Abstract

The development of innovative, complex marine systems, such as autonomous ship concepts, has led to risk-based approaches in design and operation that provide safety level quantification and continuous risk assessment. The existing approaches to dynamic risk assessment mainly aim at updating accident probabilities for specific risk scenarios, based on knowledge of system operation and failure, as well as on past accident and failure information. However, for innovative marine systems that include complex interactions, our ability to identify everything that might go wrong is very limited, which may lead to unidentified risks, and failure data may not be available. This paper presents the foundations of a framework for dynamic risk assessment, which is equally applicable to manned and autonomous ships and relies mainly on information about the safe operational envelope and on real-time information regarding deviations from safety. Inspiration is drawn from how the biological immune system identifies the risk of infection in a dynamic environment. The objective is to show the feasibility and benefits of our approach for quantifying the operational risk of marine systems. This paper provides the conceptual basis for developing ship-specific applications and describes a process for dynamic risk assessment that is methodologically based on artificial immune systems. To demonstrate the implementation of our framework, we describe an illustrative example that involves a ship in a grounding scenario. The results show that the bio-inspired assessment process and risk description can reflect changes in the risk level of a marine system.

1. Introduction

Modern conventional ships have a long history of operation and therefore the industry has accumulated significant knowledge about what can go wrong and the potential consequences. This knowledge has led to the development of the International Maritime Organization’s (IMO) framework of prescriptive regulations for maintaining operational safety. However, in regulation-driven risk management, safety is an assumed quantity that is not explicitly quantified.

To provide an explicit statement of the level of safety, risk-based approaches have been developed either at the regulatory level, for evaluating risk control options through the IMO’s formal safety assessment [1], or at the designer level, for evaluating design solutions through risk-based design [2]. Building on these developments, Vassalos and Papanikolaou [3, 4] have defined the concept of life-cycle risk management (LCRM) as a formal process for assuring safety cost-effectiveness by reducing and mitigating risk in the design phase and managing the residual risk in normal operation and emergencies. In the design phase, the total risk related to major accidents is quantified and unacceptable risks are addressed [2]. The residual risk in operation is managed by continuous monitoring with real-time operational data. Continuous risk assessment provides feedback to the operation of the same ship and to the design of future ships.

The incentive for this new approach has been the development of more innovative, complex marine systems that deviate from the regulatory assumptions and whose safety level therefore needs to be verified in alternative ways. The latest such systems are autonomous ship concepts, for which Utne et al. [5, 6] have implied LCRM, although without using the term, as the way forward to address the new risks and related uncertainties about their operation. These are associated with new, more complex interactions for which knowledge is currently very limited, such as that between an unmanned ship with advanced artificial intelligence (AI) and a conventional manned ship.

In practice, the LCRM concept is implemented through: (1) static probabilistic risk assessment (PRA) in the design phase, which is based on risk models that quantify the probability of expected consequences in predefined risk scenarios (e.g. fire, flooding, grounding), and (2) dynamic risk assessment (DRA) in operation, which aims to consider changes in the system and the environment by updating the prior probabilities calculated in the design phase by exploiting system-specific operational data [4, 7]. Predefined risk (or accident) scenarios are a ‘sequence of events from the initiating event to one of the final stages' [1] and have been the foundation of risk assessment since the definition of risk by Kaplan and Garrick [8]. Identifying risk scenarios depends on knowledge of how the system operates and how it might fail, as well as on past accident and failure information. This information is typically used both for determining the specific sequence of events and for quantifying probabilities.

However, for innovative marine systems that include complex interactions, our ability to identify everything that might go wrong is very limited, which may lead to unidentified risks. Although there are approaches that attempt to discover previously unidentified risks during operation, they depend on the availability of relevant safety performance data [9]. This is also the case when Bayesian updating is used [10] or when DRA models are derived from accident data [11]. These approaches are challenged when appropriate data are not available or are of low quality. Therefore, there is a need to develop risk assessment approaches that do not depend solely on modelling accident scenarios but on models that describe how the system functions [12].

In this paper, we describe the foundations for a framework that is inspired by the mechanisms the biological immune system uses to identify and respond to harmful pathogens. The immune system has evolved to control the risk of infection in a dynamic environment without necessarily having prior knowledge of specific pathogens [13]. This property is owed to adaptive immunity, which ‘enables the body to recognise and to respond to any microbe, even if it has never faced the invader before' [14]. The framework aims to guide the development of dynamic, machine-learning approaches for risk identification and assessment that do not rely solely on predefined risk scenarios and past accident data. The main research problem addressed is how we can describe and measure risk given an unsafe state and having limited or no safety performance data.

The objective of this paper is to provide a high-level description of the framework that includes some methodological issues in a non-exhaustive way and to demonstrate the feasibility and benefits of our approach for quantifying the operational risk of marine systems. Our paper focuses on describing the state of the system and assessing risk by evaluating its relationship to normal (safe) operation, considering that the latter is characterized by performance variability. It involves a method for identifying unsafe states that depends mainly on safe operational data and a method for quantifying risk considering the deviation of the current state from safe operation. Our approach exploits a system risk perspective [15], which links hazardous system states influenced by human, organizational and technical factors to potential consequences. Methodologically, it also draws from the artificial immune system (Artificial IS) framework, as described by de Castro and Timmis [16].

The rest of this paper is structured as follows. The Background section describes the biological mechanisms of the immune system, which are relevant to our framework, and provides a survey of existing Artificial IS applications for DRA and fault detection and diagnosis. The next section describes the foundations and the methodology for DRA implemented through our bio-inspired framework. Subsequently, we demonstrate the approach through an illustrative example involving a ship in a grounding scenario. In the Discussion, we position our work with respect to the relevant literature, describe the benefits and limitations of our approach and outline our future research steps. The paper concludes with the benefits of drawing inspiration from the immune system for dynamic risk assessment.

2. Background

2.1 Biological immune system

The biological immune system is a complex, distributed and evolving system that identifies and responds to pathogens throughout the lifetime of an organism [13]. The purpose of the immune system is to protect in ‘a way that minimises harm to the body and ensures its continued functioning'. Pathogens are harmful microorganisms (e.g. viruses, bacteria, etc.) that attack the host and, if left unchecked, are the source of disease. They constitute the so-called non-self, while self is whatever is part of the organism [17]. The immune system has two defining characteristics: (1) dynamic maintenance of the ‘identity of self' based on its encounters with pathogens and (2) adaptation to self, which is expressed through self-tolerance, and to non-self, which is expressed through immune memory [18].

After infection, pathogens attempt to proliferate by exploiting the resources of the organism. The result is that they disrupt normal functionality at the micro (cells) and macro (high-level functionalities, such as breathing) levels. Infection can result in one of the following outcomes: (1) elimination, (2) commensalism, (3) colonization, (4) persistence and (5) disease [19]. If the immune response of the host is effective then the pathogen may be eliminated before causing significant damage. The other four outcomes are differentiated based on the amount of damage inflicted by the pathogen [19]. According to the Merriam-Webster dictionary, disease can be defined as ‘a condition that impairs normal functioning and is typically manifested by distinguishing signs and symptoms'. Symptoms are used by an external observer as indicators of host damage (e.g. difficulty breathing caused by extensive damage to the lungs) or of the immune system’s activity (e.g. increasing the temperature of the body to create an inhospitable environment for pathogens; Fig. 1). The immune system may only perceive microscopic damage to the host and not macroscopic, system-wide consequences. However, there is evidence that it may prioritize its response to protect the most vital organs, which may be connected to an awareness of the critical functionalities for sustaining life [20].

Fig. 1. The biological process from infection to disease.

The immune system achieves its objectives with two structures, namely the innate and adaptive immune systems, which interact to provide a combined response to pathogens [17]. Immune response involves identifying pathogens as harmful agents, trying to eliminate them and maintaining a memory to provide a faster response in the future [13]. The immune response to a pathogen that has not been previously encountered is called the primary response. When the same or a similar pathogen is identified in the future, the immune response is called secondary and has the following characteristics [13, 19]: (1) lower latency because the pathogen is recognised faster and (2) enhanced response due to the population of antibodies increasing at a higher rate and to higher values. The secondary response is therefore more effective in controlling the replication of pathogens and minimizing the damage to the organism. This is a learning process, which is enabled by the ability to remember interactions with pathogens. Immune memory is also effective for similar pathogens (associative property) and it persists even if some ‘memory cells’ are lost (robustness) [21].

The main components that participate in the immune response are antigens and lymphocytes. An antigen is any foreign substance that triggers an immune response [18]. Pathogens carry antigens on their surface, which lymphocytes use for detection. Lymphocytes mainly consist of B-cells and T-cells that continuously circulate through the organism via the lymphatic system [13] and produce antibodies, whose physical structure complements the structure of the antigens in a ‘lock and key' manner. In the following, we refer to lymphocytes collectively as components of the immune system.

The following is a simplified description of the interactions among the components that contribute to the adaptive immune response (Fig. 2) and the main mechanisms that govern the global behaviour of the immune system. The stages of the response include: (1) generation and maturation, where the relationship between lymphocytes and the self is established for self-tolerance; (2) identification and response, which depends on the interactions between lymphocytes and antigens; and (3) immune memory, where information about encountered pathogens is ‘stored' for future use.

Fig. 2. The interactions among the immune system components during an adaptive immune response.

Immature lymphocytes are generated in the bone marrow and the thymus, which are part of the lymphatic system, through random recombination of genes from a gene library [18]. To avoid self-reactive effects and achieve self-tolerance, these cells go through a maturation process that is based on the principles of negative and positive selection (Fig. 2). In negative selection, cells that bind to self antigens are discarded [13], while in positive selection, cells that bind to non-self antigens are kept.

Antibodies recognize antigens when their similarity (or affinity) to the antigen is sufficiently high [17], which means that ‘a single antibody will recognise more than one type of antigen (diversity)' [22]. Once the antigen has been recognized, lymphocytes become activated and their population is expanded to deal with the increasing population of pathogens through the clonal expansion process [19]. In their activated state, lymphocytes produce antibodies that neutralise antigens (Fig. 2).

This mechanism is described by the clonal selection theory [13], according to which only the lymphocytes whose antibodies have the highest affinity to an antigen are allowed to proliferate. During clonal expansion, lymphocytes are cloned at a rate proportional to their affinity, so that those with the best match reproduce the most. A clone is a copy of its parent cell and ‘clone size refers to the number of offsprings generated by the parent cell' [23]. The clones are subjected to high rates of random mutation (somatic hypermutation) at a rate inversely proportional to their affinity to the antigen. This means that better-matching antibodies get more clones but do not need to be mutated as much. This process is called affinity maturation and improves the affinity of the lymphocyte population to the specific antigen.
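The clonal selection and affinity maturation mechanism just described, written out as an added example (this is illustration code, not code from the paper or from any Artificial IS library). It assumes a real-valued representation: antibodies and the antigen are vectors, affinity is an inverse-distance measure, clone count grows with affinity and mutation step size shrinks with it, and the best-matching cells survive each generation. The antigen, population size and parameter values are constructed for the demonstration.

```python
import math
import random


def affinity(antibody, antigen):
    """Affinity as inverse Euclidean distance: 1.0 at a perfect match, -> 0 far away."""
    return 1.0 / (1.0 + math.dist(antibody, antigen))


def random_population(n, dim, seed=1):
    """Constructed initial repertoire: n antibodies drawn uniformly from [0, 1]^dim.

    Stands in for the random gene recombination that produces immature lymphocytes.
    """
    rng = random.Random(seed)
    return [[rng.random() for _ in range(dim)] for _ in range(n)]


def clonal_selection(antigen, population, generations=20, n_select=5,
                     clone_factor=10, mutation_scale=0.5, seed=0):
    """Simplified clonal selection with affinity maturation.

    Each generation:
      1. rank the repertoire by affinity to the antigen;
      2. clone the n_select best, with a clone count proportional to affinity;
      3. mutate every clone (somatic hypermutation) with a Gaussian step whose
         size is inversely proportional to the parent's affinity;
      4. keep the best `len(population)` cells among parents and clones.
    Returns the matured repertoire (same size as the input).
    """
    rng = random.Random(seed)
    pop = [list(a) for a in population]
    size = len(pop)
    for _ in range(generations):
        ranked = sorted(pop, key=lambda a: affinity(a, antigen), reverse=True)
        clones = []
        for ab in ranked[:n_select]:
            aff = affinity(ab, antigen)
            n_clones = max(1, round(clone_factor * aff))  # more clones for better matches
            sigma = mutation_scale * (1.0 - aff)          # smaller mutations for better matches
            for _ in range(n_clones):
                clones.append([x + rng.gauss(0.0, sigma) for x in ab])
        pool = sorted(pop + clones, key=lambda a: affinity(a, antigen), reverse=True)
        pop = pool[:size]  # elitist replacement: the best-matching cells survive
    return pop


def best_affinity(antigen, population):
    """Highest affinity to `antigen` found in the repertoire."""
    return max(affinity(a, antigen) for a in population)


if __name__ == "__main__":
    ag = [0.5, 0.5, 0.5]          # constructed antigen
    initial = random_population(20, 3)
    matured = clonal_selection(ag, initial)
    print("before:", round(best_affinity(ag, initial), 3),
          "after:", round(best_affinity(ag, matured), 3))
```

Because the replacement step is elitist, the best affinity in the repertoire can never decrease from one generation to the next; a secondary encounter with the same antigen would start from the matured repertoire, which is the learning effect the immune memory paragraphs describe.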

With respect to immune memory (Fig. 2), there are two main theories. One theory posits that, after clonal expansion, the best-matching lymphocytes are maintained as memory cells that survive in the organism long after exposure to a pathogen has ended. A different view is provided by the immune network theory proposed by Jerne [24], according to which the immune system can be stimulated even in the absence of antigens with a ‘natural eigen-behaviour' [16] because it preserves an ‘internal image' of the antigens it has encountered [25]. Because antibodies are randomly generated, the theory assumes that they can recognise other antibodies as well as antigens, and therefore they belong to a connected network of cells (idiotypic network) whose dynamics are governed by stimulation and suppression mechanisms. The state of the network is characterized by the population sizes of the different antibody types. In the presence of an antigen, antibodies with high affinity are stimulated, while antibodies with low affinity are suppressed. The network ‘propagates the disturbance as a wave leaving traces as a memory' [18]. Although this theory is controversial, mainly due to limitations in experimental validation [18], it provides an interesting systemic perspective of the immune system with emergent properties, such as memory and learning.

2.2 Artificial IS for dynamic risk assessment

Artificial IS is a conceptual framework that uses theoretical immunology concepts to construct computational systems for practical problem-solving [26]. This family of methodologies belongs to the AI and machine learning (ML) domains [23]. Artificial IS applications include pattern recognition, robotics, maintenance, learning, anomaly detection and optimization [27, 28]. De Castro and Timmis [16] have described a framework for Artificial IS, which includes the following three layers: (1) representation, where engineering concepts are mapped to biological entities; (2) affinity measures, which determine how the ‘antigen-antibody' interactions are evaluated; and (3) immune algorithms, which determine the ‘procedures of adaptation that govern the dynamics of the system' and its behaviour.

The Artificial IS applications relevant to our approach come from the aviation and information security domains and include fault (or more generally anomaly) detection and diagnosis, as well as DRA. It should be noted that DRA approaches encapsulate detection and diagnosis and complement the process with a method for risk assessment. In the information security domain, the motivation for developing real-time risk assessment is to evaluate the current condition of the system and to identify unknown problems, which is not possible with static risk assessments that generally reflect past attacks [29]. In the aviation domain, with respect to the failure detection and identification (FDI) framework developed by Moncayo et al. [30] and Perhinschi et al. [31], the objective is to detect whether an aircraft component has failed and identify which one.

2.2.1 Representation

In information security, ‘self' is defined as normal network activity and ‘non-self' as abnormal activity indicative of an attack on the network. The ‘antigen' is represented by network packets in a binary format and is the real-time information that needs to be evaluated. ‘Lymphocytes' or ‘antibodies' are represented by detectors, which consist of specific patterns in network packets that indicate an attack.

The information contained in the detectors also includes concentration, age and the related type of attack [29, 32–38]. Concentration is defined as the number of ‘antigens' that have been detected in a specified time window. The age of the detector is indicative of its success in detecting ‘antigens', as explained in the following section. The type of attack is a label used for identification once a detector matches an ‘antigen'.

In the aviation domain, the concepts of ‘self' and ‘non-self' are similarly defined as normal and abnormal system operation, respectively. The ‘antigen' is the real-time information about the behaviour of interest (in this case safety) that provides a way to detect abnormal conditions. In the FDI framework, it is a state vector that includes: aircraft state variables (e.g. aircraft angular rates), pilot input variables (e.g. stick and pedals displacement), stability and control derivatives, variables generated within the control laws and derived variables. The ‘antibody' has the same structure as the ‘antigen' and is a specific combination of state variable values that indicate a specific failure.

2.2.2 Immune algorithms and affinity measures

The basis for the detection applications is the negative selection principle and the negative selection algorithm (NSA) that was originally developed by Forrest et al. [39]. The algorithm starts with a training phase, where detectors are randomly generated, simulating the generation of antibodies in the lymphatic system, and are compared against self samples. If a detector matches self then it is deleted from the detector set. The resulting detector set is subsequently used for monitoring, where the detectors are compared against real-time information (antigens). If an ‘antigen' is matched by any of the detectors, then an anomaly or change has been detected.

The NSA requires training data from only one class (normally self) and therefore implements one-class learning [40]. The implication for our problem domain is that only knowledge of the self space (i.e. normal operation) would be required for mapping the non-self space. For example, in the FDI framework, the authors used extensive data sets from simulator scenarios at nominal conditions for training. In most of the reviewed approaches, the definition of self is static and determined during the training process. However, there is also the possibility of a dynamic self that is continuously redefined by monitoring the changes to the system itself [29]. In this approach, each time the self is redefined, the detectors are filtered through negative selection to remove the ones that no longer ‘tolerate' the self.

In the information security domain, the detectors are usually represented in binary format. However, other formats can also be used, such as real numbers, which are used in a variant of the algorithm, the real-valued negative selection algorithm (RVNSA) developed by Gonzalez et al. [41]. Using real numbers improves the ‘comprehensibility of the problem space representation'. The algorithm generates a random population of detectors that are iteratively improved to provide sufficient coverage of the non-self space. Each detector is associated with a detection radius (r_d) that is used as a threshold when comparing it to the self sample. The assumption is that values within the detection radius are similar to the central value and therefore indicate the same type of problem. The affinity measure used in RVNSA is the median distance from the detector to its k nearest neighbours in the self sample. If this distance is smaller than the detection radius then the detector is deleted from the detector set.

Affinity measures (or matching rules) are used for determining the distance between the ‘antibodies' and the ‘antigen'. Possible affinity measures include the r-contiguous bits rule or the Hamming distance for binary representations and the Euclidean distance for real-number representations [40]. The choice of affinity measure is one of the main parameters affecting the performance of the detection process in Artificial IS algorithms. Another important parameter is the resulting total number of detectors used for covering the non-self space. There is a trade-off between the accuracy of detection (i.e. being able to distinguish abnormal conditions) and the speed of detection, considering that having more detectors requires more comparisons with the ‘antigen' in real time.
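The negative selection training phase, the RVNSA k-nearest-neighbour median affinity with a detection radius, and the r-contiguous bits rule from the three paragraphs above, as one added example. This is illustration code, not the authors' code nor an implementation from Forrest et al. or Gonzalez et al.; the self sample (a small grid of two-dimensional points standing for normal operation), the detection radius, the number of candidate detectors and the test antigens are all constructed here.

```python
import math
import random

# Constructed self sample: 25 points on a grid inside [0.2, 0.4]^2, standing for
# the safe operational envelope of two normalised state variables.
SELF_SAMPLES = [[0.2 + 0.05 * i, 0.2 + 0.05 * j] for i in range(5) for j in range(5)]
R_D = 0.1  # assumed detection radius r_d


def knn_median_distance(point, self_samples, k=3):
    """RVNSA affinity measure: median distance from `point` to its k nearest self samples."""
    dists = sorted(math.dist(point, s) for s in self_samples)[:k]
    mid = len(dists) // 2
    if len(dists) % 2:
        return dists[mid]
    return 0.5 * (dists[mid - 1] + dists[mid])


def train_detectors(self_samples, n_candidates, r_d, k=3, dim=2, seed=0):
    """Negative selection training: random candidates that 'bind' self are discarded.

    A candidate binds self when its kNN median distance to the self sample is
    smaller than r_d; only the survivors become detectors for the non-self space.
    """
    rng = random.Random(seed)
    detectors = []
    for _ in range(n_candidates):
        cand = [rng.random() for _ in range(dim)]
        if knn_median_distance(cand, self_samples, k) >= r_d:
            detectors.append(cand)
    return detectors


def detect(antigen, detectors, r_d):
    """Monitoring phase: indices of detectors whose radius covers the antigen.

    An empty list means the antigen is tolerated as self; a non-empty list is
    an anomaly, and the matched detectors are what later carries attack labels.
    """
    return [i for i, d in enumerate(detectors) if math.dist(antigen, d) < r_d]


def r_contiguous_match(a, b, r):
    """Binary matching rule: True if bit strings a and b agree on r contiguous positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def hamming_distance(a, b):
    """Number of differing positions between two equal-length bit strings."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    dets = train_detectors(SELF_SAMPLES, 1000, R_D)
    print(len(dets), "detectors kept after negative selection")
    print("self-like antigen matched by:", detect([0.3, 0.3], dets, R_D))
    print("far antigen matched by:", detect([0.8, 0.8], dets, R_D)[:5], "...")
```

Every kept detector satisfies the kNN criterion by construction, so a point inside the grid can never be within r_d of a surviving detector; the far antigen is caught only because enough random candidates landed in the non-self region, which is the coverage-versus-detector-count trade-off noted above.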

2.2.3 Risk assessment

The Artificial IS applications for risk assessment are inspired by the fact that the presence of antigens stimulates the production of antibodies. The increasing population of antibodies, which target an increasing population of pathogens, can be used as a proxy measure of risk. For example, in Refs. [42, 43], risk is considered proportional to the concentration of ‘antibodies', and a stable population indicates the absence of risk. To enable the identification of the type of risk and the assessment of the potential consequences, information relevant to the detected problem can be attached to the detectors [31]. Combined with detector concentration, this information can be used for assessing the impact to the system, its operational envelope and its users.

In the information security domain, the risk assessment process consists of the following steps: (1) detector training, (2) identification of attack type from the information attached to activated detectors, (3) calculation of detector concentration in a specified time window, (4) calculation of the potential impact on the system and (5) calculation of risk.

For identifying the attack type, there are supervised or unsupervised approaches. Supervised approaches are based on prior knowledge of the type of attacks associated with each detector. Unsupervised approaches attempt to create clusters of similar detectors that are assumed to point to a specific attack type [29, 32], for example, by using self-organizing maps [44].

Concentration is calculated by counting the number of times a detector matches an ‘antigen' in the specified time window. This measure indicates the attack frequency per unit of time and is interpreted as the attack ‘intensity', which is assumed to increase the probability of potential consequences and therefore the risk to the system. The calculation is implemented through a counter that is increased either linearly [29, 32, 37] or as the ratio of activation frequency to the age of the detector [33].

The age of the detector is used as an indication of how successful it has been in identifying ‘antigens' and simulates the maturation process in the clonal expansion process. Mature detectors get promoted to memory detectors after successfully recognizing an ‘antigen' several times based on a predefined threshold. Memory detectors also represent ‘the number and types of network attacks that the system has suffered' in a period of time [29]. Detectors that fail to match enough ‘antigens' die out and are deleted from the mature detector set.

Once the attack type and the concentration of the associated detectors have been determined, there are different approaches for assessing the potential damage to the system. These are either based on expert knowledge by directly linking specific damage categories and their severity to attack types or based on influence factors that are weighted, for example, through the analytic hierarchy process (AHP) [37].

The calculation of risk depends on a risk function with values in [0, 1] whose form makes risk increase with detector concentration, approximately linearly at low concentrations and saturating towards 1 at high concentrations. This is accomplished by passing the concentration through an inverse exponential [29, 37, 45] or logarithmic function [38]. Detector concentration is also weighted by the severity of the attack on the system and the functional importance of the affected system components.

In the aviation domain, the FDI framework includes the following steps: (1) detection of aircraft subsystem in abnormal condition through detectors; (2) identification of the failed subsystem through identifiers; (3) qualitative evaluation, where the type of failure (e.g. control surface locked) is identified through evaluators; (4) direct quantitative evaluation, where the magnitude of the failure is assessed (e.g. 40% of surface area damaged); and (5) indirect quantitative evaluation, where the impact of the failure on the operational envelope is assessed.

Detectors are trained with a negative selection algorithm on ‘self' samples. Identifiers and evaluators are specialised detectors that ‘have been labeled previously to represent specific categories of failures through an offline process that is equivalent to detectors generation based on positive selection strategy performed repeatedly on selves at each failure category' [30].

The concept of detector concentration is also used in the FDI framework, where ‘a detection parameter ζ is calculated that represents the number of consecutive points over a window ω that trigger detectors summed over all selves' [30]. If the detection parameter remains below a predefined threshold, this indicates a potential failure and a simple warning is issued. If it exceeds the threshold, a failure is considered to have occurred and the identification and evaluation process is triggered. The difference from the information security applications is that concentration is not used as a weighting factor on the potential consequences of a detected problem, but as a way to decrease uncertainty about whether a failure has occurred.
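The two uses of detector concentration described above, as one added example: the information-security risk pipeline (concentration in a time window, supervised attack-type identification from detector labels, severity and importance weighting, and an inverse-exponential risk function in [0, 1]) and the FDI-style detection parameter ζ that turns a run of consecutive triggers into a warning or a failure decision. This is illustration code, not the paper's method or any cited system; the detector labels, severity and importance values, activation log, window and thresholds are constructed, and the reading of ζ as the longest run of consecutive triggered samples in the last ω samples for a single self is an assumption.

```python
import math

# Constructed detector metadata (assumed values): attack label, severity of the
# attack and functional importance of the affected component, both in (0, 1].
DETECTOR_INFO = {
    "d1": {"attack": "port_scan", "severity": 0.3, "importance": 0.5},
    "d2": {"attack": "brute_force_login", "severity": 0.7, "importance": 0.9},
}

# Constructed activation log: (time in seconds, detector id) appended each time a
# detector matched an antigen during monitoring.
ACTIVATIONS = [(0, "d1"), (1, "d1"), (2, "d2"), (3, "d2"), (4, "d2"), (12, "d1")]


def concentration(activations, window_start, window_len):
    """Matches per detector inside the half-open window [start, start + len)."""
    counts = {}
    for t, det in activations:
        if window_start <= t < window_start + window_len:
            counts[det] = counts.get(det, 0) + 1
    return counts


def attack_types(counts, info):
    """Supervised identification: activated detectors map to their attack labels."""
    return sorted({info[d]["attack"] for d in counts})


def risk_score(counts, info, scale=5.0):
    """Risk in [0, 1] as 1 - exp(-c / scale), with c the weighted concentration.

    Weighting by severity and importance makes a few matches on a critical
    component count more than many matches on a low-impact one; the inverse
    exponential keeps the value bounded and monotone in the concentration.
    """
    weighted = sum(n * info[d]["severity"] * info[d]["importance"]
                   for d, n in counts.items())
    return 1.0 - math.exp(-weighted / scale)


def detection_parameter(trigger_flags, window):
    """FDI-style zeta (assumed reading): longest run of consecutive triggered
    samples among the last `window` samples of a 0/1 trigger sequence."""
    best = run = 0
    for flag in trigger_flags[-window:]:
        run = run + 1 if flag else 0
        best = max(best, run)
    return best


def fdi_status(zeta, threshold):
    """Below the threshold a run of triggers only warns; at or above it, a
    failure is declared and identification/evaluation would be started."""
    if zeta == 0:
        return "normal"
    return "failure" if zeta >= threshold else "warning"


if __name__ == "__main__":
    counts = concentration(ACTIVATIONS, 0, 10)
    print("window 0-10:", counts, attack_types(counts, DETECTOR_INFO),
          "risk =", round(risk_score(counts, DETECTOR_INFO), 3))
    flags = [0, 1, 1, 0, 1, 1, 1, 0]
    print("zeta =", detection_parameter(flags, 8), fdi_status(detection_parameter(flags, 8), 5))
```

With the constructed values the first window yields two port-scan and three brute-force matches, a weighted concentration of 2.19 and a risk of about 0.355; an empty window gives exactly 0. The trigger sequence has a longest run of three, which stays a warning under a threshold of five.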

Another difference is that there is no explicit calculation of risk in the FDI framework. However, it includes the evaluation of the magnitude of the detected failure and its potential impact on system operation, which are elements of risk. The failure magnitude can be assessed quantitatively if the Artificial IS algorithms are combined with analytical methods, or qualitatively, based on another set of evaluators that are used for classification on an ordinal scale (e.g. low, medium, high) or on the distance of the activated detectors from the self samples [31, 46]. Regarding the impact on the system, the authors have suggested an approach where a ‘new self' is estimated by applying the constraints on the state variables that are implied by the failures. The ‘new self' reflects the limitations imposed on system functionality by the failures and is essentially a new, reduced operational envelope.

3. Bio-inspired risk framework

In this section, we describe the foundations of a bio-inspired framework for dynamic risk assessment of marine systems, which can be used as a guide for developing Artificial IS algorithms. This framework is based on the idea that the multiplying numbers of antibodies, which the immune system generates to fight off an increasing population of pathogens, can be used as an indicator of risk. This is similar to how viral infections are diagnosed by measuring the concentrations of specific antibodies in the bloodstream. With respect to describing risk, we use the System-Theoretic Accident Model and Processes (STAMP) approach to accident causation as a basis and employ the terminology of Leveson and Thomas [47] to implement a systemic approach that focuses on failed interactions among system components and not only on individual component failures.

3.1 Basic concepts and biological analogies

Based on the Artificial IS framework as described by de Castro and Timmis [16], the first step of our approach is to determine the representation for our problem domain. For this purpose, we describe the engineering analogies to self, non-self and pathogens, as well as their relationships.

We define ‘self' to be a safe state in which the system fulfils its goals within the normal operational envelope and risk is sufficiently controlled. The concept of an operational envelope implies that a certain amount of variability is acceptable for the variables that describe system operation. Complementary to the concept of ‘self', we define ‘non-self' as an unsafe state in which the system’s normal operation is disrupted under the influence of risk factors. Borrowing from the STAMP terminology, ‘non-self' can be considered as a system-level hazard, which is defined as ‘a system state or set of conditions that, together with a particular set of worst-case environment conditions, will lead to an accident (loss)'.

Based on this, we describe an analogy between the process of loss occurrence and the process of disease caused by pathogen infection described in the Background section (see Fig. 1). In the STAMP model, accidents (or losses in general) are caused by factors that influence the development of unsafe control actions (UCAs), which subsequently may lead to system-level hazards (unsafe states). As shown in Fig. 3, the causal factors, or risk-influencing factors (RIFs) [48], are the ‘pathogens', the development of unsafe states is the equivalent of ‘host damage' and the potential consequence of an unsafe state is the ‘disease'. The engineering equivalent of ‘symptoms' can be considered as the indicators that can be observed during operation (e.g. deviation from the planned course) and point to compromised system functionality (e.g. limited ship manoeuvrability). Just as fever indicates that the immune system of an organism is active and trying to deal with a pathogen, compromised system functionality can also be inferred from feedback received from a risk monitoring and control system (e.g. a warning). Furthermore, indications of compromised system functionality can be used for ‘diagnosing' the potential consequence of an unsafe state that may result in a loss. Although Fig. 3 includes risk control, we have not elaborated on this aspect of the framework because, in this paper, we focus on risk monitoring and assessment.

Fig. 3. Analogy between loss occurrence and the process of disease caused by pathogen infection.

Having defined the high-level concepts, we describe the engineering analogies to antigens, lymphocytes and memory cells, as well as their relationships. It should be noted that for the purposes of this paper, we do not make the distinction between B-cells and T-cells, considering that the basic biological mechanism for identification is the same.

Antigens are the signature of pathogens, from which the immune system can identify them. In an engineering context, the ‘antigen' is the information about the current system state from which we can perceive the development of unsafe states and which reflects the effect of causal factors during operation (see Fig. 4). The ‘antigen' should indicate the compromised system functionality (symptoms) in an unsafe state. This information can be captured by an appropriate number of state variables that describe the safety-related behaviour of the system in relationship with its environment.

Fig. 4. The interaction among the components used for risk identification.

Considering that our objective is to dynamically measure the risk level of the system, we use the concept of a risk indicator as a good candidate for a state variable. A risk indicator is ‘a measurable/operational definition of a RIF' and is implicitly related to a risk model that describes the relationships among the RIFs and their effect on the risk level [49]. Therefore, the ‘antigen' (Ag) could be structured as a state vector consisting of risk indicator values that should vary in the time frame selected for the dynamic assessment (e.g. hours, days, months, etc.) [48] (see Eq. 1, where N is the number of risk indicators).
(1)
A structured process should be followed for identifying the risk indicators. An indicative example is the work by Utne et al. [6], who implemented System-Theoretic Process Analysis (STPA) and used the extracted information (i.e. system-level hazards, UCAs and RIFs/causal factors) to structure a Bayesian Network (BN) whose parent nodes are variables that can be measured in real time. Regarding the issue of how many variables are necessary, the state vector may be subject to a state explosion effect in terms of the amount of information it contains. Therefore, part of this structured process should be filtering the identified risk indicators to minimise the variables in the state vector while maintaining a comprehensive representation.

In Artificial IS approaches, ‘lymphocytes' have the same structure as the ‘antigen' and their exact representation depends on the problem addressed (e.g. classification, optimization, anomaly detection). In our approach, ‘lymphocytes' are detectors that consist of the same risk indicators as the ‘antigen'. Each detector contains specific values and therefore corresponds to a specific potential unsafe state or condition.

As an engineering analogue to the adaptive immune response, Fig. 4 shows the detector life cycle and the interaction between detectors (lymphocytes) and the current state of the system (antigen). Detectors are generated offline from information about the ‘self', i.e. from samples of normal system operation. Immature detectors are subjected to a negative selection process where they mature to only detect unsafe states (‘non-self') and provide the equivalent of ‘self' tolerance. The resulting set of mature detectors is used during operation to detect problems or, in other words, ‘symptoms' of unsafe operation. Once a detector has been activated and as long as it remains in this state, its ‘concentration' will increase through a counter variable. This mimics the clonal expansion of activated lymphocytes. Detectors with high ‘concentrations' indicate a problem that persists. In addition, activated detectors can be used to assess the problem, which includes identifying the type of problem, assessing its severity, its impact on the system and the potential consequences. Detectors that have been successful in identifying unsafe states are stored as ‘memory cells', which keep a record of encountered risks and their frequency.

3.2 Bio-inspired dynamic risk assessment

The engineering analogies to immune system concepts are used in our process for dynamic risk assessment, which includes the following phases: (1) detector training, (2) detection and diagnosis and (3) risk assessment. The following sections describe the process in each phase.

3.2.1 Detector training

In the detector training phase, a set of mature detectors is created that match only unsafe system states through an iterative negative selection process. Fig. 5 shows the steps of the training process, as well as an indicative mature detector set, with variable detector radii, for a feature space with two elements (X1 and X2) relative to the self space.

Fig. 5. Training process and indicative set of mature detectors.

The required ‘self' data are specific values of the risk indicators, which are also used in the ‘antigen' and ‘lymphocyte' structure. The data should adequately reflect the system’s safe operational envelope and can be obtained either from statistical or from simulated data. The ‘self' data can then be clustered to improve the performance of the algorithm with respect to the time required for comparing them to the immature detectors [50]. The result would be ‘self' clusters that consist of a representative, central value and a ‘self' radius (rs), see right-hand side of Fig. 5.

Considering that the state variables are real numbers, an appropriate negative selection algorithm could be based on the RVNSA that was described in the background section. The immature detectors can be generated either randomly, as proposed in the original NSA algorithm, or in a non-random way that can be considered equivalent to ‘vaccinating' the system with information about known problems [51]. The objective is to cluster the non-self space based on samples of safe system operation and by considering criteria, such as the coverage of the non-self feature space and the degree of overlap among detectors [31]. An important parameter that affects the detection process is the detection radius (rd), which determines the size of the detector (right-hand side of Fig. 5). Very large detectors would limit the ability to distinguish between different unsafe states, while very small detectors would affect performance because a large number of detectors would be required to adequately cover the non-self space. In addition, the detector size can be fixed, optimized during training, or variable (i.e. each detector can have a different radius).

Immature detectors are evaluated based on their similarity (affinity) to the clustered ‘self' samples. This requires the selection of an affinity measure that is appropriate for the problem domain. In real-valued Artificial IS applications, the Euclidean distance is a commonly used measure. The threshold used for comparing the detectors to the ‘self' samples is a function of the ‘self' and detection radii. The same affinity measure can also be used to determine the amount of overlap among the detectors.

Once the mature set of detectors has been constructed, the last step of the training phase is to associate them with known problems. As identified in the literature, this process can either exploit prior knowledge (supervised, see [29, 32]) or not (unsupervised, see [44]). In addition, some approaches attempt to cluster the mature detectors, while others attempt to construct a second set of detectors through a positive selection process and data from known failures, which are subsequently used during monitoring in combination with the first set (see [31]).

3.2.2 Detection and diagnosis

The objectives of the detection and diagnosis phase are to: (1) classify the current state of the system as either safe or unsafe and (2) identify specific problems that may have caused the development of the unsafe state.

In this phase, the ‘antigen' at time t is compared to each of the mature detectors that resulted from the training phase (Fig. 6). The affinity measure used for the comparison can be the same as that used in the training phase. Given that each detector is associated with a detection radius rd, if the ‘antigen' falls within the radius (Aff(Ag, D) < rd) then the detector is said to be activated and an unsafe state may have been detected (see detector highlighted in grey in right-hand side of Fig. 6). Therefore, this approach allows a detector to be activated even if it does not exactly match the ‘antigen' but is similar enough. This simulates the approximate matching conducted by the immune system that enables it to correctly detect pathogens that it has not encountered before but are similar to the available antibodies. Due to this inexact matching, the detection process is characterized as probabilistic [39], which means that there is uncertainty about whether an unsafe state is detected.

Fig. 6. Detection and diagnosis process, indicative set of mature detectors, and ‘antigen' at time t.

Depending on the information attached to the detectors, the activated detectors can be used for diagnosing a specific type of problem and whether it is a known or unknown problem. If additional sets of detectors associated with known problems are used then the affinity of the ‘antigen' to these sets will also be calculated in the detection and diagnosis phase. The interested reader is referred to the multi-self strategy developed by Perhinschi et al. [31], where additional detectors are used to identify a specific aircraft subsystem or component that may have failed.

3.2.3 Risk assessment

The objectives of the risk assessment phase, given a specific problem that has been detected, are to assess (see Fig. 7): (1) the exposure of the system in a specified time window, (2) the severity of the problem, (3) the potential impact to the system’s functionality and (4) the likelihood of the current state leading to an accident. This is accomplished by exploiting the information available from the detectors, the ‘antigen' and their relationship with the safe operational envelope of the system (i.e. the ‘self').

Fig. 7. Risk assessment process and information layers.

The exposure of the system to the detected problem is assessed by using the concept of activated detectors ‘concentration', which is proportional to the number of activations in a specified time window. Due to the probabilistic nature of detection, an activated detector shows the potential development of an unsafe state. Therefore, high concentrations indicate a potential problem that is assumed to increase the likelihood of a failure occurring. In addition, ‘concentration' may refer to the same or different detectors that are activated in a time window and can also be normalized by the total number of detectors available. Eq. 2 provides an indicative way to calculate the concentration (E) of the detectors, assuming N detectors available and n activated detectors in Δt. In the left-hand side of Fig. 7, where a feature space with two elements (X1 and X2) is illustrated, the ‘antigen' has activated detector D1, which corresponds to problem type 1.
(2)
The severity of the problem with respect to the system’s safe operation is assessed by measuring the distance of the ‘antigen' to the ‘self' clusters. The assumption is that the likelihood of the development of unsafe states and subsequently adverse consequences increases with the distance from the safe operational envelope. However, this assumption does not necessarily hold for every state variable [31]. The distance measure used can be the same as the one used for training the detectors and determining the similarity of an ‘antigen' to the mature detectors (e.g. Euclidean distance for real-valued variables). Problem severity (S) is defined by Eq. 3, where Aff is an appropriate affinity measure (see Fig. 7).
(3)
For determining how the detected problem impacts the functionality of the system, and therefore its ability to revert to a safe state, we use the concept of the ‘new self' [30]. The idea is that a failure limits what the system can do and this can be reflected in the state variables of the ‘self' clusters by constraining their values accordingly. With the imposed constraints, a ‘new self' can be derived that represents the updated operational envelope of the system. We assume that the difference between the ‘self' and the ‘new self' in the feature space can be used as a measure of how much the system is affected. The impact on system functionality (I) can be calculated by the ratio of the space covered by the ‘self' clusters to that covered by the ‘new self' clusters or the percent reduction observed on the ‘self' clusters (Eq. 4). Fig. 7 shows graphically the relative space covered by ‘self' and ‘new self' in a two-dimensional feature space.
(4)
For assessing the likelihood of the current state leading to an accident we use a proxy measure based on the distance of the ‘antigen' to a known accidental limit state. An accidental state can be considered as irreversible, which means that the accident can no longer be avoided and the only option is to mitigate the severity of the consequences. To determine such a system state, we assume that the definition of the ‘antigen' contains indicators with which accidental states can be clearly represented. Therefore, we can define a set of accidental states (shown as a red line at the top of Fig. 7) and the distance of the ‘antigen' from the nearest limit state (L) may represent how ‘close' the system is to an accident (Eq. 5, where Aff is an appropriate affinity measure). Similarly to other measured distances, the affinity measure can be the same.
(5)
The risk assessment process that has been described leads to the following risk perspective by exploiting the information available from the detectors at time t: R(t) = (E, S, I, L). Eq. 6 is a generalized risk description that includes measures that correspond to each element in the risk perspective. Considering that this risk description mainly depends on how much the current system state deviates from the safe operational envelope, the implied risk definition is a ‘deviation from a reference value and associated uncertainties' [52].
(6)

4. An example of a ship in a grounding scenario

In this section, we describe an illustrative example with which we aim to demonstrate how our bio-inspired approach would be implemented and how dynamic risk would be calculated with our risk description.

The example involves a conventional, manned ship in a potential grounding scenario in a coastal area with significant wind effect that causes a deviation from the planned route (Fig. 8). The officer of the watch (OOW) attempts to correct the ship’s course. However, an unexpected failure in the rudder severely limits the ship’s manoeuvrability and the OOW is no longer able to control the ship, causing it to drift towards shallow waters with a high risk of grounding. It is noted that the difference in a similar scenario involving, for example, a fully autonomous ship would be that an automated navigation system would be in place of the OOW.

Fig. 8. Illustration of the potential grounding scenario in a coastal area.

For simplification purposes, in this example we make the following assumptions (see Fig. 9):

(1) The ‘antigen' is represented by a state vector that contains the following real-valued risk indicators: distance from shallow waters (Dsw), deviation from planned route (Devpr). Other indicators that could be used include rate of turn or under keel clearance. However, the selected variables were considered to demonstrate the direction of the risk gradient more clearly.

(2) The ‘self' clusters (marked as green circles) have been generated with equal radii (rs). Given an appropriate set of statistical and/or simulated data from normal operation (i.e. ‘self' data), the available data points are clustered with a suitable methodology (e.g. K-means) into groups that point to similar conditions. This helps to improve the performance of the algorithm by limiting the number of comparisons with the candidate detectors. As described in Section 3.2.1, each ‘self' cluster is characterized by its centre and radius. The radius can be predefined or it can result from the clustering process through an optimization process to achieve, for example, a minimum number of clusters.

(3) The ‘self' space is delimited by the following values that are assumed safe for avoiding the risk of grounding: Dsw ≥ 4 nm and Devpr ≤ 5%. Therefore, risk is inversely proportional to the distance from shallow waters and proportional to the deviation from the planned route (R(t) = f(1/Dsw, Devpr)). The boundaries of safe operation are not involved in generating the ‘self' clusters and therefore they are not necessary for implementing the method. However, if there is information available regarding what is considered safe, it can be exploited in the method to address the potential lack of ‘self' data.

(4) The detectors have been generated through a negative selection process from a detector training algorithm as described in Section 3.2.1. The mature detector set consists of 14 clusters with variable detection radii (rd), an amount of allowed overlap among detectors and an incomplete coverage of the ‘non-self' space. The centre of the detector represents a potential unsafe state and may be generated randomly and/or non-randomly if failure data are available. The radii can be predefined or optimized based on criteria, such as ‘non-self' space coverage or detector overlap, which have an impact on the performance of the monitoring algorithm.

(5) A subset of the mature detectors is associated with the following known problems: drifting due to the effect of wind, rudder is unresponsive due to a technical failure. The rest of the mature detectors correspond to unknown or unidentified problems. As described in Section 3.2.2, the association with known problems can be achieved either through a positive selection process by using available failure data or based on expert knowledge.

(6) The accidental state for this scenario is represented as a line in the feature space that involves any combination of Dsw = 0 with Devpr. This set of accidental states indicates that the grounding will have happened. Determining the accident state can be based on expert knowledge with respect to how accidents occur.

Fig. 9. Grounding scenario: self and non-self feature space, including ‘self' clusters and the set of mature detectors.

The ‘self' clusters, the detectors and the boundaries described in the assumptions can be determined quantitatively in the proposed method. However, for this example, they have been derived and illustrated only qualitatively for demonstrating the principles in the approach.

For demonstrating the calculation of risk, we make hypothetical observations at two points in time, t and t+Δt, as shown in Fig. 10. The calculations for each element of our risk description (see Eq. 6) are shown in Table 1.

Fig. 10. Grounding scenario: detection of ‘antigen' in a time window Δt and the elements for calculating ΔR: (a) risk calculation at time t; (b) risk calculation at time t+Δt.

Table 1. Risk element calculations.

Risk element    | Time t                                     | Time t+Δt
Exposure (E)    | 1/14 ≈ 0.071                               | 4/14 ≈ 0.286
Severity (S)    | d(Ag, self) = D                            | d(Ag, self) = D + ΔD
Impact (I)      | |(2 − 6 detectors)| / 6 detectors ≈ 0.67   | |(0 − 6 detectors)| / 6 detectors = 1.00
Likelihood (L)  | d(Ag, limit state) = 5 nm                  | d(Ag, limit state) = 3.9 nm

At time t, detector D1 is activated by the ‘antigen' and the problem is identified as ‘rudder not responsive'. The exposure of the system to this problem is assessed by calculating the concentration of the activated detectors, according to Eq. 2. Severity is assessed by the distance of the ‘antigen' to the nearest self cluster (see Eq. 3), which is proportional to the deviation from the safe operational envelope. In this state, there is no longer the possibility for the ship to correct its course and decrease the deviation from its planned route. The constraint imposed on the system by this failure can be represented by deriving the ‘new self' clusters. This is achieved by limiting the ‘self' clusters to possible distances from shallow waters below 5 nm (i.e. Dsw ≤ 5 nm). The impact to system functionality can be assessed by calculating the percent reduction of ‘new self' compared to ‘self', according to Eq. 4. The likelihood of this state leading to a grounding can be assessed by the distance of the ‘antigen' from the accidental states.

Within the time window Δt, the ship continues to drift uncontrollably towards shallow waters with increasing risk of grounding. In this developing situation, the values in the ‘antigen' change with each time step and the detectors D2, D3 and D4 are sequentially activated. At time t+Δt, there are four activated detectors and therefore their concentration, compared to the total number of detectors, has increased. Increasing concentration indicates that the detected problem is not being addressed and therefore risk increases proportionally. We also observe that, as the ship deviates more from its planned route and towards shallow waters, the distance of the ‘antigen' from the nearest ‘self' cluster also increases. With respect to the ‘new self' at time t+Δt, there is a 100% reduction compared to ‘self' because the distance from shallow waters can no longer be maintained over 4 nm, as required. Furthermore, the likelihood of grounding is greater, compared to the one at time t, considering the proximity of the ship to shallow waters.

From the description of the example, it is clear that the states of the system, as described by the two state variables, between the time points t and t+Δt correspond to a positive risk gradient (R(t+Δt) > R(t)). The calculations in Table 1 show that this risk gradient can be reflected by using the risk description in our bio-inspired approach. In addition, the example shows that the conceptual calculation of the different elements in our risk description, although lacking a strict mathematical formulation, can be used for quantifying dynamic risk.
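The three phases of Section 3.2 (detector training by negative selection, detection and diagnosis, and the risk elements E, S, I and L), worked through on the grounding indicators of this example, as an added Python example that is not the paper's own code. It assumes scaling ranges of 0–10 nm for Dsw and 0–20% for Devpr, a self radius rs = 0.05 in scaled units, constructed ‘self' clusters, detectors and observations, and that ‘distance to self' means the distance to the nearest self-cluster boundary; the 14-detector set, the labelled known problems, the Dsw ≤ 5 nm constraint for the ‘new self' and the limit state Dsw = 0 follow the example above.

```python
import math
import random
from dataclasses import dataclass

# Assumed scaling ranges (not from the paper) so that Euclidean affinity treats
# Dsw (nm) and Devpr (%) on a comparable footing; rs is the assumed 'self' radius.
DSW_RANGE, DEVPR_RANGE, R_SELF = 10.0, 20.0, 0.05

def antigen(dsw_nm, devpr_pct):
    """'Antigen' Ag = (Dsw, Devpr), scaled to the unit square."""
    return (dsw_nm / DSW_RANGE, devpr_pct / DEVPR_RANGE)

def aff(a, b):
    """Affinity measure: Euclidean distance, as in Section 3.2.1."""
    return math.hypot(a[0] - b[0], a[1] - b[1])

@dataclass
class Detector:
    centre: tuple
    radius: float             # detection radius rd, variable per detector
    problem: str = "unknown"  # label attached during training, if any

# Constructed 'self' clusters (centres in raw units), all inside the assumed safe
# envelope Dsw >= 4 nm, Devpr <= 5 %.
SELF_CENTRES_RAW = [(4.5, 1.0), (5.0, 2.0), (6.0, 1.5), (7.0, 3.0), (8.0, 2.0), (9.0, 4.0)]
SELF_CLUSTERS = [antigen(d, p) for d, p in SELF_CENTRES_RAW]

def matches_self(centre, radius):
    """Negative selection test: reject candidates whose detection sphere
    intersects any 'self' cluster, i.e. Aff(c, s) < rs + rd."""
    return any(aff(centre, s) < R_SELF + radius for s in SELF_CLUSTERS)

def train_detectors(n_total=14, seed=7):
    """Mature detector set: non-random 'vaccinated' candidates for the known
    problems first, then random candidates until n_total survive selection."""
    vaccinated = [
        Detector(antigen(5.0, 6.5), 0.06, "rudder unresponsive"),
        Detector(antigen(4.2, 8.0), 0.07, "rudder unresponsive"),
        Detector(antigen(7.0, 7.0), 0.06, "drifting due to wind"),
    ]
    mature = [d for d in vaccinated if not matches_self(d.centre, d.radius)]
    rng, attempts = random.Random(seed), 0
    while len(mature) < n_total and attempts < 10_000:
        attempts += 1
        c, r = (rng.random(), rng.random()), rng.uniform(0.04, 0.10)
        # Simplified overlap criterion: skip centres already inside a detector.
        if matches_self(c, r) or any(aff(c, d.centre) < d.radius for d in mature):
            continue
        mature.append(Detector(c, r))
    return mature

def activated(ag, detectors):
    """Detection: detector i fires when Aff(Ag, D_i) < rd_i (inexact matching)."""
    return [i for i, d in enumerate(detectors) if aff(ag, d.centre) < d.radius]

def exposure(window, detectors):
    """E (Eq. 2): distinct detectors activated over the time window, over N."""
    ids = {i for ag in window for i in activated(ag, detectors)}
    return len(ids) / len(detectors)

def severity(ag):
    """S (Eq. 3): distance from Ag to the boundary of the nearest 'self' cluster
    (centre distance minus rs; an assumption about what 'distance to self' means)."""
    return max(0.0, min(aff(ag, s) for s in SELF_CLUSTERS) - R_SELF)

def impact(max_dsw_nm):
    """I (Eq. 4): share of 'self' clusters lost once the failure constrains the
    reachable distance from shallow water to Dsw <= max_dsw_nm ('new self')."""
    remaining = sum(1 for d, _ in SELF_CENTRES_RAW if d <= max_dsw_nm)
    return abs(remaining - len(SELF_CENTRES_RAW)) / len(SELF_CENTRES_RAW)

def likelihood_proxy(ag):
    """L (Eq. 5): distance from Ag to the accidental limit state Dsw = 0; for this
    axis-aligned line the Euclidean distance is simply Dsw, reported in nm."""
    return ag[0] * DSW_RANGE

def assess(window, detectors, max_dsw_nm):
    """Risk perspective R(t) = (E, S, I, L) plus diagnosis for the window's last Ag."""
    ag = window[-1]
    problems = sorted({detectors[i].problem for i in activated(ag, detectors)})
    return {"E": exposure(window, detectors), "S": severity(ag),
            "I": impact(max_dsw_nm), "L": likelihood_proxy(ag), "problems": problems}

# Constructed observations: Ag at time t (rudder fails at Dsw = 5 nm, 6 % deviation)
# and the drift towards shallow water over the window to t+dt (3.9 nm, 9 %).
AG_T = antigen(5.0, 6.0)
AG_WINDOW = [AG_T, antigen(4.4, 7.5), antigen(3.9, 9.0)]

if __name__ == "__main__":
    dets = train_detectors()
    print("R(t)    =", assess([AG_T], dets, max_dsw_nm=5.0))
    print("R(t+dt) =", assess(AG_WINDOW, dets, max_dsw_nm=4.0))
```

The randomly generated detectors differ from run to run only if the seed is changed, so exact concentrations depend on the seed; the ordering E(t) < E(t+Δt), S(t) < S(t+Δt), I = 0.67 → 1.00 and L = 5 nm → 3.9 nm from Table 1 is reproduced regardless.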

5. Discussion

Our approach involves constructing ML Artificial IS algorithms that exploit safe operational data, instead of solely relying on historical safety performance data, combined with knowledge of how the system might fail, which leads to the identification of RIFs included in the state vector. The availability of data that can be used to map the safe operational envelope of a technological system has opened the possibility of implementing risk assessment methodologies that do not just try to model failures and consider risk as a deviation from a norm [12]. According to Paltrinieri et al. [53], the benefits of implementing ML for continuous risk assessment include identifying risk patterns that can elude human analysis and retaining risk information in memory.

5.1 Problems addressed by the proposed method

The conventional approach to DRA involves dynamically updating prior probabilities for specific risk scenarios that have been calculated in static PRAs. There are two major issues with this process. The first is the uncertainty with respect to identifying a complete, or at least representative, set of risk scenarios where all factors that influence accident occurrence have been accounted for [53]. The second relates to how risk is quantified either through probability or frequency. Both approaches mainly rely on information provided by safety performance data, such as near misses and incidents. The problem with this type of information is that its quantity and quality mainly depend on humans spotting signs of increasing risk and reporting them [54].

Our immune-inspired approach aims to address some of the challenges of the DRA process. For dynamic risk identification, we rely on information about safe system operation (‘self' space) for artificially generating potential unsafe system states. This is a departure from the risk scenario concept, as a sequence of events that may lead to adverse consequences. Instead, we focus on how the current system state may impact its functionality by evaluating its relationship with the safe operational envelope. The detectors effectively cluster the ‘non-self' space through a process of negative selection and are used for detection. This process makes it possible to identify previously unidentified or even unknown risk scenarios in real time. Our approach can also exploit known failure data, if available, for ‘labelling' detectors and facilitating the diagnosis process. This can be considered as a process for ‘vaccinating' the system with prior knowledge to provide a faster response in the future. Furthermore, during the monitoring phase, detectors are activated by the ‘antigen' based on their similarity and therefore an exact match is not required. This means that future situations that are similar to those that have already been identified will also activate the detectors, which makes the risk assessment process adaptive and flexible.

For dynamic risk assessment, we introduce a novel non-probabilistic risk description that exploits information about the relationship of the ‘antigen' with the ‘self' space and accidental limit states. By not depending on updating accident probabilities, we minimize the need to use safety performance data that are either limited, non-informative, or not available. The risk description uses the information about the current system state, which is readily available in real time, to provide an estimation of the risk level. In addition, the non-probabilistic approach does not necessarily require an explicit statement about the relationships among the RIFs that comprise the description of the current system state, such as that needed to construct a BN risk model.

Compared to the relevant literature on Artificial IS applications, our risk assessment process is similar to that described by Perhinschi et al. [31] but without the direct quantitative evaluation of the problem. Instead, we rely on determining the ‘antigen-self' distance as a measure of the severity of the detected problem. In addition, we have adapted concepts, such as ‘detector concentration' and contextual information associated with the detectors [44] from the information security domain for specific application to marine systems.

Regarding the representation of the system state and the ‘antigen' structure, the approaches in the literature imply using expert knowledge for identifying the components of the state vector. For marine systems, we suggest using a structured approach by either using a safety model of the system, such as a safety control structure in STPA [6], or a functional resonance analysis model, or a framework for risk indicators [55]. System safety models may also be used for identifying which known problems can be used for the ‘vaccination' process. In the aviation FDI framework, this is conducted by simulating known failures and using the data in a positive selection process for generating evaluators but without specifying how many and what kind of failures should be considered.

Regarding how the detected problem impacts the system, the information security applications use predefined information based on expert knowledge that link attacks to potential consequences and their severity. In our approach, we have adopted the concepts of ‘distance to self' and ‘new self' from the FDI framework as proxy measures for evaluating the potential impact to system functionality. Another difference is that we have introduced the ‘distance to accident' concept as a measure of the likelihood of the current system state leading to an accident. In the FDI framework, the assessment process ends with evaluating the constraints imposed on system functionality, while in the information security applications there is only an expression of the severity of the potential consequences and not their likelihood.

In the grounding scenario example we commented that our approach is equally applicable to conventional, manned ships and autonomous ships with varying degrees of automation and human presence. However, we consider this framework as particularly important for higher degrees of autonomy, where the human element will not be present on board and therefore ships will have to manage operational risk in an automated way [6]. The algorithms in such ships will have to assess any situation and the state of the system, including unknown conditions, as well as to gradually learn from their experience and improve their risk knowledge. Our bio-inspired framework can facilitate the development of intelligent, ML algorithms that are adaptive to any risk environment due to the limited dependence on knowledge of specific failures and the probabilistic nature of the detection process. Furthermore, risk is assessed only from information that is readily available in real time, which may facilitate the adaptiveness of autonomous ship operation.

5.2 Risk description in the bio-inspired approach

The risk perspective in our approach is derived from a systems approach, which establishes a link between the state of the system and potential consequences. The consideration of system states has also been described by Andretta [15] and Haimes [56] where the source of risk is an abnormal state. Leveson [57] defines risk as ‘a function of the hazard level combined with (1) the likelihood of the hazard leading to an accident and (2) hazard exposure or duration'. The hazard in this definition is considered as a state of the system or set of conditions and its level is determined by its severity and its likelihood to occur. Compared to the conventional approach that views risk as the probability of failures and the severity of the associated consequences, the systems approach focuses on the system as a whole and considers the interactions among its components as the source of risk.

The risk perspective in our approach considers the impact of an unsafe system state on the functionality of the system and its likelihood of leading to an accident. An unsafe system state is an adverse, unwanted event and the system impact and potential accident are potential consequences. These are the basic elements of risk regardless of the specific definition and perspective. Compared to the risk definition by Leveson, there is a correspondence with the elements in our risk description as follows: (1) the concentration of activated detectors is indicative of the exposure to the hazard, (2) the ‘antigen–self' distance indicates the likelihood of the hazard to occur, (3) the relationship between the ‘new self' and ‘self' shows the severity of the hazard, or the expected worst case damage to the system and (4) the ‘antigen-limit state' distance shows the likelihood of the hazard leading to an accident. Furthermore, because the detection process is probabilistic, there is uncertainty about whether the current state is unsafe and about the nature of the problem, which adds to the validity of our risk description. If we assumed no uncertainty in the detection process, then the description would be more related to the concept of vulnerability, which points to the potential consequences given a risk scenario has occurred (in our case, an unsafe state has been detected) [58].

5.3 Limitations of the proposed method

Despite the expected benefits, there are limitations with respect to methodological and performance issues. Generating potential unsafe states from ‘self' samples may require a significant amount of data for adequately representing the safe operational envelope. The success of the detection process directly depends on this representation and incomplete or inaccurate data may result in increased false detection rates.

Another limitation is that associating detectors with specific problems in an informative way requires safety performance data or expert knowledge. If detectors cannot be ‘labelled', diagnosis will not be possible and unknown problems will remain unknown even though an estimation of the risk level will still be available. In addition, diagnosis through information attached to detectors has an inherent uncertainty because the same observed deviation from ‘self' may be linked to multiple potential causes. In the grounding scenario example, some of the detectors, which correspond to an observed deviation from safe distance from shallow waters and the planned route, have been assumed to be related to an unresponsive rudder (failure) and the resulting compromised manoeuvrability of the ship. However, there is the possibility that the same deviation is observed, for example, due to not having enough propulsive power. In this case, although the manoeuvrability of the ship is not compromised, it is not adequate for the particular conditions.

The selection of risk indicators affects whether an accidental limit state may clearly and unambiguously be defined for determining the likelihood of the state leading to an accident. Depending on the risk indicators used, a greater ‘antigen-self' distance, which indicates a larger deviation from the norm, may not always indicate increased risk. The success of the risk assessment process also strongly depends on the selection of risk indicators. An inappropriate selection may lead to leaving out important aspects of the problem and therefore to unidentified risks. Considering the potential state explosion effect when too many indicators are selected, the need to minimize the size of the state vector may also lead to excluding important parameters. In addition, the performance of an Artificial IS algorithm is influenced by the total number of detectors. More detectors mean that more comparisons with the ‘antigen' will have to be made in real time, which might increase the required run time. On the other hand, more detectors mean that the coverage of ‘non-self' space is better and therefore unsafe states are more likely to be detected. Forrest et al. [39] have discussed the trade-offs between performance and detection rates for a required probability of detection.
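As an added illustration of the two limitations above (dependence of detection on the ‘self' representation, and the detector-count trade-off discussed by Forrest et al. [39]) and of risk description elements (1), (2) and (4) listed earlier in this section, the following toy real-valued negative selection routine is example code, not the paper's own algorithm: the two risk indicators, the safe envelope, the Euclidean affinity measure, the matching radius and all samples are constructed assumptions.

```python
"""Toy real-valued negative selection over a two-indicator ship state vector."""
import math
import random

# Constructed 'antigen' layout: two normalised risk indicators in [0, 1].
#   x[0]: distance to shallow water (0 = aground, 1 = far away)
#   x[1]: cross-track deviation from the planned route (0 = on route)
# Assumed accidental limit state: x[0] == 0 (grounding).
RADIUS = 0.08                          # assumed affinity threshold for a match
SELF_BOX = ((0.6, 1.0), (0.0, 0.3))    # constructed safe operational envelope

def euclid(a, b):
    """Euclidean affinity measure (an assumption; the paper leaves it open)."""
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def sample_self(n, seed=1):
    """Constructed 'self' samples drawn uniformly from the safe envelope."""
    rng = random.Random(seed)
    return [tuple(rng.uniform(lo, hi) for lo, hi in SELF_BOX) for _ in range(n)]

def negative_selection(self_samples, n_candidates, radius=RADIUS, seed=2):
    """Keep random candidates that match no 'self' sample. Safe states missing
    from self_samples stay covered by detectors and later raise false alarms."""
    rng = random.Random(seed)
    dets = []
    for _ in range(n_candidates):
        cand = (rng.random(), rng.random())
        if all(euclid(cand, s) > radius for s in self_samples):
            dets.append(cand)
    return dets

def activated(detectors, antigen, radius=RADIUS):
    """Detectors whose affinity with the current state reaches the threshold."""
    return [d for d in detectors if euclid(d, antigen) <= radius]

def assess(detectors, self_samples, antigen):
    """Elements (1), (2) and (4) of the risk description for one 'antigen'.
    Element (3), the 'new self', needs an impact model and is not computed;
    combining the elements into one R(t) is left open, as in the paper."""
    act = activated(detectors, antigen)
    return {
        "concentration": len(act) / len(detectors) if detectors else 0.0,
        "antigen_self_distance": min(euclid(antigen, s) for s in self_samples),
        "antigen_limit_distance": antigen[0],   # grounding limit state at x[0]=0
    }

def nonself_probes(step=0.05):
    """Deterministic grid of states outside the safe envelope (constructed)."""
    n = int(round(1 / step))
    pts = [(i * step, j * step) for i in range(n + 1) for j in range(n + 1)]
    return [x for x in pts
            if not all(lo <= v <= hi for v, (lo, hi) in zip(x, SELF_BOX))]

def coverage(detectors, probes):
    """Fraction of non-self probes matched by some detector: the benefit side of
    the detector-count trade-off (cost: one affinity computation per detector)."""
    return sum(1 for p in probes if activated(detectors, p)) / len(probes)

if __name__ == "__main__":
    selfs, probes = sample_self(300), nonself_probes()
    dets = negative_selection(selfs, 2000)
    for k in (50, 200, len(dets)):            # nested detector sets
        print(f"{k:5d} detectors: coverage {coverage(dets[:k], probes):.2f}")
    for antigen in (selfs[0], (0.45, 0.4), (0.15, 0.6)):   # drifting off route
        print(antigen, assess(dets, selfs, antigen))
```

Reducing the number of ‘self' samples or raising the radius shows the false-alarm side of the same trade-off: safe states that the samples do not cover are reported as deviations.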

5.4 Next steps of our research

The next steps of our research include addressing conceptual and methodological issues in terms of representation, Artificial IS algorithm development and risk-level assessment. In the following, we describe the immediate steps that need to be taken to make the described framework more concrete, and the long-term research efforts that will help to enrich and extend the framework.

The immediate steps include creating a structured process for defining the ‘antigen', which consists of a set of risk indicators related to RIFs that adequately describe the system safety state. For implementing a systemic approach, the RIFs need to include human, organizational and technical issues and effectively capture interactions among system components. The process will also need to include an approach for determining the appropriate size of the state vector for avoiding state explosion effects while maintaining an adequate description of system safety. Furthermore, the Artificial IS algorithms described in this paper will be thoroughly tested and validated with more case studies that relate to various accident types (e.g. fire/explosion and collision). Algorithm parameters, such as affinity measures and size of the detector clusters, need to be appropriately selected and different parameter configurations need to be investigated in a sensitivity analysis regarding their impact on the results and the performance of the algorithms. Furthermore, the risk description should be expressed through a concrete mathematical formulation so that the risk function appropriately reflects operational risk changes, while remaining in the following value range 0 ≤ R(t) ≤ 1. Uncertainties should also be considered explicitly and systematically and the risk metric should be tested and validated by using various state vectors and more case studies.

In the long term, our framework could be extended to include techniques for optimizing the performance of the Artificial IS algorithms, such as using non-random detector generation for minimizing run time and hybridizing immune-inspired algorithms with other analytical or probabilistic models. Such a hybrid approach could increase the effectiveness of our framework by integrating specialized tools for determining the impact to the system (‘new self') or the likelihood of the current state leading to an accident. In addition, more adaptable algorithms may be created, for example, by dynamically defining the ‘self' [29]. The implication would be that detectors could be automatically retrained to reflect changes to the system’s operational envelope, such as those caused by structural degradation throughout its life cycle or when the system’s characteristics change (e.g. a major retrofit).

The framework can also be enhanced by including processes for identifying effective risk control options to reduce the assessed risk. The process would mimic biological mechanisms to automatically generate risk control options (e.g. from a ‘gene library') in real time and assess their risk reduction effectiveness given the current state of the system. Just as the immune system may prioritize protecting the most important organs for sustaining life (see background), bio-inspired risk control may target maintaining or restoring functionalities that are critical to system operation.

Finally, other extensions to the framework may be derived by integrating ideas from immune system theories other than clonal selection and the immune network theory. An example is the more recent danger model by Matzinger [59], which posits that the immune system responds to damage caused by pathogens, by detecting danger signals from cells of the organism that have died unexpectedly, and not to pathogens as foreign entities. This theory attempts to explain phenomena, such as the immune system’s tolerance to a changing self (e.g. during pregnancy) or the immune system attacking the self in autoimmune diseases. The implication for our framework could be that the detectors would not just identify deviations from the safe operational envelope (i.e. states that are ‘foreign to self'), but would also detect ‘signals' of compromised system functionality. Integrating this idea into the framework could enhance the diagnosis process and improve determining the nature of the problem related to the observed deviation from ‘self'.

6. Conclusions

In this paper, we have introduced the foundations of a framework for dynamic risk assessment that identifies risks in any environment and does not rely on predefined risk scenarios or solely on safety performance data. The rationale is inspired by the mechanisms of the biological immune system. Methodologically, it draws from the Artificial IS framework and adapts ideas from the literature on anomaly/intrusion detection (information security domain) and fault detection and diagnosis (aviation domain). The framework includes a process for risk identification, diagnosis and assessment and a novel non-probabilistic risk description that exploits real-time information about the deviation from the safe operational envelope. The risk description is based on the systems approach to risk, which focuses on the system being in an unsafe state as the source of risk.

The framework provides a conceptual basis and methodological guidance for developing Artificial IS algorithms that are specific to marine system safety. These ML algorithms can facilitate intelligent risk identification that can store information for future use. Artificial IS algorithms exploit mapping the safe operational envelope from relevant statistical and/or simulated data for automatically creating potential unsafe system states. In addition to limited dependence on safety performance data, they also minimize the requirement for expert knowledge, for example, regarding the relationships among risk factors.

This paper has described analogies between system safety concepts and biological entities that are meaningful in the particular problem domain. This paper has also shown how risk can be described as a deviation from safe operation by exploiting readily available information from the ‘antigen', the detectors and their relationship to the safe operational envelope and the accidental limit states. Through the grounding scenario example, we have demonstrated that our bio-inspired risk description can adequately reflect the increasing risk in a developing situation.

Finally, we consider our approach to be equally applicable to conventional, manned ships for decision support applications and to autonomous ships with varying degrees of automation and human presence for automated decision-making applications. However, we consider it particularly useful for higher degrees of autonomy to enable the detection of unidentified, or even unknown, risks and the retention of acquired risk knowledge.

ACKNOWLEDGEMENTS

The authors thank the anonymous reviewers for their valuable suggestions. This work is part of an ongoing PhD by K.L., supervised by N.P.V.

Author contributions statement

N.P.V. and K.L. conceived the bio-inspired approach to Life Cycle Risk, K.L. wrote the manuscript, N.P.V. reviewed the manuscript.

Conflict of Interest

There is no Conflict of Interest.

References

1. IMO. MSC-MEPC.2/Circ.12, Revised Guidelines for Formal Safety Assessment (FSA) for Use in the IMO Rule-Making Process. London, UK: International Maritime Organization; 2015.
2. Papanikolaou A, editor. Risk-Based Ship Design: Methods, Tools and Applications. Berlin/Heidelberg: Springer-Verlag; 2009.
3. Vassalos D. Design for safety, risk-based design, life-cycle risk management. In: Proceedings of the RINA Annual General Meeting, 30 April, London, UK; RINA, 2014.
4. Vassalos D, Papanikolaou A. State of the art report on design for safety, risk-based design, life-cycle risk management. In: Proceedings of the 12th International Marine Design Conference, 11-14 May, Tokyo, Japan; Japan Society of Naval Architects and Ocean Engineers, 2015.
5. Utne IB, Sørensen AJ, Schjølberg I. Risk management of autonomous marine systems and operations. In: Proceedings of the ASME 2017 36th International Conference on Ocean, Offshore and Arctic Engineering, 25-30 June, Trondheim, Norway; Volume 3B: Structures, Safety and Reliability. ASME, 2017.
6. Utne IB, Rokseth B, Sørensen AJ, et al. Towards supervisory risk control of autonomous ships. Reliab Eng Syst Safety. 2020;196:106757.
7. Yang X, Haugen S, Paltrinieri N. Clarifying the concept of operational risk assessment in the oil and gas industry. Safety Sci. 2018;108:259-268.
8. Kaplan S, Garrick BJ. On the quantitative definition of risk. Risk Anal. 1981;1(1):11-27.
9. Paltrinieri N, Khan F, Amyotte P, et al. Dynamic approach to risk management: application to the Hoeganaes metal dust accidents. Proc Safety Environ Prot. 2014;92(6):669-679.
10. Villa V, Paltrinieri N, Khan F, et al. Towards dynamic risk analysis: a review of the risk assessment approach and its limitations in the chemical process industry. Safety Sci. 2016;89:77-93.
11. Cai W, Konovessis D, Vassalos D. Development of Bayesian models for marine accident investigation and their use in risk-based ship design. J Ship Prod Design. 2014;30(1):39-47.
12. Ale B. Risk analysis and big data. Safety Reliab. 2016;36(3):153-165.
13. de Castro LN, Zuben FJV. Artificial Immune Systems: Part I - Basic Theory and Applications. TR-DCA 01/99. Brazil: Feec/Unicamp, 1999.
14. Janeway CA. How the immune system recognizes invaders. Sci Am. 1993;269(3):72-79.
15. Andretta M. Some considerations on the definition of risk based on concepts of systems theory and probability. Risk Anal. 2014;34(7):1184-1195.
16. de Castro LN, Timmis JI. Artificial immune systems as a novel soft computing paradigm. Soft Comput. 2003;7(8):526-544.
17. Hofmeyr SA. An interpretative introduction to the immune system. In: Segel LA, Cohen IR, editors. Design Principles for the Immune System and Other Distributed Autonomous Systems, vol. 3 of Santa Fe Institute Studies in the Sciences of Complexity. New York, NY: Oxford University Press; 2001. p. 28-36.
18. Ishida Y. Immunity-Based Systems: A Design Perspective. Berlin/Heidelberg: Springer-Verlag; 2004.
19. Coico R, Sunshine G. Immunology: A Short Course. 7th edition. Oxford, UK: Wiley-Blackwell, 2015.
20. Jamieson AM, Crane M, Xu Y, Lee K. Immune triage: prioritization of host immune responses. J Immunol. 2016;196(1 Supplement):197.20.
21. Smith DJ, Forrest S, Perelson AS. Immunological memory is associative. In: Dasgupta D, editor. Artificial Immune Systems and Their Applications. Berlin/Heidelberg: Springer; 1999. p. 105-114.
22. Malim MR, Halim FA. Immunology and artificial immune systems. Int J Artif Intell Tools. 2012;21(06):1250031.
23. Sotiropoulos DN, Tsihrintzis GA. Machine Learning Paradigms: Artificial Immune Systems and Their Application in Software Personalization. New York, NY: Springer; 2016.
24. Jerne NK. Towards a network theory of the immune system. Ann Immunol. 1974;125:373-389.
25. Perelson AS. Immune network theory. Immunol Rev. 1989;110:5-33.
26. Timmis J, Knight T, de Castro LN, et al. An overview of artificial immune systems. In: Computation in Cells and Tissues. Berlin/Heidelberg: Springer; 2004. p. 51-91.
27. Bayar N, Darmoul S, Hajri-Gabouj S, et al. Fault detection, diagnosis and recovery using artificial immune systems: a review. Eng Appl Artif Intell. 2015;46:43-57.
28. Hart E, Timmis J. Application areas of AIS: the past, the present and the future. Appl Soft Comput J. 2008;8(1):191-201.
29. Li T. An immunity based network security risk estimation. Sci China Series F. 2005;48(5):557.
30. Moncayo H, Perhinschi MG, Davis J. Aircraft failure detection and identification using an immunological hierarchical multiself strategy. J Guidance Control Dynam. 2010;33(4):1105-1114.
31. Perhinschi MG, Moncayo H, Al Azzawi D. Integrated immunity-based framework for aircraft abnormal conditions management. J Aircraft. 2014;51(6):1726-1739.
32. Wang Z, Tang X, Liu H, et al. Artificial immune intelligence-inspired dynamic real-time computer forensics model. Math Biosci Eng. 2020;17(6):7222-7234.
33. Sun Fx, Zhang Sw. Immunity-inspired risk assessment approach for network security. In: Proceedings of the 2009 International Conference on Web Information Systems and Mining, 23-24 October, Shanghai, China; IEEE, 2009. p. 515-518.
34. Sun F, Xu F. Antibody concentration based method for network security situation awareness. In: Proceedings of the 3rd International Conference on Bioinformatics and Biomedical Engineering, 11-13 June, Beijing, China; IEEE, 2009. p. 1-4.
35. Yuan H. A network security risk assessment method based on immunity algorithm. Adv Mater Res. 2010;108–111:948-953.
36. Sun F, Wu Z. A new risk assessment model for E-government network security based on antibody concentration. In: Proceedings of the 2009 International Conference on E-Learning, E-Business, Enterprise Information Systems, and E-Government, 5-6 December, Washington DC, USA; IEEE, 2009. p. 119-121.
37. Liu C, Guo M, Peng L, Guo J, Yang S, Zeng J. Artificial immunity-based model for information system security risk evaluation. In: Proceedings of the 2010 International Conference on E-Health Networking Digital Ecosystems and Technologies (EDT), 17-18 April, Shenzhen, China, vol. 1; IEEE, 2010. p. 39-42.
38. Liu C, Zhang Y, Zeng J, Peng L, Chen R. Research on dynamical security risk assessment for the internet of things inspired by immunology. In: Proceedings of the 2012 8th International Conference on Natural Computation, 29-31 May, Chongqing, Sichuan, China; IEEE, 2012. p. 874-878.
39. Forrest S, Perelson AS, Allen L, Cherukuri R. Self–nonself discrimination in a computer. In: Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy, 16-18 May, Oakland, CA; IEEE, 1994. p. 202-212.
40. Dasgupta D. Advances in artificial immune systems. IEEE Computational Intelligence Magazine. 2006;1(4):40-49.
41. Gonzalez F, Dasgupta D, Kozma R. Combining negative selection and classification techniques for anomaly detection. In: Proceedings of the 2002 Congress on Evolutionary Computation. CEC’02 (Cat. No.02TH8600), 12-17 May, Honolulu, HI, USA, vol. 1; IEEE, 2002. p. 705-710.
42. Shuqin C, Ge W, Hong C. Research on the application of immune network theory in risk assessment. In: Proceedings of the 2008 ISECS International Colloquium on Computing, Communication, Control, and Management, 3-4 August, Washington DC, USA; IEEE, 2008. p. 230-235.
43. Liu T, Shang L, Hu Z. Risk assessment model based on immune theory. In: Zeng Z, Wang J, editors. Advances in Neural Network Research and Applications. Lecture Notes in Electrical Engineering. Berlin/Heidelberg: Springer; 2010. p. 101-108.
44. Powers ST, He J. A hybrid artificial immune system and self organising map for network intrusion detection. Inform Sci. 2008;178(15):3024-3042.
45. He J, Li T, Li B, et al. An immune-based risk assessment method for digital virtual assets. Comput Security. 2021;102:102134.
46. Perhinschi MG, Moncayo H, Davis J. Integrated framework for aircraft sub-system failure detection, identification, and evaluation based on the artificial immune system paradigm. In: Proceedings of the AIAA Guidance, Navigation, and Control Conference, 10-13 August, Chicago, Illinois, USA; AIAA, 2009. p. 1-17.
47. Leveson NG, Thomas JP. STPA Handbook. Boston, MA, USA: MIT, 2018.
48. Øien K. Risk indicators as a tool for risk control. Reliab Eng Syst Safety. 2001;74(2):129-145.
49. Øien K, Utne IB, Herrera IA. Building safety indicators: Part 1 - Theoretical foundation. Safety Sci. 2011;49(2):148-161.
50. Chen J, Wang X, Su M, Lin X. A fast detector generation algorithm for negative selection. Appl Intell. 2021;51:4525-4547.
51. Li D, Liu S, Zhang H. Negative selection algorithm with constant detectors for anomaly detection. Appl Soft Comput. 2015;36:618-632.
52. Aven T. Society for Risk Analysis Glossary. SRA, 2018. p. 1-9.
53. Paltrinieri N, Comfort L, Reniers G. Learning about risk: machine learning for risk assessment. Safety Sci. 2019;118:475-486.
54. Georgoulis G, Nikitakos N. The importance of reporting all the occurred near misses on board: the seafarers' perception. TransNav, International Journal on Marine Navigation and Safety of Sea Transportation. 2019;13(3):657-662.
55. Fan C, Wróbel K, Montewka J, et al. A framework to identify factors influencing navigational risk for maritime autonomous surface ships. Ocean Eng. 2020;202:107188.
56. Haimes YY. On the complex definition of risk: a systems-based approach. Risk Anal. 2009;29(12):1647-1654.
57. Leveson NG. Engineering a Safer World: Systems Thinking Applied to Safety. Reprint edition. Cambridge, MA/London, England: The MIT Press; 2016.
58. Aven T. On some recent definitions and analysis frameworks for risk, vulnerability, and resilience. Risk Anal. 2011;31(4):515-522.
59. Matzinger P. The danger model: a renewed sense of self. Science. 2002;296(5566):301-305.

This is an Open Access article distributed under the terms of the Creative Commons Attribution-NonCommercial License (https://creativecommons.org/licenses/by-nc/4.0/), which permits non-commercial re-use, distribution, and reproduction in any medium, provided the original work is properly cited. For commercial re-use, please contact [email protected]