Safety and Reliability Analysis of an Ammonia-Powered Fuel-Cell System

Recently, the shipping industry has been under increasing pressure to improve its environmental impact with a target of a 50% reduction in greenhouse gas emissions by 2050, compared to the 2008 levels. For this reason, great attention has been placed on alternative zero-carbon fuels, specifically ammonia, which is considered a promising solution for shipping decarbonisation. In this respect, a novel ammonia-powered fuel-cell configuration is proposed as an energy-efficient power generation configuration with excellent environmental performance. However, there are safety and reliability concerns of the proposed ammonia-powered system that need to be addressed prior to its wider acceptance by the maritime community. Therefore, this is the first attempt to holistically examine the safety, operability, and reliability of an ammonia fuel-cell-powered ship, while considering the bunkering and fuel specifications. The proposed methodology includes the novel combination of a systematic preliminary hazard identification process with a functional and model-based approach for simulating the impact of various hazards. Furthermore, the critical faults and functional failures of the proposed system are identified and ranked according to their importance. This work can be beneficial for both shipowners and policymakers by introducing technical innovation and for supporting the future regulatory framework.


Background
Awareness has grown recently of the progressive climate change that began two centuries ago. Over the last few centuries, climate change has become a reality, and societies have been facing its adverse effects. The level of global greenhouse gas (GHG) emissions has increased by more than 10% in the last decade [1], accelerating climate change. For this reason, during the last few decades, societies have been urged to adopt more environmentally friendly behaviours regarding their energy production and consumption. In addition, governments have taken action to introduce policies that promote sustainable development; in 2016, 196 nations signed the Paris Agreement at the United Nations Framework Convention on Climate Change, which aimed to keep global warming below 2 °C [2]. At the same time, it is argued that there is a lag in the decarbonisation of the shipping industry [3], which is one of the fastest-growing industries in the world [4], as well as a significant contributor of anthropogenic emissions (3% in 2018) [5]. It is projected that, in 2050, the GHG emissions from ships will rise to higher levels than in 2008, by approximately 130%, if this accelerating operational trend continues [5]. For this reason, following the Paris Agreement targets, the International Maritime Organisation (IMO) set a goal to reduce the carbon dioxide emissions from the shipping sector by 70% by 2050, compared to the 2008 levels, as well as the GHG emissions by 50% [6].

Critical Review
Frameworks and processes have been proposed to address the safety of novel designs and fuels in the maritime industry; the Formal Safety Assessment (FSA) is employed by IMO for fleet-wide safety, whereas the Technology Qualification (TQ) process is proposed by Det Norske Veritas (DNV) for case-specific analysis. Both of the above identify the potential risks and hazards [40] and then evaluate their impact, to reduce the risks to the As Low as Reasonably Practicable (ALARP) region [40,41]. For clarity, in this work, hazard is defined as 'the conditions with the potential to compromise safety', whereas risk is calculated for the hazards and indicates 'the likelihood and consequences of a future hazard event in a given context' [42,43].
Various tools exist in the literature for assessing the safety, reliability, and operability of a system and establishing safeguards (summarised in Table 1). Two of the most used methods for safety assessment that help to systematically identify hazards and assess the operability of the system are Hazard Identification (HAZID) and the Hazard and Operability study (HAZOP) [40,44]. They are both applied as a knowledge-pooling exercise during a meeting that is typically held with the relevant parties and different shipping stakeholders. In HAZID, a brainstorm of potential hazards during the ship lifecycle is performed, while taking into account the current and upcoming regulations [45]. HAZID is a crucial process for the approval of alternative fuels and configurations, according to the International Code of Safety for Ships Using Gases (IGF) [46]. On the other hand, the HAZOP is a process to systematically evaluate the severity of deviations from normal operations of the system [42]. Consequently, HAZID focuses on identifying hazards in the design of the system, whereas HAZOP targets hazards related to the system's operation. The design stage of a novel system is the most appropriate time to employ both tools and rely on the knowledge of experts [47].
Other tools commonly used for the safety and reliability assessment of new systems are fault-tree analysis (FTA) and failure modes, effects, and criticality analysis (FMECA) [48]. The former is a top-down approach that is initiated by stating an undesirable event [49]. It captures the functional dependencies within the examined system, and failure statistics for each component are used as inputs to examine the likelihood of the undesirable event [50]. On the other hand, FMECA can be employed to control risk by foreseeing possible failures during the design of a system, by examining the various ways a system can fail, and by identifying all the potential failure modes [48]. It also quantifies and ranks the criticality of each failure caused by the various hazards.
Different applications of HAZID in the maritime industry can be found in the relevant literature, and thorough reviews regarding the merits of the available tools can be found in [51,52]. As argued in the previous sources, examining all the risks present in a system represents a genuine hurdle, which emphasises the significance of creating hybrid methods such as the one presented in this work. Focus has been placed on the risks related to natural gas hydrate transportation [53]. In addition, scholars have assessed the hazards of LNG dual-fuel ships [54][55][56]. On the other hand, a hazard and operability analysis was carried out to assess the risks of a 10,000 TEU container ship in [57]. HAZID has also been used as part of the concept design stages for a nuclear-powered vessel [58], as well as for mooring and dynamic positioning systems in arctic conditions [59].
Failure mode analysis is widely used in many different sectors [60], with several publications summarising its different merits, shortcomings, and caveats [48,61]. In shipping, it has been employed to derive appropriate maintenance tasks that improve the safety and reliability of a hybrid system that includes fuel cells [62] or of a marine fuel oil system [63]. Similarly, FMEA/FMECA can be used to minimise downtime and improve reliability [64]. Furthermore, these tools have been used to create an integrated methodology combining FMEA with fuzzy logic for the reliability assessment of offshore marine assets [65]. The possible failure modes and the effects of their occurrence in the fuel oil system of a marine diesel engine were investigated in [66]. On the other hand, a fuzzy FMECA approach was followed to identify the potential failure modes and hazards, as well as operability difficulties, of a marine boiler [67] or an oil tanker tank [68]. Lastly, FMECA has also seen applications in the identification of critical equipment onboard merchant vessels [69].
In the existing literature, FTA has widespread applicability [50,70], with many publications reviewing the applicability of the method [71,72]. In the maritime sector, FTA was employed to investigate the availability of a large ethane carrier hybrid system that includes an ethane-powered SOFC for the electric demands of the vessel [73]. Others have investigated the safety enhancement of a cruise ship lubricating oil system using FTA [74]. The reliability of a marine propulsion system was investigated by employing FTA in [75]. Furthermore, a combination of FMECA and FTA methods was employed to assess the safety and reliability of a low-pressure LNG fuel feeding system [76]. In [77], the main engine lubricating oil system of an autonomous ship was assessed using FTA and FMEA methods. Lastly, FTA has also been used in conjunction with other tools for the identification of critical equipment of ships [78].

Table 1. Tools for safety and reliability assessment of marine systems.

Reference | Tool | System
[51,52] | HAZID/HAZOP | Review
[53] | HAZID | Natural gas hydrate carrier
[54,56] | HAZID | LNG fuelled vessel
[55] | HAZID | LNG carrier
[57] | HAZOP | Containership
[58] | HAZID | Nuclear-powered ship
[59] | HAZID | Mooring and positioning systems
[48,61] | FMEA/FMECA | Review
[62] | Layer of Protection Analysis & FMEA | Electric hybrid system
[63] | FMEA | Fuel oil system
[64] | FMEA/FMECA | Ship auxiliary systems
[65] | FMEA/FMECA | Offshore marine assets
[66] | FMEA | Fuel oil system
[67] | Fuzzy FMECA | Marine boiler
[68] | Fuzzy FMECA | Marine oil tanker
[69] | FMECA | Critical equipment of merchant vessels
[71,72] | FTA | Review
[73] | FTA | Hybrid system with SOFC
[74] | FTA | Lubricating oil system
[75] | FTA | Marine propulsion system
[76] | FMECA & FTA | LNG fuel feeding system
[77] | FMECA & FTA | Lubricating oil system
[78] | FTA | Critical equipment of merchant vessels

In the existing literature of different sectors, when reviewing the safety and reliability of a novel system, such as zero-carbon fuel-cell systems, a combination of FTA and failure mode analysis is indicated as a necessary step before commercialisation, since this technology is at an 'infancy stage' [79]. In other studies, the significance of FTA for the reliability assessment of a hybrid system including fuel cells was highlighted [80]. Furthermore, reviews of the different safety and risk assessment techniques indicate that it is challenging to account for all the risks in a system; thus, hybrid methods are required [51,52,81,82].
From the examined literature it is deduced that the design of novel ship systems requires the systematic identification of hazards and risks. This is optimally done using a holistic methodology for risk assessment that employs a combination of HAZID and HAZOP to address the hazards from the design and operation of the system [83]. In addition, a detailed reliability and safety analysis based on FTA and FMECA that identifies the critical components and failure modes is important for any novel hybrid system that employs emerging technologies and fuels. In general, a combination of different methods can provide a more accurate assessment of the risks in complex systems, such as the system proposed herein. However, as concluded from the analysis, there is a gap in a holistic safety assessment methodology that addresses both the design and the operability hazards, as well as identifies the critical components and failure modes of a marine ammonia fuel system.
For this purpose, a holistic safety approach is adopted for the proposed NH3 fuel-cell-powered system. This is the first study that examines the safety, operability, and reliability assessment of an NH3 fuel-cell-powered ship, as well as the NH3 bunkering, considering the fuel specifications. A HAZID for the identification of the functional hazards and the reaction of the system to these hazards is performed, as well as an FTA and FMECA for the identification of critical components and failure modes of the system.
This work is important for understanding the new safety requirements created by the introduction of NH3 as a marine fuel. It aims to gain an understanding of the hazards of NH3-powered fuel cells, thereby establishing safety practices and preventing accidents. It should be noted that the focus of this work is on the safety analysis of the ammonia-powered system, not its operation. The outcome of this work is valuable for both shipowners and policymakers for introducing technical innovations, while also increasing the reliability of the proposed novel system. This is the first work to propose an NH3 fuel-cell-powered system for ocean-going vessel propulsion; as such, it provides insight to shipowners regarding the safety concerns of using NH3 so that the required safeguards can be developed. Second, even though there are numerous regulations ensuring the safe transportation of NH3 on ships, amendments are required to the IGF code for the use of NH3 for propulsion. Therefore, this work can be beneficial for the future regulatory framework.
In the next sections, the methodology employed for the safety and risk assessment of the NH 3 fuel-cell-powered system is described, and the key findings are presented and then discussed.

Methodology
The developed model-based methodology for the safety assessment of an NH3 fuel system consists of four steps, presented in Figure 1. These steps ensure that the methodology identifies operational hazards, examines the reaction of the system to these hazards, and detects critical components and functional failures. First, a HAZID is performed with experts to identify the critical hazards of the system. These hazards are used as input to the developed functional-based model (FBM) to examine the system's reaction to them. Then, an FTA is performed, taking into account the FBM of the system, to identify critical components by evaluating the reliability of the system. Finally, an FMECA is carried out and the functional failures of the components are derived. In summary, the compilation of the different tools used to assess the safety, operability, and reliability of the discussed novel system is presented in Figure 1.
As mentioned, the objective of the HAZID is to ensure that any risks arising from the installation and design of the novel NH3 SOFC system are under control and that adequate safeguards are in place to reduce these risks to the ALARP region. It should be noted that hazards present at the yard during repairs/docking are outside the scope of this study.
A workshop meeting with ship operators, equipment manufacturers, and academic institutions was held; experience from previous accidents was also considered. The results from the Sea-Web (IHS Markit) database indicated that most accidents were due to the use of ammonia in refrigeration systems; however, the quantities carried were much smaller than what is needed when ammonia is used as a primary fuel. Furthermore, in a few cases, the leakage of ammonia led to fatalities due to the fuel's toxicity. An overview of the followed HAZID methodology is presented in Figure 2, in accordance with IACS document No. 146 [84].
The next step of the methodology is the creation of an FBM of the proposed system that depicts the architecture and functions of the system. Furthermore, FBM can be used to examine the reaction of a system to functional and hardware-based failures; as such, it can serve as a cornerstone for safety and risk assessments, as seen in other research [74,76]. The Maintenance Aware Design environment (MADe) software from PHM Technology is a user-friendly model-based tool that has been used in various applications in the automotive and aviation industries for risk-based analysis, including reliability, availability, and maintainability analysis [85][86][87]. It was employed in this work for the FBM development for the following reasons [86]:
- It clearly depicts the systems, subsystems, and components, as well as their interconnections and functions.
- It allows the investigation of the propagation of failures within the system, thus supporting the identification of the system-critical components and their failure end-effects.
- It serves as a starting point for additional analysis and examination.
In more detail, the examination of the behaviour of the system when subjected to various hazards is based on fuzzy cognitive mapping (FCM). FCM is used to rank the factors that affect the reliability of the system [88], by simultaneously analysing the system's risk-based factors and taking into consideration the causal relationships among them [89]. It can be employed as an effective decision-making tool for risk analysis [89]. Moreover, additional analysis and examination can be performed through FTA and FMECA. To develop the FBM, the system is represented by its subsystems and components. Then, the subsystems and components are interlinked through the built-in functions, which represent the processes and functions of the different items [74]. Subsequently, inflows and outflows are assigned according to the purpose of each subsystem/component, and a causal relationship is defined for each inflow and outflow, with a positive or negative value depending on the individual functionality and its effect on the system operating parameters [76,90]. Once this process is completed, hazards and failures can be injected into the system by changing the appropriate flows in the component/subsystem of interest [91]. Then, the injections propagate according to FCM [89], and the reaction of the system is obtained. Finally, FTA and FMECA can be performed as required using standard methods and procedures.
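The injection-and-propagation step described above, as an added illustration that is not the paper's MADe/FCM model: a small constructed signed causal map of the items the paper names (controller, tank heater, containment, supply valves, SOFC stack, reliquefaction), into which a hazard is injected as a forced rise or fall of one item's flow and propagated with a sign-threshold FCM update until the state stops changing. The edge set, the update rule and the hazard list are assumptions; the two quantities it reports (items affected, steps to equilibrium) are the ones plotted in Figure 6.

```python
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str, int]

# Constructed, simplified causal map of the NH3 fuel supply system named on the page.
# This is an assumption for illustration, not the paper's MADe model. Each edge is
# (source, target, sign): +1 means a rise in the source flow raises the target flow,
# -1 means it lowers it (the causal relationship the FBM assigns to each in/outflow).
EDGES: List[Edge] = [
    ("controller", "supply_control_valve", +1),
    ("controller", "esd_valve", +1),
    ("controller", "reliquefaction_compressor", +1),
    ("tank_heater", "tank_temperature", +1),
    ("tank_temperature", "tank_pressure", +1),
    ("tank_pressure", "gas_mass_flow", +1),
    ("tank_pressure", "reliquefaction_compressor", +1),
    ("supply_control_valve", "gas_mass_flow", +1),
    ("esd_valve", "gas_mass_flow", +1),
    ("gas_mass_flow", "fc_voltage", +1),
    ("gas_mass_flow", "fc_temperature", +1),
    ("fc_temperature", "fc_voltage", -1),
    ("reliquefaction_compressor", "condenser_load", +1),
    ("condenser_load", "tank_pressure", -1),   # feedback: reliquefaction lowers tank pressure
]


def sign(x: int) -> int:
    return (x > 0) - (x < 0)


def node_names(edges: List[Edge]) -> List[str]:
    names: List[str] = []
    for src, dst, _ in edges:
        for n in (src, dst):
            if n not in names:
                names.append(n)
    return names


def simulate(edges: List[Edge], injected: str, direction: int,
             max_steps: int = 50) -> Tuple[Dict[str, int], int, Optional[int]]:
    """Inject a hazard as a forced increase (+1) or decrease (-1) of one item's flow and
    propagate it with a sign-threshold FCM update that remembers the previous state:
        s'(v) = sign( s(v) + sum_u w(u, v) * s(u) ),  injected node clamped to `direction`.
    Returns (final state, number of other items whose flow changed, steps to equilibrium);
    steps is None if the map keeps oscillating within max_steps."""
    state = {n: 0 for n in node_names(edges)}
    state[injected] = direction
    seen = [dict(state)]
    affected = 0
    for step in range(1, max_steps + 1):
        nxt: Dict[str, int] = {}
        for v in state:
            if v == injected:
                nxt[v] = direction
                continue
            activation = state[v] + sum(w * state[u] for u, t, w in edges if t == v)
            nxt[v] = sign(activation)
        affected = sum(1 for n, s in nxt.items() if s != 0 and n != injected)
        if nxt == state:                   # no further change: equilibrium reached
            return nxt, affected, step - 1
        if nxt in seen:                    # state revisited: oscillation, no equilibrium
            return nxt, affected, None
        seen.append(nxt)
        state = nxt
    return state, affected, None


def rank_hazards(edges: List[Edge], hazards: Dict[str, Tuple[str, int]]) -> List[tuple]:
    """Order hazards by spread (items affected), then by steps to equilibrium, as in Figure 6."""
    rows = []
    for hazard_id, (node, direction) in hazards.items():
        _, affected, steps = simulate(edges, node, direction)
        rows.append((hazard_id, node, affected, steps))
    return sorted(rows, key=lambda r: (-r[2], -(r[3] or 0)))


if __name__ == "__main__":
    # Constructed hazard list; the IDs do not correspond to the paper's Table 2.
    hazards = {
        "H-A control signal lost": ("controller", -1),
        "H-B tank heater loss": ("tank_heater", -1),
        "H-C ESD valve closes spuriously": ("esd_valve", -1),
    }
    for row in rank_hazards(EDGES, hazards):
        print(row)
```

On this constructed map the controller hazard reaches the most items while the heater hazard takes the most steps to settle, which is the kind of distinction Figure 6 draws between spread and destabilisation.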
For the purpose of the FTA, failure statistics are required as inputs to the FBM; thus, the OREDA [92] database was used to collect failure rates and mean time to failure (MTTF) values for the various functions and components of the system [93]. The aim of the FTA is to derive a pictorial and quantified representation of how subsystems (gates) and components (basic events) can lead to the loss of reliability of the broader system they influence (top gate) [94]. The structure of the FTA was derived through the MADe interface, by considering the functions and interconnections of the different components. The modelled systems and subsystems are represented in the FTA using gates, and the components are described as basic events. One of the most common gates is the OR gate, which requires a minimum of two inputs (A1, ..., An) and is used according to Equation (1).
Another very common gate used in FTA is the AND gate, which also requires a minimum of two inputs (A1, ..., An) and is used according to Equation (2).
Furthermore, the VOTING gate represents another widely used way of modelling systems and subsystems with partial failsafe capabilities; it also requires a minimum of two inputs (A1, ..., An) and is used according to Equation (3).
In the final step of the methodology, an FMECA study is conducted, where the failure modes of each subsystem/component are considered together with the effects they have on the various components. This analysis is significant to ensure that the appropriate safeguards are taken into consideration. The risk priority number (RPN) was estimated as indicated in Equation (4) by considering the occurrence (O), severity (S), and detection (D) of the failures, in order to rank the failure modes. Occurrence expresses the frequency of potential failures, and it was derived from the failure rates found in the OREDA database. The severity and detection assess, respectively, the seriousness of the potential failure and the probability of detecting the potential cause and failure mode [95]. For the latter, experts' knowledge was employed in accordance with the guidelines provided in [67].
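The FTA gates and the RPN ranking of the two steps above, as an added worked example that is not the paper's MADe output or its OREDA data: a small constructed fault tree for the loss of NH3 supply to the stack, evaluated with the standard OR, AND and k-out-of-n VOTING formulas for independent events (assumed to be the forms of Equations (1) to (3), which the text does not reproduce), ranked with the Birnbaum importance measure (an assumption, since the text does not name its importance measure), followed by an RPN = O x S x D ranking with constructed O, S and D ratings standing in for Equation (4) and the experts' judgement.

```python
import math
from itertools import combinations
from typing import Dict, List, Sequence, Union

# Basic events with constructed placeholder failure rates (per hour), for illustration only;
# the paper takes these values from the OREDA handbook.
FAILURE_RATE: Dict[str, float] = {
    "tank_heater": 2.0e-5, "pressure_control_valve": 1.5e-5,
    "esd_valve": 5.0e-6, "supply_control_valve": 1.0e-5,
    "temp_sensor_1": 3.0e-5, "temp_sensor_2": 3.0e-5, "temp_sensor_3": 3.0e-5,
    "bunkering_pump_A": 4.0e-5, "bunkering_pump_B": 4.0e-5,
}


def event_probability(rate_per_hour: float, mission_hours: float) -> float:
    """Unreliability of a basic event with a constant failure rate: 1 - exp(-lambda * t)."""
    return 1.0 - math.exp(-rate_per_hour * mission_hours)


# Gate formulas for independent inputs (the standard forms behind the OR, AND and VOTING gates).
def or_gate(ps: Sequence[float]) -> float:
    """Output fails if any input fails: 1 - prod(1 - p_i)."""
    return 1.0 - math.prod(1.0 - p for p in ps)


def and_gate(ps: Sequence[float]) -> float:
    """Output fails only if every input fails: prod(p_i)."""
    return math.prod(ps)


def voting_gate(k: int, ps: Sequence[float]) -> float:
    """k-out-of-n: output fails if at least k of the n inputs fail."""
    n, total = len(ps), 0.0
    for m in range(k, n + 1):
        for failed in combinations(range(n), m):
            total += math.prod(p if i in failed else 1.0 - p for i, p in enumerate(ps))
    return total


# Fault tree: a leaf is a basic-event name, a tuple is a gate. Constructed tree for the
# top event "loss of NH3 fuel supply to the SOFC stack".
Node = Union[str, tuple]
FAULT_TREE: Node = ("OR", [
    ("OR", ["tank_heater", "pressure_control_valve"]),                   # tank pressure not maintained
    ("OR", ["esd_valve", "supply_control_valve"]),                       # supply line blocked
    ("VOTING", 2, ["temp_sensor_1", "temp_sensor_2", "temp_sensor_3"]),  # 2-out-of-3 sensors lost
    ("AND", ["bunkering_pump_A", "bunkering_pump_B"]),                   # both redundant pumps fail
])


def evaluate(node: Node, probs: Dict[str, float]) -> float:
    """Top-down evaluation of the tree: basic events are looked up, gates are combined."""
    if isinstance(node, str):
        return probs[node]
    if node[0] == "VOTING":
        return voting_gate(node[1], [evaluate(c, probs) for c in node[2]])
    ps = [evaluate(c, probs) for c in node[1]]
    return or_gate(ps) if node[0] == "OR" else and_gate(ps)


def birnbaum_importance(tree: Node, probs: Dict[str, float], event: str) -> float:
    """P(top | event failed) - P(top | event working): how much one component drives the top event."""
    failed, working = dict(probs), dict(probs)
    failed[event], working[event] = 1.0, 0.0
    return evaluate(tree, failed) - evaluate(tree, working)


def rank_components(tree: Node, mission_hours: float) -> List[tuple]:
    """Components ordered by Birnbaum importance for the given mission time."""
    probs = {e: event_probability(r, mission_hours) for e, r in FAILURE_RATE.items()}
    return sorted(((e, birnbaum_importance(tree, probs, e)) for e in probs), key=lambda r: -r[1])


# FMECA ranking: RPN = O x S x D.
def occurrence_rating(rate_per_hour: float) -> int:
    """Constructed 1..10 occurrence bands from the failure rate (the paper derives O from OREDA)."""
    for threshold, rating in ((1e-4, 9), (3e-5, 7), (1e-5, 5), (3e-6, 3)):
        if rate_per_hour >= threshold:
            return rating
    return 1


# Constructed severity (S) and detection (D) ratings standing in for the experts' judgement.
SEVERITY = {"tank_heater": 7, "pressure_control_valve": 8, "esd_valve": 9, "supply_control_valve": 6,
            "temp_sensor_1": 5, "temp_sensor_2": 5, "temp_sensor_3": 5, "bunkering_pump_A": 4, "bunkering_pump_B": 4}
DETECTION = {"tank_heater": 6, "pressure_control_valve": 4, "esd_valve": 5, "supply_control_valve": 4,
             "temp_sensor_1": 3, "temp_sensor_2": 3, "temp_sensor_3": 3, "bunkering_pump_A": 2, "bunkering_pump_B": 2}


def rank_by_rpn() -> List[tuple]:
    """Failure modes ordered by risk priority number."""
    rows = [(e, occurrence_rating(r) * SEVERITY[e] * DETECTION[e]) for e, r in FAILURE_RATE.items()]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    hours = 8760.0  # one year of operation
    probs = {e: event_probability(r, hours) for e, r in FAILURE_RATE.items()}
    print(f"P(top event over {hours:.0f} h) = {evaluate(FAULT_TREE, probs):.4f}")
    print("Birnbaum ranking:", rank_components(FAULT_TREE, hours))
    print("RPN ranking:", rank_by_rpn())
```

Note that the AND gate over the two redundant pumps contributes far less to the top event than any single OR-gate input, which is why a basic event behind an AND gate ranks low on importance even when its own failure probability is the highest in the tree.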
In the next section, the key findings of the safety, reliability, and operability assessment methodology are presented and discussed.

System Description
The main aim of this paper is to investigate the safety and reliability of an NH3 fuel-cell fuel supply system, with liquid NH3 stored in an independent type C tank on the main deck of the vessel. The intent is to use NH3 vapour as fuel in an array of SOFCs, located underneath the fuel tank, also on the deck. Additionally, a dedicated fuel supply system (FSS) is located next to the fuel tank to treat and process the NH3 prior to its use in the fuel cells. Lastly, batteries and additional electronics are in a container next to the SOFC array. Obtaining a clear definition of the system under consideration is an essential step as it identifies the main nodes (systems and subsystems) that are used during the HAZID process. Moreover, the definition of the system also assists in the functional-based model, as presented in further sections. A line diagram of the model considered herein is shown in Figure 3.

Critical Hazards
The main hazards were identified according to the process shown in Figure 2. Moreover, the causes, consequences, and safeguards associated with these hazards were also discussed. The main hazards considered for the system according to the output of the HAZID workshop are presented in Table 2. A quantitative assessment of the hazards was not performed; however, the listed hazards were regarded as of high criticality according to the experts during the HAZID workshop. As observed, most of the hazards relate to the loss of containment of NH3 as this can be hazardous for crew and personnel due to the toxicity of NH3. One of the main challenges in introducing ammonia is the toxicity of the fuel that can cause severe skin burns and eye damage; it is dangerous when inhaled, and it can even be fatal. This is also highlighted in the outcomes of the HAZID, where one of the main hazards was identified as the leakage of ammonia inside the FC room or on the bunkering connection. As a result, it is of high importance to introduce and consider safety measures for the crew on board. Classification societies [96] have recently published safeguard measures that need to be considered for the crew protection, as mentioned in Table  2. Similarly, the majority of the hazards can be mitigated through the development of operating procedures and alterations in the design.


Functional-Based Model
The NH3 fuel supply system described in the previous section was functionally modelled by considering the different subsystems and components. In detail, the systems included were the control unit for the system, the bunkering system, the fuel-cell stack, the NH3 containment system, the NH3 supply system, the reliquefaction system, and the NH3 heater. Moreover, as subsystems, the emergency shutdown valves, bunkering pumps, control valves, pressure control valves, storage tank, temperature sensors, compressor, and condenser were modelled. Figure 4 shows the resulting functional model of the system considered, with its boundaries represented by the 'in' and 'out' blocks.
The different systems are modelled as blue boxes and the various components are shown in pale brown. As observed, the various items are organised to represent their functional dependencies. Furthermore, the model shows the distinct inputs and outputs within each item. As seen, the inputs and outputs can take several forms, including the transfer of data, energy, and material. To that end, outputs from one subsystem or component must be treated as an input for another element. For instance, the gas static pressure that is the output of the NH3 containment system is used as an input for the NH3 supply system, together with continuous data provided from the system's controller.
Moreover, it should be clarified that the modelling process is based on engineering knowledge, and the final arrangement of flows and components was validated with the equipment manufacturer that participated in the HAZID workshop. Figure 5 shows the function, inflows, and outflows of a fuel-cell module. As seen, the function of the module is to convert the inflow of data (from the controller) and gas mass flow rate (from NH3 fuel) to voltage, temperature, and residual NH3.

System's Reaction
Once the functional model was completed, the identified critical hazards (Table 2) were injected sequentially into the system, and the reaction of the system was evaluated through a response simulation. This process was based on FCM, which propagates the presence of a failure downstream of the system [74]. The injection of each hazard was represented by an increase or decrease in the appropriate flow property of the involved item, and the simulation showed the direction of change of the flow properties of the other modelled items. Figure 6 presents on the horizontal axis the hazards of Table 2, while the vertical axes show the number of components affected by each hazard, together with the number of steps needed for the system to reach equilibrium following the injection of the failure. In other words, the figure examines the intensity of each hazard: how far it spreads through the system and for how long it destabilises it. The severity of each hazard can therefore be gauged from the components it affects and the time required for the system to return to equilibrium. Since the examined system is of relative complexity, identifying the components that can be affected by each hazard provides insight into where safety improvements are needed, whereas the time to equilibrium provides insight into the controllability of the system. In detail, a failure in the control system (ID 2) affected the most components (more than 100); as such, it had the greatest spread. Therefore, the control system can be flagged as critical, and the design of the system can be altered to improve its safety performance.
Similarly, a failure in the NH3 tank heater (ID 6) required the most steps until the system reached a state of equilibrium; as such, it destabilised the operation of the system for the longest period. Consequently, it is recommended that additional safeguards (i.e., testing and inspection) are considered to avoid a failure in the control system and the NH3 tank heater.

In addition to examining the intensity of each hazard, the sensitivity of each subsystem was studied. In Figure 7, the horizontal axis lists the modelled subsystems with their flows, and the vertical axis shows the percentage of the hazard injections in which the respective subsystem flow is affected, thus evaluating the sensitivity of each subsystem. It was observed that both the gas static pressure and the gas mass flow rate from the NH3 containment system were affected by every injected fault. This means that the NH3 containment system is the most sensitive to the considered hazards. As a result, this system was given increased attention in the following phase of the methodology, to further evaluate its effect on safety and reliability.

Examining the effects of the main hazards is a critical step in improving safety by developing mitigating measures. As seen, additional inspection and maintenance of the control system and the NH3 tank heater can safeguard against the effects of most of the main hazards. Likewise, examining the sensitivity of the different systems to the hazards helps focus the subsequent steps of the methodology.
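To make the propagation step concrete, the following Python script is an added illustration (not the authors' model nor the FCM tool cited as [74]): it builds a small signed functional model loosely following the items and flows of Figures 4 and 5 and injects hazards one at a time. The item names, the edge weights, the four constructed hazards and the sign-based update rule are all assumptions; the paper's model contains far more items. Each hazard clamps one flow property to +1 (increase) or -1 (decrease), the deviation is propagated synchronously downstream as the sign of the weighted sum of an item's inputs, and the script reports, per hazard, the number of affected items and the number of steps to equilibrium (the two quantities of Figure 6) and, across all hazards, the share of injections that affect each flow (the sensitivity of Figure 7).

```python
"""Hazard propagation over a signed functional model (added illustration, not the paper's tool)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Flow properties of the modelled items (names are assumptions loosely following Figures 4 and 5).
# An edge (src, dst, w) means a deviation of `src` pushes `dst` the same way (w > 0) or the
# opposite way (w < 0); |w| weighs competing influences on the same property.
EDGES: List[Tuple[str, str, float]] = [
    ("ctrl.data", "heater.temperature", 1.0),                    # controller drives the tank heater
    ("ctrl.data", "reliq.condensing_rate", 1.0),                 # controller drives the reliquefaction compressor
    ("ctrl.data", "supply.gas_mass_flow", 1.0),                  # controller sets the fuel demand
    ("ctrl.data", "fc.voltage", 1.0),                            # controller data into the FC module (Figure 5)
    ("heater.temperature", "tank.gas_static_pressure", 1.0),     # warmer tank, higher vapour pressure
    ("reliq.condensing_rate", "tank.gas_static_pressure", -0.5), # reliquefaction lowers pressure (assumed weaker than the heater)
    ("tank.gas_static_pressure", "tank.gas_mass_flow", 1.0),
    ("tank.gas_static_pressure", "supply.static_pressure", 1.0),
    ("tank.gas_mass_flow", "supply.gas_mass_flow", 1.0),
    ("supply.gas_mass_flow", "fc.voltage", 1.0),                 # FC module turns fuel flow into voltage,
    ("supply.gas_mass_flow", "fc.temperature", 1.0),             # temperature and
    ("supply.gas_mass_flow", "fc.residual_nh3", 1.0),            # residual NH3 (Figure 5)
]

# Constructed hazards: (flow property the hazard hits, direction of the imposed deviation).
HAZARDS: Dict[str, Tuple[str, int]] = {
    "Control system failure": ("ctrl.data", -1),
    "NH3 tank heater failure": ("heater.temperature", -1),
    "Reliquefaction compressor failure": ("reliq.condensing_rate", -1),
    "Leak in NH3 supply line": ("supply.gas_mass_flow", -1),
}


def build_model(edges):
    """Return the ordered list of flow properties and, per property, its weighted inputs."""
    nodes: List[str] = []
    incoming: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for src, dst, w in edges:
        for n in (src, dst):
            if n not in nodes:
                nodes.append(n)
        incoming[dst].append((src, w))
    return nodes, incoming


def sign(x: float) -> int:
    return (x > 0) - (x < 0)


def inject(nodes, incoming, node: str, direction: int, max_rounds: int = 100):
    """Clamp `node` at `direction` and propagate synchronously until no property changes.

    Returns (final deviation of every property, set of affected properties, rounds needed).
    A property whose inputs cancel out stays at 0: its direction is indeterminate.
    """
    state = {n: 0 for n in nodes}
    state[node] = direction
    rounds = 0
    for _ in range(max_rounds):
        nxt = {n: (state[n] if n == node
                   else sign(sum(w * state[s] for s, w in incoming[n])))
               for n in nodes}
        if nxt == state:
            break
        state, rounds = nxt, rounds + 1
    else:
        raise RuntimeError("no equilibrium within max_rounds (feedback loop?)")
    affected = {n for n, v in state.items() if v != 0 and n != node}
    return state, affected, rounds


def assess(edges, hazards):
    """Intensity of each hazard (as in Figure 6) and sensitivity of each flow (as in Figure 7)."""
    nodes, incoming = build_model(edges)
    spread, hits = {}, defaultdict(int)
    for name, (node, direction) in hazards.items():
        state, affected, rounds = inject(nodes, incoming, node, direction)
        spread[name] = (len(affected), rounds, state)
        for n in affected:
            hits[n] += 1
    sensitivity = {n: hits[n] / len(hazards) for n in nodes}
    return spread, sensitivity


if __name__ == "__main__":
    spread, sensitivity = assess(EDGES, HAZARDS)
    for name, (n_affected, rounds, _) in spread.items():
        print(f"{name:<36} affected={n_affected:>2}  steps={rounds}")
    for flow, share in sorted(sensitivity.items(), key=lambda kv: -kv[1]):
        print(f"{flow:<28} affected in {share:.0%} of injections")
```

In this constructed model the control failure reaches all nine other properties within three rounds (largest spread), the heater failure reaches fewer but takes four rounds (longest disturbance), and the compressor failure drives the same pressure-to-voltage chain in the opposite direction; the three fuel-cell outputs are hit by every injection, which is the kind of result that singles out a subsystem for the next phase. A model with feedback paths may oscillate under this discrete rule, which is why the loop is bounded and raises instead of reporting a false equilibrium.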

Critical Faults and Components
After identifying the main hazards and examining the reaction of the system to them, the FTA was performed to obtain the critical faults according to their reliability metrics. On the basis of the findings of the previous section, the NH3 containment system was given high priority and was modelled at a high level of the fault tree. To enable the methodology to capture critical faults, the top event of the FTA is the low-voltage output of the entire system, which is in turn caused by the low-voltage output of the entire fuel-cell arrangement. Connected through an OR gate, the next levels examine the failures of the control system, containment system, supply system, and fuel-cell stack. The lower levels examine the components and respective failures of the subsystems, with the appropriate gates used to reflect the fault tolerance of each case. Moreover, from the produced fault tree, the probability of each fault of the modelled components (P(f)), the Fussell-Vesely importance measure (IFV), the Birnbaum importance measure (IB), and the minimal cut sets (MCS) were calculated [97,98]. Figure 8 shows the probability of failure P(f) calculated from the FTA. It should be noted that the presented probability figures were estimated for the mission profile of the vessel over 1 year of operation. P(f) was calculated for the modelled systems and subsystems, which are represented as intermediate gates. The three subsystems with the highest P(f) (highlighted in orange) were the FC stack (4.65 × 10^-5), the storage tank (3.84 × 10^-5), and the reliquefaction system (3.78 × 10^-5). The impact of these faults needs to be given high consideration onboard a vessel that carries large quantities of ammonia, especially in the FC room; as a result, appropriate measures should be taken. Due to their high P(f), additional operational measures (inspection, maintenance, and testing) are required.
Taking into account these results, changes to the design of the system can take place, including the introduction of redundant components, which is outside the scope of this study.
In addition to presenting the probabilities of failure of the subsystems, the severity of the different faults was examined. Figure 9 shows the IFV (left axis) and IB (right axis) of the different faults, which were modelled as basic events. In addition, these two metrics were combined as a Euclidean distance (left axis), so that the faults can be ranked on a single scale that rewards both a large contribution to the top event (IFV) and a high sensitivity of the top event to the fault (IB). As observed, the most critical faults related to the failure of the compressor, which belongs to the reliquefaction system already flagged in Figure 8 as one of the subsystems with the highest probability of failure. It should be noted that leakage of ammonia might occur from perforation, which can have a severe impact on the crew; thus, identification of hazardous zones is required. As with the previous figure, these results can be used to develop operating procedures and to alter the design of the system. In detail, additional inspection can be used with emphasis on detecting signs of perforation and corrosion in the compressor.
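The following Python script is an added illustration of the FTA quantities used above; the fault tree, basic events and probabilities are constructed for the example and are not the paper's tree or OREDA data. It evaluates a small tree shaped like the one described (top event: low-voltage output, an OR gate over the control, containment, supply and fuel-cell branches, with AND gates where redundancy exists), computes P(f) of the top event exactly by enumerating the states of the independent basic events, enumerates the minimal cut sets, derives the Birnbaum and Fussell-Vesely importance of each basic event from conditional top-event probabilities, and combines the two measures as a Euclidean distance for ranking, as in Figure 9. The Fussell-Vesely form used, 1 - P(top | event not failed) / P(top), is the standard exact expression for coherent trees; P(f) of a one-year mission from a constant failure rate is shown by `annual_probability`.

```python
"""Fault-tree evaluation with importance measures (added illustration, not the paper's tree)."""
from itertools import combinations, product
from math import exp, sqrt
from typing import Dict, FrozenSet, List, Tuple, Union

Gate = Union[str, Tuple[str, list]]  # a basic-event name, or ("OR" | "AND", [children])


def annual_probability(failure_rate_per_hour: float, hours: float = 8760.0) -> float:
    """P(f) over a one-year mission for a constant failure rate (exponential model)."""
    return 1.0 - exp(-failure_rate_per_hour * hours)


# Constructed one-year failure probabilities of the basic events (illustrative, not OREDA values).
BASIC: Dict[str, float] = {
    "CTRL_FAIL": 1.0e-3,     # controller fault
    "SB_FAIL": 5.0e-4,       # switchboard burnout
    "HEATER_FAIL": 2.0e-3,   # tank heater burnout
    "TANK_LEAK": 1.0e-4,     # storage tank leak
    "COMP_FAIL": 3.0e-3,     # reliquefaction compressor
    "COND_FAIL": 1.0e-3,     # reliquefaction condenser
    "ESD_SPURIOUS": 5.0e-4,  # spurious emergency shutdown valve closure
    "PCV_A": 1.0e-2,         # redundant pressure control valves (both must fail)
    "PCV_B": 1.0e-2,
    "FC_MOD_1": 2.0e-2,      # two FC modules; low voltage only if both are lost
    "FC_MOD_2": 2.0e-2,
}

TREE: Gate = ("OR", [                                                     # top: low-voltage output
    ("OR", ["CTRL_FAIL", "SB_FAIL"]),                                     # control system
    ("OR", ["HEATER_FAIL", "TANK_LEAK", ("OR", ["COMP_FAIL", "COND_FAIL"])]),  # containment + reliquefaction
    ("OR", ["ESD_SPURIOUS", ("AND", ["PCV_A", "PCV_B"])]),                # supply system
    ("AND", ["FC_MOD_1", "FC_MOD_2"]),                                    # fuel-cell stack
])


def evaluate(gate: Gate, failed: Dict[str, bool]) -> bool:
    """True when the gate's event occurs for the given basic-event states."""
    if isinstance(gate, str):
        return failed[gate]
    kind, children = gate
    outcomes = [evaluate(c, failed) for c in children]
    return any(outcomes) if kind == "OR" else all(outcomes)


def basic_events(gate: Gate) -> List[str]:
    if isinstance(gate, str):
        return [gate]
    seen: List[str] = []
    for child in gate[1]:
        for e in basic_events(child):
            if e not in seen:
                seen.append(e)
    return seen


def top_probability(gate: Gate, probs: Dict[str, float], fixed=None) -> float:
    """Exact P(gate) by enumerating every state of the free basic events; `fixed` pins some events."""
    fixed = dict(fixed or {})
    free = [e for e in basic_events(gate) if e not in fixed]
    total = 0.0
    for bits in product((False, True), repeat=len(free)):
        state = {**fixed, **dict(zip(free, bits))}
        if evaluate(gate, state):
            weight = 1.0
            for e, has_failed in zip(free, bits):
                weight *= probs[e] if has_failed else 1.0 - probs[e]
            total += weight
    return total


def minimal_cut_sets(gate: Gate) -> List[FrozenSet[str]]:
    """Smallest combinations of basic events that alone cause the top event (coherent tree assumed)."""
    events = basic_events(gate)
    found: List[FrozenSet[str]] = []
    for size in range(1, len(events) + 1):
        for combo in combinations(events, size):
            cut = frozenset(combo)
            if any(known <= cut for known in found):
                continue  # contains a smaller cut set, so it is not minimal
            if evaluate(gate, {e: e in cut for e in events}):
                found.append(cut)
    return found


def importance(gate: Gate, probs: Dict[str, float]):
    """Per basic event: (Fussell-Vesely, Birnbaum, Euclidean combination of the two)."""
    p_top = top_probability(gate, probs)
    measures = {}
    for e in basic_events(gate):
        p_if_failed = top_probability(gate, probs, {e: True})
        p_if_working = top_probability(gate, probs, {e: False})
        birnbaum = p_if_failed - p_if_working        # sensitivity of the top event to this event
        fussell_vesely = 1.0 - p_if_working / p_top  # share of P(top) this event contributes
        measures[e] = (fussell_vesely, birnbaum, sqrt(fussell_vesely ** 2 + birnbaum ** 2))
    return p_top, measures


def rank_faults(gate: Gate, probs: Dict[str, float]) -> List[str]:
    """Basic events ordered by the combined (Euclidean) importance, most critical first."""
    _, measures = importance(gate, probs)
    return sorted(measures, key=lambda e: measures[e][2], reverse=True)


if __name__ == "__main__":
    p_top, measures = importance(TREE, BASIC)
    print(f"P(top) over one year: {p_top:.3e}")
    print("Minimal cut sets:", [sorted(m) for m in minimal_cut_sets(TREE)])
    for e in rank_faults(TREE, BASIC):
        fv, ib, combined = measures[e]
        print(f"{e:<13} IFV={fv:.3f}  IB={ib:.3f}  combined={combined:.3f}")
```

Applying `top_probability` to a sub-gate gives the intermediate-gate P(f) of Figure 8. In this constructed tree the compressor ranks first on the combined measure even though its own probability is not the largest: it sits directly under OR gates (Birnbaum close to 1) and carries the largest share of the top-event probability (highest Fussell-Vesely), whereas the redundant valves and FC modules behind AND gates rank last because the top event is barely sensitive to any one of them. Exact enumeration is only practical for a few dozen basic events; real FTA tools work from the minimal cut sets with rare-event or inclusion-exclusion approximations.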

Critical Functional Failure
After identifying the critical faults of the system using the FTA, a quantitative analysis was performed to obtain the critical functional failures of the subsystems. The previous analysis suggested that the FC stack, storage tank, and reliquefaction subsystem have the highest probability of failure. In addition, it was found that the faults of the compressor are the most critical, as they can affect the reliquefaction system and its components. An FMECA was performed, and the functional failures were categorised according to the ranking adopted in [67]. The derived results with an RPN higher than 100, which are considered of moderate to extremely high criticality, can be found in Appendix A. The percentage of critical failures per system is presented in Figure 10, where it is evident that the ammonia heater system had the highest number of functional failures. However, the systems with the most critical functional failures were the FCs and the ammonia containment, as can be derived from the extended table in Appendix A. In this section, only the results of high to extremely high criticality (RPN > 250) are presented and discussed in Table 3.
As seen in Table 3, the components with the most critical functional failures were the FC module and the switchboard of the FC system, the tank heater in the ammonia containment system, and the compressor in the reliquefaction system. These results are in agreement with the findings of the previous section, and the failure effects of these components were therefore investigated further. The most critical functional failures of the system were the low electrical voltage and low gas mass flow rate of the FC module, which can be caused by either hydrogen attack or thermal degradation. The former is a result of the potential diffusion of atomic hydrogen, which can lead to blistering, embrittlement, or cracking of the FC components. The latter is an outcome of the change in the properties of the FC materials due to exposure to the high operating temperatures of the FCs. In addition, a functional failure with a lower RPN was the low electrical voltage of the FC module due to dielectric breakdown, or of the FC switchboard due to burnout. The former occurs when the electric field strength surpasses the dielectric strength of an insulating material, whereas burnout is a result of material degradation occurring during long-term ageing and leading to an increased, localised power-density dissipation. Similarly, the low temperature of the tank heater is a critical functional failure caused by material burnout, and similar causes can lead to a low gas mass flow rate or static pressure of the compressor.

Conclusions
The decarbonisation of shipping has attracted great attention, leading to the introduction of novel configurations and alternative zero-carbon fuels. Nonetheless, prior to the commercialisation and acceptance of these systems, it is essential to prove that they are at least as safe as the traditional systems. Therefore, a safety and risk assessment of the new technologies and fuels is crucial to support the endorsement of the new system.
In this work, a novel ammonia-powered fuel-cell system is proposed, which can play a significant role in shipping decarbonisation. A holistic safety, reliability, and operability methodology was developed and applied to the proposed system. A HAZID analysis was performed with participants from both academia and industry to identify the main hazards, and relevant safeguards were proposed. Ammonia leak inside the fuel cell was identified as one of the most critical hazards, which is attributed to the fuel characteristics and can have severe impacts on the other systems. Furthermore, the examined system was depicted in a functional model, allowing further safety and reliability analysis. The operability of the system was evaluated, and it was found that the failure of the control system affects the most components, whereas the failure of the ammonia tank heater destabilises the operation of the system for the longest interval. As a result, further safety operational procedures can be adopted, such as testing and inspection of the control system in order to avoid failures. Furthermore, an FTA was performed to obtain the critical components and faults according to their reliability. The results indicated that the switchboard, the controller of the system, the tank heater, the reliquefaction compressor, and the fuel cells are amongst the most critical components regarding failure and reliability. Finally, an FMECA study was performed, and the functional failures of the systems were ranked according to their criticality, with the fuel cells being among the components with the most critical functional failures. Consequently, risk control options, including operating practices and design modifications, should address these components.
It was derived from the analysis that one of the main challenges in introducing a novel system with ammonia onboard is to limit the potential exposure of the crew to ammonia, due to the toxicity of the fuel. Potential safeguards were discussed in this work, such as placing the bunkering station in a safe location and enabling the crew to oversee the procedure remotely. Another measure is sufficient ventilation and the placement of outlets in areas where there is a low risk of subjecting the crew to ammonia exposure. The need for the identification of hazardous zones was also highlighted. Lastly, it is expected that the crew will be equipped with special attire in order to minimise the risk of potential exposure. At a future stage, the dispersion of potential leakages and the impact they can have on the ship, crew, and marine environment need to be investigated. This is a step that requires dedicated analysis and is significant for the introduction of a novel system with a toxic fuel, such as the one described herein.
In future work, the modelling of the system could be expanded including more detailed analysis of the components, when the system is more mature and relevant information is available. Furthermore, the reliability data found in OREDA are not derived specifically for ammonia; thus, the rates considered should be updated in future work when more specific data are found.
These outcomes shed initial light on the design and operating hazards of the proposed novel ammonia-powered fuel-cell system. This study is vital to understand the new risks and safety requirements created by the introduction of a novel fuel and, thus, can provide support to both technological and policy framework development.

Acknowledgments: This work was partially supported by the "ShipFC" project that was funded by the European Union's Horizon 2020 research and innovation programme under grant agreement No. 875156. The authors greatly acknowledge the funding from the DNV and Royal Caribbean Group for the MSRC establishment and operation. The opinions expressed herein are those of the authors and should not be construed to reflect the views of EU, DNV and RCG.

Conflicts of Interest:
The authors declare no conflict of interest.