomous ship design and ensure safe and reliable operation. However, since MASS technology is still at its early stage, there are not enough data for comprehensive hazard analysis. Hence, this paper attempts to combine conventional ship data and MASS experiments to conduct a preliminary hazard analysis for autonomy level III MASS using the hybrid causal logic (HCL) method. Firstly, the hazardous scenario of autonomy level III MASS is developed using the event sequence diagram (ESD). Furthermore, the fault tree (FT) method is utilized to analyze mechanical events in ESD. The events involving human factors and related to MASS in the ESD are analyzed using Bayesian Belief Network (BBN). Finally, the accident probability of autonomy level III MASS is calculated in practice through historical data and a test ship with both an autonomous and a remote navigation mode in Wuhan and Nanjing, China. Moreover, the key inﬂuence factors are found, and the accident-causing event chains are identiﬁed, thus providing a reference for MASS design and safety assessment process. This process is applied to the preliminary hazard analysis of the test ship.


Introduction
Thanks to the rapid development of the artificial intelligence and 5G technology, autonomous ships will become one of the key transportation vehicles in the future [1][2][3].Nowadays, several companies and organizations have performed research on MASS.The vehicle ferry Falco successfully navigated autonomously during its voyage between Parainen and Nauvo, and its return journey was conducted under remote control [4].Wärtsilä successfully tested such innovative technology into a voyage, during which a vessel was automatically controlled by a software, while manual intervention and control was still possible at any time [5].YARA and Kongsberg are building a ship named "YARA Birkeland", which will be the world's first fully electric and autonomous container vessel upon completion [6].DNV GL built a 1:20 scale model of MASS to investigate sensor fusion and collision avoidance [7].The AAWA project aimed to produce the preliminary specifications for the next generation of advanced ship solutions [8].Finally, the MUNIN research project developed a technical concept for the operation of an unmanned merchant ship and assessed its technical, economic and legal feasibility [9].In order to clarify the definition of autonomous ships, the International Maritime Organization (IMO) defines autonomous ships as maritime autonomous surface ships (MASS).MASS is classified into four degrees according to their autonomy level, as follows [10,11].Note that, during the navigation of MASS, the MASS can change the autonomy level according to the scenario:

•
Autonomy level I: Ship with automated processes and decision support: Seafarers are on board to operate and control shipboard systems and functions.Some operations may be automated; • Autonomy level II: Remotely controlled ship with seafarers on board: The ship is controlled and operated from another location, but seafarers are on board; • Autonomy level III: Remotely controlled ship without seafarers on board: The ship is controlled and operated from another location.There are no seafarers on board; • Autonomy level IV: Fully autonomous ship: The operating system of the ship is able to make decisions and determine actions by itself.
The safety of MASS will become a key issue for autonomous ship operations.MASS should have the desired level of safety, i.e., at least the same safety level as conventional ships [12].Researchers believe that, compared to conventional ships, MASS are more economical and safer due to the reduction in crew on board [13,14].Moreover, changed technologies, systems and procedures also bring new influence factors [15][16][17].Thus, there is an urgent need for a risk assessment of MASS to assist MASS design.
Maritime risk assessments are considered a hotspot for MASS [18][19][20].Due to complexity and novelty of MASS, several studies were performed for hazard identification, which is the basis for risk assessment.Fan et al. proposed a framework for the identification of factors that influence the navigational risk of remotely controlled MASS without crew on board [21].It classifies a total of 55 influence factors into ship-related, human-related, environment-related and technology-related factors.More in detail, failure of onboard equipment may result in the degradation or failure of functions related to propulsion.At the same time, the results show that the majority of these influence factors are related to human error.Kretschmann et al. [22] found 23 identified hazards with acceptable risk based on a formal safety assessment (FSA).These hazards are related to various influence factors such as weather, equipment and cyber security.Human errors may be related to remote monitoring, control and maintenance.At the same time, this study shows that a failure of the power and propulsion system will lead to unacceptable consequences.Wróbel et al. [19] reviewed a hundred maritime accident reports, analyzing various safety hazards that lead to accidents for conventional ships based on what-if and human factors analysis and classification system for marine accident (HFACS-MA) methods, and considering the impact of these safety hazards on MASS.The results show the existence of the human factor in unmanned systems' operation, as long as people are involved in operation.In summary, almost all studies on MASS hazard identification mentioned the complexity and diversity of MASS influencing factors, as well as the significant influence of mechanical failure and human error.
Based on hazard identification, some studies have been conducted to analyze equipment failure and human error.In relation to the human error in SCC, Ramos et al. [23] divided the possible human error process into four stages, and established an event tree model of the MASS.Moreover, they classified the influencing factors, describing their differences across various human factor reliability analysis methods and the shortcomings of the current behavior influencing factor set, simulating the human-machine interaction process and proposing an avoidance based on hierarchical task analysis.Man et al. [24] invited six participants to conduct a scenario-based simulation as proposed operators in the SCC.Their conclusions suggest that human factor issues, such as psychophysical and perceptual limitations of operators, decision-making latencies and automation bias, may remain in systems assembled by assumed reliable technological components.Zhang et al. [11] presented a model based on the Technique for Human Error Rate Prediction (THERP) and on Bayesian Network, which can depict the causal relationship focused on human-autonomy collaboration and perform a quantitative assessment.Unlike for human errors, research on equipment failure focuses mainly on power and propulsion systems.Bolbot et al. [25] analyzed the hazards related to the electric propulsion system based on the System theoretic process analysis (STPA) method.In addition, Bolbot et al. [26] combined event tree analysis (ETA), fault tree and STPA method to analyze a simplified diesel electric propulsion system and identify the hazardous scenarios leading to a blackout.Wang et al. [27] determined the weakness of the ship power system and put forward a design of the ship power plant.These studies provided a reference for MASS designers in case of human error or equipment failure.However, they overlooked the influence of individual factors on the safety of the entire MASS, and often neglected the mutual influence of different factors.
The hazard scenario of MASS usually gradually evolves from a hazard event.Different outputs of safety barriers in this process will lead to different end states.The interaction among influence factors needs to be taken into consideration in this complex process [28].Thieme et al. [29] formulated nine criteria and used them to assess 64 relevant ship risk models since 2005.The results show that none of them are suitable to be directly used for MASS risk assessment.In fact, MASS risk assessment should comprehensively include various influence factors, instead of only analyzing specific factors.Accordingly, new methods have been applied for MASS risk assessment.The STPA method has been applied to MASS, as it can analyze the interactions between its components.Valdez Banda et al. [30] applied the STPA to analyze the safety hazards in the foreseen functioning of two concepts of autonomous ferries operating in urban waterways in, and near, the city of Turku in Finland.Employing the STPA, a safety-controlled structure and hazard list has been created for the system to ensure that remotely controlled ships do not have a negative impact on maritime safety [18].Wróbel et al. [31] applied the STPA to identify the hazards, formulate hazard mitigation and improve the safety performance of autonomous ships.In addition, Utne et al. [16] proposed a framework combining STPA and Bayesian Belief Networks to establish an online risk model for autonomous ships.In parallel, Ramos et al. [32] proposed the human-system interaction in autonomy (H-SIA) method, which consists of an event sequence diagram (ESD) and concurrent task analysis (CoTA), to analyze the system as a whole and focus on the interactions between sub-systems.At the same time, Ramos et al. [28] extended the H-SIA to include the paths to failure through the Fault Tree (FT).However, these approaches can only be used in qualitative analyses, and are not suitable to perform quantitative analyses.The relationship of potential hazards of MASS can be easily described by these qualitative methods.However, the failure probability and sensitivity of potential hazards cannot be obtained.The results have limited contribution to the safety design of MASS.
Since MASS is still in the experimental stage and concept stage rather than the operation stage, there are insufficient data to quantitatively analyze the risk of MASS.A preliminary risk analysis should take place to evaluate the ability of the MASS to operate safely and reliably during the concept and experimental stages [12].In this study, we want to develop a model which can perform a preliminary hazard analysis of MASS.For the function during concept stage, the historical data such as failure rate are used for qualitative analysis.For the function during the experimental stage, the experimental data of the MASS model are used to develop the quantitative model.This result will be used to further improve the performance of MASS experiment.At the same time, the data can assist in judging whether these concepts of MASS are suitable or not and help develop the function which is still in the concept stage.
The shift from conventional ships to autonomous ships is a gradual process [21].Compared with conventional ships, the MASS will be equipped with an autonomous system (AS) that may help or replace human decision-making and action.At the highest level of autonomy, MASS can be controlled by AS completely.Given the current development of MASS technology, in the near future, MASS will have a constrained autonomy, and their operation will be supervised or controlled by a shore control center (SCC) [33].Autonomy level III MASS will be an important stage with the participation of AS and operators in SCC.According to the elaboration of autonomy level III, MASS are equipped with AS, an advanced sensor module, a SCC, a satellite communication equipment, alarm devices, other facilities and without anyone onboard.Various sensors will provide sufficient data for AS system and SCC to identify the navigation status and environment.The AS system can control navigation according to the surrounding environment and ship condition; in case of hazardous events, it will propose strategies to guarantee the safety of MASS.At the same, the operator in SCC will supervise the operation of MASS, including the operating environment, decision proposed by AS, etc.The remote operator has the highest right to take over the control of MASS at any time.In case the AS system cannot propose effective measures or a situation develops in a particularly difficult direction, the SCC can take over the control of the MASS and dispatch a professional team to deal with problems [34].Above all, the autonomy level III MASS is a suitable object to conduct a preliminary hazards analysis for MASS.
The hybrid causal logic (HCL) methodology provides a vehicle for the identification and communication of cause-effect relations including those associated with human, organization and system hardware and software, and the physical and regulatory environment of the system [35].The HCL method uses ESD as the first layer to describe system behavior, and then provides a more detailed picture of the contributing causes by using FTs.Fault tree analysis is the one of the popular techniques used for reliability studies for a complicated system [36].Fault trees are widely used in mechanical systems with obvious structure and causal logic such as the aviation industry and offshore systems.Mohaghegh et al. [37] applied the HCL method to include the organizational roots of risk.Groth et al. [38] introduced a software platform for the HCL method and applied it to analyze a type of aviation accidents.Røed et al. [39] discussed the applicability of HCL to the offshore industry and its relationships with the barrier and operational risk analysis project (BORA).Sklet et al. [40] applied the HCL to analyze the installation-specific factors with respect to technical systems, operational conditions, and human and organizational factors.Thus, the HCL method is a suitable tool to analyze MASS, as it includes various influence factors.
Based on these considerations, this article hopes to introduce the HCL method into MASS to assist the early design of MASS.Taking contact hazards as an example, this paper applies the experimental MASS model and historical data to conduct hazard analysis on MASS.The ESD was applied to define the hazard scenario, focusing on the interaction between AS and operators in the SCC.For non-human-related events (such as mechanical failure) that can be decomposed into the equipment level, we applied the FT to develop a branch model to analyze in detail the influence factors.The concept of the mechanical system of MASS and the failure data of conventional ships were used to conduct a preliminary analysis.As for human-and organization-related events, due to their uncertainties, we applied the Bayesian Belief Network (BBN) to analyze in detail the influence factors based on the experimental statistics This process was applied to demonstrate a case study of a test ship, equipped with an autonomous navigation mode and a remote navigation mode in Wuhan and Nanjing, China.
The rest of this paper is organized as follows.Section 2 describes the HCL methodology used to develop the model.Section 3 presents the MASS hazard scenarios.Section 4 introduces the quantitative case study of contact scenario.Finally, Section 5 presents the conclusions of this study and the future work.

Methodology
HCL methodology is a powerful modeling tool for developing hazards scenarios and search the more detail potential hazards.Figure 1 presents the main framework and the flowchart of the HCL method.The application of HCL can be divided into 4 steps and described in detail below.Step 3 Step 4 The failure probability quantification   [34]

P2
Detection by SCC During navigation, the MASS should transmit images and sounds to the SCC, so that the operators may detect the hazardous event. [28] Decision-making stage P3 Control by AS The AS should choose the optimal maneuver to stop the hazardous event according to the information gathered.
[28] Step 1: Development of a MASS hazard scenario using ESD.ESDs are used to define the system hazard scenarios.The ESD presents a temporal sequence of events, from an initiating event to various end states.The initiating event (IE) is commonly a hazardous event or a source of risk.Once a hazardous event occurs, some safety barriers, regarded as pivotal events in ESD, should be adopted to prevent or mitigate the hazard.The output of safety barriers (i.e., normal or failure of operation) determines whether or not the hazardous event evolves into an accident.Different pivotal events and their output will lead to different end states, such as safe or accident states.In order to determine the probability of each end state, the probability of each pivotal event output (i.e., normal or failure of operation) must be obtained.According to the characteristics of pivotal events, their detailed influence factors can be analyzed using FT and BBN.In this study, the equipment events were analyzed using FT, as shown in Step 2. The events involving human factors were analyzed using BBN, as shown in Step 3.
Step 2: Analysis of mechanical events using FT.The FT is used to develop a branch model to quantitative analyze mechanical events in ESD.Fault tree analysis is the one of popular techniques used for reliability studies for a complicated system.The system failure event is regarded as top event.The subsystem failure events which may cause the top events are identified and linked to top event through logical connective function (such as AND/OR gate) [36].Fault trees are widely used in mechanical systems with obvious structure and causal logic such as the aviation industry and offshore systems.The quantitative analysis of the fault tree first needs to convert the logical structure established by it into an equivalent probability expression.Once the failure rate and operation time are obtained, the failure probability of the basic event can be calculated.Thus, according to the equivalent probability expression, the failure probability of the top event can also be obtained.
Step 3: Analysis of events related to human factors using BBN.Unlike for mechanical events, the events related to human factors are non-deterministic and uncertain, and can be effectively analyzed using BBN.The BBN network consists of nodes and directed arcs.The events involving human factors in ESD are regarded as target nodes in the BBN network.The detailed influence factors of the events involving human factors are regarded as subnodes.The nodes are divided into various states according to their characteristics and requirements, while the arcs between nodes represent the direct influences.Similar to FT, the BBN also allows us to quantify the probability of events in the ESD when the probability of root nodes and conditional probability table are obtained (see further details in Section 3.3).
Step 4: Quantification of the failure probability.The probability of events in ESD are calculated in Steps 2 and 3.This way, we obtain the occurrence of various end states by logics.At the same time, the hazard scenario can be expressed by the accident-causing events.These chains of events can be ranked according to their probabilities.In addition, important measures are adopted to provide information about the criticality of basic events according to their contribution to the overall system performance (see Section 4 for further details).

HCL Model for the Hazard Scenario for Mass
The preliminary hazards analysis for MASS should at least cover the relevant hazards such as collision/contact, grounding, unable to detect, etc. [12, [41][42][43].In this section, we take contact with foreign objects/obstacles (non-detected and detected) as an example.Contact refers to ships striking or being struck by an external object include floating object, fixed object or flying object.According to the definition of the contact scenario, several experiments were carried out in the Tangxun Lake in Wuhan and in the Qinhuai River in Nanjing, China [44].Through the experiments and historical database, the hazard model for contact scenarios of MASS is developed.

Develop a MASS Hazard Scenario Using ESD
It is important to understand the entire process of MASS contact scenarios.Once an external object occurs, the AS and the operators in the SCC have a responsibility to detect it and avoid [28].The MASS will strike or be struck by an external object if the course/speed of the vessels does not change.
To assist in the analysis of the contact scenarios for MASS, the ESD is used to develop a model.IE usually refers to potentially hazardous events that may lead to accidents.In the contact scenario, the initiating event (IE) is commonly an external object appears on the planned sailing route.For a better description, several pivotal events and end states of the contact scenario are classified into three stages: (1) hazardous event perception; (2) decision-making; and (3) execution based on the experimental situation combined with experts' knowledge [21,28,45].They are described as follows: • λPerception stage: In this stage, the external object is perceived by the MASS; accordingly, information should be acquired based on sensors and human perceptions.
Through the analysis of information, the MASS can detect the external object in two ways [12].The first way mainly relies on sensing devices and AS and is labeled as 'detection by AS' (P1).Accordingly, the MASS is equipped with various sensing devices that ensure a timely perception of hazardous events.The second way is labeled as 'detection by SCC' (P2), where operators in SCC should monitor the MASS in case the external object is not perceived by the sensing devices.A failure in the perception stage will directly lead to an accident.

•
λDecision-making stage: In this stage, an agent (either the AS or the operators in the SCC) should propose an effective strategy to prevent contact with external objects according to the data and information gathered at the perception stage.This covers situation assessment, diagnosis and response planning [28].In this stage, the AS should control the ship and propose a strategy to avoid the external events, an occurrence labeled as 'control by AS' (P3).If the AS cannot propose an effective strategy, the operators in the SCC should take over the control of MASS, an occurrence labeled as 'remote control by the SCC' (P4).

•
λExecution stage: In this stage, the MASS should successfully execute the strategy selected at the decision-making stage.More in detail, the actuators will operate a control system to change the course/speed according to the strategy [12].In this study, the execution system mainly includes the 'steering system' (P5) and the 'power and propulsion system' (P6).
The normality or failure of operation of pivotal events will lead to different end states.In this study, four end states were determined.In the 'normal navigation' (E1) end state, the MASS successfully avoid the objects and has the ability to continue navigation.In 'accident due to perception failure' (E2), the MASS does not recognize external objects and struck with them.In 'accident due to decision-making failure' (E3), the MASS does not propose effective strategies to avoid the external object.Finally, in 'accident due to execution failure' (E4), the MASS does not adjust the speed and course lead in a timely manner due to a mechanical failure resulting in a contact accident.
The description of the pivotal events and of the end states in the contact scenario is presented in Table 1.At the same time, the ESD model for the MASS contact scenario was elaborated and is shown in Figure 2.During navigation, the MASS should transmit images and sounds to the SCC, so that the operators may detect the hazardous event. [28]

Decision-making stage P3 Control by AS
The AS should choose the optimal maneuver to stop the hazardous event according to the information gathered. [28]

Remote control by SCC
When the situation requires navigational operation from the SCC, the operators in the SCC will go into the situation handling room to handle the risk. [46] Execution stage P5 Steer system The steer system has the responsibility to actuate ship motion.The MASS should control the direction to avoid the hazardous event. [16]

P6 Power and propulsion system
The power and propulsion system has the responsibility to actuate ship motion.The MASS should control the speed to avoid the hazardous event. [47] End state

E1 Normal navigation
The MASS successfully handles the hazardous event and continues navigation. [28]

E2
Accident due to perception failure MASS does not recognize external objects and struck with it.[11] E3 Accident due to decision-making failure MASS does not propose an effective strategy to avoid the object.[11] E4 Accident due to execution failure MASS does not timely adjust the speed and course lead due to a mechanical failure resulting in a contact accident. [48] Step  [34]

P2
Detection by SCC During navigation, the MASS should transmit images and sounds to the SCC, so that the operators may detect the hazardous event. [28] Decision-making stage P3 Control by AS The AS should choose the optimal maneuver to stop the hazardous event according to the information gathered. [28]

Analysis of Mechanical Events Using FT
In order to prevent the contact accident, MASS needs to adjust the course and speed which mainly relied on steer system and power and propulsion system.In this study, we developed a model for the MASS power and propulsion system using the FT method as an example.
Since there is no MASS in operation, its mechanical system structure and failure data cannot be obtained.In the current study, the researchers usually use the failure data of conventional ships to continue the research about the MASS [49].Thus, in this section, we will develop a FT for the mechanical events of MASS based on the MUNIN report and DNV GL guideline.
In conventional ships, machinery problems have a very high frequency of causing minor incidents which, however, will be more severe in MASS without maintenance [22].The power and propulsion system of a conventional ship, which includes the main engine, the propeller and the auxiliary system, is considered to be the cause of major ship technical failures.Thus, the normal operation of the mechanical system is key for MASS navigation.There are different opinions about the MASS power and propulsion system.Some projects, such as the AAWA project and the ReVolt project, selected batteries as power source because they have a good efficiency and can ensure zero emissions [8].In the MUNIN project, the diesel engine propulsion line was selected as the propulsion system [22].Although the forms of power and propulsion are different, it is commonly accepted that MASS should be purposely built with redundant energy propulsion systems.In this study, we adopted the requirement that MASS should be arranged with a minimum of two independent propulsion lines, as proposed by DNV GL.In parallel, each propulsion line should have a sufficient capacity to meet the specifications for normal operation [12].This arrangement has two advantages: (i) the two propulsion lines are redundant; and (ii) two independent propulsion lines can prevent common cause failures.In this study, considering that the energy provided by the battery is not enough to support long-term sailing, the diesel electric propulsion was selected as the power and propulsion system.The equipment in the power and propulsion system is shown in Table 2.
Table 2. Description of the components of the power and propulsion system.

Bus bar
The bus dispatching power according to the load.[50] Transformer The transformer has the responsibility to obtain different voltage levels and sometimes also to phase shift. [50]

Converter
The frequency converter has the responsibility to control the shaft line speed. [51]

Electric motor
The electrical motor is the commonly used device for the conversion of electrical power into mechanical power.[50] Diesel generator Diesel engines supply power to the electric generator shaft. [52]

Propeller
The electric propulsion motor drives the propeller to provide propulsion.[51] According to the FT logic and to the equipment of diesel electric propulsion, we established the FT of diesel electric propulsion systems for MASS.The failure of operation of the 'power and propulsion system' (P6) was regarded as the top event and was labeled as F1.A failure of both the first diesel electric propulsion line (F2) and the second diesel electric propulsion line (F3) will lead to propulsion loss (F1).The second diesel electric propulsion line (F2) has the same arrangement as, and is independent from, the first diesel electric propulsion line (F1).We took the first propulsion line as an example.The single diesel electric propulsion line can be decomposed into three elements: power plant, distribution and loads.The power plant (F5) includes three diesel generators (F16, F17 and F18), two of which can provide sufficient power.Multiple diesel generator sets feed a fixed-frequency high-voltage electrical bus (F6), upon which the distribution depends to dispatch power according to the load.In this section, we only consider the load of the propulsion.This bus feeds the electrical propulsion motor drive, in most cases through a transformer (F7).The electric propulsion motor (F9) drives a frequency converter (F8) to control the shaft line speed and the propeller (F10) to provide propulsion to the MASS [51].The propulsion system failure was modeled by using FT, as shown in Figure 3.The nodes in the FT are shown in Table 3.

Bus bar
The bus dispatching power according to the load.[50] Transformer The transformer has the responsibility to obtain different voltage levels and sometimes also to phase shift. [50]

Converter
The frequency converter has the responsibility to control the shaft line speed. [51]

Electric motor
The electrical motor is the commonly used device for the conversion of electrical power into mechanical power.[50] Diesel generator Diesel engines supply power to the electric generator shaft.
[52] Propeller The electric propulsion motor drives the propeller to provide propulsion.[51] According to the FT logic and to the equipment of diesel electric propulsion, we established the FT of diesel electric propulsion systems for MASS.The failure of operation of the 'power and propulsion system' (P6) was regarded as the top event and was labeled as F1.A failure of both the first diesel electric propulsion line (F2) and the second diesel electric propulsion line (F3) will lead to propulsion loss (F1).The second diesel electric propulsion line (F2) has the same arrangement as, and is independent from, the first diesel electric propulsion line (F1).We took the first propulsion line as an example.The single diesel electric propulsion line can be decomposed into three elements: power plant, distribution and loads.The power plant (F5) includes three diesel generators (F16, F17 and F18), two of which can provide sufficient power.Multiple diesel generator sets feed a fixed-frequency high-voltage electrical bus (F6), upon which the distribution depends to dispatch power according to the load.In this section, we only consider the load of the propulsion.This bus feeds the electrical propulsion motor drive, in most cases through a transformer (F7).The electric propulsion motor (F9) drives a frequency converter (F8) to control the shaft line speed and the propeller (F10) to provide propulsion to the MASS [51].The propulsion system failure was modeled by using FT, as shown in Figure 3.The nodes in the FT are shown in Table 3.    Electric motor F16, F17, F18, F19, F20, F21 Diesel generator

Analysis of Events Related to Human Factors Using BBN
Although autonomy level III MASS have no crew on board, the human error in the SCC can still lead to contact, especially in the remote driving mode.In this step, we used BBN to develop a branch model for the 'remote control by the SCC' (P4), which was defined as the target node of the BBN model (C1).The influence of the detailed variables on the 'remote control by the SCC' (C1) is mainly reflected in the form of the various nodes in the network.We first investigate the historical literature to obtain potential influence factors with their associated definitions and descriptions.After that, develop and apply contact scenarios in Tanxun Lake and Qinhuai River, and remotely control MASS ships to conduct contact avoidance experiments.After experimentation and expert judgment, 15 influence factors that influence the 'remote control by SCC' (C1) are regarded as sub-nodes, as shown in Table 4.The process employed is as follows:

Remote control by SCC
The MASS switches into remote control.The operators in the SCC should send updated route information or directly control the MASS and propose a strategy to handle hazardous events. [32]

C3 Ship condition
The various technical aspects of the ship condition, including, but not limited to, communication and engine conditions. [54]

C4
Operating environment Weather conditions and traffic density.[13] C5 Fatigue Although more advanced technology can reduce operators' fatigue, a long work schedule may still lead to fatigue. [11]

C6 Situational awareness
The operators should ensure an appropriate situation awareness of the MASS, despite the physical distance with the crew and vessel. [9]

C7 Experience
The operators should have the theoretical knowledge of and experience in remote control in a virtual environment. [11]

C8 Communication and collaboration
The SCC is articulated into specific roles (e.g., supervisor, captain and engineer), which need to communicate and collaborate with each other to handle hazardous events.
[46] The MASS should establish a two-way communication with the SCC.The ship's feedback means that the information is transferred from the ship to the SCC. [31]

Software performance
The onboard software decides the operation of the MASS and the communication with the SCC. [55]

C11 SCC's feedback
The MASS should establish a two-way communication with the SCC.The ship's feedback means that the information is transferred from the SCC to the ship. [31]

C12
Communication quality Quality of the communication between the SCC and the ship.Heavy weather conditions may push the ability to control the ship to the limit, while at the same time affecting communication. [30]

C15
Traffic density Traffic density could be specified based on the relevance of potential accident risks in the area.[13] (1) Determination of BBN nodes The 'remote control by the SCC' (C1) is influenced not only by the operators' performance, but also by the ship condition and operating environment.Different from the 'remote control by SCC' (C1), which is a binary node, these influence factors have multiple states.The sub-nodes are classified into multiple states according to the criteria presented in Table 5.The operators are able to operate the ship and to handle hazardous events.

Medium (b)
The operators are able to fulfil basic requirements for ship operation.

Bad (c)
Failure by the operators to operate the ship as required.

C3 Ship's condition
Good (a) The automated function can assist the operator to drive well.

Medium (b)
The automated function can meet the basic driving requirements.

Bad (c)
The automated function cannot meet the driving requirements.

C4
Operating environment

Good (a)
The environment has no impact on remote driving.

Medium (b)
The environment has a slight impact on remote driving.

Bad (c)
The environment has a serious impact on remote driving.

C5 Fatigue
Good (a) The operator does not feel tired at all.

Medium (b)
The operator is slightly tired.Bad (c) The operator feels tired after a long time of operation.

Good (a)
The operator can clearly judge the situation.

Medium (b)
The operator can basically judge the situation.Bad (c) The operator cannot accurately judge the situation.

Good (a)
Operators have sufficient remote driving experience.

Medium (b)
Operators have some remote driving experience.Bad (c) Operators do not have remote driving experience.The ship can feedback sufficient information.

Medium (b)
The ship can feedback information related to driving.

Bad (c)
The ship gives no feedback on the ship's situation.

C10
Software performance

Good (a)
The software can meet the driving requirements well.

Medium (b)
The software can meet the basic driving requirements.Bad (c) The software cannot meet the driving requirements.

C11 SCC's feedback
Good (a) The SCC has a timely response to the ship.

Medium (b)
The SCC can feedback information related to driving.Bad (c) The SCC does not respond to the ship in time.

C12 Communication quality
Good (a) Information can be transmitted well between the ship and the SCC.
Medium (b) Incomplete information is transmitted, but sufficient to drive.Bad (c) Sufficient information cannot be transmitted.

C13 Communication bandwidth
Good (a) Approaching the maximum value.

Medium (b)
Within the normal range of communication equipment.

Bad (c)
Only a small amount of information can transmit.

C14
Weather conditions

Good (a)
Have almost no effect on ships.

Medium (b)
Have a certain impact on ships.Bad (c) Have a greater impact on ship control.

C15 Traffic density
Good (a) More than three ships.

Medium (b)
The ship encounters other ships.

Bad (c)
No ships around when the ship is sailing.
a, b, c represent the abbreviations for the good, medium and bad states, respectively.
(2) Analysis of BBN nodes The label C1 refers to a situation where the operators in the SCC remotely control the ship and handle the hazardous events.This node is mainly related to three aspects: 'operators' performance' (C2); 'ship's condition' (C3); and 'operating environment' (C4).
The label C2 refers to the operators' performance during the remote control of MASS in the contact scenario.During the remote driving mode, the SCC will assign a group of people including a supervisor, an engineer and a captain to remotely drive the MASS.After a long work schedule, the operators may be in a state of 'fatigue' (C5).'Situational awareness' (C6) refers to operators' awareness of the current emergency situation of MASS.'experience' (C7), 'communication and collaboration' (C8) and 'ship's feedback (C9) influence the 'situational awareness' (C6).In terms of 'experience' (C7), the crew group should not only master the ability of remote driving, but also have experience in handling various hazardous events.'Communication and collaboration' (C8) means that the crew group needs to exchange information and collaborate to propose effective strategies.
The SCC operators cannot handle hazardous events without the support of ship's function.The label C3 refers to whether or not the ship can capture and deliver the necessary information needed by the SCC, which depends on 'software performance' (C10), 'SCC's feedback' (C11) and 'operating environment' (C4).'Ship's feedback' (C9) and 'SCC's feedback' (C11) refer to the quality of the data and information transferred between the ship and the SCC, which depends on 'software performance' (C10) and 'communication quality' (C12).In turn, 'communication quality' (C12) is related to 'communication bandwidth' (C13) and "operating environment" (C4), and determines the sufficient and timely delivery of information.In case of insufficient communication between the ship and the SCC, 'software performance' (C10) should give priority to providing the urgently needed information, which affects both the 'ship's feedback' (C9) and 'SCC's feedback' (C11).
The label C4 refers to the surrounding environment of MASS, it includes 'weather conditions' (C14) and 'traffic density' (C15), which will affect the difficulty of remote driving.After determining the nodes, and according to the relationship between them, a model of remote control error was developed, as shown in Figure 4.
function.The label C3 refers to whether or not the ship can capture and deliver the necessary information needed by the SCC, which depends on 'software performance' (C10), 'SCC's feedback' (C11) and 'operating environment' (C4).'Ship's feedback' (C9) and 'SCC's feedback' (C11) refer to the quality of the data and information transferred between the ship and the SCC, which depends on 'software performance' (C10) and 'communication quality' (C12).In turn, 'communication quality' (C12) is related to 'communication bandwidth' (C13) and "operating environment" (C4), and determines the sufficient and timely delivery of information.In case of insufficient communication between the ship and the SCC, 'software performance' (C10) should give priority to providing the urgently needed information, which affects both the 'ship's feedback' (C9) and 'SCC's feedback' (C11).
The label C4 refers to the surrounding environment of MASS, it includes 'weather conditions' (C14) and 'traffic density' (C15), which will affect the difficulty of remote driving.After determining the nodes, and according to the relationship between them, a model of remote control error was developed, as shown in Figure 4.

Case Study
A case study of preliminary hazard analysis of MASS contact scenario based on experimental data, historical data and experts' judgement is presented.According to the definition of the contact scenario, several experiments were carried out in the Tangxun Lake in Wuhan and in the Qinhuai River in Nanjing, China [44].The experimental ship employed is a 1:7 scale MASS model with three operation modes, namely remote driving, crew maneuvering and autonomous driving [45,48,56].It weighs 5.5 ton and is about 7.2 m in length.Its profile and propeller rudder are consistent with MASS.The ship is equipped with various sensors, a laser radar, cameras and other hardware, which allow us to obtain the surrounding weather, traffic and other navigation environment information in a timely manner.In this quantitative analysis, the events related to the autonomous navigation are all obtained from experimental data.The mechanical systems of MASS are determined through the quantitative analysis of historical data.

Case Study
A case study of preliminary hazard analysis of MASS contact scenario based on experimental data, historical data and experts' judgement is presented.According to the definition of the contact scenario, several experiments were carried out in the Tangxun Lake in Wuhan and in the Qinhuai River in Nanjing, China [44].The experimental ship employed is a 1:7 scale MASS model with three operation modes, namely remote driving, crew maneuvering and autonomous driving [45,48,56].It weighs 5.5 ton and is about 7.2 m in length.Its profile and propeller rudder are consistent with MASS.The ship is equipped with various sensors, a laser radar, cameras and other hardware, which allow us to obtain the surrounding weather, traffic and other navigation environment information in a timely manner.In this quantitative analysis, the events related to the autonomous navigation are all obtained from experimental data.The mechanical systems of MASS are determined through the quantitative analysis of historical data.

Quantification of the Nodes of the FT Model
Quantitative analysis of the FT consists of transforming its logical structure into an equivalent probability expression by "minimal cut set" method at first [36].Take the F2 FT as an example, the logical structure of F2 is transformed into equivalent probability expression in Equation (1).P(F2) = P(F4) + P(F6) + P(F7) + P(F8) + P(F9) + P(F16) × P(F17) + P(F16) × P(F18) + P(F17) × P(F18) (1) In order to quantify the failure of top events, the failure probability of basic events (equipment) in FT had to be obtained.Because the MASS power and propulsion line is the same as conventional ships, the existing failure data on the power and propulsion system of conventional ships and other industries could be used to estimate the failure probability of the power and propulsion system.The failure rate of each component in FT is shown in Table 6.In this study, the following assumptions were made in the development of the FT to calculate the failure probability of the propulsion system: • λThe failure rate of each component is a constant value.

•
λDuring MASS navigation, no maintenance and repair activities are performed.In this study, the voyage of the MASS was considered to last 30 days, or 720 h.

•
λWhile the MASS is in the port, the SCC should dispatch engineers to repair and maintain the system.This is a perfect-repair process, which means that the power and propulsion system can be the same as the new equipment.

•
λFailure processes are modeled with an exponential distribution.

Quantification of the Nodes in BBN Model
Based on the proposed BBN model and on the multiple states of nodes, experiments were conducted from October 2019 to November 2019 in a section of the Qinhuai River in Nanjing, to simulate the MASS contact scenario.Conventional ships include mainly passenger cruise ships, cleaning boats, patrol boats and others.Ferries and docks are present on both sides of the riverbank; there are several bridges above the water area, and the river channel is narrow.The experimental MASS model and the surrounding environment are shown in Figure 5.We selected some representative risk scenarios in the experiment, simultaneously recording all the information on the MASS model.In parallel, we determined the current states of related risk factors and the conditional probability distribution of the intermediate variables according to interviews and observations.
Based on the proposed BBN model and on the multiple states of nodes, experiments were conducted from October 2019 to November 2019 in a section of the Qinhuai River in Nanjing, to simulate the contact scenario.Conventional ships include mainly passenger cruise ships, cleaning boats, patrol boats and others.Ferries and docks are present on both sides of the riverbank; there are several bridges above the water area, and the river channel is narrow.The experimental MASS model and the surrounding environment are shown in Figure 5.We selected some representative risk scenarios in the experiment, simultaneously recording all the information on the MASS model.In parallel, we determined the current states of related risk factors and the conditional probability distribution of the intermediate variables according to interviews and observations.

Prior Probability Determination of Each Root Node
By analyzing the record of the experiments, we regarded the frequency of occurrence of each root node as the prior probability.For objective factors, such as communication bandwidth, the communication bandwidth is recorded and classified in every experiment.In the experiment, the percentage of the number of times in which the communication bandwidth state is good, medium or bad is regarded as the prior probability.Subjective data that reflect the operators' performance, such as experience and fatigue, were evaluated through interviews.Taking the experience node as an example, an operator who has no remote control experience, has undergone remote control training and has sufficient remote control experience will be the experimental personnel.The percentage of the total number of experiments performed by these three types of people is regarded as the prior probability.The prior probability of each root node is shown in Table 7.

Prior Probability Determination of Each Root Node
By analyzing the record of the experiments, we regarded the frequency of occurrence of each root node as the prior probability.For objective factors, such as communication bandwidth, the communication bandwidth is recorded and classified in every experiment.In the experiment, the percentage of the number of times in which the communication bandwidth state is good, medium or bad is regarded as the prior probability.Subjective data that reflect the operators' performance, such as experience and fatigue, were evaluated through interviews.Taking the experience node as an example, an operator who has no remote control experience, has undergone remote control training and has sufficient remote control experience will be the experimental personnel.The percentage of the total number of experiments performed by these three types of people is regarded as the prior probability.The prior probability of each root node is shown in Table 7.

Conditional Probability Table (CPT) Estimation
Both the arcs and the CPTs in the BBN reflect the causal relationship between the nodes.For the BBN, there are large number of CPTs that need to be determined.At the same time, it is difficult to accurately quantify the limited experimental data.Therefore, we adopted the method proposed by Røed et al. [39] to allocate CPTs.This method provides a structured way to derive the CPTs, thereby making it relatively less time-consuming.It is structured as follows.At the same time, this article provides a suitable way to convert experimental statistics into CPT:

•
Determination of the relative importance weights between parent nodes and child node.
First, different parent nodes affecting the same child node have different degrees of importance, which can be addressed by assigning a weight w i each parent i through expert judgement.The sum of the weight of all parent nodes should be equal to 1.To this end, we adopted the interval type-2 fuzzy analytic hierarchy process (IT2FAHP) method proposed by Hu et al. [61].The linguistic terms for importance as shown in Table 8.Based on the experimental certainty of the MASS model in the Qinhuai River in Nanjing, China, and the previously established BBN, a questionnaire on the importance of the parent nodes was designed and used to query three experts.To achieve a single view on the importance of parent nodes, we used TIT2-WAA operation to aggregate the fuzzy judgment proposed by three experts.After TIT2-WAA operation, the fuzzy weight of each parent node was obtained.Finally, the fuzzy weights were defuzzified and normalized to obtain the relative weights of each parent node.The rationality of the result was further corrected through expert opinions.Taking the "operator performance" node as an example, the hierarchical structure is shown in the Figure 6.Three MASS remote operators gave a judgment on the relative importance of the two nodes, as shown in Table 9.After TIT2-WAA operation and defuzzification, the relative weights of fatigue 'C5 and situation awareness 'C6 are 0.4 and 0.6.The more detailed method and equation are in Hu et al. [61].The relative weights of all nodes in the BBN are shown in Table 10.
Table 8.Linguistic terms for importance.

Linguistic Variable Trapezoidal Interval Type-2 Fuzzy Sets
Absolutely Strong (AS) ( Both the arcs and the CPTs in the BBN reflect the causal relationship between the nodes.For the BBN, there are large number of CPTs that need to be determined.At the same time, it is difficult to accurately quantify the limited experimental data.Therefore, we adopted the method proposed by Røed et al. [39] to allocate CPTs.This method provides a structured way to derive the CPTs, thereby making it relatively less time-consuming.It is structured as follows.At the same time, this article provides a suitable way to convert experimental statistics into CPT:

•
Determination of the relative importance weights between parent nodes and child node.
First, different parent nodes affecting the same child node have different degrees of importance, which can be addressed by assigning a weight i w for each parent i through expert judgement.The sum of the weight of all parent nodes should be equal to 1.To this end, we adopted the interval type-2 fuzzy analytic hierarchy process (IT2FAHP) method proposed by Hu et al. [61].The linguistic terms for importance as shown in Table 8.Based on the experimental certainty of the MASS model in the Qinhuai River in Nanjing, China, and the previously established BBN, a questionnaire on the importance of the parent nodes was designed and used to query three experts.To achieve a single view on the importance of parent nodes, we used the TIT2-WAA operation to aggregate the fuzzy judgment proposed by three experts.After TIT2-WAA operation, the fuzzy weight of each parent node was obtained.Finally, the fuzzy weights were defuzzified and normalized to obtain the relative weights of each parent node.The rationality of the result was further corrected through expert opinions.Taking the "operator performance" node as an example, the hierarchical structure is shown in the Figure 6.Three MASS remote operators gave a judgment on the relative importance of the two nodes, as shown in Table 9.After TIT2-WAA operation and defuzzification, the relative weights of fatigue 'C5′ and situation awareness 'C6′ are 0.4 and 0.6.The more detailed method and equation are in Hu et al. [61].The relative weights of all nodes in the BBN are shown in Table 10.

Operators performance (C2) Fatigue (C5)
Situation awareness (C6)   • Determination of the weight distance between the parent node state and the child state.
After that, the distance between the parent node state and the child node state should be determined.The distance represents the difference between the parent node state and the child node state.The probability of a state of a child node is close to or equal to the state of its parent node.Therefore, if the parent node is in a 'good' state, the probability that the child node is in a good state should be greater than a medium state than a bad state.Taking the node 'communication quality' (C12) as an example, if 'operating environment' (C4) and 'communication bandwidth' (C13) are in a good state, the probability that 'communication quality' will be in a good state is bigger than that in a medium and bad state.Røed et al. [39] argued that no matter how large the difference between the state of the parent node and the child node, the relative distance can be reflected by obtaining the absolute value of distance.However, Li et al. [62] contended that the state of the child node, i.e., whether it is better or worse than the state of the parent node, influences the distance.The change in a different direction should be recorded with different importance.This means that the positive distance and the negative distance can be weighted, and then they cancel each other.In this study, we adopted the method proposed by Li et al. [62].The good, medium and bad states of each node are marked as a, b and c, respectively.The formula to calculate the weighted distance is shown in Equation ( 4): where i, j ∈ {a, b, c} and D ij refers to the distance between the state of the parent node i and the state of the child node j.If the parent node is in a "good (a)" state, and the child node is in a "medium (b)" state, then the corresponding distance value is 1. is the number of parent nodes corresponding to the child node and w i represents the relative weight value of the corresponding parent nodes.We took the node 'communication quality' (C12) as an example, as shown in Figure 7. C12 has two parent nodes, i.e., 'operating environment' (C4) and 'communication bandwidth' (C13).We assumed that the parent nodes C4 and C13 are in a "good (a)" and "medium (b)" state, respectively.At the same time, assuming that C12 node is in a "good (a)" state, the distance between C12 and C4 is 0; correspondingly, the distance between C12 and C13 is −1.As shown in Table 8, the weights of C4 and C13 are w C4 = 0.36 and w C13 = 0.64, respectively, and its weighted distance is.tively.The formula to calculate the weighted distance is shown in Equation ( 4 where { } , , , i j a b c ∈ and ij D refers to the distance between the state of the parent node i and the state of the child node j.If the parent node is in a "good (a)" state, and the child node is in a "medium (b)" state, then the corresponding distance value is 1. n is the num- ber of parent nodes corresponding to the child node and i w represents the relative weight value of the corresponding parent nodes.We took the node 'communication quality' (C12) as an example, as shown in Figure 7. C12 has two parent nodes, i.e., 'operating environment' (C4) and 'communication bandwidth' (C13).We assumed that the parent nodes C4 and C13 are in a "good (a)" and "medium (b)" state, respectively.At the same time, assuming that C12 node is in a "good (a)" state, the distance between C12 and C4 is 0; correspondingly, the distance between C12 and C13 is −1.As shown in Table 8, the weights of C4 and C13 are In Equation ( 5), the numerator represents the probability distribution in each state, where

{ }
, , j a b c ∈ and R refers to the modified index value.The higher the R index,

•
Determination of the CPTs of the child nodes.
The CPTs of the child nodes were determined based on experimental statistics, following Røed et al. [39], who calculated it using Equation (5).The good, medium and bad states of each node were marked as a, b and c, respectively.
In Equation ( 5), the numerator represents the probability distribution in each state, where j ∈ {a, b, c} and R refers to the modified index value.The higher the R index, the lower the probability that the child node in focus is in a state derived from its parents' states.
The R value was determined using the statistical data of the MASS model experiment.First, we selected representative statistical data in the record as the basis.For example, when the C12 is obtained, C4 is in a "good (a)" state and C13 is in a "medium (b)" state.Second, the upper limits and the "medium (b)" state of the data's probability distribution were used to calculate the value of R When C4 is in a "good (a)" state, C13 is in a "medium (b)" state; in this case, there are 33 sets of data selected by the experiment, 9 of which are for C4 in a "good (a)" state, and the other 24 for C4 in a "medium (b)" state, with 0 groups for C4 in a "bad (c)" state.Therefore, the upper limit probability value of 0.27 and the intermediate state probability value of 0.73 could be used for calculation.The calculation process of the R value of the C12 node is shown in Equations ( 6) and (7) as follows: P a /P b = e −0.64R /e −0.36R = 0.37 ⇒ R = 3.55 (7) The values of D a , D b , D c were calculated according to Equation (4).For example, when the parent node C13 is in a "good (a)" state, C4 is in a "good (a)" state and the weighted distance among the "good (a)", "moderate (b)" and "bad (c)" states of the C12 node are D a = 0, D b = 1, D c = 2, respectively.After obtaining the D and R values, the conditional probability distribution of this child node could be obtained as shown in Equations ( 8)-( 10):  55 = 0.0008 (10) The CPT of "communication quality" (C12) is shown in Table 11.Similarly, we obtained other weighted distances for each combination of any state of the parent that pushes the child node in different states.The BBN model can be quantified by inputting the obtained CPTs and the prior probability of the collected root node.The 'remote control by the SCC' (C1) is a binary node (success, failure), as such, it is completely different from the other nodes, which have multiple states.Thus, the 'remote control by the SCC' (C1) cannot be calculated using the aforementioned method.Røed et al. [39] proposed applying the barrier and operational risk analysis (BORA) method to calculate the probability of a binary node.This method is articulated in three steps.
First, the basic probability of the event in focus is assigned through the use of historical genetic data combined with a model.Then, the maximum deviation from the basic error probability of the target node, by considering the worst and best states of its parent node, is determined.The values of the adjustment factors proposed by Røed were adopted [39], as shown in Table 12.

State of the Parent Node
Adjustment Factor Q a, b, c represent the abbreviations for the good, medium and bad states, respectively.
Finally, the conditional probability of the target node is determined.Accordingly, the CPTs were calculated based on the parent node states and the adjustment factors Q i as follows: where P ik is the probability of each parent i to be in each state k = a, b, c; Q ik is the corresponding adjustment factor according to Table 10; and w i is the weight of the parent nodes i, whose sum is 1.The index j indicates the possible states of the event we are considering (i.e., success or failure).to experiment statistics and literature review, the basic probability of the remote control error is 8.58 × 10 −3 [11].The 'remote control by the SCC' (C1) has three parent nodes, i.e., 'operators' performance' (C2), 'ship's condition' (C3) and 'operating environment' (C4).When the weights and the probability distributions of three parent nodes are known, the 'remote control by the SCC' (C1) can be calculated, as shown in Table 13.After calculation, the failure probability of the 'remote control by the SCC' (C1) is 7.722 × 10 −3 .Therefore, the success probability of 'remote control by SCC' is 0.9923.

Failure Probability Quantification of the MASS Contact Scenario
Once the normal operation and failure probability of pivotal events are calculated, several end states probability in the MASS contact scenario are obtained.As shown in Sections 4.2 and 4.3, the probability of several events in ESD was calculated.The probability that the 'power and propulsion system' (P6) works normally, calculated by using the FT model in Section 4.2, is 0.9946.The probability of success of the 'remote control by the SCC' (P4), calculated by using the BBN model in Section 4.3, is 0.9923.In the same way, the normal operation and failure probability of other pivotal events was calculated according to the experiment and historical data.Different outputs of pivotal events will lead to different end states, such as safe or accident states, with different probabilities.After calculating the probability of each pivotal event in ESD, we could obtain the probability of each end state in the MASS hazard scenarios, according to the following steps:

•
Calculation of the end states' probability of the MASS contact scenario.
The probability of each end state was obtained according to the HCL quantitative calculation method.The probability values of all end states are listed in Table 14.As shown in Table 14, the probability of MASS avoiding the external events and continuing operation is 9.45 × 10 −1 .According to the Table 14, the failure of perception stage and execution stage is the main cause of contact accidents.Thus, the perception stage of MASS is the first safety barrier of hazard scenario.It is necessary to ensure that the sensor equipment and the perception of the operator can perceive the risk and ensure that the risk will be detected immediately.For the execution stage of MASS, although the MASS is equipped with a redundant system, it is still very likely to cause an accident.The probability of the contact scenario can be mitigated by shortening the sailing time.

•
Calculation of the accident-causing event chains.
In the HCL method, through the combination of the ESD model, the FT model and the BBN model, the events in the ESD model were extended to the FT and the BBN, and then different accident-causing event chains and their probability could be obtained.We selected the five accident-causing event chains with the highest risk and they are shown in Table 15.* The normal functioning of the pivotal event is marked as 1; its failure is marked as 0.
As shown in Table 15, the accident-causing event chain with the highest risk is the one that leads to accident end state, due to the failure to perceive the danger (E2).This shows that the perception stage is the most important stage in the MASS hazard scenarios.Secondly, the second main cause of accident-causing event chains is that the operators in the SCC did not propose an effective strategy which leads to accident end state (E3).Thus, it is necessary to train remote operators and maintain the equipment, while at the same time MASS should avoid sailing in bad environmental conditions.Thirdly, most of the occurrences in all accident-causing event chains relate to the failure of the mechanical system (E4), which is the last guarantee for the safe navigation of the MASS.Before the voyage, detailed planning and preparation work should be carried out.Reasonable remedial measures are an important way to effectively improve the safety of the MASS.Finally, the third, fourth and fifth accident-causing event chains involved the failure of operation of the steering system and of the propulsion system.Therefore, in order to guarantee the safety of MASS, it is necessary to design a redundant steering and propulsion system, as well as to propose a maintenance plan for the mechanical system.Through appropriate technical solutions, the MASS risk can be reduced to an acceptable level.

•
Identification of the influence factors in the power and propulsion system leading to a failure of the MASS emergency response process (E4).
The reliability of the propulsion system has relatively the largest impact on MASS navigation accidents.In order to support the future design of the MASS power and propulsion system, it is necessary to identify the most influencing equipment in the power and propulsion system.Using the existing evaluation indicators comprehensively, the basic events or risk factors with the highest impact on risk can be identified for improvement.The Fussell-Vesely (VF) importance measure is an evaluation criterion that represents the impact of components on the total failure probability of a system [63]: VF(S, e) = P(e|S ) = P(S • e) P(S) = P(S|e )P(e) P(S) When the MASS has an accident, we selected E4 to measure the importance factors.As shown in Table 16, the failure of the converter, failure of the diesel generator and failure of the electric motor are the most important factors.Therefore, priority should be given to the maintenance of this equipment.In the future design, a more reasonable redundancy design and maintenance plan will improve propulsion reliability, especially of the converter, the diesel generator and the electric motor.In order to analyze the influence of each factor contributing to the failure of remote driving, the sensitivity of the BN model of remote driving is analyzed in this section.First, the probability of each parent node is assigned the value of one.Then, the probability variation table of target node is obtained.Take the weather condition (C14) as an example, set the probability of being in a "good" state to 100%, obtain the probability of C2, C3 and C4.Based on the Equation ( 11), the failure probability of "remote driving" is 0.00619.Similarly, the other nodes in BN are assessed.Figure 8 shows the probability change in "remote driving" after adjusting each node.The sensitivity of the nodes affecting remote driving is ranked as follows: C10 > C14 > C7 > C15 > C13 > C8 > C5.
ilarly, the other nodes in BN are assessed.Figure 8 shows the probability change in mote driving" after adjusting each node.The sensitivity of the nodes affecting rem driving is ranked as follows: 10  Based on the result, "software performance" (C10) is the most sensitivity node.ing the remote driving, the software should be more attention.At the same time, th ternal influence factors such as "weather condition" (C14) and "traffic density" (C15) significantly affect the failure probability of remote driving.Among the influence fa related to the operator, "experience" (C7) is the most important factor.In summary software in SCC should be updated in time to ensure high availability and quality.SCC should strengthen the training about contact scenarios in case the operator is u miliar with remote driving or does not understand external object avoidance rules.

Conclusions and Future Work
With the increase in the use of automation technology in the maritime indu MASS risk influence factors are increasingly various and complex.This paper is a tempt to conduct a preliminary hazard analysis of MASS in the design and experime stages based on the conceptual design of MASS, historical data and experiments of Based on the result, "software performance" (C10) is the most sensitivity node.During the remote driving, the software should be more attention.At the same time, the external influence factors such as "weather condition" (C14) and "traffic density" (C15) will significantly affect the failure probability of remote driving.Among the influence factors related to the operator, "experience" (C7) is the most important factor.In summary, the software in SCC should be updated in time to ensure high availability and quality.The SCC should strengthen the training about contact scenarios in case the operator is unfamiliar with remote driving or does not understand external object avoidance rules.

Conclusions and Future Work
With the increase in the use of automation technology in the maritime industry, MASS risk influence factors are increasingly various and complex.This paper is an attempt to conduct a preliminary hazard analysis of MASS in the design and experimental stages based on the conceptual design of MASS, historical data and experiments of conventional ships.The applicability of the HCL method to MASS was demonstrated through a case study of a contact scenario for a MASS model ship.Key conclusions can be summarized as follows:

•
The use of the HCL method allows a clear classification of the pivotal events of the hazard scenarios.

•
The paper established a branch model to analyze the events in the ESD and used FT and BBN to analyze influence factors in a more detailed way according to their characteristics.

•
The importance of more detailed influencing factors is quantified based on the FT and BBN method.

•
The HCL method provides a quantitative calculation result of the MASS hazardous scenario and presents a way to verify whether the conceptual design of MASS is reasonable and can help find the weak links in the MASS experiment.
Based on the analysis and test ship, redundant design for MASS is necessary.For example, the operators in the SCC can perceive the risk in case of AS system failure.In relation to the power and propulsion system, at least two independent power and propulsion lines can mitigate the failure probability.However, the development of MASS is still in an early phase.With the development of technology, more risk influence factors will arise and the cooperation between AS and the operators in the SCC will be further discussed.For example, the control priority between the operators in the SCC and AS may change with the development of technology.Moreover, this paper analyzed in detail both mechanical and human events, while overlooking software events.In the future, an important problem to address is how to include software events in risk assessments.The failure probability and the conclusions of the present study can be used as references for the design of MASS.

•
Accident causing events chain modeling • Ranking of basic events • Probability estimations

Figure 1 .
Figure 1.Framework and flowchart of the HCL method.

Figure 2 .
Figure 2. ESD model of the MASS contact scenario.

Figure 1 .
Figure 1.Framework and flowchart of the HCL method.

Figure 1 .
Figure 1.Framework and flowchart of the HCL method.

Figure 2 .Table 1 .
Figure 2. ESD model of the MASS contact scenario.Table 1. Description of the nodes in the proposed ESD model.Stage Label Event Description Reference

Figure 2 .
Figure 2. ESD model of the MASS contact scenario.

Figure 3 .
Figure 3. FT of the power and propulsion system.

Figure 3 .
Figure 3. FT of the power and propulsion system.

Figure 4 .
Figure 4. BBN model for MASS remote control.

Figure 4 .
Figure 4. BBN model for MASS remote control.

Figure 5 .
Figure 5.The Shore Control Center, several models of ships and the MASS model.

Figure 5 .
Figure 5.The Shore Control Center, several models of ships and the MASS model.

Figure 6 .
Figure 6.The hierarchical structure of C2 node.Figure 6.The hierarchical structure of C2 node.

Figure 6 .
Figure 6.The hierarchical structure of C2 node.Figure 6.The hierarchical structure of C2 node.

Figure 7 .
Figure 7. Relationship between C4, C13 and C12.•Determination of the CPTs of the child nodes.The CPTs of the child nodes were determined based on experimental statistics, following Røed et al.[39], who calculated it using Equation(5).The good, medium and bad states of each node were marked as a, b and c, respectively.

Figure 8 .
Figure 8. Sensitivity analysis of remote driving mode.

Figure 8 .
Figure 8. Sensitivity analysis of remote driving mode.

Table 1 .
Description of the nodes in the proposed ESD model.

Table 1 .
Description of the nodes in the proposed ESD model.

Table 2 .
Description of the components of the power and propulsion system.

Table 3 .
Nodes in the FT of the power and propulsion system.

Table 3 .
Nodes in the FT of the power and propulsion system.

Table 4 .
The influence factors of remote control.

Table 5 .
Multiple states and description of the sub-nodes in BBN.

Table 6 .
Equipment failure rate data in the FT model.

Table 7 .
Prior probability of each root node.

Table 7 .
Prior probability of each root node.

Table 9 .
The relative importance of C5 and C6 nodes.

Table 10 .
Relative weight of the parent nodes.

Table 12 .
Adjustment factors for the basis error probabilities.

Table 13 .
Probability of the 'remote control by the SCC' (C1) and its parent node.
a, b, c represent the abbreviations for the good, medium and bad states, respectively.

Table 14 .
Failure probability of the end states.

Table 15 .
Five accident-causing event chains with the highest risk.

Table 16 .
The VF of the power and propulsion system equipment across accident end states.Identification of the influence factors in the remote driving mode.