Article

A Parallel STPA–FTA Risk Assessment Framework for Maritime Autonomous Surface Ships: Development and Case Study Application †

by Konstantinos Voutzoulidis * and Ioannis Tigkas
Department of Naval Architecture, School of Engineering, University of West Attica, Egaleo, 122 43 Athens, Greece
* Author to whom correspondence should be addressed.
This article is an expanded and substantially enhanced version of the conference paper: Voutzoulidis, K.G.; Tigkas, I.G. Addressing Risk in Autonomous Shipping: A Combined Parallel STPA and FTA Framework. In Innovations in Sustainable Maritime Technology—IMAM 2025; Springer Nature: Cham, Switzerland, 2025; pp. 235–248.
J. Mar. Sci. Eng. 2026, 14(8), 748; https://doi.org/10.3390/jmse14080748
Submission received: 30 March 2026 / Revised: 11 April 2026 / Accepted: 17 April 2026 / Published: 19 April 2026
(This article belongs to the Special Issue Advancements in Autonomous Systems for Complex Maritime Operations)

Abstract

Maritime Autonomous Surface Ships (MASS) introduce new safety challenges associated with complex cyber–physical systems, distributed control architectures, and remote supervisory operation. Traditional maritime risk assessment approaches primarily focus on component failures and historical accident data and may therefore be insufficient for capturing interaction-driven hazards arising in autonomous vessel systems. This study develops a parallel and architecturally synchronized risk assessment framework integrating System-Theoretic Process Analysis (STPA) and Fault Tree Analysis (FTA) for the safety assessment of MASS. Within the proposed framework, both analyses evolve concurrently within a shared system architecture, enabling explicit traceability between hazards, unsafe control actions, causal scenarios, failure events, and accident propagation pathways. The framework is demonstrated through a case study of a Degree of Autonomy 3 short-sea freight vessel operating in a high-density North Sea traffic environment. The integrated analysis identifies dominant accident pathways related to perception degradation, communication disturbance, authority coordination conflicts, maneuver execution deviations, and incorrect collision-risk assessment. The results illustrate how the framework supports structured safety assessment of MASS while preserving traceability between systemic control deficiencies and accident propagation mechanisms.

1. Introduction

The maritime sector is currently experiencing a technological transition driven by developments in digitalization, sensing technologies, artificial intelligence, and remote operation capabilities. These developments are enabling the emergence of Maritime Autonomous Surface Ships (MASS), which introduce varying levels of autonomy in vessel navigation, decision-making, and system management. Autonomous and remotely operated vessels are expected to enhance operational efficiency, reduce human exposure to hazardous working environments, and potentially improve aspects of navigational safety. At the same time, however, the increasing reliance on complex cyber–physical systems, distributed control architectures, and remote supervisory operation introduces new safety challenges that differ fundamentally from those associated with conventionally manned ships [1,2,3,4,5,6].
Recognizing these challenges, international regulatory bodies and maritime institutions have initiated efforts to establish frameworks capable of governing the safe deployment of autonomous vessel technologies. The International Maritime Organization (IMO) is currently progressing the development of a dedicated regulatory framework for Maritime Autonomous Surface Ships, including the formulation of the MASS Code, which aims to define functional requirements and operational principles for vessels operating with varying degrees of autonomy [7,8,9]. Parallel efforts are being pursued by classification societies, which are progressively developing rules and guidance addressing autonomous vessel technologies, remote operation centers, and system redundancy requirements. Organizations such as ABS, DNV, and Bureau Veritas have introduced preliminary frameworks addressing autonomy levels, human–machine interaction, and cyber resilience in autonomous maritime systems [10,11,12]. At the European level, the European Maritime Safety Agency (EMSA) has also contributed to the regulatory discussion through initiatives such as the Risk-Based Assessment Tool (RBAT) methodology, which aims to support the safety of autonomous vessel technologies [13,14]. Collectively, these developments highlight the increasing recognition that robust and transparent safety assessment methodologies are essential for enabling the safe integration of autonomous vessels into existing maritime operations.
Despite these regulatory advancements, the safety assessment of autonomous ships remains a complex challenge. Traditional maritime risk assessment approaches have largely relied on accident statistics, empirical failure data, and analytical techniques focusing primarily on component failures or human error aboard conventionally manned vessels. Methods such as Fault Tree Analysis (FTA), Failure Modes and Effects Analysis (FMEA), HAZID, HAZOP, and Bayesian-based models remain valuable in maritime safety assessment [15,16,17,18,19]. However, when applied in isolation, they may be less capable of fully capturing the emergent, interaction-driven, and software-intensive risks introduced by Maritime Autonomous Surface Ships. In MASS, hazards may arise not only from hardware faults, but also from unsafe control actions, software logic deficiencies, degraded communication, human–automation coordination failures, and cascading effects across tightly coupled shipboard and shore-based systems. These characteristics challenge purely traditional accident models, particularly in the context of sparse failure data and evolving autonomy functions [20,21,22,23].
In parallel, System-Theoretic Process Analysis (STPA) has gained increasing attention as a safety analysis method particularly suited to complex socio-technical systems. Unlike traditional reliability-based methods, STPA does not focus exclusively on component failures but instead examines how unsafe system states may emerge from inadequate control actions, flawed feedback mechanisms, or deficiencies in system design and operational procedures. This systems-oriented perspective is particularly relevant for autonomous and remotely operated vessels, where safety depends on the correct functioning of integrated control architectures linking shipboard automation, sensor systems, communication channels, and shore-based supervisory operators. However, STPA as a standalone method remains primarily qualitative. It does not by itself provide explicit probability estimates, quantitative prioritization of accident contributors, or direct risk ranking, and its application may be affected by modelling subjectivity, analyst expertise, and the increasing complexity of software-intensive control structures [20,21,22,24,25,26,27,28,29,30,31].
Despite the increasing application of both probabilistic and system-theoretic approaches in maritime safety research, their use has largely remained methodologically separate. STPA-based studies typically focus on identifying unsafe control actions and systemic hazards within complex control architectures, whereas probabilistic methods such as Fault Tree Analysis (FTA) are primarily used to model failure propagation mechanisms within technical systems. As a result, existing analyses often address either systemic control deficiencies or probabilistic accident pathways, but rarely integrate both perspectives within a unified analytical structure [19,20,21,22,24,25].
Fuzzy logic has also been explored as a means of addressing uncertainty in MASS. Recent studies have applied fuzzy-based fault tree approaches to complex maritime autonomous systems, enabling the incorporation of expert judgement and linguistic variables in the absence of sufficient statistical data. While such approaches enhance the treatment of epistemic uncertainty and allow for flexible representation of imprecise information, they also introduce increased modelling complexity and may reduce the transparency and direct structural traceability between system-level hazard identification and failure propagation mechanisms [32,33,34].
Several studies have attempted to bridge this gap by combining STPA with probabilistic modelling techniques, most commonly through Bayesian Network (BN) representations derived from STPA outputs [27,28]. While these approaches enable probabilistic reasoning over system-theoretic causal scenarios, they often rely heavily on expert judgement when translating qualitative STPA results into probabilistic structures. In addition, BN formulations may introduce increased modelling complexity, and the resulting models may weaken the explicit traceability between system control interactions and accident propagation pathways.
In addition, to the authors’ knowledge, integrations between STPA and fault-based techniques such as FTA remain relatively limited within the MASS literature. Where such combinations have been explored in other engineering domains, such as process safety and energy systems, they are typically implemented through sequential or loosely coupled approaches, in which the results of STPA are used as an input to fault-tree construction or, conversely, fault-tree structures are developed independently and subsequently linked to system-level analyses [35,36]. While such sequential integrations provide useful insights, they may introduce limitations in maintaining explicit traceability between system-theoretic control structures and fault-based representations. In particular, the separation between the two analytical stages may lead to partial loss of contextual information, inconsistencies in system representation, reduced transparency of the analytical process, and reduced capability to capture feedback interactions and control deficiencies within probabilistic accident propagation models. For complex cyber–physical systems such as Maritime Autonomous Surface Ships, however, the ability to explicitly connect systemic control failures with probabilistic accident propagation mechanisms is particularly important [19,20,27,28,37].
Previous work by the authors introduced the concept of combining System-Theoretic Process Analysis (STPA) with Fault Tree Analysis (FTA) within a parallel analytical framework for investigating safety risks in autonomous shipping operations [20]. That study demonstrated the value of analyzing systemic control deficiencies and component-level failure mechanisms simultaneously in order to obtain a more comprehensive understanding of accident causation in Maritime Autonomous Surface Ships. By combining the systemic perspective of STPA with the structured failure logic of FTA, the approach enables the identification of critical system vulnerabilities, potential cascading failures, and safety control mechanisms that may mitigate emerging risks in complex autonomous maritime systems. At the same time, the integration of FTA provides the capability to evaluate accident pathways quantitatively and to support the prioritization of risk contributors within the system. However, the framework presented in that earlier work was primarily conceptual and did not provide a fully structured methodological workflow or a detailed application within a realistic operational scenario.
Building upon this earlier contribution, the present study further develops and formalizes the approach into a parallel and architecturally synchronized STPA–FTA risk assessment framework for Maritime Autonomous Surface Ships (MASS). Within the proposed framework, system-theoretic hazard identification and fault-tree modelling are integrated within a shared system architecture, enabling both analytical processes to evolve concurrently while maintaining explicit traceability between unsafe control actions, system interactions, failure mechanisms, and accident propagation pathways. Existing hybrid approaches reported in the literature, such as STPA–Bayesian Network (BN) or STPA–FTA combinations, are typically implemented as transformation-based or sequential/loosely coupled workflows in which the results of one method are introduced into the other at a later stage. In contrast, the framework proposed in this study introduces an architecturally synchronized parallel workflow in which the STPA and FTA analyses evolve concurrently within a shared system architecture.
This coordinated development enables continuous feedback between system-level hazard reasoning and component-level failure analysis, supports the quantitative evaluation of dominant accident pathways where suitable data are available, and improves the identification and prioritization of safety mitigation strategies for complex autonomous maritime systems. In this study, dominant accident pathways refer to the failure propagation paths corresponding to the minimal cut sets (MCS) that contribute most to the defined top event; they are ranked probabilistically when suitable failure data are available and identified structurally otherwise.
This distinction is particularly important when compared to STPA–Bayesian Network (BN) approaches, which primarily rely on the transformation of system-theoretic results into probabilistic dependency structures. While such formulations support probabilistic inference, they may reduce the direct structural traceability between control-level hazard identification and failure propagation modelling. Similarly, sequential or loosely coupled STPA–FTA approaches, where the two methods are applied in stages or linked through intermediate interpretation, may introduce limitations in maintaining consistency between system-theoretic and fault-based representations, as well as reduced integration between control-level reasoning and failure propagation modelling. In contrast, the proposed STPA–FTA framework preserves explicit structural linkage between unsafe control actions, causal scenarios, and fault-tree representations, thereby enhancing interpretability, consistency, and transparency in the analysis of complex autonomous maritime systems. A conceptual comparison of representative hybrid approaches, including STPA–BN, sequential or loosely coupled STPA–FTA, and the proposed parallel STPA–FTA framework, is provided in Table 1.
To demonstrate the applicability of the methodology, the framework is applied to a Degree of Autonomy 3 (DoA3) short-sea freight vessel operating within the North Sea corridor. This operational context represents a realistic short-sea shipping scenario characterized by dense maritime traffic, mixed vessel types, and varying operational conditions typical of European coastal routes [38,39,40,41]. The analysis illustrates how unsafe control actions identified through STPA can be systematically connected to probabilistic failure propagation pathways represented within a fault tree structure, enabling the identification of dominant accident pathways and systemic control vulnerabilities within the autonomous vessel architecture.
The main contributions of this work can be summarized as follows. First, the study further develops and formalizes a parallel and architecturally synchronized STPA–FTA risk assessment framework tailored to the safety analysis of Maritime Autonomous Surface Ships. Second, it demonstrates how system-theoretic hazard identification and probabilistic failure modelling can be integrated within a shared analytical architecture, enabling explicit traceability between unsafe control actions, system failures, and accident propagation pathways. Third, the study presents the structured application of the framework to a realistic DoA3 vessel operation, illustrating its practical applicability for safety assessment in complex maritime operational environments. The results demonstrate how the proposed framework enables explicit traceability between systemic hazards, unsafe control actions, and accident propagation pathways while supporting structured and reproducible safety assessment of complex autonomous maritime systems.
The remainder of this paper is organized as follows. Section 2 presents the materials and methods, including the analytical structure and workflow of the proposed STPA–FTA framework. Section 3 describes the results obtained from the case study application. Section 4 discusses the implications of the findings for safety assessment in autonomous maritime operations, while Section 5 summarizes the main conclusions of the study.

2. Materials and Methods

2.1. Research Methodology Overview

This study adopts a methodological research approach aimed at developing and demonstrating a structured risk assessment framework for Maritime Autonomous Surface Ships (MASS). The proposed methodology integrates System-Theoretic Process Analysis (STPA) and Fault Tree Analysis (FTA) within a parallel and architecturally synchronized analytical workflow, enabling systemic hazard identification and failure-based accident modeling to be performed concurrently.
The framework is designed to preserve traceability between system-level hazards, unsafe control actions, causal scenarios, and accident propagation mechanisms. By combining the system-theoretic perspective of STPA with the structured failure logic of FTA, the approach enables structured qualitative evaluation of accident causation and, where suitable data are available, supports quantitative evaluation in complex autonomous maritime systems.
To illustrate the practical applicability of the proposed framework, the methodology is applied to a representative DoA3 short-sea freight vessel operating within a high-density European maritime corridor. The case study demonstrates how the integrated analytical workflow can support structured safety assessment and mitigation strategy development for MASS.

2.2. System-Theoretic Process Analysis (STPA)

System-Theoretic Process Analysis (STPA) is a hazard analysis method derived from the Systems-Theoretic Accident Model and Processes (STAMP), which conceptualizes accidents as the result of inadequate control of system behavior rather than solely as the consequence of component failures. Unlike traditional reliability-based approaches, STPA focuses on interactions within complex socio-technical systems and examines how unsafe system states may emerge from deficiencies in control actions, feedback mechanisms, or system design [21,22,24,26,42].
The STPA methodology typically follows four main steps, as illustrated in Figure 1. First, system losses, hazards, and safety constraints are defined to establish the safety objectives of the analysis. Second, the system control structure is modeled to represent the interactions between controllers, controlled processes, sensors, and actuators within the system. Third, Unsafe Control Actions (UCAs) are identified by examining how control actions may become unsafe under specific operational conditions. Finally, causal scenarios are developed to explain how these unsafe control actions may arise due to control flaws, process model inconsistencies, or system interactions [26].
The systems-oriented perspective of STPA makes it particularly suitable for the analysis of autonomous and remotely operated vessels, where safety depends on complex interactions between automated control systems, onboard sensors, communication channels, and remote supervisory operators [21,24,25,26,42].

2.3. Fault Tree Analysis (FTA)

Fault Tree Analysis (FTA) is a deductive risk analysis technique used to model the logical relationships between system failures and undesired top events. A simplified example of a fault tree structure is illustrated in Figure 2. Starting from a defined accident or system failure event, the method decomposes the contributing causes through a hierarchical structure of logic gates that represent the combinations of lower-level failures required to produce the top event [33,43,44,45,46,47,48].
The fault tree structure allows the systematic identification of failure pathways and the evaluation of their relative significance within the system. Through the identification of minimal cut sets, FTA enables the determination of the smallest combinations of basic events that can lead to the occurrence of the defined top event. When failure probability data are available, the method also supports quantitative risk evaluation and the identification of dominant accident pathways [43,44,45].
Within the context of autonomous maritime systems, FTA provides a structured means of analyzing failure propagation mechanisms associated with system components, software functions, and operational subsystems [20,32,33,46].

2.4. Parallel STPA–FTA Integration Framework

The proposed framework integrates STPA and FTA within an architecturally synchronized parallel analytical structure. Rather than applying the two methods sequentially, the framework develops both analyses concurrently while maintaining traceability between systemic control deficiencies identified through STPA and failure propagation pathways modeled through FTA. This framework builds upon the conceptual parallel STPA–FTA integration introduced in the authors’ earlier work [20], which is here further formalized into a structured analytical workflow and applied to a realistic autonomous vessel case study.
The integration is achieved through a shared system definition that establishes the operational context, system losses, hazards, safety constraints, top events, and failure domains. From this common baseline, the STPA and FTA branches evolve in parallel while maintaining bidirectional interactions between their respective analytical elements. The system control structure developed within STPA informs the architectural structure of the fault tree, while the predefined failure domains are associated with identifiable elements of that control structure and then used to organize the first level of fault-tree decomposition beneath the selected top event.
This synchronized development preserves abstraction consistency between the two analytical branches and maintains explicit traceability between unsafe control actions, causal scenarios, fault-tree events, and accident propagation pathways. In addition, the integrated structure enables the representation of dependencies and interactions between system components across both analytical branches. In this context, common-cause (CCF) and common-mode failures (CMF) [45] affecting multiple subsystems, such as the Autonomous Navigation System (ANS) and the Remote Operations Centre (ROC), are captured through shared causal scenarios identified in the STPA analysis and their consistent representation within the fault-tree architecture. This allows correlated or simultaneous failures to be incorporated at the structural level of the model, without requiring explicit probabilistic common-cause failure formulations.
The integrated outputs of the STPA and FTA analyses are subsequently combined to support risk evaluation and mitigation strategy development. The overall structure of the framework is illustrated in Figure 3.

2.5. Analytical Workflow of the Framework

The analytical workflow of the proposed framework consists of seven main steps.
  • Step 1—Definition of Operational Context, Losses, Hazards, Failure Domains, and Top Events
The analysis begins with the definition of the operational context of the system under consideration, including the system boundary, operating assumptions, and the conditions under which the autonomous functions are expected to operate. System losses, hazards, and safety constraints are then identified in order to establish the safety objectives of the analysis. In parallel, the corresponding top events and a set of failure domains relevant to the fault tree analysis are defined. Failure domains represent major areas of the system within which failures or degraded conditions may contribute to the occurrence of the top event. These elements establish the common analytical baseline from which both the STPA and FTA branches develop.
  • Step 2—Development of Control Structure and Fault Tree Architecture
In the second step, the Hierarchical Control Structure is constructed to represent the functional interactions between controllers, sensors, actuators, controlled processes, and supervisory functions within the system. The predefined failure domains are then associated with the relevant elements of the control structure in order to preserve architectural consistency between the STPA and FTA branches. In parallel, the architectural structure of the fault tree is initiated by retaining the selected Step-1 top event as the root event and organizing the first level of decomposition through the mapped failure domains. Bidirectional interactions between the control structure and the fault tree architecture ensure that both representations remain consistent with the underlying system design and preserve traceability between control logic and fault-tree development.
  • Step 3—Identification of Unsafe Control Actions and Intermediate Fault Tree Events
Based on the hierarchical control structure, Unsafe Control Actions (UCAs) are identified by examining how control actions may become unsafe under specific operational conditions. In parallel, the preliminary fault tree architecture is refined by introducing UCA-derived unsafe functional conditions beneath the relevant failure domains as intermediate events. At this stage, the analysis remains at the level of control logic and unsafe functional behavior; detailed component-level failure modes and probabilities are intentionally deferred. Interactions between the STPA and FTA branches ensure that unsafe control reasoning is incorporated into the fault-tree structure without violating the architectural constraints established in the previous steps.
  • Step 4—Development of Causal Scenarios and Basic Fault Tree Events
The STPA analysis proceeds with the development of causal scenarios that explain how unsafe control actions may arise due to system design deficiencies, inadequate feedback, process model inconsistencies, or interaction failures. In parallel, these causal scenarios are used to guide the further decomposition of the fault tree beneath the unsafe functional conditions introduced in Step 3. The fault tree is thus expanded into lower-level failure paths and basic events representing the technical, functional, communication, software, and operational mechanisms contributing to the accident scenario. These causal representations remain synchronized to preserve traceability between systemic control failures and fault-tree decomposition.
  • Step 5—Evaluation of Risk Significance through Integrated STPA–FTA Analysis
The outputs of the STPA and FTA analyses are integrated in order to evaluate the significance of the identified accident pathways. Within the fault tree analysis, this step includes the structural evaluation of the refined fault-tree branches through minimal cut-set identification and, where suitable data are available, may also include probabilistic evaluation of the modelled accident scenarios. In parallel, the STPA results provide the systemic interpretation of how control deficiencies, unsafe control actions, and causal scenarios contribute to these pathways. The integration of both perspectives enables a comprehensive evaluation of the accident mechanisms within the system.
  • Step 6—Development and Prioritization of Safety Mitigation Strategies
Using the integrated results of the previous step, safety mitigation strategies are developed to address both the systemic control deficiencies and the failure propagation mechanisms identified through the STPA–FTA analysis. These strategies may include improvements to system control structures, enhanced feedback mechanisms, redundancy provisions, or operational safeguards aimed at preventing the occurrence or escalation of hazardous scenarios. Interventions are then prioritized according to their contribution to the dominant accident pathways identified in Step 5.
  • Step 7—Result Validation
Finally, the results of the analysis are reviewed and validated in order to assess the robustness, internal consistency, causal plausibility, and traceability of the identified accident pathways and mitigation strategies. Validation may be performed through one or more complementary approaches depending on the scope of the study and the availability of data, including structural consistency review, traceability-based assessment, sensitivity analysis, expert review, simulation, testing, and iterative refinement of earlier analytical steps where necessary.
To demonstrate the applicability of the proposed framework, the methodology is applied to a representative DoA3 short-sea freight vessel operating under remote supervision. The system boundary includes the autonomous navigation system, key shipboard subsystems, communication interfaces, and the Remote Operations Centre (ROC). The detailed configuration of the case study and the results of the analysis are presented in Section 3.
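The following is an added worked example and not code from the paper or its case study. It shows, on a small fault tree constructed for illustration, the mechanics that Section 2.3 and Steps 2 to 5 above describe in prose: the first level beneath the top event is organized by failure domains, the second level by UCA-derived unsafe functional conditions, and the leaves by basic events tagged with the causal scenario they come from. The event names, the identifiers UCA-1 to UCA-6 and CS-1 to CS-9, and the per-encounter probabilities are all assumptions of the example. The shared basic event BE_GNSS, feeding both the ANS and the ROC branch, is one way (again an assumption of the example, not the paper's stated modelling choice) of representing the common-cause situation discussed in Section 2.4.

```python
"""Minimal cut sets, pathway ranking and STPA-to-FTA traceability checks on a
small constructed fault tree (added example, not the paper's case-study model)."""
import math
from dataclasses import dataclass
from itertools import combinations, product
from typing import Dict, FrozenSet, List, Optional, Set

@dataclass
class Gate:
    kind: str                    # "AND" or "OR"
    inputs: List[str]
    trace: Optional[str] = None  # hypothetical UCA id (Step 3 conditions)

@dataclass
class Basic:
    prob: float                  # constructed per-encounter failure probability
    trace: Optional[str] = None  # hypothetical causal-scenario id (Step 4)

# Constructed tree. BE_GNSS is deliberately shared by the ANS and ROC branches:
# one STPA causal scenario (CS-2) degrading two subsystems, as in Section 2.4.
TREE: Dict[str, object] = {
    "TE_COLLISION":      Gate("OR", ["FD_PERCEPTION", "FD_COMMS", "FD_AUTHORITY"]),
    # Step 2: failure domains form the first level beneath the top event
    "FD_PERCEPTION":     Gate("AND", ["IE_ANS_MISS", "IE_ROC_MISS"]),
    "FD_COMMS":          Gate("AND", ["IE_LINK_LOST", "IE_FALLBACK_FAIL"]),
    "FD_AUTHORITY":      Gate("AND", ["IE_CMD_CONFLICT", "IE_NO_ARBITRATION"]),
    # Step 3: UCA-derived unsafe functional conditions
    "IE_ANS_MISS":       Gate("OR", ["BE_RADAR", "BE_GNSS", "BE_FUSION"], "UCA-1"),
    "IE_ROC_MISS":       Gate("OR", ["BE_GNSS", "BE_OPERATOR_LOAD"], "UCA-2"),
    "IE_LINK_LOST":      Gate("AND", ["BE_SATCOM", "BE_LTE"], "UCA-3"),
    "IE_FALLBACK_FAIL":  Gate("OR", ["BE_MRC_LOGIC", "BE_MRC_CONFIG"], "UCA-4"),
    "IE_CMD_CONFLICT":   Gate("OR", ["BE_HANDOVER", "BE_STALE_STATE"], "UCA-5"),
    "IE_NO_ARBITRATION": Gate("OR", ["BE_ARBITER_SW"], "UCA-6"),
    # Step 4: basic events tagged with the causal scenario they come from
    "BE_RADAR": Basic(1e-3, "CS-1"),     "BE_GNSS": Basic(2e-3, "CS-2"),
    "BE_FUSION": Basic(5e-4, "CS-3"),    "BE_OPERATOR_LOAD": Basic(5e-2, "CS-4"),
    "BE_SATCOM": Basic(1e-2, "CS-5"),    "BE_LTE": Basic(2e-2, "CS-5"),
    "BE_MRC_LOGIC": Basic(1e-3, "CS-6"), "BE_MRC_CONFIG": Basic(2e-3, "CS-6"),
    "BE_HANDOVER": Basic(1e-3, "CS-7"),  "BE_STALE_STATE": Basic(4e-3, "CS-8"),
    "BE_ARBITER_SW": Basic(1e-3, "CS-9"),
}

def minimal_cut_sets(name: str, tree=TREE) -> Set[FrozenSet[str]]:
    """OR: union of the children's cut sets; AND: merge one cut set from each
    child. Supersets of another cut set are pruned, leaving the minimal ones."""
    node = tree[name]
    if isinstance(node, Basic):
        return {frozenset([name])}
    children = [minimal_cut_sets(c, tree) for c in node.inputs]
    cuts = (set().union(*children) if node.kind == "OR"
            else {frozenset().union(*combo) for combo in product(*children)})
    return {c for c in cuts if not any(o < c for o in cuts)}

def cut_prob(cut: FrozenSet[str], tree=TREE) -> float:
    return math.prod(tree[e].prob for e in cut)

def ranked_pathways(top: str, tree=TREE) -> List[FrozenSet[str]]:
    """Dominant accident pathways: minimal cut sets ordered by probability."""
    return sorted(minimal_cut_sets(top, tree), key=lambda c: cut_prob(c, tree), reverse=True)

def top_event_probability(top: str, tree=TREE, exact: bool = False) -> float:
    """Rare-event sum of cut-set products, or the exact value by inclusion-
    exclusion over the minimal cut sets (basic events assumed independent)."""
    mcs = list(minimal_cut_sets(top, tree))
    if not exact:
        return sum(cut_prob(c, tree) for c in mcs)
    return sum((-1) ** (k + 1) * cut_prob(frozenset().union(*s), tree)
               for k in range(1, len(mcs) + 1) for s in combinations(mcs, k))

def fussell_vesely(top: str, tree=TREE) -> Dict[str, float]:
    """Share of the rare-event top probability carried by the cut sets that
    contain each basic event; a ranking of candidates for Step-6 mitigation."""
    mcs = minimal_cut_sets(top, tree)
    p_top = sum(cut_prob(c, tree) for c in mcs)
    return {e: sum(cut_prob(c, tree) for c in mcs if e in c) / p_top
            for e, n in tree.items() if isinstance(n, Basic)}

def traceability_violations(top: str, tree=TREE) -> List[str]:
    """Structural checks mirroring Steps 2-4: every second-level gate carries a
    UCA id, every basic event a causal-scenario id, and no input dangles."""
    issues: List[str] = []
    def visit(name: str, depth: int) -> None:
        node = tree.get(name)
        if node is None:
            issues.append(f"{name}: referenced but not defined")
        elif isinstance(node, Basic):
            if not (node.trace or "").startswith("CS-"):
                issues.append(f"{name}: basic event without causal-scenario id")
        else:
            if depth == 2 and not (node.trace or "").startswith("UCA-"):
                issues.append(f"{name}: unsafe functional condition without UCA id")
            for child in node.inputs:
                visit(child, depth + 1)
    visit(top, 0)
    return issues
```

Running `ranked_pathways("TE_COLLISION")` on this tree puts the single-event cut set {BE_GNSS} first: although the perception domain is an AND of the ANS and ROC branches, the shared causal scenario removes the credit that redundancy would otherwise earn, which is exactly the structural capture of common-cause failure described in Section 2.4 without any explicit beta-factor formulation. The rare-event sum and the inclusion-exclusion value differ by well under a percent here, so the cheaper approximation is adequate for ranking; the Fussell-Vesely share of BE_GNSS (above 0.9) points Step 6 at the perception-input scenario before anything in the communication or authority domains. `traceability_violations` is a mechanical form of the structural consistency review in Step 7: removing a causal-scenario tag or leaving a dangling event reference is reported by name.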

3. Results

3.1. Case Study Description and Operational Context (Step 1—Part A)

To demonstrate the applicability of the proposed framework, the methodology was applied to a representative DoA3 short-sea freight vessel operating within a realistic operational context of high-density maritime traffic typical of North Sea short-sea shipping routes [7,16,39,40,49,50,51]. This operational configuration reflects realistic conditions for near-term deployments of Maritime Autonomous Surface Ships (MASS), where vessels operate with a high level of onboard automation while remaining subject to supervisory monitoring and potential intervention from a Remote Operations Centre (ROC) [27,52,53].
The operational context and system boundary were first defined in order to establish the scope of the safety analysis. The case study operational assumptions were framed in a manner consistent with the Concept of Operations (ConOps) and Operational Envelope (OE) logic used in the emerging IMO MASS regulatory framework [8].
The vessel architecture considered in the case study integrates an Autonomous Navigation System (ANS) responsible for route execution and maneuvering decisions under normal operating conditions [54,55]. The system is supported by multiple sensor subsystems providing situational awareness, including radar, AIS, and other perception technologies. Propulsion and steering control systems execute navigation commands, while communication systems maintain connectivity between the vessel and the ROC.
The operational environment considered in the case study represents a typical short-sea freight operation involving interactions with other vessels, dynamic traffic conditions, and reliance on sensor-based situational awareness and communication links. These characteristics provide a realistic operational context for examining how systemic control deficiencies and component-level failures may interact to produce hazardous scenarios in autonomous maritime operations [39,40,49]. The environmental parameters considered in the case study are defined through representative operational envelopes, capturing variations in traffic density, weather conditions, and visibility typical of high-density short-sea shipping corridors. Rather than being expressed as fixed numerical limits, these parameters are bounded qualitatively to reflect realistic operating conditions where perception, communication, and navigation performance may be degraded.

3.2. System Definition: Losses, Hazards, Failure Domains and Top Event (Step 1—Part B)

Within Step 1 of the framework, the safety objectives of the system were established through the identification of system losses, hazards, and safety constraints associated with the operation of the autonomous vessel. System losses represent unacceptable outcomes that the analysis seeks to prevent.
In the present analysis, the definition of system losses was informed by established maritime safety definitions, including those contained in the IMO Casualty Investigation Code, which classifies marine casualties involving loss of life, total loss of the vessel, or severe environmental damage as very serious marine casualties [56]. Based on these principles, a set of unacceptable losses relevant to the autonomous vessel operation was defined.
Subsequently, system hazards were identified as system states or operational conditions that may lead to these losses if not properly controlled. The identified hazards reflect situations such as degraded situational awareness, incorrect maneuvering decisions, or failures in the interaction between onboard autonomous systems and the Remote Operations Centre (ROC).
For the purpose of the fault tree modelling, a selected accident scenario was defined as the top event in the form of collision with another vessel, which constitutes one of the most critical accident types in dense maritime traffic environments [34,57,58]. While multiple losses and hazards were considered in the STPA branch, focusing on a single representative top event in the FTA branch enables a detailed examination of the traceability between unsafe control actions identified through STPA and failure propagation pathways represented in the fault tree model within the integrated STPA–FTA framework. This focused analysis allows the methodological capabilities of the framework to be illustrated clearly without introducing excessive structural complexity.
In addition, the failure domains relevant to the accident scenario were defined. They provide the initial architectural structure of the fault tree analysis and supply the first-level branches used when the fault tree model is developed in Step 2.
The resulting system losses, a representative subset of hazards and failure domains identified during the analysis, and the selected top event are summarized for illustration purposes in Table 2. The complete set of hazards and the failure domain definitions derived during the analysis are provided in Appendix A (Table A1 and Table A2).

3.3. System Control Structure and Fault Tree Architecture (Step 2)

The second step of the framework involves the development of the Hierarchical Control Structure, which forms the foundation for the STPA analysis by representing the interactions between controllers, sensors, actuators, and controlled processes within the autonomous vessel system. The hierarchical control structure shows how navigation decisions are generated, communicated, monitored, and executed within the autonomous vessel architecture and thereby provides the basis for identifying potential control deficiencies.
The hierarchical control structure developed for the case study vessel is illustrated in Figure 4. The diagram represents the primary control relationships governing vessel navigation, including the interaction between the Remote Operations Centre (ROC), the Autonomous Navigation System (ANS), the actuation system, the perception system, the controlled process represented by vessel motion, and the external environment and surrounding traffic.
Within this control hierarchy, the ANS performs the primary navigation control function during normal operation, issuing heading and speed commands to the actuation system on the basis of perception inputs and vessel-state feedback. The ROC performs a supervisory role, receiving vessel status, alerts, and Mode-of-Operation (MoO) information while retaining the capability to issue override or authority actions when required. The perception system integrates sensing inputs relevant to vessel state and surrounding conditions, while the controlled process and external environment provide the feedback and disturbances that shape navigation performance.
Within the operational context defined in Step 1, which established the Concept of Operation (ConOps) and the relevant Operational Envelope (OE) assumptions, the autonomous navigation system operates within a defined Operational Design Domain (ODD) describing the environmental, traffic, and system conditions under which the autonomous navigation functions are designed to operate safely. The vessel operates under different Modes of Operation (MoO) reflecting the allocation of control authority between onboard automation and the Remote Operations Centre. Under normal conditions, the vessel operates in an autonomous navigation mode supervised by the ROC. If the operational conditions exceed the defined ODD or the system is unable to maintain safe operation within its design limits, the control architecture supports transition to a fallback state, in which predefined safety responses or supervisory intervention from the ROC may be required to maintain safe vessel operation [8].
In parallel, the Fault Tree Analysis (FTA) structure was initiated in a manner consistent with the same system boundary and control architecture. In accordance with the framework, the representative top event selected in Step 1 was retained as the root event of the fault tree. The failure domains defined at Step 1 were then associated with the relevant elements of the control architecture, including decision-making, supervisory control, communication, and execution-related interfaces, and used to form the first-level intermediate branches of the fault-tree, as illustrated in Figure 5. At this stage, the objective is not yet detailed component-level fault decomposition, but the establishment of a traceable architectural structure linking the selected accident scenario to the major failure domains of the system.
This preliminary architectural correspondence between the Hierarchical Control Structure and the fault-tree structure supports the synchronized development of the STPA and FTA branches within the proposed framework. Detailed refinement of the fault-tree branches through UCA-derived unsafe functional conditions and subsequent lower-level causal decomposition is performed in the following stages of the analysis.

3.4. Unsafe Control Actions and Intermediate Fault Tree Events (Step 3)

Following the development of the hierarchical control structure and the initial fault-tree architecture in Step 2, the analysis proceeded with the parallel refinement of the STPA and FTA branches. At this stage, the STPA analysis focused on the identification of Unsafe Control Actions (UCAs) associated with the control interactions represented in the system architecture.
Unsafe control actions arise when control commands provided by system controllers may lead to hazardous system states under specific operational conditions. Consistent with the STPA methodology, unsafe control actions were identified by examining the control actions exchanged between the Autonomous Navigation System (ANS), the actuation system, and the Remote Operations Centre (ROC), and evaluating the conditions under which these control actions may become unsafe. The analysis considered the four standard categories of unsafe control actions:
  • a required control action is not provided when needed
  • an incorrect or unsafe control action is provided
  • a control action is provided too early, too late, or in an incorrect order
  • a control action is applied for too long or stopped too soon
Through this process, a set of unsafe control actions was identified within the navigation control loop of the autonomous vessel. These include situations in which a collision-avoidance maneuver is issued too late during a developing encounter, a maneuver is issued prematurely on the basis of incomplete situational awareness, or supervisory intervention from the Remote Operations Centre (ROC) is not provided when required during critical operational conditions. For clarity of presentation, representative unsafe control actions identified during the analysis are summarized in Table 3, which shows the relationship between control actions, unsafe control conditions, STPA category, and hazards. The complete set of unsafe control actions (UCAs) derived from the STPA analysis is provided in Appendix A (Table A3).
Each identified unsafe control action was subsequently associated with the relevant system failure domains defined in Step 1, ensuring that the STPA results remained traceable to the corresponding failure domains used in the development of the fault-tree architecture. For example, the unsafe control action UCA-ANS-03, in which the Autonomous Navigation System fails to issue a required collision-avoidance maneuver in time during a developing encounter, is associated with the failure domain FD3—Decision/Planning, reflecting potential deficiencies in encounter assessment, timing, or maneuver generation logic. Similarly, unsafe maneuver decisions arising from incomplete situational awareness, such as UCA-ANS-15, are also associated with the failure domain FD3—Decision/Planning, where incorrect interpretation of the operational situation may lead to unsafe maneuver planning. Unsafe control actions related to the absence of supervisory intervention from the Remote Operations Centre, such as UCA-ROC-01, are associated with the failure domain FD7—Human Supervisory (ROC), reflecting situations where required override or intervention commands are not issued during critical operational conditions. The complete mapping between unsafe control actions and the corresponding failure domains used in the analysis is summarized in Appendix A (Table A4).
In parallel with the identification of unsafe control actions, the Fault Tree Analysis (FTA) branch established in Step 2 was further refined. The failure domains defined in Step 1 were retained as the primary structural branches of the fault tree, while unsafe functional conditions associated with the identified unsafe control actions informed the logical refinement of the corresponding fault-tree branches. The resulting structural correspondence between failure domains and localized unsafe control actions is illustrated in Figure 6, demonstrating how the STPA results inform the progressive refinement of the fault-tree architecture.
This synchronized development preserves the architectural correspondence between systemic control reasoning and failure propagation modelling, enabling explicit traceability between unsafe control actions, system failure mechanisms, and accident propagation pathways within the integrated STPA–FTA framework.

3.5. Causal Scenario Development and Fault Tree Refinement (Step 4)

Following the identification of unsafe control actions, the analysis proceeded with the development of causal scenarios describing the conditions under which these unsafe control actions may arise within the system. In accordance with the STPA methodology, causal scenarios were derived by examining potential deficiencies within the control loop structure, including limitations in situational awareness, communication disruptions between the Autonomous Navigation System (ANS) and the Remote Operations Centre (ROC), authority-management inconsistencies, execution deviations, and limitations in encounter-assessment logic.
The analysis identified five representative causal scenarios illustrating how such deficiencies may lead to unsafe control actions within the autonomous vessel control architecture.
  • CS-1—Incomplete traffic picture leading to delayed avoidance maneuver.
  • CS-2—Communication latency preventing timely supervisory intervention.
  • CS-3—Authority handover conflict between ANS and ROC.
  • CS-4—Actuation deviation not detected by the controller.
  • CS-5—Incorrect collision-risk assessment by the ANS.
In parallel with the development of causal scenarios, the Fault Tree Analysis (FTA) model was progressively refined by decomposing the unsafe functional conditions identified in Step 3 into intermediate and basic events representing the specific failure mechanisms described by the corresponding causal scenarios. In this way, the fault-tree branches were developed as structural representations of the causal mechanisms identified through the STPA analysis, while remaining organized within the failure-domain architecture established in the earlier stages of the framework.
An illustrative portion of the resulting fault-tree structure is presented in Figure 7, showing the refinement of the FD3—Decision/Planning branch. In this example, the unsafe control action UCA-ANS-03 (avoidance maneuver issued too late) is decomposed into underlying causal conditions, such as incomplete traffic information, delayed traffic updates, or incorrect encounter-risk estimation, and further decomposed into basic events, such as radar sensor failure, delayed sensor data processing, inaccurate vessel state estimation, etc.
Through this process, the causal reasoning developed within the STPA analysis directly informs the failure propagation structure represented in the fault-tree model. This step establishes the analytical bridge between systemic control deficiencies and accident propagation pathways within the integrated STPA–FTA framework.

3.6. Risk Significance Evaluation Through Integrated STPA-FTA Analysis (Step 5)

Following the development of the causal scenarios and the refinement of the representative fault-tree branches in Step 4, the analysis proceeded with the structural evaluation of the resulting fault-tree models. This step identifies the combinations of failure events that may lead to the defined accident scenario and interprets their significance within the systemic hazard structure established through the STPA analysis.
Within the fault-tree analysis, this evaluation was performed through the identification of minimal cut sets associated with the representative fault-tree branches. In the present case study, the minimal cut-set evaluation was used to support the structural interpretation of accident propagation pathways rather than to derive probabilistic estimates, as validated reliability data for several of the modeled autonomous-navigation and supervisory-control functions are not currently available. The identification of dominant accident pathways was therefore guided by the structural characteristics of the fault-tree representation and by their linkage to the causal scenarios developed in Step 4, not by any quantitative ranking or prioritization; "dominant" is used here in a structural sense, denoting the principal propagation mechanisms represented in the model. Each pathway represents a distinct failure propagation mechanism through which unsafe control actions may lead to the defined accident scenario. Even without probability data, the order of a minimal cut set (the number of basic events it contains) remains a meaningful structural indicator, since an order-one cut set identifies a single-point failure that reaches the top event on its own. The structural evaluation of the fault-tree branches revealed five dominant accident pathways corresponding to the primary mechanisms represented in the causal scenarios:
  • DP1—Perception and situational-awareness degradation pathway (CS-1)
  • DP2—Communication disturbance pathway (CS-2)
  • DP3—Authority allocation and mode-coordination pathway (CS-3)
  • DP4—Actuation and maneuver-execution deviation pathway (CS-4)
  • DP5—Decision-algorithm collision-risk assessment pathway (CS-5)
These accident pathways, therefore, represent the dominant structural mechanisms through which unsafe control actions identified in the STPA analysis may propagate toward the defined accident scenario. Because the fault-tree branches were derived directly from the STPA causal scenarios and the associated unsafe control actions, the minimal cut sets obtained from the fault-tree evaluation correspond to concrete realizations of the systemic control deficiencies embedded within the system control structure.
Representative minimal cut sets derived from the structural fault-tree evaluation are summarized in Appendix A (Table A5), illustrating the combinations of basic events associated with the dominant accident pathways. The interpretation of these cut sets reconnects the structural failure-propagation perspective of FTA with the systemic control reasoning of STPA, preserving traceability across the analytical chain linking:
Losses → Hazards → Unsafe Control Actions → Causal Scenarios → Failure Events → Accident Pathways
Through this integrated interpretation, the STPA–FTA framework enables the identification of the most critical causal mechanisms contributing to the accident scenario while maintaining explicit traceability between systemic control deficiencies and the failure propagation structure represented in the fault-tree model.

3.7. Safety Mitigation Strategies (Step 6)

Following the identification of the dominant accident pathways in Step 5, safety mitigation strategies were developed to address the systemic control deficiencies and failure propagation mechanisms identified through the integrated STPA–FTA analysis. This step aims to reduce the likelihood of unsafe control actions and to interrupt the accident propagation pathways revealed through the fault-tree evaluation.
Because the dominant accident pathways correspond directly to the causal mechanisms identified in the STPA scenarios, the mitigation strategies focus on strengthening the reliability and coordination of the perception, decision-making, communication, supervisory control, and maneuver execution functions within the autonomous vessel architecture.
The mitigation strategies derived from the analysis address the following principal safety areas:
  • Perception and situational-awareness robustness (DP1)—improving reliability of traffic detection and sensor-fusion processes
  • Communication resilience between the vessel and the Remote Operations Centre (DP2)—ensuring timely supervisory awareness and intervention capability
  • Authority-management coordination between the Autonomous Navigation System (ANS) and the Remote Operations Centre (DP3)—preventing conflicting control actions during authority transitions
  • Execution monitoring and maneuver verification (DP4)—ensuring that commanded maneuvers are correctly executed and deviations are detected
  • Collision-risk assessment robustness within the decision-making algorithms (DP5)—improving the reliability of encounter evaluation and maneuver planning
Representative mitigation strategies derived from the analysis are summarized in Table 4.
The prioritization of mitigation strategies follows the dominant accident pathways identified in Step 5, with perception robustness, authority coordination, and decision-algorithm validation emerging as particularly important safety improvement areas within the present case study.
The mitigation strategies derived from this step demonstrate how the integrated STPA–FTA framework supports the identification of safety improvements addressing both systemic control deficiencies and failure propagation mechanisms. By targeting the dominant accident pathways revealed through the analysis, these strategies contribute to reducing the likelihood of hazardous scenarios within autonomous vessel operations.
To facilitate navigation across the integrated STPA–FTA results, Table 5 provides a structured overview of the analytical traceability chain linking losses, hazards, unsafe control actions, causal scenarios, failure events, dominant accident pathways, representative minimal cut sets, and mitigation strategies, together with their corresponding locations within the manuscript.

3.8. Result Validation (Step 7)

Following the development of the mitigation strategies in Step 6, the results of the integrated STPA–FTA analysis were reviewed and validated in order to assess their consistency, plausibility, and methodological robustness within the defined case study scope. In accordance with the proposed framework, Step 7 does not introduce additional hazards, unsafe control actions, or fault-tree branches, but examines whether the analytical results obtained in the previous steps provide a coherent and credible representation of the safety-critical mechanisms of the system.
Given the conceptual and primarily qualitative nature of the present case study, supported by structural fault-tree evaluation through minimal cut-set identification, and the absence of validated empirical reliability data for the modeled autonomous-navigation, supervisory-control, and ship–shore interaction functions, validation in this paper was performed primarily through structural consistency review and traceability-based plausibility assessment, rather than through full probabilistic sensitivity analysis, experimental testing, or formal expert elicitation. This is consistent with the role of validation at an early design stage, where the objective is to confirm that the model structure, control relationships, and identified safety mechanisms are credible before more detailed verification and quantitative evidence become available [16,25,59,60,61].
The validation performed for the case study focused on three principal aspects:
  • First, the analysis was reviewed for internal structural consistency across the seven-step workflow. In particular, it was confirmed that the operational context and system boundary defined in Step 1 remained stable throughout the analysis; that the Hierarchical Control Structure developed in Step 2 remained consistent with the Unsafe Control Actions identified in Step 3; that the causal scenarios developed in Step 4 plausibly explained the selected UCAs; and that the representative fault-tree branches refined in Steps 4 and 5 remained traceable to the corresponding failure domains, unsafe functional conditions, and dominant accident pathways.
  • Second, the results were examined for causal plausibility within the operational context of the case study. This review considered whether the dominant accident pathways identified in Step 5 were credible for a DoA3 short-sea vessel operating under high-density traffic conditions with ROC supervision. In this respect, the resulting pathways, i.e., perception degradation, communication disturbance, authority-coordination conflict, actuation deviation, and decision-algorithm error, were found to be consistent with the control architecture, mission assumptions, and degraded/fallback conditions represented in the case study.
  • Third, the analysis was reviewed for traceability completeness. Particular attention was given to the preservation of the analytical chain linking losses, hazards, unsafe control actions, causal scenarios, fault-tree branches, minimal cut sets, dominant accident pathways, and mitigation strategies. This traceability is a core requirement of the proposed framework and constitutes one of the principal validation criteria for the integrated STPA–FTA application.
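The traceability chain summarized at the end of Step 5 and the traceability-completeness review described in this third validation aspect can be mechanized as a consistency check over the analysis records. The following is an added example, not a tool or table from the paper: the records are a constructed extract in which UCA-ANS-03, UCA-ANS-15, UCA-ROC-01, FD3, FD7, CS-1/CS-2/CS-5 and DP1/DP2/DP5 follow the case study, while the loss, hazard and mitigation identifiers (L-*, H-*, M-*) and the links between all elements are hypothetical placeholders. The check reports a missing or dangling upstream link as an error and an element that nothing downstream references as a warning only, since the paper considers more hazards in the STPA branch than reach the single FTA top event.

```python
"""Traceability-completeness check over the STPA–FTA analytical chain.

Added example. The records below are a CONSTRUCTED extract: the identifiers
UCA-ANS-03, UCA-ANS-15, UCA-ROC-01, FD3, FD7, CS-1/CS-2/CS-5 and DP1/DP2/DP5
follow the case study, while L-*, H-*, M-* and every link are hypothetical.
"""
import copy

# Chain links to verify: (layer, upstream layer). Every element of `layer`
# must reference at least one existing element of `upstream` (error if not);
# an `upstream` element that nothing in `layer` references is a warning only.
RULES = [
    ("hazards", "losses"),
    ("ucas", "hazards"),
    ("ucas", "failure_domains"),
    ("causal_scenarios", "ucas"),
    ("pathways", "causal_scenarios"),
    ("mitigations", "pathways"),
]

MODEL = {
    "losses": {"L-1": {}, "L-2": {}},
    "hazards": {"H-1": {"losses": ["L-1"]}, "H-2": {"losses": ["L-1", "L-2"]}},
    "failure_domains": {"FD3": {}, "FD7": {}},
    "ucas": {
        "UCA-ANS-03": {"hazards": ["H-1"], "failure_domains": ["FD3"]},
        "UCA-ANS-15": {"hazards": ["H-1"], "failure_domains": ["FD3"]},
        "UCA-ROC-01": {"hazards": ["H-2"], "failure_domains": ["FD7"]},
    },
    "causal_scenarios": {
        "CS-1": {"ucas": ["UCA-ANS-03"]},
        "CS-2": {"ucas": ["UCA-ROC-01"]},
        "CS-5": {"ucas": ["UCA-ANS-15"]},
    },
    "pathways": {
        "DP1": {"causal_scenarios": ["CS-1"]},
        "DP2": {"causal_scenarios": ["CS-2"]},
        "DP5": {"causal_scenarios": ["CS-5"]},
    },
    "mitigations": {
        "M-1": {"pathways": ["DP1"]},
        "M-2": {"pathways": ["DP2"]},
        "M-5": {"pathways": ["DP5"]},
    },
}


def check_traceability(model, rules=RULES):
    """Walk every chain link; dangling/missing links are errors, orphans are warnings."""
    errors, warnings = [], []
    for layer, upstream in rules:
        referenced = set()
        for ident, links in model[layer].items():
            targets = links.get(upstream, [])
            if not targets:
                errors.append(f"{ident} has no link to any {upstream} element")
            for target in targets:
                if target not in model[upstream]:
                    errors.append(f"{ident} -> {target}: dangling reference into {upstream}")
                referenced.add(target)
        for ident in model[upstream]:
            if ident not in referenced:
                warnings.append(f"{ident} ({upstream}) is not reached by any {layer} element")
    return {"errors": sorted(errors), "warnings": sorted(warnings)}


def with_injected_defects(model):
    """Copy of the model with one dangling link and one orphan, to exercise the check."""
    broken = copy.deepcopy(model)
    broken["mitigations"]["M-3"] = {"pathways": ["DP3"]}  # DP3 is not modelled
    broken["hazards"]["H-3"] = {"losses": ["L-2"]}        # hazard no UCA addresses
    return broken


if __name__ == "__main__":
    print(check_traceability(MODEL))
    print(check_traceability(with_injected_defects(MODEL)))
```

Run against the constructed records the clean model produces no findings, while the defective copy reports the dangling DP3 reference as an error and the unaddressed hazard H-3 as a warning; extending RULES with further links (for example basic events to causal scenarios) applies the same check to the fault-tree side of the chain.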
On this basis, the validation indicates that the integrated model provides a structurally coherent and operationally plausible representation of the accident mechanisms associated with the selected collision scenario. In particular, the results support the conclusion that the proposed framework preserves explicit traceability between systemic control deficiencies identified through STPA and failure propagation pathways represented through FTA, while also supporting the structured derivation of targeted mitigation strategies.
In addition to the above validation aspects, the results were examined from a structural sensitivity perspective, in the form of a conceptual sensitivity assessment with respect to the system control architecture. Within the proposed STPA–FTA framework, the minimal cut sets identified in the fault-tree analysis are derived directly from the causal scenarios and control interactions defined in the system control structure. Modifications to the control architecture, such as changes in authority allocation between the Autonomous Navigation System (ANS) and the Remote Operations Centre (ROC), variations in communication pathways, or the introduction of additional supervisory or redundancy mechanisms, therefore lead to corresponding changes in the composition of the minimal cut sets. For example, introducing communication redundancy or supervisory confirmation between the ANS and the ROC alters the cut sets associated with communication disturbance and coordination failures: an event that previously formed a single-point (order-one) cut set becomes part of a higher-order combination, so that the top event requires several basic events to occur jointly. Conversely, simplified control structures or reduced communication robustness may preserve or amplify such failure combinations. This assessment shows that the identified minimal cut sets are structurally dependent on the system control architecture and indicates that the framework supports the systematic evaluation of how design modifications influence accident propagation pathways.
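The decomposition of UCA-ANS-03 into intermediate conditions and basic events (Step 4), the minimal cut-set evaluation and its mapping back to dominant pathways (Step 5), and the architectural sensitivity reasoning above can all be exercised on a small fault-tree fragment. The following is an added example and not the paper's Figure 7 model or any tool used by the authors: the gate structure, the assumed radar/AIS redundancy, the communication branch, the optional backup ship-shore link and the event-to-pathway mapping in TRACE are assumptions introduced for illustration, and, in line with the paper's structural evaluation, no failure probabilities are used. The cut sets are obtained bottom-up (OR gates union the children's cut sets, AND gates combine one cut set from each child) followed by absorption of non-minimal sets.

```python
"""Structural (non-probabilistic) cut-set evaluation of a fault-tree fragment.

Added example. The gate structure is an ASSUMED illustration of how the FD3
(Decision/Planning) and communication branches might be decomposed; it is not
the paper's Figure 7 tree, and no failure probabilities are used.
"""
from itertools import product

# A tree node is either a basic event (str) or a gate: (gate_type, [children]).
OR, AND = "OR", "AND"


def _absorb(cuts):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    return frozenset(c for c in cuts if not any(o < c for o in cuts))


def minimal_cut_sets(node):
    """Enumerate minimal cut sets of a coherent fault tree, bottom-up."""
    if isinstance(node, str):
        return frozenset({frozenset({node})})
    gate, children = node
    child_cuts = [minimal_cut_sets(c) for c in children]
    if gate == OR:                      # any child's cut set reaches the gate
        cuts = set().union(*child_cuts)
    elif gate == AND:                   # one cut set from every child is needed
        cuts = {frozenset().union(*combo) for combo in product(*child_cuts)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return _absorb(cuts)


def single_point_failures(cuts):
    """Basic events that reach the top event alone (order-one cut sets)."""
    return frozenset(next(iter(c)) for c in cuts if len(c) == 1)


def fd3_branch():
    """Assumed refinement of UCA-ANS-03 (avoidance maneuver issued too late)."""
    return (OR, [
        # incomplete traffic picture: radar/AIS redundancy assumed, so both must fail
        (AND, ["Radar sensor failure", "AIS track loss"]),
        "Delayed sensor data processing",                 # delayed traffic updates
        (OR, ["Inaccurate vessel state estimation",       # incorrect encounter-risk estimation
              "Encounter-risk estimation logic error"]),
    ])


def communication_branch(redundant_link):
    """Assumed CS-2 style branch: supervisory intervention not timely.

    With redundant_link=True a backup ship-shore link is assumed, so loss of the
    primary link alone no longer reaches the top event.
    """
    link_loss = "Primary ship-shore link loss"
    if redundant_link:
        link_loss = (AND, [link_loss, "Backup ship-shore link loss"])
    return (OR, [link_loss, "ROC alert not raised"])


def collision_tree(redundant_link=False):
    """Top event (collision) OR-ed over the two modelled failure-domain branches."""
    return (OR, [fd3_branch(), communication_branch(redundant_link)])


# Assumed traceability of each basic event back to (UCA, causal scenario, pathway).
TRACE = {
    "Radar sensor failure": ("UCA-ANS-03", "CS-1", "DP1"),
    "AIS track loss": ("UCA-ANS-03", "CS-1", "DP1"),
    "Delayed sensor data processing": ("UCA-ANS-03", "CS-1", "DP1"),
    "Inaccurate vessel state estimation": ("UCA-ANS-03", "CS-5", "DP5"),
    "Encounter-risk estimation logic error": ("UCA-ANS-03", "CS-5", "DP5"),
    "Primary ship-shore link loss": ("UCA-ROC-01", "CS-2", "DP2"),
    "Backup ship-shore link loss": ("UCA-ROC-01", "CS-2", "DP2"),
    "ROC alert not raised": ("UCA-ROC-01", "CS-2", "DP2"),
}


def pathways(cuts):
    """Map each minimal cut set to the dominant pathway(s) its events belong to."""
    return {cut: frozenset(TRACE[e][2] for e in cut) for cut in cuts}


def architecture_delta(before, after):
    """Cut sets removed and added by a design change (structural sensitivity)."""
    return {"removed": before - after, "added": after - before}


if __name__ == "__main__":
    base = minimal_cut_sets(collision_tree(redundant_link=False))
    hard = minimal_cut_sets(collision_tree(redundant_link=True))
    for cut, dps in sorted(pathways(base).items(), key=lambda kv: sorted(kv[0])):
        print(sorted(cut), "->", sorted(dps))
    print("single points (baseline):", sorted(single_point_failures(base)))
    print("single points (redundant link):", sorted(single_point_failures(hard)))
    print(architecture_delta(base, hard))
```

With the assumed structure the baseline tree has six minimal cut sets, five of them single-point failures; adding the backup link removes the order-one set {Primary ship-shore link loss} and replaces it with the order-two set {Primary ship-shore link loss, Backup ship-shore link loss}, which is the kind of cut-set change the sensitivity assessment above describes, while the FD3 cut sets are untouched because the change lies in a different failure domain.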
At the same time, the present validation remains bounded by the scope of the study. No formal expert review workshop, simulation campaign, prototype testing, or empirically grounded probability sensitivity analysis was conducted at this stage. Accordingly, the present Step 7 should be interpreted as a methodological and structural validation of the case study results, rather than as full external validation of the autonomous vessel design itself. Future work should therefore extend this validation through expert assessment, simulation-based scenario evaluation, and/or, where possible, testing or operational evidence from relevant MASS implementations, in line with the broader validation approaches identified in the framework.

4. Discussion

The results of the case study demonstrate that the proposed framework can support a structured and traceable integration of System-Theoretic Process Analysis (STPA) and Fault Tree Analysis (FTA) for the safety assessment of Maritime Autonomous Surface Ships (MASS). Applied to a representative Degree of Autonomy 3 short-sea freight vessel, the framework enabled the analysis to progress coherently from the definition of losses, hazards, failure domains, and top events to the identification of Unsafe Control Actions (UCAs), causal scenarios, dominant accident pathways, and targeted mitigation strategies. The main value of the framework is therefore not only that it combines two established methods, but that it preserves explicit traceability between systemic control deficiencies and structured accident propagation pathways throughout the analysis.
From the perspective of previous research, the findings are consistent with the growing view that autonomous ship safety may not be adequately captured by traditional risk assessment methods alone. Recent reviews continue to describe STPA as particularly suitable for complex, software-intensive, and autonomy-enabled ship systems, while also noting that many existing MASS risk studies still rely either on qualitative STPA alone or on STPA combinations that are translated into Bayesian-network structures rather than fault-tree logic [17,27,28,37,61,62,63,64]. In this context, the present study supports the argument that a hybrid approach is beneficial, but shows that such integration can also be performed through an architecturally synchronized STPA–FTA structure rather than through a sequential or loosely coupled workflow.
A central implication of the case study is that the dominant accident pathways identified through the fault-tree evaluation are not isolated technical failures, but manifestations of broader socio-technical control problems. The pathways associated with degraded situational awareness, delayed supervisory intervention, authority handover conflict, undetected execution deviation, and incorrect collision-risk assessment show that the safety of a DoA3 vessel depends on the interaction between onboard autonomy, sensing and perception quality, communication performance, supervisory control, and fallback coordination. This interpretation is aligned with recent MASS literature emphasizing that autonomous ship safety is shaped by control-loop interactions, operational context, and the safe management of degraded states and supervisory intervention, not only by component reliability [29,52,65].
The discussion also highlights the relevance of the selected case study configuration. The use of a short-sea autonomous vessel operating in a dense North Sea traffic context provided a demanding and methodologically appropriate application environment for the framework, since it involves conditions in which perception reliability, collision-risk assessment, communication latency, and ROC coordination are safety-critical. The case study was also framed using operational concepts such as the Concept of Operation, Operational Envelope, Operational Design Domain, Modes of Operation, and fallback-state logic, which in the present study served mainly to structure the operational context and interpret degraded and supervisory-control conditions [7,8,21,41,66].
Methodologically, the study suggests that the proposed framework offers two main advantages over the isolated use of either STPA or FTA. First, STPA provides the systemic and control-oriented basis needed to explain why unsafe functional conditions arise in a complex ANS–ROC architecture. Second, FTA provides a disciplined structure for representing how those unsafe conditions propagate through explicit failure branches and for identifying dominant combinations of lower-level events through minimal cut-set analysis, thereby supporting structured risk significance evaluation and, where suitable data are available, quantitative risk evaluation. The combined framework therefore supports a richer interpretation than STPA alone, while also avoiding the reduction of safety analysis to purely technical failure propagation detached from the control architecture. This point is particularly important in MASS, where the safety problem is strongly shaped by software behavior, remote supervision, and dynamic authority allocation. Recent review studies similarly conclude that hybrid approaches are likely to be necessary for MASS risk assessment, while also noting that current literature still lacks sufficiently integrated and operationally grounded applications [16,17,22,24,27,29,62,63].
The applicability of the proposed STPA–FTA framework is not limited to the specific case study examined in this work but extends to a broader range of Maritime Autonomous Surface Ship (MASS) configurations and operational scenarios. The structured seven-step workflow enables systematic adaptation to different levels of autonomy, accident classes, and vessel architectures through the consistent application of the defined analytical steps. In this context, variations in system configuration, operational concept, and hazard domain are addressed through the redefinition and refinement of the relevant elements within each step of the analysis, including system boundaries, losses, hazards, control structures, unsafe control actions, and corresponding failure propagation mechanisms. In this way, the framework maintains methodological consistency while allowing systematic and reproducible adaptation to different vessel types, operational concepts, and safety assessment objectives.
At the same time, the study also has important limitations. The case study remains focused on a representative collision scenario and does not attempt to exhaustively evaluate all possible top events or all operational phases in full detail. The fault-tree evaluation was used primarily for structural interpretation of accident pathways through minimal cut-set analysis, rather than for validated probabilistic estimation. This is because empirically grounded reliability data for autonomous navigation, ANS–ROC interaction, and supervisory-control functions remain limited, which is a challenge repeatedly noted in recent autonomous-ship safety research [16,17,18,60]. Accordingly, the results should be interpreted as demonstrating the methodological capability of the framework and the internal coherence of the integrated safety model, rather than as providing final quantitative risk values for a real vessel design.
A second limitation concerns validation. In the present paper, Step 7 was implemented through structural consistency review, plausibility assessment, and traceability validation. This is defensible for an early-design, concept-level case study, particularly given that STPA is widely used at the early concept and architecture stage of system development [64]. However, it does not replace later-stage validation activities such as expert review workshops, high-fidelity simulation, formal verification, prototype testing, or analysis using validated operational datasets. Recent work in autonomous-ship hazard verification also points to the difficulty of validating hazard-analysis results in the absence of supporting data and suggests that additional formal and simulation-based approaches will be increasingly important [60].
These limitations indicate several directions for future research. First, the framework should be extended to additional top events, including allision and grounding, in order to further examine its generalizability across different navigational accident classes. Second, future studies should apply the framework to additional MASS configurations and degrees of autonomy in order to examine how the dominant pathways change with different control architectures and levels of ship–shore dependence. Third, the present structural fault-tree evaluation should be complemented by more robust data-supported quantification when suitable reliability and operational data become available. Finally, the validation stage should be expanded through expert elicitation, simulation-based scenario analysis, and/or, where feasible, operational or experimental evidence.
Overall, the results suggest that the proposed framework provides a structured methodological basis for the integrated safety assessment of autonomous maritime systems. Its main contribution lies in demonstrating that STPA and FTA can be applied in a synchronized and traceable manner within a shared system architecture, enabling the analyst to move systematically from systemic hazards and unsafe control actions to dominant accident pathways and targeted mitigation strategies. In this sense, the framework contributes not only to methodological development in MASS risk assessment but also to the broader challenge of building defendable safety cases for the deployment of remotely supervised and autonomous vessels.

5. Conclusions

This study presented a parallel and architecturally synchronized STPA–FTA risk assessment framework for Maritime Autonomous Surface Ships (MASS) and demonstrated its application to a representative DoA3 short-sea freight vessel operating in a high-density North Sea traffic context.
The proposed framework, conceptualized in an earlier work by the authors [20], has now been expanded and critically calibrated to address a persistent methodological gap in MASS safety assessment, namely the limited integration between system-theoretic hazard analysis and fault-based accident propagation modelling. In contrast to sequential or loosely coupled approaches, the framework integrates STPA and FTA through a shared system architecture, enabling both analytical branches to evolve in parallel while preserving explicit traceability between hazards, unsafe control actions, causal scenarios, failure events, and accident pathways.
The case study demonstrated that the framework can support a coherent progression from the definition of operational context, losses, hazards, failure domains, and top events to the identification of Unsafe Control Actions (UCAs), development of causal scenarios, refinement of fault-tree branches, interpretation of dominant accident pathways, and derivation of targeted mitigation strategies. The results showed that the dominant accident pathways in the analyzed collision scenario were associated with perception and situational-awareness degradation, communication disturbance, authority and mode-coordination conflict, actuation and maneuver-execution deviation, and incorrect collision-risk assessment. These findings indicate that autonomous-vessel safety is governed not only by component failures but also by control deficiencies and interactions across the onboard autonomy, sensing, communication, and remote supervisory layers.
The main contribution of the study, therefore, lies in demonstrating that STPA and FTA can be combined in a synchronized and traceable analytical workflow capable of supporting structured safety assessment of complex autonomous maritime systems. In particular, the framework preserves the systems-oriented strengths of STPA while extending the analysis through the structured accident-pathway reasoning of FTA. This makes it suitable for supporting early-stage safety assessment and the development of more transparent and defendable safety cases for MASS.
At the same time, the present study remains bounded by the scope of a concept-level case study. The fault-tree evaluation was used primarily for structural interpretation through minimal cut-set analysis rather than for fully validated probabilistic estimation, and the validation stage focused on structural consistency, plausibility, and traceability rather than experimental or operational verification. Future work should therefore extend the framework to additional accident scenarios, vessel types, and autonomy levels, while also strengthening quantitative support and external validation through expert review, simulation-based assessment, and, where possible, testing or operational evidence.
Overall, the findings suggest that the proposed parallel STPA–FTA framework provides a credible methodological basis for the integrated safety assessment of autonomous ships and contributes to the broader effort to support the safe and regulated deployment of remotely supervised and autonomous vessel operations.

Author Contributions

Conceptualization, K.V. and I.T.; methodology, K.V.; formal analysis, K.V.; investigation, K.V.; data curation, K.V.; visualization, K.V.; writing—original draft preparation, K.V.; writing—review and editing, K.V. and I.T.; supervision, I.T.; resources, K.V. and I.T. All authors have read and agreed to the published version of the manuscript.

Funding

This publication was funded by the Special Account for Research Grants (ELKE) of the University of West Attica. (This publication was produced with funding from the ELKE of the University of West Attica.)

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Acknowledgments

This paper was prepared in the context of the doctoral research of the first author. During the preparation of this manuscript, the authors used TopEvent FTA Express—Fault Tree Analysis Software by Reliotech (Version 1.2.7) for FTA modelling. The authors reviewed and edited the software outputs and take full responsibility for the content of this publication.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
ANS: Autonomous Navigation System
BN: Bayesian Network
CCF: Common-Cause Failure
CMF: Common-Mode Failure
ConOps: Concept of Operation
CS: Causal Scenario
DoA: Degree of Autonomy
DP: Dominant Accident Pathway
EMSA: European Maritime Safety Agency
FD: Failure Domain
FMEA: Failure Modes and Effects Analysis
FTA: Fault Tree Analysis
HAZID: Hazard Identification
HAZOP: Hazard and Operability Study
IMO: International Maritime Organization
MASS: Maritime Autonomous Surface Ships
MCS: Minimal Cut Sets
MoO: Mode of Operation
ODD: Operational Design Domain
OE: Operational Envelope
RBAT: Risk-Based Assessment Tool
ROC: Remote Operations Centre
STAMP: Systems-Theoretic Accident Model and Processes
STPA: System-Theoretic Process Analysis
UCA: Unsafe Control Action

Appendix A. Supporting Analytical Tables

Table A1. Complete set of hazards identified for the case study autonomous vessel.

Hazard ID | Hazard Description
H1 | Inadequate situational awareness for the current encounter context, including missing or incorrect targets, degraded tracking or classification, or an incomplete traffic picture.
H2 | Unsafe or non-compliant maneuver command issued, such as a trajectory, speed, or heading command that increases collision or grounding risk or conflicts with COLREG intent.
H3 | Required risk-reducing maneuver not issued or executed in time during a developing encounter situation.
H4 | Operation outside the validated Operational Envelope (OE) or Operational Design Domain (ODD), including cases where sensing or communication degradation persists without detection or without activation of defined degraded-state behavior.
H5 | Remote supervisory or override function unavailable or delayed beyond safe limits during operational phases where supervisory intervention is required (Degree of Autonomy 3 specific).
H6 | Command execution deviates materially from intended behavior without timely detection, resulting in actuation or maneuver execution mismatch that is not detected or compensated.
H7 | Hazardous interaction between shipboard autonomy and Remote Operations Centre control, including mode confusion, conflicting commands, or unclear authority handover (Degree of Autonomy 3 specific).
H8 | Integrity of critical navigation inputs (sensor or communication data) compromised without timely detection, leading to incorrect situational awareness or decision-making.
Table A2. Failure domains used to structure the preliminary fault tree architecture.

Failure Domain | Description
FD1—Perception/Sensing | Failures affecting sensor availability or detection capability, including sensor outage, interference, misdetection, or misclassification of surrounding traffic.
FD2—Fusion/Integrity | Failures related to track fusion and integrity monitoring, including inconsistent or stale traffic information, integrity monitoring failure, or unverified or maliciously altered input data.
FD3—Decision/Planning | Failures affecting encounter assessment, COLREG reasoning, or maneuver planning logic resulting in unsafe trajectory generation.
FD4—Communication (ANS↔ROC) | Failures in the communication link between the Autonomous Navigation System and the Remote Operations Centre, including loss, latency, corruption, or bandwidth degradation affecting supervision or override capability, including cybersecurity-induced corruption or unauthorized command injection.
FD5—Command Execution/Actuation | Failures affecting maneuver execution, including steering or thrust commands not executed correctly or vessel response deviating from commanded behavior.
FD6—Mode/Authority Management | Failures in control authority allocation, including mode confusion, conflicting control commands, or improper handover between autonomous and supervisory control.
FD7—Human Supervisory (ROC) | Failures associated with remote human supervision, including delayed intervention, incorrect interpretation of system state, or incorrect override decisions.
Table A3. Complete Unsafe Control Action Set.

UCA ID | Control Action | Unsafe Control Condition | STPA Category | Linked Hazard(s)
UCA-ANS-01 | Issue heading/course change command | No course-change command is issued when an avoidance turn is required in a developing encounter. | Not provided when required | H3, H2
UCA-ANS-02 | Issue heading/course change command | A course-change command is issued although no collision-avoidance maneuver is required. | Provided when not required | H2
UCA-ANS-03 | Issue heading/course change command | A course-change command is issued too late to achieve the required safe separation distance. | Provided too late | H3
UCA-ANS-04 | Issue heading/course change command | A course-change command is issued prematurely before a stable encounter assessment is available. | Provided too early | H2
UCA-ANS-05 | Issue heading/course change command | A course-change command is issued in an incorrect sequence relative to other maneuver commands (e.g., relative to speed update). | Wrong order | H2
UCA-ANS-06 | Issue heading/course change command | A course-change command is maintained too long or terminated too early, resulting in an unsafe maneuver execution. | Applied too long/stopped too soon | H2
UCA-ANS-07 | Issue speed/thrust command | No speed adjustment is issued when speed reduction is required to safely manage an encounter. | Not provided when required | H3
UCA-ANS-08 | Issue speed/thrust command | A speed adjustment command is issued although no change in speed is required. | Provided when not required | H2
UCA-ANS-09 | Issue speed/thrust command | A speed adjustment command is issued too late to influence vessel maneuverability. | Provided too late | H3
UCA-ANS-10 | Issue speed/thrust command | A speed adjustment command is issued prematurely, reducing maneuverability under normal navigation conditions. | Provided too early | H2
UCA-ANS-11 | Issue speed/thrust command | A speed command is maintained too long or terminated prematurely, resulting in an unsafe speed profile. | Applied too long/stopped too soon | H2
UCA-ANS-12 | Issue trajectory/maneuver plan update (collision avoidance) | No trajectory update is issued when a maneuver re-planning is required to maintain safe navigation. | Not provided when required | H3, H2
UCA-ANS-13 | Issue trajectory/maneuver plan update (collision avoidance) | A trajectory update is issued although no maneuver adjustment is required. | Provided when not required | H2
UCA-ANS-14 | Issue trajectory/maneuver plan update (collision avoidance) | A trajectory update is issued too late to safely resolve the encounter. | Provided too late | H3
UCA-ANS-15 | Issue trajectory/maneuver plan update (collision avoidance) | A trajectory update is issued prematurely based on incomplete situational awareness. | Provided too early | H1, H2
UCA-ANS-16 | Issue trajectory/maneuver plan update (collision avoidance) | A trajectory update is issued while the vessel is under ROC authority or during an ongoing authority handover. | Wrong order | H7
UCA-ANS-17 | Issue trajectory/maneuver plan update (collision avoidance) | The trajectory plan remains active too long or is terminated prematurely despite changes in traffic conditions. | Applied too long/stopped too soon | H2
UCA-ANS-18 | Initiate mode transition | Mode transition is not initiated when degradation or ODD exceedance requires fallback behavior. | Not provided when required | H4, H7
UCA-ANS-19 | Initiate mode transition | Mode transition is initiated when not required, creating unnecessary operational disruption and authority confusion. | Provided when not required | H7
UCA-ANS-20 | Initiate mode transition | Mode transition is initiated too late after degradation is detected, leaving unsafe operation ongoing. | Provided too late | H4
UCA-ANS-21 | Initiate mode transition | Mode transition is initiated too early (false-positive degradation), causing inappropriate fallback behavior in critical phases. | Provided too early | H4, H7
UCA-ANS-22 | Initiate mode transition | Mode transition is commanded during an authority handover before the ROC is confirmed ready to assume control. | Wrong order | H7, H5
UCA-ANS-23 | Initiate mode transition | Fallback/degraded mode is maintained too long/exited too soon, resulting in unsafe capability mismatch in changing conditions. | Applied too long/stopped too soon | H4
UCA-ANS-24 | Request ROC intervention/escalation | Escalation to the ROC is not requested when supervisory intervention is required. | Not provided when required | H5, H7
UCA-ANS-25 | Request ROC intervention/escalation | Escalation is requested when not required, overloading the ROC and increasing delay for truly critical events. | Provided when not required | H5
UCA-ANS-26 | Request ROC intervention/escalation | Escalation request is sent too late for effective supervisory intervention. | Provided too late | H5, H3
UCA-ANS-27 | Request ROC intervention/escalation | Escalation request is sent too early, before sufficient system assessment is available, leading to ineffective or conflicting interventions. | Provided too early | H7
UCA-ANS-28 | Request ROC intervention/escalation | Escalation request persists too long or is cancelled prematurely while the unsafe condition remains active. | Applied too long/stopped too soon | H7, H5
UCA-ANS-29 | Input Integrity Validation | Integrity validation of critical navigation inputs is not performed before those inputs are used for encounter assessment. | Not provided when required | H8, H1
UCA-ANS-30 | Input Integrity Validation | Integrity is flagged compromised when not compromised, causing inappropriate degraded behavior. | Provided when not required | H4
UCA-ANS-31 | Input Integrity Validation | Integrity compromise is detected or flagged too late to prevent unsafe decision-making. | Provided too late | H8, H1, H3
UCA-ANS-32 | Input Integrity Validation | Integrity compromise flag is cleared prematurely, resulting in unsafe trust in navigation inputs that may still be unreliable. | Stopped too soon | H8, H1
UCA-ANS-33 | Input Integrity Validation | Integrity compromise flag remains active longer than required, resulting in unnecessary degraded operation or restriction. | Applied too long | H4
UCA-ROC-01 | Override maneuver (heading/speed/trajectory) | ROC override maneuver is not issued when intervention is required due to unsafe ANS behavior or degraded system capability. | Not provided when required | H5, H2
UCA-ROC-02 | Override maneuver (heading/speed/trajectory) | ROC override maneuver is issued when not required, disrupting a safe ANS maneuver and potentially creating new conflicts. | Provided when not required | H7, H2
UCA-ROC-03 | Override maneuver (heading/speed/trajectory) | ROC override maneuver is issued too late to alter the outcome in a developing encounter. | Provided too late | H5, H3
UCA-ROC-04 | Override maneuver (heading/speed/trajectory) | ROC override maneuver is issued before adequate situational assessment is available. | Provided too early | H1, H2
UCA-ROC-05 | Override maneuver (heading/speed/trajectory) | ROC override is issued in the wrong order relative to authority confirmation (commands sent while ANS still in control/unclear authority). | Wrong order | H7
UCA-ROC-06 | Override maneuver (heading/speed/trajectory) | Override command is maintained too long/stopped too soon, producing oscillation or incomplete risk reduction. | Applied too long/stopped too soon | H7, H2
UCA-ROC-07 | Approve/force mode transition | ROC does not approve/force required mode transition under verified degradation/ODD exceedance. | Not provided when required | H4, H5
UCA-ROC-08 | Approve/force mode transition | ROC forces mode transition when not required, creating unnecessary fallback and authority confusion. | Provided when not required | H7, H4
UCA-ROC-09 | Approve/force mode transition | ROC approval/forcing is issued too late, leaving unsafe operation in normal mode. | Provided too late | H4, H5
UCA-ROC-10 | Approve/force mode transition | ROC approval/forcing is issued in the wrong order relative to handover (e.g., approves fallback after authority already assumed/released without sync). | Wrong order | H7
UCA-ROC-11 | Execute authority handover (assume/release control) | ROC does not assume control when required (e.g., ANS requests escalation and degradation prevents safe autonomy). | Not provided when required | H5, H7
UCA-ROC-12 | Execute authority handover (assume/release control) | ROC assumes/releases authority when not required, creating mode confusion and conflicting commands. | Provided when not required | H7
UCA-ROC-13 | Execute authority handover (assume/release control) | Authority handover occurs too late to provide effective control. | Provided too late | H5, H3
UCA-ROC-14 | Execute authority handover (assume/release control) | Authority handover occurs too early (before communication stability and situational awareness are sufficient), increasing unsafe intervention risk. | Provided too early | H1, H7
UCA-ROC-15 | Execute authority handover (assume/release control) | Authority handover is executed in the wrong order relative to mode confirmation (handover without confirmed state alignment). | Wrong order | H7
UCA-ROC-16 | Execute authority handover (assume/release control) | Authority is held too long/released too soon, causing unstable responsibility allocation during multi-phase operations. | Applied too long/stopped too soon | H7
UCA-ROC-17 | Impose supervisory operational constraints (e.g., speed limit, conservative policy) | ROC does not impose supervisory constraints when required (e.g., reduced visibility/high traffic/degraded sensors). | Not provided when required | H5, H4
UCA-ROC-18 | Impose supervisory operational constraints (e.g., speed limit, conservative policy) | ROC imposes constraints when not required, causing unsafe maneuver limitations (e.g., inability to comply with COLREG due to a too strict speed limit). | Provided when not required | H2, H7
UCA-ROC-19 | Impose supervisory operational constraints (e.g., speed limit, conservative policy) | Constraints are imposed too late to influence decision/execution. | Provided too late | H5, H3
UCA-ROC-20 | Impose supervisory operational constraints (e.g., speed limit, conservative policy) | Constraints are imposed too early (before situation assessment), causing suboptimal/unsafe behavior in dynamic encounters. | Provided too early | H1, H2
UCA-ROC-21 | Impose supervisory operational constraints (e.g., speed limit, conservative policy) | Constraints are imposed in the wrong order relative to authority/mode change (constraint conflicts with current control policy state). | Wrong order | H7
UCA-ROC-22 | Impose supervisory operational constraints (e.g., speed limit, conservative policy) | Constraints are maintained too long/removed too soon, creating policy oscillation or unsafe relaxation of operational constraints. | Applied too long/stopped too soon | H4, H7
Table A4. Mapping of Unsafe Control Actions to Failure Domains within the Integrated STPA–FTA Framework.

Failure Domain | Associated Control Actions | UCAs Localized in Domain | Basis for Assignment
FD1—Perception/Sensing | — (input generation/sensing functions) | — | No UCAs are localized in this domain at Step 3 because sensing functions do not issue control actions; failures in sensing/perception are represented as component-level/basic events during later FTA refinement (Step 5) and as causal factors in Step 4 scenarios.
FD2—Fusion/Integrity | Input Integrity Validation | UCA-ANS-29–UCA-ANS-33 | Integrity monitoring and validation of critical navigation inputs (originating from FD1 and communication sources) prior to encounter assessment and decision-making.
FD3—Decision/Planning | Issue heading/course change command; Issue speed/thrust command; Issue trajectory/maneuver plan update | UCA-ANS-01–UCA-ANS-17 | Unsafe maneuver planning, timing, and trajectory generation within ANS decision logic.
FD4—Communication (ANS–ROC) | Request ROC intervention/escalation | UCA-ANS-24–UCA-ANS-28 | Unsafe supervisory interaction mediated through the ANS–ROC communication interface (escalation timing/necessity/duration).
FD5—Command Execution/Actuation | — (execution/actuation response) | — | No UCAs are localized in this domain at Step 3 because actuation does not originate control actions; execution deviations are represented through component-level/basic events and detection/compensation failures during later FTA refinement (Step 5).
FD6—Mode/Authority Management | Initiate mode transition; Approve/force mode transition; Execute authority handover | UCA-ANS-18–UCA-ANS-23; UCA-ROC-07–UCA-ROC-16 | Mode transitions and authority allocation/transfer between ANS and ROC.
FD7—Human Supervisory (ROC) | Override maneuver; Impose supervisory operational constraints | UCA-ROC-01–UCA-ROC-06; UCA-ROC-17–UCA-ROC-22 | ROC supervisory intervention (override) and policy/constraint imposition affecting ANS behavior.
Table A5. Representative minimal cut sets derived from the structural fault-tree evaluation for the perception degradation pathway (DP1).

Minimal Cut Set | Order | Basic Event(s) | Interpretation
MCS-1 | 1 | Radar sensor failure | Loss of primary traffic detection capability
MCS-2 | 1 | AIS signal reception loss | Loss of AIS-based vessel identification and traffic awareness
MCS-3 | 1 | Sensor-fusion processing failure or delay | Failure or excessive latency in fusion processing preventing timely construction of the traffic picture
MCS-4 | 1 | Corrupted navigation data input | Invalid navigation inputs propagating to perception and decision modules
MCS-5 | 1 | Sensor data processing or synchronization delay | Timing misalignment between sensing modules affecting traffic state estimation
MCS-6 | 1 | Incorrect motion or vessel state estimation | Errors in relative-motion or vessel state calculation affecting encounter assessment
MCS-7 | 1 | Inconsistent multi-source traffic data not detected | Integrity monitoring failure allowing conflicting sensor inputs
MCS-8 | 2 | Dense traffic environment + insufficient target discrimination capability | Environmental complexity combined with insufficient filtering performance
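As an added worked example (not the authors' model, nor output of the TopEvent FTA software used in the paper), the Python below reconstructs a fault-tree fragment that is consistent with the eight cut sets of Table A5 and derives the minimal cut sets by top-down gate expansion with absorption, the structural step that the Discussion refers to as minimal cut-set analysis. The gate structure, the name of the two-event AND gate, and the small absorption demo tree are assumptions introduced here for illustration.

```python
"""Minimal cut sets (MCS) for the DP1 perception-degradation pathway.

Added example: the gate structure below is a reconstruction consistent
with the cut sets listed in Table A5, not the authors' fault tree. The
algorithm is the classic top-down expansion of gates into cut sets
followed by minimisation (absorption of any cut set that contains a
smaller one), i.e. the structural evaluation used to read dominant
pathways and single-point failures off the tree.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Union

Node = Union["Gate", str]  # a basic event is represented by its name


@dataclass(frozen=True)
class Gate:
    kind: str       # "OR" or "AND"
    inputs: tuple   # child gates and/or basic-event names
    name: str = ""


def cut_sets(node: Node) -> set[frozenset[str]]:
    """Expand a node into its (not yet minimal) cut sets.

    OR gate: any cut set of any child fails the gate.
    AND gate: every child must fail, so take unions of one cut set per child.
    """
    if isinstance(node, str):
        return {frozenset([node])}
    children = [cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        return set().union(*children)
    if node.kind == "AND":
        combos: set[frozenset[str]] = {frozenset()}
        for child in children:
            combos = {a | b for a in combos for b in child}
        return combos
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimise(sets: set[frozenset[str]]) -> list[frozenset[str]]:
    """Keep only minimal cut sets: drop any set that is a superset of another.

    Sorting by order first guarantees every smaller set is seen before any
    of its supersets, so one pass with subset checks suffices.
    """
    minimal: list[frozenset[str]] = []
    for s in sorted(sets, key=lambda cs: (len(cs), sorted(cs))):
        if not any(m <= s for m in minimal):
            minimal.append(s)
    return minimal


# Reconstructed DP1 fragment (assumption): seven single-event branches plus
# one two-event AND gate, matching the eight cut sets of Table A5.
DP1 = Gate("OR", (
    "Radar sensor failure",
    "AIS signal reception loss",
    "Sensor-fusion processing failure or delay",
    "Corrupted navigation data input",
    "Sensor data processing or synchronization delay",
    "Incorrect motion or vessel state estimation",
    "Inconsistent multi-source traffic data not detected",
    Gate("AND", (
        "Dense traffic environment",
        "Insufficient target discrimination capability",
    ), name="Target discrimination degraded (assumed gate name)"),
), name="DP1 perception degradation")


def minimal_cut_sets(tree: Node = DP1) -> list[frozenset[str]]:
    return minimise(cut_sets(tree))


def order_profile(mcs: list[frozenset[str]]) -> dict[int, int]:
    """Number of cut sets per order; order-1 sets are single-point failures."""
    profile: dict[int, int] = {}
    for cs in mcs:
        profile[len(cs)] = profile.get(len(cs), 0) + 1
    return profile


def absorption_demo() -> list[frozenset[str]]:
    """Constructed mini-tree showing why minimisation matters: radar failure
    alone already fails the top event, so {radar, AIS} is absorbed."""
    tree = Gate("OR", (
        "Radar sensor failure",
        Gate("AND", ("Radar sensor failure", "AIS signal reception loss")),
    ))
    return minimal_cut_sets(tree)


if __name__ == "__main__":
    for i, cs in enumerate(minimal_cut_sets(), start=1):
        print(f"MCS-{i}  order {len(cs)}  " + " + ".join(sorted(cs)))
    print("order profile:", order_profile(minimal_cut_sets()))
```

The order profile makes the paper's structural reading explicit: seven of the eight cut sets are order 1, so DP1 is dominated by single-point failures rather than by coincident events.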

References

  1. Utne, I.B.; Rokseth, B.; Sørensen, A.J.; Vinnem, J.E. Towards Supervisory Risk Control of Autonomous Ships. Reliab. Eng. Syst. Saf. 2020, 196, 106757.
  2. Wróbel, K.; Montewka, J.; Kujala, P. Towards the Development of a System-Theoretic Model for Safety Assessment of Autonomous Merchant Vessels. Reliab. Eng. Syst. Saf. 2018, 178, 209–224.
  3. Burmeister, H.-C.; Bruhn, W.; Rødseth, Ø.J.; Porathe, T. Autonomous Unmanned Merchant Vessel and Its Contribution towards the E-Navigation Implementation: The MUNIN Perspective. Int. J. E-Navig. Marit. Econ. 2014, 1, 1–13.
  4. Ferreira, F.; Alves, J.; Leporati, C.; Bertolini, A.; Bargelli, E. Current Regulatory Issues in the Usage of Autonomous Surface Vehicles. In Proceedings of the 2018 OCEANS—MTS/IEEE Kobe Techno-Oceans (OTO), Kobe, Japan, 28–31 May 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 1–9.
  5. Banda, O.A.V.; Kannos, S.; Goerlandt, F.; van Gelder, P.H. A Systemic Hazard Analysis and Management Process for the Concept Design Phase of an Autonomous Vessel. Reliab. Eng. Syst. Saf. 2019, 191, 106584.
  6. Hatledal, L.I.; Skulstad, R.; Li, G.; Styve, A.; Zhang, H. Co-Simulation as a Fundamental Technology for Twin Ships. MIC 2020, 41, 297–311.
  7. International Maritime Organization (IMO). IMO MSC.1/Circ.1638—Outcome of the Regulatory Scoping Exercise for the Use of Maritime Autonomous Surface Ships (MASS); IMO: London, UK, 2021.
  8. International Maritime Organization (IMO). IMO MSC.108/4—Development of a Goal-Based Instrument for Maritime Autonomous Surface Ships (MASS); IMO: London, UK, 2024.
  9. International Maritime Organization (IMO). IMO MSC.109/5—Development of a Goal-Based Instrument for Maritime Autonomous Surface Ships (MASS); IMO: London, UK, 2024.
  10. American Bureau of Shipping (ABS). ABS Requirements for Autonomous and Remote Control Functions; ABS: Houston, TX, USA, 2024.
  11. DNV. Autonomous and Remotely Operated Ships; DNV-CG-0264; DNV: Høvik, Norway, 2024.
  12. Bureau Veritas (BV). Guidelines for Autonomous Shipping; Guidance Note NI 641 DT R01 E; Bureau Veritas: Paris, France, 2019.
  13. European Maritime Safety Agency (EMSA). RBAT Part 3 Final Report; EMSA: Lisbon, Portugal, 2024.
  14. European Maritime Safety Agency (EMSA). RBAT Method Description (Rev.4.2); EMSA: Lisbon, Portugal, 2025.
  15. American Bureau of Shipping (ABS). Guidance Notes on Risk Assessment Applications for the Marine and Offshore Industries; ABS: Houston, TX, USA, 2020.
  16. Chaal, M.; Ren, X.; BahooToroody, A.; Basnet, S.; Bolbot, V.; Banda, O.A.V.; Gelder, P.V. Research on Risk, Safety, and Reliability of Autonomous Ships: A Bibliometric Review. Saf. Sci. 2023, 167, 106256.
  17. Tao, J.; Liu, Z.; Wang, X.; Cao, Y.; Zhang, M.; Loughney, S.; Wang, J.; Yang, Z. Hazard Identification and Risk Analysis of Maritime Autonomous Surface Ships: A Systematic Review and Future Directions. Ocean Eng. 2024, 307, 118174.
  18. Li, Z.; Zhang, D.; Han, B.; Wan, C. Risk and Reliability Analysis for Maritime Autonomous Surface Ship: A Bibliometric Review of Literature from 2015 to 2022. Accid. Anal. Prev. 2023, 187, 107090.
  19. Zhou, X.-Y.; Liu, Z.-J.; Wang, F.-W.; Wu, Z.-L.; Cui, R.-D. Towards Applicability Evaluation of Hazard Analysis Methods for Autonomous Ships. Ocean Eng. 2020, 214, 107773.
  20. Voutzoulidis, K.G.; Tigkas, I.G. Addressing Risk in Autonomous Shipping: A Combined Parallel STPA and FTA Framework. In Innovations in Sustainable Maritime Technology—IMAM 2025; Spyrou, K.J., Themelis, N., Eds.; Springer Nature Switzerland: Cham, Switzerland, 2025; pp. 235–248. ISBN 978-3-032-02101-4.
  21. Park, H.; Kim, J. STPA Analysis for Safe Operation of Maritime Autonomous Surface Ship under Degradation State. Front. Mar. Sci. 2025, 12, 1601515.
  22. Gomola, A.; Bouwer Utne, I. A Novel STPA Approach to Software Safety and Security in Autonomous Maritime Systems. Heliyon 2024, 10, e31483.
  23. Gu, Q.; Deng, B.; He, Y.; Zhang, Y.; Cheng, L.; Wang, Y. MarineSeg: A CNN–Transformer Hybrid Architecture with Feature Voting Decoder for Robust Semantic Segmentation in USV-Captured Images. Neurocomputing 2026, 671, 132597.
  24. Yamada, T.; Sato, M.; Kuranobu, R.; Watanabe, R.; Itoh, H.; Shiokari, M.; Yuzui, T. Evaluation of Effectiveness of the STAMP/STPA in Risk Analysis of Autonomous Ship Systems. J. Phys. Conf. Ser. 2022, 2311, 012021.
  25. Chaal, M.; Valdez Banda, O.A.; Glomsrud, J.A.; Basnet, S.; Hirdaris, S.; Kujala, P. A Framework to Model the STPA Hierarchical Control Structure of an Autonomous Ship. Saf. Sci. 2020, 132, 104939.
  26. Leveson, N.; Thomas, J. STPA Handbook; Massachusetts Institute of Technology (MIT): Cambridge, MA, USA, 2018.
  27. Basnet, S.; BahooToroody, A.; Chaal, M.; Lahtinen, J.; Bolbot, V.; Valdez Banda, O.A. Risk Analysis Methodology Using STPA-Based Bayesian Network Applied to Remote Pilotage Operation. Ocean Eng. 2023, 270, 113569.
  28. Yang, X.; Zhu, Y.; Zhou, T.; Xu, S.; Zhang, W.; Zhou, X.; Meng, X. Integrating Software FMEA and STPA to Develop a Bayesian Network-Based Software Risk Model for Autonomous Ships. JMSE 2023, 12, 4.
  29. Nakashima, T.; Kureta, R.; Khastgir, S. Addressing Systemic Risks in Autonomous Maritime Navigation: A Structured STPA and ODD-Based Methodology. Reliab. Eng. Syst. Saf. 2025, 261, 111041.
  30. Basnet, S.; BahooToroody, A.; Montewka, J.; Chaal, M.; Valdez Banda, O.A. Selecting Cost-Effective Risk Control Option for Advanced Maritime Operations; Integration of STPA-BN-Influence Diagram. Ocean Eng. 2023, 280, 114631.
  31. Harkleroad, E.P.; Vela, A.E.; Kuchar, J.K. Review of Systems-Theoretic Process Analysis (STPA) Method and Results to Support NextGen Concept Assessment and Validation; MIT Lincoln Laboratory: Lexington, MA, USA, 2013.
  32. Noh, H.; Kang, K.; Park, J.-Y. Risk Analysis of Autonomous Underwater Vehicle Operation in a Polar Environment Based on Fuzzy Fault Tree Analysis. J. Mar. Sci. Eng. 2023, 11, 1976.
  33. Sahin, B.; Yazidi, A.; Roman, D.; Soylu, A. Ontology-Based Fault Tree Analysis Algorithms in a Fuzzy Environment for Autonomous Ships. IEEE Access 2021, 9, 40915–40932.
  34. Li, P.; Wang, Y.; Yang, Z. Risk Assessment of Maritime Autonomous Surface Ships Collisions Using an FTA-FBN Model. Ocean Eng. 2024, 309, 118444.
  35. Rehail, Y.; Tchouar, N.; Zennir, Y.; Carniel, A. STPA-FTA Hybrid Hazard Analysis Framework Applied to a High Integrity Pressure Protection System. Life Cycle Reliab. Saf. Eng. 2026.
  36. Zhou, Z.; Mao, H.; Yang, B.; Sun, S. A Novel Method for Risk Identification and Quantitative Assessment in Shale Gas Development Phase Based on STPA-FTA-DEMATEL. Unconv. Resour. 2026, 10, 100301.
  37. Ventikos, N.P.; Chmurski, A.; Louzis, K. A Systems-Based Application for Autonomous Vessels Safety: Hazard Identification as a Function of Increasing Autonomy Levels. Saf. Sci. 2020, 131, 104919.
  38. ReVolt—Next Generation Short Sea Shipping. Available online: https://www.dnv.com/news/revolt-next-generation-short-sea-shipping-7279/ (accessed on 26 January 2025).
  39. European Environment Agency; European Maritime Safety Agency. European Maritime Transport Environmental Report 2025; Publications Office: Luxembourg, 2025.
  40. Eurostat. Maritime Transport Statistics—Short Sea Shipping of Goods; Eurostat: Luxembourg, 2026.
  41. Ahmed, Y.A.; Theotokatos, G.; Maslov, I.; Wennersberg, L.A.L.; Nesheim, D.A. Regulatory and Legal Frameworks Recommendations for Short Sea Shipping Maritime Autonomous Surface Ships. Mar. Policy 2024, 166, 106226.
  42. Leveson, N.G. Engineering a Safer World: Systems Thinking Applied to Safety; The MIT Press: Cambridge, MA, USA, 2012; ISBN 978-0-262-29824-7.
  43. National Aeronautics and Space Administration (NASA). Fault Tree Analysis: A Bibliography; NASA Special Publication: Washington, DC, USA, 2000.
  44. Vesely, W.E.; Goldberg, F.F.; Roberts, N.H.; Haasl, D.F. NUREG-0492, “Fault Tree Handbook”; U.S. Nuclear Regulatory Commission: Washington, DC, USA, 1981.
  45. International Electrotechnical Commission. IEC 61025:2006—Fault Tree Analysis (FTA); IEC: Geneva, Switzerland, 2006.
  46. Byun, S.; Papaelias, M.; Márquez, F.P.G.; Lee, D. Fault-Tree-Analysis-Based Health Monitoring for Autonomous Underwater Vehicle. J. Mar. Sci. Eng. 2022, 10, 1855.
  47. Lee, P.; Bolbot, V.; Theotokatos, G.; Boulougouris, E.; Vassalos, D. Fault Tree Analysis of the Autonomous Navigation for Maritime Autonomous Surface Ships. In Proceedings of the 1st International Conference on the Stability and Safety of Ships and Ocean Vehicles, Online, 6–11 June 2021. [Google Scholar]
  48. Mahboob, Q.; Straub, D. Comparison of Fault Tree and Bayesian Networks for Modeling Safety Critical Components in Railway Systems. In Safety, Reliability and Risk Analysis: Beyond the Horizon; CRC Press: Boca Raton, FL, USA, 2011; ISBN 978-0-415-68379-1. [Google Scholar]
  49. European Commission EU. Transport in Figures 2020; Publications Office of the European Union: Luxembourg, 2020. [Google Scholar]
  50. Port of Rotterdam Authority. Highlights Annual Report; Port of Rotterdam Authority: Rotterdam, The Netherlands, 2024. [Google Scholar]
  51. Bolbot, V.; Theotokatos, G.; Nesheim, D.A.; Lien Wennersberg, L.A. A Holistic Framework for Autonomous Shipping Safety Security and Cybersecurity Assurance; AUTOSHIP EU Funded Project Deliverable D2.6; 2021; Available online: https://www.researchgate.net/publication/361738310_ (accessed on 16 April 2026).
  52. Sumon, M.M.A.; Kim, H.; Rokseth, B. Hazard Analysis of Autonomous Vessel Operation during the Interaction and Execution between Remote Operation Centre Controller and Onboard Controllers. J. Shipp. Trade 2025, 10, 25. [Google Scholar] [CrossRef]
  53. Hoem, Å.S.; Rødseth, Ø.J.; Johnsen, S.O. Adopting the CRIOP Framework as an Interdisciplinary Risk Analysis Method in the Design of Remote Control Centre for Maritime Autonomous Systems. In Advances in Safety Management and Human Performance; Lecture Notes in Networks and Systems; Arezes, P.M., Boring, R.L., Eds.; Springer International Publishing: Cham, Switzerland, 2021; Volume 262, pp. 219–227. ISBN 978-3-030-80287-5. [Google Scholar]
  54. Blindheim, S.; Johansen, T.A.; Utne, I.B. Risk-Based Supervisory Control for Autonomous Ship Navigation. J. Mar. Sci. Technol. 2023, 28, 624–648. [Google Scholar] [CrossRef]
  55. Bolbot, V.; Theotokatos, G.; Wennersberg, L.A. A Method to Identify and Rank Objects and Hazardous Interactions Affecting Autonomous Ships Navigation. J. Navig. 2022, 75, 572–593. [Google Scholar] [CrossRef]
  56. International Maritime Organization. Resolution MSC.255(84)—Adoption of the Code of the International Standards and Recommended Practices for a Safety Investigation into a Marine Casualty or Marine Incident (Casualty Investigation Code); IMO: London, UK, 2008. [Google Scholar]
  57. Tam, C.; Bucknall, R. Collision Risk Assessment for Ships. J. Mar. Sci. Technol. 2010, 15, 257–270. [Google Scholar] [CrossRef]
  58. Lee, P.; Theotokatos, G.; Boulougouris, E.; Bolbot, V. Risk-Informed Collision Avoidance System Design for Maritime Autonomous Surface Ships. Ocean Eng. 2023, 279, 113750. [Google Scholar] [CrossRef]
  59. Sadeghi, R.; Goerlandt, F. Validation of System Safety Hazard Analysis in Safety-Critical Industries: An Interview Study with Industry Practitioners. Saf. Sci. 2023, 161, 106084. [Google Scholar] [CrossRef]
  60. Zhou, X.-Y.; Jin, S.; Mei, Y.; Sun, X.; Yang, X.; Nie, S.; Zhang, W. Towards Hazard Analysis Result Verification for Autonomous Ships: A Formal Verification Method Based on Timed Automata. J. Mar. Sci. Eng. 2025, 13, 1058. [Google Scholar] [CrossRef]
  61. Ralyté, J.; Koutsopoulos, G.; Stirna, J. Verification, Validation, and Evaluation of Modeling Methods: Experiences and Recommendations. In Software and Systems Modeling; Springer: Berlin, Germany, 2025. [Google Scholar] [CrossRef]
  62. Yuzui, T.; Kaneko, F. Toward a Hybrid Approach for the Risk Analysis of Maritime Autonomous Surface Ships: A Systematic Review. J. Mar. Sci. Technol. 2025, 30, 153–176. [Google Scholar] [CrossRef]
  63. Na, S.; Lee, D.; Baek, J.; Kim, S.; Choung, C. Qualitative Risk Assessment Methodology for Maritime Autonomous Surface Ships: Cognitive Model-Based Functional Analysis and Hazard Identification. J. Mar. Sci. Eng. 2025, 13, 970. [Google Scholar] [CrossRef]
  64. Shiokari, M.; Itoh, H.; Yuzui, T.; Ishimura, E.; Miyake, R.; Kudo, J.; Kawashima, S. Structure Model-Based Hazard Identification Method for Autonomous Ships. Reliab. Eng. Syst. Saf. 2024, 247, 110046. [Google Scholar] [CrossRef]
  65. Johansen, T.; Utne, I.B. Human-Autonomy Collaboration in Supervisory Risk Control of Autonomous Ships. J. Mar. Eng. Technol. 2024, 23, 135–153. [Google Scholar] [CrossRef]
  66. Corsi, P.; Jakovlev, S.; Figari, M.; Djackov, V. Analysis and Definition of Certification Requirements for Maritime Autonomous Surface Ship Operation. J. Mar. Sci. Eng. 2025, 13, 751. [Google Scholar] [CrossRef]
Figure 1. Main steps of the System-Theoretic Process Analysis (STPA) methodology (adapted from [26]).
Figure 2. Example of a Fault-Tree Structure.
Figure 3. Architecturally synchronized parallel STPA–FTA risk assessment framework.
Figure 4. Hierarchical control structure of the case study vessel system.
Figure 5. Initial fault-tree architecture for the selected top event (generated using TopEvent FTA Express Software by Reliotech—Version 1.2.7).
Figure 6. Refinement of the fault-tree architecture through localized UCA-derived intermediate events (generated using TopEvent FTA Express Software by Reliotech—Version 1.2.7).
Figure 7. Representative refined fault-tree branch for the FD3—Decision/Planning domain (generated using TopEvent FTA Express Software by Reliotech—Version 1.2.7).
Table 1. Conceptual comparison of STPA-based hybrid approaches.

Aspect | STPA–BN Approaches | Sequential/Loosely Coupled STPA–FTA | Proposed Parallel STPA–FTA Framework
Integration logic | Transformation of STPA results into probabilistic dependency structures, introducing additional modelling complexity | Methods applied in stages and linked, with potential loss of contextual information | Concurrent development within shared system architecture
Structural traceability | May be reduced due to transformation into probabilistic dependencies; reliance on expert judgement | Limited due to separation of analytical stages | Preserved through explicit linkage between control actions and fault-tree elements
System representation consistency | Dependent on abstraction into probabilistic models | May lead to inconsistencies between STPA and FTA models | Maintained through shared system architecture
Feedback and control representation | Implicit within probabilistic dependencies | Limited representation due to staged modelling | Explicitly represented through integrated control and failure modelling
Interpretability | May be reduced due to probabilistic abstraction of system behavior | Dependent on consistency between separate models | Enhanced through direct mapping between system behavior and failure logic
Table 2. System losses, representative hazards, top event and representative failure domains.

Category | Description
Loss L1 | Loss of life or serious injury to crew, passengers, or third parties
Loss L2 | Total loss of the vessel or loss of seaworthiness resulting from navigational accident
Loss L3 | Severe environmental damage or pollution
Loss L4 | Major damage to own vessel or third-party assets
Hazard H1 | Inadequate situational awareness for encounter context
Hazard H2 | Unsafe or non-compliant maneuver command issued
Hazard H3 | Required collision-avoidance maneuver not issued in time
Hazard H5 | Remote supervisory/override function is unavailable or delayed
Top Event | Collision with another vessel
Failure Domain FD3 | Decision/planning failure affecting encounter assessment or maneuver selection
Failure Domain FD7 | Human supervisory (ROC) failure affecting timely intervention, interpretation, or override decisions
Table 3. Representative UCAs.

UCA ID | Control Action | Unsafe Control Condition | STPA Category | Linked Hazard(s)
UCA-ANS-03 | Issue heading/course change command | A course-change command is issued too late to achieve the required safe separation distance. | Provided too late | H3
UCA-ANS-15 | Issue trajectory/maneuver plan update | A trajectory update is issued prematurely based on incomplete situational awareness. | Provided too early | H1, H2
UCA-ROC-01 | Override maneuver (heading/speed/trajectory) | ROC override maneuver is not issued when intervention is required due to unsafe ANS behavior or degraded system capability. | Not provided when required | H5, H2
Table 4. Representative mitigation strategies addressing dominant accident pathways.

Dominant Pathway | Representative Mitigation Strategy
DP1—Perception degradation | Sensor redundancy, improved sensor-fusion integrity monitoring, and cross-validation of traffic information from multiple sensing sources.
DP2—Communication disturbance | Communication redundancy, degraded-mode procedures, and buffered telemetry transmission to ensure continuity of supervisory awareness.
DP3—Authority coordination conflict | Explicit authority-management protocols, synchronized mode-transition logic, and confirmation mechanisms for control transfer between ANS and ROC.
DP4—Maneuver execution deviation | Closed-loop maneuver monitoring, execution feedback verification, and adaptive control adjustments to compensate for actuation disturbances.
DP5—Decision algorithm misclassification | Improved encounter prediction models, validation of collision-risk thresholds, and integration of supervisory monitoring for anomalous decision behavior.
Table 5. Navigation map of the integrated STPA–FTA traceability chain.

Traceability Element | Location
Losses (L) | Table 2
Hazards (H) | Table 2; Appendix A
Unsafe Control Actions (UCAs) | Table 3; Appendix A
Causal Scenarios (CS) | Section 3.5
Fault Trees/Failure Events/Representative Minimal Cut Sets (MCS) | Figure 5, Figure 6 and Figure 7; Appendix A
Dominant Accident Pathways (DP) | Table 4
Mitigation Strategies | Table 4
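The traceability chain summarised in Tables 3 and 5 (UCA-derived intermediate events sitting between the fault tree's top event and its basic events, so that each minimal cut set can be read back to the UCAs and hazards it propagates through) can be made concrete in a few dozen lines. The following is an added example, not code from the paper or from the TopEvent FTA software it used: the top event, the FD3/FD7 domain labels, the UCA identifiers and the UCA-to-hazard links are taken from Tables 2 and 3, while the gate logic and the basic events (names prefixed BE-) are constructed for illustration and are not the paper's fault tree. It computes minimal cut sets by bottom-up set expansion with subset elimination and then traces a cut set to its UCAs and hazards.

```python
"""Toy STPA-FTA traceability model (constructed example, not the paper's tree)."""
from dataclasses import dataclass
from itertools import product
from typing import Union

# UCA -> linked hazard(s), as listed in Table 3.
UCA_HAZARDS = {
    "UCA-ANS-03": ["H3"],
    "UCA-ANS-15": ["H1", "H2"],
    "UCA-ROC-01": ["H5", "H2"],
}


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str          # "AND" or "OR"
    inputs: tuple      # Gate instances or basic-event identifiers (str)
    uca: str = ""      # UCA this intermediate event is derived from, if any


Node = Union[Gate, str]


def cut_sets(node: Node) -> set:
    """All (not necessarily minimal) cut sets of a node as frozensets of basic events."""
    if isinstance(node, str):                      # basic event
        return {frozenset([node])}
    child = [cut_sets(c) for c in node.inputs]
    if node.kind == "OR":                          # any input's cut set suffices
        return set().union(*child)
    if node.kind == "AND":                         # one cut set from every input
        return {frozenset().union(*combo) for combo in product(*child)}
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> list:
    """Drop every cut set that has a strict subset among the others."""
    sets = cut_sets(node)
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def uca_of_basic_events(node: Node, current: str = "") -> dict:
    """Map each basic event to the nearest UCA-derived intermediate event above it."""
    if isinstance(node, str):
        return {node: current}
    current = node.uca or current
    mapping = {}
    for c in node.inputs:
        mapping.update(uca_of_basic_events(c, current))
    return mapping


def trace_cut_set(tree: Node, cut_set: frozenset) -> dict:
    """Read a minimal cut set back to the UCAs and hazards it propagates through."""
    be_to_uca = uca_of_basic_events(tree)
    ucas = sorted({be_to_uca[be] for be in cut_set if be_to_uca[be]})
    hazards = sorted({h for u in ucas for h in UCA_HAZARDS[u]})
    return {"ucas": ucas, "hazards": hazards}


# Constructed gate structure. A collision requires both an unsafe ANS decision
# (FD3) and a failure of the ROC to intervene (FD7); each UCA becomes a named
# intermediate event whose inputs are constructed basic events.
UCA_ANS_03 = Gate("Course change issued too late", "AND",
                  ("BE-TRACK-LATENCY", "BE-CPA-THRESHOLD-MISCLASSIFIED"), uca="UCA-ANS-03")
UCA_ANS_15 = Gate("Trajectory update on incomplete picture", "OR",
                  ("BE-SENSOR-FUSION-DEGRADED",), uca="UCA-ANS-15")
FD3 = Gate("FD3 Decision/planning failure", "OR", (UCA_ANS_03, UCA_ANS_15))
UCA_ROC_01 = Gate("ROC override not issued when required", "OR",
                  ("BE-TELEMETRY-LINK-DISTURBED", "BE-AUTHORITY-TRANSFER-CONFLICT"),
                  uca="UCA-ROC-01")
FD7 = Gate("FD7 Human supervisory (ROC) failure", "OR", (UCA_ROC_01,))
TOP = Gate("Collision with another vessel", "AND", (FD3, FD7))


if __name__ == "__main__":
    for mcs in minimal_cut_sets(TOP):
        print(sorted(mcs), "->", trace_cut_set(TOP, mcs))
```

The subset-elimination step matters even in small trees: an OR gate with inputs A and AND(A, B) yields cut sets {A} and {A, B}, and only {A} is minimal. Tagging intermediate events with their UCA is what keeps the FTA side readable from the STPA side; if a refinement of the tree introduces a gate with no UCA ancestor, `trace_cut_set` returns an empty UCA list for its basic events, which flags a break in the traceability chain.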
Cite as:
Voutzoulidis, K.; Tigkas, I. A Parallel STPA–FTA Risk Assessment Framework for Maritime Autonomous Surface Ships: Development and Case Study Application. J. Mar. Sci. Eng. 2026, 14, 748. https://doi.org/10.3390/jmse14080748