STPA Based Approach for a Resilience Assessment at an Early Design Stage of a Cruise Ship

Several definitions and approaches have been proposed to study resilience in different fields like materials, ecology, psychology and infrastructures. A general definition, applicable also to human-made or engineered systems, describes resilience as the ability to maintain capability in case of disruption. Thanks to its systemic, top-down approach, STAMP (System-Theoretic Accident Model and Processes) has been already identified in literature as a very effective and “conductive” reference when reasoning about the possible need of resilience of a complex system. The STAMP-based tool named STPA (System Theoretic Process Analysis) establishes the following steps: identify system accidents, hazards; draw functional control structure; identify unsafe control actions (UCAs); identify accident scenarios; formulate decisions and recommendations. It focuses on what actually is in the hands of the system designer and operator i.e. the possibility to take action on hazards that can be eliminated or controlled. In this paper an approach to design resilience into a cruise vessel will be proposed. An application case will be developed considering the specific hazard of dead ship condition i.e. of energy black-out on board. In case of navigation close to the shore and in heavy weather condition, this situation can rapidly evolve into a loss. The ship energy production and delivery system, both for the propulsion and for the hotel services, will be considered. Running the procedure up to the level of UCAs enables the identification of the possible disruptive events capable to degrade the operational performance of the system. Starting from this point, suggestions will be discussed for a selected UCA, able to prevent or mitigate it. A metric for ship resilience will be proposed as well with the aim to allow comparisons among different design solutions.